Commit Graph

496010 Commits

Author SHA1 Message Date
Eric Nelson
58cc9c9a17 ASoC: sgtl5000: add delay before first I2C access
To quote from section 1.3.1 of the data sheet:
	The SGTL5000 has an internal reset that is deasserted
	8 SYS_MCLK cycles after all power rails have been brought
	up. After this time, communication can start

	...
	1.0us represents 8 SYS_MCLK cycles at the minimum 8.0 MHz SYS_MCLK.

Signed-off-by: Eric Nelson <eric.nelson@boundarydevices.com>
Reviewed-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
2015-02-03 13:08:41 +00:00
Will Deacon
8e64806672 ARM: 8299/1: mm: ensure local active ASID is marked as allocated on rollover
Commit e1a5848e33 ("ARM: 7924/1: mm: don't bother with reserved ttbr0
when running with LPAE") removed the use of the reserved TTBR0 value
for LPAE systems, since the ASID is held in the TTBR and can be updated
atomicly with the pgd of the next mm.

Unfortunately, this patch forgot to update flush_context, which
deliberately avoids marking the local active ASID as allocated, since we
used to switch via ASID zero and didn't need to allocate the ASID of
the previous mm. The side-effect of this is that we can allocate the
same ASID to the next mm and, between flushing the local TLB and updating
TTBR0, we can perform speculative TLB fills for userspace nG mappings
using the page table of the previous mm.

The consequence of this is that the next mm can erroneously hit some
mappings of the previous mm. Note that this was made significantly
harder to hit by a391263cd8 ("ARM: 8203/1: mm: try to re-use old ASID
assignments following a rollover") but is still theoretically possible.

This patch fixes the problem by removing the code from flush_context
that forces the allocated ASID to zero for the local CPU. Many thanks
to the Broadcom guys for tracking this one down.

Fixes: e1a5848e33 ("ARM: 7924/1: mm: don't bother with reserved ttbr0 when running with LPAE")

Cc: <stable@vger.kernel.org> # v3.14+
Reported-by: Raymond Ngun <rngun@broadcom.com>
Tested-by: Raymond Ngun <rngun@broadcom.com>
Reviewed-by: Gregory Fong <gregory.0xf0@gmail.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2015-02-03 12:57:33 +00:00
Robin Gong
a02bb401f8 spi: imx: use pio mode for i.mx6dl
For TKT238285 hardware issue which may cause txfifo store data twice can only
be caught on i.mx6dl, we use pio mode instead of DMA mode on i.mx6dl.

Fixes: f62caccd12 (spi: spi-imx: add DMA support)
Signed-off-by: Robin Gong <b38343@freescale.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
2015-02-03 12:17:01 +00:00
Mikulas Patocka
3e87523897 sched/wait: Remove might_sleep() from wait_event_cmd()
The patch e22b886a8a ("sched/wait: Add might_sleep() checks")
introduced a bug in the raid5 subsystem.

The function raid5_quiesce() (and resize_stripes()) uses the 'cmd'
part to release and acquire a spinlock (so we call the sleep
primitives in atomic context), and therefore we cannot do the
might_sleep() check.

Remove it.

Fixes: e22b886a8a ("sched/wait: Add might_sleep() checks")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1502020935580.13510@file01.intranet.prod.int.rdu2.redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2015-02-03 12:14:25 +01:00
David Vrabel
42b5212fee xen-netback: stop the guest rx thread after a fatal error
After commit e9d8b2c296 (xen-netback:
disable rogue vif in kthread context), a fatal (protocol) error would
leave the guest Rx thread spinning, wasting CPU time.  Commit
ecf08d2dbb (xen-netback: reintroduce
guest Rx stall detection) made this even worse by removing a
cond_resched() from this path.

Since a fatal error is non-recoverable, just allow the guest Rx thread
to exit.  This requires taking additional refs to the task so the
thread exiting early is handled safely.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reported-by: Julien Grall <julien.grall@linaro.org>
Tested-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-02-02 19:39:04 -08:00
Jack Morgenstein
5a2e87b168 net/mlx4_core: Fix kernel Oops (mem corruption) when working with more than 80 VFs
Commit de966c5928 (net/mlx4_core: Support more than 64 VFs) was meant to
allow up to 126 VFs.  However, due to leaving MLX4_MFUNC_MAX too low, using
more than 80 VFs resulted in memory corruptions (and Oopses) when more than
80 VFs were requested. In addition, the number of slaves was left too high.

This commit fixes these issues.

Fixes: de966c5928 ("net/mlx4_core: Support more than 64 VFs")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Amir Vadai <amirv@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-02-02 19:38:04 -08:00
Dan Carpenter
c101cff901 isdn: off by one in connect_res()
The bug here is that we use "Reject" as the index into the cau_t[] array
in the else path.  Since the cau_t[] has 9 elements if Reject == 9 then
we are reading beyond the end of the array.

My understanding of the code is that it's saying that if Reject is 1 or
too high then that's invalid and we should hang up.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-02-02 19:33:18 -08:00
David S. Miller
3ae55826ae Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:

====================
Netfilter/IPVS fixes for net

The following patchset contains Netfilter/IPVS fixes for your net tree,
they are:

1) Validate hooks for nf_tables NAT expressions, otherwise users can
   crash the kernel when using them from the wrong hook. We already
   got one user trapped on this when configuring masquerading.

2) Fix a BUG splat in nf_tables with CONFIG_DEBUG_PREEMPT=y. Reported
   by Andreas Schultz.

3) Avoid unnecessary reroute of traffic in the local input path
   in IPVS that triggers a crash in in xfrm. Reported by Florian
   Wiessner and fixes by Julian Anastasov.

4) Fix memory and module refcount leak from the error path of
   nf_tables_newchain().
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-02-02 19:30:53 -08:00
Richard Weinberger
e6b02be81b Documentation: Update netlink_mmap.txt
Update netlink_mmap.txt wrt. commit 4682a03586
("netlink: Always copy on mmap TX.").

Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-02-02 18:50:00 -08:00
David L Stevens
44ba582bea sunvnet: set queue mapping when doing packet copies
This patch fixes a bug where vnet_skb_shape() didn't set the already-selected
queue mapping when a packet copy was required. This results in using the
wrong queue index for stops/starts, hung tx queues and watchdog timeouts
under heavy load.

Signed-off-by: David L Stevens <david.stevens@oracle.com>
Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-02-02 18:20:35 -08:00
Marcelo Leitner
61132bf7fb qlge: Fix qlge_update_hw_vlan_features to handle if interface is down
Currently qlge_update_hw_vlan_features() will always first put the
interface down, then update features and then bring it up again. But it
is possible to hit this code while the adapter is down and this causes a
non-paired call to napi_disable(), which will get stuck.

This patch fixes it by skipping these down/up actions if the interface
is already down.

Fixes: a45adbe8d3 ("qlge: Enhance nested VLAN (Q-in-Q) handling.")
Cc: Harish Patil <harish.patil@qlogic.com>
Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-02-02 17:51:14 -08:00
Dave Airlie
86640966f6 Merge tag 'drm-amdkfd-fixes-2015-02-02' of git://people.freedesktop.org/~gabbayo/linux into drm-fixes
Three small fixes that came up during last week, nothing scary:

- Accidently incremented a counter instead of decrementing it (copy-paste error)
- Module parameter of max num of queues must be at least 1 and not 0
- Don't do BUG() as a result from wrong user input

* tag 'drm-amdkfd-fixes-2015-02-02' of git://people.freedesktop.org/~gabbayo/linux:
  drm/amdkfd: Don't create BUG due to incorrect user parameter
  drm/amdkfd: max num of queues can't be 0
  drm/amdkfd: Fix bug in accounting of queues
2015-02-03 11:21:11 +10:00
Dave Airlie
92773fc77e Merge branch 'drm-fixes-3.19' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
One last round of fixes for radeon for 3.19:
- fix some fallout from the reservation object integration on the
  test/benchmark options
- fix a crash in the gpu vm code if gfx init fails
- fix a pll issue that leads to a blank screen on older IGP parts

* 'drm-fixes-3.19' of git://people.freedesktop.org/~agd5f/linux:
  drm/radeon: fix the crash in test functions
  drm/radeon: fix the crash in benchmark functions
  drm/radeon: properly set vm fragment size for TN/RL
  drm/radeon: don't init gpuvm if accel is disabled (v3)
  drm/radeon: fix PLLs on RS880 and older v2
2015-02-03 11:20:39 +10:00
Ilija Hadzic
92b712b739 drm/radeon: fix the crash in test functions
radeon_copy_dma and radeon_copy_blit must be called with
a valid reservation object. Otherwise a crash will be provoked.
We borrow the object from vram BO.

bug:
https://bugs.freedesktop.org/show_bug.cgi?id=88464

Cc: stable@vger.kernel.org
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Ilija Hadzic <ihadzic@research.bell-labs.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2015-02-02 11:39:36 -05:00
Ilija Hadzic
3f5e1b4f58 drm/radeon: fix the crash in benchmark functions
radeon_copy_dma and radeon_copy_blit must be called with
a valid reservation object. Otherwise a crash will be provoked.
We borrow the object from destination BO.

bug:
https://bugs.freedesktop.org/show_bug.cgi?id=88464

Cc: stable@vger.kernel.org
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Ilija Hadzic <ihadzic@research.bell-labs.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2015-02-02 11:39:35 -05:00
Alex Deucher
a124d068bf drm/radeon: properly set vm fragment size for TN/RL
Should be the same as cayman.  We don't use VM by default
on NI parts so this isn't critical.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
2015-02-02 11:39:34 -05:00
Alex Deucher
544143f9e0 drm/radeon: don't init gpuvm if accel is disabled (v3)
If acceleration is disabled, it does not make sense
to init gpuvm since nothing will use it.  Moreover,
if radeon_vm_init() gets called it uses accel to try
and clear the pde tables, etc. which results in a bug.

v2: handle vm_fini as well
v3: handle bo_open/close as well

Bug:
https://bugs.freedesktop.org/show_bug.cgi?id=88786

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
2015-02-02 11:39:33 -05:00
Christian König
72edd83cc9 drm/radeon: fix PLLs on RS880 and older v2
This is a workaround for RS880 and older chips which seem to have
an additional limit on the minimum PLL input frequency.

v2: fix signed/unsigned warning

bugs:
https://bugzilla.kernel.org/show_bug.cgi?id=91861
https://bugzilla.kernel.org/show_bug.cgi?id=83461

Signed-off-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
2015-02-02 11:39:33 -05:00
Charlotte Richardson
51ac3d2f0c PCI: Add NEC variants to Stratus ftServer PCIe DMI check
NEC OEMs the same platforms as Stratus does, which have multiple devices on
some PCIe buses under downstream ports.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=51331
Fixes: 1278998f8f ("PCI: Work around Stratus ftServer broken PCIe hierarchy (fix DMI check)")
Signed-off-by: Charlotte Richardson <charlotte.richardson@stratus.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: stable@vger.kernel.org	# v3.5+
CC: Myron Stowe <myron.stowe@redhat.com>
2015-02-02 09:36:23 -06:00
Brian King
3a9794d329 sd: Fix max transfer length for 4k disks
The following patch fixes an issue observed with 4k sector disks
where the max_hw_sectors attribute was getting set too large in
sd_revalidate_disk. Since sdkp->max_xfer_blocks is in units
of SCSI logical blocks and queue_max_hw_sectors is in units of
512 byte blocks, on a 4k sector disk, every time we went through
sd_revalidate_disk, we were taking the current value of
queue_max_hw_sectors and increasing it by a factor of 8. Fix
this by only shifting sdkp->max_xfer_blocks.

Cc: stable@vger.kernel.org
Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
2015-02-02 13:46:29 +01:00
Mike Christie
28072ad50c scsi: fix device handler detach oops
This fixes a regression caused by commit 1d5203 ("scsi: handle more device
handler setup/teardown in common code").

The bug is that the alua detach() callout will try to access the
sddev->scsi_dh_data, but we have already set it to NULL. This patch
moves the clearing of that field to after detach() is called.

Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: Christoph Hellwig <hch@lst.de>
2015-02-02 13:45:28 +01:00
Jie Yang
97fa99a3b8 MAINTAINERS: ASoC: add maintainer for Intel BDW/HSW ASoC driver
Adding myself as the Intel BDW/HSW ASoC driver maintainer.

Signed-off-by: Jie Yang <yang.jie@intel.com>
Acked-by: Liam Girdwood <lgirdwood@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-02 12:00:20 +00:00
Oded Gabbay
b9dce23ddc drm/amdkfd: Don't create BUG due to incorrect user parameter
This patch changes a BUG_ON() statement to pr_debug, in case the user tries to
update a non-existing queue.

Signed-off-by: Oded Gabbay <oded.gabbay@amd.com>
Reviewed-by: Ben Goz <ben.goz@amd.com>
Reviewed-by: Jammy Zhou <Jammy.Zhou@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
2015-02-02 09:45:24 +02:00
Oded Gabbay
ca400b2a1a drm/amdkfd: max num of queues can't be 0
Signed-off-by: Oded Gabbay <oded.gabbay@amd.com>
Reviewed-by: Jammy Zhou <Jammy.Zhou@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
2015-02-02 09:45:24 +02:00
Oded Gabbay
8b58f26111 drm/amdkfd: Fix bug in accounting of queues
Signed-off-by: Oded Gabbay <oded.gabbay@amd.com>
Reviewed-by: Jammy Zhou <Jammy.Zhou@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
2015-02-02 09:45:24 +02:00
Eric Dumazet
bdbbb8527b ipv4: tcp: get rid of ugly unicast_sock
In commit be9f4a44e7 ("ipv4: tcp: remove per net tcp_sock")
I tried to address contention on a socket lock, but the solution
I chose was horrible :

commit 3a7c384ffd ("ipv4: tcp: unicast_sock should not land outside
of TCP stack") addressed a selinux regression.

commit 0980e56e50 ("ipv4: tcp: set unicast_sock uc_ttl to -1")
took care of another regression.

commit b5ec8eeac4 ("ipv4: fix ip_send_skb()") fixed another regression.

commit 811230cd85 ("tcp: ipv4: initialize unicast_sock sk_pacing_rate")
was another shot in the dark.

Really, just use a proper socket per cpu, and remove the skb_orphan()
call, to re-enable flow control.

This solves a serious problem with FQ packet scheduler when used in
hostile environments, as we do not want to allocate a flow structure
for every RST packet sent in response to a spoofed packet.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-02-01 23:06:19 -08:00
NeilBrown
d959014334 md/bitmap: fix a might_sleep() warning.
commit 8eb23b9f35
    sched: Debug nested sleeps

causes false-positive warnings in RAID5 code.

This annotation removes them and adds a comment
explaining why there is no real problem.

Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: NeilBrown <neilb@suse.de>
2015-02-02 17:08:03 +11:00
NeilBrown
b1b02fe97f md/raid5: fix another livelock caused by non-aligned writes.
If a non-page-aligned write is destined for a device which
is missing/faulty, we can deadlock.

As the target device is missing, a read-modify-write cycle
is not possible.
As the write is not for a full-page, a recontruct-write cycle
is not possible.

This should be handled by logic in fetch_block() which notices
there is a non-R5_OVERWRITE write to a missing device, and so
loads all blocks.

However since commit 67f455486d, that code requires
STRIPE_PREREAD_ACTIVE before it will active, and those circumstances
never set STRIPE_PREREAD_ACTIVE.

So: in handle_stripe_dirtying, if neither rmw or rcw was possible,
set STRIPE_DELAYED, which will cause STRIPE_PREREAD_ACTIVE be set
after a suitable delay.

Fixes: 67f455486d
Cc: stable@vger.kernel.org (v3.16+)
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Tested-by: Heinz Mauelshagen <heinzm@redhat.com>
Signed-off-by: NeilBrown <neilb@suse.de>
2015-02-02 16:57:17 +11:00
Linus Torvalds
e36f014edf Linux 3.19-rc7 2015-02-01 20:07:21 -08:00
Linus Torvalds
fba7e99458 ARM: SoC fixes
One more week's worth of fixes. Worth pointing out here are:
 
 - A patch fixing detaching of iommu registrations when a device is removed --
   earlier the ops pointer wasn't managed properly
 - Another set of Renesas boards get the same GIC setup fixup as others have in
   previous -rcs
 - Serial port aliases fixups for sunxi. We did the same to tegra but we
   caught that in time before the merge window due to more machines being
   affected. Here it took longer for anyone to notice.
 - A couple more DT tweaks on sunxi
 - A follow-up patch for the mvebu coherency disabling in last -rc batch
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJUzl/yAAoJEIwa5zzehBx3/v0P/iU4sCz/HYBwL46lSZZLnFyX
 RDFiq+I6nQFM3CG6oRn0gEi+/GbdyQ/Q6kMbver216pSfymZ+agRFaA6oj1o4HRD
 FQ2Dtz2ytvdkO8uSUzIV+nLJ//3MMwxmXTnB7SrDuzy6VeJ6GHlxxp39jrPCWtgi
 z7eo1bAuEKRQpVqJLBbqaNTsc4+9990zcgz5ChvfCqOvY3rE/AElEF5CMk71TFHW
 NTZQGM/HWteehA3/vTODICrd5SqV3peNAe3n6OMnZEEniUCesnug6IamUMwqKWVb
 y8rgobVV6ow5F0Cr3Zxc9Ufj8R1yayRQoGOdzDfuQ+zPivi2NbseinQgMUVujXYh
 TE/Ea4j+V1bYSY6EA89pAjw2C6e7fIWPOUJbO9hj5Ywc+uzR+ns+GFR2AaBggpFu
 4h0ig0ceOkzTgDWW0fNhH6BysvvczErT1CD0l6B+QgUZQadbSCFcGe8k2pNuJvYG
 f2lq6zUBIaNY5ZO6gu9inrd8UxjutKZM1p80fZc+tCFrm5YfHLFLwJPqfG7+8iEW
 R5OoQ1Jjb5SdO7u1yH2znQtlM9Z1u7bGQ7BkWPfZ0XbkHqiVgCpBUigzlRSgFO0+
 1rITIcwKgfdv8Sw4yngO6C3zFzn9Jz/cvGtW+gEjmSDV0BlhWCfWkTWys3ocdO79
 JSToPOtd87iekn7nHLBY
 =nw2v
 -----END PGP SIGNATURE-----

Merge tag 'armsoc-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

Pull ARM SoC fixes from Olof Johansson:
 "One more week's worth of fixes.  Worth pointing out here are:

   - A patch fixing detaching of iommu registrations when a device is
     removed -- earlier the ops pointer wasn't managed properly
   - Another set of Renesas boards get the same GIC setup fixup as
     others have in previous -rcs
   - Serial port aliases fixups for sunxi.  We did the same to tegra but
     we caught that in time before the merge window due to more machines
     being affected.  Here it took longer for anyone to notice.
   - A couple more DT tweaks on sunxi
   - A follow-up patch for the mvebu coherency disabling in last -rc
     batch"

* tag 'armsoc-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  arm: dma-mapping: Set DMA IOMMU ops in arm_iommu_attach_device()
  ARM: shmobile: r8a7790: Instantiate GIC from C board code in legacy builds
  ARM: shmobile: r8a73a4: Instantiate GIC from C board code in legacy builds
  ARM: mvebu: don't set the PL310 in I/O coherency mode when I/O coherency is disabled
  ARM: sunxi: dt: Fix aliases
  ARM: dts: sun4i: Add simplefb node with de_fe0-de_be0-lcd0-hdmi pipeline
  ARM: dts: sun6i: ippo-q8h-v5: Fix serial0 alias
  ARM: dts: sunxi: Fix usb-phy support for sun4i/sun5i
2015-02-01 13:20:47 -08:00
Linus Torvalds
3441456bfa Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input layer updates from Dmitry Torokhov:
 "Just a few quirks for PS/2 this time"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: elantech - add more Fujtisu notebooks to force crc_enabled
  Input: i8042 - add noloop quirk for Medion Akoya E7225 (MD98857)
  Input: synaptics - adjust min/max for Lenovo ThinkPad X1 Carbon 2nd
2015-02-01 13:16:40 -08:00
Linus Torvalds
00845eb968 sched: don't cause task state changes in nested sleep debugging
Commit 8eb23b9f35 ("sched: Debug nested sleeps") added code to report
on nested sleep conditions, which we generally want to avoid because the
inner sleeping operation can re-set the thread state to TASK_RUNNING,
but that will then cause the outer sleep loop not actually sleep when it
calls schedule.

However, that's actually valid traditional behavior, with the inner
sleep being some fairly rare case (like taking a sleeping lock that
normally doesn't actually need to sleep).

And the debug code would actually change the state of the task to
TASK_RUNNING internally, which makes that kind of traditional and
working code not work at all, because now the nested sleep doesn't just
sometimes cause the outer one to not block, but will cause it to happen
every time.

In particular, it will cause the cardbus kernel daemon (pccardd) to
basically busy-loop doing scheduling, converting a laptop into a heater,
as reported by Bruno Prémont.  But there may be other legacy uses of
that nested sleep model in other drivers that are also likely to never
get converted to the new model.

This fixes both cases:

 - don't set TASK_RUNNING when the nested condition happens (note: even
   if WARN_ONCE() only _warns_ once, the return value isn't whether the
   warning happened, but whether the condition for the warning was true.
   So despite the warning only happening once, the "if (WARN_ON(..))"
   would trigger for every nested sleep.

 - in the cases where we knowingly disable the warning by using
   "sched_annotate_sleep()", don't change the task state (that is used
   for all core scheduling decisions), instead use '->task_state_change'
   that is used for the debugging decision itself.

(Credit for the second part of the fix goes to Oleg Nesterov: "Can't we
avoid this subtle change in behaviour DEBUG_ATOMIC_SLEEP adds?" with the
suggested change to use 'task_state_change' as part of the test)

Reported-and-bisected-by: Bruno Prémont <bonbons@linux-vserver.org>
Tested-by: Rafael J Wysocki <rjw@rjwysocki.net>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Cc: Ilya Dryomov <ilya.dryomov@inktank.com>,
Cc: Mike Galbraith <umgwanakikbuti@gmail.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Peter Hurley <peter@hurleysoftware.com>,
Cc: Davidlohr Bueso <dave@stgolabs.net>,
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-02-01 12:23:32 -08:00
Rainer Koenig
47c1ffb2b6 Input: elantech - add more Fujtisu notebooks to force crc_enabled
Add two more Fujitsu LIFEBOOK models that also ship with the Elantech
touchpad and don't work with crc_disabled to the quirk list.

Signed-off-by: Rainer Koenig <Rainer.Koenig@ts.fujitsu.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2015-02-01 11:51:26 -08:00
Olof Johansson
28111dda37 Third Round of Renesas ARM Based SoC Fixes for v3.19
* Instantiate GIC from C board code in legacy builds on r8a7790 and r8a73a4
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJUytABAAoJENfPZGlqN0++qrkP/R2n+rHBNvZTW4p88IZcZ37O
 7zRXCkcXLHHVfKp8XHEMrhH/Pc7uIonWgq3SIKHDlK9UwAvfOdLPj2CMGm7bN+Ea
 +fgT6Qe1UP9kgbsH1whovsR3CzjLDqxmlhfjTkrmu5UjFNGQuv/iFVkkzViSCDYd
 YkSIYxybAlH3Nd7xxNFG54LzjCPauY2V76JM76/3j24m+zxZverY8sN46PtKryGg
 /toQzuVeimpz4BtObXZAi7Y7eWvvYUtELGshTTGKBmtRhLWGZDrS+60KpMDVoKtK
 f135X2taKm2jIiKPXCPMQTOWsXBls1TuxIGssiIysPU6t5OCSuNd/M1RiKDhZhE3
 J4L4vCMq/Gn2XbYe2+O0PNkLxuWepSZ4VRzALZCPhP48CYGrazP63JWTnjROcC61
 5bxuUtWMUVHF52hEWf6bXEiAEBNZP7u8kBc02drsscQHM/N3SiFcIxK/nGlIVMjy
 Qt01fYR+zZZ2v5OhQHeEe7lBfUMnKA9+QLHR4dJ32oJvyAFiDImLsrEBiVlTDk47
 gYJXmqGp2GWgB1H2mDiopHg+ERsavK9P7FL9juYG3OdvFPFuQwktJDSpN+Y0GZMV
 wRADV2/ylZBw48DidX86TD3gwtV7gP995nHvQJ2nv+/Kjq58uR4AHwn0wVHPldCE
 cDf5IYwdvD0a42id6zb5
 =/Oq9
 -----END PGP SIGNATURE-----

Merge tag 'renesas-soc-fixes3-for-v3.19' of git://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas into fixes

Merge "Third Round of Renesas ARM Based SoC Fixes for v3.19" from Simon Horman:

* Instantiate GIC from C board code in legacy builds on r8a7790 and r8a73a4

* tag 'renesas-soc-fixes3-for-v3.19' of git://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas:
  ARM: shmobile: r8a7790: Instantiate GIC from C board code in legacy builds
  ARM: shmobile: r8a73a4: Instantiate GIC from C board code in legacy builds

Signed-off-by: Olof Johansson <olof@lixom.net>
2015-02-01 08:51:12 -08:00
Eric Dumazet
0d32ef8cef net: sched: fix panic in rate estimators
Doing the following commands on a non idle network device
panics the box instantly, because cpu_bstats gets overwritten
by stats.

tc qdisc add dev eth0 root <your_favorite_qdisc>
... some traffic (one packet is enough) ...
tc qdisc replace dev eth0 root est 1sec 4sec <your_favorite_qdisc>

[  325.355596] BUG: unable to handle kernel paging request at ffff8841dc5a074c
[  325.362609] IP: [<ffffffff81541c9e>] __gnet_stats_copy_basic+0x3e/0x90
[  325.369158] PGD 1fa7067 PUD 0
[  325.372254] Oops: 0000 [#1] SMP
[  325.375514] Modules linked in: ...
[  325.398346] CPU: 13 PID: 14313 Comm: tc Not tainted 3.19.0-smp-DEV #1163
[  325.412042] task: ffff8800793ab5d0 ti: ffff881ff2fa4000 task.ti: ffff881ff2fa4000
[  325.419518] RIP: 0010:[<ffffffff81541c9e>]  [<ffffffff81541c9e>] __gnet_stats_copy_basic+0x3e/0x90
[  325.428506] RSP: 0018:ffff881ff2fa7928  EFLAGS: 00010286
[  325.433824] RAX: 000000000000000c RBX: ffff881ff2fa796c RCX: 000000000000000c
[  325.440988] RDX: ffff8841dc5a0744 RSI: 0000000000000060 RDI: 0000000000000060
[  325.448120] RBP: ffff881ff2fa7948 R08: ffffffff81cd4f80 R09: 0000000000000000
[  325.455268] R10: ffff883ff223e400 R11: 0000000000000000 R12: 000000015cba0744
[  325.462405] R13: ffffffff81cd4f80 R14: ffff883ff223e460 R15: ffff883feea0722c
[  325.469536] FS:  00007f2ee30fa700(0000) GS:ffff88407fa20000(0000) knlGS:0000000000000000
[  325.477630] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  325.483380] CR2: ffff8841dc5a074c CR3: 0000003feeae9000 CR4: 00000000001407e0
[  325.490510] Stack:
[  325.492524]  ffff883feea0722c ffff883fef719dc0 ffff883feea0722c ffff883ff223e4a0
[  325.499990]  ffff881ff2fa79a8 ffffffff815424ee ffff883ff223e49c 000000015cba0744
[  325.507460]  00000000f2fa7978 0000000000000000 ffff881ff2fa79a8 ffff883ff223e4a0
[  325.514956] Call Trace:
[  325.517412]  [<ffffffff815424ee>] gen_new_estimator+0x8e/0x230
[  325.523250]  [<ffffffff815427aa>] gen_replace_estimator+0x4a/0x60
[  325.529349]  [<ffffffff815718ab>] tc_modify_qdisc+0x52b/0x590
[  325.535117]  [<ffffffff8155edd0>] rtnetlink_rcv_msg+0xa0/0x240
[  325.540963]  [<ffffffff8155ed30>] ? __rtnl_unlock+0x20/0x20
[  325.546532]  [<ffffffff8157f811>] netlink_rcv_skb+0xb1/0xc0
[  325.552145]  [<ffffffff8155b355>] rtnetlink_rcv+0x25/0x40
[  325.557558]  [<ffffffff8157f0d8>] netlink_unicast+0x168/0x220
[  325.563317]  [<ffffffff8157f47c>] netlink_sendmsg+0x2ec/0x3e0

Lets play safe and not use an union : percpu 'pointers' are mostly read
anyway, and we have typically few qdiscs per host.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Fixes: 22e0f8b932 ("net: sched: make bstats per cpu and estimator RCU safe")
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-31 17:49:37 -08:00
Haiyang Zhang
d953ca4ddf hyperv: Fix the error processing in netvsc_send()
The existing code frees the skb in EAGAIN case, in which the skb will be
retried from upper layer and used again.
Also, the existing code doesn't free send buffer slot in error case, because
there is no completion message for unsent packets.
This patch fixes these problems.

(Please also include this patch for stable trees. Thanks!)

Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-31 17:31:49 -08:00
Linus Torvalds
788807d7ca Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fixes from Wolfram Sang:
 "i2c driver bugfixes (s3c2410, slave-eeprom, sh_mobile), size
  regression "bugfix" (i2c slave), documentation bugfix (st).

  Also, one documentation update (da9063), so some devicetrees can now
  be verified"

* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: sh_mobile: terminate DMA reads properly
  i2c: Only include slave support if selected
  i2c: s3c2410: fix ABBA deadlock by keeping clock prepared
  i2c: slave-eeprom: fix boundary check when using sysfs
  i2c: st: Rename clock reference to something that exists
  DT: i2c: Add devices handled by the da9063 MFD driver
2015-01-31 10:34:25 -08:00
Linus Torvalds
2141fd0181 Char/misc driver fixes for 3.19-rc7
Here are two tiny patches, one fixing up the drivers/Kconfig file, and
 one adding a MAINTAINERS entry for the UIO git tree.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iEYEABECAAYFAlTML2MACgkQMUfUDdst+ynVBQCfUDkF9rW1UziWD7z1suWoIb46
 wa8An0Szv5VAQXctCojeRWDPqZHPyVlD
 =Kje6
 -----END PGP SIGNATURE-----

Merge tag 'char-misc-3.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char/misc driver fixes from Greg KH:
 "Here are two tiny patches, one fixing up the drivers/Kconfig file, and
  one adding a MAINTAINERS entry for the UIO git tree"

* tag 'char-misc-3.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  drivers/Kconfig: remove duplicate entry for soc
  MAINTAINERS: add git url entry for UIO
2015-01-30 19:49:44 -08:00
Linus Torvalds
5921dfe8dc Staging tree fixes for 3.19-rc7
Here are two tiny staging tree fixes.  One for the nvec driver to
 resolve a reported problem, and one to add a MAINTAINERS entry for the
 Android drivers.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iEYEABECAAYFAlTML9gACgkQMUfUDdst+ylHaQCeKSr7xYfSFhLpm+Uulqddn6xS
 FP0An1cX7t2NCj5glf69MmP6gIKD45Lx
 =Xje7
 -----END PGP SIGNATURE-----

Merge tag 'staging-3.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging tree fixes from Greg KH:
 "Here are two tiny staging tree fixes.  One for the nvec driver to
  resolve a reported problem, and one to add a MAINTAINERS entry for the
  Android drivers"

* tag 'staging-3.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  MAINTAINERS: add Android driver entries
  staging: nvec: specify a platform-device base id
2015-01-30 19:44:56 -08:00
Linus Torvalds
73dc61cb38 USB fixes for 3.19-rc7
Here are some small USB fixes and quirk additions for 3.19-rc7.
 
 All have been in linux-next for a while with no reported problems.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iEYEABECAAYFAlTMMEIACgkQMUfUDdst+ynPyQCfd95j9DLPlMpdDQJSzKfGRAvx
 lvMAoIChCVtG8qMn6DuceGGADTKeAit6
 =VqrZ
 -----END PGP SIGNATURE-----

Merge tag 'usb-3.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB fixes from Greg KH:
 "Here are some small USB fixes and quirk additions for 3.19-rc7.

  All have been in linux-next for a while with no reported problems"

* tag 'usb-3.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  USB: Add OTG PET device to TPL
  usb-storage/SCSI: blacklist FUA on JMicron 152d:2566 USB-SATA controller
  uas: Add no-report-opcodes quirk for Simpletech devices with id 4971:8017
  storage: Revise/fix quirk for 04E6:000F SCM USB-SCSI converter
  usb: phy: never defer probe in non-OF case
  usb: dwc2: call dwc2_is_controller_alive() under spinlock
2015-01-30 19:35:35 -08:00
Iyappan Subramanian
ecf6ba83d7 drivers: net: xgene: fix: Out of order descriptor bytes read
This patch fixes the following kernel crash,

	WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_input.c:3079 tcp_clean_rtx_queue+0x658/0x80c()
	Call trace:
	[<fffffe0000096b7c>] dump_backtrace+0x0/0x184
	[<fffffe0000096d10>] show_stack+0x10/0x1c
	[<fffffe0000685ea0>] dump_stack+0x74/0x98
	[<fffffe00000b44e0>] warn_slowpath_common+0x88/0xb0
	[<fffffe00000b461c>] warn_slowpath_null+0x14/0x20
	[<fffffe00005b5c1c>] tcp_clean_rtx_queue+0x654/0x80c
	[<fffffe00005b6228>] tcp_ack+0x454/0x688
	[<fffffe00005b6ca8>] tcp_rcv_established+0x4a4/0x62c
	[<fffffe00005bf4b4>] tcp_v4_do_rcv+0x16c/0x350
	[<fffffe00005c225c>] tcp_v4_rcv+0x8e8/0x904
	[<fffffe000059d470>] ip_local_deliver_finish+0x100/0x26c
	[<fffffe000059dad8>] ip_local_deliver+0xac/0xc4
	[<fffffe000059d6c4>] ip_rcv_finish+0xe8/0x328
	[<fffffe000059dd3c>] ip_rcv+0x24c/0x38c
	[<fffffe0000563950>] __netif_receive_skb_core+0x29c/0x7c8
	[<fffffe0000563ea4>] __netif_receive_skb+0x28/0x7c
	[<fffffe0000563f54>] netif_receive_skb_internal+0x5c/0xe0
	[<fffffe0000564810>] napi_gro_receive+0xb4/0x110
	[<fffffe0000482a2c>] xgene_enet_process_ring+0x144/0x338
	[<fffffe0000482d18>] xgene_enet_napi+0x1c/0x50
	[<fffffe0000565454>] net_rx_action+0x154/0x228
	[<fffffe00000b804c>] __do_softirq+0x110/0x28c
	[<fffffe00000b8424>] irq_exit+0x8c/0xc0
	[<fffffe0000093898>] handle_IRQ+0x44/0xa8
	[<fffffe000009032c>] gic_handle_irq+0x38/0x7c
	[...]

Software writes poison data into the descriptor bytes[15:8] and upon
receiving the interrupt, if those bytes are overwritten by the hardware with
the valid data, software also reads bytes[7:0] and executes receive/tx
completion logic.

If the CPU executes the above two reads in out of order fashion, then the
bytes[7:0] will have older data and causing the kernel panic.  We have to
force the order of the reads and thus this patch introduces read memory
barrier between these reads.

Signed-off-by: Iyappan Subramanian <isubramanian@apm.com>
Signed-off-by: Keyur Chudgar <kchudgar@apm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-30 18:17:31 -08:00
David S. Miller
08178e5ac4 Merge branch 'vlan_get_protocol'
Toshiaki Makita says:

====================
Fix checksum error when using stacked vlan

When I was testing 802.1ad, I found several drivers don't take into
account 802.1ad or multiple vlans when retrieving L3 (IP/IPv6) or
L4 (TCP/UDP) protocol for checksum offload.

It is mainly due to vlan_get_protocol(), which extracts ether type only
when it is tagged with single 802.1Q. When 802.1ad is used or there are
multiple vlans, it extracts vlan protocol and drivers cannot determine
which L3/L4 protocol is used.

Those drivers, most of which have IP_CSUM/IPV6_CSUM features, get L3/L4
header-offset by software, so it seems that their checksum offload works
with multiple vlans if we can parse protocols correctly.
(They know mac header length, and probably don't care about what is in it.)

And another thing, some of Intel's drivers seem to use skb->protocol where
vlan_get_protocol() is more suitable.

I tested that at least igb/igbvf on I350 works with this patch set.

Note:
We can hand a double tagged packet with CHECKSUM_PARTIAL to a HW driver
by creating a vlan device on a bridge device and enabling vlan_filtering
of the bridge with 802.1ad protocol.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-30 18:03:58 -08:00
Toshiaki Makita
10e4fb333c ixgbevf: Fix checksum error when using stacked vlan
When a skb has multiple vlans and it is CHECKSUM_PARTIAL,
ixgbevf_tx_csum() fails to get the network protocol and checksum related
descriptor fields are not configured correctly because skb->protocol
doesn't show the L3 protocol in this case.

Use first->protocol instead of skb->protocol to get the proper network
protocol.

Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-30 18:03:47 -08:00
Toshiaki Makita
0213668f06 ixgbe: Fix checksum error when using stacked vlan
When a skb has multiple vlans and it is CHECKSUM_PARTIAL,
ixgbe_tx_csum() fails to get the network protocol and checksum related
descriptor fields are not configured correctly because skb->protocol
doesn't show the L3 protocol in this case.

Use vlan_get_protocol() to get the proper network protocol.

Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-30 18:03:47 -08:00
Toshiaki Makita
72b1405964 igbvf: Fix checksum error when using stacked vlan
When a skb has multiple vlans and it is CHECKSUM_PARTIAL,
igbvf_tx_csum() fails to get the network protocol and checksum related
descriptor fields are not configured correctly because skb->protocol
doesn't show the L3 protocol in this case.

Use vlan_get_protocol() to get the proper network protocol.

Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-30 18:03:47 -08:00
Toshiaki Makita
d4bcef3fbe net: Fix vlan_get_protocol for stacked vlan
vlan_get_protocol() could not get network protocol if a skb has a 802.1ad
vlan tag or multiple vlans, which caused incorrect checksum calculation
in several drivers.

Fix vlan_get_protocol() to retrieve network protocol instead of incorrect
vlan protocol.

As the logic is the same as skb_network_protocol(), create a common helper
function __vlan_get_protocol() and call it from existing functions.

Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-30 18:03:47 -08:00
Saran Maruti Ramanara
cfbf654efc net: sctp: fix passing wrong parameter header to param_type2af in sctp_process_param
When making use of RFC5061, section 4.2.4. for setting the primary IP
address, we're passing a wrong parameter header to param_type2af(),
resulting always in NULL being returned.

At this point, param.p points to a sctp_addip_param struct, containing
a sctp_paramhdr (type = 0xc004, length = var), and crr_id as a correlation
id. Followed by that, as also presented in RFC5061 section 4.2.4., comes
the actual sctp_addr_param, which also contains a sctp_paramhdr, but
this time with the correct type SCTP_PARAM_IPV{4,6}_ADDRESS that
param_type2af() can make use of. Since we already hold a pointer to
addr_param from previous line, just reuse it for param_type2af().

Fixes: d6de309759 ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
Signed-off-by: Saran Maruti Ramanara <saran.neti@telus.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-30 17:45:23 -08:00
Pablo Neira
8b7c36d810 netlink: fix wrong subscription bitmask to group mapping in
The subscription bitmask passed via struct sockaddr_nl is converted to
the group number when calling the netlink_bind() and netlink_unbind()
callbacks.

The conversion is however incorrect since bitmask (1 << 0) needs to be
mapped to group number 1. Note that you cannot specify the group number 0
(usually known as _NONE) from setsockopt() using NETLINK_ADD_MEMBERSHIP
since this is rejected through -EINVAL.

This problem became noticeable since 97840cb ("netfilter: nfnetlink:
fix insufficient validation in nfnetlink_bind") when binding to bitmask
(1 << 0) in ctnetlink.

Reported-by: Andre Tomt <andre@tomt.net>
Reported-by: Ivan Delalande <colona@arista.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-30 17:43:47 -08:00
James Hogan
39148e94e3 MIPS: fork: Fix MSA/FPU/DSP context duplication race
There is a race in the MIPS fork code which allows the child to get a
stale copy of parent MSA/FPU/DSP state that is active in hardware
registers when the fork() is called. This is because copy_thread() saves
the live register state into the child context only if the hardware is
currently in use, apparently on the assumption that the hardware state
cannot have been saved and disabled since the initial duplication of the
task_struct. However preemption is certainly possible during this
window.

An example sequence of events is as follows:

1) The parent userland process puts important data into saved floating
   point registers ($f20-$f31), which are then dirty compared to the
   process' stored context.

2) The parent process calls fork() which does a clone system call.

3) In the kernel, do_fork() -> copy_process() -> dup_task_struct() ->
   arch_dup_task_struct() (which uses the weakly defined default
   implementation). This duplicates the parent process' task context,
   which includes a stale version of its FP context from when it was
   last saved, probably some time before (1).

4) At some point before copy_process() calls copy_thread(), such as when
   duplicating the memory map, the process is desceduled. Perhaps it is
   preempted asynchronously, or perhaps it sleeps while blocked on a
   mutex. The dirty FP state in the FP registers is saved to the parent
   process' context and the FPU is disabled.

5) When the process is rescheduled again it continues copying state
   until it gets to copy_thread(), which checks whether the FPU is in
   use, so that it can copy that dirty state to the child process' task
   context. Because of the deschedule however the FPU is not in use, so
   the child process' context is left with stale FP context from the
   last time the parent saved it (some time before (1)).

6) When the new child process is scheduled it reads the important data
   from the saved floating point register, and ends up doing a NULL
   pointer dereference as a result of the stale data.

This use of saved floating point registers across function calls can be
triggered fairly easily by explicitly using inline asm with a current
(MIPS R2) compiler, but is far more likely to happen unintentionally
with a MIPS R6 compiler where the FP registers are more likely to get
used as scratch registers for storing non-fp data.

It is easily fixed, in the same way that other architectures do it, by
overriding the implementation of arch_dup_task_struct() to sync the
dirty hardware state to the parent process' task context *prior* to
duplicating it, rather than copying straight to the child process' task
context in copy_thread(). Note, the FPU hardware is not disabled so the
parent process may continue executing with the live register context,
but now the child process is guaranteed to have an identical copy of it
at that point.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Reported-by: Matthew Fortune <matthew.fortune@imgtec.com>
Tested-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9075/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2015-01-31 00:44:19 +01:00
David Daney
9ead8632bb MIPS: Fix C0_Pagegrain[IEC] support.
The following commits:

  5890f70f15 (MIPS: Use dedicated exception handler if CPU supports RI/XI exceptions)
  6575b1d417 (MIPS: kernel: cpu-probe: Detect unique RI/XI exceptions)

break the kernel for *all* existing MIPS CPUs that implement the
CP0_PageGrain[IEC] bit.  They cause the TLB exception handlers to be
generated without the legacy execute-inhibit handling, but never set
the CP0_PageGrain[IEC] bit to activate the use of dedicated exception
vectors for execute-inhibit exceptions.  The result is that upon
detection of an execute-inhibit violation, we loop forever in the TLB
exception handlers instead of sending SIGSEGV to the task.

If we are generating TLB exception handlers expecting separate
vectors, we must also enable the CP0_PageGrain[IEC] feature.

The bug was introduced in kernel version 3.17.

Signed-off-by: David Daney <david.daney@cavium.com>
Cc: <stable@vger.kernel.org>
Cc: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: http://patchwork.linux-mips.org/patch/8880/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2015-01-31 00:44:08 +01:00