This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
In the meantime, the s390 situation has long been fixed, and we can now
fix it by checking the pte_dirty() bit properly (and do it better). The
s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
software dirty bits") which made it into v3.9. Earlier kernels will
have to look at the page state itself.
Also, the VM has become more scalable, and what used a purely
theoretical race back then has become easier to trigger.
To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.
- Add support to read unique ID (UID), there is no one register
field to read UID, instead UID is constructed from various bits
of information burned into the fuses during the manufactoring
process.
UID is constructed to 64 bit as below from below UID register
<CID:4><VENDOR:4><FAB:6><LOT:26><WAFER:6><X:9><Y:9>
snchen [Fri, 14 Oct 2016 09:44:57 +0000 (17:44 +0800)]
spi: tegra: fixed polling mode tranfer timeout
The change "set INTR_MASK only once" cause polling mode failed.
Interrupt mask has to be cleared in case of polling mode during setup.
Check against transfer direction is invalid during setup and will fail.
Removed direction check.
Martin Chi [Mon, 24 Oct 2016 08:57:37 +0000 (16:57 +0800)]
gpio: pca953x: fix gpio input on gpio offsets >= 8
This change fixes a regression introduced by commit f5f0b7aa8 (gpio: pca953x: make the register access by GPIO bank)
When the pca953x driver was converted to using 8-bit reads/writes
the bitmask in pca953x_gpio_get_value wasn't adjusted with a
modulus BANK_SZ and consequently looks at the wrong bits in the
input register.
Gagan Grover [Wed, 12 Oct 2016 11:35:06 +0000 (17:05 +0530)]
gpu: nvgpu: fix use-after-free in case of error notifier
A use-after-free scenario is possible where one thread in
gk20a_free_error_notifiers() is trying to free the error
notifier and another thread in gk20a_set_error_notifier()
is still using the error notifier
Fix this by introducing mutex error_notifier_mutex for
error notifier accesses
Take mutex in gk20a_free_error_notifiers() and in
gk20a_set_error_notifier() before accessing notifier
In gk20a_init_error_notifier(), set the pointer
ch->error_notifier_ref inside the mutex and only
after notifier is completely initialized
This reverts commit 4791baae56adddc8a97fa25dc27e46aa83ebf90d.
The original commit caused the device mode to stop working.
Hence reverting the commit
boot.img size decreased by 91552 bytes.
Henry Lin [Sun, 14 Aug 2016 17:17:11 +0000 (01:17 +0800)]
xhci-tegra: t210: wait for U3 entry in bus suspend
In T210, U3 entry delay is expected as LFPS dectector WAR needs to
use two mailbox commands to implement. The two mailbox commands can be
finished among 2 ms most of time. But, in worst case, they may
take up to hundreds of ms. Waiting for U3 entry in bus suspend
for some time can avoid xhci-tegra driver to stop system suspend
for long U3 entry delay frequently.
This change:
Adjust proper mclk_multiplier for setting modes
Correct line length for 10bit mode to 2200 from 2640
Change fps/et limitation to a reasonable range
Fix Corruption/hung issue for Bug 200226718 by using
regmap_write instead of regmap_util_write_table_8
for et/gain/framelength update.
Deepak Nibade [Thu, 4 Aug 2016 14:12:38 +0000 (19:42 +0530)]
gpu: nvgpu: initialize local variable
Initialize character array buf in gk20a_channel_ioctl() to zero
Keeping it uninitialized can result in leaking kernel stack
info to user space since we pass this buffer to UMD
serial: tegra: correct error handling sequence to avoid system hang
- Correct the error handling sequence to avoid FIFO errors
i.e handle break error first followed by other errors as
handling break error will clear other errors
- Handle break error by fifo flush as per IAS
- serial: tegra: keep rx irq disabled if there are spurious
errors and then tty buffer is exhausted and re-enable the
interrupts after 500msec.
Frank Chen [Tue, 2 Aug 2016 22:09:01 +0000 (15:09 -0700)]
drivers: camera: Fix power on function calls
Since sensor and forcuser has the same V4L2 group id,
when device s_power callback is called, the power_on
function of sensor and foucser will both be called,
even though only one of them needs to be powered on.
Switched to subdev s_power call to power on either
sensor or focuser, instead of both of them.
Joe Korty [Wed, 25 May 2016 12:10:46 +0000 (17:40 +0530)]
Fix error code to correct pointer type
To return an errno code inside a pointer,
the error code must first be converted to
the correct pointer type.
drivers/media/v4l2-core/v4l2-of.c:
In function 'v4l2_of_alloc_parse_endpoint':
drivers/media/v4l2-core/v4l2-of.c:227:10: warning:
return makes pointer from integer without
a cast [-Wint-conversion]
return -ENOMEM;
drivers/media/v4l2-core/v4l2-of.c:254:9: warning:
return makes pointer from integer without
a cast [-Wint-conversion]
return rval;
Joe Korty [Wed, 25 May 2016 07:04:24 +0000 (12:34 +0530)]
Use correct format specifier
Use %zd, not %d, to display size_t arguments
drivers/media/platform/tegra/imx091.c:2826:35:
warning: format '%d' expects argument of type 'int',
but argument 5 has type 'long unsigned int' [-Wformat=]
Alex Waterman [Mon, 23 May 2016 20:58:15 +0000 (13:58 -0700)]
arm64: tegra21: emc: Make sure the DLL always has a clock
Ensure the DLL always has a clock. If it does not then the DLL will
not be able to swap to a new clock source. That is to say the DLL
requires both the old and new clock source to be active when its
source is changed.
Erik Lilliebjerg [Mon, 18 Jul 2016 04:48:59 +0000 (21:48 -0700)]
iio: imu: nvi v.336 Add DMP AUX support
- Add DMP support for devices on the auxiliary ports behind the MPU/ICM. Due
to the differences between the MPU and ICM DMPs, the auxiliary port API was
extended that allowed the DMP dependencies to be removed from the auxiliary
device's external drivers.
- Updated the pressure calculations for the BMP280 driver to the latest BMP280
specification.
- Fix ICM DMP FW v.2 significant motion default parameters.
- Add realtime sensor configuration for significant motion.
- Fix ICM DMP FW v.2 maximum period by limiting accelerometer slowest clock
setting to gyros since the FW v.2 WAR requires the same speed.
Deepak Nibade [Mon, 27 Jun 2016 08:43:26 +0000 (14:13 +0530)]
video: tegra: host: fix integer overflow
Below addition on 32 bit architecture machines could
cause integer overflow since we will assign overflowed
value to "num_unpins"
s64 num_unpins = num_cmdbufs + num_relocs
Fix this and other calculations by explicitly typecasting
variables to u64 first
Deepak Nibade [Mon, 27 Jun 2016 08:33:15 +0000 (14:03 +0530)]
video: tegra: host: fix possible overflow with num_syncpt_incrs
We allocate below without checking if num_syncpt_incrs
is valid or not
struct nvhost_ctrl_sync_fence_info pts[num_syncpt_incrs];
If UMD passes a negative value in num_syncpt_incrs, then
it is possible to corrupt the stack
Hence, first check if num_syncpt_incrs is valid (i.e.
not negative)
And then allocate the array dynamically using kzalloc
instead of allocating it on stack
i2c: tegra: fix unknown interrupt issue after ARB lost
For i2c transaction with repeat start (We post 7W [header + data
for Write followed by read in FIFO]) and unmask required interrupts.
But HW starts processing if there are atleast 3W in FIFO and during
this time if ARB lost error occurs then current data in FIFO is cleared
and chance of posting remaining data after FIFO is cleared. Now
SW handles the ARB lost error as interrupts are enabled later after
posting all packets and after clearing the ARB lost interrupt the
packet mode is disabled(Normal mode), which causes the Normal mode
interrupt(Unknown interrupt in case of packet mode) due to stale
data in fifo.
- To fix this, enable (unmask) error interrupt before posting the
packets into FIFO and clear the packet mode disable before clearing
ARB lost error also for other errors(NACK/FIFO overflow).
- Dont issue bus clear for ARB lost error if bus is operating in
multimaster mode.
Deepak Nibade [Tue, 24 May 2016 08:21:26 +0000 (13:51 +0530)]
gpu: nvgpu: suppress prints in submit path
When we run out of gpfifo space or private command buffer
space, we have error spew like below :
__gk20a_channel_syncpt_incr: not enough priv cmd buffer space
gk20a_submit_channel_gpfifo: fail
Dumping these prints to UART cause increase in submit
latencies
But on these failures, we return -ENOSPC to UMD and then
UMD retries the submit, hence it might be unnecessary to dump
these prints
Hence, remove the error prints of insufficient space
and use gk20a_dbg_fn() instead of gk20a_err() to print failure
in gk20a_submit_channel_gpfifo()
During a critical thermal trip, orderly_poweroff is called.
However, if the userspace is slow to react to poweroff (systemd),
and the thermal zone is configured with polling mode because of
either polling_delay or passive_delay, thermal_core may end up
in calling orderly_poweroff multiple times.
This eventually slows the userspace even more by
scheduling overwhelming number of threads in the system.
Relevant dump_stack spew during the shutdown process:
dump_backtrace+0x0/0xf4
show_stack+0x14/0x1c
dump_stack+0x20/0x28
handle_critical_trips+0x80/0xa0
handle_thermal_trip+0x40/0x64
thermal_zone_device_update+0xf0/0x110
thermal_zone_device_check+0x10/0x18
process_one_work+0x274/0x430
worker_thread+0x184/0x294
kthread+0xc0/0xc8
We should not try to spawn-off more threads once we have
decided to shutdown i.e. we should disable polling mode
once it is known that a critical trip is going to result
in a poweroff. This patch does that by setting the polling
and passive delay to zero which cancels the repeated work
and allows userspace to shutdown.
Fix s/g/query dv timings compliance, report not
supported if the sub device on CSI does not support
the timing fops.
Fix s/g crop fops for sub devices which does not
support cropping.
Fix subdev used in s/g param fops.
Ignore only frame height or width short/long errors
from CSI. Resolution mismatch can occur the actual lines
can be inclusive of embedded data lines which application
ignores anyway. Report failure only when the pixel parser
or CIL status is wrong.
Add maxframerate field as part of pixelformat
to distinguish different framerate ranges support
as two different modes in sensor drivers.
e.g: 4k@(0-30) and 4K@(0-60).
More parameters might be changed in sensor with a
framerate range for optimal usage.
In print_avi_infoframe, it allocates array buffer of 17 bytes.
It might run into a case to access array buffer at byte position 28.
in hdmi_infoframe_unpack when switch case value is SPD.
Ahung Cheng [Fri, 3 Jun 2016 10:22:05 +0000 (18:22 +0800)]
drivers: media: camera: Gang Mode from device tree
Add support for reversing CSI mapping by looking for a new entry,
gang-mode. Set gang mode to GANG_MODE_R_L, instead of default
GANG_MODE_L_R, to swap input ports.
Bitan Biswas [Wed, 17 Feb 2016 12:24:10 +0000 (17:54 +0530)]
mmc: sdhci: allow clock enable in suspend sequence
Some host with SDHCI_QUIRK2_NON_STD_RTPM deviation
need to enable clock in the suspend sequence.
This change enables such platforms to
suspend properly.
Joe Korty [Wed, 25 May 2016 13:09:41 +0000 (18:39 +0530)]
Fix uninitialized variable
Quiet gcc warning by giving 'in6' an initial
value of NULL.
Technically this is wrong, but there seems to
be no path through the function where 'in6' is
not set then used. If that is wrong, we will
get a NULL pointer kernel panic. Though bad,
that is better then the current situation,
where some random spot in the kernel gets
modified via the following of an undefined
pointer value in 'in6'.
include/net/ipv6.h:417:34: warning:
'in6' may be used uninitialized in this function
[-Wmaybe-uninitialized]
return ((ul1[0] ^ ul2[0]) | (ul1[1] ^ ul2[1])) == 0UL;
net/ipv4/tcp.c:3513:19: note: 'in6' was declared here
struct in6_addr *in6;
Joe Korty [Wed, 25 May 2016 13:05:34 +0000 (18:35 +0530)]
Remove unused variables and labels
drivers/media/i2c/imx185.c:548:6:
warning: unused variable 'i' [-Wunused-variable]
drivers/media/i2c/imx185.c:644:1:
warning:
label 'fail' defined but not used [-Wunused-label]
drivers/media/i2c/imx185.c:999:7:
warning:unused variable 'dt_name' [-Wunused-variable]
drivers/media/i2c/imx185.c:560:9:
warning: 'gain' may be used uninitialized in this
function [-Wmaybe-uninitialized]
Joe Korty [Wed, 25 May 2016 12:58:56 +0000 (18:28 +0530)]
Silence uninitialized variable warning
When we go through the switch() case
where 'send_direct' is not initialized, the
code later on that uses 'send_direct' will
be skipped over. So it is safe to set this
'send_direct' to any value we want in order
to quiet this gcc warning.
net/mac80211/cfg.c: In function 'ieee80211_tdls_mgmt':
net/mac80211/cfg.c:3225:5: warning:
'send_direct' may be used uninitialized in this
function [-Wmaybe-uninitialized]
if (send_direct) {
Joe Korty [Wed, 25 May 2016 12:57:27 +0000 (18:27 +0530)]
Add default case in switch statement
Provide a reasonable default value
(ie, the original value) for smps_mode
when a new value is not being assigned.
This forces the value of 'changed' to be correct
when no attempt at changing is being done to
'smps_mode'.
net/mac80211/ht.c: In function
'ieee80211_ht_cap_ie_to_sta_ht_cap':
net/mac80211/ht.c:232:5: warning:
'smps_mode' may be used uninitialized in this
function [-Wmaybe-uninitialized]
if (smps_mode != sta->sta.smps_mode)
Joe Korty [Wed, 25 May 2016 12:47:49 +0000 (18:17 +0530)]
Fix 'const' propagation prob
The strings pointed to are unchanging while in use,
so add a 'const' to the string definition.
drivers/usb/misc/usb_nvshieldled.c:
In function 'nvshieldled_probe':
drivers/usb/misc/usb_nvshieldled.c:394:7: warning:
passing argument 3 of 'of_property_read_string' from
incompatible pointer type [-Wincompatible-pointer-types]
&edp_name)) {
In file included from drivers/usb/misc/usb_nvshieldled.c:26:0:
include/linux/of.h:268:12: note: expected 'const char **' but
argument is of type 'char **'
extern int of_property_read_string(struct device_node *np,
Gaurav Singh [Wed, 25 May 2016 12:45:10 +0000 (18:15 +0530)]
Fix the casting issue
Allow a 64 bit pointer to be cast and put into a
32-bit integer, when that pointer points to a
location within a 32 bit userspace.
Normally this is a very bad thing to do, the compiler
is right to warn us about this, but in this very
specific case, it is OK.
In file included from fs/compat_binfmt_elf.c:128:0:
fs/binfmt_elf.c: In function 'create_elf_tables':
/cuba/jak/tegra/r23.1/a/arch/arm64/include/asm/elf.h:143:7:
warning: cast from pointer to
integer of different size [-Wpointer-to-int-cast]
(elf_addr_t)current->mm->context.vdso);
fs/binfmt_elf.c:216:26: note:
in definition of macro 'NEW_AUX_ENT'
elf_info[ei_index++] = val;
fs/binfmt_elf.c:226:2: note:
in expansion of macro 'ARCH_DLINFO'
ARCH_DLINFO;
Joe Korty [Wed, 25 May 2016 12:56:24 +0000 (18:26 +0530)]
Fix uninitialized variable
sound/soc/codecs/rt5639.c: In function 'rt5639_pll_calc':
sound/soc/codecs/rt5639.c:2833:19: warning:
'm_t' may be used uninitialized in this
function [-Wmaybe-uninitialized]
pll_code->m_code = m;
Joe Korty [Wed, 25 May 2016 12:54:57 +0000 (18:24 +0530)]
Fix kernel warnings
1) rt5659_enable_push_button_irq() is not yet being
used, so comment it out with #ifdef FIXME.
2) Give mt_t an initial value of zero, for those
paths where it is not initialized.
sound/soc/codecs/rt5659.c:1314:13: warning:
'rt5659_enable_push_button_irq' defined but
not used [-Wunused-function]
static void
rt5659_enable_push_button_irq(struct snd_soc_codec *codec,
sound/soc/codecs/rt5659.c: In function 'rt5659_pll_calc':
sound/soc/codecs/rt5659.c:3636:19: warning:
'm_t' may be used uninitialized in this
function [-Wmaybe-uninitialized]
pll_code->m_code = m;
JC Kuo [Sun, 20 Dec 2015 06:37:02 +0000 (14:37 +0800)]
xhci-hcd: support soft retry on SS transfer error
This commit implements XHCI "soft retry" for SuperSpeed endpoints which
encounters transfer errors.
When transfer error happens on an SuperSpeed endpoint, XHCI driver will
1. queue a "reset endpoint" command with TSP=1 (Transfer State Preserve)
2. invoke a HCD driver specific callback "->endpoint_soft_retry()" to let
HCD driver has a chance to configure its hardware
3. ring door bell for the endpoint upon seeing the command completion
Return error if otp read or fuse id read fails
Turn off power before returning error and remove
check for device not available during power off as
it's already verified during power on.