openwrt/staging/blogic.git
8 years agodrm/nouveau/fifo/gk104: identify fault-recovery members more clearly
Ben Skeggs [Fri, 11 Mar 2016 03:09:28 +0000 (13:09 +1000)]
drm/nouveau/fifo/gk104: identify fault-recovery members more clearly

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/fifo/gk104: rename spoon to pbdma, and move detection to oneinit
Ben Skeggs [Fri, 11 Mar 2016 03:09:28 +0000 (13:09 +1000)]
drm/nouveau/fifo/gk104: rename spoon to pbdma, and move detection to oneinit

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/fifo/gf100: fix certain engines not being recovered after a fault
Ben Skeggs [Fri, 11 Mar 2016 03:09:28 +0000 (13:09 +1000)]
drm/nouveau/fifo/gf100: fix certain engines not being recovered after a fault

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/fifo/gf100: don't attempt recovery of unknown mmu engines
Ben Skeggs [Fri, 11 Mar 2016 03:09:28 +0000 (13:09 +1000)]
drm/nouveau/fifo/gf100: don't attempt recovery of unknown mmu engines

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/fifo/gf100: identify fault-recovery members more clearly
Ben Skeggs [Fri, 11 Mar 2016 03:09:28 +0000 (13:09 +1000)]
drm/nouveau/fifo/gf100: identify fault-recovery members more clearly

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/fifo/gf100: rename spooon to pbdma, and move detection to oneinit
Ben Skeggs [Fri, 11 Mar 2016 03:09:28 +0000 (13:09 +1000)]
drm/nouveau/fifo/gf100: rename spooon to pbdma, and move detection to oneinit

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/fuc: Store $r0 in interrupt handler
Roy Spliet [Thu, 10 Mar 2016 11:19:00 +0000 (11:19 +0000)]
drm/nouveau/gr/fuc: Store $r0 in interrupt handler

It's supposed to always be 0, but at least nv_iowr() temporarily violates
this. Since the ih touches $r0, it should be stored.

Signed-off-by: Roy Spliet <rs855@cam.ac.uk>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/pmu/fuc: use imm32 in ld/st macros
Karol Herbst [Wed, 2 Mar 2016 16:23:07 +0000 (17:23 +0100)]
drm/nouveau/pmu/fuc: use imm32 in ld/st macros

Signed-off-by: Karol Herbst <nouveau@karolherbst.de>
Reviewed-by: Martin Peres <martin.peres@free.fr>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/pmu/fuc: use the call macro instead of using the call instruction directly
Karol Herbst [Wed, 2 Mar 2016 16:23:06 +0000 (17:23 +0100)]
drm/nouveau/pmu/fuc: use the call macro instead of using the call instruction directly

the macro deals with target specific differences and so we should always use
this

Signed-off-by: Karol Herbst <nouveau@karolherbst.de>
Reviewed-by: Martin Peres <martin.peres@free.fr>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/pmu/fuc: replace mov+sethi with imm32
Karol Herbst [Wed, 2 Mar 2016 16:23:05 +0000 (17:23 +0100)]
drm/nouveau/pmu/fuc: replace mov+sethi with imm32

on gk208+ we can simply mov 32bits, so we should have a single mov there

v2: use or operator instead of add

Signed-off-by: Karol Herbst <nouveau@karolherbst.de>
Reviewed-by: Martin Peres <martin.peres@free.fr>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/pmu/fuc: fix imm32 for gk208+
Karol Herbst [Wed, 2 Mar 2016 16:23:04 +0000 (17:23 +0100)]
drm/nouveau/pmu/fuc: fix imm32 for gk208+

Signed-off-by: Karol Herbst <nouveau@karolherbst.de>
Reviewed-by: Martin Peres <martin.peres@free.fr>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/core: use vzalloc for allocating ramht
Ilia Mirkin [Sun, 6 Mar 2016 21:06:06 +0000 (16:06 -0500)]
drm/nouveau/core: use vzalloc for allocating ramht

Most calls to nvkm_ramht_new use 0x8000 as the size. This results in a
fairly sizeable chunk of memory to be allocated, which may not be
available with kzalloc. Since this is done fairly rarely (once per
channel), use vzalloc instead.

Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/fifo/gk104: kick channel upon removal
Alexandre Courbot [Tue, 1 Mar 2016 07:59:05 +0000 (16:59 +0900)]
drm/nouveau/fifo/gk104: kick channel upon removal

A channel may still be processed by the PBDMA even after removal, unless
it is properly kicked. Some chips are more sensible to this than others,
with GM20B triggering the issue very easily (the PBDMA will try to fetch
methods from the previously-removed channel after a new one is added).

Make sure this cannot happen by kicking the channel right after it is
disabled, and before the new runlist is submitted.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/instmem/gk20a: add write barrier when releasing DMA object
Alexandre Courbot [Thu, 3 Mar 2016 07:38:12 +0000 (16:38 +0900)]
drm/nouveau/instmem/gk20a: add write barrier when releasing DMA object

When using the DMA-API for instmem, we may obtain a write-combined
mapping. For such cases, add a write barrier in
gk20a_instobj_release_dma() to make sure that all writes have reached
memory at this time.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/device/pci: set as non-CPU-coherent on ARM64
Alexandre Courbot [Thu, 3 Mar 2016 07:03:02 +0000 (16:03 +0900)]
drm/nouveau/device/pci: set as non-CPU-coherent on ARM64

Without this buffer inconsistencies may appear between the CPU
and GPU when using a PCI GPU on an ARM64 board.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/hwmon: fix crash on non-PCI platforms
Alexandre Courbot [Wed, 2 Mar 2016 10:13:42 +0000 (19:13 +0900)]
drm/nouveau/hwmon: fix crash on non-PCI platforms

Registration of the hwmon device will fail on non-PCI systems since
dev->pdev is NULL in that case. Use the more generic drm_device::dev
member that points to the same and is always set no matter the platform.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau: silence unimportant HDMI status message
Alexandre Courbot [Wed, 2 Mar 2016 10:13:03 +0000 (19:13 +0900)]
drm/nouveau: silence unimportant HDMI status message

On non-PCI devices, nobody should really care if the device does not
provide HDMI...

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/bo: consider DMA buffers on x86 only
Alexandre Courbot [Wed, 2 Mar 2016 10:12:27 +0000 (19:12 +0900)]
drm/nouveau/bo: consider DMA buffers on x86 only

The DMA API has different semantics on different architectures.
Currently on arm64, it can only provide memory from a small pool which
dries up quickly if we attempt to allocate big buffers from it.

Do not consider that option when running on non-x86, since regular TTM
buffers are the (current) best-fit for ARM platforms.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/ltc/gf100: use more reasonable timeout value
Alexandre Courbot [Tue, 1 Mar 2016 08:39:00 +0000 (17:39 +0900)]
drm/nouveau/ltc/gf100: use more reasonable timeout value

LTC operations timeout was set to 2ms, which may be too low for devices
that run at very low clocks (e.g. GM20B) and trigger timeout messages.

Set the timeout to the default 2s. Also remove the redundant error
messages since nvkm_wait_msec() will already display a warning.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/fifo/gk104: take runlist target into account
Alexandre Courbot [Tue, 1 Mar 2016 07:51:58 +0000 (16:51 +0900)]
drm/nouveau/fifo/gk104: take runlist target into account

Bits 28:29 of RUNLIST_BASE specify the memory target of the runlist. Set
it to 0x3 (SYS_MEM_NONCOHERENT) if the runlist object resides in system
memory.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/fifo/gf100: take runlist target into account
Alexandre Courbot [Tue, 1 Mar 2016 07:51:57 +0000 (16:51 +0900)]
drm/nouveau/fifo/gf100: take runlist target into account

Bits 28:29 of RUNLIST_BASE specify the memory target of the runlist. Set
it to 0x3 (SYS_MEM_NONCOHERENT) if the runlist object resides in system
memory.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/fifo/gk104: fix chid bit mask
Xia Yang [Thu, 25 Feb 2016 08:59:08 +0000 (17:59 +0900)]
drm/nouveau/fifo/gk104: fix chid bit mask

Fix the channel id bit mask in FIFO schedule timeout error handling.

FIFO_ENGINE_STATUS_NEXT_ID is bit 27:16 thus 0x0fff0000.
FIFO_ENGINE_STATUS_ID      is bit 11:0  thus 0x00000fff.

Signed-off-by: Xia Yang <xiay@nvidia.com>
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/instmem/gk20a: set DMA mask early
Alexandre Courbot [Thu, 25 Feb 2016 06:08:42 +0000 (15:08 +0900)]
drm/nouveau/instmem/gk20a: set DMA mask early

DMA mask is typically set in nouveau_ttm_init(), but this function is
called late during initialization and GK20A's instmem will have called
DMA functions before this happens.

Having a wrongly set DMA mask can result in the use of unneeded bounce
buffers. Set it early to avoid this.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/gm206: remove implementation, it's now identical to gm200
Ben Skeggs [Thu, 25 Feb 2016 00:40:51 +0000 (10:40 +1000)]
drm/nouveau/gr/gm206: remove implementation, it's now identical to gm200

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/gm200: switch over to using sw_nonctx from firmware
Ben Skeggs [Thu, 25 Feb 2016 00:03:13 +0000 (10:03 +1000)]
drm/nouveau/gr/gm200: switch over to using sw_nonctx from firmware

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/gm200: switch over to using sw_method_init from firmware
Ben Skeggs [Thu, 25 Feb 2016 00:00:17 +0000 (10:00 +1000)]
drm/nouveau/gr/gm200: switch over to using sw_method_init from firmware

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/gm200: switch over to using sw_bundle_init from firmware
Ben Skeggs [Wed, 24 Feb 2016 23:58:12 +0000 (09:58 +1000)]
drm/nouveau/gr/gm200: switch over to using sw_bundle_init from firmware

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/gm200: switch over to using sw_ctx from firmware
Ben Skeggs [Wed, 24 Feb 2016 23:48:37 +0000 (09:48 +1000)]
drm/nouveau/gr/gm200: switch over to using sw_ctx from firmware

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/bios/extdev: also parse v4.1 table
Karol Herbst [Sat, 20 Feb 2016 16:12:19 +0000 (17:12 +0100)]
drm/nouveau/bios/extdev: also parse v4.1 table

Signed-off-by: Karol Herbst <nouveau@karolherbst.de>
Reviewed-by: Martin Peres <martin.peres@free.fr>
8 years agodrm/nouveau/hwmon: don't require therm to be valid to get any data
Karol Herbst [Sat, 20 Feb 2016 16:10:12 +0000 (17:10 +0100)]
drm/nouveau/hwmon: don't require therm to be valid to get any data

Signed-off-by: Karol Herbst <nouveau@karolherbst.de>
Reviewed-by: Martin Peres <martin.peres@free.fr>
8 years agodrm/nouveau/hwmon: add power consumption
Karol Herbst [Thu, 18 Feb 2016 19:10:19 +0000 (20:10 +0100)]
drm/nouveau/hwmon: add power consumption

v2: expose only if the sensor reading is valid

Signed-off-by: Karol Herbst <nouveau@karolherbst.de>
Reviewed-by: Martin Peres <martin.peres@free.fr>
8 years agodrm/nouveau/iccsense: implement for ina209, ina219 and ina3221
Karol Herbst [Thu, 18 Feb 2016 15:53:44 +0000 (16:53 +0100)]
drm/nouveau/iccsense: implement for ina209, ina219 and ina3221

based on Martins initial work

v3: fix ina2x9 calculations
v4: don't kmalloc(0), fix the lsb/pga stuff
v5: add a field to tell if the power reading may be invalid
    add nkvm_iccsense_read_all function
    check for the device on the i2c bus

Signed-off-by: Karol Herbst <nouveau@karolherbst.de>
Reviewed-by: Martin Peres <martin.peres@free.fr>
8 years agodrm/nouveau/nvbios/iccsense: add parsing of the SENSE table
Martin Peres [Thu, 18 Feb 2016 13:35:12 +0000 (14:35 +0100)]
drm/nouveau/nvbios/iccsense: add parsing of the SENSE table

Karol Herbst:
v4: don't kmalloc(0)
v5: stricter validation

Signed-off-by: Karol Herbst <nouveau@karolherbst.de>
Reviewed-by: Martin Peres <martin.peres@free.fr>
8 years agodrm/nouveau/subdev/iccsense: add new subdev for power sensors
Martin Peres [Thu, 18 Feb 2016 13:10:49 +0000 (14:10 +0100)]
drm/nouveau/subdev/iccsense: add new subdev for power sensors

Signed-off-by: Karol Herbst <nouveau@karolherbst.de>
Reviewed-by: Martin Peres <martin.peres@free.fr>
8 years agodrm/nouveau/secboot/gm20b: add secure boot support
Alexandre Courbot [Wed, 24 Feb 2016 05:42:24 +0000 (14:42 +0900)]
drm/nouveau/secboot/gm20b: add secure boot support

Add secure boot support for the GM20B chip found in Tegra X1. Secure
boot on Tegra works slightly differently from desktop, notably in the
way the WPR region is set up.

In addition, the firmware bootloaders use a slightly different header
format.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/secboot/gm200: add secure-boot support
Alexandre Courbot [Wed, 24 Feb 2016 05:42:23 +0000 (14:42 +0900)]
drm/nouveau/secboot/gm200: add secure-boot support

Add secure-boot for the dGPU set of GM20X chips, using the PMU as the
high-secure falcon.

This work is based on Deepak Goyal's initial port of Secure Boot to
Nouveau.

v2. use proper memory target function

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/gm200: do not load firmware for secure falcons
Alexandre Courbot [Wed, 24 Feb 2016 05:42:22 +0000 (14:42 +0900)]
drm/nouveau/gr/gm200: do not load firmware for secure falcons

Secure falcons' firmware is managed by secboot. Do not load it in GR for
them.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/gf100: add support for securely-managed falcons
Alexandre Courbot [Wed, 24 Feb 2016 05:42:21 +0000 (14:42 +0900)]
drm/nouveau/gr/gf100: add support for securely-managed falcons

Start securely-managed falcons using secboot functions since the process
for them is different from just writing CPUCTL.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/core: add support for secure boot
Alexandre Courbot [Wed, 24 Feb 2016 05:42:20 +0000 (14:42 +0900)]
drm/nouveau/core: add support for secure boot

On GM200 and later GPUs, firmware for some essential falcons (notably
GR ones) must be authenticated by a NVIDIA-produced signature and
loaded by a high-secure falcon in order to be able to access privileged
registers, in a process known as Secure Boot.

Secure Boot requires building a binary blob containing the firmwares
and signatures of the falcons to be loaded. This blob is then given to
a high-secure falcon running a signed loader firmware that copies the
blob into a write-protected region, checks that the signatures are
valid, and finally loads the verified firmware into the managed falcons
and switches them to privileged mode.

This patch adds infrastructure code to support this process on chips
that require it.

v2:
- The IRQ mask of the PMU falcon was left - replace it with the proper
  irq_mask variable.
- The falcon reset procedure expecting a falcon in an initialized state,
  which was accidentally provided by the PMU subdev. Make sure that
  secboot can manage the falcon on its own.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/gm200: load external firmware and bundles
Alexandre Courbot [Wed, 24 Feb 2016 05:42:19 +0000 (14:42 +0900)]
drm/nouveau/gr/gm200: load external firmware and bundles

Load firmware and bundles in GM200's constructor. The previously called
GF100 function did not care about the bundles.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/gk20a: share external bundles loading functions
Alexandre Courbot [Wed, 24 Feb 2016 05:42:18 +0000 (14:42 +0900)]
drm/nouveau/gr/gk20a: share external bundles loading functions

There functions are going to be used by other chips that rely on
NVIDIA-provided firmware. Export them.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/gk20a: simplify external bundle loading functions
Alexandre Courbot [Wed, 24 Feb 2016 05:42:17 +0000 (14:42 +0900)]
drm/nouveau/gr/gk20a: simplify external bundle loading functions

Make these functions easier to use by handling memory management from
within.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/gf100: load firmware in outer function
Alexandre Courbot [Wed, 24 Feb 2016 05:42:16 +0000 (14:42 +0900)]
drm/nouveau/gr/gf100: load firmware in outer function

The firmwares required by GR may vary from chip to chip, especially with
the introduction of secure boot and NVIDIA-provided firmwares. Move the
firmware loading outside of gf100_gr_ctor so other chips may still call
it while managing their firmwares themselves.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/gk20a: move firmware bundle release to gf100
Alexandre Courbot [Wed, 24 Feb 2016 05:42:15 +0000 (14:42 +0900)]
drm/nouveau/gr/gk20a: move firmware bundle release to gf100

Some members of gf100_gr were freed by the gk20a driver. That's not
where it should be done - free them in gf100 so other chips that use
NVIDIA-provided firmware free these structures properly.

This also removes the need for a GK20A-specific destructor.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/core: add gpuobj memcpy helper functions
Alexandre Courbot [Wed, 24 Feb 2016 05:42:14 +0000 (14:42 +0900)]
drm/nouveau/core: add gpuobj memcpy helper functions

Add memcpy functions to copy a buffer to a gpuobj and vice-versa. This
will be used by the secure boot code.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gm200: enable graphics device
Ben Skeggs [Wed, 24 Feb 2016 04:05:54 +0000 (14:05 +1000)]
drm/nouveau/gm200: enable graphics device

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/gm200: s/gm204/gm200/
Ben Skeggs [Wed, 24 Feb 2016 04:03:40 +0000 (14:03 +1000)]
drm/nouveau/gr/gm200: s/gm204/gm200/

Most of the per-chipset differences will go away when we fully switch
to using the register lists provided by the firmware files, which will
leave all the remaining code "belonging" to GM200.

This is a preemptive rename from GM204 to GM200.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/bios/devinit: properly handle unknown generic conditions
Ben Skeggs [Wed, 17 Feb 2016 18:10:04 +0000 (04:10 +1000)]
drm/nouveau/bios/devinit: properly handle unknown generic conditions

Upon encountering an unknown condition code, the script interpreter
is supposed to skip 'size' bytes and continue at the next devinit
token.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/bios/devinit: rename INIT_DP_CONDITION to INIT_GENERIC_CONDITION
Ben Skeggs [Wed, 17 Feb 2016 18:03:39 +0000 (04:03 +1000)]
drm/nouveau/bios/devinit: rename INIT_DP_CONDITION to INIT_GENERIC_CONDITION

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/ltc/gm107: fix slice intr offset
Ben Skeggs [Thu, 11 Feb 2016 02:23:03 +0000 (12:23 +1000)]
drm/nouveau/ltc/gm107: fix slice intr offset

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/devinit/gf100-: detect if BIOS invoked devinit
Alexandre Courbot [Thu, 11 Feb 2016 02:10:04 +0000 (11:10 +0900)]
drm/nouveau/devinit/gf100-: detect if BIOS invoked devinit

It is not advisable to perform devinit if it has already been done.
VBIOS will very likely have invoked devinit if the GPU is the primary
graphics device, but there is no accurate way to detect this fact yet.

This patch adds such a method for gf100 and later chips, by means of the
NV_PTOP_SCRATCH1_DEVINIT_COMPLETED bit. This bit is set to 1 by devinit,
and reset to 0 when the GPU is powered.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/devinit/nv50: remove unneeded variable
Alexandre Courbot [Thu, 11 Feb 2016 02:09:52 +0000 (11:09 +0900)]
drm/nouveau/devinit/nv50: remove unneeded variable

We never use any nv50-specific member in this nv50_devinit_preinit().

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau: s/gm204/gm200/ in a number of places
Ben Skeggs [Wed, 10 Feb 2016 22:35:32 +0000 (08:35 +1000)]
drm/nouveau: s/gm204/gm200/ in a number of places

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau: recognise GM200 chipset
Ben Skeggs [Wed, 10 Feb 2016 22:25:35 +0000 (08:25 +1000)]
drm/nouveau: recognise GM200 chipset

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/device/tegra: fix uninitialized IRQ number
Alexandre Courbot [Thu, 28 Jan 2016 03:30:06 +0000 (12:30 +0900)]
drm/nouveau/device/tegra: fix uninitialized IRQ number

nvkm_device_tegra_new initializes the irq member of the Tegra device
to -1 in order to signal that it is uninitialized. However,
nvkm_device_tegra_fini tests it against 0 to check whether an IRQ has
been allocated or not. This leads to free_irq being called on -1 during
device initialization.

Fix this by using 0 as the uninitialized value everywhere.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/device: call nvkm_device_fini if nvkm_device_init fails
Alexandre Courbot [Mon, 25 Jan 2016 09:44:23 +0000 (18:44 +0900)]
drm/nouveau/device: call nvkm_device_fini if nvkm_device_init fails

nvkm_device_fini is never called if a failure occurs in
nvkm_device_init, even when unloading the module. This can lead to a
resources leak (one example is the Tegra interrupt which would never be
freed in that case). Fix this by calling nvkm_device_fini in
nvkm_device_init's failure path.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/gr/gf100: use the nvkm_firmware functions
Alexandre Courbot [Mon, 18 Jan 2016 06:07:10 +0000 (15:07 +0900)]
drm/nouveau/gr/gf100: use the nvkm_firmware functions

Use the nvkm_firmware_* functions when loading external firmware to
avoid duplicate code.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/core: add firmware handling functions
Alexandre Courbot [Mon, 18 Jan 2016 06:07:09 +0000 (15:07 +0900)]
drm/nouveau/core: add firmware handling functions

Add two functions nvkm_firmware_get() and nvkm_firmware_put() to load a
firmware file and free its resources, respectively. Since firmware files
are becoming a necessity for new GPUs, and their location has been
standardized to nvidia/chip/, this will prevent duplicate and
error-prone name-generation code.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agodrm/nouveau/ltc/gm107: wait on relevant bit in gm107_ltc_cbc_wait
Alexandre Courbot [Fri, 15 Jan 2016 02:53:24 +0000 (11:53 +0900)]
drm/nouveau/ltc/gm107: wait on relevant bit in gm107_ltc_cbc_wait

Patch "ltc/gm107: use nvkm_mask to set cbc_ctrl1" sets the 3rd bit
of the CTRL1 register instead of writing it entirely in
gm107_ltc_cbc_clear(). As a counterpart, gm107_ltc_cbc_wait() must also
be modified to wait on that single bit only, otherwise a timeout may
occur if some other bit of that register is set. This happened at least
on GM206 when running glmark2-drm.

While we are at it, use the more compact nvkm_wait_msec() to wait for
the bit to clear.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
8 years agoMerge tag 'drm-vc4-fixes-2016-03-03' of github.com:anholt/linux into drm-next
Dave Airlie [Sun, 13 Mar 2016 23:48:04 +0000 (09:48 +1000)]
Merge tag 'drm-vc4-fixes-2016-03-03' of github.com:anholt/linux into drm-next

This pull request fixes the major VC4 HDMI modesetting bugs found when
the first wave of users showed up in Raspbian.

* tag 'drm-vc4-fixes-2016-03-03' of github.com:anholt/linux:
  drm/vc4: Initialize scaler DISPBKGND on modeset.
  drm/vc4: Fix setting of vertical timings in the CRTC.
  drm/vc4: Fix the name of the VSYNCD_EVEN register.
  drm/vc4: Add another reg to HDMI debug dumping.
  drm/vc4: Bring HDMI up from power off if necessary.
  drm/vc4: Fix a framebuffer reference leak on async flip interrupt.

8 years agoMerge branch 'exynos-drm-next' of git://git.kernel.org/pub/scm/linux/kernel/git/daein...
Dave Airlie [Sun, 13 Mar 2016 23:46:46 +0000 (09:46 +1000)]
Merge branch 'exynos-drm-next' of git://git./linux/kernel/git/daeinki/drm-exynos into drm-next

* 'exynos-drm-next' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos:
  drm/exynos: add DRM_EXYNOS_GEM_MAP ioctl

8 years agoMerge drm-fixes into drm-next.
Dave Airlie [Sun, 13 Mar 2016 23:42:34 +0000 (09:42 +1000)]
Merge drm-fixes into drm-next.

Nouveau wanted this to avoid some worse conflicts when I merge that.

8 years agodrm/exynos: add DRM_EXYNOS_GEM_MAP ioctl
Joonyoung Shim [Tue, 8 Mar 2016 05:12:59 +0000 (14:12 +0900)]
drm/exynos: add DRM_EXYNOS_GEM_MAP ioctl

The commit d931589c01a2 ("drm/exynos: remove DRM_EXYNOS_GEM_MAP_OFFSET
ioctl") removed it same with the ioctl that this patch adds. The reason
that removed DRM_EXYNOS_GEM_MAP_OFFSET was we could use
DRM_IOCTL_MODE_MAP_DUMB. Both did exactly same thing.

Now we again will revive it as DRM_EXYNOS_GEM_MAP because of render
node. DRM_IOCTL_MODE_MAP_DUMB isn't permitted in render node.

Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
8 years agoMerge tag 'drm-intel-fixes-2016-03-11' of git://anongit.freedesktop.org/drm-intel...
Dave Airlie [Fri, 11 Mar 2016 20:53:30 +0000 (06:53 +1000)]
Merge tag 'drm-intel-fixes-2016-03-11' of git://anongit.freedesktop.org/drm-intel into drm-next

Two i915 regression fixes.

* tag 'drm-intel-fixes-2016-03-11' of git://anongit.freedesktop.org/drm-intel:
  drm/i915: Actually retry with bit-banging after GMBUS timeout
  drm/i915: Fix bogus dig_port_map[] assignment for pre-HSW

8 years agoMerge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Linus Torvalds [Fri, 11 Mar 2016 20:35:54 +0000 (12:35 -0800)]
Merge tag 'armsoc-fixes' of git://git./linux/kernel/git/arm/arm-soc

Pull ARM SoC fixes from Olof Johansson:
 "Two more fixes for 4.5:

   - One is a fix for OMAP that is urgently needed to avoid DRA7xx chips
     from premature aging, by always keeping the Ethernet clock enabled.

   - The other solves a I/O memory layout issue on Armada, where SROM
     and PCI memory windows were conflicting in some configurations"

* tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  ARM: mvebu: fix overlap of Crypto SRAM with PCIe memory window
  ARM: dts: dra7: do not gate cpsw clock due to errata i877
  ARM: OMAP2+: hwmod: Introduce ti,no-idle dt property

8 years agoMerge tag 'media/v4.5-5' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab...
Linus Torvalds [Fri, 11 Mar 2016 20:32:02 +0000 (12:32 -0800)]
Merge tag 'media/v4.5-5' of git://git./linux/kernel/git/mchehab/linux-media

Pull media fix from Mauro Carvalho Chehab:
 "One last time fix: It adds a code that prevents some media tools like
  media-ctl to hide some entities that have their IDs out of the range
  expected by those apps"

* tag 'media/v4.5-5' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  [media] media-device: map new functions into old types for legacy API

8 years agoARM: mvebu: fix overlap of Crypto SRAM with PCIe memory window
Thomas Petazzoni [Tue, 8 Mar 2016 15:59:57 +0000 (16:59 +0100)]
ARM: mvebu: fix overlap of Crypto SRAM with PCIe memory window

When the Crypto SRAM mappings were added to the Device Tree files
describing the Armada XP boards in commit c466d997bb16 ("ARM: mvebu:
define crypto SRAM ranges for all armada-xp boards"), the fact that
those mappings were overlaping with the PCIe memory aperture was
overlooked. Due to this, we currently have for all Armada XP platforms
a situation that looks like this:

Memory mapping on Armada XP boards with internal registers at
0xf1000000:

 - 0x00000000 -> 0xf0000000 3.75G  RAM
 - 0xf0000000 -> 0xf1000000 16M NOR flashes (AXP GP / AXP DB)
 - 0xf1000000 -> 0xf1100000 1M internal registers
 - 0xf8000000 -> 0xffe0000 126M PCIe memory aperture
 - 0xf8100000 -> 0xf8110000 64KB Crypto SRAM #0 => OVERLAPS WITH PCIE !
 - 0xf8110000 -> 0xf8120000 64KB Crypto SRAM #1 => OVERLAPS WITH PCIE !
 - 0xffe00000 -> 0xfff00000 1M PCIe I/O aperture
 - 0xfff0000  -> 0xffffffff 1M BootROM

The overlap means that when PCIe devices are added, depending on their
memory window needs, they might or might not be mapped into the
physical address space. Indeed, they will not be mapped if the area
allocated in the PCIe memory aperture by the PCI core overlaps with
one of the Crypto SRAM. Typically, a Intel IGB PCIe NIC that needs 8MB
of PCIe memory will see its PCIe memory window allocated from
0xf80000000 for 8MB, which overlaps with the Crypto SRAM windows. Due
to this, the PCIe window is not created, and any attempt to access the
PCIe window makes the kernel explode:

[    3.302213] igb: Copyright (c) 2007-2014 Intel Corporation.
[    3.307841] pci 0000:00:09.0: enabling device (0140 -> 0143)
[    3.313539] mvebu_mbus: cannot add window '4:f8', conflicts with another window
[    3.320870] mvebu-pcie soc:pcie-controller: Could not create MBus window at [mem 0xf8000000-0xf87fffff]: -22
[    3.330811] Unhandled fault: external abort on non-linefetch (0x1008) at 0xf08c0018

This problem does not occur on Armada 370 boards, because we use the
following memory mapping (for boards that have internal registers at
0xf1000000):

 - 0x00000000 -> 0xf0000000 3.75G  RAM
 - 0xf0000000 -> 0xf1000000 16M NOR flashes (AXP GP / AXP DB)
 - 0xf1000000 -> 0xf1100000 1M internal registers
 - 0xf1100000 -> 0xf1110000 64KB Crypto SRAM #0 => OK !
 - 0xf8000000 -> 0xffe0000 126M PCIe memory
 - 0xffe00000 -> 0xfff00000 1M PCIe I/O
 - 0xfff0000  -> 0xffffffff 1M BootROM

Obviously, the solution is to align the location of the Crypto SRAM
mappings of Armada XP to be similar with the ones on Armada 370, i.e
have them between the "internal registers" area and the beginning of
the PCIe aperture.

However, we have a special case with the OpenBlocks AX3-4 platform,
which has a 128 MB NOR flash. Currently, this NOR flash is mapped from
0xf0000000 to 0xf8000000. This is possible because on OpenBlocks
AX3-4, the internal registers are not at 0xf1000000. And this explains
why the Crypto SRAM mappings were not configured at the same place on
Armada XP.

Hence, the solution is two-fold:

 (1) Move the NOR flash mapping on Armada XP OpenBlocks AX3-4 from
     0xe8000000 to 0xf0000000. This frees the 0xf0000000 ->
     0xf80000000 space.

 (2) Move the Crypto SRAM mappings on Armada XP to be similar to
     Armada 370 (except of course that Armada XP has two Crypto SRAM
     and not one).

After this patch, the memory mapping on Armada XP boards with
registers at 0xf1 is:

 - 0x00000000 -> 0xf0000000 3.75G  RAM
 - 0xf0000000 -> 0xf1000000 16M NOR flashes (AXP GP / AXP DB)
 - 0xf1000000 -> 0xf1100000 1M internal registers
 - 0xf1100000 -> 0xf1110000 64KB Crypto SRAM #0
 - 0xf1110000 -> 0xf1120000 64KB Crypto SRAM #1
 - 0xf8000000 -> 0xffe0000 126M PCIe memory
 - 0xffe00000 -> 0xfff00000 1M PCIe I/O
 - 0xfff0000  -> 0xffffffff 1M BootROM

And the memory mapping for the special case of the OpenBlocks AX3-4
(internal registers at 0xd0000000, NOR of 128 MB):

 - 0x00000000 -> 0xc0000000 3G  RAM
 - 0xd0000000 -> 0xd1000000 1M internal registers
 - 0xe800000  -> 0xf0000000 128M NOR flash
 - 0xf1100000 -> 0xf1110000 64KB Crypto SRAM #0
 - 0xf1110000 -> 0xf1120000 64KB Crypto SRAM #1
 - 0xf8000000 -> 0xffe0000 126M PCIe memory
 - 0xffe00000 -> 0xfff00000 1M PCIe I/O
 - 0xfff0000  -> 0xffffffff 1M BootROM

Fixes: c466d997bb16 ("ARM: mvebu: define crypto SRAM ranges for all armada-xp boards")
Reported-by: Phil Sutter <phil@nwl.cc>
Cc: Phil Sutter <phil@nwl.cc>
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Olof Johansson <olof@lixom.net>
8 years agoMerge tag 'dmaengine-fix-4.5' of git://git.infradead.org/users/vkoul/slave-dma
Linus Torvalds [Fri, 11 Mar 2016 18:57:18 +0000 (10:57 -0800)]
Merge tag 'dmaengine-fix-4.5' of git://git.infradead.org/users/vkoul/slave-dma

Pull dmaengine fixes from Vinod Koul:
 "Two fixes showed up in last few days, and they should be included in
  4.5.  Summary:

  Two more late fixes to drivers, nothing major here:

   - A memory leak fix in fsdma unmap the dma descriptors on freeup

   - A fix in xdmac driver for residue calculation of dma descriptor"

* tag 'dmaengine-fix-4.5' of git://git.infradead.org/users/vkoul/slave-dma:
  dmaengine: at_xdmac: fix residue computation
  dmaengine: fsldma: fix memory leak

8 years agoMerge tag 'pm+acpi-4.5-final' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael...
Linus Torvalds [Fri, 11 Mar 2016 18:45:03 +0000 (10:45 -0800)]
Merge tag 'pm+acpi-4.5-final' of git://git./linux/kernel/git/rafael/linux-pm

Pull power management and ACPI fixes from Rafael Wysocki:
 "Two more fixes for issues introduced recently, one in the generic
  device properties framework and one in ACPICA.

  Specifics:

   - Revert a recent ACPICA commit that has been reverted upstream,
     because it caused problems to happen on user systems and the
     problem it attempted to address will not be relevant any more after
     upcoming ACPI specification changes (Bob Moore).

   - Fix crash in the generic device properties framework introduced by
     a recent change that forgot to check pointers against error values
     in addition to checking them against NULL (Heikki Krogerus)"

* tag 'pm+acpi-4.5-final' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  device property: fwnode->secondary may contain ERR_PTR(-ENODEV)
  ACPICA: Revert "Parser: Fix for SuperName method invocation"

8 years agoMerge tag 'xfs-for-linus-4.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Fri, 11 Mar 2016 18:21:32 +0000 (10:21 -0800)]
Merge tag 'xfs-for-linus-4.5-rc7' of git://git./linux/kernel/git/dgc/linux-xfs

Pull xfs fixes from Dave Chinner:
 "This is a fix for a regression introduced in 4.5-rc1 by the new torn
  log write detection code.  The regression only affects people moving a
  clean filesystem between machines/kernels of different architecture
  (such as changing between 32 bit and 64 bit kernels), but this is the
  recommended (and only!) safe way to migrate a filesystem between
  architectures so we really need to ensure it works.

  The changes are larger than I'd prefer right at the end of the release
  cycle, but the majority of the change is just factoring code to enable
  the detection of a clean log at the correct time to avoid this issue.

  Changes:

   - Only perform torn log write detection on dirty logs.  This prevents
     failures being detected due to a clean filesystem being moved
     between machines or kernels of different architectures (e.g.  32 ->
     64 bit, BE -> LE, etc).  This fixes a regression introduced by the
     torn log write detection in 4.5-rc1"

* tag 'xfs-for-linus-4.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs:
  xfs: only run torn log write detection on dirty logs
  xfs: refactor in-core log state update to helper
  xfs: refactor unmount record detection into helper
  xfs: separate log head record discovery from verification

8 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Linus Torvalds [Fri, 11 Mar 2016 18:13:49 +0000 (10:13 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/viro/vfs

Pull vfs fixes from Al Viro:
 "A couple of fixes: Fix for my dumb braino in ncpfs and a long-standing
  breakage on recovery from failed rename() in jffs2"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  jffs2: reduce the breakage on recovery from halfway failed rename()
  ncpfs: fix a braino in OOM handling in ncp_fill_cache()

8 years agoMerge branches 'device-properties-fixes' and 'acpica-fixes'
Rafael J. Wysocki [Fri, 11 Mar 2016 13:22:54 +0000 (14:22 +0100)]
Merge branches 'device-properties-fixes' and 'acpica-fixes'

* device-properties-fixes:
  device property: fwnode->secondary may contain ERR_PTR(-ENODEV)

* acpica-fixes:
  ACPICA: Revert "Parser: Fix for SuperName method invocation"

8 years agodrm/i915: Actually retry with bit-banging after GMBUS timeout
Ville SyrjÀlÀ [Mon, 7 Mar 2016 15:56:57 +0000 (17:56 +0200)]
drm/i915: Actually retry with bit-banging after GMBUS timeout

After the GMBUS transfer times out, we set force_bit=1 and
return -EAGAIN expecting the i2c core to call the .master_xfer
hook again so that we will retry the same transfer via bit-banging.
This is in case the gmbus hardware is somehow faulty.

Unfortunately we left adapter->retries to 0, meaning the i2c core
didn't actually do the retry. Let's tell the core we want one retry
when we return -EAGAIN.

Note that i2c-algo-bit also uses this retry count for some internal
retries, so we'll end up increasing those a bit as well.

Cc: Jani Nikula <jani.nikula@intel.com>
Cc: drm-intel-fixes@lists.freedesktop.org
Fixes: bffce907d640 ("drm/i915: abstract i2c bit banging fallback in gmbus xfer")
Signed-off-by: Ville SyrjÀlÀ <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1457366220-29409-2-git-send-email-ville.syrjala@linux.intel.com
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
(cherry picked from commit 8b1f165a4a8f64c28cf42d10e1f4d3b451dedc51)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
8 years agoMerge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Linus Torvalds [Thu, 10 Mar 2016 18:42:15 +0000 (10:42 -0800)]
Merge tag 'for-linus' of git://git./virt/kvm/kvm

Pull KVM fixes from Paolo Bonzini:
 "A few simple fixes for ARM, x86, PPC and generic code.

  The x86 MMU fix is a bit larger because the surrounding code needed a
  cleanup, but nothing worrisome"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: MMU: fix reserved bit check for ept=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0
  KVM: MMU: fix ept=0/pte.u=1/pte.w=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0 combo
  kvm: cap halt polling at exactly halt_poll_ns
  KVM: s390: correct fprs on SIGP (STOP AND) STORE STATUS
  KVM: VMX: disable PEBS before a guest entry
  KVM: PPC: Book3S HV: Sanitize special-purpose register values on guest exit

8 years agoMerge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
Linus Torvalds [Thu, 10 Mar 2016 18:39:04 +0000 (10:39 -0800)]
Merge tag 'arm64-fixes' of git://git./linux/kernel/git/arm64/linux

Pull arm64 fixes from Will Deacon:
 "I thought we were done for 4.5, but then the 64k-page chaps came
  crawling out of the woodwork.  *sigh*

  The vmemmap fix I sent for -rc7 caused a regression with 64k pages and
  sparsemem and at some point during the release cycle the new hugetlb
  code using contiguous ptes started failing the libhugetlbfs tests with
  64k pages enabled.

  So here are a couple of patches that fix the vmemmap alignment and
  disable the new hugetlb page sizes whilst a proper fix is being
  developed:

   - Temporarily disable huge pages built using contiguous ptes

   - Ensure vmemmap region is sufficiently aligned for sparsemem
     sections"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64: hugetlb: partial revert of 66b3923a1a0f
  arm64: account for sparsemem section alignment when choosing vmemmap offset

8 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Linus Torvalds [Thu, 10 Mar 2016 18:36:07 +0000 (10:36 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/s390/linux

Pull s390 fixes from Martin Schwidefsky:
 "Three bug fixes:
   - The fix for the page table corruption (CVE-2016-2143)
   - The diagnose statistics introduced a regression for the dasd diag
     driver
   - Boot crash on systems without the set-program-parameters facility"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/mm: four page table levels vs. fork
  s390/cpumf: Fix lpp detection
  s390/dasd: fix diag 0x250 inline assembly

8 years ago[media] media-device: map new functions into old types for legacy API
Mauro Carvalho Chehab [Sat, 5 Mar 2016 10:13:39 +0000 (07:13 -0300)]
[media] media-device: map new functions into old types for legacy API

The legacy media controller userspace API exposes entity types that
carry both type and function information. The new API replaces the type
with a function. It preserves backward compatibility by defining legacy
functions for the existing types and using them in drivers.

This works fine, as long as newer entity functions won't be added.

Unfortunately, some tools, like media-ctl with --print-dot argument
rely on the now legacy MEDIA_ENT_T_V4L2_SUBDEV and MEDIA_ENT_T_DEVNODE
numeric ranges to identify what entities will be shown.

Also, if the entity doesn't match those ranges, it will ignore the
major/minor information on devnodes, and won't be getting the devnode
name via udev or sysfs.

As we're now adding devices outside the old range, the legacy ioctl
needs to map the new entity functions into a type at the old range,
or otherwise we'll have a regression.

Detected on all released media-ctl versions (e. g. versions <= 1.10).

Fix this by deriving the type from the function to emulate the legacy
API if the function isn't in the legacy functions range.

Reported-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
8 years agodmaengine: at_xdmac: fix residue computation
Ludovic Desroches [Thu, 10 Mar 2016 09:17:55 +0000 (10:17 +0100)]
dmaengine: at_xdmac: fix residue computation

When computing the residue we need two pieces of information: the current
descriptor and the remaining data of the current descriptor. To get
that information, we need to read consecutively two registers but we
can't do it in an atomic way. For that reason, we have to check manually
that current descriptor has not changed.

Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Suggested-by: Cyrille Pitchen <cyrille.pitchen@atmel.com>
Reported-by: David Engraf <david.engraf@sysgo.com>
Tested-by: David Engraf <david.engraf@sysgo.com>
Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel
eXtended DMA Controller driver")
Cc: stable@vger.kernel.org #4.1 and later
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
8 years agoKVM: MMU: fix reserved bit check for ept=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0
Paolo Bonzini [Wed, 9 Mar 2016 13:28:02 +0000 (14:28 +0100)]
KVM: MMU: fix reserved bit check for ept=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0

KVM has special logic to handle pages with pte.u=1 and pte.w=0 when
CR0.WP=1.  These pages' SPTEs flip continuously between two states:
U=1/W=0 (user and supervisor reads allowed, supervisor writes not allowed)
and U=0/W=1 (supervisor reads and writes allowed, user writes not allowed).

When SMEP is in effect, however, U=0 will enable kernel execution of
this page.  To avoid this, KVM also sets NX=1 in the shadow PTE together
with U=0, making the two states U=1/W=0/NX=gpte.NX and U=0/W=1/NX=1.
When guest EFER has the NX bit cleared, the reserved bit check thinks
that the latter state is invalid; teach it that the smep_andnot_wp case
will also use the NX bit of SPTEs.

Cc: stable@vger.kernel.org
Reviewed-by: Xiao Guangrong <guangrong.xiao@linux.inel.com>
Fixes: c258b62b264fdc469b6d3610a907708068145e3b
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
8 years agoKVM: MMU: fix ept=0/pte.u=1/pte.w=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0 combo
Paolo Bonzini [Tue, 8 Mar 2016 11:13:39 +0000 (12:13 +0100)]
KVM: MMU: fix ept=0/pte.u=1/pte.w=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0 combo

Yes, all of these are needed. :) This is admittedly a bit odd, but
kvm-unit-tests access.flat tests this if you run it with "-cpu host"
and of course ept=0.

KVM runs the guest with CR0.WP=1, so it must handle supervisor writes
specially when pte.u=1/pte.w=0/CR0.WP=0.  Such writes cause a fault
when U=1 and W=0 in the SPTE, but they must succeed because CR0.WP=0.
When KVM gets the fault, it sets U=0 and W=1 in the shadow PTE and
restarts execution.  This will still cause a user write to fault, while
supervisor writes will succeed.  User reads will fault spuriously now,
and KVM will then flip U and W again in the SPTE (U=1, W=0).  User reads
will be enabled and supervisor writes disabled, going back to the
originary situation where supervisor writes fault spuriously.

When SMEP is in effect, however, U=0 will enable kernel execution of
this page.  To avoid this, KVM also sets NX=1 in the shadow PTE together
with U=0.  If the guest has not enabled NX, the result is a continuous
stream of page faults due to the NX bit being reserved.

The fix is to force EFER.NX=1 even if the CPU is taking care of the EFER
switch.  (All machines with SMEP have the CPU_LOAD_IA32_EFER vm-entry
control, so they do not use user-return notifiers for EFER---if they did,
EFER.NX would be forced to the same value as the host).

There is another bug in the reserved bit check, which I've split to a
separate patch for easier application to stable kernels.

Cc: stable@vger.kernel.org
Cc: Andy Lutomirski <luto@amacapital.net>
Reviewed-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Fixes: f6577a5fa15d82217ca73c74cd2dcbc0f6c781dd
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
8 years agos390/mm: four page table levels vs. fork
Martin Schwidefsky [Mon, 15 Feb 2016 13:46:49 +0000 (14:46 +0100)]
s390/mm: four page table levels vs. fork

The fork of a process with four page table levels is broken since
git commit 6252d702c5311ce9 "[S390] dynamic page tables."

All new mm contexts are created with three page table levels and
an asce limit of 4TB. If the parent has four levels dup_mmap will
add vmas to the new context which are outside of the asce limit.
The subsequent call to copy_page_range will walk the three level
page table structure of the new process with non-zero pgd and pud
indexes. This leads to memory clobbers as the pgd_index *and* the
pud_index is added to the mm->pgd pointer without a pgd_deref
in between.

The init_new_context() function is selecting the number of page
table levels for a new context. The function is used by mm_init()
which in turn is called by dup_mm() and mm_alloc(). These two are
used by fork() and exec(). The init_new_context() function can
distinguish the two cases by looking at mm->context.asce_limit,
for fork() the mm struct has been copied and the number of page
table levels may not change. For exec() the mm_alloc() function
set the new mm structure to zero, in this case a three-level page
table is created as the temporary stack space is located at
STACK_TOP_MAX = 4TB.

This fixes CVE-2016-2143.

Reported-by: Marcin Koƛcielnicki <koriakin@0x04.net>
Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
8 years agoMerge tag 'spi-fix-v4.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Linus Torvalds [Thu, 10 Mar 2016 04:24:23 +0000 (20:24 -0800)]
Merge tag 'spi-fix-v4.5-rc7' of git://git./linux/kernel/git/broonie/spi

Pull spi fixes from Mark Brown:
 "A few driver specific fixes for the Rockchip and i.MX SPI controllers,
  especially for the i.MX they're annoying bugs if you run into them"

* tag 'spi-fix-v4.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
  spi: imx: fix spi resource leak with dma transfer
  spi: imx: allow only WML aligned transfers to use DMA
  spi: rockchip: add missing spi_master_put
  spi: rockchip: disable runtime pm when in err case

8 years agoMerge remote-tracking branch 'spi/fix/rockchip' into spi-linus
Mark Brown [Thu, 10 Mar 2016 03:42:24 +0000 (10:42 +0700)]
Merge remote-tracking branch 'spi/fix/rockchip' into spi-linus

8 years agoMerge remote-tracking branch 'spi/fix/imx' into spi-linus
Mark Brown [Thu, 10 Mar 2016 03:42:22 +0000 (10:42 +0700)]
Merge remote-tracking branch 'spi/fix/imx' into spi-linus

8 years agoMerge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Thu, 10 Mar 2016 03:33:05 +0000 (19:33 -0800)]
Merge tag 'ext4_for_linus_stable' of git://git./linux/kernel/git/tytso/ext4

Pull ext4 fix from Ted Ts'o:
 "This fixes a regression which crept in v4.5-rc5"

* tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
  ext4: iterate over buffer heads correctly in move_extent_per_page()

8 years agoMerge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Linus Torvalds [Thu, 10 Mar 2016 03:12:37 +0000 (19:12 -0800)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux

Pull drm fixes from Dave Airlie:
 "A few imx fixes I missed from a couple of weeks ago, they still aren't
  that big and fix some regression and a fail to boot problem.

  Other than that, a couple of regression fixes for radeon/amdgpu, one
  regression fix for vmwgfx and one regression fix for tda998x"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  Revert "drm/radeon/pm: adjust display configuration after powerstate"
  drm/amdgpu/dp: add back special handling for NUTMEG
  drm/radeon/dp: add back special handling for NUTMEG
  drm/i2c: tda998x: Choose between atomic or non atomic dpms helper
  drm/vmwgfx: Add back ->detect() and ->fill_modes()
  drm/radeon: Fix error handling in radeon_flip_work_func.
  drm/amdgpu: Fix error handling in amdgpu_flip_work_func.
  drm/imx: Add missing DRM_FORMAT_RGB565 to ipu_plane_formats
  drm/imx: notify DRM core about CRTC vblank state
  gpu: ipu-v3: Reset IPU before activating IRQ
  gpu: ipu-v3: Do not bail out on missing optional port nodes

8 years agoMerge tag 'trace-fixes-v4.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Thu, 10 Mar 2016 03:01:58 +0000 (19:01 -0800)]
Merge tag 'trace-fixes-v4.5-rc7' of git://git./linux/kernel/git/rostedt/linux-trace

Pull tracing fix from Steven Rostedt:
 "I previously sent a fix that prevents all trace events from being
  called if the current cpu is offline.

  But I forgot that in 3.18, we added lockdep checks to test RCU usage
  even when the event is disabled.  Although there cannot be any bug
  when a cpu is going offline, we now get false warnings triggered by
  the added checks of the event being disabled.

  I removed the check from the tracepoint code itself, and added it to
  the condition section (which is "1" for 'no condition').  This way the
  online cpu check will get checked in all the right locations"

* tag 'trace-fixes-v4.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
  tracing: Fix check for cpu online when event is disabled

8 years agoext4: iterate over buffer heads correctly in move_extent_per_page()
Eryu Guan [Sun, 21 Feb 2016 23:38:44 +0000 (18:38 -0500)]
ext4: iterate over buffer heads correctly in move_extent_per_page()

In commit bcff24887d00 ("ext4: don't read blocks from disk after extents
being swapped") bh is not updated correctly in the for loop and wrong
data has been written to disk. generic/324 catches this on sub-page
block size ext4.

Fixes: bcff24887d00 ("ext4: don't read blocks from disk after extentsbeing swapped")
Signed-off-by: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
8 years agoMerge branch 'akpm' (patches from Andrew)
Linus Torvalds [Thu, 10 Mar 2016 02:27:52 +0000 (18:27 -0800)]
Merge branch 'akpm' (patches from Andrew)

Merge fixes from Andrew Morton:
 "13 fixes"

* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
  dma-mapping: avoid oops when parameter cpu_addr is null
  mm/hugetlb: use EOPNOTSUPP in hugetlb sysctl handlers
  memremap: check pfn validity before passing to pfn_to_page()
  mm, thp: fix migration of PTE-mapped transparent huge pages
  dax: check return value of dax_radix_entry()
  ocfs2: fix return value from ocfs2_page_mkwrite()
  arm64: kasan: clear stale stack poison
  sched/kasan: remove stale KASAN poison after hotplug
  kasan: add functions to clear stack poison
  mm: fix mixed zone detection in devm_memremap_pages
  list: kill list_force_poison()
  mm: __delete_from_page_cache show Bad page if mapped
  mm/hugetlb: hugetlb_no_page: rate-limit warning message

8 years agodma-mapping: avoid oops when parameter cpu_addr is null
Zhen Lei [Wed, 9 Mar 2016 22:08:38 +0000 (14:08 -0800)]
dma-mapping: avoid oops when parameter cpu_addr is null

To keep consistent with kfree, which tolerate ptr is NULL.  We do this
because sometimes we may use goto statement, so that success and failure
case can share parts of the code.  But unfortunately, dma_free_coherent
called with parameter cpu_addr is null will cause oops, such as showed
below:

  Unable to handle kernel paging request at virtual address ffffffc020d3b2b8
  pgd = ffffffc083a61000
  [ffffffc020d3b2b8] *pgd=0000000000000000, *pud=0000000000000000
  CPU: 4 PID: 1489 Comm: malloc_dma_1 Tainted: G           O    4.1.12 #1
  Hardware name: ARM64 (DT)
  PC is at __dma_free_coherent.isra.10+0x74/0xc8
  LR is at __dma_free+0x9c/0xb0
  Process malloc_dma_1 (pid: 1489, stack limit = 0xffffffc0837fc020)
  [...]
  Call trace:
    __dma_free_coherent.isra.10+0x74/0xc8
    __dma_free+0x9c/0xb0
    malloc_dma+0x104/0x158 [dma_alloc_coherent_mtmalloc]
    kthread+0xec/0xfc

Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8 years agomm/hugetlb: use EOPNOTSUPP in hugetlb sysctl handlers
Jan Stancek [Wed, 9 Mar 2016 22:08:35 +0000 (14:08 -0800)]
mm/hugetlb: use EOPNOTSUPP in hugetlb sysctl handlers

Replace ENOTSUPP with EOPNOTSUPP.  If hugepages are not supported, this
value is propagated to userspace.  EOPNOTSUPP is part of uapi and is
widely supported by libc libraries.

It gives nicer message to user, rather than:

  # cat /proc/sys/vm/nr_hugepages
  cat: /proc/sys/vm/nr_hugepages: Unknown error 524

And also LTP's proc01 test was failing because this ret code (524)
was unexpected:

  proc01      1  TFAIL  :  proc01.c:396: read failed: /proc/sys/vm/nr_hugepages: errno=???(524): Unknown error 524
  proc01      2  TFAIL  :  proc01.c:396: read failed: /proc/sys/vm/nr_hugepages_mempolicy: errno=???(524): Unknown error 524
  proc01      3  TFAIL  :  proc01.c:396: read failed: /proc/sys/vm/nr_overcommit_hugepages: errno=???(524): Unknown error 524

Signed-off-by: Jan Stancek <jstancek@redhat.com>
Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: David Rientjes <rientjes@google.com>
Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8 years agomemremap: check pfn validity before passing to pfn_to_page()
Ard Biesheuvel [Wed, 9 Mar 2016 22:08:32 +0000 (14:08 -0800)]
memremap: check pfn validity before passing to pfn_to_page()

In memremap's helper function try_ram_remap(), we dereference a struct
page pointer that was derived from a PFN that is known to be covered by
a 'System RAM' iomem region, and is thus assumed to be a 'valid' PFN,
i.e., a PFN that has a struct page associated with it and is covered by
the kernel direct mapping.

However, the assumption that there is a 1:1 relation between the System
RAM iomem region and the kernel direct mapping is not universally valid
on all architectures, and on ARM and arm64, 'System RAM' may include
regions for which pfn_valid() returns false.

Generally speaking, both __va() and pfn_to_page() should only ever be
called on PFNs/physical addresses for which pfn_valid() returns true, so
add that check to try_ram_remap().

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8 years agomm, thp: fix migration of PTE-mapped transparent huge pages
Kirill A. Shutemov [Wed, 9 Mar 2016 22:08:30 +0000 (14:08 -0800)]
mm, thp: fix migration of PTE-mapped transparent huge pages

We don't have native support of THP migration, so we have to split huge
page into small pages in order to migrate it to different node.  This
includes PTE-mapped huge pages.

I made mistake in refcounting patchset: we don't actually split
PTE-mapped huge page in queue_pages_pte_range(), if we step on head
page.

The result is that the head page is queued for migration, but none of
tail pages: putting head page on queue takes pin on the page and any
subsequent attempts of split_huge_pages() would fail and we skip queuing
tail pages.

unmap_and_move_huge_page() will eventually split the huge pages, but
only one of 512 pages would get migrated.

Let's fix the situation.

Fixes: 248db92da13f2507 ("migrate_pages: try to split pages on queuing")
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8 years agodax: check return value of dax_radix_entry()
Ross Zwisler [Wed, 9 Mar 2016 22:08:27 +0000 (14:08 -0800)]
dax: check return value of dax_radix_entry()

dax_pfn_mkwrite() previously wasn't checking the return value of the
call to dax_radix_entry(), which was a mistake.

Instead, capture this return value and return the appropriate VM_FAULT_
value.

Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Matthew Wilcox <willy@linux.intel.com>
Cc: Dave Chinner <david@fromorbit.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8 years agoocfs2: fix return value from ocfs2_page_mkwrite()
Jan Kara [Wed, 9 Mar 2016 22:08:24 +0000 (14:08 -0800)]
ocfs2: fix return value from ocfs2_page_mkwrite()

ocfs2_page_mkwrite() could mistakenly return error code instead of
mkwrite status value.  Fix it.

Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <joseph.qi@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8 years agoarm64: kasan: clear stale stack poison
Mark Rutland [Wed, 9 Mar 2016 22:08:21 +0000 (14:08 -0800)]
arm64: kasan: clear stale stack poison

Functions which the compiler has instrumented for KASAN place poison on
the stack shadow upon entry and remove this poison prior to returning.

In the case of cpuidle, CPUs exit the kernel a number of levels deep in
C code.  Any instrumented functions on this critical path will leave
portions of the stack shadow poisoned.

If CPUs lose context and return to the kernel via a cold path, we
restore a prior context saved in __cpu_suspend_enter are forgotten, and
we never remove the poison they placed in the stack shadow area by
functions calls between this and the actual exit of the kernel.

Thus, (depending on stackframe layout) subsequent calls to instrumented
functions may hit this stale poison, resulting in (spurious) KASAN
splats to the console.

To avoid this, clear any stale poison from the idle thread for a CPU
prior to bringing a CPU online.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8 years agosched/kasan: remove stale KASAN poison after hotplug
Mark Rutland [Wed, 9 Mar 2016 22:08:18 +0000 (14:08 -0800)]
sched/kasan: remove stale KASAN poison after hotplug

Functions which the compiler has instrumented for KASAN place poison on
the stack shadow upon entry and remove this poision prior to returning.

In the case of CPU hotplug, CPUs exit the kernel a number of levels deep
in C code.  Any instrumented functions on this critical path will leave
portions of the stack shadow poisoned.

When a CPU is subsequently brought back into the kernel via a different
path, depending on stackframe, layout calls to instrumented functions
may hit this stale poison, resulting in (spurious) KASAN splats to the
console.

To avoid this, clear any stale poison from the idle thread for a CPU
prior to bringing a CPU online.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Cc: Alexander Potapenko <glider@google.com>
Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8 years agokasan: add functions to clear stack poison
Mark Rutland [Wed, 9 Mar 2016 22:08:15 +0000 (14:08 -0800)]
kasan: add functions to clear stack poison

Functions which the compiler has instrumented for ASAN place poison on
the stack shadow upon entry and remove this poison prior to returning.

In some cases (e.g. hotplug and idle), CPUs may exit the kernel a
number of levels deep in C code.  If there are any instrumented
functions on this critical path, these will leave portions of the idle
thread stack shadow poisoned.

If a CPU returns to the kernel via a different path (e.g. a cold
entry), then depending on stack frame layout subsequent calls to
instrumented functions may use regions of the stack with stale poison,
resulting in (spurious) KASAN splats to the console.

Contemporary GCCs always add stack shadow poisoning when ASAN is
enabled, even when asked to not instrument a function [1], so we can't
simply annotate functions on the critical path to avoid poisoning.

Instead, this series explicitly removes any stale poison before it can
be hit.  In the common hotplug case we clear the entire stack shadow in
common code, before a CPU is brought online.

On architectures which perform a cold return as part of cpu idle may
retain an architecture-specific amount of stack contents.  To retain the
poison for this retained context, the arch code must call the core KASAN
code, passing a "watermark" stack pointer value beyond which shadow will
be cleared.  Architectures which don't perform a cold return as part of
idle do not need any additional code.

This patch (of 3):

Functions which the compiler has instrumented for KASAN place poison on
the stack shadow upon entry and remove this poision prior to returning.

In some cases (e.g.  hotplug and idle), CPUs may exit the kernel a number
of levels deep in C code.  If there are any instrumented functions on this
critical path, these will leave portions of the stack shadow poisoned.

If a CPU returns to the kernel via a different path (e.g.  a cold entry),
then depending on stack frame layout subsequent calls to instrumented
functions may use regions of the stack with stale poison, resulting in
(spurious) KASAN splats to the console.

To avoid this, we must clear stale poison from the stack prior to
instrumented functions being called.  This patch adds functions to the
KASAN core for removing poison from (portions of) a task's stack.  These
will be used by subsequent patches to avoid problems with hotplug and
idle.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8 years agomm: fix mixed zone detection in devm_memremap_pages
Dan Williams [Wed, 9 Mar 2016 22:08:13 +0000 (14:08 -0800)]
mm: fix mixed zone detection in devm_memremap_pages

The check for whether we overlap "System RAM" needs to be done at
section granularity.  For example a system with the following mapping:

    100000000-37bffffff : System RAM
    37c000000-837ffffff : Persistent Memory

...is unable to use devm_memremap_pages() as it would result in two
zones colliding within a given section.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8 years agolist: kill list_force_poison()
Dan Williams [Wed, 9 Mar 2016 22:08:10 +0000 (14:08 -0800)]
list: kill list_force_poison()

Given we have uninitialized list_heads being passed to list_add() it
will always be the case that those uninitialized values randomly trigger
the poison value.  Especially since a list_add() operation will seed the
stack with the poison value for later stack allocations to trip over.

For example, see these two false positive reports:

  list_add attempted on force-poisoned entry
  WARNING: at lib/list_debug.c:34
  [..]
  NIP [c00000000043c390] __list_add+0xb0/0x150
  LR [c00000000043c38c] __list_add+0xac/0x150
  Call Trace:
    __list_add+0xac/0x150 (unreliable)
    __down+0x4c/0xf8
    down+0x68/0x70
    xfs_buf_lock+0x4c/0x150 [xfs]

  list_add attempted on force-poisoned entry(0000000000000500),
   new->next == d0000000059ecdb0, new->prev == 0000000000000500
  WARNING: at lib/list_debug.c:33
  [..]
  NIP [c00000000042db78] __list_add+0xa8/0x140
  LR [c00000000042db74] __list_add+0xa4/0x140
  Call Trace:
    __list_add+0xa4/0x140 (unreliable)
    rwsem_down_read_failed+0x6c/0x1a0
    down_read+0x58/0x60
    xfs_log_commit_cil+0x7c/0x600 [xfs]

Fixes: commit 5c2c2587b132 ("mm, dax, pmem: introduce {get|put}_dev_pagemap() for dax-gup")
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Reported-by: Eryu Guan <eguan@redhat.com>
Tested-by: Eryu Guan <eguan@redhat.com>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>