Lucas Stach [Tue, 22 Dec 2015 18:41:04 +0000 (19:41 +0100)]
mmc: tegra: use correct accessor for misc ctrl register
The misc control register is 32bit wide, the used readw/writew
accessors only mainipulate the low 16bit of this register. It
currently doesn't matter as all the bit changed are located in
the lower half, but together with the u32 variable used to hold
the contents of the register it is seriously confusing.
Switch to 32bit accessors to avoid any future breakage.
Signed-off-by: Lucas Stach <dev@lynxeye.de> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Lucas Stach [Tue, 22 Dec 2015 18:41:03 +0000 (19:41 +0100)]
mmc: tegra: enable UHS-I modes
Keep the quirk bits, as Tegra30 and Tegra114 host have different levels
of support for UHS-I modes and so need different spare bits to be set,
but change the logic to be positive.
Tegra210 needs a different tuning sequence than Tegra30+. Disable
UHS modes until support for this is properly added.
Lucas Stach [Tue, 22 Dec 2015 18:41:02 +0000 (19:41 +0100)]
mmc: tegra: implement UHS tuning
This implements the UHS tuning sequence in a similar way to the one
contained in the TRM. It deviates in the way how to check if the tap
value is passing, by using the common Linux MMC function, which does
not only check for data CRC errors, but also if the received block
pattern is correct.
Signed-off-by: Lucas Stach <dev@lynxeye.de> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Allow the the driver to change the clock supplied from the CAR directly,
minimizing the need to divide the clock inside the SDMMC module itself.
This allows for higher clock speeds than the default 48MHz supplied to
the module and is a prerequisite to support DDR signaling modes, where
the Tegra host needs to be run with a fixed internal divider of 2 for
data to be sampled correctly. (Tegra K1 TRM v03p chapter 29.7.1.1)
Also enable the broken preset value quirk as the preset values need to
be adapted to the changed clocking. While Tegra114+ allows this through
vendor registers, there is no such way for Tegra30. Takes the easy way
out and keep things consistent between the different SoC generations by
flagging the preset registers as unusable.
Signed-off-by: Lucas Stach <dev@lynxeye.de> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Jisheng Zhang [Fri, 11 Dec 2015 13:36:29 +0000 (21:36 +0800)]
mmc: sdhci: restore behavior when setting VDD via external regulator
After commit 52221610dd84 ("mmc: sdhci: Improve external VDD regulator
support"), for the VDD is supplied via external regulators, we ignore
the code to convert a VDD voltage request into one of the standard
SDHCI voltage levels, then program it in the SDHCI_POWER_CONTROL. This
brings two issues:
1. SDHCI_QUIRK2_CARD_ON_NEEDS_BUS_ON quirk isn't handled properly any
more.
2. What's more, once SDHCI_POWER_ON bit is set, some controllers such
as the sdhci-pxav3 used in marvell berlin SoCs require the voltage
levels programming in the SDHCI_POWER_CONTROL register, even the VDD
is supplied by external regulator. So the host in marvell berlin SoCs
still works fine after the commit. However, commit 3cbc6123a93d ("mmc:
sdhci: Set SDHCI_POWER_ON with external vmmc") sets the SDHCI_POWER_ON
bit, this would make the host in marvell berlin SoCs won't work any
more with external vmmc.
This patch restores the behavior when setting VDD through external
regulator by moving the call of mmc_regulator_set_ocr() to the end
of sdhci_set_power() function.
After this patch, the sdcard on Marvell Berlin SoC boards work again.
Colin Cross [Thu, 22 Oct 2015 17:00:41 +0000 (10:00 -0700)]
mmc: block: Allow more than 8 partitions per card
It is quite common for Android devices to utilize more
then 8 partitions on internal eMMC storage.
The vanilla kernel can support this via
CONFIG_MMC_BLOCK_MINORS, however that solution caps the
system to 256 minors total, which limits the number of
mmc cards the system can support.
This patch, which has been carried for quite awhile in
the AOSP common tree, provides an alternative solution
that doesn't seem to limit the total card count. So I
wanted to submit it for consideration upstream.
This patch sets the GENHD_FL_EXT_DEVT flag, which will
allocate minor number in major 259 for partitions past
disk->minors.
It also removes the use of disk_devt to determine devidx
from md->disk. md->disk->first_minor is always initialized
from devidx and can always be used to recover it.
Cc: Ulf Hansson <ulf.hansson@linaro.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Ben Hutchings <ben@decadent.org.uk> Cc: Chuanxiao Dong <chuanxiao.dong@intel.com> Cc: Shawn Lin <shawn.lin@rock-chips.com> Cc: Austin S Hemmelgarn <ahferroin7@gmail.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Android Kernel Team <kernel-team@android.com> Cc: linux-mmc@vger.kernel.org Signed-off-by: Colin Cross <ccross@android.com>
[jstultz: Added context to commit message] Signed-off-by: John Stultz <john.stultz@linaro.org> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Ulf Hansson [Tue, 1 Dec 2015 09:35:29 +0000 (10:35 +0100)]
mmc: core: Optimize boot time by detecting cards simultaneously
The mmc workqueue is an ordered workqueue, allowing only one work to
execute per given time. As this workqueue is used for card detection, the
conseqeunce is that cards will be detected one by one waiting for each
other.
Moreover, most of the time spent during card initialization is waiting for
the card's internal firmware to be ready. From a CPU perspective this
typically means waiting for a completion variable to be kicked via an
IRQ-handler or waiting for a sleep timer to finish.
This behaviour of detecting/initializing cards is sub-optimal, especially
for SOCs having several controllers/cards.
Let's convert to use the system_freezable_wq for the mmc detect works.
This enables several works to be executed simultaneously and thus also
cards to be detected like so.
Tests on UX500, which holds two eMMC cards and an SD-card (actually also
an SDIO card, currently not detected), shows a significant improved
behaviour due to this change.
Before this change, both the eMMC cards waited for the SD card to be
initialized as its detect work entered the workqueue first. In some cases,
depending on the characteristic of the SD-card, they got delayed 1-1.5 s.
Additionally for the second eMMC, it needed to wait for the first eMMC to
be initialized which added another 120-190 ms.
Converting to the system_freezable_wq, removed these delays and made both
the eMMC cards available far earlier in the boot sequence.
Selecting the system_freezable_wq, in favour of for example the system_wq,
is because we need card detection mechanism to be disabled once userspace
are frozen during system PM. Currently the mmc core deal with this via PM
notifiers, but following patches may utilize the behaviour of the
system_freezable_wq, to simplify the use of the PM notifiers.
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Tested-by: Alan Cooper <alcooperx@gmail.com> Tested-by: Shawn Lin <shawn.lin@rock-chips.com>
Arnd Bergmann [Thu, 12 Nov 2015 14:14:23 +0000 (15:14 +0100)]
mmc: dw_mmc: use resource_size_t to store physical address
The dw_mmc driver stores the physical address of the MMIO registers
in a pointer, which requires the use of type casts, and is actually
broken if anyone ever has this device on a 32-bit SoC in registers
above 4GB. Gcc warns about this possibility when the driver is built
with ARM LPAE enabled:
mmc/host/dw_mmc.c: In function 'dw_mci_edmac_start_dma':
mmc/host/dw_mmc.c:702:17: warning: cast from pointer to integer of different size
cfg.dst_addr = (dma_addr_t)(host->phy_regs + fifo_offset);
^
mmc/host/dw_mmc-pltfm.c: In function 'dw_mci_pltfm_register':
mmc/host/dw_mmc-pltfm.c:63:19: warning: cast to pointer from integer of different size
host->phy_regs = (void *)(regs->start);
This changes the code to use resource_size_t, which gets rid of the
warning, the bug and the useless casts.
Chaotian Jing [Mon, 30 Nov 2015 01:27:30 +0000 (09:27 +0800)]
mmc: core: fix __mmc_switch timeout caused by preempt
there is a time window between __mmc_send_status() and time_afer(),
on some eMMC chip, the timeout_ms is only 10ms, if this thread was
scheduled out during this period, then, even card has already changes
to transfer state by the result of CMD13, this part of code also treat
it to timeout error.
So, need calculate timeout first, then call __mmc_send_status(), if
already timeout and card still in programing state, then treat it to
the real timeout error.
Rabin Vincent [Fri, 27 Nov 2015 11:59:11 +0000 (12:59 +0100)]
mmc: usdhi6rol0: handle NULL data in timeout
Commit bb08a7d489bd ("mmc: usdhi6rol0: fix NULL pointer deref in debug
print") fixed one NULL pointer dereference but unfortunately introduced
another. "data" may be NULL if this is a command timeout for a command
without any data, so we should only use it if we're actually waiting for
data.
saurabh [Wed, 25 Nov 2015 18:26:24 +0000 (23:56 +0530)]
mmc: of_mmc_spi: Add IRQF_ONESHOT to interrupt flags
If no primary handler is specified for threaded_irq then a
default one is assigned which always returns IRQ_WAKE_THREAD.
This handler requires the IRQF_ONESHOT, because the source of
interrupt is not disabled
Chaotian Jing [Tue, 1 Dec 2015 12:12:34 +0000 (20:12 +0800)]
mmc: mediatek: change some dev_err to dev_dbg
there are too many error logs shown when use CMD21/CMD19 to do tune,
and it will appear at each resume time, print out so many logs to the
uart console cost too mush time. so change it to dev_dbg.
Fu, Zhonghui [Fri, 4 Dec 2015 13:05:56 +0000 (21:05 +0800)]
mmc: enable MMC/SD/SDIO device to suspend/resume asynchronously
Now, PM core supports asynchronous suspend/resume mode for devices
during system suspend/resume, and the power state transition of one
device may be completed in separate kernel thread. PM core ensures
all power state transition dependency between devices. This patch
enables MMC/SD/SDIO card and SDIO function devices to suspend/resume
asynchronously. This will take advantage of multicore and improve
system suspend/resume speed. After applying this patch and enabling
all SDIO function's child devices to suspend/resume asynchronously
on ASUS T100TA, the system suspend-to-idle time is reduced from
1645ms to 1108ms, and the system resume time is reduced from 940ms
to 918ms.
Signed-off-by: Zhonghui Fu <zhonghui.fu@linux.intel.com> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Adrian Hunter [Thu, 26 Nov 2015 12:00:50 +0000 (14:00 +0200)]
mmc: sdhci: Fix sdhci_runtime_pm_bus_on/off()
sdhci has a legacy facility to prevent runtime suspend if the
bus power is on. This is needed in cases where the power to
the card is dependent on the bus power. It is controlled by
a pair of functions: sdhci_runtime_pm_bus_on() and
sdhci_runtime_pm_bus_off(). These functions use a boolean
variable 'bus_on' to ensure changes are always paired.
There is an additional check for 'runtime_suspended' which is
the problem. In fact, its use is ill-conceived as the only
requirement for the logic is that 'on' and 'off' are paired,
which is actually broken by the check, for example if the bus
power is turned on during runtime resume. So remove the check.
Adrian Hunter [Thu, 26 Nov 2015 12:00:49 +0000 (14:00 +0200)]
mmc: sdhci: 64-bit DMA actually has 4-byte alignment
The version 3.00 SDHCI spec. was a bit unclear about the
required data alignment for 64-bit DMA, whereas the version
4.10 spec. uses different language and indicates that only
4-byte alignment is required rather than the 8-byte alignment
currently implemented. That make no difference to SD and EMMC
which invariably transfer data in sector-aligned blocks.
However with SDIO, it results in using more DMA descriptors
than necessary. Theoretically that slows DMA slightly although
DMA is not the limiting factor for throughput, so there is no
discernable impact on performance. Nevertheless, the driver
should follw the spec unless there is good reason not to, so
this patch corrects the alignment criterion.
There is a more complicated criterion for the DMA descriptor
table itself. However the table is allocated by dma_alloc_coherent()
which allocates pages (i.e. aligned to a page boundary).
For simplicity just check it is 8-byte aligned, but add a comment
that some Intel controllers actually require 8-byte alignment
even when using 32-bit DMA.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Adrian Hunter [Thu, 26 Nov 2015 12:00:48 +0000 (14:00 +0200)]
mmc: sdhci: Fix DMA descriptor with zero data length
SDHCI has built-in DMA called ADMA2. ADMA2 uses a descriptor
table to define DMA scatter-gather. Each desciptor can specify
a data length up to 65536 bytes, however the length field is
only 16-bits so zero means 65536. Consequently, putting zero
when the size is zero must not be allowed. This patch fixes
one case where zero data length could be set inadvertently.
The problem happens because unaligned data gets split and the
code did not consider that the remaining aligned portion might
be zero length. That case really only happens for SDIO because
SD and eMMC cards transfer blocks that are invariably sector-
aligned. For SDIO, access to function registers is done by
data transfer (CMD53) when the register is bigger than 1 byte.
Generally registers are 4 bytes but 2-byte registers are possible.
So DMA of 4 bytes or less can happen. When 32-bit DMA is used,
the data alignment must be 4, so 4-byte transfers won't casue a
problem, but a 2-byte transfer could. However with the introduction
of 64-bit DMA, the data alignment for 64-bit DMA was made 8 bytes,
so all 4-byte transfers not on 8-byte boundaries get "split" into
a 4-byte chunk and a 0-byte chunk, thereby hitting the bug.
In fact, a closer look at the SDHCI specs indicates that only the
descriptor table requires 8-byte alignment for 64-bit DMA. That
will be dealt with in a separate patch, but the potential for a
2-byte access remains, so this fix is needed anyway.
Adrian Hunter [Thu, 26 Nov 2015 12:00:47 +0000 (14:00 +0200)]
mmc: sdio: Fix invalid vdd in voltage switch power cycle
The 'ocr' parameter passed to mmc_set_signal_voltage()
defines the power-on voltage used when power cycling
after a failure to set the voltage. However, in the
case of mmc_sdio_init_card(), the value passed has the
R4_18V_PRESENT flag set which is not valid for power-on
and results in an invalid vdd. Fix by passing the card's
ocr value which does not have the flag.
Wenkai Du [Thu, 26 Nov 2015 12:00:44 +0000 (14:00 +0200)]
mmc: mmc: Fix incorrect use of driver strength switching HS200 and HS400
Commit cc4f414c885c ("mmc: mmc: Add driver strength selection")
added driver strength selection for eMMC HS200 and HS400 modes.
That patch also set the driver stength when transitioning through
High Speed mode to HS200/HS400, but driver strength is not defined
for High Speed mode. While the JEDEC specification is not clear
on this point it has been observed to cause problems for some eMMC,
and removing the driver strength setting in this case makes it
consistent with the normal use of High Speed mode.
Signed-off-by: Wenkai Du <wenkai.du@intel.com> Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Cc: stable@vger.kernel.org # v4.2+ Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Linus Walleij [Wed, 25 Nov 2015 13:57:57 +0000 (14:57 +0100)]
mmc: mvsdio: delete platform data code path
There are no in-kernel users of the MVSDIO platform data method
(instantiating from a board file) so just delete this code and
make this a DT-only driver. We depend on OF and check that we have
an OF node in probe().
Cc: Nicolas Pitre <nico@fluxnic.net> Cc: Andrew Lunn <andrew@lunn.ch> Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com> Signed-off-by: Linus Walleij <linus.walleij@linaro.org> Acked-by: Nicolas Pitre <nico@linaro.org> Acked-by: Andrew Lunn <andrew@lunn.ch> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Linus Walleij [Wed, 25 Nov 2015 13:57:31 +0000 (14:57 +0100)]
mmc: mvsdio: delete platform data header
This platform data struct is only used inside the MVSDIO driver,
nowhere else in the entire kernel. Move the struct into the
driver and delete the external header.
Cc: Nicolas Pitre <nico@fluxnic.net> Cc: Andrew Lunn <andrew@lunn.ch> Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com> Signed-off-by: Linus Walleij <linus.walleij@linaro.org> Acked-by: Nicolas Pitre <nico@linaro.org> Acked-by: Andrew Lunn <andrew@lunn.ch> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
if (vvn > VENDOR_V_22)
host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ;
}
This patch is used to fix it by add/remove some quirks according to
verdor version in probe.
Signed-off-by: Yangbo Lu <yangbo.lu@freescale.com> Fixes: f4932cfd22f1 ("mmc: sdhci-of-esdhc: support both BE and LE host controller") Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
mmc: atmel-mci: move atmel-mci-regs.h content in atmel-mci.c
atmel-mci-regs.h is only included in atmel-mci.c so move its content in
the driver and do some cleanup in these definitions to remove checkpatch
errors.
Arnd Bergmann [Fri, 20 Nov 2015 10:28:42 +0000 (11:28 +0100)]
mmc: fix mmc_{un,}register_pm_notifier prototypes
The mmc pm notifiers were recently reworked, but the new
code produces a lot of warnings when CONFIG_PM_SLEEP is disabled:
In file included from ../drivers/mmc/core/sdio_bus.c:27:0:
drivers/mmc/core/core.h:97:13: warning: 'mmc_register_pm_notifier' defined but not used [-Wunused-function]
The obvious solution is to add the 'inline' keyword at the
function definition, as it should be for any function defined
in a header file.
Signed-off-by: Arnd Bergmann <arnd@arndb.de> Fixes: 0e40be7c20e0 ("mmc: core: Refactor code to register the MMC PM notifier") Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Arnd Bergmann [Mon, 16 Nov 2015 16:08:41 +0000 (17:08 +0100)]
mmc: sh_mmcif: rework dma channel handling
When compiling the sh_mmcif driver for ARM64, we currently
get a harmless build warning:
../drivers/mmc/host/sh_mmcif.c: In function 'sh_mmcif_request_dma_one':
../drivers/mmc/host/sh_mmcif.c:417:4: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
(void *)pdata->slave_id_tx :
^
../drivers/mmc/host/sh_mmcif.c:418:4: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
(void *)pdata->slave_id_rx;
This could be worked around by adding another cast to uintptr_t, but
I decided to simplify the code a little more to avoid that. This
splits out the platform data using code into a separate function
and builds that only for CONFIG_SUPERH. This part still has a typecast
but does not need a second one. The SH platform code could be further
modified to pass a pointer directly as we do on other architectures
when we have a filter function.
The normal case is simplified further and now just calls
dma_request_slave_channel() directly without going through the
compat handling.
Marek Vasut [Wed, 18 Nov 2015 09:47:02 +0000 (10:47 +0100)]
mmc: sdhci: Fix strings broken across multiple lines
This is a trivial patch which fixes printed strings split across two
or more lines in the source. I tried to grep for some error output*,
but I couldn't find it easily because it was broken across multiple
lines. This patch makes my life easier.
* in particular "Timeout waiting for hardware interrupt."
Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
mmc: kconfig: replace FAULT_INJECTION with FAULT_INJECTION_DEBUG_FS
Fault-injection capability for MMC IO uses debugfs entries to configure
the attributes.
FAULT_INJECTION_DEBUG_FS must be enabled to use FAIL_MMC_REQUEST.
Replace FAULT_INJECTION with FAULT_INJECTION_DEBUG_FS.
Also remove 'select DEBUG_FS' since FAULT_INJECTION_DEBUG_FS depends on
it.
mmc: core: set regulator not found message as debug
Turn the informative message about no vmmc/vqmmc regulator found in
debug one. There is no need to indicate that something optional is
missing. Moreover, it can bring confusion, people who doesn't know
it is optional may consider these messages as warnings or errors.
Ulf Hansson [Thu, 5 Nov 2015 15:21:39 +0000 (16:21 +0100)]
mmc: core: Check for non-removable cards earlier in the error path
_mmc_detect_card_removed() validates that the card is removable, but when
being called via the bus_ops ->detect() callbacks, the validation is
redundant as it's already done in mmc_rescan().
Move the validation of a removable card to the mmc_detect_card_removed()
API, which is where it's applicable, to allow the blk error recovery path
to get the response a bit earlier.
Ulf Hansson [Thu, 5 Nov 2015 15:11:12 +0000 (16:11 +0100)]
mmc: core: Refactor code to register the MMC PM notifier
Instead of checking for "#ifdef" directly in the code, let's invent a pair
of mmc core functions to deal with register/unregister the MMC PM notifier
block. Implement stubs for these functions when CONFIG_PM_SLEEP is unset,
as in that case the PM notifiers isn't used.
Ulf Hansson [Thu, 5 Nov 2015 15:01:32 +0000 (16:01 +0100)]
mmc: core: Make runtime resume default behavior for MMC/SD
MMC_CAP_RUNTIME_RESUME was invented to decrease system PM resume time for
systems that particularly needs this. As the feature has matured let's
make it the default behavior for MMC/SD.
Ulf Hansson [Thu, 5 Nov 2015 15:08:08 +0000 (16:08 +0100)]
mmc: core: Keep host claimed in mmc_rescan() while calling host ops
As mmc_claim_host() invokes pm_runtime_get_sync() for the mmc host device,
it's important that the host is kept claimed for *all* accesses to it via
the host_ops callbacks.
In mmc_rescan(), the ->card_event() and the ->get_cd() callback are being
invoked without claiming the host, let's fix this.
Sudeep Holla [Wed, 21 Oct 2015 10:10:02 +0000 (11:10 +0100)]
mmc: core: enable support for the standard "wakeup-source" property
Though the mmc core driver should/will continue to support the legacy
"enable-sdio-wakeup" property to enable SDIO as the wakeup source, we
need to add support for the new standard property "wakeup-source".
This patch adds support for "wakeup-source" property in addition to the
existing "enable-sdio-wakeup" property.
Linus Torvalds [Sun, 20 Dec 2015 18:01:11 +0000 (10:01 -0800)]
Merge tag 'rtc-4.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
Pull RTC fixes from Alexandre Belloni:
"Late fixes for the RTC subsystem for 4.4:
A fix for a nasty hardware bug in rk808 and an initialization
reordering in da9063 to fix a possible crash"
* tag 'rtc-4.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux:
rtc: da9063: fix access ordering error during RTC interrupt at system power on
rtc: rk808: Compensate for Rockchip calendar deviation on November 31st
Steve Twiss [Tue, 8 Dec 2015 16:28:39 +0000 (16:28 +0000)]
rtc: da9063: fix access ordering error during RTC interrupt at system power on
This fix alters the ordering of the IRQ and device registrations in the RTC
driver probe function. This change will apply to the RTC driver that supports
both DA9063 and DA9062 PMICs.
A problem could occur with the existing RTC driver if:
A system is started from a cold boot using the PMIC RTC IRQ to initiate a
power on operation. For instance, if an RTC alarm is used to start a
platform from power off.
The existing driver IRQ is requested before the device has been properly
registered.
i.e.
ret = devm_request_threaded_irq()
comes before
rtc->rtc_dev = devm_rtc_device_register();
In this case, the interrupt can be called before the device has been
registered and the handler can be called immediately. The IRQ handler
da9063_alarm_event() contains the function call
which in turn tries to access the unavailable rtc->rtc_dev.
The fix is to reorder the functions inside the RTC probe. The IRQ is
requested after the RTC device resource has been registered so that
get_irq_byname is the last thing to happen.
Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Julius Werner [Tue, 15 Dec 2015 23:02:49 +0000 (15:02 -0800)]
rtc: rk808: Compensate for Rockchip calendar deviation on November 31st
In A.D. 1582 Pope Gregory XIII found that the existing Julian calendar
insufficiently represented reality, and changed the rules about
calculating leap years to account for this. Similarly, in A.D. 2013
Rockchip hardware engineers found that the new Gregorian calendar still
contained flaws, and that the month of November should be counted up to
31 days instead. Unfortunately it takes a long time for calendar changes
to gain widespread adoption, and just like more than 300 years went by
before the last Protestant nation implemented Greg's proposal, we will
have to wait a while until all religions and operating system kernels
acknowledge the inherent advantages of the Rockchip system. Until then
we need to translate dates read from (and written to) Rockchip hardware
back to the Gregorian format.
This patch works by defining Jan 1st, 2016 as the arbitrary anchor date
on which Rockchip and Gregorian calendars are in sync. From that we can
translate arbitrary later dates back and forth by counting the number
of November/December transitons since the anchor date to determine the
offset between the calendars. We choose this method (rather than trying
to regularly "correct" the date stored in hardware) since it's the only
way to ensure perfect time-keeping even if the system may be shut down
for an unknown number of years. The drawback is that other software
reading the same hardware (e.g. mainboard firmware) must use the same
translation convention (including the same anchor date) to be able to
read and write correct timestamps from/to the RTC.
Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Douglas Anderson <dianders@chromium.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Linus Torvalds [Sun, 20 Dec 2015 01:44:19 +0000 (17:44 -0800)]
Merge tag 'tty-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Pull tty/serial fixes from Greg KH:
"Here are some tty/serial driver fixes for 4.4-rc6 that resolve some
reported problems. All of these have been in linux-next. The details
are in the shortlog"
* tag 'tty-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
tty: Fix GPF in flush_to_ldisc()
serial: earlycon: Add missing spinlock initialization
serial: sh-sci: Fix length of scatterlist
n_tty: Fix poll() after buffer-limited eof push read
serial: 8250_uniphier: fix dl_read and dl_write functions
Linus Torvalds [Sun, 20 Dec 2015 00:46:46 +0000 (16:46 -0800)]
Merge tag 'md/4.4-rc5-fixes' of git://neil.brown.name/md
Pull md fixes from Neil Brown:
"Four fixes for md:
- two recently introduced regressions fixed.
- one older bug in RAID10 - tagged for -stable since 4.2
- one minor sysfs api improvement"
* tag 'md/4.4-rc5-fixes' of git://neil.brown.name/md:
Fix remove_and_add_spares removes drive added as spare in slot_store
md: fix bug due to nested suspend
MD: change journal disk role to disk 0
md/raid10: fix data corruption and crash during resync
Linus Torvalds [Sun, 20 Dec 2015 00:40:48 +0000 (16:40 -0800)]
Merge tag 'powerpc-4.4-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
Pull powerpc fixes from Michael Ellerman:
- Partial revert of "powerpc: Individual System V IPC system calls"
- pr_warn_once on unsupported OPAL_MSG type from Stewart
- Fix deadlock in opal-irqchip introduced by "Fix double endian
conversion" from Alistair
* tag 'powerpc-4.4-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
powerpc/opal-irqchip: Fix deadlock introduced by "Fix double endian conversion"
powerpc/powernv: pr_warn_once on unsupported OPAL_MSG type
Partial revert of "powerpc: Individual System V IPC system calls"
Linus Torvalds [Sat, 19 Dec 2015 18:10:43 +0000 (10:10 -0800)]
Merge tag 'spi-fix-v4.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"A couple of reference counting bugs here, one in spidev and one with
holding an extra reference in the core that we never freed if we
removed a device, plus a driver specific fix. Both of the refcounting
bugs are very old but they've only been found by observation so
hopefully their impact has been low"
* tag 'spi-fix-v4.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: fix parent-device reference leak
spi: spidev: Hold spi_lock over all defererences of spi in release()
spi-fsl-dspi: Fix CTAR Register access
Linus Torvalds [Sat, 19 Dec 2015 18:05:00 +0000 (10:05 -0800)]
Merge tag 'gpio-v4.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
Pull GPIO fixes from Linus Walleij:
"Some GPIO fixes for the v4.4 series. Most prominent: I revert the
error propagation from the .get() function until we can fix up all the
drivers properly for v4.5.
- Revert the error number propagation from the .get() vtable entry
temporarily, until we make the proper fixes to all drivers.
- Fix the clamping behaviour in the generic GPIO driver.
- Driver fix for the ath79 driver"
* tag 'gpio-v4.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
gpio: revert get() to non-errorprogating behaviour
gpio: generic: clamp values from bgpio_get_set()
gpio: ath79: Fix the logic to clear offset bit of AR71XX_GPIO_REG_OE register
Linus Torvalds [Sat, 19 Dec 2015 18:01:03 +0000 (10:01 -0800)]
Merge tag 'pinctrl-v4.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
Pull pin control fixes from Linus Walleij:
- Driver fixes for Freescale i.MX7D, Intel, Broadcom 2835
- One MAINTAINERS entry
* tag 'pinctrl-v4.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
MAINTAINERS: pinctrl: Add maintainers for pinctrl-single
pinctrl: bcm2835: Fix initial value for direction_output
pinctrl: intel: fix offset calculation issue of register PAD_OWN
pinctrl: intel: fix bug of register offset calculation
pinctrl: freescale: add ZERO_OFFSET_VALID flag for vf610 pinctrl
Linus Torvalds [Sat, 19 Dec 2015 17:52:44 +0000 (09:52 -0800)]
Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fixes from Wolfram Sang:
"A set of 'usual' driver bugfixes for the I2C subsystem"
* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
i2c: rcar: disable runtime PM correctly in slave mode
i2c: designware: Keep pm_runtime_enable/_disable calls in sync
i2c: designware: fix IO timeout issue for AMD controller
i2c: imx: init bus recovery info before adding i2c adapter
i2c: do not use 0x in front of %pa
i2c: davinci: Increase module clock frequency
i2c: mv64xxx: The n clockdiv factor is 0 based on sunxi SoCs
i2c: rk3x: populate correct variable for sda_falling_time
Wolfram Sang [Wed, 16 Dec 2015 19:05:18 +0000 (20:05 +0100)]
i2c: rcar: disable runtime PM correctly in slave mode
When we also are I2C slave, we need to disable runtime PM because the
address detection mechanism needs to be active all the time. However, we
can reenable runtime PM once the slave instance was unregistered. So,
use pm_runtime_get_sync/put to achieve this, since it has proper
refcounting. pm_runtime_allow/forbid is like a global knob controllable
from userspace which is unsuitable here.
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com> Signed-off-by: Wolfram Sang <wsa@the-dreams.de> Cc: stable@kernel.org
Linus Torvalds [Sat, 19 Dec 2015 05:01:35 +0000 (21:01 -0800)]
Merge tag 'pm+acpi-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull power management fixes from Rafael Wysocki:
"These fix a potential regression introduced during the 4.3 cycle
(generic power domains framework), a nasty bug that has been present
forever (power capping RAPL driver), a build issue (Tegra cpufreq
driver) and a minor ugliness introduced recently (intel_pstate).
Specifics:
- Fix a potential regression in the generic power domains framework
introduced during the 4.3 development cycle that may lead to
spurious failures of system suspend in certain situations (Ulf
Hansson).
- Fix a problem in the power capping RAPL (Running Average Power
Limits) driver that causes it to initialize successfully on some
systems where it is not supposed to do that which is due to an
incorrect check in an initialization routine (Prarit Bhargava).
- Fix a build problem in the cpufreq Tegra driver that depends on the
regulator framework, but that dependency is not reflected in
Kconfig (Arnd Bergmann).
- Fix a recent mistake in the intel_pstate driver where a numeric
constant is used directly instead of a symbol defined specifically
for the case in question (Prarit Bhargava)"
* tag 'pm+acpi-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
powercap / RAPL: fix BIOS lock check
cpufreq: intel_pstate: Minor cleanup for FRAC_BITS
cpufreq: tegra: add regulator dependency for T124
PM / Domains: Allow runtime PM callbacks to be re-used during system PM
Linus Torvalds [Sat, 19 Dec 2015 04:35:35 +0000 (20:35 -0800)]
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"Three fixes this time, two in SES picked up by KASAN for various types
of buffer overrun. The first is a USB array which returns page 8
whatever is asked for and causes us to overrun with incorrect data
format assumptions and the second is an invalid iteration of page 10
(the additional information page).
The final fix is a reversion of a NULL deref fix which caused
suspend/resume not to be called in pairs leading to incorrect device
operation (Jens has queued a more proper fix for the problem in
block)"
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
ses: fix additional element traversal bug
Revert "SCSI: Fix NULL pointer dereference in runtime PM"
ses: Fix problems with simple enclosures
James Chen [Fri, 18 Dec 2015 23:51:48 +0000 (15:51 -0800)]
Input: elants_i2c - fix wake-on-touch
When sending "SLEEP" command to the controller it ceases scanning
completely and is unable to wake the system up from sleep, so if it is
configured as a wakeup source we should simply configure interrupt for
wakeup and rely on idle logic within the controller to reduce power
consumption while it is not used.
Signed-off-by: James Chen <james.chen@emc.com.tw> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Linus Torvalds [Fri, 18 Dec 2015 23:35:08 +0000 (15:35 -0800)]
Merge branch 'for-linus-4.4' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs
Pull btrfs fixes from Chris Mason:
"A couple of small fixes"
* 'for-linus-4.4' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
Btrfs: check prepare_uptodate_page() error code earlier
Btrfs: check for empty bitmap list in setup_cluster_bitmaps
btrfs: fix misleading warning when space cache failed to load
Btrfs: fix transaction handle leak in balance
Btrfs: fix unprotected list move from unused_bgs to deleted_bgs list
Linus Torvalds [Fri, 18 Dec 2015 22:25:57 +0000 (14:25 -0800)]
Merge branch 'akpm' (patches from Andrew)
Merge misc fixes from Andrew Morton:
"Three patches"
* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
include/linux/mmdebug.h: should include linux/bug.h
mm/zswap: change incorrect strncmp use to strcmp
proc: fix -ESRCH error when writing to /proc/$pid/coredump_filter
James Morse [Fri, 18 Dec 2015 22:22:07 +0000 (14:22 -0800)]
include/linux/mmdebug.h: should include linux/bug.h
mmdebug.h uses BUILD_BUG_ON_INVALID(), assuming someone else included
linux/bug.h. Include it ourselves.
This saves build-failures such as:
arch/arm64/include/asm/pgtable.h: In function 'set_pte_at':
arch/arm64/include/asm/pgtable.h:281:3: error: implicit declaration of function 'BUILD_BUG_ON_INVALID' [-Werror=implicit-function-declaration]
VM_WARN_ONCE(!pte_young(pte),
Fixes: 02602a18c32d7 ("bug: completely remove code generated by disabled VM_BUG_ON()") Signed-off-by: James Morse <james.morse@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Dan Streetman [Fri, 18 Dec 2015 22:22:04 +0000 (14:22 -0800)]
mm/zswap: change incorrect strncmp use to strcmp
Change the use of strncmp in zswap_pool_find_get() to strcmp.
The use of strncmp is no longer correct, now that zswap_zpool_type is
not an array; sizeof() will return the size of a pointer, which isn't
the right length to compare. We don't need to use strncmp anyway,
because the existing params and the passed in params are all guaranteed
to be null terminated, so strcmp should be used.
Signed-off-by: Dan Streetman <ddstreet@ieee.org> Reported-by: Weijie Yang <weijie.yang@samsung.com> Cc: Seth Jennings <sjennings@variantweb.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Colin Ian King [Fri, 18 Dec 2015 22:22:01 +0000 (14:22 -0800)]
proc: fix -ESRCH error when writing to /proc/$pid/coredump_filter
Writing to /proc/$pid/coredump_filter always returns -ESRCH because commit 774636e19ed51 ("proc: convert to kstrto*()/kstrto*_from_user()") removed
the setting of ret after the get_proc_task call and incorrectly left it as
-ESRCH. Instead, return 0 when successful.
Example breakage:
echo 0 > /proc/self/coredump_filter
bash: echo: write error: No such process
Fixes: 774636e19ed51 ("proc: convert to kstrto*()/kstrto*_from_user()") Signed-off-by: Colin Ian King <colin.king@canonical.com> Acked-by: Kees Cook <keescook@chromium.org> Cc: <stable@vger.kernel.org> [4.3+] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Fri, 18 Dec 2015 20:51:52 +0000 (12:51 -0800)]
Merge tag 'hwmon-for-linus-v4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
Pull hwmon fixes from Guenter Roeck:
- Select CONFIG_BITREVERSE for sht15 driver to avoid build failure if
it is not configured.
- Force wait for conversion time for the first valid data in tmp102
driver to avoid reporting erroneous data to the thermal subsystem.
* tag 'hwmon-for-linus-v4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
hwmon: (sht15) Select CONFIG_BITREVERSE
hwmon: (tmp102) Force wait for conversion time for the first valid data
Linus Torvalds [Fri, 18 Dec 2015 20:38:35 +0000 (12:38 -0800)]
Merge tag 'iommu-fixes-v4.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
Pull IOMMU fixes from Joerg Roedel:
"Two similar fixes for the Intel and AMD IOMMU drivers to add proper
access checks before calling handle_mm_fault"
* tag 'iommu-fixes-v4.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
iommu/vt-d: Do access checks before calling handle_mm_fault()
iommu/amd: Do proper access checking before calling handle_mm_fault()
Linus Torvalds [Fri, 18 Dec 2015 20:24:52 +0000 (12:24 -0800)]
Merge tag 'for-linus-4.4-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
Pull xen bug fixes from David Vrabel:
- XSA-155 security fixes to backend drivers.
- XSA-157 security fixes to pciback.
* tag 'for-linus-4.4-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
xen-pciback: fix up cleanup path when alloc fails
xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set.
xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled.
xen/pciback: Do not install an IRQ handler for MSI interrupts.
xen/pciback: Return error on XEN_PCI_OP_enable_msix when device has MSI or MSI-X enabled
xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled
xen/pciback: Save xen_pci_op commands before processing it
xen-scsiback: safely copy requests
xen-blkback: read from indirect descriptors only once
xen-blkback: only read request operation from shared ring once
xen-netback: use RING_COPY_REQUEST() throughout
xen-netback: don't use last request to determine minimum Tx credit
xen: Add RING_COPY_REQUEST()
xen/x86/pvh: Use HVM's flush_tlb_others op
xen: Resume PMU from non-atomic context
xen/events/fifo: Consume unprocessed events when a CPU dies
Linus Torvalds [Fri, 18 Dec 2015 20:19:01 +0000 (12:19 -0800)]
Merge tag 'arc-fixes-for-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc
Pull ARC architecture fixes from Vineet Gupta:
"Fixes for:
- perf interrupts on SMP: Not enabled (at boot) and disabled (at runtime)
- stack unwinder regression (for modules, ignoring dwarf3)
- nsim hosed for non default kernel link base builds"
* tag 'arc-fixes-for-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
ARC: smp: Rename platform hook @init_cpu_smp -> @init_per_cpu
ARC: rename smp operation init_irq_cpu() to init_per_cpu()
ARC: dw2 unwind: Ignore CIE version !=1 gracefully instead of bailing
ARC: dw2 unwind: Reinstante unwinding out of modules
ARC: [plat-sim] unbork non default CONFIG_LINUX_LINK_BASE
ARC: intc: Document arc_request_percpu_irq() better
ARCv2: perf: Ensure perf intr gets enabled on all cores
ARC: intc: No need to clear IRQ_NOAUTOEN
ARCv2: intc: Fix random perf irq disabling in SMP setup
ARC: [axs10x] cap ethernet phy to 100 Mbit/sec
Linus Torvalds [Fri, 18 Dec 2015 19:47:06 +0000 (11:47 -0800)]
Merge tag 'sound-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"As usual in rc6, this update contains only a few HD-audio and
USB-audio device-specific quirks: yet another Thinkpad noise fixes,
Dell headphone mic fixes, and AudioQuest DragonFly fixes"
* tag 'sound-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: hda - Add a fixup for Thinkpad X1 Carbon 2nd
ALSA: hda - Set codec to D3 at reboot/shutdown on Thinkpads
ALSA: hda - Apply click noise workaround for Thinkpads generically
ALSA: hda - Fix headphone mic input on a few Dell ALC293 machines
ALSA: usb-audio: Add sample rate inquiry quirk for AudioQuest DragonFly
ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly
Linus Torvalds [Fri, 18 Dec 2015 19:19:16 +0000 (11:19 -0800)]
Merge tag 'for-linus-20151217' of git://git.infradead.org/linux-mtd
Pull MTD fixes from Brian Norris:
"I was holding out on this pull request for a bit, since there are a
few other small issues being discussed that look like 4.4-rc
regressions. Hopefully I can get those stabilized soon, but these are
ready at any rate:
- A little bit of a last-minute change for the device tree "fixed
partition" binding. This is needed because we might want to reuse
the 'partitions' subnode for other sorts of partitioning
descriptions -- e.g., for describing which on-flash partition
format(s) might be used on the system.
- Also tone down a warning message, since it is probably going to
show up on a lot of systems where it should just be ignored"
* tag 'for-linus-20151217' of git://git.infradead.org/linux-mtd:
doc: dt: mtd: partitions: add compatible property to "partitions" node
mtd: ofpart: don't complain about missing 'partitions' node too loudly
Alan Stern [Wed, 16 Dec 2015 18:32:38 +0000 (13:32 -0500)]
USB: fix invalid memory access in hub_activate()
Commit 8520f38099cc ("USB: change hub initialization sleeps to
delayed_work") changed the hub_activate() routine to make part of it
run in a workqueue. However, the commit failed to take a reference to
the usb_hub structure or to lock the hub interface while doing so. As
a result, if a hub is plugged in and quickly unplugged before the work
routine can run, the routine will try to access memory that has been
deallocated. Or, if the hub is unplugged while the routine is
running, the memory may be deallocated while it is in active use.
This patch fixes the problem by taking a reference to the usb_hub at
the start of hub_activate() and releasing it at the end (when the work
is finished), and by locking the hub interface while the work routine
is running. It also adds a check at the start of the routine to see
if the hub has already been disconnected, in which nothing should be
done.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-by: Alexandru Cornea <alexandru.cornea@intel.com> Tested-by: Alexandru Cornea <alexandru.cornea@intel.com> Fixes: 8520f38099cc ("USB: change hub initialization sleeps to delayed_work") CC: <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Carpenter [Wed, 16 Dec 2015 11:06:37 +0000 (14:06 +0300)]
USB: ipaq.c: fix a timeout loop
The code expects the loop to end with "retries" set to zero but, because
it is a post-op, it will end set to -1. I have fixed this by moving the
decrement inside the loop.
Fixes: 014aa2a3c32e ('USB: ipaq: minor ipaq_open() cleanup.') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Antti Palosaari [Mon, 26 Oct 2015 20:58:14 +0000 (18:58 -0200)]
[media] airspy: increase USB control message buffer size
Driver requested device firmware version string during probe using
only 24 byte long buffer. That buffer is too small for newer firmware
versions, which causes device firmware hang - device stops responding
to any commands after that. Increase buffer size to 128 which should
be enough for any current and future version strings.
Link: https://github.com/airspy/host/issues/27 Cc: <stable@vger.kernel.org> # 3.17+ Reported-by: Benjamin Vernoux <bvernoux@gmail.com> Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Antti Palosaari [Fri, 23 Oct 2015 22:01:31 +0000 (20:01 -0200)]
[media] hackrf: move RF gain ctrl enable behind module parameter
Used Avago MGA-81563 RF amplifier could be destroyed pretty easily
with too strong signal or transmitting to bad antenna.
Add module parameter 'enable_rf_gain_ctrl' which allows enabling
RF gain control - otherwise, default without the module parameter,
RF gain control is set to 'grabbed' state which prevents setting
value to the control.
Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Doug Goldstein [Thu, 26 Nov 2015 20:32:39 +0000 (14:32 -0600)]
xen-pciback: fix up cleanup path when alloc fails
When allocating a pciback device fails, clear the private
field. This could lead to an use-after free, however
the 'really_probe' takes care of setting
dev_set_drvdata(dev, NULL) in its failure path (which we would
exercise if the ->probe function failed), so we we
are OK. However lets be defensive as the code can change.
Going forward we should clean up the pci_set_drvdata(dev, NULL)
in the various code-base. That will be for another day.
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Reported-by: Jonathan Creekmore <jonathan.creekmore@gmail.com> Signed-off-by: Doug Goldstein <cardoe@cardoe.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set.
commit f598282f51 ("PCI: Fix the NIU MSI-X problem in a better way")
teaches us that dealing with MSI-X can be troublesome.
Further checks in the MSI-X architecture shows that if the
PCI_COMMAND_MEMORY bit is turned of in the PCI_COMMAND we
may not be able to access the BAR (since they are memory regions).
Since the MSI-X tables are located in there.. that can lead
to us causing PCIe errors. Inhibit us performing any
operation on the MSI-X unless the MEMORY bit is set.
Note that Xen hypervisor with:
"x86/MSI-X: access MSI-X table only after having enabled MSI-X"
will return:
xen_pciback: 0000:0a:00.1: error -6 enabling MSI-X for guest 3!
When the generic MSI code tries to setup the PIRQ without
MEMORY bit set. Which means with later versions of Xen
(4.6) this patch is not neccessary.
This is part of XSA-157
CC: stable@vger.kernel.org Reviewed-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled.
Otherwise just continue on, returning the same values as
previously (return of 0, and op->result has the PIRQ value).
This does not change the behavior of XEN_PCI_OP_disable_msi[|x].
The pci_disable_msi or pci_disable_msix have the checks for
msi_enabled or msix_enabled so they will error out immediately.
However the guest can still call these operations and cause
us to disable the 'ack_intr'. That means the backend IRQ handler
for the legacy interrupt will not respond to interrupts anymore.
This will lead to (if the device is causing an interrupt storm)
for the Linux generic code to disable the interrupt line.
Naturally this will only happen if the device in question
is plugged in on the motherboard on shared level interrupt GSI.
This is part of XSA-157
CC: stable@vger.kernel.org Reviewed-by: David Vrabel <david.vrabel@citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
xen/pciback: Do not install an IRQ handler for MSI interrupts.
Otherwise an guest can subvert the generic MSI code to trigger
an BUG_ON condition during MSI interrupt freeing:
for (i = 0; i < entry->nvec_used; i++)
BUG_ON(irq_has_action(entry->irq + i));
Xen PCI backed installs an IRQ handler (request_irq) for
the dev->irq whenever the guest writes PCI_COMMAND_MEMORY
(or PCI_COMMAND_IO) to the PCI_COMMAND register. This is
done in case the device has legacy interrupts the GSI line
is shared by the backend devices.
To subvert the backend the guest needs to make the backend
to change the dev->irq from the GSI to the MSI interrupt line,
make the backend allocate an interrupt handler, and then command
the backend to free the MSI interrupt and hit the BUG_ON.
Since the backend only calls 'request_irq' when the guest
writes to the PCI_COMMAND register the guest needs to call
XEN_PCI_OP_enable_msi before any other operation. This will
cause the generic MSI code to setup an MSI entry and
populate dev->irq with the new PIRQ value.
Then the guest can write to PCI_COMMAND PCI_COMMAND_MEMORY
and cause the backend to setup an IRQ handler for dev->irq
(which instead of the GSI value has the MSI pirq). See
'xen_pcibk_control_isr'.
Then the guest disables the MSI: XEN_PCI_OP_disable_msi
which ends up triggering the BUG_ON condition in 'free_msi_irqs'
as there is an IRQ handler for the entry->irq (dev->irq).
Note that this cannot be done using MSI-X as the generic
code does not over-write dev->irq with the MSI-X PIRQ values.
The patch inhibits setting up the IRQ handler if MSI or
MSI-X (for symmetry reasons) code had been called successfully.
P.S.
Xen PCIBack when it sets up the device for the guest consumption
ends up writting 0 to the PCI_COMMAND (see xen_pcibk_reset_device).
XSA-120 addendum patch removed that - however when upstreaming said
addendum we found that it caused issues with qemu upstream. That
has now been fixed in qemu upstream.
This is part of XSA-157
CC: stable@vger.kernel.org Reviewed-by: David Vrabel <david.vrabel@citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
xen/pciback: Return error on XEN_PCI_OP_enable_msix when device has MSI or MSI-X enabled
The guest sequence of:
a) XEN_PCI_OP_enable_msix
b) XEN_PCI_OP_enable_msix
results in hitting an NULL pointer due to using freed pointers.
The device passed in the guest MUST have MSI-X capability.
The a) constructs and SysFS representation of MSI and MSI groups.
The b) adds a second set of them but adding in to SysFS fails (duplicate entry).
'populate_msi_sysfs' frees the newly allocated msi_irq_groups (note that
in a) pdev->msi_irq_groups is still set) and also free's ALL of the
MSI-X entries of the device (the ones allocated in step a) and b)).
The unwind code: 'free_msi_irqs' deletes all the entries and tries to
delete the pdev->msi_irq_groups (which hasn't been set to NULL).
However the pointers in the SysFS are already freed and we hit an
NULL pointer further on when 'strlen' is attempted on a freed pointer.
The patch adds a simple check in the XEN_PCI_OP_enable_msix to guard
against that. The check for msi_enabled is not stricly neccessary.
This is part of XSA-157
CC: stable@vger.kernel.org Reviewed-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled
The guest sequence of:
a) XEN_PCI_OP_enable_msi
b) XEN_PCI_OP_enable_msi
c) XEN_PCI_OP_disable_msi
results in hitting an BUG_ON condition in the msi.c code.
The MSI code uses an dev->msi_list to which it adds MSI entries.
Under the above conditions an BUG_ON() can be hit. The device
passed in the guest MUST have MSI capability.
The a) adds the entry to the dev->msi_list and sets msi_enabled.
The b) adds a second entry but adding in to SysFS fails (duplicate entry)
and deletes all of the entries from msi_list and returns (with msi_enabled
is still set). c) pci_disable_msi passes the msi_enabled checks and hits:
BUG_ON(list_empty(dev_to_msi_list(&dev->dev)));
and blows up.
The patch adds a simple check in the XEN_PCI_OP_enable_msi to guard
against that. The check for msix_enabled is not stricly neccessary.
This is part of XSA-157.
CC: stable@vger.kernel.org Reviewed-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
xen/pciback: Save xen_pci_op commands before processing it
Double fetch vulnerabilities that happen when a variable is
fetched twice from shared memory but a security check is only
performed the first time.
The xen_pcibk_do_op function performs a switch statements on the op->cmd
value which is stored in shared memory. Interestingly this can result
in a double fetch vulnerability depending on the performed compiler
optimization.
This patch fixes it by saving the xen_pci_op command before
processing it. We also use 'barrier' to make sure that the
compiler does not perform any optimization.
This is part of XSA155.
CC: stable@vger.kernel.org Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Jan Beulich <JBeulich@suse.com> Signed-off-by: David Vrabel <david.vrabel@citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Roger Pau Monné [Tue, 3 Nov 2015 16:40:43 +0000 (16:40 +0000)]
xen-blkback: read from indirect descriptors only once
Since indirect descriptors are in memory shared with the frontend, the
frontend could alter the first_sect and last_sect values after they have
been validated but before they are recorded in the request. This may
result in I/O requests that overflow the foreign page, possibly
overwriting local pages when the I/O request is executed.
When parsing indirect descriptors, only read first_sect and last_sect
once.
This is part of XSA155.
CC: stable@vger.kernel.org Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Signed-off-by: David Vrabel <david.vrabel@citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
David Vrabel [Fri, 30 Oct 2015 15:17:06 +0000 (15:17 +0000)]
xen-netback: use RING_COPY_REQUEST() throughout
Instead of open-coding memcpy()s and directly accessing Tx and Rx
requests, use the new RING_COPY_REQUEST() that ensures the local copy
is correct.
This is more than is strictly necessary for guest Rx requests since
only the id and gref fields are used and it is harmless if the
frontend modifies these.
This is part of XSA155.
CC: stable@vger.kernel.org Reviewed-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: David Vrabel <david.vrabel@citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>