[ Upstream commit 1b0ff89852 ]
While the driver is probing the adapter, an error may occur before the
netdev structure is allocated and attached to pci_dev. In this case,
not only netdev isn't available, but the tg3 private structure is also
not available as it is just math from the NULL pointer, so dereferences
must be skipped.
The following trace is seen when the error is triggered:
[1.402247] Unable to handle kernel paging request for data at address 0x00001a99
[1.402410] Faulting instruction address: 0xc0000000007e33f8
[1.402450] Oops: Kernel access of bad area, sig: 11 [#1]
[1.402481] SMP NR_CPUS=2048 NUMA PowerNV
[1.402513] Modules linked in:
[1.402545] CPU: 0 PID: 651 Comm: eehd Not tainted 4.4.0-36-generic #55-Ubuntu
[1.402591] task: c000001fe4e42a20 ti: c000001fe4e88000 task.ti: c000001fe4e88000
[1.402742] NIP: c0000000007e33f8 LR: c0000000007e3164 CTR: c000000000595ea0
[1.402787] REGS: c000001fe4e8b790 TRAP: 0300 Not tainted (4.4.0-36-generic)
[1.402832] MSR: 9000000100009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 28000422 XER: 20000000
[1.403058] CFAR: c000000000008468 DAR: 0000000000001a99 DSISR: 42000000 SOFTE: 1
GPR00: c0000000007e3164 c000001fe4e8ba10 c0000000015c5e00 0000000000000000
GPR04: 0000000000000001 0000000000000000 0000000000000039 0000000000000299
GPR08: 0000000000000000 0000000000000001 c000001fe4e88000 0000000000000006
GPR12: 0000000000000000 c00000000fb40000 c0000000000e6558 c000003ca1bffd00
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000000 0000000000000000 c000000000d52768
GPR24: c000000000d52740 0000000000000100 c000003ca1b52000 0000000000000002
GPR28: 0000000000000900 0000000000000000 c00000000152a0c0 c000003ca1b52000
[1.404226] NIP [c0000000007e33f8] tg3_io_error_detected+0x308/0x340
[1.404265] LR [c0000000007e3164] tg3_io_error_detected+0x74/0x340
This patch avoids the NULL pointer dereference by moving the access after
the netdev NULL pointer check on tg3_io_error_detected(). Also, we add a
check for netdev being NULL on tg3_io_resume() [suggested by Michael Chan].
Fixes: 0486a063b1 ("tg3: prevent ifup/ifdown during PCI error recovery")
Fixes: dfc8f37031 ("net/tg3: Release IRQs on permanent error")
Tested-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
Signed-off-by: Milton Miller <miltonm@us.ibm.com>
Signed-off-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
Acked-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit db32e4e49c ]
Similar to commit 3be07244b7 ("ip6_gre: fix flowi6_proto value in
xmit path"), set flowi6_proto to IPPROTO_GRE for output route lookup.
Up until now, ip6gre_xmit_other() has set flowi6_proto to a bogus value.
This affected output route lookup for packets sent on an ip6gretap device
in cases where routing was dependent on the value of flowi6_proto.
Since the correct proto is already set in the tunnel flowi6 template via
commit 252f3f5a11 ("ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit
path."), simply delete the line setting the incorrect flowi6_proto value.
Suggested-by: Jiri Benc <jbenc@redhat.com>
Fixes: c12b395a46 ("gre: Support GRE over IPv6")
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 019b1c9fe3 ]
If DBGUNDO() is enabled (FASTRETRANS_DEBUG > 1), a compile
error will happen, since inet6_sk(sk)->daddr became sk->sk_v6_daddr
Fixes: efe4208f47 ("ipv6: make lookups simpler and faster")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 2fe664f1fc ]
With TCP MTU probing enabled and offload TX checksumming disabled,
tcp_mtu_probe() calculated the wrong checksum when a fragment being copied
into the probe's SKB had an odd length. This was caused by the direct use
of skb_copy_and_csum_bits() to calculate the checksum, as it pads the
fragment being copied, if needed. When this fragment was not the last, a
subsequent call used the previous checksum without considering this
padding.
The effect was a stale connection in one way, as even retransmissions
wouldn't solve the problem, because the checksum was never recalculated for
the full SKB length.
Signed-off-by: Douglas Caetano dos Santos <douglascs@taghos.com.br>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 20c64d5cd5 ]
A malicious TCP receiver, sending SACK, can force the sender to split
skbs in write queue and increase its memory usage.
Then, when socket is closed and its write queue purged, we might
overflow sk_forward_alloc (It becomes negative)
sk_mem_reclaim() does nothing in this case, and more than 2GB
are leaked from TCP perspective (tcp_memory_allocated is not changed)
Then warnings trigger from inet_sock_destruct() and
sk_stream_kill_queues() seeing a not zero sk_forward_alloc
All TCP stack can be stuck because TCP is under memory pressure.
A simple fix is to preemptively reclaim from sk_mem_uncharge().
This makes sure a socket wont have more than 2 MB forward allocated,
after burst and idle period.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit ffb4d6c850 ]
If a TCP socket gets a large write queue, an overflow can happen
in a test in __tcp_retransmit_skb() preventing all retransmits.
The flow then stalls and resets after timeouts.
Tested:
sysctl -w net.core.wmem_max=1000000000
netperf -H dest -- -s 1000000000
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Add the header file asm/debug-monitors.h into debug-sr.c to fix the following bug
arch/arm64/kvm/hyp/debug-sr.c: In function ‘__debug_cond_save_host_state’:
arch/arm64/kvm/hyp/debug-sr.c:118:45: error: ‘DBG_MDSCR_KDE’ undeclared (first use in this function)
if ((vcpu->arch.ctxt.sys_regs[MDSCR_EL1] & DBG_MDSCR_KDE) ||
^~~~~~~~~~~~~
arch/arm64/kvm/hyp/debug-sr.c:118:45: note: each undeclared identifier is reported only once for each function it appears in
arch/arm64/kvm/hyp/debug-sr.c:119:45: error: ‘DBG_MDSCR_MDE’ undeclared (first use in this function)
(vcpu->arch.ctxt.sys_regs[MDSCR_EL1] & DBG_MDSCR_MDE))
^~~~~~~~~~~~~
Signed-off-by: Alex Shi <alex.shi@linaro.org>
Conflicts:
conflicts are almost come from mm-kaslr, focus on mm
arch/arm64/include/asm/cpufeature.h
arch/arm64/include/asm/pgtable.h
arch/arm64/kernel/Makefile
arch/arm64/kernel/cpufeature.c
arch/arm64/kernel/head.S
arch/arm64/kernel/suspend.c
arch/arm64/kernel/vmlinux.lds.S
arch/arm64/kvm/hyp.S
arch/arm64/mm/init.c
arch/arm64/mm/mmu.c
arch/arm64/mm/proc-macros.S
With CONFIG_DEBUG_PAGEALLOC, pages do not have the valid bit
set when free in the buddy allocator. Add an indiciation to
the page table dumping code that the valid bit is not set,
'F' for fault, to make this easier to understand.
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit d7e9d59494)
Signed-off-by: Alex Shi <alex.shi@linaro.org>
ARCH_SUPPORTS_DEBUG_PAGEALLOC provides a hook to map and unmap
pages for debugging purposes. This requires memory be mapped
with PAGE_SIZE mappings since breaking down larger mappings
at runtime will lead to TLB conflicts. Check if debug_pagealloc
is enabled at runtime and if so, map everyting with PAGE_SIZE
pages. Implement the functions to actually map/unmap the
pages at runtime.
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
[catalin.marinas@arm.com: static annotation block_mappings_allowed() and #ifdef]
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit 83863f25e4)
Signed-off-by: Alex Shi <alex.shi@linaro.org>
create_mapping is only used in fixmap_remap_fdt. All the create_mapping
calls need to happen on existing translation table pages without
additional allocations. Rather than have an alloc function be called
and fail, just set it to NULL and catch its use. Also change
the name to create_mapping_noalloc to better capture what exactly is
going on.
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit 132233a759)
Signed-off-by: Alex Shi <alex.shi@linaro.org>
The range of set_memory_* is currently restricted to the module address
range because of difficulties in breaking down larger block sizes.
vmalloc maps PAGE_SIZE pages so it is safe to use as well. Update the
function ranges and add a comment explaining why the range is restricted
the way it is.
Suggested-by: Laura Abbott <labbott@fedoraproject.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
(cherry picked from commit 95f5c80050)
Signed-off-by: Alex Shi <alex.shi@linaro.org>
The SBBR and ACPI specifications allow ACPI based systems that do not
implement PSCI (eg systems with no EL3) to boot through the ACPI parking
protocol specification[1].
This patch implements the ACPI parking protocol CPU operations, and adds
code that eases parsing the parking protocol data structures to the
ARM64 SMP initializion carried out at the same time as cpus enumeration.
To wake-up the CPUs from the parked state, this patch implements a
wakeup IPI for ARM64 (ie arch_send_wakeup_ipi_mask()) that mirrors the
ARM one, so that a specific IPI is sent for wake-up purpose in order
to distinguish it from other IPI sources.
Given the current ACPI MADT parsing API, the patch implements a glue
layer that helps passing MADT GICC data structure from SMP initialization
code to the parking protocol implementation somewhat overriding the CPU
operations interfaces. This to avoid creating a completely trasparent
DT/ACPI CPU operations layer that would require creating opaque
structure handling for CPUs data (DT represents CPU through DT nodes, ACPI
through static MADT table entries), which seems overkill given that ACPI
on ARM64 mandates only two booting protocols (PSCI and parking protocol),
so there is no need for further protocol additions.
Based on the original work by Mark Salter <msalter@redhat.com>
[1] https://acpica.org/sites/acpica/files/MP%20Startup%20for%20ARM%20platforms.docx
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Tested-by: Loc Ho <lho@apm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Hanjun Guo <hanjun.guo@linaro.org>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Mark Salter <msalter@redhat.com>
Cc: Al Stone <ahs3@redhat.com>
[catalin.marinas@arm.com: Added WARN_ONCE(!acpi_parking_protocol_valid() on the IPI]
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit 5e89c55e4e)
Signed-off-by: Alex Shi <alex.shi@linaro.org>
Conflicts:
have probes/ now in arch/arm64/kernel/Makefile
This is a workaround for the issue that
"400M, 500M and 600M of clk_gpu needs high vdd_gpu",
according to "6.2" of Mali Application Note
"Potential glitches on Power Domain interfaces".
Change-Id: I8b8eccd2079e21ac5e1db7b4552c8f998f676a9f
Signed-off-by: chenzhen <chenzhen@rock-chips.com>
margin 25mV-50mV, stress test:
1. antutu-3d, use governor simpleondemand
2. webgl, fish number 50, sweep frequency
3. glmark2, run texture and shadow, sweep frequency
Change-Id: Ia2682610e948df7df2ad190ac3a28b2dad464cb3
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
This patch fix the following warning:
drivers/pinctrl/pinctrl-rockchip.c:1415 rockchip_set_drive_perpin() warn: inconsistent returns 'spin_lock:&bank->slock'.
Locked on: line 1377
line 1384
line 1393
Unlocked on: line 1306
line 1333
line 1342
line 1352
line 1406
line 1415
drivers/pinctrl/pinctrl-rockchip.c:1415 rockchip_set_drive_perpin() warn: inconsistent returns 'irqsave:flags'.
Locked on: line 1377
line 1384
line 1393
Unlocked on: line 1306
line 1333
line 1342
line 1352
line 1406
line 1415
Change-Id: I3f97010fbc283084f06b83afcc46ab684d2a11c3
Signed-off-by: David Wu <david.wu@rock-chips.com>
Refer to the commit 85fbd722ad ("libata, freezer: avoid
block device removal while system is frozen"), when system
enter suspend, it may freeze kthreads and workqueues, and
do not restart them until complete PM resume all of devices.
If we remove XHCI hcd while system is frozen, it may call
usb_disconnect() to remove a usb block device which pluged
in before, but has gone missing. Unfortunately, remove the
block device can race with the rest of device resume. Since
freezable kthreads and workqueues are thawed after all of
devices resume are completed and block device removal depends
on freezable workqueues and kthreads (e.g. bdi_wq) to make
progress, this can lead to deadlock - block device removal
can't proceed because kthreads and workqueues are frozen and
can't be restarted because device resume is blocked behind
block device removal.
This patch must be used and tested with the commit bc68c26eff86
("CHROMIUM: usb: dwc3: rockchip: fix NULL pointer dereference
when resume"). This issue can be easily reproduced with USB-C
HUB and USB2/3 flash drive, result in the following backtrace.
[ 360.201135] INFO: task kworker/u12:3:122 blocked for more than 120 seconds.
[ 360.208094] Not tainted 4.4.21 #185
[ 360.212102] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 360.219923] kworker/u12:3 D ffffffc000204fd8 0 122 2 0x00000000
[ 360.227007] Workqueue: events_unbound async_run_entry_fn
[ 360.232326] Call trace:
[ 360.234776] [<ffffffc000204fd8>] __switch_to+0x9c/0xa8
[ 360.239918] [<ffffffc000915bf4>] __schedule+0x440/0x6d8
[ 360.245139] [<ffffffc000915f20>] schedule+0x94/0xb4
[ 360.250016] [<ffffffc00091909c>] schedule_timeout+0x44/0x27c
[ 360.255670] [<ffffffc000916b78>] wait_for_common+0xf8/0x198
[ 360.261237] [<ffffffc000916c40>] wait_for_completion+0x28/0x34
[ 360.267067] [<ffffffc0005f3f4c>] dpm_wait+0x40/0x4c
[ 360.271942] [<ffffffc0005f4770>] device_resume+0x60/0x1a4
[ 360.277337] [<ffffffc0005f48e4>] async_resume+0x30/0x60
[ 360.282558] [<ffffffc000242fc4>] async_run_entry_fn+0x50/0x104
[ 360.288387] [<ffffffc0002397f0>] process_one_work+0x240/0x424
[ 360.294128] [<ffffffc00023a28c>] worker_thread+0x2fc/0x424
[ 360.299608] [<ffffffc00023f5fc>] kthread+0x10c/0x114
[ 360.304570] [<ffffffc000203dd0>] ret_from_fork+0x10/0x40
[ 360.309876] task PC stack pid father
[ 360.315789] init D ffffffc000204fd8 0 1 0 0x00400009
...
[ 360.564124] [<ffffffc000204fd8>] __switch_to+0x9c/0xa8
[ 360.569259] [<ffffffc000915bf4>] __schedule+0x440/0x6d8
[ 360.574481] [<ffffffc000915f20>] schedule+0x94/0xb4
[ 360.579355] [<ffffffc00091909c>] schedule_timeout+0x44/0x27c
[ 360.585010] [<ffffffc000916b78>] wait_for_common+0xf8/0x198
[ 360.590580] [<ffffffc000916c40>] wait_for_completion+0x28/0x34
[ 360.596408] [<ffffffc000239270>] flush_work+0x168/0x1a4
[ 360.601629] [<ffffffc0002395a4>] flush_delayed_work+0x44/0x50
[ 360.607371] [<ffffffc000322f48>] bdi_unregister+0xa8/0xfc
[ 360.612766] [<ffffffc00049afdc>] blk_cleanup_queue+0xf4/0x10c
[ 360.618508] [<ffffffc000625d7c>] __scsi_remove_device+0x80/0xc8
[ 360.624423] [<ffffffc000623dec>] scsi_forget_host+0x5c/0x74
[ 360.629991] [<ffffffc000619a98>] scsi_remove_host+0x90/0x110
[ 360.635646] [<ffffffc000692940>] usb_stor_disconnect+0x78/0xec
[ 360.641474] [<ffffffc0006545e4>] usb_unbind_interface+0xa0/0x1f8
[ 360.647477] [<ffffffc0005e70cc>] __device_release_driver+0xb4/0x114
[ 360.653746] [<ffffffc0005e7158>] device_release_driver+0x2c/0x40
[ 360.659748] [<ffffffc0005e61f8>] bus_remove_device+0x110/0x128
[ 360.665575] [<ffffffc0005e3178>] device_del+0x164/0x1f4
[ 360.670797] [<ffffffc000652094>] usb_disable_device+0x94/0x1c8
[ 360.676625] [<ffffffc000649b74>] usb_disconnect+0x9c/0x1d0
[ 360.682106] [<ffffffc000649b60>] usb_disconnect+0x88/0x1d0
[ 360.687587] [<ffffffc00064e0e4>] usb_remove_hcd+0xc8/0x1e0
[ 360.693068] [<ffffffc000664b4c>] dwc3_rockchip_otg_extcon_evt_work+0x14c/0x198
[ 360.700284] [<ffffffc0002397f0>] process_one_work+0x240/0x424
[ 360.706026] [<ffffffc00023a28c>] worker_thread+0x2fc/0x424
[ 360.711506] [<ffffffc00023f5fc>] kthread+0x10c/0x114
[ 360.716467] [<ffffffc000203dd0>] ret_from_fork+0x10/0x40
BUG=chrome-os-partner:58705, chrome-os-partner:59103
TEST=Plug in USB-C HUB and USB2/3 flash drive, then set
system to enter S3. After system suspend, plug out the
USB-C HUB first, and then press keyboard or power key to
check if system can wakeup successfully.
Change-Id: I6cb8ea1a4399b9b69b522ec0ed5f0f7810118850
Signed-off-by: William wu <wulf@rock-chips.com>
Reviewed-on: https://chromium-review.googlesource.com/408499
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: William Wu <wulf@rock-chips.com>
During system PM resume process, if remove XHCI hcd prior to
XHCI controller PM resume, it will result in a crash with
the following backtrace.
[ 80.730581] Unable to handle kernel NULL pointer dereference at virtual address 00000138
...
[ 80.731780] Call trace:
[ 80.731784] [<ffffffc0005e43cc>] dev_driver_string+0x18/0x4c
[ 80.731787] [<ffffffc0005e4918>] __dev_printk+0x34/0x88
[ 80.731791] [<ffffffc0005e4da0>] dev_warn+0x7c/0xa0
[ 80.731796] [<ffffffc000651ef8>] usb_root_hub_lost_power+0x28/0x40
[ 80.731801] [<ffffffc0006866e8>] xhci_resume+0x250/0x444
[ 80.731805] [<ffffffc00069612c>] xhci_plat_resume+0x44/0x64
[ 80.731811] [<ffffffc0005ea878>] platform_pm_resume+0x50/0x64
[ 80.731816] [<ffffffc0005f6354>] dpm_run_callback+0xb0/0x198
[ 80.731819] [<ffffffc0005f68f4>] device_resume+0x160/0x19c
[ 80.731822] [<ffffffc0005f6960>] async_resume+0x30/0x60
[ 80.731827] [<ffffffc000242b88>] async_run_entry_fn+0x50/0xfc
[ 80.731832] [<ffffffc000238e38>] process_one_work+0x230/0x3dc
[ 80.731837] [<ffffffc000239db8>] worker_thread+0x248/0x370
[ 80.731840] [<ffffffc00023f23c>] kthread+0x10c/0x114
[ 80.731845] [<ffffffc000203d90>] ret_from_fork+0x10/0x40
It's because that when do PM resume, dwc3_rockchip_resume() will
be called before XHCI resume, and it will remove XHCI hcd and set
rhdev->dev to NULL, this cause rhdev->dev NULL pointer dereference
in XHCI resume.
So we need to check the flag dwc->xhci->dev.power.is_suspended to
ensure that XHCI has been resumed completely from pm suspended state
before remove XHCI hcd.
BUG=chrome-os-partner:58705
TEST=Plug in Type-C USB device, then set system to enter S3.
After system suspend, plug out the Type-C USB device first,
and then press keyboard or power key to check if system can
wakeup successfully.
Change-Id: I90fc48f5d3af8d08a290861ad7fcdaa5e4352320
Signed-off-by: William wu <wulf@rock-chips.com>
Reviewed-on: https://chromium-review.googlesource.com/408498
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: William Wu <wulf@rock-chips.com>
On some special platforms (e.g. rk3399), they will call
usb_remove_hcd() to remove xhci hcd if no device connected,
and add xhci hcd again when detect usb device. But they
just simply remove xhci hcd, and the usb core hub_event
don't know it at all. The hub_event just find usb device
disconnect, and try to call usb_disconnect() -> usb_disable
_endpoint() -> usb_kill_urb() -> usb_hcd_unlink_urb() ->
xhci_urb_dequeue -> queue a stop endpoint command, and
then the usb_kill_urb will wait_event(usb_kill_urb_queue,
atomic_read(&urb->use_count) == 0).
But in this case, we have removed xhci hcd and stop xhci
controller, so xhci can't complete stop endpoint command
and fail to call usb_hcd_giveback_urb() which can wakeup
usb_kill_urb_queue, this cause stall in usb_kill_urb()
with the following backstrace.
[ 240.202208] INFO: task kworker/0:2:130 blocked for more than 120 seconds.
[ 240.208996] Not tainted 4.4.21 #454
[ 240.213008] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 240.220828] kworker/0:2 D ffffffc000204fd8 0 130 2 0x00000000
[ 240.227919] Workqueue: usb_hub_wq hub_event
[ 240.232117] Call trace:
[ 240.234576] [<ffffffc000204fd8>] __switch_to+0x9c/0xa8
[ 240.239713] [<ffffffc000919cb4>] __schedule+0x440/0x6d8
[ 240.244938] [<ffffffc000919fe0>] schedule+0x94/0xb4
[ 240.249814] [<ffffffc000654530>] usb_kill_urb+0xc4/0x110
[ 240.255128] [<ffffffc000653538>] usb_hcd_flush_endpoint+0x128/0x148
[ 240.261755] [<ffffffc0006560e4>] usb_disable_endpoint+0x70/0xa4
[ 240.267679] [<ffffffc00065617c>] usb_disable_interface+0x64/0x7c
[ 240.273680] [<ffffffc000658760>] usb_unbind_interface+0x88/0x1f8
[ 240.279687] [<ffffffc0005eb260>] __device_release_driver+0xb4/0x114
[ 240.285952] [<ffffffc0005eb2ec>] device_release_driver+0x2c/0x40
[ 240.291956] [<ffffffc0005ea38c>] bus_remove_device+0x110/0x128
[ 240.297783] [<ffffffc0005e730c>] device_del+0x164/0x1f4
[ 240.303006] [<ffffffc000656228>] usb_disable_device+0x94/0x1c8
[ 240.308834] [<ffffffc00064dd08>] usb_disconnect+0x9c/0x1d0
[ 240.314317] [<ffffffc00064f51c>] hub_event+0x58c/0xde0
[ 240.319451] [<ffffffc0002397f0>] process_one_work+0x240/0x424
[ 240.325193] [<ffffffc00023a28c>] worker_thread+0x2fc/0x424
[ 240.330725] [<ffffffc00023f5fc>] kthread+0x10c/0x114
[ 240.335708] [<ffffffc000203dd0>] ret_from_fork+0x10/0x40
...
[ 240.466674] kworker/4:2 D ffffffc000204fd8 0 153 2 0x00000000
[ 240.473752] Workqueue: events dwc3_rockchip_otg_extcon_evt_work
[ 240.479680] Call trace:
[ 240.482131] [<ffffffc000204fd8>] __switch_to+0x9c/0xa8
[ 240.487265] [<ffffffc000919cb4>] __schedule+0x440/0x6d8
[ 240.492487] [<ffffffc000919fe0>] schedule+0x94/0xb4
[ 240.497361] [<ffffffc00091a364>] schedule_preempt_disabled+0x28/0x44
[ 240.503713] [<ffffffc00091be20>] __mutex_lock_slowpath+0x120/0x1ac
[ 240.509885] [<ffffffc00091bef8>] mutex_lock+0x4c/0x68
[ 240.514936] [<ffffffc00064dcc8>] usb_disconnect+0x5c/0x1d0
[ 240.520415] [<ffffffc000652278>] usb_remove_hcd+0xc8/0x1e0
[ 240.525899] [<ffffffc000668ce8>] dwc3_rockchip_otg_extcon_evt_work+0x154/0x198
[ 240.533112] [<ffffffc0002397f0>] process_one_work+0x240/0x424
[ 240.538856] [<ffffffc00023a28c>] worker_thread+0x2fc/0x424
[ 240.544335] [<ffffffc00023f5fc>] kthread+0x10c/0x114
[ 240.549296] [<ffffffc000203dd0>] ret_from_fork+0x10/0x40
This patch try to do the same thing as XHCI_STATE_HALTED in
xhci_urb_dequeue() if xhci->xhc_state is XHCI_STATE_REMOVING.
Because XHCI_STATE_REMOVING means that we are removing xhci
hcd, and need to call usb_hcd_giveback_urb() directly without
queueing any stop endpoint command.
In addition, this patch also forbid xhci to queue command or
slot control if it's in XHCI_STATE_REMOVING. It maybe helpful
to avoid the other unexpected problems, though I haven't met
them so far.
BUG=chrome-os-partner:59103
TEST=do plug/unplug USB-C HUB with an USB3 flash drive,
check if kernel blocked for more than 120 seconds.
Change-Id: I35ec94dcc742d29d52f73fa30f79cf005063ea55
Signed-off-by: William wu <wulf@rock-chips.com>
Reviewed-on: https://chromium-review.googlesource.com/408127
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Tested-by: Inno Park <ih.yoo.park@samsung.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: William Wu <wulf@rock-chips.com>
Check on resume if the cable state has changed to detect devices
(un)plugged during suspend.
TEST=build and boot on rk3399 board. No USB device plugged. Set
system enter suspend. Wait for device to suspend. Plug USB device.
Wakeup system; Verify USB device is enumerated.
Change-Id: Iadbefe6737fa3ddfe2da1a66473f876411a4412a
Signed-off-by: William Wu <wulf@rock-chips.com>
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/395528
Reviewed-by: Guenter Roeck <groeck@chromium.org>
fix following problems:
vcodec_service.c:1613 try_set_reg()
error: double lock 'mutex:&pservice->shutdown_lock'
vcodec_service.c:1682 try_set_reg()
warn: inconsistent returns 'mutex:&pservice->shutdown_lock'.
Locked on: line 1614
Unlocked on: line 1682
vcodec_service.c:599 vpu_get_clk()
warn: missing break? reassigning 'pservice->pd_video'
vcodec_service.c:901 vcodec_fd_to_iova()
warn: returning -1 instead of -ENOMEM is sloppy
vcodec_service.c:1100 vcodec_bufid_to_iova()
warn: returning -1 instead of -ENOMEM is sloppy
vcodec_service.c:1209 reg_init()
warn: passing __func__ while the format string already
contains the name of the function 'reg_init'
vcodec_service.c:1231 reg_init()
warn: passing __func__ while the format string already
contains the name of the function 'reg_init'
vcodec_service.c:1237 reg_init()
warn: passing __func__ while the format string already
contains the name of the function 'reg_init'
vcodec_service.c:1714 return_reg()
warn: passing __func__ while the format string already
contains the name of the function 'return_reg'
Change-Id: Ia2d3be7ad7a726d9af9e58c25079e6c11a7d302f
Signed-off-by: alpha lin <alpha.lin@rock-chips.com>
1.If rga get the mmu error, we must unlock the lock
or it will lead the next frame timeout.
2.calculate the rga mmu buf back length size in the
rga time out handler or it will lead the next frame
get mmu lentch wrong.
Change-Id: If85751bd292774a1d0ef9693b7f8ad92a4727c07
Signed-off-by: Zikim,Wei <wzq@rock-chips.com>
If rga get the mmu error, we must unlock the lock
or it will lead the next frame timeout.
Change-Id: I377217ea417de8e4d3f4ff63e478db1370951e62
Signed-off-by: Zikim,Wei <wzq@rock-chips.com>
(cherry picked from commit f453db8699919760a2297a7d2512f3c03c3edf25)
At boot we may change the granularity of the tables mapping the kernel
(by splitting or making sections). This may happen when we create the
linear mapping (in __map_memblock), or at any point we try to apply
fine-grained permissions to the kernel (e.g. fixup_executable,
mark_rodata_ro, fixup_init).
Changing the active page tables in this manner may result in multiple
entries for the same address being allocated into TLBs, risking problems
such as TLB conflict aborts or issues derived from the amalgamation of
TLB entries. Generally, a break-before-make (BBM) approach is necessary
to avoid conflicts, but we cannot do this for the kernel tables as it
risks unmapping text or data being used to do so.
Instead, we can create a new set of tables from scratch in the safety of
the existing mappings, and subsequently migrate over to these using the
new cpu_replace_ttbr1 helper, which avoids the two sets of tables being
active simultaneously.
To avoid issues when we later modify permissions of the page tables
(e.g. in fixup_init), we must create the page tables at a granularity
such that later modification does not result in splitting of tables.
This patch applies this strategy, creating a new set of fine-grained
page tables from scratch, and safely migrating to them. The existing
fixmap and kasan shadow page tables are reused in the new fine-grained
tables.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Jeremy Linton <jeremy.linton@arm.com>
Cc: Laura Abbott <labbott@fedoraproject.org>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit 068a17a580)
Signed-off-by: Alex Shi <alex.shi@linaro.org>
Currently we have separate ALIGN_DEBUG_RO{,_MIN} directives to align
_etext and __init_begin. While we ensure that __init_begin is
page-aligned, we do not provide the same guarantee for _etext. This is
not problematic currently as the alignment of __init_begin is sufficient
to prevent issues when we modify permissions.
Subsequent patches will assume page alignment of segments of the kernel
we wish to map with different permissions. To ensure this, move _etext
after the ALIGN_DEBUG_RO_MIN for the init section. This renders the
prior ALIGN_DEBUG_RO irrelevant, and hence it is removed. Likewise,
upgrade to ALIGN_DEBUG_RO_MIN(PAGE_SIZE) for _stext.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Jeremy Linton <jeremy.linton@arm.com>
Cc: Laura Abbott <labbott@fedoraproject.org>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit fca082bfb5)
Signed-off-by: Alex Shi <alex.shi@linaro.org>
To allow us to initialise pgdirs which are fixmapped, allow explicitly
passing a pgdir rather than an mm. A new __create_pgd_mapping function
is added for this, with existing __create_mapping callers migrated to
this.
The mm argument was previously only used at the top level. Now that it
is redundant at all levels, it is removed. To indicate its new found
similarity to alloc_init_{pud,pmd,pte}, __create_mapping is renamed to
init_pgd.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Jeremy Linton <jeremy.linton@arm.com>
Cc: Laura Abbott <labbott@fedoraproject.org>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit 11509a306b)
Signed-off-by: Alex Shi <alex.shi@linaro.org>
Now that create_mapping uses fixmap slots to modify pte, pmd, and pud
entries, we can access page tables anywhere in physical memory,
regardless of the extent of the linear mapping.
Given that, we no longer need to limit memblock allocations during page
table creation, and can leave the limit as its default
MEMBLOCK_ALLOC_ANYWHERE.
We never add memory which will fall outside of the linear map range
given phys_offset and MAX_MEMBLOCK_ADDR are configured appropriately, so
any tables we create will fall in the linear map of the final tables.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Jeremy Linton <jeremy.linton@arm.com>
Cc: Laura Abbott <labbott@fedoraproject.org>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit cdef5f6e9e)
Signed-off-by: Alex Shi <alex.shi@linaro.org>
As a preparatory step to allow us to allocate early page tables from
unmapped memory using memblock_alloc, modify the __create_mapping
callees to map and unmap the tables they modify using fixmap entries.
All but the top-level pgd initialisation is performed via the fixmap.
Subsequent patches will inject the pgd physical address, and migrate to
using the FIX_PGD slot.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Jeremy Linton <jeremy.linton@arm.com>
Cc: Laura Abbott <labbott@fedoraproject.org>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit f471044545)
Signed-off-by: Alex Shi <alex.shi@linaro.org>
We currently have __pmd_populate for creating a pmd table entry given
the physical address of a pte, but don't have equivalents for the pud or
pgd levels of table.
To enable us to manipulate tables which are mapped outside of the linear
mapping (where we have a PA, but not a linear map VA), it is useful to
have these functions.
This patch adds __{pud,pgd}_populate. As these should not be called when
the kernel uses folded {pmd,pud}s, in these cases they expand to
BUILD_BUG(). So long as the appropriate checks are made on the {pud,pgd}
entry prior to attempting population, these should be optimized out at
compile time.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Jeremy Linton <jeremy.linton@arm.com>
Cc: Laura Abbott <labbott@fedoraproject.org>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit 1e531cce68)
Signed-off-by: Alex Shi <alex.shi@linaro.org>
When we "upgrade" to a section mapping, we free any table we made
redundant by giving it back to memblock. To get the PA, we acquire the
physical address and convert this to a VA, then subsequently convert
this back to a PA.
This works currently, but will not work if the tables are not accessed
via linear map VAs (e.g. is we use fixmap slots).
This patch uses {pmd,pud}_page_paddr to acquire the PA. This avoids the
__pa(__va()) round trip, saving some work and avoiding reliance on the
linear mapping.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Jeremy Linton <jeremy.linton@arm.com>
Cc: Laura Abbott <labbott@fedoraproject.org>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit 316b39db06)
Signed-off-by: Alex Shi <alex.shi@linaro.org>
fix below warnings:
sensor-dev.c:1016 gyro_dev_ioctl() warn: inconsistent returns 'mutex:&sensor->operation_mutex'.
Locked on: line 973
line 982
Unlocked on: line 919
line 1010
line 1016
sensor-dev.c:1905 sensor_probe() error: potential null dereference 'sensor->input_dev'. (input_allocate_device returns null)
sensor-dev.c:1905 sensor_probe() error: we previously assumed 'sensor->input_dev' could be null (see line 1902)
sensor-dev.c:2051 sensor_probe() error: don't call input_free_device() after input_unregister_device()
sensor-dev.c:2080 sensor_remove() error: don't call input_free_device() after input_unregister_device()
Change-Id: I7da8a337282df7f9b8e6474a68928fc53d4e6890
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
(cherry picked from commit 08fd14ea02692f43eaa8a166791cdaaa4b6c0738)
commit cf0ea4da4c upstream.
Like many similar devices it needs a quirk to work.
Issuing the request gets the device into an irrecoverable state.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 40b6e61ac7 upstream.
Commit e96a8a3bb6 ("UBI: Fastmap: Do not add vol if it already
exists") introduced a bug by changing the possible error codes returned
by add_vol():
- this function no longer returns NULL in case of allocation failure
but return ERR_PTR(-ENOMEM)
- when a duplicate entry in the volume RB tree is found it returns
ERR_PTR(-EEXIST) instead of ERR_PTR(-EINVAL)
Fix the tests done on add_vol() return val to match this new behavior.
Fixes: e96a8a3bb6 ("UBI: Fastmap: Do not add vol if it already exists")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Acked-by: Sheng Yong <shengyong1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 42acfc6615 upstream.
In csi_J(3), the third parameter of scr_memsetw (vc_screenbuf_size) is
divided by 2 inappropriatelly. But scr_memsetw expects size, not
count, because it divides the size by 2 on its own before doing actual
memset-by-words.
So remove the bogus division.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Petr Písař <ppisar@redhat.com>
Fixes: f8df13e0a9 (tty: Clean console safely)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 51fbc7c06c upstream.
In commit 2abd9d5fa6 ("usb: dwc3: ep0: Add chained TRB support"), the
size of the memory allocated with 'dma_alloc_coherent()' has been modified
but the corresponding calls to 'dma_free_coherent()' have not been updated
accordingly.
This has been spotted with coccinelle, using the following script:
////////////////////
@r@
expression x0, x1, y0, y1, z0, z1, t0, t1, ret;
@@
* ret = dma_alloc_coherent(x0, y0, z0, t0);
...
* dma_free_coherent(x1, y1, ret, t1);
@script:python@
y0 << r.y0;
y1 << r.y1;
@@
if y1.find(y0) == -1:
print "WARNING: sizes look different: '%s' vs '%s'" % (y0, y1)
////////////////////
Fixes: 2abd9d5fa6 ("usb: dwc3: ep0: Add chained TRB support")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0733424c9b upstream.
Exported pwm channels aren't removed before the pwmchip and are
leaked. This results in invalid sysfs files. This fix removes
all exported pwm channels before chip removal.
Signed-off-by: David Hsu <davidhsu@google.com>
Fixes: 76abbdde2d ("pwm: Add sysfs interface")
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ecbfa8eaba upstream.
scan_pool() does not mark the PEB for scrubing when bitflips are
detected in the EC header of a free PEB (VID header region left to
0xff).
Make sure we scrub the PEB in this case.
Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Fixes: dbb7d2a88d ("UBI: Add fastmap core")
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
