When using the Promise TX2+ SATA controller on PA-RISC, the system often
crashes with kernel panic, for example just writing data with the dd
utility will make it crash.
Kernel panic - not syncing: drivers/parisc/sba_iommu.c: I/O MMU @ 000000000000a000 is out of mapping resources
CPU: 0 PID: 18442 Comm: mkspadfs Not tainted 4.4.0-rc2 #2
Backtrace:
[<000000004021497c>] show_stack+0x14/0x20
[<0000000040410bf0>] dump_stack+0x88/0x100
[<000000004023978c>] panic+0x124/0x360
[<0000000040452c18>] sba_alloc_range+0x698/0x6a0
[<0000000040453150>] sba_map_sg+0x260/0x5b8
[<000000000c18dbb4>] ata_qc_issue+0x264/0x4a8 [libata]
[<000000000c19535c>] ata_scsi_translate+0xe4/0x220 [libata]
[<000000000c19a93c>] ata_scsi_queuecmd+0xbc/0x320 [libata]
[<0000000040499bbc>] scsi_dispatch_cmd+0xfc/0x130
[<000000004049da34>] scsi_request_fn+0x6e4/0x970
[<00000000403e95a8>] __blk_run_queue+0x40/0x60
[<00000000403e9d8c>] blk_run_queue+0x3c/0x68
[<000000004049a534>] scsi_run_queue+0x2a4/0x360
[<000000004049be68>] scsi_end_request+0x1a8/0x238
[<000000004049de84>] scsi_io_completion+0xfc/0x688
[<0000000040493c74>] scsi_finish_command+0x17c/0x1d0
The cause of the crash is not exhaustion of the IOMMU space, there is
plenty of free pages. The function sba_alloc_range is called with size
0x11000, thus the pages_needed variable is 0x11. The function
sba_search_bitmap is called with bits_wanted 0x11 and boundary size is
0x10 (because dma_get_seg_boundary(dev) returns 0xffff).
The function sba_search_bitmap attempts to allocate 17 pages that must not
cross 16-page boundary - it can't satisfy this requirement
(iommu_is_span_boundary always returns true) and fails even if there are
many free entries in the IOMMU space.
How did it happen that we try to allocate 17 pages that don't cross
16-page boundary? The cause is in the function iommu_coalesce_chunks. This
function tries to coalesce adjacent entries in the scatterlist. The
function does several checks if it may coalesce one entry with the next,
one of those checks is this:
if (startsg->length + dma_len > max_seg_size)
break;
When it finishes coalescing adjacent entries, it allocates the mapping:
sg_dma_len(contig_sg) = dma_len;
dma_len = ALIGN(dma_len + dma_offset, IOVP_SIZE);
sg_dma_address(contig_sg) =
PIDE_FLAG
| (iommu_alloc_range(ioc, dev, dma_len) << IOVP_SHIFT)
| dma_offset;
It is possible that (startsg->length + dma_len > max_seg_size) is false
(we are just near the 0x10000 max_seg_size boundary), so the funcion
decides to coalesce this entry with the next entry. When the coalescing
succeeds, the function performs
dma_len = ALIGN(dma_len + dma_offset, IOVP_SIZE);
And now, because of non-zero dma_offset, dma_len is greater than 0x10000.
iommu_alloc_range (a pointer to sba_alloc_range) is called and it attempts
to allocate 17 pages for a device that must not cross 16-page boundary.
To fix the bug, we must make sure that dma_len after addition of
dma_offset and alignment doesn't cross the segment boundary. I.e. change
if (startsg->length + dma_len > max_seg_size)
break;
to
if (ALIGN(dma_len + dma_offset + startsg->length, IOVP_SIZE) > max_seg_size)
break;
This patch makes this change (it precalculates max_seg_boundary at the
beginning of the function iommu_coalesce_chunks). I also added a check
that the mapping length doesn't exceed dma_get_seg_boundary(dev) (it is
not needed for Promise TX2+ SATA, but it may be needed for other devices
that have dma_get_seg_boundary lower than dma_get_max_seg_size).
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
- Two DM btree bufio buffer leak fixes that resolve reported BUG_ONs
during DM thinp metadata close's dm_bufio_client_destroy().
- A DM thinp range discard fix to handle discarding a partially mapped
range.
- A DM thinp metadata snapshot fix to make sure the btree roots saved in
the metadata snapshot are the most current.
- A DM space map metadata refcounting fix that improves both DM thinp
and DM cache metadata.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEbBAABAgAGBQJWaufCAAoJEMUj8QotnQNa4EQH93vh356VNEug+6iDpsIgRvpI
loKaQMJOqkSfByoHuY1fRhsKKgaBsf3Nzb+u1wv/jEI2+MgNWkAWRHa0FAFBevLE
Hk7cB5KV44NCsiB1QwOdr6OpSuZPQ2XZrrMfieLC5kxwNeP/9GslY5x+EHUHqfTj
lTJljCBjBCG0J+8HK4BTNzqi2t5pH/Aurzzz3+uWyplC/uGa0eNobaMxM83P8Izx
fx17rf72qAA9KcjKgyuAnwxom2mZGt5b8Jd8Btz0oK0hs3pOloJzsF9jOrSSBydF
edvitDdLWyo3lXys04C51bMZFzzNSpiK2T6WTWfgz92cHUyM993UMqqQaKUnDA==
=EC7n
-----END PGP SIGNATURE-----
Merge tag 'dm-4.4-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
Pull device mapper fixes from Mike Snitzer:
"Five stable fixes:
- Two DM btree bufio buffer leak fixes that resolve reported BUG_ONs
during DM thinp metadata close's dm_bufio_client_destroy().
- A DM thinp range discard fix to handle discarding a partially
mapped range.
- A DM thinp metadata snapshot fix to make sure the btree roots saved
in the metadata snapshot are the most current.
- A DM space map metadata refcounting fix that improves both DM thinp
and DM cache metadata"
* tag 'dm-4.4-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
dm btree: fix bufio buffer leaks in dm_btree_del() error path
dm space map metadata: fix ref counting bug when bootstrapping a new space map
dm thin metadata: fix bug when taking a metadata snapshot
dm thin metadata: fix bug in dm_thin_remove_range()
dm btree: fix leak of bufio-backed block in btree_split_sibling error path
Pull drm fixes from Dave Airlie:
"Not too much this time.
- One nouveau workaround extended to a few more GPUs
- Some amdgpu big endian fixes, and a regression fixer
- Some vmwgfx fixes
- One ttm locking fix
- One vgaarb fix"
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
vgaarb: fix signal handling in vga_get()
radeon: Fix VCE IB test on Big-Endian systems
radeon: Fix VCE ring test for Big-Endian systems
radeon/cik: Fix GFX IB test on Big-Endian
drm/amdgpu: fix the lost duplicates checking
drm/nouveau/pmu: remove whitelist for PGOB-exit WAR, enable by default
drm/vmwgfx: Implement the cursor_set2 callback v2
drm/vmwgfx: fix a warning message
drm/ttm: Fixed a read/write lock imbalance
There are few defects in vga_get() related to signal hadning:
- we shouldn't check for pending signals for TASK_UNINTERRUPTIBLE
case;
- if we found pending signal we must remove ourself from wait queue
and change task state back to running;
- -ERESTARTSYS is more appropriate, I guess.
Signed-off-by: Kirill A. Shutemov <kirill@shutemov.name>
Cc: stable@vger.kernel.org
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
some big endian fixes and one regression fix.
* 'drm-fixes-4.4' of git://people.freedesktop.org/~agd5f/linux:
radeon: Fix VCE IB test on Big-Endian systems
radeon: Fix VCE ring test for Big-Endian systems
radeon/cik: Fix GFX IB test on Big-Endian
drm/amdgpu: fix the lost duplicates checking
Most are minor to important fixes. There is one performance enhancement
that I took on the grounds that failing to check if other processes can
run before running what's intended to be a background, idle-time task
is a bug, even though the primary effect of the fix is to improve
performance (and it was a very simple patch).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJWZ1KiAAoJELgmozMOVy/d9wYQALgNhjeRqhwyXlbF66NjIxd/
IpEfv13JzjehemVnOnH52K0cv6aTPQFIEGvOyf1czeAHK/iZdwbtPlVIr57fQuoP
67F9ayE72NoB74qQvWJmSny7LUrvVHxU8MfhTumkXShF4MaouseRC03LV5QqDyoL
9DAZxiT24WfX0gpG7IqN6HTG1dYwt/cDPvc9rjbdcnpEXNy3Upnl9SwV8S8LIqV+
RYgHdL03pCew5FxrgoLiRFM+duGqnF2AynVM4wjy0Abe47VRcDz3aIE44v+L+tLJ
WG6011faEhRCdiSLq/AUlGbocRgqnnBbkabpj+7twwBx6+7BF5S7/FWv8sq74ADM
vfRB7EMnbtS5GOpDMmjenVUOg5muDTzbuq/0JFYg+zsySWcYqFxELR+Euramf3M8
Z/gvzjlVbzkgWY35itxnWkKqtVxOyWz2qHOdkoVC/qXJzthbfjpeuw9E3tUAsyui
ADLqZGMFux5/gnk05og0rYIkZCCeXTvwlbMOjVX5+aQQpE0I6Ryw3gDm+Jn/3reA
0H+KR7zWMP24XDy2LCvF+VvjwuDQdgCMGQTREFLxniJvlKYccBe5Yu2rzv85WYmX
hMAH3llz8fTt4oNmvsi+udYD2yNjhQZSuG2A5KuVVXDMItI7hsNx1p0aSLcbAZUW
+cYgv8uMYap5nSTq1oqq
=9HqU
-----END PGP SIGNATURE-----
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma
Pull rdma fixes from Doug Ledford:
"Most are minor to important fixes.
There is one performance enhancement that I took on the grounds that
failing to check if other processes can run before running what's
intended to be a background, idle-time task is a bug, even though the
primary effect of the fix is to improve performance (and it was a very
simple patch)"
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
IB/mlx5: Postpone remove_keys under knowledge of coming preemption
IB/mlx4: Use vmalloc for WR buffers when needed
IB/mlx4: Use correct order of variables in log message
iser-target: Remove explicit mlx4 work-around
mlx4: Expose correct max_sge_rd limit
IB/mad: Require CM send method for everything except ClassPortInfo
IB/cma: Add a missing rcu_read_unlock()
IB core: Fix ib_sg_to_pages()
IB/srp: Fix srp_map_sg_fr()
IB/srp: Fix indirect data buffer rkey endianness
IB/srp: Initialize dma_length in srp_map_idb
IB/srp: Fix possible send queue overflow
IB/srp: Fix a memory leak
IB/sa: Put netlink request into the request list before sending
IB/iser: use sector_div instead of do_div
IB/core: use RCU for uverbs id lookup
IB/qib: Minor fixes to qib per SFF 8636
IB/core: Fix user mode post wr corruption
IB/qib: Fix qib_mr structure
Again less intensive changes in this rc: you can find only a few
HD-audio fixes (noise fixes for Intel Broxton chip and a few Thinkpad
models, quirks for Alienware 17 and Packard Bell DOTS) in addition
to a long-standing rme96 bug fix.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJWaVzzAAoJEGwxgFQ9KSmkLEkP/3/Ti7++NAjUMdc/rp4EcOSu
5k2cun58FPRaLgYZcS6cBRyhysSQHwFvFmk59di7xv7z8JDFTSMT1IREI+Obz8l9
5N6poiU34hLLL5UChtAjvBjliRKH4thV5YXHUIBwJg76q/vg5DaGUZ0nh6R0oj+7
K4EcGeS49oRiaYlDpoLQw+BfCVcVN9eCR6fFdWL8biFHPptRdnEV+pdzuUVnxsrV
v2noR6ilH+obUiFuMzQNYAW9fi4t/bTfs5oaJE98o02r0waRBt9JsJ35vJMECwGy
KOCryvZOAezt9DwVbI6JdkAswUkNl/9F4RYcUXY49kudHOLxkuGUUOHiOKdq/1oY
Gf0aqAJYsxr7OEPNejL5l82mWTbUjihxpAuo5z0dIcgYu7Q+uLXNQQNiwr6d4TFf
1V1tV2SRmFvhc95rQdHiwY2nMOaoK1rwTnGpaxwvZb+17JBAIT3NjPvaEZndXQMx
CEfgRJndSyrryZfWZeyEs7D7S1h2BBqtfwPFuTEq+0qZWT5B/5JkqQoe0cLtBaUA
JDJAdy5oNX1Q6jdOsl6grm/nRa0rQ1nRqUC6t4RKUlTRsIhP1VNkaW5ZxXm75PMv
kGaDuMvvkwwm5XuqIx3u2EIK/fnFbLEG7s1kh7DtPm2Hx4xZe+EHRObHOvuCWiAz
/Wh+peNCyv0Tvef6lxuX
=J1LA
-----END PGP SIGNATURE-----
Merge tag 'sound-4.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"Again less intensive changes in this rc: you can find only a few
HD-audio fixes (noise fixes for Intel Broxton chip and a few Thinkpad
models, quirks for Alienware 17 and Packard Bell DOTS) in addition to
a long-standing rme96 bug fix"
* tag 'sound-4.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: hda/ca0132 - quirk for Alienware 17 2015
ALSA: hda - Fix noise problems on Thinkpad T440s
ALSA: hda - Fixing speaker noise on the two latest thinkpad models
ALSA: hda - Add inverted dmic for Packard Bell DOTS
ALSA: hda - Fix playback noise with 24/32 bit sample size on BXT
ALSA: rme96: Fix unexpected volume reset after rate changes
If dm_btree_del()'s call to push_frame() fails, e.g. due to
btree_node_validator finding invalid metadata, the dm_btree_del() error
path must unlock all frames (which have active dm-bufio buffers) that
were pushed onto the del_stack.
Otherwise, dm_bufio_client_destroy() will BUG_ON() because dm-bufio
buffers have leaked, e.g.:
device-mapper: bufio: leaked buffer 3, hold count 1, list 0
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Cc: stable@vger.kernel.org
- Various fixes for removing redundancy, const'ifying structs,
avoiding stack usage, fixing WARN usage (Krzysztof Kozlowski,
Julia Lawall, Kees Cook, Dan Carpenter)
- Revert No-IOMMU mode as the intended user has not emerged
(Alex Williamson)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJWaLTPAAoJECObm247sIsi+bcQAJ8YacU2jLM92/m9Ciw5P76A
fGFrP6Pb9VmCJ2nnyglOI7Puw3EXl/BN6tHnvRUbqIOHR4HmsBxvNmknj984glfH
FgoE64R1QLmk2AcQOCkgr/eCxWilQ8udh4ztTVQjbynA2jiOxmD97CX87DkFqzeW
BNGs2TOpnStvLWBJgTITLpmUPApTIyBUAjsMtAKxUc0r+E/9KgnOyXXuq9tNCCrQ
tDyJng11a9xrYmRDlarpySuJ9A/fUyAcQ1p5+JdTugT8r1rCcbZxk+ofajG5gqI1
gtlPmmBYi255OOrPjHMVcCbKHgEet6cUNsgC4L+tHBUv0/ZzFZeXCliWM+MLx5iS
nJ6+fOMxd9lWDCAjgGUHrTObIYxhNq7XykjeT3C9A/4N5MuK7mVqnpR+CTun1y73
JKByNMEB5KDeVQKdPqTlX9nwG7ki7n+0YR7hEYyq+eAk9s4QUEjGoOb5bavTxCnM
gn4KFZNDXTn5EIhZZVNG916nYm+gvDasDSzOuuNrhDpGuWWgDH9ZIE0bHcYWaXXE
lECw5WPmH8zQSuVJLq3wkAG596kNHkBGw4Pg6zRXA/llUFqqGVb6BYY+Tz9Mu+NP
OfqrKVnK2EExblsUYBKJkBYFIikqAC+D0UVpBsGiCneNFaqDPvCANcfQaObTdzBz
Y3nt0+FpY+bCqEDge0u+
=im4y
-----END PGP SIGNATURE-----
Merge tag 'vfio-v4.4-rc5' of git://github.com/awilliam/linux-vfio
Pull VFIO fixes from Alex Williamson:
- Various fixes for removing redundancy, const'ifying structs, avoiding
stack usage, fixing WARN usage (Krzysztof Kozlowski, Julia Lawall,
Kees Cook, Dan Carpenter)
- Revert No-IOMMU mode as the intended user has not emerged (Alex
Williamson)
* tag 'vfio-v4.4-rc5' of git://github.com/awilliam/linux-vfio:
Revert: "vfio: Include No-IOMMU mode"
vfio: fix a warning message
vfio: platform: remove needless stack usage
vfio-pci: constify pci_error_handlers structures
vfio: Drop owner assignment from platform_driver
- Fix incorrect warning about overlapping memory regions
- Export of_irq_find_parent again which was made static in 4.4, but has
users pending for 4.5.
- Fix of_msi_map_rid declaration location
- Fix re-entrancy for of_fdt_unflatten_tree
- Clean-up of phys_addr_t printks
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJWaEnyAAoJEPr7XbWNvGHDH90P/1JSGowb+SbRcnnsrdC3mm4A
EhuohOWeF9LYOMLfPm01dDL/165mso61HWs1T7qdZInAWEcwTHGrBz6GVUjzqA5D
jYL1ONAEC8VaScRQ51JYg9s9be/pDyGqmdDHjTIqB4yFf+JVGkJFWwNi6RLWjAQz
J0PmNN32GMcRK9MPC02XjcYeEyVWuTFWkX4h1WpG+YnMfZ3M2b4ITOKDZDPx7iKb
benPM3i2jPeZnkHsMT8sCJ5QpwoTtWyuh3G3l8zfoK1dH4S9e4Egwq0o2+DWXBXU
bTTn+nrGtiw73h6naWA/gbllo+fuzDj+PqyH8bfNHPW33PBgUIJRNs8ZoBwyFcEg
2qxIQMK65JXxwXTWOPKwIPajh/2qSj5OgrtRSQp05IAjd4xve4CQHEWMh8R2CO2x
hcmXwJuALsbU021bWGbsJ23aF7TUrxUrk6cUKisarbPWBVGUOAkblYzC5B14w5+F
XyoyM2d5R8xPKlN69o/5Sd0/1+gpazYscXUM031udFvq1P7RxKxst/Z9oScYl4fq
AocQlRERHFu1nfHGoV0Vw4yRuJnZG2xpmN8uGdOfMLErJkgmVeKSQV0RUEBtnRMT
l4jcAlumGqpuK7Nvqb30+I8FtB0ksNkg49dIpuyyj+fL5dRVHs6yY9hiTqqmk7yH
wfFq3DubsUxATlq7pqYD
=Y8J4
-----END PGP SIGNATURE-----
Merge tag 'devicetree-fixes-for-4.4-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux
Pull DT fixes from Rob Herring:
"I think this should be all for 4.4:
- Fix incorrect warning about overlapping memory regions
- Export of_irq_find_parent again which was made static in 4.4, but
has users pending for 4.5.
- Fix of_msi_map_rid declaration location
- Fix re-entrancy for of_fdt_unflatten_tree
- Clean-up of phys_addr_t printks"
* tag 'devicetree-fixes-for-4.4-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
of/irq: move of_msi_map_rid declaration to the correct ifdef section
of/irq: Export of_irq_find_parent again
of/fdt: Add mutex protection for calls to __unflatten_device_tree()
of/address: fix typo in comment block of of_translate_one()
of: do not use 0x in front of %pa
of: Fix comparison of reserved memory regions
clock type are the major changes here. There's also a couple fixes for
the TI, sunxi, and scpi clock drivers.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABCAAGBQJWaI8lAAoJENidgRMleOc9yTUP/0YexYihbhTEFnwc5sI5vPJr
Men/1Gxmn8K+oL/sSMD5rr8K9bVR9ZVi9o8sBlDPB0jODfWNLvRzsdPTpm9/Fixb
RnGAZz8EcpZ2inM7HtLAu19m2GcWCxkG2NRjE8/2mDduS6Avxa6ko4bYY5g56wRt
6EET6yD3EVkTYwf+OG/7QwlccHVNnnOee04yWy7NAgHzSqMpmB3SXGQ/wZGRBkPS
ivm3cdT91FNjboiJtuI9j8ZkX+cUpiqdK8XBA+IaWnlo8GOeEdcET6yYLha+Pvyg
/7I0rjs7CvuPFbg/dVsosnXIiBl5RV2e+WnhgDKNHe9ldCfyrC8NaO5JBj6IsSG3
+0AWGcGzQDl5hztSavy7iUEdNZvj7GHGJctJAD4+wpUceECURniPFNp0sKKHXY7U
buAWQC9d+GnVwctT9109BVSyu6ON5+c5zoh+zryIfexsudfFopiksgQeA79vIBah
hAXxo9eXBTAsybvqz/l/COo4VjZUeWXGRfmNfFEqUCZPzIUHqtjITNfsdA4I6zOz
uOPIpYmxnbdvvw5NTrpHI2SxsOf+1N3gYbN3xJZSrVmjZW8ZGs+43aTghIu0HGWh
8YSP7OQ9hXdCtaKVnoxWWk5JNpaN7DQ9Yh+HyHfCiXmHDFtBArMXzD7ilKmcP7V/
YaZftt/eFkg+xhLoMD7W
=ZGfK
-----END PGP SIGNATURE-----
Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
Pull clk fixes from Stephen Boyd:
"One small build fix, a couple do_div() fixes, and a fix for the gpio
basic clock type are the major changes here. There's also a couple
fixes for the TI, sunxi, and scpi clock drivers"
* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
clk: sunxi: pll2: Fix clock running too fast
clk: scpi: add missing of_node_put
clk: qoriq: fix memory leak
imx/clk-pllv2: fix wrong do_div() usage
imx/clk-pllv1: fix wrong do_div() usage
clk: mmp: add linux/clk.h includes
clk: ti: drop locking code from mux/divider drivers
clk: ti816x: Add missing dmtimer clkdev entries
clk: ti: fapll: fix wrong do_div() usage
clk: ti: clkt_dpll: fix wrong do_div() usage
clk: gpio: Get parent clk names in of_gpio_clk_setup()
some hardware.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEABECAAYFAlZof7kACgkQIXnXXONXERehTQCeI3y8x6wza8XwhNFUxrCtG5wc
0ioAoJS0ybm+wN5tLUjXLUlhwqK9j9jT
=lJdc
-----END PGP SIGNATURE-----
Merge tag 'for-linus-4.4-1' of git://git.code.sf.net/p/openipmi/linux-ipmi
Pull IPMI fix from Corey Minyard:
"Fix an Oops if an interrupt occurs at startup. This can happen on
some hardware"
* tag 'for-linus-4.4-1' of git://git.code.sf.net/p/openipmi/linux-ipmi:
ipmi: move timer init to before irq is setup
We encountered a panic on boot in ipmi_si on a dell per320 due to an
uninitialized timer as follows.
static int smi_start_processing(void *send_info,
ipmi_smi_t intf)
{
/* Try to claim any interrupts. */
if (new_smi->irq_setup)
new_smi->irq_setup(new_smi);
--> IRQ arrives here and irq handler tries to modify uninitialized timer
which triggers BUG_ON(!timer->function) in __mod_timer().
Call Trace:
<IRQ>
[<ffffffffa0532617>] start_new_msg+0x47/0x80 [ipmi_si]
[<ffffffffa053269e>] start_check_enables+0x4e/0x60 [ipmi_si]
[<ffffffffa0532bd8>] smi_event_handler+0x1e8/0x640 [ipmi_si]
[<ffffffff810f5584>] ? __rcu_process_callbacks+0x54/0x350
[<ffffffffa053327c>] si_irq_handler+0x3c/0x60 [ipmi_si]
[<ffffffff810efaf0>] handle_IRQ_event+0x60/0x170
[<ffffffff810f245e>] handle_edge_irq+0xde/0x180
[<ffffffff8100fc59>] handle_irq+0x49/0xa0
[<ffffffff8154643c>] do_IRQ+0x6c/0xf0
[<ffffffff8100ba53>] ret_from_intr+0x0/0x11
/* Set up the timer that drives the interface. */
setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi);
The following patch fixes the problem.
To: Openipmi-developer@lists.sourceforge.net
To: Corey Minyard <minyard@acm.org>
CC: linux-kernel@vger.kernel.org
Signed-off-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: Tony Camuso <tcamuso@redhat.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: stable@vger.kernel.org # Applies cleanly to 3.10-, needs small rework before
ROL on a 32 bit integer with a shift of 32 or more is undefined and the
result is arch-dependent. Avoid this by handling the trivial case of
roling by 0 correctly.
The trivial solution of checking if shift is 0 breaks gcc's detection
of this code as a ROL instruction, which is unacceptable.
This bug was reported and fixed in GCC
(https://gcc.gnu.org/bugzilla/show_bug.cgi?id=57157):
The standard rotate idiom,
(x << n) | (x >> (32 - n))
is recognized by gcc (for concreteness, I discuss only the case that x
is an uint32_t here).
However, this is portable C only for n in the range 0 < n < 32. For n
== 0, we get x >> 32 which gives undefined behaviour according to the
C standard (6.5.7, Bitwise shift operators). To portably support n ==
0, one has to write the rotate as something like
(x << n) | (x >> ((-n) & 31))
And this is apparently not recognized by gcc.
Note that this is broken on older GCCs and will result in slower ROL.
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
When applying block operations (BOPs) do not remove them from the
uncommitted BOP ring-buffer until after they've been applied -- in case
we recurse.
Also, perform BOP_INC operation, in dm_sm_metadata_create() and
sm_metadata_extend(), in terms of the uncommitted BOP ring-buffer rather
than using direct calls to sm_ll_inc().
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Cc: stable@vger.kernel.org
When you take a metadata snapshot the btree roots for the mapping and
details tree need to have their reference counts incremented so they
persist for the lifetime of the metadata snap.
The roots being incremented were those currently written in the
superblock, which could possibly be out of date if concurrent IO is
triggering new mappings, breaking of sharing, etc.
Fix this by performing a commit with the metadata lock held while taking
a metadata snapshot.
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Cc: stable@vger.kernel.org
Pull vfs fixes from Al Viro:
"A couple of fixes, both -stable fodder (9p one all way back to 2.6.32,
dio - to all branches where "Fix negative return from dio read beyond
eof" will end up it; it's a fixup to commit marked for -stable)"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
fix the regression from "direct-io: Fix negative return from dio read beyond eof"
9p: ->evict_inode() should kick out ->i_data, not ->i_mapping
MSI
Only use the generic MSI layer when domain is hierarchical (Marc Zyngier)
Altera host bridge driver
Fix loop in tlp_read_packet() (Dan Carpenter)
Fix Requester ID for config accesses (Ley Foon Tan)
Check TLP completion status (Ley Foon Tan)
Fix error when INTx is 4 (Ley Foon Tan)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJWaE7hAAoJEFmIoMA60/r8ttwQAI7sv6+hLB+xSv8j43Xlh/wr
M58VLpLHhsh0c5bhViIfTj3m56QPb1FqxzD1jD8NB29twPzf/j96UUUFHXZH5Amm
kVdFVzslgpfBusGJeedL0Nei4R9TCVCaQv1BKODcLGGUZx1f29mlYLmgSVz7n3V0
oihjN4R352yjsH0goTHxsSHjnwR7mdzKmK6lWFAFgujQK3+eJ8WE+qniP0Rh5IWS
voqQBE7N9vXzTqrBbEJYS1KZFUn7gBkkVPo1xFtniIHXZoT23in2Cg17eUQdMymN
6oXzzgiHkcJizuFhcxhtf7KitEbJk+6YWXxH03u5onDZQQNpJpcz17Us+vK3G4bb
hdCMzOnZ2HAZgNP8W9yGdTB9Px9d6l1Kt3py3Nb9xJemMtl2IWVnxbRk/uu2ddF+
83eX074U0lZqb8vAkR64EByKi8q+126BV5e+P7t3YgqJ1nA3luvk+bZsEiBFOePb
hCNSSR2sP6mtYnVW0T3YPnZYJkrM3N28+JrZtP75szLjBNj3vmX2ani/dEJLAlkR
UA6EoBiyJQvFyoZ2/pRb3dDYuNWoSP4yEAcZYwUFHmfs8AdF87Jl3BGH7HHW4C+8
sendp2WisODovdUa9/QKA0VX9VAStlzTIy5g+smMgZ340yp1Bl4HHxnZhN2kSR/P
RZVNePtY/5DX60andYLb
=3jiK
-----END PGP SIGNATURE-----
Merge tag 'pci-v4.4-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
Pull PCI fixes from Bjorn Helgaas:
"These are more fixes I'd like to have in v4.4. Several for the Altera
driver added for v4.4, and one for an MSI domain problem that affects
several arm64 platforms:
MSI:
- Only use the generic MSI layer when domain is hierarchical (Marc
Zyngier)
Altera host bridge driver:
- Fix loop in tlp_read_packet() (Dan Carpenter)
- Fix Requester ID for config accesses (Ley Foon Tan)
- Check TLP completion status (Ley Foon Tan)
- Fix error when INTx is 4 (Ley Foon Tan)"
* tag 'pci-v4.4-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
PCI: altera: Fix error when INTx is 4
PCI: altera: Check TLP completion status
PCI: altera: Fix Requester ID for config accesses
PCI: altera: Fix loop in tlp_read_packet()
PCI/MSI: Only use the generic MSI layer when domain is hierarchical
The Alienware 17 (2015) has the same card and pin configuration of the
Alienware 15, so the same quirks must be applied.
Signed-off-by: Gabriele Martino <g.martino@gmx.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In checking fixes for of_irq_find_parent declaration location, I found
that of_msi_map_rid is also wrong. of_msi_map_rid is not implemented for
Sparc, so it should not be in the Sparc specific section of the header.
Move it to just depend on OF_IRQ.
Cc: Frank Rowand <frowand.list@gmail.com>
Signed-off-by: Rob Herring <robh@kernel.org>
of_irq_find_parent was made static since it had no users outside of
of_irq.c. Export it again since we are going to use it again.
Signed-off-by: Carlo Caione <carlo@endlessm.com>
[robh: move of_irq_find_parent to correct ifdef section]
Signed-off-by: Rob Herring <robh@kernel.org>
Lenovo Thinkpad T440s suffers from constant background noises, and it
seems to be a generic hardware issue on this model:
https://forums.lenovo.com/t5/ThinkPad-T400-T500-and-newer-T/T440s-speaker-noise/td-p/1339883
As the noise comes from the analog loopback path, disabling the path
is the easy workaround.
Also, the machine gives significant cracking noises at PM suspend. A
workaround found by trial-and-error is to disable the shutup callback
currently used for ALC269-variant.
This patch addresses these noise issues by introducing a new fixup
chain. Although the same workaround might be applicable to other
Thinkpad models, it's applied only to T440s (17aa:220c) in this patch,
so far, just to be safe (you chicken!). As a compromise, a new model
option string "tp440" is provided now, though, so that owners of other
Thinkpad models can test it more easily.
Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=958504
Reported-and-tested-by: Tim Hardeck <thardeck@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This patch makes the VCE IB test pass on Big-Endian systems. It converts
to little-endian the contents of the VCE message.
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
This patch fixes the VCE ring test when running on Big-Endian machines.
Every write to the ring needs to be translated to little-endian.
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
This patch makes the IB test on the GFX ring pass for CI-based cards
installed in Big-Endian machines.
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Pull request of 2015-12-08
A couple of fixes for vmwgfx. A WARN() fix by Dan Carpenter,
a TTM read/write lock imbalance causing occasional hangs with Wayland and
an implementation of cursor_set2 to fix incorrectly offset Wayland cursors.
* tag 'vmwgfx-fixes-4.4-151208' of git://people.freedesktop.org/~thomash/linux:
drm/vmwgfx: Implement the cursor_set2 callback v2
drm/vmwgfx: fix a warning message
drm/ttm: Fixed a read/write lock imbalance
Just the one commit I mentioned earlier, making the PGOB workaround the
default.
* 'linux-4.4' of https://github.com/skeggsb/linux:
drm/nouveau/pmu: remove whitelist for PGOB-exit WAR, enable by default
Pull uml fixes from Richard Weinberger:
"This contains various bug fixes, most of them are fall out from the
merge window"
* 'for-linus-4.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml:
um: fix returns without va_end
um: Fix fpstate handling
arch: um: fix error when linking vmlinux.
um: Fix get_signal() usage
NVIDIA have indicated that the workaround is required on all GK10[467]
boards that have the PGOB fuse set.
I've left the commandline option in place for now, as paranoia.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
The remove_keys() logic is performed as garbage collection task. Such
task is intended to be run when no other active processes are running.
The need_resched() will return TRUE if there are user tasks to be
activated in near future.
In such case, we don't execute remove_keys() and postpone
the garbage collection work to try to run in next cycle,
in order to free CPU resources to other tasks.
The possible pseudo-code to trigger such scenario:
1. Allocate a lot of MR to fill the cache above the limit.
2. Wait a small amount of time "to calm" the system.
3. Start CPU extensive operations on multi-node cluster.
4. Expect performance degradation during MR cache shrink operation.
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Eli Cohen <eli@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
There are several hits that WR buffer allocation(kmalloc) failed.
It failed at order 3 and/or 4 contigous pages allocation. At the same time
there are actually 100MB+ free memory but well fragmented.
So try vmalloc when kmalloc failed.
Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
Acked-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
There is a mis-order in mlx4 log. Fix it.
Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
Acked-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Pull cgroup fixes from Tejun Heo:
"More change than I'd have liked at this stage. The pids controller
and the changes made to cgroup core to support it introduced and
revealed several important issues.
- Assigning membership to a newly created task and migrating it can
race leading to incorrect accounting. Oleg fixed it by widening
threadgroup synchronization. It looks like we'll be able to merge
it with a different percpu rwsem which is used in fork path making
things simpler and cheaper.
- The recent change to extend cgroup membership to zombies (so that
pid accounting can extend till the pid is actually released) missed
pinning the underlying data structures leading to use-after-free.
Fixed.
- v2 hierarchy was calling subsystem callbacks with the wrong target
cgroup_subsys_state based on the incorrect assumption that they
share the same target. pids is the first controller affected by
this. Subsys callbacks updated so that they can deal with
multi-target migrations"
* 'for-4.4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
cgroup_pids: don't account for the root cgroup
cgroup: fix handling of multi-destination migration from subtree_control enabling
cgroup_freezer: simplify propagation of CGROUP_FROZEN clearing in freezer_attach()
cgroup: pids: kill pids_fork(), simplify pids_can_fork() and pids_cancel_fork()
cgroup: pids: fix race between cgroup_post_fork() and cgroup_migrate()
cgroup: make css_set pin its css's to avoid use-afer-free
cgroup: fix cftype->file_offset handling
Pull libata fixes from Tejun Heo:
"Nothing too interesting. All are device specific additions and
workarounds"
* 'for-4.4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
ata/sata_fsl.c: add ATA_FLAG_NO_LOG_PAGE to blacklist the controller for log page reads
libata-eh.c: Introduce new ata port flag for controller which lockup on read log page
sata_sil: disable trim
AHCI: Fix softreset failed issue of Port Multiplier
sata/mvebu: use #ifdef around suspend/resume code
ahci: Order SATA device IDs for codename Lewisburg
ahci: Add Device ID for Intel Sunrise Point PCH
When using va_list ensure that va_start will be followed by va_end.
Signed-off-by: Geyslan G. Bem <geyslan@gmail.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
On gcc Ubuntu 4.8.4-2ubuntu1~14.04, linking vmlinux fails with:
arch/um/os-Linux/built-in.o: In function `os_timer_create':
/android/kernel/android/arch/um/os-Linux/time.c:51: undefined reference to `timer_create'
arch/um/os-Linux/built-in.o: In function `os_timer_set_interval':
/android/kernel/android/arch/um/os-Linux/time.c:84: undefined reference to `timer_settime'
arch/um/os-Linux/built-in.o: In function `os_timer_remain':
/android/kernel/android/arch/um/os-Linux/time.c:109: undefined reference to `timer_gettime'
arch/um/os-Linux/built-in.o: In function `os_timer_one_shot':
/android/kernel/android/arch/um/os-Linux/time.c:132: undefined reference to `timer_settime'
arch/um/os-Linux/built-in.o: In function `os_timer_disable':
/android/kernel/android/arch/um/os-Linux/time.c:145: undefined reference to `timer_settime'
This is because -lrt appears in the generated link commandline
after arch/um/os-Linux/built-in.o. Fix this by removing -lrt from
arch/um/Makefile and adding it to the UM-specific section of
scripts/link-vmlinux.sh.
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
If get_signal() returns us a signal to post
we must not call it again, otherwise the already
posted signal will be overridden.
Before commit a610d6e672 this was the case as we stopped
the while after a successful handle_signal().
Cc: <stable@vger.kernel.org> # 3.10-
Fixes: a610d6e672 ("pull clearing RESTORE_SIGMASK into block_sigmask()")
Signed-off-by: Richard Weinberger <richard@nod.at>
Pull perf fixes from Ingo Molnar:
"This tree includes four core perf fixes for misc bugs, three fixes to
x86 PMU drivers, and two updates to old email addresses"
* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
perf: Do not send exit event twice
perf/x86/intel: Fix INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_NA macro
perf/x86/intel: Make L1D_PEND_MISS.FB_FULL not constrained on Haswell
perf: Fix PERF_EVENT_IOC_PERIOD deadlock
treewide: Remove old email address
perf/x86: Fix LBR call stack save/restore
perf: Update email address in MAINTAINERS
perf/core: Robustify the perf_cgroup_from_task() RCU checks
perf/core: Fix RCU problem with cgroup context switching code
Sure, it's better to bail out of past-the-eof read and return 0 than return
a bogus negative value on such. Only we'd better make sure we are bailing out
with 0 and not -ENOMEM...
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
For block devices the pagecache is associated with the inode
on bdevfs, not with the aliasing ones on the mountable filesystems.
The latter have its own ->i_data empty and ->i_mapping pointing
to the (unique per major/minor) bdevfs inode. That guarantees
cache coherence between all block device inodes with the same
device number.
Eviction of an alias inode has no business trying to evict the
pages belonging to bdevfs one; moreover, ->i_mapping is only
safe to access when the thing is opened. At the time of
->evict_inode() the victim is definitely *not* opened. We are
about to kill the address space embedded into struct inode
(inode->i_data) and that's what we need to empty of any pages.
9p instance tries to empty inode->i_mapping instead, which is
both unsafe and bogus - if we have several device nodes with
the same device number in different places, closing one of them
should not try to empty the (shared) page cache.
Fortunately, other instances in the tree are OK; they are
evicting from &inode->i_data instead, as 9p one should.
Cc: stable@vger.kernel.org # v2.6.32+, ones prior to 2.6.36 need only half of that
Reported-by: "Suzuki K. Poulose" <Suzuki.Poulose@arm.com>
Tested-by: "Suzuki K. Poulose" <Suzuki.Poulose@arm.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
The driver now exposes sufficient limits so we can
avoid having mlx4 specific work-around.
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Reviewed-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Receipt of CM MAD with other than the Send method for an attribute
other than the ClassPortInfo attribute is invalid.
CM attributes other than ClassPortInfo only use the send method.
The SRP initiator does not maintain a timeout policy for CM connect
requests relies on the CM layer to do that. The result was that
the SRP initiator hung as the connect request never completed.
A new SRP target has been observed to respond to Send CM REQ
with GetResp of CM REQ with bad status. This is non conformant
with IBA spec but exposes a vulnerability in the current MAD/CM
code which will respond to the incoming GetResp of CM REQ as if
it was a valid incoming Send of CM REQ rather than tossing
this on the floor. It also causes the MAD layer not to
retransmit the original REQ even though it has not received a REP.
Reviewed-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Hal Rosenstock <hal@mellanox.com>
Reviewed-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
__unflatten_device_tree() calls unflatten_dt_node(), which declares
a static variable. It is therefore not reentrant.
One of the callers of __unflatten_device_tree(), unflatten_device_tree(),
is only called once during early initialization and does not need to be
protected. The other caller, of_fdt_unflatten_tree(), can be called at
any time, possibly multiple times in parallel. This can happen, for
example, if multiple devicetree overlays have to be loaded and installed.
Without this protection, errors such as the following may be seen.
kernel: End of tree marker overwritten: e6a3a458
kernel: find_target_node:
Failed to find target-indirect node at /fragment@0
kernel: __of_overlay_create: of_build_overlay_info() failed for tree@/
Add a mutex to of_fdt_unflatten_tree() to make the call reentrant.
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Cc: stable@vger.kernel.org # v4.1+
Signed-off-by: Rob Herring <robh@kernel.org>
Fixes native drm clients like Fedora 23 Wayland which now appears to
be able to use cursor hotspots without strange cursor offsets.
Also fixes a couple of ignored error paths.
Since the core drm cursor hotspot is incompatible with the legacy vmwgfx
hotspot (the core drm hotspot is reset when the drm_mode_cursor ioctl
is used), we need to keep track of both and add them when the device
hotspot is set. We assume that either is always zero.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
We have two latest thinkpad laptop models which are all based on the
Intel skylake platforms, and all of them have the codec alc293 on
them. When the machines boot to the desktop, an greeting dialogue
shows up with the notification sound. But on these two models, there
is noise with the notification sound. We have 3 SKUs for each of
the models, all of them have this problem.
So far, this problem is only specific to these two thinkpad models,
we did not find this problem on the old thinkpad models with the
codec alc293 or alc292.
A workaround for this problem is disabling the aamix.
Cc: stable@vger.kernel.org
BugLink: https://bugs.launchpad.net/bugs/1523517
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
