With MACHINE_HAS_VX, we convert the floating point registers from the
vector registeres when storing the status. For other VCPUs, these are
stored to vcpu->run->s.regs.vrs, but we are using current->thread.fpu.vxrs,
which resolves to the currently loaded VCPU.
So kvm_s390_store_status_unloaded() currently writes the wrong floating
point registers (converted from the vector registers) when called from
another VCPU on a z13.
This is only the case for old user space not handling SIGP STORE STATUS and
SIGP STOP AND STORE STATUS, but relying on the kernel implementation. All
other calls come from the loaded VCPU via kvm_s390_store_status().
Fixes: 9abc2a08a7 (KVM: s390: fix memory overwrites when vx is disabled)
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Linux guests on Haswell (and also SandyBridge and Broadwell, at least)
would crash if you decided to run a host command that uses PEBS, like
perf record -e 'cpu/mem-stores/pp' -a
This happens because KVM is using VMX MSR switching to disable PEBS, but
SDM [2015-12] 18.4.4.4 Re-configuring PEBS Facilities explains why it
isn't safe:
When software needs to reconfigure PEBS facilities, it should allow a
quiescent period between stopping the prior event counting and setting
up a new PEBS event. The quiescent period is to allow any latent
residual PEBS records to complete its capture at their previously
specified buffer address (provided by IA32_DS_AREA).
There might not be a quiescent period after the MSR switch, so a CPU
ends up using host's MSR_IA32_DS_AREA to access an area in guest's
memory. (Or MSR switching is just buggy on some models.)
The guest can learn something about the host this way:
If the guest doesn't map address pointed by MSR_IA32_DS_AREA, it results
in #PF where we leak host's MSR_IA32_DS_AREA through CR2.
After that, a malicious guest can map and configure memory where
MSR_IA32_DS_AREA is pointing and can therefore get an output from
host's tracing.
This is not a critical leak as the host must initiate with PEBS tracing
and I have not been able to get a record from more than one instruction
before vmentry in vmx_vcpu_run() (that place has most registers already
overwritten with guest's).
We could disable PEBS just few instructions before vmentry, but
disabling it earlier shouldn't affect host tracing too much.
We also don't need to switch MSR_IA32_PEBS_ENABLE on VMENTRY, but that
optimization isn't worth its code, IMO.
(If you are implementing PEBS for guests, be sure to handle the case
where both host and guest enable PEBS, because this patch doesn't.)
Fixes: 26a4f3c08d ("perf/x86: disable PEBS on a guest entry.")
Cc: <stable@vger.kernel.org>
Reported-by: Jiří Olša <jolsa@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
we have to check bit 40 of the facility list before issuing LPP
and not bit 48. Otherwise a guest running on a system with
"The decimal-floating-point zoned-conversion facility" and without
the "The set-program-parameters facility" might crash on an lpp
instruction.
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: stable@vger.kernel.org # v4.4+
Fixes: e22cf8ca6f ("s390/cpumf: rework program parameter setting to detect guest samples")
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
d_instantiate(new_dentry, old_inode) is absolutely wrong thing to
do - it will oops if new_dentry used to be positive, for starters.
What we need is d_invalidate() the target and be done with that.
Cc: stable@vger.kernel.org # v3.18+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Failing to allocate an inode for child means that cache for *parent* is
incompletely populated. So it's parent directory inode ('dir') that
needs NCPI_DIR_CACHE flag removed, *not* the child inode ('inode', which
is what we'd failed to allocate in the first place).
Fucked-up-in: commit 5e993e25 ("ncpfs: get rid of d_validate() nonsense")
Fucked-up-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org # v3.19
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Thomas Huth discovered that a guest could cause a hard hang of a
host CPU by setting the Instruction Authority Mask Register (IAMR)
to a suitable value. It turns out that this is because when the
code was added to context-switch the new special-purpose registers
(SPRs) that were added in POWER8, we forgot to add code to ensure
that they were restored to a sane value on guest exit.
This adds code to set those registers where a bad value could
compromise the execution of the host kernel to a suitable neutral
value on guest exit.
Cc: stable@vger.kernel.org # v3.14+
Fixes: b005255e12
Reported-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Choose between atomic or non atomic connector dpms helper. If tda998x
is connected to a drm driver that does not support atomic modeset
calling drm_atomic_helper_connector_dpms() causes a crash when the
connectors atomic state is not initialized. The patch implements a
driver specific connector dpms helper that calls
drm_atomic_helper_connector_dpms() if driver supports DRIVER_ATOMIC
and otherwise it calls the legacy drm_helper_connector_dpms().
Fixes commit 9736e988d3 ("drm/i2c: tda998x: Add support for atomic
modesetting").
Signed-off-by: Jyri Sarha <jsarha@ti.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
This partially reverts commit d56f57ac96 ("drm/gma500: Move to private
save/restore hooks") which removed these lines by mistake.
Reported-by: Sebastian Herbszt <herbszt@gmx.de>
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Tested-by: Thomas Hellstrom <thellstrom@vmware.com>
Tested-by: Sebastian Herbszt <herbszt@gmx.de>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Some more radeon and amdgpu stuff for drm-next. Mostly just bug fixes
for new features and cleanups.
* 'drm-next-4.6' of git://people.freedesktop.org/~agd5f/linux:
drm/amdgpu: fix rb bitmap & cu bitmap calculation
drm/amdgpu: trace the pd_addr in vm_grab_id as well
drm/amdgpu: fix VM faults caused by vm_grab_id() v4
drm/amdgpu: update radeon acpi header
drm/radeon: update radeon acpi header
drm/amd: cleanup get_mfd_cell_dev()
drm/amdgpu: fix error handling in amdgpu_bo_list_set
drm/amd/powerplay: fix code style warning.
drm/amd: Do not make DRM_AMD_ACP default to y
drm/amdgpu/gfx: fix off by one in rb rework (v2)
Notable changes:
- correctness fixes to the GPU cache flushing when switching execution
state and when powering down the GPU
- reduction of time spent in hardirq-off context
- placement improvements to the GPU DMA linear window, allowing the
driver to properly work on i.MX6 systems with more than 2GB of RAM
* 'drm-etnaviv-next' of git://git.pengutronix.de/git/lst/linux:
drm: etnaviv: clean up submit_bo()
drm: etnaviv: clean up vram_mapping submission/retire path
drm: etnaviv: improve readability of command insertion to ring buffer
drm: etnaviv: clean up GPU command submission
drm: etnaviv: use previous GPU pipe state when pipe switching
drm: etnaviv: flush all GPU caches when stopping GPU
drm: etnaviv: track current execution state
drm: etnaviv: extract arming of semaphore
drm: etnaviv: extract replacement of WAIT command
drm: etnaviv: extract command ring reservation
drm/etnaviv: move GPU linear window to end of DMA window
drm/etnaviv: move runtime PM balance into retire worker
- fbc by default on hsw&bdw, thanks to great work by Paulo!
- psr by default hsw,bdw,vlv&chv, thanks to great work by Rodrigo!
- fixes to hw state readout vs. rpm issues (Imre)
- dc3 fixes&improvements (Mika), this and above already cherr-pick to -fixes
- first part of locking fixes from Tvrtko
- proper atomic code for load detect (Maarten)
- more rpm fixes from Ville
- more atomic work from Maarten
* tag 'drm-intel-next-2016-02-29' of git://anongit.freedesktop.org/drm-intel: (63 commits)
drm/i915: Update DRIVER_DATE to 20160229
drm/i915: Execlists cannot pin a context without the object
drm/i915: Reduce the pointer dance of i915_is_ggtt()
drm/i915: Rename vma->*_list to *_link for consistency
drm/i915: Balance assert_rpm_wakelock_held() for !IS_ENABLED(CONFIG_PM)
drm/i915/lrc: Only set RS ctx enable in ctx control reg if there is a RS
drm/i915/gen9: Set value of Indirect Context Offset based on gen version
drm/i915: Remove update_sprite_watermarks.
drm/i915: Kill off intel_crtc->atomic.wait_vblank, v6.
drm/i915: Unify power domain handling.
drm/i915: Pass crtc state to modeset_get_crtc_power_domains.
drm/i915: Add for_each_pipe_masked()
drm/i915: Make sure pipe interrupts are processed before turning off power well on BDW+
drm/i915: synchronize_irq() before turning off disp2d power well on VLV/CHV
drm/i915: Skip PIPESTAT reads from irq handler on VLV/CHV when power well is down
drm/i915/gen9: Write dc state debugmask bits only once
drm/i915/gen9: Extend dmc debug mask to include cores
drm/i915/gen9: Verify and enforce dc6 state writes
drm/i915/gen9: Check for DC state mismatch
drm/i915/fbc: enable FBC by default on HSW and BDW
...
Accumulated fixes and improvements from ti-linux-4.1.
* Almost complete rewrite of pagefliping code
* dma-buf support
* pinctrl support
* lot of fixes and cleanups
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJW3ZNlAAoJEJA2s1DX1hlBBcEQALfPeM84vrjimisntOwxgMMC
vuqAjFr0LjtbHjhEbNtG/jckCxsLAU88UY+vtvawkSw9+t+AlBdMbydbxfWO/7ER
UuNm+a14clyxcJfIr9/VhtTKy9mlZ8uliz0sOfvAo+ayYJPa1YG9jw+HGJCYsD2f
WFwMJwiPeTeDJGLRH+7Vuy4F4iGg6rYcT3fvkE5xHIevG+tavMWV9IFuflAwCvqA
1BE88kWK4f4phyW3DjEMgfVOk3T4EZqkIcI5XZBLC1vp5w5nEdeb4UrX4VBQQ34x
WTJU+5nGdH7lMxMeadqfc/+0LOigSlNOh6h+ugGpTIka3CpE5nO9tq5Wid78QPfK
vaSAyQ/b0a0hiCBs1bA/GEC/dbFSmmE9vE72DVSOwK30tgvhMip4rzZyM7ERz8lz
DBZL0Fw8zb/mEyCfhuCImjzVuHNZKQlRw7tImOBqKrBBWU5LOIsgZ5srEzIeBnmV
BxgAzI/NcTTo+w2t/+59wUiAep4OPP3Lyz8jRA4c7uhttwXknaX28FjKZJLHtcEM
tBXJkLoGB2egpwnG5s+xKJA9qBE1AwbbRLnnySGEjtSagRAMZ7f1WqQmiRXkFGqQ
Ilmteg2SFt/KX7EllL1U5ggX24IlzE+MLFhG/f4zcTBziidcyP2tpN5Tn7uMdx7V
UHP4lSJKNldbRj5VwIh1
=vIeq
-----END PGP SIGNATURE-----
Merge tag 'tilcdc-4.6' of https://github.com/jsarha/linux into drm-next
tilcdc changes for v4.6
Accumulated fixes and improvements from ti-linux-4.1.
* Almost complete rewrite of pagefliping code
* dma-buf support
* pinctrl support
* lot of fixes and cleanups
* tag 'tilcdc-4.6' of https://github.com/jsarha/linux: (22 commits)
drm/tilcdc: Use devm_kzalloc() and devm_kcalloc() for private data
drm/tilcdc: Initialize crtc->port
drm/tilcdc: Disable sync lost interrupt if it fires on every frame
drm/tilcdc: Add prints on sync lost and FIFO underrun interrupts
drm/tilcdc: Remove the duplicate LCDC_INT_ENABLE_SET_REG in registers[]
drm/tilcdc: Fix interrupt enable/disable code for version 2 tilcdc
drm/tilcdc: Do not update the next frame buffer close to vertical blank
drm/tilcdc: Get rid of complex ping-pong mechanism
drm/tilcdc: cleanup irq handling
drm/tilcdc: remove broken error handling
drm/tilcdc: split reset to a separate function
drm/tilcdc: disable crtc on unload
drm/tilcdc: cleanup runtime PM handling
drm/tilcdc: Allocate register storage based on the actual number registers
drm/tilcdc: fix build error when !CONFIG_CPU_FREQ
drm/tilcdc: Implement dma-buf support for tilcdc
drm/tilcdc: disable the lcd controller/dma engine when suspend invoked
drm/tilcdc: make frame_done interrupt active at all times
drm/tilcdc: fix kernel panic on suspend when no hdmi monitor connected
drm/tilcdc: adopt pinctrl support
...
Pull networking fixes from David Miller:
1) Fix ordering of WEXT netlink messages so we don't see a newlink
after a dellink, from Johannes Berg.
2) Out of bounds access in minstrel_ht_set_best_prob_rage, from
Konstantin Khlebnikov.
3) Paging buffer memory leak in iwlwifi, from Matti Gottlieb.
4) Wrong units used to set initial TCP rto from cached metrics, also
from Konstantin Khlebnikov.
5) Fix stale IP options data in the SKB control block from leaking
through layers of encapsulation, from Bernie Harris.
6) Zero padding len miscalculated in bnxt_en, from Michael Chan.
7) Only CHECKSUM_PARTIAL packets should be passed down through GSO, fix
from Hannes Frederic Sowa.
8) Fix suspend/resume with JME networking devices, from Diego Violat
and Guo-Fu Tseng.
9) Checksums not validated properly in bridge multicast support due to
the placement of the SKB header pointers at the time of the check,
fix from Álvaro Fernández Rojas.
10) Fix hang/tiemout with r8169 if a stats fetch is done while the
device is runtime suspended. From Chun-Hao Lin.
11) The forwarding database netlink dump facilities don't track the
state of the dump properly, resulting in skipped/missed entries.
From Minoura Makoto.
12) Fix regression from a recent 3c59x bug fix, from Neil Horman.
13) Fix list corruption in bna driver, from Ivan Vecera.
14) Big endian machines crash on vlan add in bnx2x, fix from Michal
Schmidt.
15) Ethtool RSS configuration not propagated properly in mlx5 driver,
from Tariq Toukan.
16) Fix regression in PHY probing in stmmac driver, from Gabriel
Fernandez.
17) Fix SKB tailroom calculation in igmp/mld code, from Benjamin
Poirier.
18) A past change to skip empty routing headers in ipv6 extention header
parsing accidently caused fragment headers to not be matched any
longer. Fix from Florian Westphal.
19) eTSEC-106 erratum needs to be applied to more gianfar chips, from
Atsushi Nemoto.
20) Fix netdev reference after free via workqueues in usb networking
drivers, from Oliver Neukum and Bjørn Mork.
21) mdio->irq is now an array rather than a pointer to dynamic memory,
but several drivers were still trying to free it :-/ Fixes from
Colin Ian King.
22) act_ipt iptables action forgets to set the family field, thus LOG
netfilter targets don't work with it. Fix from Phil Sutter.
23) SKB leak in ibmveth when skb_linearize() fails, from Thomas Falcon.
24) pskb_may_pull() cannot be called with interrupts disabled, fix code
that tries to do this in vmxnet3 driver, from Neil Horman.
25) be2net driver leaks iomap'd memory on removal, fix from Douglas
Miller.
26) Forgotton RTNL mutex unlock in ppp_create_interface() error paths,
from Guillaume Nault.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (97 commits)
ppp: release rtnl mutex when interface creation fails
cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
tcp: fix tcpi_segs_in after connection establishment
net: hns: fix the bug about loopback
jme: Fix device PM wakeup API usage
jme: Do not enable NIC WoL functions on S0
udp6: fix UDP/IPv6 encap resubmit path
be2net: Don't leak iomapped memory on removal.
vmxnet3: avoid calling pskb_may_pull with interrupts disabled
net: ethernet: Add missing MFD_SYSCON dependency on HAS_IOMEM
ibmveth: check return of skb_linearize in ibmveth_start_xmit
cdc_ncm: toggle altsetting to force reset before setup
usbnet: cleanup after bind() in probe()
mlxsw: pci: Correctly determine if descriptor queue is full
mlxsw: spectrum: Always decrement bridge's ref count
tipc: fix nullptr crash during subscription cancel
net: eth: altera: do not free array priv->mdio->irq
net/ethoc: do not free array priv->mdio->irq
net: sched: fix act_ipt for LOG target
asix: do not free array priv->mdio->irq
...
Pull overlayfs fixes from Miklos Szeredi:
"Overlayfs bug fixes. All marked as -stable material"
* 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
ovl: copy new uid/gid into overlayfs runtime inode
ovl: ignore lower entries when checking purity of non-directory entries
ovl: fix getcwd() failure after unsuccessful rmdir
ovl: fix working on distributed fs as lower layer
This reverts commit dbb17a21c1.
It turns out that commit can cause problems for systems with multiple
GPUs, and causes X to hang on at least a HP Pavilion dv7 with hybrid
graphics.
This got noticed originally in 4.4.4, where this patch had already
gotten back-ported, but 4.5-rc7 was verified to have the same problem.
Alexander Deucher says:
"It looks like you have a muxed system so I suspect what's happening is
that one of the display is being reported as connected for both the
IGP and the dGPU and then the desktop environment gets confused or
there some sort problem in the detect functions since the mux is not
switched to the dGPU. I don't see an easy fix unless Dave has any
ideas. I'd say just revert for now"
Reported-by: Jörg-Volker Peetz <jvpeetz@web.de>
Acked-by: Alexander Deucher <Alexander.Deucher@amd.com>
Cc: Dave Airlie <airlied@gmail.com>
Cc: stable@kernel.org # wherever dbb17a21c1 got back-ported
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Add missing rtnl_unlock() in the error path of ppp_create_interface().
Fixes: 58a89ecaca ("ppp: fix lockdep splat in ppp_dev_uninit()")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
usbnet_link_change will call schedule_work and should be
avoided if bind is failing. Otherwise we will end up with
scheduled work referring to a netdev which has gone away.
Instead of making the call conditional, we can just defer
it to usbnet_probe, using the driver_info flag made for
this purpose.
Fixes: 8a34b0ae87 ("usbnet: cdc_ncm: apply usbnet_link_change")
Reported-by: Andrey Konovalov <andreyknvl@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
If final packet (ACK) of 3WHS is lost, it appears we do not properly
account the following incoming segment into tcpi_segs_in
While we are at it, starts segs_in with one, to count the SYN packet.
We do not yet count number of SYN we received for a request sock, we
might add this someday.
packetdrill script showing proper behavior after fix :
// Tests tcpi_segs_in when 3rd packet (ACK) of 3WHS is lost
0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0
+0 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop>
+0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK>
+.020 < P. 1:1001(1000) ack 1 win 32792
+0 accept(3, ..., ...) = 4
+.000 %{ assert tcpi_segs_in == 2, 'tcpi_segs_in=%d' % tcpi_segs_in }%
Fixes: 2efd055c53 ("tcp: add tcpi_segs_in and tcpi_segs_out to tcp_info")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
It will always be passed if the soc is tested the loopback cases. This
patch will fix this bug.
Signed-off-by: Kejian Yan <yankejian@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
According to Documentation/power/devices.txt
The driver should not use device_set_wakeup_enable() which is the policy
for user to decide.
Using device_init_wakeup() to initialize dev->power.should_wakeup and
dev->power.can_wakeup on driver initialization.
And use device_may_wakeup() on suspend to decide if WoL function should
be enabled on NIC.
Reported-by: Diego Viola <diego.viola@gmail.com>
Signed-off-by: Guo-Fu Tseng <cooldavid@cooldavid.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Otherwise it might be back on resume right after going to suspend in
some hardware.
Reported-by: Diego Viola <diego.viola@gmail.com>
Signed-off-by: Guo-Fu Tseng <cooldavid@cooldavid.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
pci_create_root_bus() passes a "parent" pointer to
pci_bus_assign_domain_nr(). When CONFIG_PCI_DOMAINS_GENERIC is defined,
pci_bus_assign_domain_nr() dereferences that pointer. Many callers of
pci_create_root_bus() supply a NULL "parent" pointer, which leads to a NULL
pointer dereference error.
7c67470009 ("PCI: Move domain assignment from arm64 to generic code")
moved the "parent" dereference from arm64 to generic code. Only arm64 used
that code (because only arm64 defined CONFIG_PCI_DOMAINS_GENERIC), and it
always supplied a valid "parent" pointer. Other arches supplied NULL
"parent" pointers but didn't defined CONFIG_PCI_DOMAINS_GENERIC, so they
used a no-op version of pci_bus_assign_domain_nr().
8c7d14746a ("ARM/PCI: Move to generic PCI domains") defined
CONFIG_PCI_DOMAINS_GENERIC on ARM, and many ARM platforms use
pci_common_init(), which supplies a NULL "parent" pointer.
These platforms (cns3xxx, dove, footbridge, iop13xx, etc.) crash
with a NULL pointer dereference like this while probing PCI:
Unable to handle kernel NULL pointer dereference at virtual address 000000a4
PC is at pci_bus_assign_domain_nr+0x10/0x84
LR is at pci_create_root_bus+0x48/0x2e4
Kernel panic - not syncing: Attempted to kill init!
[bhelgaas: changelog, add "Reported:" and "Fixes:" tags]
Reported: http://forum.doozan.com/read.php?2,17868,22070,quote=1
Fixes: 8c7d14746a ("ARM/PCI: Move to generic PCI domains")
Fixes: 7c67470009 ("PCI: Move domain assignment from arm64 to generic code")
Signed-off-by: Krzysztof Hałasa <khalasa@piap.pl>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
CC: stable@vger.kernel.org # v4.0+
IPv4 interprets a negative return value from a protocol handler as a
request to redispatch to a new protocol. In contrast, IPv6 interprets a
negative value as an error, and interprets a positive value as a request
for redispatch.
UDP for IPv6 was unaware of this difference. Change __udp6_lib_rcv() to
return a positive value for redispatch. Note that the socket's
encap_rcv hook still needs to return a negative value to request
dispatch, and in the case of IPv6 packets, adjust IP6CB(skb)->nhoff to
identify the byte containing the next protocol.
Signed-off-by: Bill Sommerfeld <wsommerfeld@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The adapter->pcicfg resource is either mapped via pci_iomap() or
derived from adapter->db. During be_remove() this resource was ignored
and so could remain mapped after remove.
Add a flag to track whether adapter->pcicfg was mapped or not, then
use that flag in be_unmap_pci_bars() to unmap if required.
Fixes: 25848c901 ("use PCI MMIO read instead of config read for errors")
Signed-off-by: Douglas Miller <dougmill@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
vmxnet3 has a function vmxnet3_parse_and_copy_hdr which, among other operations,
uses pskb_may_pull to linearize the header portion of an skb. That operation
eventually uses local_bh_disable/enable to ensure that it doesn't race with the
drivers bottom half handler. Unfortunately, vmxnet3 preforms this
parse_and_copy operation with a spinlock held and interrupts disabled. This
causes us to run afoul of the WARN_ON_ONCE(irqs_disabled()) warning in
local_bh_enable, resulting in this:
WARNING: at kernel/softirq.c:159 local_bh_enable+0x59/0x90() (Not tainted)
Hardware name: VMware Virtual Platform
Modules linked in: ipv6 ppdev parport_pc parport microcode e1000 vmware_balloon
vmxnet3 i2c_piix4 sg ext4 jbd2 mbcache sd_mod crc_t10dif sr_mod cdrom mptspi
mptscsih mptbase scsi_transport_spi pata_acpi ata_generic ata_piix vmwgfx ttm
drm_kms_helper drm i2c_core dm_mirror dm_region_hash dm_log dm_mod [last
unloaded: mperf]
Pid: 6229, comm: sshd Not tainted 2.6.32-616.el6.i686 #1
Call Trace:
[<c04624d9>] ? warn_slowpath_common+0x89/0xe0
[<c0469e99>] ? local_bh_enable+0x59/0x90
[<c046254b>] ? warn_slowpath_null+0x1b/0x20
[<c0469e99>] ? local_bh_enable+0x59/0x90
[<c07bb936>] ? skb_copy_bits+0x126/0x210
[<f8d1d9fe>] ? ext4_ext_find_extent+0x24e/0x2d0 [ext4]
[<c07bc49e>] ? __pskb_pull_tail+0x6e/0x2b0
[<f95a6164>] ? vmxnet3_xmit_frame+0xba4/0xef0 [vmxnet3]
[<c05d15a6>] ? selinux_ip_postroute+0x56/0x320
[<c0615988>] ? cfq_add_rq_rb+0x98/0x110
[<c0852df8>] ? packet_rcv+0x48/0x350
[<c07c5839>] ? dev_queue_xmit_nit+0xc9/0x140
...
Fix it by splitting vmxnet3_parse_and_copy_hdr into two functions:
vmxnet3_parse_hdr, which sets up the internal/on stack ctx datastructure, and
pulls the skb (both of which can be done without holding the spinlock with irqs
disabled
and
vmxnet3_copy_header, which just copies the skb to the tx ring under the lock
safely.
tested and shown to correct the described problem. Applies cleanly to the head
of the net tree
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Shrikrishna Khare <skhare@vmware.com>
CC: "VMware, Inc." <pv-drivers@vmware.com>
CC: "David S. Miller" <davem@davemloft.net>
Acked-by: Shrikrishna Khare <skhare@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
iwlwifi
* free firmware paging memory when the module is unloaded or device removed
* fix pending frames counter to fix an issue when removing stations
ssb
* fix a build problem related to ssb_fill_sprom_with_fallback()
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAABAgAGBQJW2bUaAAoJEG4XJFUm622bfrAH/jy7VHux59vq30TGhNwBZKWi
Klgx4KPhv93kS9pj6eSN5QdSQ9JeYtSryo9d+isy/T77z3phrmmOPyjBbgWRm3eV
RGUccrhvpNRRoLhdNX2r6ubbwJ8MU3w/CIEK9RO16hxKu6XPqP1U9sfoxqQ7hswH
DKeTeu7nMfahe9923amo2wgSDkad14V8EaX009JHsh61QPyLF3QG8670PLwU2uFI
j4ThpMNBrgBsbtIr8qPfGDu1SvDClKhAIRjdCIylRRX3QScNfT81491N+uJafcyM
d4xiPyFFXzNtaYqYYVfN8DzJGseCI63wHN7KmzB405mAs9ciA2263GIen7ySXvg=
=LfgZ
-----END PGP SIGNATURE-----
Merge tag 'wireless-drivers-for-davem-2016-03-04' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
Kalle Valo says:
====================
wireless-drivers fixes for 4.5
iwlwifi
* free firmware paging memory when the module is unloaded or device removed
* fix pending frames counter to fix an issue when removing stations
ssb
* fix a build problem related to ssb_fill_sprom_with_fallback()
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
The MFD_SYSCON depends on HAS_IOMEM so when selecting it avoid unmet
direct dependencies.
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
If skb_linearize fails, the driver should drop the packet
instead of trying to copy it into the bounce buffer.
Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Some devices will silently fail setup unless they are reset first.
This is necessary even if the data interface is already in
altsetting 0, which it will be when the device is probed for the
first time. Briefly toggling the altsetting forces a function
reset regardless of the initial state.
This fixes a setup problem observed on a number of Huawei devices,
appearing to operate in NTB-32 mode even if we explicitly set them
to NTB-16 mode.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Correct a typo introduced by
d0cdf90031 ("EDAC, sb_edac: Add Knights Landing (Xeon Phi gen 2) support")
As a result under some configurations DIMMs were not correctly
recognized. Problem affects only Xeon Phi architecture.
Signed-off-by: Hubert Chrzaniuk <hubert.chrzaniuk@intel.com>
Acked-by: Aristeu Rozanski <aris@redhat.com>
Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Cc: lukasz.anaczkowski@intel.com
Link: http://lkml.kernel.org/r/1457361045-26221-1-git-send-email-hubert.chrzaniuk@intel.com
Signed-off-by: Borislav Petkov <bp@suse.de>
The recent commit [0bdf5a0564: drm/i915: Add reverse mapping between
port and intel_encoder] introduced a reverse mapping to retrieve
intel_dig_port object from the port number. The code assumed that the
port vs intel_dig_port are 1:1 mapping. But in reality, this was a
too naive assumption.
As Martin reported about the missing HDMI audio on his SNB machine,
pre-HSW chips may have multiple intel_dig_port objects corresponding
to the same port. Since we assign the mapping statically at the init
time and the multiple objects override the map, it may not match with
the actually enabled output.
This patch tries to address the regression above. The reverse mapping
is provided basically only for the audio callbacks, so now we set /
clear the mapping dynamically at enabling and disabling HDMI/DP audio,
so that we can always track the latest and correct object
corresponding to the given port.
Fixes: 0bdf5a0564 ('drm/i915: Add reverse mapping between port and intel_encoder')
Reported-and-tested-by: Martin Kepplinger <martink@posteo.de>
Cc: drm-intel-fixes@lists.freedesktop.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Tested-by: Martin Kepplinger <martink@posteo.de>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1456324522-21591-1-git-send-email-tiwai@suse.de
(cherry picked from commit 9dfbffcf4a)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
In case bind() works, but a later error forces bailing
in probe() in error cases work and a timer may be scheduled.
They must be killed. This fixes an error case related to
the double free reported in
http://www.spinics.net/lists/netdev/msg367669.html
and needs to go on top of Linus' fix to cdc-ncm.
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Pirko says:
====================
mlxsw: couple of fixes
Couple of fixes from Ido.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
The descriptor queues for sending (SDQs) and receiving (RDQs) packets
are managed by two counters - producer and consumer - which are both
16-bit in size. A queue is considered full when the difference between
the two equals the queue's maximum number of descriptors.
However, if the producer counter overflows, then it's possible for the
full queue check to fail, as it doesn't take the overflow into account.
In such a case, descriptors already passed to the device - but for which
a completion has yet to be posted - will be overwritten, thereby causing
undefined behavior. The above can be achieved under heavy load (~30
netperf instances).
Fix that by casting the subtraction result to u16, preventing it from
being treated as a signed integer.
Fixes: eda6500a98 ("mlxsw: Add PCI bus implementation")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Since we only support one VLAN filtering bridge we need to associate a
reference count with it, so that when the last port netdev leaves it, we
would know that a different bridge can be offloaded to hardware.
When a LAG device is memeber in a bridge and port netdevs are leaving
the LAG, we should always decrement the bridge's reference count, as it's
incremented for any port in the LAG.
Fixes: 4dc236c317 ("mlxsw: spectrum: Handle port leaving LAG while bridged")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
As we now store the etnaviv_vram_mapping, we no longer need to store
the iova itself: we can get this directly from the mapping structure.
Arrange for submit_bo() to return a pointer to etnaviv_gem_submit_bo,
and directly access mapping->iova when applying relocations.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Currently, we scan the list of mappings each time we want to operate on
the vram_mapping struct. Rather than repeatedly scanning these, look
them up once in the submission path, and then use _reference and
_unreference methods as necessary to manage this object.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Improve the readibility of the function which inserts command buffers
and other maintanence commands into the GPUs ring buffer. We do this
by splitting the ring buffer reservation in two: one chunk for any
commands that need to be issued prior to the command buffer, and a
separate chunk for commands issued after the buffer.
The result is a much more obvious code flow in this function, and
localisation of the conditional maintanence commands prior to the
command buffer.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Clean up the GPU command submission path to prepare for the next change.
This makes the next change easier to read and understand.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Use the previous GPU pipe state when deciding which GPU caches should
be flushed prior to switching the current pipe. This avoids infering
what the previously selected pipe was, and potentially flushing the
wrong caches.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Flush the GPU caches to ensure that any dirty data is pushed out before
stopping the front end.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Add tracking of the current execution state (iow, active GPU pipe).
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Extract out the arming of a semaphore from the pipe select code.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Extract out the replacement of the WAIT command with some other command.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Provide a helper etnaviv_buffer_reserve() to ensure that we can fit a
set of commands into the ring buffer without wrapping by moving code
out of etnaviv_buffer_queue().
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
If the end of the system DMA window is farther away from the start of
physical RAM than the size of the GPU linear window, move the linear
window so that it ends at the same address than the system DMA window.
This allows to map command buffer from CMA, which is likely to reside
at the end of the system DMA window, while also overlapping as much
RAM as possible, in order to optimize regular buffer mappings through
the linear window.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
The retire worker is kicked for each fence, either the normal way
by signaling the fence from the event completion interrupt or by
the recover worker if the GPU got stuck. Moving the RPM put into
the retire worker allows us to have it in a single place for
both cases.
This also shaves off quite a bit of the CPU time spent in hardirq
context, as arming the autosuspend timer when the RPM refcount
drops to 0 is a relatively costly operation.
Tested-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
This is far too big a set of fixes for this late in the release cycle
but the overwhelming bulk is essentially the same simple fix from
Takashi for a cut'n'pasted 64 bit cleanliness issue in the userspace
interface where drivers were accessing things using the wrong element in
a union which worked OK on 32 bit platforms as the correct element
happened to be aligned the same way but with 64 bit platforms ABIs are
different and the two members of the union are laid out in different
places. They aren't all tagged to stable since some of these chips have
vanishingly little chance of being used in 64 bit systems.
The other changes are:
- A fix for Qualcomm devices to work on big endian systems. The
original change is actually correct but triggered a bug in regmap
which is too invasive to fix for this cycle and can be worked around
by just letting regmap pick the default.
- A fix for the Samsung I2S driver locking which wasn't using IRQ safe
spinlocks when it needed to.
- A fix for the new Intel Sky Lake driver forgetting that C pointer
arithmetic takes the type of the pointer into consideration.
- A revert of a change to the FSL SSI driver that broke some systems.
- A fix for the cleanup path of the wm9713 driver.
- A fix for some incorrect register definitions in the ADAU17x1 driver
that caused misclocking in some configurations.
- A fix for the tracepoints for jack detection to avoid using an
internal field of the core jack structure which is no longer present
in all configurations.
- A fix for another of the new Intel drivers which tried to write to a
string literal.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJW3OpsAAoJECTWi3JdVIfQ/lMH/05/atIZLFI3tfxpp9P1zCD2
6BH6aUtGEz8uh7wpfLlgUKvBhFZxZmr2aYHiuD2c2UQYWJ5L14GavkUvrohQ1oBp
6LGN2pJ/0uhQ6XnFHcYnJt5C3pdQspNxaNZBCTdLQZDjjki13Q8jXVL2vToFFbpK
vFEHLqeuwtSLgtgNJMHHLR6o5QpfX7lcMGKwsfNI8k5b+2j5UDh+fwGQcnU9wueU
FyxIy9FNlHd1nWwQDNyGL06pMKazsPV6KaPDXa/rG6RsOBxpjz+5JgCVKmAh7EUp
/qUS2Xy0DVTkedtunnA9EIIHyfC1zuFjeH6lU2UyP/A2kcMlzpNyt7uMRK0dolg=
=+Y7p
-----END PGP SIGNATURE-----
Merge tag 'asoc-fix-v4.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
ASoC: Fixes for v4.5
This is far too big a set of fixes for this late in the release cycle
but the overwhelming bulk is essentially the same simple fix from
Takashi for a cut'n'pasted 64 bit cleanliness issue in the userspace
interface where drivers were accessing things using the wrong element in
a union which worked OK on 32 bit platforms as the correct element
happened to be aligned the same way but with 64 bit platforms ABIs are
different and the two members of the union are laid out in different
places. They aren't all tagged to stable since some of these chips have
vanishingly little chance of being used in 64 bit systems.
The other changes are:
- A fix for Qualcomm devices to work on big endian systems. The
original change is actually correct but triggered a bug in regmap
which is too invasive to fix for this cycle and can be worked around
by just letting regmap pick the default.
- A fix for the Samsung I2S driver locking which wasn't using IRQ safe
spinlocks when it needed to.
- A fix for the new Intel Sky Lake driver forgetting that C pointer
arithmetic takes the type of the pointer into consideration.
- A revert of a change to the FSL SSI driver that broke some systems.
- A fix for the cleanup path of the wm9713 driver.
- A fix for some incorrect register definitions in the ADAU17x1 driver
that caused misclocking in some configurations.
- A fix for the tracepoints for jack detection to avoid using an
internal field of the core jack structure which is no longer present
in all configurations.
- A fix for another of the new Intel drivers which tried to write to a
string literal.
Errata id: i877
Description:
------------
The RGMII 1000 Mbps Transmit timing is based on the output clock
(rgmiin_txc) being driven relative to the rising edge of an internal
clock and the output control/data (rgmiin_txctl/txd) being driven relative
to the falling edge of an internal clock source. If the internal clock
source is allowed to be static low (i.e., disabled) for an extended period
of time then when the clock is actually enabled the timing delta between
the rising edge and falling edge can change over the lifetime of the
device. This can result in the device switching characteristics degrading
over time, and eventually failing to meet the Data Manual Delay Time/Skew
specs.
To maintain RGMII 1000 Mbps IO Timings, SW should minimize the
duration that the Ethernet internal clock source is disabled. Note that
the device reset state for the Ethernet clock is "disabled".
Other RGMII modes (10 Mbps, 100Mbps) are not affected
Workaround:
-----------
If the SoC Ethernet interface(s) are used in RGMII mode at 1000 Mbps,
SW should minimize the time the Ethernet internal clock source is disabled
to a maximum of 200 hours in a device life cycle. This is done by enabling
the clock as early as possible in IPL (QNX) or SPL/u-boot (Linux/Android)
by setting the register CM_GMAC_CLKSTCTRL[1:0]CLKTRCTRL = 0x2:SW_WKUP.
So, do not allow to gate the cpsw clocks using ti,no-idle property in
cpsw node assuming 1000 Mbps is being used all the time. If someone does
not need 1000 Mbps and wants to gate clocks to cpsw, this property needs
to be deleted in their respective board files.
Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com>
Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Walmsley <paul@pwsan.com>
