1. 16 Aug, 2016 20 commits
  2. 10 Aug, 2016 20 commits
    • Linux 4.6.6 · 90838e40
      Greg Kroah-Hartman authored
    • MIPS: CM: Fix mips_cm_max_vp_width for UP kernels · 491749fe
      Paul Burton authored
      commit a60ae81e upstream.
      
      Fix mips_cm_max_vp_width for UP kernels where it previously referenced
      smp_num_siblings, which is not declared for UP kernels. This led to
      build errors such as the following:
      
        drivers/built-in.o: In function `$L446':
        irq-mips-gic.c:(.text+0x1994): undefined reference to `smp_num_siblings'
        drivers/built-in.o:irq-mips-gic.c:(.text+0x199c): more undefined references to `smp_num_siblings' follow
      
      On UP kernels simply return 1, leaving the reference to smp_num_siblings
      in place only for SMP kernels.
      Signed-off-by: Paul Burton <paul.burton@imgtec.com>
      Cc: Matt Redfearn <matt.redfearn@imgtec.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/12332/
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • vfs: fix deadlock in file_remove_privs() on overlayfs · 42c7aa83
      Miklos Szeredi authored
      commit c1892c37 upstream.
      
      file_remove_privs() is called with inode lock on file_inode(), which
      proceeds to calling notify_change() on file->f_path.dentry.  Which triggers
      the WARN_ON_ONCE(!inode_is_locked(inode)) in addition to deadlocking later
      when ovl_setattr tries to lock the underlying inode again.
      
      Fix this mess by not mixing the layers, but doing everything on underlying
      dentry/inode.
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
      Fixes: 07a2daab ("ovl: Copy up underlying inode's ->i_mode to overlay inode")
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • vfs: ioctl: prevent double-fetch in dedupe ioctl · 04678f55
      Scott Bauer authored
      commit 10eec60c upstream.
      
      This prevents a double-fetch from user space that can lead to an
      undersized allocation and heap overflow.
      
      Fixes: 54dbc151 ("vfs: hoist the btrfs deduplication ioctl to the vfs")
      Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • intel_th: Fix a deadlock in modprobing · 900ac92c
      Alexander Shishkin authored
      commit a36aa80f upstream.
      
      Driver initialization tries to request a hub (GTH) driver module from
      its probe callback, resulting in a deadlock.
      
      This patch solves the problem by adding a deferred work for requesting
      the hub module.
      Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • intel_th: pci: Add Kaby Lake PCH-H support · df1abbea
      Alexander Shishkin authored
      commit 7a1a47ce upstream.
      
      This adds Intel(R) Trace Hub PCI ID for Kaby Lake PCH-H.
      Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • cfg80211: handle failed skb allocation · f4cb43e0
      Gregory Greenman authored
      commit 16a910a6 upstream.
      
      Handle the case when dev_alloc_skb returns NULL.
      
      Fixes: 2b67f944 ("cfg80211: reuse existing page fragments in A-MSDU rx")
      Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
      Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: mvneta: set real interrupt per packet for tx_done · 2f4cf2ec
      Dmitri Epshtein authored
      commit 06708f81 upstream.
      
      Commit aebea2ba ("net: mvneta: fix Tx interrupt delay") intended to
      set coalescing threshold to a value guaranteeing interrupt generation
      per each sent packet, so that buffers can be released with no delay.
      
      In fact setting threshold to '1' was wrong, because it causes interrupt
      every two packets. According to the documentation a reason behind it is
      following - interrupt occurs once sent buffers counter reaches a value,
      which is higher than one specified in MVNETA_TXQ_SIZE_REG(q). This
      behavior was confirmed during tests. Also when testing the SoC working
      as a NAS device, better performance was observed with int-per-packet,
      as it strongly depends on the fact that all transmitted packets are
      released immediately.
      
      This commit enables NETA controller work in interrupt per sent packet mode
      by setting coalescing threshold to 0.
      Signed-off-by: Dmitri Epshtein <dima@marvell.com>
      Signed-off-by: Marcin Wojtas <mw@semihalf.com>
      Fixes aebea2ba ("net: mvneta: fix Tx interrupt delay")
      Acked-by: Willy Tarreau <w@1wt.eu>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • libceph: apply new_state before new_up_client on incrementals · 14877928
      Ilya Dryomov authored
      commit 930c5328 upstream.
      
      Currently, osd_weight and osd_state fields are updated in the encoding
      order.  This is wrong, because an incremental map may look like e.g.
      
          new_up_client: { osd=6, addr=... } # set osd_state and addr
          new_state: { osd=6, xorstate=EXISTS } # clear osd_state
      
      Suppose osd6's current osd_state is EXISTS (i.e. osd6 is down).  After
      applying new_up_client, osd_state is changed to EXISTS | UP.  Carrying
      on with the new_state update, we flip EXISTS and leave osd6 in a weird
      "!EXISTS but UP" state.  A non-existent OSD is considered down by the
      mapping code
      
      for (i = 0; i < pg->pg_temp.len; i++) {
              if (ceph_osd_is_down(osdmap, pg->pg_temp.osds[i])) {
                      if (ceph_can_shift_osds(pi))
                              continue;

                      temp->osds[temp->size++] = CRUSH_ITEM_NONE;
      
      and so requests get directed to the second OSD in the set instead of
      the first, resulting in OSD-side errors like:
      
      [WRN] : client.4239 192.168.122.21:0/2444980242 misdirected client.4239.1:2827 pg 2.5df899f2 to osd.4 not [1,4,6] in e680/680
      
      and hung rbds on the client:
      
      [  493.566367] rbd: rbd0: write 400000 at 11cc00000 (0)
      [  493.566805] rbd: rbd0:   result -6 xferred 400000
      [  493.567011] blk_update_request: I/O error, dev rbd0, sector 9330688
      
      The fix is to decouple application from the decoding and:
      - apply new_weight first
      - apply new_state before new_up_client
      - twiddle osd_state flags if marking in
      - clear out some of the state if osd is destroyed
      
      Fixes: http://tracker.ceph.com/issues/14901
      Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
      Reviewed-by: Josh Durgin <jdurgin@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • libata: LITE-ON CX1-JB256-HP needs lower max_sectors · 54d61751
      Tejun Heo authored
      commit 1488a1e3 upstream.
      
      Since 34b48db6 ("block: remove artifical max_hw_sectors cap"),
      max_sectors is no longer limited to BLK_DEF_MAX_SECTORS and LITE-ON
      CX1-JB256-HP keeps timing out with higher max_sectors.  Revert it to
      the previous value.
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Reported-by: dgerasimov@gmail.com
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=121671
      Fixes: 34b48db6 ("block: remove artifical max_hw_sectors cap")
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • i2c: mux: reg: wrong condition checked for of_address_to_resource return value · ed87c214
      Lukasz Gemborowski authored
      commit 22ebf00e upstream.
      
      of_address_to_resource returns 0 on a successful call, but
      devm_ioremap_resource is called only if it returns a non-zero value.
      Signed-off-by: Lukasz Gemborowski <lukasz.gemborowski@nokia.com>
      Reviewed-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
      Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • i2c: qup: Fix wrong value of index variable · f5be1dff
      Sricharan R authored
      commit d4f56c77 upstream.
      
      index gets incremented during check to determine if the
      messages can be transferred with dma. But not reset after
      that, resulting in wrong start value in subsequent loop,
      causing failure. Fix it.
      Signed-off-by: Sricharan R <sricharan@codeaurora.org>
      Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • adv7604: Don't ignore pad number in subdev DV timings pad operations · 9388174e
      Laurent Pinchart authored
      commit 6519c3d7 upstream.
      
      The dv_timings_cap() and enum_dv_timings() pad operations take a pad
      number as an input argument and return the DV timings capabilities and
      list of supported DV timings for that pad.
      
      Commit bd3e275f ("[media] media: i2c: adv7604: Use v4l2-dv-timings
      helpers") broke this as it started ignoring the pad number, always
      returning the information associated with the currently selected input.
      Fix it.
      
      Fixes: bd3e275f ("[media] media: i2c: adv7604: Use v4l2-dv-timings helpers")
      Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • cpu/hotplug: Keep enough storage space if SMP=n to avoid array out of bounds scribble · 5e8123b6
      Thomas Gleixner authored
      commit a7c73414 upstream.
      
      Xiaolong Ye reported lock debug warnings triggered by the following commit:
      
        8de4a0066106 ("perf/x86: Convert the core to the hotplug state machine")
      
      The bug is the following: the cpuhp_bp_states[] array is cut short when
      CONFIG_SMP=n, but the dynamically registered callbacks are stored nevertheless
      and happily scribble outside of the array bounds...
      
      We need to store them in case that the state is unregistered so we can invoke
      the teardown function. That's independent of CONFIG_SMP. Make sure the array
      is large enough.
      Reported-by: kernel test robot <xiaolong.ye@intel.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Cc: Adam Borowski <kilobyte@angband.pl>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Kan Liang <kan.liang@intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: lkp@01.org
      Cc: tipbuild@zytor.com
      Fixes: cff7d378 "cpu/hotplug: Convert to a state machine for the control processor"
      Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1607122144560.4083@nanos
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • posix_cpu_timer: Exit early when process has been reaped · 2acf7a3a
      Alexey Dobriyan authored
      commit 2c13ce8f upstream.
      
      Variable "now" seems to be genuinely used uninitialized
      if branch
      
      	if (CPUCLOCK_PERTHREAD(timer->it_clock)) {
      
      is not taken and branch
      
      	if (unlikely(sighand == NULL)) {
      
      is taken. In this case the process has been reaped and the timer is marked as
      disarmed anyway. So none of the postprocessing of the sample is
      required. Return right away.
      Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
      Link: http://lkml.kernel.org/r/20160707223911.GA26483@p183.telecom.by
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • media: fix airspy usb probe error path · 1031db3d
      James Patrick-Evans authored
      commit aa93d1fe upstream.
      
      Fix a memory leak on probe error of the airspy usb device driver.
      
      The problem is triggered when more than 64 usb devices register with
      v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.
      
      The memory leak is caused by the probe function of the airspy driver
      mishandling errors and not freeing the corresponding control structures
      when an error occurs registering the device to v4l2 core.
      
      A badusb device can emulate 64 of these devices, and then through
      continual emulated connect/disconnect of the 65th device, cause the
      kernel to run out of RAM and crash the kernel, thus causing a local DOS
      vulnerability.
      
      Fixes CVE-2016-5400
      Signed-off-by: James Patrick-Evans <james@jmp-e.com>
      Reviewed-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ipr: Clear interrupt on croc/crocodile when running with LSI · 602efc3c
      Brian King authored
      commit 54e430bb upstream.
      
      If we fall back to using LSI on the Croc or Crocodile chip we need to
      clear the interrupt so we don't hang the system.
      Tested-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • SCSI: fix new bug in scsi_dev_info_list string matching · 224d3cc7
      Alan Stern authored
      commit 5e7ff2ca upstream.
      
      Commit b704f70c ("SCSI: fix bug in scsi_dev_info_list matching")
      changed the way vendor- and model-string matching was carried out in the
      routine that looks up entries in a SCSI devinfo list.  The new matching
      code failed to take into account the case of a maximum-length string; in
      such cases it could end up testing for a terminating '\0' byte beyond
      the end of the memory allocated to the string.  This out-of-bounds bug
      was detected by UBSAN.
      
      I don't know if anybody has actually encountered this bug.  The symptom
      would be that a device entry in the blacklist might not be matched
      properly if it contained an 8-character vendor name or a 16-character
      model name.  Such entries certainly exist in scsi_static_device_list.
      
      This patch fixes the problem by adding a check for a maximum-length
      string before the '\0' test.
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      Fixes: b704f70c ("SCSI: fix bug in scsi_dev_info_list matching")
      Tested-by: Wilfried Klaebe <linux-kernel@lebenslange-mailadresse.de>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • qla2xxx: Fix NULL pointer deref in QLA interrupt · ddb2bdc5
      Bruno Prémont authored
      commit 262e2bfd upstream.
      
      In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
      pointer dereference when rsp->msix is NULL:
      
      [    5.622457] NULL pointer dereference at 0000000000000050
      [    5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
      [    5.622457] PGD 0
      [    5.622457] Oops: 0000 [#1] SMP
      [    5.622457] Modules linked in:
      [    5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1
      [    5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011
      [    5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000
      [    5.622457] RIP: 0010:[<ffffffff8155e614>]  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
      [    5.622457] RSP: 0000:ffff8801afb03de8  EFLAGS: 00010002
      [    5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff
      [    5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0
      [    5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000
      [    5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8
      [    5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013
      [    5.622457] FS:  0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000
      [    5.622457] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0
      [    5.622457] Stack:
      [    5.622457]  ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002
      [    5.622457]  ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002
      [    5.622457]  ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032
      [    5.622457] Call Trace:
      [    5.622457]  <IRQ>
      [    5.622457]  [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80
      [    5.622457]  [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60
      [    5.622457]  [<ffffffff816772d4>] ? uhci_hub_status_data+0x64/0x240
      [    5.622457]  [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0
      [    5.622457]  [<ffffffff810d569e>] ? get_next_timer_interrupt+0xce/0x200
      [    5.622457]  [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100
      [    5.622457]  [<ffffffff810c8a77>] handle_irq_event+0x27/0x50
      [    5.622457]  [<ffffffff810cb965>] handle_edge_irq+0x65/0x140
      [    5.622457]  [<ffffffff8101a498>] handle_irq+0x18/0x30
      [    5.622457]  [<ffffffff8101a276>] do_IRQ+0x46/0xd0
      [    5.622457]  [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f
      [    5.622457]  <EOI>
      [    5.622457]  [<ffffffff81020d38>] ? mwait_idle+0x68/0x80
      [    5.622457]  [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10
      [    5.622457]  [<ffffffff810c1b97>] default_idle_call+0x27/0x30
      [    5.622457]  [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230
      [    5.622457]  [<ffffffff810324c6>] start_secondary+0x136/0x140
      [    5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00
      [    5.622457] RIP  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
      [    5.622457]  RSP <ffff8801afb03de8>
      [    5.622457] CR2: 0000000000000050
      [    5.622457] ---[ end trace fa2b19c25106d42b ]---
      [    5.622457] Kernel panic - not syncing: Fatal exception in interrupt
      
      The affected code was introduced by commit cdb898c5
      (qla2xxx: Add irq affinity notification).
      
      Only dereference rsp->msix when it has been set so the machine can boot
      fine. Possibly rsp->msix is unset because:
      [    3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
      [    3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
      [    3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
      [    3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
      [    3.890145] scsi host0: qla2xxx
      [    3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
      [    3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
      [    5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).
      Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
      Acked-by: Quinn Tran <quinn.tran@qlogic.com>
      Fixes: cdb898c5
      Signed-off-by: James Bottomley <jejb@linux.vnet.ibm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • irqchip/mips-gic: Match IPI IRQ domain by bus token only · 4406733d
      Paul Burton authored
      commit 547aefc4 upstream.
      
      Commit fbde2d7d ("MIPS: Add generic SMP IPI support") introduced
      code which calls irq_find_matching_host with a NULL node parameter in
      order to discover IPI IRQ domains which are not associated with the DT
      root node's interrupt parent. This suggests that implementations of IPI
      IRQ domains should effectively ignore the node parameter if it is NULL
      and search purely based upon the bus token. Commit 2af70a96
      ("irqchip/mips-gic: Add a IPI hierarchy domain") did not do this when
      implementing the GIC IPI IRQ domain, and on MIPS Boston boards this
      leads to no IPI domain being discovered and a NULL pointer dereference
      when attempting to send an IPI:
      
        CPU 0 Unable to handle kernel paging request at virtual address 0000000000000040, epc == ffffffff8016e70c, ra == ffffffff8010ff5c
        Oops[#1]:
        CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.7.0-rc6-00223-gad0d1b6 #945
        task: a8000000ff066fc0 ti: a8000000ff068000 task.ti: a8000000ff068000
        $ 0   : 0000000000000000 0000000000000001 ffffffff80730000 0000000000000003
        $ 4   : 0000000000000000 ffffffff8057e5b0 a800000001e3ee00 0000000000000000
        $ 8   : 0000000000000000 0000000000000023 0000000000000001 0000000000000001
        $12   : 0000000000000000 ffffffff803323d0 0000000000000000 0000000000000000
        $16   : 0000000000000000 0000000000000000 0000000000000001 ffffffff801108fc
        $20   : 0000000000000000 ffffffff8057e5b0 0000000000000001 0000000000000000
        $24   : 0000000000000000 ffffffff8012de28
        $28   : a8000000ff068000 a8000000ff06fbc0 0000000000000000 ffffffff8010ff5c
        Hi    : ffffffff8014c174
        Lo    : a800000001e1e140
        epc   : ffffffff8016e70c __ipi_send_mask+0x24/0x11c
        ra    : ffffffff8010ff5c mips_smp_send_ipi_mask+0x68/0x178
        Status: 140084e2        KX SX UX KERNEL EXL
        Cause : 00800008 (ExcCode 02)
        BadVA : 0000000000000040
        PrId  : 0001a920 (MIPS I6400)
        Process swapper/0 (pid: 1, threadinfo=a8000000ff068000, task=a8000000ff066fc0, tls=0000000000000000)
        Stack : 0000000000000000 0000000000000000 0000000000000001 ffffffff801108fc
                  0000000000000000 ffffffff8057e5b0 0000000000000001 ffffffff8010ff5c
                  0000000000000001 0000000000000020 0000000000000000 0000000000000000
                  0000000000000000 ffffffff801108fc 0000000000000000 0000000000000001
                  0000000000000001 0000000000000000 0000000000000000 ffffffff801865e8
                  a8000000ff0c7500 a8000000ff06fc90 0000000000000001 0000000000000002
                  ffffffff801108fc ffffffff801868b8 0000000000000000 ffffffff801108fc
                  0000000000000000 0000000000000003 ffffffff8068c700 0000000000000001
                  ffffffff80730000 0000000000000001 a8000000ff00a290 ffffffff80110c50
                  0000000000000003 a800000001e48308 0000000000000003 0000000000000008
                  ...
        Call Trace:
        [<ffffffff8016e70c>] __ipi_send_mask+0x24/0x11c
        [<ffffffff8010ff5c>] mips_smp_send_ipi_mask+0x68/0x178
        [<ffffffff801865e8>] generic_exec_single+0x150/0x170
        [<ffffffff801868b8>] smp_call_function_single+0x108/0x160
        [<ffffffff80110c50>] cps_boot_secondary+0x328/0x394
        [<ffffffff80110534>] __cpu_up+0x38/0x90
        [<ffffffff8012de4c>] bringup_cpu+0x24/0xac
        [<ffffffff8012df40>] cpuhp_up_callbacks+0x58/0xdc
        [<ffffffff8012e648>] cpu_up+0x118/0x18c
        [<ffffffff806dc158>] smp_init+0xbc/0xe8
        [<ffffffff806d4c18>] kernel_init_freeable+0xa0/0x228
        [<ffffffff8056c908>] kernel_init+0x10/0xf0
        [<ffffffff80105098>] ret_from_kernel_thread+0x14/0x1c
      
      Fix this by allowing the GIC IPI IRQ domain to match purely based upon
      the bus token if the node provided is NULL.
      
      Fixes: 2af70a96 ("irqchip/mips-gic: Add a IPI hierarchy domain")
      Signed-off-by: Paul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: Jason Cooper <jason@lakedaemon.net>
      Cc: Qais Yousef <qsyousef@gmail.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Link: http://lkml.kernel.org/r/20160705132600.27730-2-paul.burton@imgtec.com
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>