Fix B-tree corruption when a new record is inserted at position 0 in the
node in hfs_brec_insert(). In this case a hfs_brec_update_parent() is
called to update the parent index node (if exists) and it is passed
hfs_find_data with a search_key containing a newly inserted key instead
of the key to be updated. This results in an inconsistent index node.
The bug reproduces on my machine after an extents overflow record for
the catalog file (CNID=4) is inserted into the extents overflow B-tree.
Because of a low (reserved) value of CNID=4, it has to become the first
record in the first leaf node.
The resulting first leaf node is correct:
----------------------------------------------------
| key0.CNID=4 | key1.CNID=123 | key2.CNID=456, ... |
----------------------------------------------------
But the parent index key0 still contains the previous key CNID=123:
-----------------------
| key0.CNID=123 | ... |
-----------------------
A change in hfs_brec_insert() makes hfs_brec_update_parent() work
correctly by preventing it from getting fd->record=-1 value from
__hfs_brec_find().
Along the way, I removed duplicate code with unification of the if
condition. The resulting code is equivalent to the original code
because node is never 0.
Also hfs_brec_update_parent() will now return an error after getting a
negative fd->record value. However, the return value of
hfs_brec_update_parent() is not checked anywhere in the file and I'm
leaving it unchanged by this patch. brec.c lacks error checking after
some other calls too, but this issue is of less importance than the one
being fixed by this patch.
Signed-off-by: Sergei Antonov <saproj@gmail.com>
Cc: Joe Perches <joe@perches.com>
Reviewed-by: Vyacheslav Dubeyko <slava@dubeyko.com>
Acked-by: Hin-Tak Leung <htl10@users.sourceforge.net>
Cc: Anton Altaparmakov <aia21@cam.ac.uk>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
I am familiar with these drivers and I care about them so let me add
myself as their maintainer.
Signed-off-by: Jean Delvare <jdelvare@suse.de>
Acked-by: Matt Fleming <matt.fleming@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
When affs_bread_ino() fails, correctly unlock the page and release the
page cache with proper error value. All write_end() should
unlock/release the page that was locked by write_beg().
Signed-off-by: Taesoo Kim <tsgatesv@gmail.com>
Cc: Fabian Frederick <fabf@skynet.be>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Commit 3c605096d3 ("mm/page_alloc: restrict max order of merging on
isolated pageblock") changed the logic of unset_migratetype_isolate to
check the buddy allocator and explicitly call __free_pages to merge.
The page that is being freed in this path never had prep_new_page called
so set_page_refcounted is called explicitly but there is no call to
kernel_map_pages. With the default kernel_map_pages this is mostly
harmless but if kernel_map_pages does any manipulation of the page
tables (unmapping or setting pages to read only) this may trigger a
fault:
alloc_contig_range test_pages_isolated(ceb00, ced00) failed
Unable to handle kernel paging request at virtual address ffffffc0cec00000
pgd = ffffffc045fc4000
[ffffffc0cec00000] *pgd=0000000000000000
Internal error: Oops: 9600004f [#1] PREEMPT SMP
Modules linked in: exfatfs
CPU: 1 PID: 23237 Comm: TimedEventQueue Not tainted 3.10.49-gc72ad36-dirty #1
task: ffffffc03de52100 ti: ffffffc015388000 task.ti: ffffffc015388000
PC is at memset+0xc8/0x1c0
LR is at kernel_map_pages+0x1ec/0x244
Fix this by calling kernel_map_pages to ensure the page is set in the
page table properly
Fixes: 3c605096d3 ("mm/page_alloc: restrict max order of merging on isolated pageblock")
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Mel Gorman <mgorman@suse.de>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
Cc: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>
Cc: Xishi Qiu <qiuxishi@huawei.com>
Cc: Vladimir Davydov <vdavydov@parallels.com>
Acked-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Gioh Kim <gioh.kim@lge.com>
Cc: Michal Nazarewicz <mina86@mina86.com>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Commit 9aabf810a6 ("mm/slub: optimize alloc/free fastpath by removing
preemption on/off") introduced an occasional hang for kernels built with
CONFIG_PREEMPT && !CONFIG_SMP.
The problem is the following loop the patch introduced to
slab_alloc_node and slab_free:
do {
tid = this_cpu_read(s->cpu_slab->tid);
c = raw_cpu_ptr(s->cpu_slab);
} while (IS_ENABLED(CONFIG_PREEMPT) && unlikely(tid != c->tid));
GCC 4.9 has been observed to hoist the load of c and c->tid above the
loop for !SMP kernels (as in this case raw_cpu_ptr(x) is compile-time
constant and does not force a reload). On arm64 the generated assembly
looks like:
ldr x4, [x0,#8]
loop:
ldr x1, [x0,#8]
cmp x1, x4
b.ne loop
If the thread is preempted between the load of c->tid (into x1) and tid
(into x4), and an allocation or free occurs in another thread (bumping
the cpu_slab's tid), the thread will be stuck in the loop until
s->cpu_slab->tid wraps, which may be forever in the absence of
allocations/frees on the same CPU.
This patch changes the loop condition to access c->tid with READ_ONCE.
This ensures that the value is reloaded even when the compiler would
otherwise assume it could cache the value, and also ensures that the
load will not be torn.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Steve Capper <steve.capper@linaro.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Commit c6a95dbee7 ("MAINTAINERS: add the RTC driver for the
Armada38x") typoed the pattern, fix it.
Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
walk_page_test() is purely pagewalk's internal stuff, and its positive
return values are not intended to be passed to the callers of pagewalk.
However, in the current code if the last vma in the do-while loop in
walk_page_range() happens to return a positive value, it leaks outside
walk_page_range(). So the user visible effect is invalid/unexpected
return value (according to the reporter, mbind() causes it.)
This patch fixes it simply by reinitializing the return value after
checked.
Another exposed interface, walk_page_vma(), already returns 0 for such
cases so no problem.
Fixes: fafaa4264e ("pagewalk: improve vma handling")
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Signed-off-by: Kazutomo Yoshii <kazutomo.yoshii@gmail.com>
Reported-by: Kazutomo Yoshii <kazutomo.yoshii@gmail.com>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
I have constantly stumbled upon "kernel BUG at mm/rmap.c:399!" after
upgrading to 3.19 and had no luck with 4.0-rc1 neither.
So, after looking into new logic introduced by commit 7a3ef208e6 ("mm:
prevent endless growth of anon_vma hierarchy"), I found chances are that
unlink_anon_vmas() is called without incrementing dst->anon_vma->degree
in anon_vma_clone() due to allocation failure. If dst->anon_vma is not
NULL in error path, its degree will be incorrectly decremented in
unlink_anon_vmas() and eventually underflow when exiting as a result of
another call to unlink_anon_vmas(). That's how "kernel BUG at
mm/rmap.c:399!" is triggered for me.
This patch fixes the underflow by dropping dst->anon_vma when allocation
fails. It's safe to do so regardless of original value of dst->anon_vma
because dst->anon_vma doesn't have valid meaning if anon_vma_clone()
fails. Besides, callers don't care dst->anon_vma in such case neither.
Also suggested by Michal Hocko, we can clean up vma_adjust() a bit as
anon_vma_clone() now does the work.
[akpm@linux-foundation.org: tweak comment]
Fixes: 7a3ef208e6 ("mm: prevent endless growth of anon_vma hierarchy")
Signed-off-by: Leon Yu <chianglungyu@gmail.com>
Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
Reviewed-by: Michal Hocko <mhocko@suse.cz>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: David Rientjes <rientjes@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The Moorestown RTC driver implements suspend and resume callbacks and
assigns them to the suspend and resume fields of the device_driver
struct. These callbacks are never actually called by anything though.
Modify the driver to properly use dev_pm_ops so that the suspend and
resume functions are actually executed upon suspend/resume.
[akpm@linux-foundation.org: device_driver.name is const char *]
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: Feng Tang <feng.tang@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The coraid.com email address is defunct. The old aoe support area hosted
at coraid.com is no longer up. These changes update the email and website
to current ones.
Signed-off-by: Ed Cashin <ed.cashin@acm.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Pull block layer fixes from Jens Axboe:
"A small collection of fixes that has been gathered over the last few
weeks. This contains:
- A one-liner fix for NVMe, fixing a missing list_head init that
could makes us oops on hitting recovery at load time.
- Two small blk-mq fixes:
- Fixup a bad goto jump on error handling.
- Fix for oopsing if running out of reserved tags.
- A memory leak fix for NBD.
- Two small writeback fixes from Tejun, fixing a missing init to
INITIAL_JIFFIES, and a possible underflow introduced recently.
- A core merge fixup in sg gap detection, where rq->biotail was
indexed with the count of rq->bio"
* 'for-linus' of git://git.kernel.dk/linux-block:
writeback: fix possible underflow in write bandwidth calculation
NVMe: Initialize device list head before starting
Fix bug in blk_rq_merge_ok
blkmq: Fix NULL pointer deref when all reserved tags in
blk-mq: fix use of incorrect goto label in blk_mq_init_queue error path
nbd: fix possible memory leak
writeback: add missing INITIAL_JIFFIES init in global_update_bandwidth()
Return a negative error value like the rest of the entries in this function.
Cc: <stable@vger.kernel.org>
Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: tweaked subject line]
Signed-off-by: Paul Moore <pmoore@redhat.com>
The faulting virtual address is >32bits and has been moved
to different registers. Add to error state and output upper
register first, in the same line for easy reconstruction of
the fault address.
v2: correct gen masking (Michel)
v3: s/TBL/TLB (Ville)
Signed-off-by: Mika Kuoppala <mika.kuoppala@intel.com>
Reviewed-by: Michel Thierry <michel.thierry@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
It should have been negative since it is returned with ERR_PTR().
Introduced in new code commit:
commit 50470bb011
Author: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Date: Mon Mar 23 11:10:36 2015 +0000
drm/i915/skl: Support secondary (rotated) frame buffer mapping
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Or users can just spam the log all they want.
Issue introduced in
commit 9a8f0a1290
Author: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Date: Fri Feb 27 11:15:24 2015 +0000
drm/i915/skl: Allow Y (and Yf) frame buffer creation
References: https://bugs.freedesktop.org/show_bug.cgi?id=89628
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
After a suspend/resume cycle we missed to enable smt again, which leads
to all sorts of bugs, since the kernel assumes smt is enabled, while the
hardware thinks it is not.
Reported-and-tested-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Reported-by: Stefan Haberland <stefan.haberland@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
- switch_mm() fix where init_mm.pgd ends up in the user TTBR0;
swapper_pg_dir is not suitable for user mappings
- this_cpu accessors fix for preemption safety
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJVEag5AAoJEGvWsS0AyF7xA2gP/3x/Qh3iaON3v5zlP6gMFlzQ
i5L0k4GXdowbMixhe+2PifYg54JvRoDQpjobpOXKwUOPrsHSQHKhdo6PELf/EDA6
bmuak45GeayP5s4LvIDrm8zIoToF3DzIsvT2d9rPLcA5E0jLOZr9mFcJyCu81jwG
JJFea4a4oWnfzETFx86NHLHkxMTokL+TqeLkHPNDm6ZY+ajMPOMR6COvlCBNkGkD
0s3s6yKQefL9q/3OzhJOGfIQghQWAR6oQUqKNvABmeeOtyUC3KApAdFk+3v+fOaV
nAf3thImnd7YdBSC34qCbKAPGvUQZAZbqkMBdtOl6Yk0xMilPb5AVh/5M45++GKd
64rQrDdDRlYEwpThoHceMOSMUY2gKL+KZr7HuK1ZDnQzGrD7yro9V/LRzdpPHcXN
wfrO2xfAF4wowj5AhhSkJ6n1TolrpIkUj0dNyAmiQ7qh9J2LS7HgDSvBXCRaHP/y
z7kNrybqpWMCa3Xg7Tez6K/pV1ObHK2MufLk3wsBL5JuPoxpLmqwhtQABWFwoMks
lQ4y3QweQktGhhp1ZN1Rn93vTOsK4tZrONnwvRmZE/mM5N+ELxVZxfrFcuPWUAcG
y1WiXKVXnXZ/MxgYj5XLTxjCB6K0Rpz4ywE1GfdJKReBbW5l99kzXEYLoTVzD0am
3wallsQqIFPErQ6pbgEw
=MQxz
-----END PGP SIGNATURE-----
Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
Pull two arm64 fixes from Catalin Marinas:
- switch_mm() fix where init_mm.pgd ends up in the user TTBR0;
swapper_pg_dir is not suitable for user mappings
- this_cpu accessors fix for preemption safety
* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
arm64: percpu: Make this_cpu accessors pre-empt safe
arm64: Use the reserved TTBR0 if context switching to the init_mm
- Fix the MCE code to use CONFIG_KVM_BOOK3S_64_HANDLER
- Little endian fixes for post mobility device tree update
- Add PVR for POWER8NVL processor
- Fixes for hypervisor doorbell handling
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJVEMazAAoJEFHr6jzI4aWAdZUP/jr6w7JtFRMUf2VvrU+QsIlZ
QHXIVXONvWxpLLkdDMJvbZ8BEm/sgXyVMpjgEZPneeNYIJp/PeZJqvDjIw5VBEPd
mMljfMwcYLvGAnpJnP3dgnuQUYf6/g1YiZlIHxn4qsmzlCPgzJm5Wn1ZzupmbZZk
vNEHeSZZ5ILLI+2JNwal2uOf8L2Q4a/OINjhPy/2aM+aBXMUX75jK4G4BLpyTs5M
jHTSSkerhvlM2SWy5Pu4UtJ19Sj3m48TgT0ZzkPfRGv4EEs8oLC7gMI1+T+/KE/F
pCgnVB3G5YxP8ln7RrHUH7hod/c3gzu5hsLzyIIH6gquzmffEAEGmYWg8aLOXdGQ
EGkZKubmoCr5j09SLD//Gb5Ru6e93seRF/9cn5wHiAFccVsA+r4VyvMuoHL/b4aP
o47d3cMwsQWqUsoeOfWUOQRZHQWa9kS/ueWOWzTjEt8KILNnf0L8QyL/GzAGrEYz
Rn6lEVaKsKPwMLuPQRjifCIG8Mno9gEVPYd5ZyxzOVirq4lUUqMSprG//u8iuavj
si/N0gwRVkrK3Vy+zp1p1pmii2XRSrVgBKPyx3RIxiZKfVTypQmT1NIZpywQVT3j
wYD7YbyPYk6maY63m5jy7X/9P48NdRSd+rg0+fMuN/Dps+lHQTy8hzf4bU7kT7hO
aIEbuTBunMkaadxxItJI
=ZvQl
-----END PGP SIGNATURE-----
Merge tag 'powerpc-4.0-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux
Pull powerpc fixes from Michael Ellerman:
- Fix the MCE code to use CONFIG_KVM_BOOK3S_64_HANDLER
- Little endian fixes for post mobility device tree update
- Add PVR for POWER8NVL processor
- Fixes for hypervisor doorbell handling
* tag 'powerpc-4.0-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux:
powerpc/book3s: Fix the MCE code to use CONFIG_KVM_BOOK3S_64_HANDLER
powerpc/pseries: Little endian fixes for post mobility device tree update
powerpc: Add PVR for POWER8NVL processor
powerpc/powernv: Fixes for hypervisor doorbell handling
Pull libata fix from Tejun Heo:
"One patch to fix a regression from the recent switch to blk-mq tag
allocation which can cause oops on SAS-attached SATA drives"
* 'for-4.0-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
ata: Add a new flag to destinguish sas controller
- Use DMA'able addresses for DMA; rtsx_usb
- Use return value in the correct way; kempld-core
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJVED3JAAoJEFGvii+H/Hdh0W0QAIG7pV1Br5K2DgkpMZlg88sa
WIP6G5frOJMdPwQ4+UPI68RMXEa4tman36cTju7vwUV/K6PnXeaiyofwHjNMX7xu
qvdmFGULD3AmJT4phtjZjO6UgrVqBvmIGMwYp8qSjV+eaKA9CbwfGdzqpatfOH94
m+JW6N+5GNAdpi4i6ZnhNWsMbDQz4q4ss5VZHMS6vFv3y3ByQjN+ojb/o5QRmIy5
45XWmnLSzjkwdgtAk9L9FnH1RJnl80kML0cmrjKPvWOX393WpmebjvEplYmOZ9sn
k2GhkDI9oU+GjmLakrZXOmz62Kr/DLgbIHJwA6y0Q7/3HqtoygnUyod2X91g6X7b
dN5bZluu1wx/sP6xrqKNJlMoW/gMyK8uUnfb7qXLEbqHKcLnMmVHOkgOEU9lkCt2
/j2u67vfuYmkZR3wHx8caWMD4pyBhOc6MkIUimPH5o6S+NjPK9f7Gm6584exw+N8
w4YGTDkIrlEc2xdPda4e8wkJjeh/Vlwt2jOb+vCN2ZbsJpv5HYLzWduBcV20RePn
6zgeQWJNAJFtcyWoqIXZF0nV27Fs0APFZyQ/QOf0ZhNeK+NvX0U0O6D9568z2kMw
PfnHCpif3f2ZF8gBRjxJIHhBtnTZ6RLR3b49eVNLSsJUf2rpMeAFhdoG9dM6ewpl
uIlHWnA68HecUhNVSQQS
=FZfe
-----END PGP SIGNATURE-----
Merge tag 'mfd-fixes-4.0' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd
Pull MFD fixes from Lee Jones:
- Use DMA'able addresses for DMA; rtsx_usb
- Use return value in the correct way; kempld-core
* tag 'mfd-fixes-4.0' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd:
mfd: kempld-core: Fix callback return value check
mfd: rtsx_usb: Prevent DMA from stack
Tvrtko noticed a new warning on boot:
WARNING: CPU: 1 PID: 353 at include/linux/kref.h:47 drm_framebuffer_reference+0x6c/0x80 [drm]()
Call Trace:
[<ffffffff8161f10c>] dump_stack+0x4f/0x7b
[<ffffffff81052caa>] warn_slowpath_common+0xaa/0xd0
[<ffffffff81052d8a>] warn_slowpath_null+0x1a/0x20
[<ffffffffa00d035c>] drm_framebuffer_reference+0x6c/0x80 [drm]
[<ffffffffa01c0df7>] update_state_fb.isra.54+0x47/0x50 [i915]
[<ffffffffa01ccd5c>] skylake_get_initial_plane_config+0x93c/0x950 [i915]
[<ffffffffa01e8721>] intel_modeset_init+0x1551/0x17c0 [i915]
[<ffffffffa02476e0>] i915_driver_load+0xed0/0x11e0 [i915]
[<ffffffff81627aa1>] ? _raw_spin_unlock_irqrestore+0x51/0x70
[<ffffffffa00ca8b7>] drm_dev_register+0x77/0x110 [drm]
[<ffffffffa00cda3b>] drm_get_pci_dev+0x11b/0x1f0 [drm]
[<ffffffff81098e3d>] ? trace_hardirqs_on+0xd/0x10
[<ffffffff81627aa1>] ? _raw_spin_unlock_irqrestore+0x51/0x70
[<ffffffffa0145276>] i915_pci_probe+0x56/0x60 [i915]
[<ffffffff813ad59c>] pci_device_probe+0x7c/0x100
[<ffffffff81466aad>] driver_probe_device+0x16d/0x380
We cannot take a reference at this point, not before
intel_framebuffer_init() and the underlying drm_framebuffer_init().
Introduced in:
commit 706dc7b549175e47f23e913b7f1e52874a7d0f56
Author: Matt Roper <matthew.d.roper@intel.com>
Date: Tue Feb 3 13:10:04 2015 -0800
drm/i915: Ensure plane->state->fb stays in sync with plane->fb
v2: Don't move update_state_fb(). It was moved around because I
originally put update_state_fb() in intel_alloc_plane_obj() before
finding a better place. (Matt)
Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
Reported-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: Matt Roper <matthew.d.roper@intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Signed-off-by: Damien Lespiau <damien.lespiau@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
From drm-next:
(cherry picked from commit f55548b5af)
Signed-off-by: Dave Airlie <airlied@redhat.com>
A couple of driver specific fixes of the usual "important if you have
that device" kind together with a fix for a use after free bug that was
introduced into the trace code in some of the recent refactoring of the
message queue handling.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJVEdEPAAoJECTWi3JdVIfQADEIAIV7j0Ot7bkIBk9I5rxakQyI
TxiAmrFASSJ1Li9tyL56FAzH6rkKtCp7RZgtyAQ7+GS7p8vUmVphVJP+JYbFMJ8t
R7zdUg6YMphY1A2AjPgCskb33ZOWvy5V52+WmkSmVN+iTGgP8ixgdJKEwHQ+Ddjy
JhGDl5MI2G3ubV4d4Deyde4n4tvasvHiwYVo5QxQArbUSU/LbA+kHh2iJxA1kBWX
9x7PFM+SAOSgceddumA+pwvJBgd/52PkQZhSYCO+w40is1UxGlf39nqaYAPKV1Qv
EDVaVZ3C4UodbL9qxFBzGspf+ASBs/LbOOa+Dlk2eKsqJH1XiSuEF0fkKCA0wYA=
=x0qK
-----END PGP SIGNATURE-----
Merge tag 'spi-v4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"A couple of driver specific fixes of the usual "important if you have
that device" kind together with a fix for a use after free bug that
was introduced into the trace code in some of the recent refactoring
of the message queue handling"
* tag 'spi-v4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: trigger trace event for message-done before mesg->complete
spi: dw-mid: clear BUSY flag fist and test other one
spi: qup: Fix cs-num DT property parsing
Two fixes here, one typo fix in the documentation and one fix for a
system hang with one of the Palmas chips caused by the use of an
incorrect offset being provided for one of the registers.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJVEaIJAAoJECTWi3JdVIfQ54MH/2q047KXbu0SjJ36x0O/kpnw
zYZhnSSh2anSm64hZYaYEdZUOhsoWXT/iq8P6JSZnpJzQQ0DNiCvUEBWWoyG7cq/
wts6zc9dEJZND5gFFKbQX54Hi5JHAJXNBLqT57d69QJNIHtvXkk2ztIAjxbNu6z8
THnkWX4AFkcGY5ZBF3lrM/Ur3I3E1UWIeIM7hser5KvwPKxQYdV7K4ph4actmXZ/
zGU4oVO4pwSfpA/FKQtpuA3WL89eBSeICt1sleOqSvHhoSdmGbXjndxrkyC0kpeQ
j6DrkeO2dCmPqMoyzyoUPQLvELfwXVGuhemfOAdZtefE/vxH2zY9VKUlDHuL7Do=
=qhJo
-----END PGP SIGNATURE-----
Merge tag 'regulator-fix-v4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
Pull regulator fixes from Mark Brown:
"Two fixes here, one typo fix in the documentation and one fix for a
system hang with one of the Palmas chips caused by the use of an
incorrect offset being provided for one of the registers"
* tag 'regulator-fix-v4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: Fix documentation for regmap in the config
regulator: palmas: Correct TPS659038 register definition for REGEN2
This patch fixes a bad interaction between the support that was added
for having regmaps without devices for early system controller
initialization and the trace support. There's a very good analysis of
the actual issue in the commit message for the change.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJVEGNEAAoJECTWi3JdVIfQO+oH/1E2Ho6+X0lIG1mAIC27fae+
XwxtVvUOjCMSPOJ2gg+++YSKc7KIgkxt/VHpw2VllgklYDz32hHloaX/NCfIFaAt
jqTcE+PEeNJgjiZ0qa9zidMeT+BakhsYYl1gwA+0NYVH6AQuwXhhlKdq5+0MmySB
QMCVmWcB/XdvIW5t1nGleahTxqaIRyFXGk1q4dArKjlWSolKrLJr1QHXVvgJBDWN
BTVuzI5WCzzCc1W4FHO6X91PQCEdc7eJxrCXGIuZ53nZlLx3YbhdKxHifibaxU4e
7pRFH1e5FI2jEYjcfDsYi71A+OuexXGHmq1Trm2uPaSIFsCTz32QzieyTD2Lfp8=
=eX90
-----END PGP SIGNATURE-----
Merge tag 'regmap-fix-v4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap
Pull regmap fix from Mark Brown:
"This patch fixes a bad interaction between the support that was added
for having regmaps without devices for early system controller
initialization and the trace support.
There's a very good analysis of the actual issue in the commit message
for the change"
* tag 'regmap-fix-v4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap:
regmap: introduce regmap_name to fix syscon regmap trace events
Without proper regulator support for individual boards, it is dangerous
to have overclocked/overvoltaged OPPs in the list. Cpufreq will increase
the frequency without the accompanying voltage increase, resulting in
an unstable system.
Remove them for now. We can revisit them with the new version of OPP
bindings, which support boost settings and frequency ranges, among
other things.
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
The Olimex A10-Lime is known to be unstable when running at 1008MHz.
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
We currently have a race: if we're preempted during syscall
exit, we can fail to process syscall return work that is queued
up while we're preempted in ret_from_sys_call after checking
ti.flags.
Fix it by disabling interrupts before checking ti.flags.
Reported-by: Stefan Seyfried <stefan.seyfried@googlemail.com>
Reported-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Acked-by: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Tejun Heo <tj@kernel.org>
Fixes: 96b6352c12 ("x86_64, entry: Remove the syscall exit audit")
Link: http://lkml.kernel.org/r/189320d42b4d671df78c10555976bb10af1ffc75.1427137498.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
this_cpu operations were implemented for arm64 in:
5284e1b arm64: xchg: Implement cmpxchg_double
f97fc81 arm64: percpu: Implement this_cpu operations
Unfortunately, it is possible for pre-emption to take place between
address generation and data access. This can lead to cases where data
is being manipulated by this_cpu for a different CPU than it was
called on. Which effectively breaks the spec.
This patch disables pre-emption for the this_cpu operations
guaranteeing that address generation and data manipulation take place
without a pre-emption in-between.
Fixes: 5284e1b4bc ("arm64: xchg: Implement cmpxchg_double")
Fixes: f97fc81079 ("arm64: percpu: Implement this_cpu operations")
Reported-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Steve Capper <steve.capper@linaro.org>
[catalin.marinas@arm.com: remove space after type cast]
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
As part of allocation of the drm_i915_private variable, drrs capability
enum is initialized to DRRS_NOT_SUPPORTED. Hence need not initialize at
each connector init.
Moreover initializing this enum at connector init will reset
the successful DRRS initialization of previous connector, as we have
the DRRS support for only one panel at a time.
Signed-off-by: Ramalingam C <ramalingam.c@intel.com>
Reviewed-by: Sivakumar Thulasimani <sivakumar.thulasimani@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
The logical place for clearing the RPS latched interrupt bits is when
resetting the RPS interrupts, so move the corresponding part from the RPS
disable function to the reset function. During resetting we already
cleared the IIR bits, so the only thing missing there was clearing pm_iir.
Note that we call gen6_disable_rps_interrupts() also during driver load
and resume time via intel_uncore_sanitize() when i915 interrupts are
still not installed. If there are any pending RPS bits at this point
(which after this patch wouldn't be cleared) they will be cleared by the
reset code via the interrupt preinstall hooks.
Signed-off-by: Imre Deak <imre.deak@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
When disabling RPS interrupts there is a race where we disable RPS
inerrupts while the interrupt handler is running and the handler has
already latched the pending RPS interrupt from the master IIR register.
Afterwards the disabling path clears the PM IIR bits, making the state
of pending interrupts inconsistent from the interrupt handler's point of
view. This triggers the following warning: "The master control interrupt
lied (PM)!".
To fix this make sure that any running interrupt handler (which may
have already latched the master IIR) finishes before clearing the IIR
bits.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=87347
Signed-off-by: Imre Deak <imre.deak@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Originally it was impossible to be dropping the last refcount in this
function since there was always one around still from the idr. But in
commit 83f45fc360
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Wed Aug 6 09:10:18 2014 +0200
drm: Don't grab an fb reference for the idr
we've switched to weak references, broke that assumption but forgot to
fix it up.
Since we still force-disable planes it's only possible to hit this
when racing multiple rmfb with fbdev restoring or similar evil things.
As long as userspace is nice it's impossible to hit the BUG_ON.
But the BUG_ON would most likely be hit from fbdev code, which usually
invovles the console_lock besides all modeset locks. So very likely
we'd never get the bug reports if this was hit in the wild, hence
better be safe than sorry and backport.
Spotted by Matt Roper while reviewing other patches.
[airlied: pull this back into 4.0 - the oops happens there]
Cc: stable@vger.kernel.org
Cc: Matt Roper <matthew.d.roper@intel.com>
Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
KVM guest can fail to startup with following trace on host:
qemu-system-x86: page allocation failure: order:4, mode:0x40d0
Call Trace:
dump_stack+0x47/0x67
warn_alloc_failed+0xee/0x150
__alloc_pages_direct_compact+0x14a/0x150
__alloc_pages_nodemask+0x776/0xb80
alloc_kmem_pages+0x3a/0x110
kmalloc_order+0x13/0x50
kmemdup+0x1b/0x40
__kvm_set_memory_region+0x24a/0x9f0 [kvm]
kvm_set_ioapic+0x130/0x130 [kvm]
kvm_set_memory_region+0x21/0x40 [kvm]
kvm_vm_ioctl+0x43f/0x750 [kvm]
Failure happens when attempting to allocate pages for
'struct kvm_memslots', however it doesn't have to be
present in physically contiguous (kmalloc-ed) address
space, change allocation to kvm_kvzalloc() so that
it will be vmalloc-ed when its size is more then a page.
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
kvm_ioapic_update_eoi() wasn't called if directed EOI was enabled.
We need to do that for irq notifiers. (Like with edge interrupts.)
Fix it by skipping EOI broadcast only.
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=82211
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Bandan Das <bsd@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Commit c4db59d31e ("fs: don't reassign dirty inodes to
default_backing_dev_info") exposed DM to a latent race in free_dev() vs
add_disk() in relation to management of the device's minor number.
Fix this by refactoring free_dev() to match cleanup order of the
alloc_dev() error path. Move cleanup of the gendisk, queue, and bdev
to _before_ the cleanup of the idr managed minor number.
Also, purely due to cleanup that fell out during the free_dev() audit:
- adjust dm_blk_close() to access the gendisk's private_data under
the _minor_lock spinlock.
- move __dm_destroy()'s dm_get_live_table() call out from under the
_minor_lock spinlock.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1202449
Reported-by: Zdenek Kabelac <zkabelac@redhat.com>
Reported-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
The idle_task_exit() function may call switch_mm() with next ==
&init_mm. On arm64, init_mm.pgd cannot be used for user mappings, so
this patch simply sets the reserved TTBR0.
Cc: <stable@vger.kernel.org>
Reported-by: Jon Medhurst (Tixy) <tixy@linaro.org>
Tested-by: Jon Medhurst (Tixy) <tixy@linaro.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Pull networking fixes from David Miller:
1) Validate iov ranges before feeding them into iov_iter_init(), from
Al Viro.
2) We changed copy_from_msghdr_from_user() to zero out the msg_namelen
is a NULL pointer is given for the msg_name. Do the same in the
compat code too. From Catalin Marinas.
3) Fix partially initialized tuples in netfilter conntrack helper, from
Ian Wilson.
4) Missing continue; statement in nft_hash walker can lead to crashes,
from Herbert Xu.
5) tproxy_tg6_check looks for IP6T_INV_PROTO in ->flags instead of
->invflags, fix from Pablo Neira Ayuso.
6) Incorrect memory account of TCP FINs can result in negative socket
memory accounting values. Fix from Josh Hunt.
7) Don't allow virtual functions to enable VLAN promiscuous mode in
be2net driver, from Vasundhara Volam.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set
cx82310_eth: wait for firmware to become ready
net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom
net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour
be2net: use PCI MMIO read instead of config read for errors
be2net: restrict MODIFY_EQ_DELAY cmd to a max of 8 EQs
be2net: Prevent VFs from enabling VLAN promiscuous mode
tcp: fix tcp fin memory accounting
ipv6: fix backtracking for throw routes
net: ethernet: pcnet32: Setup the SRAM and NOUFLO on Am79C97{3, 5}
ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment
netfilter: xt_TPROXY: fix invflags check in tproxy_tg6_check()
netfilter: restore rule tracing via nfnetlink_log
netfilter: nf_tables: allow to change chain policy without hook if it exists
netfilter: Fix potential crash in nft_hash walker
netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()
Pull sparc fixes from David Miller:
"Some perf bug fixes from David Ahern, and the fix for that nasty
memmove() bug"
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
sparc64: Fix several bugs in memmove().
sparc: Touch NMI watchdog when walking cpus and calling printk
sparc: perf: Add support M7 processor
sparc: perf: Make counting mode actually work
sparc: perf: Remove redundant perf_pmu_{en|dis}able calls
This model uses the same dock port as the previous generation.
Signed-off-by: Sebastian Wicki <gandro@gmx.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Firstly, handle zero length calls properly. Believe it or not there
are a few of these happening during early boot.
Next, we can't just drop to a memcpy() call in the forward copy case
where dst <= src. The reason is that the cache initializing stores
used in the Niagara memcpy() implementations can end up clearing out
cache lines before we've sourced their original contents completely.
For example, considering NG4memcpy, the main unrolled loop begins like
this:
load src + 0x00
load src + 0x08
load src + 0x10
load src + 0x18
load src + 0x20
store dst + 0x00
Assume dst is 64 byte aligned and let's say that dst is src - 8 for
this memcpy() call. That store at the end there is the one to the
first line in the cache line, thus clearing the whole line, which thus
clobbers "src + 0x28" before it even gets loaded.
To avoid this, just fall through to a simple copy only mildly
optimized for the case where src and dst are 8 byte aligned and the
length is a multiple of 8 as well. We could get fancy and call
GENmemcpy() but this is good enough for how this thing is actually
used.
Reported-by: David Ahern <david.ahern@oracle.com>
Reported-by: Bob Picco <bpicco@meloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
From 1ebf33901ecc75d9496862dceb1ef0377980587c Mon Sep 17 00:00:00 2001
From: Tejun Heo <tj@kernel.org>
Date: Mon, 23 Mar 2015 00:08:19 -0400
2f800fbd77 ("writeback: fix dirtied pages accounting on redirty")
introduced account_page_redirty() which reverts stat updates for a
redirtied page, making BDI_DIRTIED no longer monotonically increasing.
bdi_update_write_bandwidth() uses the delta in BDI_DIRTIED as the
basis for bandwidth calculation. While unlikely, since the above
patch, the newer value may be lower than the recorded past value and
underflow the bandwidth calculation leading to a wild result.
Fix it by subtracing min of the old and new values when calculating
delta. AFAIK, there hasn't been any report of it happening but the
resulting erratic behavior would be non-critical and temporary, so
it's possible that the issue is happening without being reported. The
risk of the fix is very low, so tagged for -stable.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Jan Kara <jack@suse.cz>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Greg Thelen <gthelen@google.com>
Fixes: 2f800fbd77 ("writeback: fix dirtied pages accounting on redirty")
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
Driver recovery requires the device's list node to have been initialized.
Fixes: https://lkml.org/lkml/2015/3/22/262
Reported-by: Steven Noonan <steven@uplinklabs.net>
Signed-off-by: Keith Busch <keith.busch@intel.com>
Cc: Matthew Wilcox <willy@linux.intel.com>
Cc: Jens Axboe <axboe@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
v2: Pass in rotation info to sprite plane updates as well.
v3: Use helper to determine 90/270 rotation. (Michel Thierry)
v4: Rebased for fb modifiers and atomic changes.
For: VIZ-4546
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Reviewed-by: Michel Thierry <michel.thierry@intel.com> (v3)
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Need to do this in order to support 90/270 rotated display.
v2: Pass in drm_plane instead of plane index to intel_obj_display_address.
v3:
* Renamed intel_obj_display_address to intel_plane_obj_offset.
(Chris Wilson)
* Simplified rotation check to bitwise AND. (Chris Wilson)
v4:
* Extracted 90/270 rotation check into a helper function. (Michel Thierry)
v5:
* Rebased for ggtt view changes.
For: VIZ-4545
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Reviewed-by: Michel Thierry <michel.thierry@intel.com>
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
90/270 rotated scanout needs a rotated GTT view of the framebuffer.
This is put in a separate VMA with a dedicated ggtt view and wired such that
it is created when a framebuffer is pinned to a 90/270 rotated plane.
Rotation is only possible with Yb/Yf buffers and error is propagated to
user space in case of a mismatch.
Special rotated page view is constructed at the VMA creation time by
borrowing the DMA addresses from obj->pages.
v2:
* Do not bother with pages for rotated sg list, just populate the DMA
addresses. (Daniel Vetter)
* Checkpatch cleanup.
v3:
* Rebased on top of new plane handling (create rotated mapping when
setting the rotation property).
* Unpin rotated VMA on unpinning from display plane.
* Simplify rotation check using bitwise AND. (Chris Wilson)
v4:
* Fix unpinning of optional rotated mapping so it is really considered
to be optional.
v5:
* Rebased for fb modifier changes.
* Rebased for atomic commit.
* Only pin needed view for display. (Ville Syrjälä, Daniel Vetter)
v6:
* Rebased after preparatory work has been extracted out. (Daniel Vetter)
v7:
* Slightly simplified tiling geometry calculation.
* Moved rotated GGTT view implementation into i915_gem_gtt.c (Daniel Vetter)
v8:
* Do not use i915_gem_obj_size to get object size since that actually
returns the size of an VMA which may not exist.
* Rebased for ggtt view changes.
v9:
* Rebased after code review changes on the preceding patches.
* Tidy function definitions. (Joonas Lahtinen)
For: VIZ-4726
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Reviewed-by: Michel Thierry <michel.thierry@intel.com> (v4)
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
For now only default implementation defaulting to normal view.
v2: Some code review cleanups. (Joonas Lahtinen)
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> (v2)
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Sergei Antonov