From 0e9118d225b57432638f1fb6a9da575a0e924778 Mon Sep 17 00:00:00 2001 From: Sreelakshmi Gownipalli Date: Wed, 10 Jul 2019 23:25:28 -0700 Subject: [PATCH 001/386] diag: Clear the local masks only during local usb disconnect Clear the masks on the apps only during usb disconnect on local usb diag channel but not for the remote proc usb disconnect. Change-Id: I1d3f828f9fecf628bc15f3f62ce1e4dc482c57db Signed-off-by: Sreelakshmi Gownipalli --- drivers/char/diag/diag_usb.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/char/diag/diag_usb.c b/drivers/char/diag/diag_usb.c index 92c4fc187001..43cf043eb7d5 100644 --- a/drivers/char/diag/diag_usb.c +++ b/drivers/char/diag/diag_usb.c @@ -253,7 +253,8 @@ static void usb_disconnect_work_fn(struct work_struct *work) ch->name, atomic_read(&ch->disconnected), atomic_read(&ch->connected)); if (!atomic_read(&ch->connected) && - driver->usb_connected && diag_mask_param()) + driver->usb_connected && diag_mask_param() && + ch->id == DIAG_USB_LOCAL) diag_clear_masks(0); usb_disconnect(ch); From c8ede1ab813856a1b36e357811debef576e6d245 Mon Sep 17 00:00:00 2001 From: Rohith Kollalsi Date: Fri, 17 Jul 2020 15:00:44 +0530 Subject: [PATCH 002/386] usb: gadget: Revert increase write buffer size Commit 3fb319966d33 ("usb: gadget: increase write buffer size") brings additional memory requirement and leads to memory allocation failure when trying to allocate buffer to the request in usb_cser_alloc_req. Hence revert it to fix this. Change-Id: Iff5d6a2502d7ff094422fc66c20dff13d5b8d4ca Signed-off-by: Rohith Kollalsi --- drivers/usb/gadget/function/f_cdev.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/usb/gadget/function/f_cdev.c b/drivers/usb/gadget/function/f_cdev.c index 2451aab593ba..b0faafca4b1b 100644 --- a/drivers/usb/gadget/function/f_cdev.c +++ b/drivers/usb/gadget/function/f_cdev.c @@ -57,11 +57,8 @@ #define BRIDGE_RX_QUEUE_SIZE 8 #define BRIDGE_RX_BUF_SIZE 2048 #define BRIDGE_TX_QUEUE_SIZE 8 -#if IS_ENABLED(CONFIG_ARCH_SM8150) -#define BRIDGE_TX_BUF_SIZE (50 * 1024) -#else -#define BRIDGE_TX_BUF_SIZE 2048 -#endif +#define BRIDGE_TX_BUF_SIZE 2048 + #define GS_LOG2_NOTIFY_INTERVAL 5 /* 1 << 5 == 32 msec */ #define GS_NOTIFY_MAXPACKET 10 /* notification + 2 bytes */ From 2ebb5e6cd3eec9cfd6e9b8c34d057bb3bbfa4df3 Mon Sep 17 00:00:00 2001 From: spuligil Date: Fri, 17 Jul 2020 18:00:45 -0700 Subject: [PATCH 003/386] fw-api: CL 11068717 - update fw common interface files Change-Id: Ie5e6b775d0380a6e1e175b9a2746def9d7f8494a WMI: add tx_time,rx_time fields in wmi_channel_stats CRs-Fixed: 2262693 --- fw/wmi_unified.h | 8 +++++++- fw/wmi_version.h | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/fw/wmi_unified.h b/fw/wmi_unified.h index d7f1ec7b3946..c45460096c0c 100644 --- a/fw/wmi_unified.h +++ b/fw/wmi_unified.h @@ -8052,8 +8052,14 @@ typedef struct { A_UINT32 center_freq1; /** msecs the radio is awake (32 bits number accruing over time) */ A_UINT32 radio_awake_time; - /** msecs the CCA register is busy (32 bits number accruing over time) */ + /** msecs the CCA register is busy (32 bits number accruing over time) + * Includes rx_time but not tx_time. + */ A_UINT32 cca_busy_time; + /** msecs the radio is transmitting (32 bits number accruing over time) */ + A_UINT32 tx_time; + /** msecs the radio is in active receive (32 bits number accruing over time) */ + A_UINT32 rx_time; } wmi_channel_stats; /* diff --git a/fw/wmi_version.h b/fw/wmi_version.h index 6be23827697f..e2b9b54dfe73 100644 --- a/fw/wmi_version.h +++ b/fw/wmi_version.h @@ -36,7 +36,7 @@ #define __WMI_VER_MINOR_ 0 /** WMI revision number has to be incremented when there is a * change that may or may not break compatibility. */ -#define __WMI_REVISION_ 869 +#define __WMI_REVISION_ 870 /** The Version Namespace should not be normally changed. Only * host and firmware of the same WMI namespace will work From 54dde8e6994ea1dfdcaacbc0b3bc24450e7d007c Mon Sep 17 00:00:00 2001 From: Vulupala Shashank Reddy Date: Fri, 17 Jul 2020 17:27:29 +0530 Subject: [PATCH 004/386] qcacld-3.0: Remove ucfg_pkt_capture_deregister_callbacks ucfg_pkt_capture_deregister_callbacks getting called twice while deregistering packet capture mode. Remove ucfg_pkt_capture_deregister_callbacks from wlan_hdd_del_monitor. Change-Id: Id69288b390d9508396e4fb4ca4adcea3f0548deb CRs-Fixed: 2734980 --- core/hdd/src/wlan_hdd_main.c | 1 - 1 file changed, 1 deletion(-) diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c index 87ba68553d0c..d724ca64c583 100644 --- a/core/hdd/src/wlan_hdd_main.c +++ b/core/hdd/src/wlan_hdd_main.c @@ -16647,7 +16647,6 @@ bool wlan_hdd_check_mon_concurrency(void) void wlan_hdd_del_monitor(struct hdd_context *hdd_ctx, struct hdd_adapter *adapter, bool rtnl_held) { - ucfg_pkt_capture_deregister_callbacks(adapter->vdev); wlan_hdd_release_intf_addr(hdd_ctx, adapter->mac_addr.bytes); hdd_stop_adapter(hdd_ctx, adapter); hdd_close_adapter(hdd_ctx, adapter, true); From 6b01339966bc8f98dd76ee7b7a46139993df5c86 Mon Sep 17 00:00:00 2001 From: snandini Date: Sun, 19 Jul 2020 05:47:17 -0700 Subject: [PATCH 005/386] Release 5.2.03.29J Release 5.2.03.29J Change-Id: I4962afd81f5e8e59c02c538240cb71a9308d82b1 CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index cf9473de94f2..7ceb6aa6a381 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "I" +#define QWLAN_VERSION_EXTRA "J" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29I" +#define QWLAN_VERSIONSTR "5.2.03.29J" #endif /* QWLAN_VERSION_H */ From 8f0a4c737f8042d6e05b64e7a37a31bc31cd1c84 Mon Sep 17 00:00:00 2001 From: Abhinav Kumar Date: Mon, 8 Jun 2020 10:00:55 +0530 Subject: [PATCH 006/386] qcacld-3.0: Change the size of Measurement Request IE To process up to 5 Measurement Request in a single beacon report request, modify the size of Measurement Request IE to 5. Change-Id: I87025ce12886cc3129b01de6eb48b45e85babe9a CRs-Fixed: 2712109 --- core/mac/src/cfg/cfgUtil/dot11f.frms | 2 +- core/mac/src/include/dot11f.h | 4 ++-- core/mac/src/sys/legacy/src/utils/src/dot11f.c | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/core/mac/src/cfg/cfgUtil/dot11f.frms b/core/mac/src/cfg/cfgUtil/dot11f.frms index 2a26f1c2e3e9..45acee437934 100644 --- a/core/mac/src/cfg/cfgUtil/dot11f.frms +++ b/core/mac/src/cfg/cfgUtil/dot11f.frms @@ -4031,7 +4031,7 @@ FRAME RadioMeasurementRequest FF DialogToken; FF NumOfRepetitions; //Measurement Request IE. - MANDIE MeasurementRequest[1..2]; + MANDIE MeasurementRequest[1..5]; } FRAME RadioMeasurementReport diff --git a/core/mac/src/include/dot11f.h b/core/mac/src/include/dot11f.h index 2700c0f6332a..ae403351014c 100644 --- a/core/mac/src/include/dot11f.h +++ b/core/mac/src/include/dot11f.h @@ -26,7 +26,7 @@ * * * This file was automatically generated by 'framesc' - * Wed Feb 12 20:42:23 2020 from the following file(s): + * Mon Jun 8 09:41:47 2020 from the following file(s): * * dot11f.frms * @@ -10347,7 +10347,7 @@ typedef struct sDot11fRadioMeasurementRequest{ tDot11fFfDialogToken DialogToken; tDot11fFfNumOfRepetitions NumOfRepetitions; uint16_t num_MeasurementRequest; - tDot11fIEMeasurementRequest MeasurementRequest[2]; + tDot11fIEMeasurementRequest MeasurementRequest[5]; } tDot11fRadioMeasurementRequest; #define DOT11F_RADIOMEASUREMENTREQUEST (25) diff --git a/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/core/mac/src/sys/legacy/src/utils/src/dot11f.c index 7de2c0093a1e..638f5ea0c0ff 100644 --- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c +++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c @@ -24,7 +24,7 @@ * * * This file was automatically generated by 'framesc' - * Wed Feb 12 20:42:23 2020 from the following file(s): + * Mon Jun 8 09:41:47 2020 from the following file(s): * * dot11f.frms * @@ -11281,7 +11281,7 @@ static const tIEDefn IES_RadioMeasurementRequest[] = { { offsetof(tDot11fRadioMeasurementRequest, MeasurementRequest), offsetof(tDot11fIEMeasurementRequest, present), offsetof(tDot11fRadioMeasurementRequest, num_MeasurementRequest), - "MeasurementRequest", 2, 6, 18, SigIeMeasurementRequest, {0, 0, 0, 0, 0}, + "MeasurementRequest", 5, 6, 18, SigIeMeasurementRequest, {0, 0, 0, 0, 0}, 0, DOT11F_EID_MEASUREMENTREQUEST, 0, 1, }, {0, 0, 0, NULL, 0, 0, 0, 0, {0, 0, 0, 0, 0}, 0, 0xff, 0, },}; From b8956515d7c1df2100d918b3af7befeb5fa85d46 Mon Sep 17 00:00:00 2001 From: snandini Date: Mon, 20 Jul 2020 03:37:33 -0700 Subject: [PATCH 007/386] Release 5.2.03.29K Release 5.2.03.29K Change-Id: I5fc1b56f9e2e4ec089f8eefcd7bf74d6fd27f7fb CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index 7ceb6aa6a381..e79876eea024 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "J" +#define QWLAN_VERSION_EXTRA "K" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29J" +#define QWLAN_VERSIONSTR "5.2.03.29K" #endif /* QWLAN_VERSION_H */ From 596c6fc72444b218fb9dad84554aab74a120e187 Mon Sep 17 00:00:00 2001 From: Vulupala Shashank Reddy Date: Sat, 18 Jul 2020 21:27:01 +0530 Subject: [PATCH 008/386] qcacld-3.0: Gracefully deregister packet capture callbacks Deregistering packet capture callbacks can call while processing mon thread which can lead to race condition. To address this, deregister packet capture callbacks after mon thread successfully processes its current packet. Change-Id: I09640128a57ef6adac4e6a025cb81667e49b6e4c CRs-Fixed: 2735587 --- .../core/inc/wlan_pkt_capture_mon_thread.h | 3 +++ .../core/src/wlan_pkt_capture_main.c | 24 +++++++++++++++++++ .../core/src/wlan_pkt_capture_mon_thread.c | 15 ++++++++++-- 3 files changed, 40 insertions(+), 2 deletions(-) diff --git a/components/pkt_capture/core/inc/wlan_pkt_capture_mon_thread.h b/components/pkt_capture/core/inc/wlan_pkt_capture_mon_thread.h index 006fa0a0854e..630d92201d98 100644 --- a/components/pkt_capture/core/inc/wlan_pkt_capture_mon_thread.h +++ b/components/pkt_capture/core/inc/wlan_pkt_capture_mon_thread.h @@ -28,6 +28,7 @@ #define PKT_CAPTURE_RX_POST_EVENT 0x01 #define PKT_CAPTURE_RX_SUSPEND_EVENT 0x02 #define PKT_CAPTURE_RX_SHUTDOWN_EVENT 0x04 +#define PKT_CAPTURE_REGISTER_EVENT 0x08 /* * Maximum number of packets to be allocated for @@ -81,6 +82,7 @@ struct pkt_capture_mon_pkt { * @suspend_mon_event: Completion to suspend packet capture MON thread * @resume_mon_event: Completion to resume packet capture MON thread * @mon_shutdown: Completion for packet capture MON thread shutdown + * @mon_register_event: Completion for packet capture register * @mon_wait_queue: Waitq for packet capture MON thread * @mon_event_flag: Mon event flag * @mon_thread_queue: MON buffer queue @@ -97,6 +99,7 @@ struct pkt_capture_mon_context { struct completion suspend_mon_event; struct completion resume_mon_event; struct completion mon_shutdown; + struct completion mon_register_event; wait_queue_head_t mon_wait_queue; unsigned long mon_event_flag; struct list_head mon_thread_queue; diff --git a/components/pkt_capture/core/src/wlan_pkt_capture_main.c b/components/pkt_capture/core/src/wlan_pkt_capture_main.c index 8bd6de1ed1bf..2f62dcd1628c 100644 --- a/components/pkt_capture/core/src/wlan_pkt_capture_main.c +++ b/components/pkt_capture/core/src/wlan_pkt_capture_main.c @@ -99,6 +99,13 @@ pkt_capture_register_callbacks(struct wlan_objmgr_vdev *vdev, if (QDF_IS_STATUS_ERROR(status)) goto register_ev_handlers_fail; + /* + * set register event bit so that mon thread will start + * processing packets in queue. + */ + set_bit(PKT_CAPTURE_REGISTER_EVENT, + &vdev_priv->mon_ctx->mon_event_flag); + mode = pkt_capture_get_mode(psoc); status = tgt_pkt_capture_send_mode(vdev, mode); if (QDF_IS_STATUS_ERROR(status)) { @@ -149,6 +156,23 @@ QDF_STATUS pkt_capture_deregister_callbacks(struct wlan_objmgr_vdev *vdev) if (QDF_IS_STATUS_ERROR(status)) pkt_capture_err("Unable to send packet capture mode to fw"); + /* + * Clear packet capture register event so that mon thread will + * stop processing packets in queue. + */ + clear_bit(PKT_CAPTURE_REGISTER_EVENT, + &vdev_priv->mon_ctx->mon_event_flag); + set_bit(PKT_CAPTURE_RX_POST_EVENT, + &vdev_priv->mon_ctx->mon_event_flag); + wake_up_interruptible(&vdev_priv->mon_ctx->mon_wait_queue); + + /* + * Wait till current packet process completes in mon thread and + * flush the remaining packet in queue. + */ + wait_for_completion(&vdev_priv->mon_ctx->mon_register_event); + pkt_capture_drop_monpkt(vdev_priv->mon_ctx); + status = tgt_pkt_capture_unregister_ev_handler(vdev); if (QDF_IS_STATUS_ERROR(status)) pkt_capture_err("Unable to unregister event handlers"); diff --git a/components/pkt_capture/core/src/wlan_pkt_capture_mon_thread.c b/components/pkt_capture/core/src/wlan_pkt_capture_mon_thread.c index f8c2a62a191e..a37eb1963732 100644 --- a/components/pkt_capture/core/src/wlan_pkt_capture_mon_thread.c +++ b/components/pkt_capture/core/src/wlan_pkt_capture_mon_thread.c @@ -324,7 +324,17 @@ static int pkt_capture_mon_thread(void *arg) shutdown = true; break; } - pkt_capture_process_from_queue(mon_ctx); + + /* + * if packet capture deregistratin happens stop + * processing packets in queue because mon cb will + * be set to NULL. + */ + if (test_bit(PKT_CAPTURE_REGISTER_EVENT, + &mon_ctx->mon_event_flag)) + pkt_capture_process_from_queue(mon_ctx); + else + complete(&mon_ctx->mon_register_event); if (test_bit(PKT_CAPTURE_RX_SUSPEND_EVENT, &mon_ctx->mon_event_flag)) { @@ -351,7 +361,7 @@ void pkt_capture_close_mon_thread(struct pkt_capture_mon_context *mon_ctx) if (!mon_ctx->mon_thread) return; - /* Shut down Tlshim Rx thread */ + /* Shut down mon thread */ set_bit(PKT_CAPTURE_RX_SHUTDOWN_EVENT, &mon_ctx->mon_event_flag); set_bit(PKT_CAPTURE_RX_POST_EVENT, @@ -487,6 +497,7 @@ pkt_capture_alloc_mon_thread(struct pkt_capture_mon_context *mon_ctx) init_completion(&mon_ctx->suspend_mon_event); init_completion(&mon_ctx->resume_mon_event); init_completion(&mon_ctx->mon_shutdown); + init_completion(&mon_ctx->mon_register_event); mon_ctx->mon_event_flag = 0; spin_lock_init(&mon_ctx->mon_queue_lock); spin_lock_init(&mon_ctx->mon_pkt_freeq_lock); From 17369a469cee1726ea44cfe644175bd2d9e2d586 Mon Sep 17 00:00:00 2001 From: snandini Date: Mon, 20 Jul 2020 05:47:45 -0700 Subject: [PATCH 009/386] Release 5.2.03.29L Release 5.2.03.29L Change-Id: I2266132cc553e14fd8c72e1339645160b05f5ba5 CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index e79876eea024..1a7ee07493da 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "K" +#define QWLAN_VERSION_EXTRA "L" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29K" +#define QWLAN_VERSIONSTR "5.2.03.29L" #endif /* QWLAN_VERSION_H */ From 284bb7823c606d6ef177e5620ae971324e75e31a Mon Sep 17 00:00:00 2001 From: Pragaspathi Thilagaraj Date: Sun, 12 Jul 2020 15:51:29 +0530 Subject: [PATCH 010/386] qcacld-3.0: Don't allow roam invoke if roaming offload is not initialized Roam invoke is done by driver if reconnect to same bssid is received or driver FASTREASSOC command is received from the supplicant. If rso is not enabled at firmware for the given vdev, then still roam invoke is sent to firmware and firmware sends roam invoke failure as part of which disconnection occurs. Check if roaming rso enabled at firmware or supplicant disabled roaming is set and rso stop is sent, else return failure for the reassociation request from userspace. Send failure only if the kernel version is greater than 4.9, since the fix to handle reassociation failure is available from this version. Change-Id: I0feae326be751e50f7327c91739cd7dddab500e9 CRs-Fixed: 2724686 --- core/hdd/src/wlan_hdd_cfg80211.c | 2 +- core/hdd/src/wlan_hdd_ioctl.c | 32 ++++++++++++++++++++++++++++++++ core/sme/inc/sme_api.h | 18 ++++++++++++++++++ core/sme/src/common/sme_api.c | 14 +++++++++++++- 4 files changed, 64 insertions(+), 2 deletions(-) diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c index 080b87e15ab6..e3660fc1e91d 100644 --- a/core/hdd/src/wlan_hdd_cfg80211.c +++ b/core/hdd/src/wlan_hdd_cfg80211.c @@ -21602,7 +21602,7 @@ static int __wlan_hdd_cfg80211_connect(struct wiphy *wiphy, * Check if this is reassoc to same bssid, if reassoc is success, return */ status = wlan_hdd_reassoc_bssid_hint(adapter, req); - if (!status) + if (!status || status == -EPERM) return status; /* Try disconnecting if already in connected state */ diff --git a/core/hdd/src/wlan_hdd_ioctl.c b/core/hdd/src/wlan_hdd_ioctl.c index 9d51622f459d..bf538110484b 100644 --- a/core/hdd/src/wlan_hdd_ioctl.c +++ b/core/hdd/src/wlan_hdd_ioctl.c @@ -830,6 +830,31 @@ QDF_STATUS hdd_wma_send_fastreassoc_cmd(struct hdd_adapter *adapter, } #endif +#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)) +/** + * hdd_is_fast_reassoc_allowed - check if roam offload is enabled on the given + * vdev else, don't allow roam invoke to be triggered. + * @mac_handle: Opaque mac handle + * @vdev_id: vdev_id + * + * This API should return true if kernel version is less than 4.9, because + * the earlier versions don't have the fix to handle reassociation failure. + * + * Return: true if roaming module initialization is done else false + */ +static bool +hdd_is_fast_reassoc_allowed(mac_handle_t mac_handle, uint8_t vdev_id) +{ + return sme_is_fast_reassoc_allowed(mac_handle, vdev_id); +} +#else +static inline bool +hdd_is_fast_reassoc_allowed(mac_handle_t mac_handle, uint8_t vdev_id) +{ + return true; +} +#endif + /** * hdd_reassoc() - perform a userspace-directed reassoc * @adapter: Adapter upon which the command was received @@ -900,6 +925,13 @@ int hdd_reassoc(struct hdd_adapter *adapter, const uint8_t *bssid, /* Proceed with reassoc */ if (roaming_offload_enabled(hdd_ctx)) { + if (!hdd_is_fast_reassoc_allowed(adapter->hdd_ctx->mac_handle, + adapter->session_id)) { + hdd_err("LFR3: vdev[%d] RSO is not enabled", + adapter->session_id); + ret = -EPERM; + goto exit; + } status = hdd_wma_send_fastreassoc_cmd(adapter, bssid, (int)channel); if (status != QDF_STATUS_SUCCESS) { diff --git a/core/sme/inc/sme_api.h b/core/sme/inc/sme_api.h index 61add962964c..8bcaca0bb3f6 100644 --- a/core/sme/inc/sme_api.h +++ b/core/sme/inc/sme_api.h @@ -2092,6 +2092,18 @@ QDF_STATUS sme_get_beacon_frm(tHalHandle hal, struct csr_roam_profile *profile, int *channel); #ifdef WLAN_FEATURE_ROAM_OFFLOAD + +/** + * sme_is_fast_reassoc_allowed - API to check if roam invoke is + * allowed. Get the roam enabled vdev id and allow roaming only on + * that vdev id. + * @mac_handle: Opaque mac handle + * @vdev_id: vdev id + * + * Return: true if roam invoke is allowed, else return false + */ +bool sme_is_fast_reassoc_allowed(mac_handle_t mac_handle, uint8_t vdev_id); + /** * sme_fast_reassoc() - invokes FAST REASSOC command * @hal: handle returned by mac_open @@ -2106,6 +2118,12 @@ QDF_STATUS sme_get_beacon_frm(tHalHandle hal, struct csr_roam_profile *profile, QDF_STATUS sme_fast_reassoc(tHalHandle hal, struct csr_roam_profile *profile, const tSirMacAddr bssid, int channel, uint8_t vdev_id, const tSirMacAddr connected_bssid); +#else +static inline +bool sme_is_fast_reassoc_allowed(mac_handle_t mac_handle, uint8_t vdev_id) +{ + return true; +} #endif /** * sme_congestion_register_callback() - registers congestion callback diff --git a/core/sme/src/common/sme_api.c b/core/sme/src/common/sme_api.c index 50d4d2ffb40a..2c76352cdc2a 100644 --- a/core/sme/src/common/sme_api.c +++ b/core/sme/src/common/sme_api.c @@ -15670,6 +15670,19 @@ free_scan_flter: } #ifdef WLAN_FEATURE_ROAM_OFFLOAD +bool sme_is_fast_reassoc_allowed(mac_handle_t mac_handle, uint8_t vdev_id) +{ + tpAniSirGlobal mac = MAC_CONTEXT(mac_handle); + uint8_t roam_enabled_session_id; + + roam_enabled_session_id = csr_get_roam_enabled_sta_sessionid(mac); + if (roam_enabled_session_id != CSR_SESSION_ID_INVALID && + roam_enabled_session_id != vdev_id) + return false; + + return true; +} + QDF_STATUS sme_fast_reassoc(tHalHandle hal, struct csr_roam_profile *profile, const tSirMacAddr bssid, int channel, uint8_t vdev_id, const tSirMacAddr connected_bssid) @@ -15694,7 +15707,6 @@ QDF_STATUS sme_fast_reassoc(tHalHandle hal, struct csr_roam_profile *profile, return status; } - #endif QDF_STATUS sme_set_del_pmkid_cache(tHalHandle hal, uint8_t session_id, From e97219e57891b0c7d4ffde9b193e14facf244026 Mon Sep 17 00:00:00 2001 From: snandini Date: Tue, 21 Jul 2020 01:46:41 -0700 Subject: [PATCH 011/386] Release 5.2.03.29M Release 5.2.03.29M Change-Id: I4c37108024bca43c7d02bc5501b8971091b4de17 CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index 1a7ee07493da..19d39f6bff83 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "L" +#define QWLAN_VERSION_EXTRA "M" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29L" +#define QWLAN_VERSIONSTR "5.2.03.29M" #endif /* QWLAN_VERSION_H */ From 986520c8bcafa53af144ba3ba9dcb2ef5f359743 Mon Sep 17 00:00:00 2001 From: spuligil Date: Tue, 21 Jul 2020 06:00:50 -0700 Subject: [PATCH 012/386] fw-api: CL 11091714 - update fw common interface files Change-Id: Iad727fb1f80a63c7c261b7fafbf313ef1e11093a WMI: indicate in vdev start whether SW encryption is enabled CRs-Fixed: 2262693 --- fw/wmi_unified.h | 6 ++++++ fw/wmi_version.h | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/fw/wmi_unified.h b/fw/wmi_unified.h index c45460096c0c..0b53c0b3d248 100644 --- a/fw/wmi_unified.h +++ b/fw/wmi_unified.h @@ -9644,6 +9644,12 @@ typedef struct { * of assoc request/response */ #define WMI_UNIFIED_VDEV_START_LDPC_RX_ENABLED (1<<3) +/** Indicates HW encryption is disabled, and SW encryption is enabled. + * If This flag is set, indicates that HW encryption will be disabled + * and SW encryption will be enabled. + * If SW encryption is enabled, key plumbing will not happen in FW. + */ +#define WMI_UNIFIED_VDEV_START_HW_ENCRYPTION_DISABLED (1<<4) /* BSS color 0-6 */ #define WMI_HEOPS_COLOR_GET_D2(he_ops) WMI_GET_BITS(he_ops, 0, 6) diff --git a/fw/wmi_version.h b/fw/wmi_version.h index e2b9b54dfe73..a891e5dd59cf 100644 --- a/fw/wmi_version.h +++ b/fw/wmi_version.h @@ -36,7 +36,7 @@ #define __WMI_VER_MINOR_ 0 /** WMI revision number has to be incremented when there is a * change that may or may not break compatibility. */ -#define __WMI_REVISION_ 870 +#define __WMI_REVISION_ 871 /** The Version Namespace should not be normally changed. Only * host and firmware of the same WMI namespace will work From 02d519386e7d4173d77c91bd549d415c15e9bfb7 Mon Sep 17 00:00:00 2001 From: spuligil Date: Tue, 21 Jul 2020 18:00:38 -0700 Subject: [PATCH 013/386] fw-api: CL 11101099 - update fw common interface files Change-Id: I407d3e85595ef6d8e33e0df348c1a89a09c8f465 HTT: deprecate fisa_control_bits bitfields, introduce fisa_control_bits_v2 CRs-Fixed: 2262693 --- fw/htt.h | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/fw/htt.h b/fw/htt.h index da9101e4e106..f92938dfdffe 100644 --- a/fw/htt.h +++ b/fw/htt.h @@ -205,9 +205,10 @@ * 3.81 Add ppdu_start_tsf field in HTT_TX_WBM_COMPLETION_V2. * 3.82 Add WIN_SIZE field to HTT_T2H_MSG_TYPE_RX_DELBA msg. * 3.83 Shrink seq_idx field in HTT PPDU ID from 3 bits to 2. + * 3.84 Add fisa_control_bits_v2 def. */ #define HTT_CURRENT_VERSION_MAJOR 3 -#define HTT_CURRENT_VERSION_MINOR 83 +#define HTT_CURRENT_VERSION_MINOR 84 #define HTT_NUM_TX_FRAG_DESC 1024 @@ -6054,6 +6055,10 @@ PREPACK struct htt_h2t_msg_type_fisa_config_t { * [17:0] */ union { + /* + * fisa_control_bits structure is deprecated. + * Please use fisa_control_bits_v2 going forward. + */ struct { A_UINT32 fisa_enable: 1, ipsec_skip_search: 1, @@ -6072,6 +6077,11 @@ PREPACK struct htt_h2t_msg_type_fisa_config_t { fisa_aggr_limit: 4, reserved: 14; } fisa_control_bits; + struct { + A_UINT32 fisa_enable: 1, + fisa_aggr_limit: 4, + reserved: 27; + } fisa_control_bits_v2; A_UINT32 fisa_control_value; } u_fisa_control; @@ -6277,6 +6287,29 @@ PREPACK struct htt_h2t_msg_type_fisa_config_t { ((_var) |= ((_val) << HTT_RX_FISA_CONFIG_FISA_AGGR_LIMIT_S)); \ } while (0) +/* Dword 1: fisa_control_value fisa config */ +#define HTT_RX_FISA_CONFIG_FISA_V2_ENABLE_M 0x00000001 +#define HTT_RX_FISA_CONFIG_FISA_V2_ENABLE_S 0 +#define HTT_RX_FISA_CONFIG_FISA_V2_ENABLE_GET(_var) \ + (((_var) & HTT_RX_FISA_CONFIG_FISA_V2_ENABLE_M) >> \ + HTT_RX_FISA_CONFIG_FISA_V2_ENABLE_S) +#define HTT_RX_FISA_CONFIG_FISA_V2_ENABLE_SET(_var, _val) \ + do { \ + HTT_CHECK_SET_VAL(HTT_RX_FISA_CONFIG_FISA_V2_ENABLE, _val); \ + ((_var) |= ((_val) << HTT_RX_FISA_CONFIG_FISA_V2_ENABLE_S)); \ + } while (0) + +/* Dword 1: fisa_control_value fisa_aggr_limit */ +#define HTT_RX_FISA_CONFIG_FISA_V2_AGGR_LIMIT_M 0x0000001e +#define HTT_RX_FISA_CONFIG_FISA_V2_AGGR_LIMIT_S 1 +#define HTT_RX_FISA_CONFIG_FISA_V2_AGGR_LIMIT_GET(_var) \ + (((_var) & HTT_RX_FISA_CONFIG_FISA_V2_AGGR_LIMIT_M) >> \ + HTT_RX_FISA_CONFIG_FISA_V2_AGGR_LIMIT_S) +#define HTT_RX_FISA_CONFIG_FISA_V2_AGGR_LIMIT_SET(_var, _val) \ + do { \ + HTT_CHECK_SET_VAL(HTT_RX_FISA_CONFIG_FISA_V2_AGGR_LIMIT, _val); \ + ((_var) |= ((_val) << HTT_RX_FISA_CONFIG_FISA_V2_AGGR_LIMIT_S)); \ + } while (0) PREPACK struct htt_h2t_msg_rx_fse_setup_t { A_UINT32 msg_type:8, /* HTT_H2T_MSG_TYPE_RX_FSE_SETUP_CFG */ From 7e2ba127c7e3243c3e78fea0dd0e416b676fcdf0 Mon Sep 17 00:00:00 2001 From: Pankaj Singh Date: Tue, 21 Jul 2020 23:36:41 +0530 Subject: [PATCH 014/386] qcacmn: Extend Tdls external mode config support Current implementation of external mode requires supplicant to send tdls peer mac address. On matching of stats tdls implict link procedure is trigger for configured peer. Fix, to allow both configured peer and other peer that supports tdls to establish the tdls link on matching stats. Change-Id: I8f65e6dcc9dec565623ac2d8d2c77e12570f8bfb CRs-Fixed: 2737995 --- umac/tdls/core/src/wlan_tdls_cmds_process.c | 16 ++++++++++++++-- .../dispatcher/inc/wlan_tdls_public_structs.h | 15 ++++++++++++--- 2 files changed, 26 insertions(+), 5 deletions(-) diff --git a/umac/tdls/core/src/wlan_tdls_cmds_process.c b/umac/tdls/core/src/wlan_tdls_cmds_process.c index a39954f01c3b..6ea0df8e2619 100644 --- a/umac/tdls/core/src/wlan_tdls_cmds_process.c +++ b/umac/tdls/core/src/wlan_tdls_cmds_process.c @@ -1718,12 +1718,23 @@ static QDF_STATUS tdls_config_force_peer( } feature = soc_obj->tdls_configs.tdls_feature_flags; - if (!TDLS_IS_EXTERNAL_CONTROL_ENABLED(feature) || + if (!(TDLS_IS_EXTERNAL_CONTROL_ENABLED(feature) || + TDLS_IS_LIBERAL_EXTERNAL_CONTROL_ENABLED(feature)) || !TDLS_IS_IMPLICIT_TRIG_ENABLED(feature)) { tdls_err("TDLS ext ctrl or Imp Trig not enabled, %x", feature); return QDF_STATUS_E_NOSUPPORT; } + /* + * In case of liberal external mode, supplicant will provide peer mac + * address but driver has to behave similar to implict mode ie. + * establish tdls link with any peer that supports tdls and meets stats. + */ + if (TDLS_IS_LIBERAL_EXTERNAL_CONTROL_ENABLED(feature)) { + tdls_debug("liberal mode set"); + return QDF_STATUS_SUCCESS; + } + peer_update_param = qdf_mem_malloc(sizeof(*peer_update_param)); if (!peer_update_param) { tdls_err("memory allocation failed"); @@ -1860,7 +1871,8 @@ QDF_STATUS tdls_process_remove_force_peer(struct tdls_oper_request *req) } feature = soc_obj->tdls_configs.tdls_feature_flags; - if (!TDLS_IS_EXTERNAL_CONTROL_ENABLED(feature) || + if (!(TDLS_IS_EXTERNAL_CONTROL_ENABLED(feature) || + TDLS_IS_LIBERAL_EXTERNAL_CONTROL_ENABLED(feature)) || !TDLS_IS_IMPLICIT_TRIG_ENABLED(feature)) { tdls_err("TDLS ext ctrl or Imp Trig not enabled, %x", feature); status = QDF_STATUS_E_NOSUPPORT; diff --git a/umac/tdls/dispatcher/inc/wlan_tdls_public_structs.h b/umac/tdls/dispatcher/inc/wlan_tdls_public_structs.h index 76d8498392f8..e645f6e1e522 100644 --- a/umac/tdls/dispatcher/inc/wlan_tdls_public_structs.h +++ b/umac/tdls/dispatcher/inc/wlan_tdls_public_structs.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017-2018 The Linux Foundation. All rights reserved. + * Copyright (c) 2017-2018, 2020 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -379,6 +379,11 @@ struct tx_frame { qdf_timer_t tx_timer; }; +enum tdls_configured_external_control { + TDLS_STRICT_EXTERNAL_CONTROL = 1, + TDLS_LIBERAL_EXTERNAL_CONTROL = 2, +}; + /** * enum tdls_feature_bit * @TDLS_FEATURE_OFF_CHANNEL: tdls off channel @@ -388,7 +393,8 @@ struct tx_frame { * @TDLS_FEATURE_SCAN: tdls scan * @TDLS_FEATURE_ENABLE: tdls enabled * @TDLS_FEAUTRE_IMPLICIT_TRIGGER: tdls implicit trigger - * @TDLS_FEATURE_EXTERNAL_CONTROL: tdls external control + * @TDLS_FEATURE_EXTERNAL_CONTROL: enforce strict tdls external control + * @TDLS_FEATURE_LIBERAL_EXTERNAL_CONTROL: liberal external tdls control */ enum tdls_feature_bit { TDLS_FEATURE_OFF_CHANNEL, @@ -398,7 +404,8 @@ enum tdls_feature_bit { TDLS_FEATURE_SCAN, TDLS_FEATURE_ENABLE, TDLS_FEAUTRE_IMPLICIT_TRIGGER, - TDLS_FEATURE_EXTERNAL_CONTROL + TDLS_FEATURE_EXTERNAL_CONTROL, + TDLS_FEATURE_LIBERAL_EXTERNAL_CONTROL, }; #define TDLS_IS_OFF_CHANNEL_ENABLED(flags) \ @@ -417,6 +424,8 @@ enum tdls_feature_bit { CHECK_BIT(flags, TDLS_FEAUTRE_IMPLICIT_TRIGGER) #define TDLS_IS_EXTERNAL_CONTROL_ENABLED(flags) \ CHECK_BIT(flags, TDLS_FEATURE_EXTERNAL_CONTROL) +#define TDLS_IS_LIBERAL_EXTERNAL_CONTROL_ENABLED(flags) \ + CHECK_BIT(flags, TDLS_FEATURE_LIBERAL_EXTERNAL_CONTROL) /** * struct tdls_user_config - TDLS user configuration From e540f109874ed9de10425ba1bfa01636c57d67fd Mon Sep 17 00:00:00 2001 From: Abhishek Ambure Date: Sat, 18 Jul 2020 20:00:19 +0530 Subject: [PATCH 015/386] qcacld-3.0: Don't set mon iface chan if iface is down during SSR After SSR host reinits and as a part of start all adapters host starts monitor mode and sets the channel. To set the channel for monitor mode, host send vdev start command to fw, at the same time host checks for interfaces down during SSR. If the monitor mode is down during SSR, host stops monitor mode adapter and sends vdev delete command to fw. As a result, fw doesn't respond to vdev start command and host receives only vdev delete response. Thus vdev response timer timeout and host triggers self recovery. Hence do not set monitor mode channel if monitor interfaces is down during SSR. Change-Id: Ia381de3e0797e597158f028d7bded5fc33019150 CRs-Fixed: 2733706 --- core/hdd/src/wlan_hdd_main.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c index d724ca64c583..9d222a335790 100644 --- a/core/hdd/src/wlan_hdd_main.c +++ b/core/hdd/src/wlan_hdd_main.c @@ -7454,8 +7454,20 @@ QDF_STATUS hdd_start_all_adapters(struct hdd_context *hdd_ctx) } hdd_start_station_adapter(adapter); hdd_set_mon_rx_cb(adapter->dev); - wlan_hdd_set_mon_chan(adapter, adapter->mon_chan, - adapter->mon_bandwidth); + + /* + * Do not set channel for monitor mode if monitor iface + * went down during SSR, as for set channels host sends + * vdev start command to FW. For the interfaces went + * down during SSR, host stops those adapters by sending + * vdev stop/down/delete commands to FW. So FW doesn't + * sends response for vdev start and vdev start response + * timer expires and thus host triggers ASSERT. + */ + if (!test_bit(DOWN_DURING_SSR, &adapter->event_flags)) + wlan_hdd_set_mon_chan( + adapter, adapter->mon_chan, + adapter->mon_bandwidth); break; default: break; From f0f483b30fbd92656f1abcf55f2ab136d63d8a7a Mon Sep 17 00:00:00 2001 From: snandini Date: Wed, 22 Jul 2020 13:48:42 -0700 Subject: [PATCH 016/386] Release 5.2.03.29N Release 5.2.03.29N Change-Id: I19d3c64bc5c434e0d8706ffb2fcfaab69c73929d CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index 19d39f6bff83..c5b27d8008bc 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "M" +#define QWLAN_VERSION_EXTRA "N" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29M" +#define QWLAN_VERSIONSTR "5.2.03.29N" #endif /* QWLAN_VERSION_H */ From c4bbffaedf87ed28062f7d212d9d364d6cb34fb0 Mon Sep 17 00:00:00 2001 From: Chao Bi Date: Tue, 14 Jul 2020 09:27:21 +0800 Subject: [PATCH 017/386] ARM: dts: msm: Enable PCIe0 for S8155 Single LV GVM Enable PCIe0 device node for S8155 QUIN single LV virtual machine platform. Change-Id: I92fdec754a74b596185154d25e22400e345081d6 Signed-off-by: Chao Bi --- arch/arm64/boot/dts/qcom/sa8155-vm-lv.dtsi | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/sa8155-vm-lv.dtsi b/arch/arm64/boot/dts/qcom/sa8155-vm-lv.dtsi index ae9b50481609..5ef00509798f 100644 --- a/arch/arm64/boot/dts/qcom/sa8155-vm-lv.dtsi +++ b/arch/arm64/boot/dts/qcom/sa8155-vm-lv.dtsi @@ -49,3 +49,11 @@ /delete-property/ qcom,client-id; qcom,client-id = "7816"; }; + +&pcie0_msi { + status = "ok"; +}; + +&pcie0 { + status = "ok"; +}; From 8de7cac603f113579bc977a82fda92f0ad3aabfb Mon Sep 17 00:00:00 2001 From: Jianmin Zhu Date: Thu, 16 Jul 2020 11:53:22 +0800 Subject: [PATCH 018/386] qcacld-3.0: Fix data stall after sta roaming disabled and reconnection When reassociate, roaming is disabled by wpa_supplicant, but RSO stop reason REASON_SUPPLICANT_DISABLED_ROAMING is ignored and roam scan mode isn't cleared to 0 before vdev WMI_ROAM_FW_OFFLOAD_ENABLE_FLAG flag is cleared. Then host can't receive peer unmap/map event when wlan disconnect and reconnect, host dp peer id isn't updated, Rx frames are dropped for peer id mismatch. Fix: When roaming is disabled, make sure roam scan mode is cleared to 0 before vdev WMI_ROAM_FW_OFFLOAD_ENABLE_FLAG flag is cleared. Change-Id: Ia471998cf631948d8ffa701e67fcee22eebb0fa0 CRs-Fixed: 2734351 --- core/wma/src/wma_scan_roam.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/core/wma/src/wma_scan_roam.c b/core/wma/src/wma_scan_roam.c index dd2ed4495b12..8c57061f272a 100644 --- a/core/wma/src/wma_scan_roam.c +++ b/core/wma/src/wma_scan_roam.c @@ -1954,7 +1954,8 @@ QDF_STATUS wma_process_roaming_config(tp_wma_handle wma_handle, if (roam_req->reason == REASON_ROAM_STOP_ALL || roam_req->reason == REASON_DISCONNECTED || - roam_req->reason == REASON_ROAM_SYNCH_FAILED) { + roam_req->reason == REASON_ROAM_SYNCH_FAILED || + roam_req->reason == REASON_SUPPLICANT_DISABLED_ROAMING) { mode = WMI_ROAM_SCAN_MODE_NONE; } else { if (csr_roamIsRoamOffloadEnabled(pMac)) From 674a91294e160dc7aa52ee51e57731c704029480 Mon Sep 17 00:00:00 2001 From: Pragaspathi Thilagaraj Date: Thu, 23 Jul 2020 00:18:23 +0530 Subject: [PATCH 019/386] qcacld-3.0: Flush pmksa cache for SAP when SAP stop In certain case, the active SAP interface will be deleted by __wlan_hdd_del_virtual_intf by upper layer. In that case, Driver should flush pmksa in SAP cache. Change-Id: I9a152df7a4c27aef82664f039fbca18259d6b63a CRs-Fixed: 2635424 --- core/hdd/src/wlan_hdd_main.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c index 9d222a335790..e4c27f0541c5 100644 --- a/core/hdd/src/wlan_hdd_main.c +++ b/core/hdd/src/wlan_hdd_main.c @@ -6308,6 +6308,14 @@ QDF_STATUS hdd_stop_adapter_ext(struct hdd_context *hdd_ctx, /* Diassociate with all the peers before stop ap post */ if (test_bit(SOFTAP_BSS_STARTED, &adapter->event_flags)) wlan_hdd_del_station(adapter); + + qdf_ret_status = + sme_roam_del_pmkid_from_cache(hdd_ctx->mac_handle, + adapter->session_id, + NULL, true); + if (QDF_IS_STATUS_ERROR(qdf_ret_status)) + hdd_err("Cannot flush PMKSA Cache"); + /* Flush IPA exception path packets */ sap_config = &adapter->session.ap.sap_config; if (sap_config) From 0d92ddba8b2cc3f9c1ead65d39de7134e472814f Mon Sep 17 00:00:00 2001 From: snandini Date: Thu, 23 Jul 2020 11:52:46 -0700 Subject: [PATCH 020/386] Release 5.2.03.29O Release 5.2.03.29O Change-Id: I15738e14ba294cfe9466fd4098a0f73f65da4027 CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index c5b27d8008bc..566fef9ebcdf 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "N" +#define QWLAN_VERSION_EXTRA "O" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29N" +#define QWLAN_VERSIONSTR "5.2.03.29O" #endif /* QWLAN_VERSION_H */ From 5bc34e319c87a7d9664264789880aacc20738edc Mon Sep 17 00:00:00 2001 From: gaurank kathpalia Date: Sun, 19 Jul 2020 22:20:49 +0530 Subject: [PATCH 021/386] qcacld-3.0: Free blacklist when user turns off Wifi Free blacklist (BTM etc.) when the user turns off Wifi to let the user connect to the AP again if it got blacklisted because of any reason. Change-Id: Id52b30482244f89939e7e23632df7405c3072ee6 CRs-Fixed: 2736342 --- core/hdd/src/wlan_hdd_main.c | 12 ++++++++++++ core/sme/inc/csr_api.h | 1 + core/sme/inc/sme_api.h | 2 ++ core/sme/src/common/sme_api.c | 7 +++++++ core/sme/src/csr/csr_api_roam.c | 4 ++-- 5 files changed, 24 insertions(+), 2 deletions(-) diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c index e4c27f0541c5..8c79b31a9de9 100644 --- a/core/hdd/src/wlan_hdd_main.c +++ b/core/hdd/src/wlan_hdd_main.c @@ -14121,6 +14121,17 @@ static int wlan_hdd_state_ctrl_param_open(struct inode *inode, return 0; } +static void hdd_inform_wifi_off(void) +{ + struct hdd_context *hdd_ctx = cds_get_context(QDF_MODULE_ID_HDD); + + if (!hdd_ctx) { + hdd_err("Invalid hdd/pdev context"); + return; + } + sme_free_blacklist(hdd_ctx->mac_handle); +} + static ssize_t wlan_hdd_state_ctrl_param_write(struct file *filp, const char __user *user_buf, size_t count, @@ -14139,6 +14150,7 @@ static ssize_t wlan_hdd_state_ctrl_param_write(struct file *filp, if (strncmp(buf, wlan_off_str, strlen(wlan_off_str)) == 0) { pr_debug("Wifi turning off from UI\n"); + hdd_inform_wifi_off(); goto exit; } diff --git a/core/sme/inc/csr_api.h b/core/sme/inc/csr_api.h index db51bfad0a28..42466639fbba 100644 --- a/core/sme/inc/csr_api.h +++ b/core/sme/inc/csr_api.h @@ -1818,6 +1818,7 @@ typedef void (*tCsrTsmStatsCallback)(tAniTrafStrmMetrics tsmMetrics, #endif /* FEATURE_WLAN_ESE */ typedef void (*tCsrSnrCallback)(int8_t snr, uint32_t staId, void *pContext); +void csr_assoc_rej_free_rssi_disallow_list(struct sAniSirGlobal *mac); /** * csr_roam_issue_ft_preauth_req() - Initiate Preauthentication request * @max_ctx: Global MAC context diff --git a/core/sme/inc/sme_api.h b/core/sme/inc/sme_api.h index 8bcaca0bb3f6..f73b17ec3fe2 100644 --- a/core/sme/inc/sme_api.h +++ b/core/sme/inc/sme_api.h @@ -1058,6 +1058,8 @@ uint8_t sme_get_roam_bmiss_final_bcnt(tHalHandle hHal); QDF_STATUS sme_set_roam_beacon_rssi_weight(tHalHandle hHal, uint8_t sessionId, const uint8_t nRoamBeaconRssiWeight); uint8_t sme_get_roam_beacon_rssi_weight(tHalHandle hHal); +void sme_free_blacklist(tHalHandle mac_handle); + /** * sme_get_roam_rssi_diff() - get Roam rssi diff * @mac_handle: The handle returned by mac_open diff --git a/core/sme/src/common/sme_api.c b/core/sme/src/common/sme_api.c index 2c76352cdc2a..ed4269af7af4 100644 --- a/core/sme/src/common/sme_api.c +++ b/core/sme/src/common/sme_api.c @@ -10574,6 +10574,13 @@ QDF_STATUS sme_set_auto_shutdown_timer(tHalHandle hHal, uint32_t timer_val) } #endif +void sme_free_blacklist(tHalHandle mac_handle) +{ + tpAniSirGlobal mac_ctx = PMAC_STRUCT(mac_handle); + + csr_assoc_rej_free_rssi_disallow_list(mac_ctx); +} + #ifdef FEATURE_WLAN_CH_AVOID /* * sme_ch_avoid_update_req() - diff --git a/core/sme/src/csr/csr_api_roam.c b/core/sme/src/csr/csr_api_roam.c index ac17c55867d7..e95ba62f3100 100644 --- a/core/sme/src/csr/csr_api_roam.c +++ b/core/sme/src/csr/csr_api_roam.c @@ -584,7 +584,7 @@ static void csr_close_stats_ll(struct sAniSirGlobal *mac_ctx) * * Return: void */ -static void csr_assoc_rej_free_rssi_disallow_list(struct sAniSirGlobal *mac) +void csr_assoc_rej_free_rssi_disallow_list(struct sAniSirGlobal *mac) { QDF_STATUS status; struct sir_rssi_disallow_lst *cur_node; @@ -603,7 +603,6 @@ static void csr_assoc_rej_free_rssi_disallow_list(struct sAniSirGlobal *mac) cur_lst = next_lst; next_lst = NULL; } - qdf_list_destroy(list); qdf_mutex_release(&mac->roam.rssi_disallow_bssid_lock); } @@ -635,6 +634,7 @@ static QDF_STATUS csr_roam_rssi_disallow_bssid_deinit( struct sAniSirGlobal *mac_ctx) { csr_assoc_rej_free_rssi_disallow_list(mac_ctx); + qdf_list_destroy(&mac_ctx->roam.rssi_disallow_bssid); qdf_mutex_destroy(&mac_ctx->roam.rssi_disallow_bssid_lock); return QDF_STATUS_SUCCESS; } From fc71c9c638179acb31f207d9a44ed586bbe145ce Mon Sep 17 00:00:00 2001 From: snandini Date: Thu, 23 Jul 2020 13:49:15 -0700 Subject: [PATCH 022/386] Release 5.2.03.29P Release 5.2.03.29P Change-Id: I8f479da43c305fd4996ab17fd06fb92c395f7e02 CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index 566fef9ebcdf..12e1c02a01a1 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "O" +#define QWLAN_VERSION_EXTRA "P" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29O" +#define QWLAN_VERSIONSTR "5.2.03.29P" #endif /* QWLAN_VERSION_H */ From 3f39fc4eb8e69994e7084fa78eeeeaa8e75c29b8 Mon Sep 17 00:00:00 2001 From: Prasadarao Durvasula Date: Wed, 22 Jul 2020 19:48:07 +0530 Subject: [PATCH 023/386] drivers: rpmsg: fix to avoid dump stack in rpm-smd driver While rpm driver flushing messages in lpm mode, use rpmsg_trysend instead of rpmsg_send to avoid the dump stack. qcom_smd driver is going to sleep when tx ring buffer is full if rpmsg_send is used while flushing. rpm-smd is using spinlock while flushing the messages. Under spinlock it should not go to sleep. dump stack is shown because of this. Use rpmsg_trysend to avoid showing dump stack. Change-Id: I02ac6c273d49bbfd329c1be9820c53f637052b41 Signed-off-by: Prasadarao Durvasula Signed-off-by: Sivasri Kumar Vanka --- drivers/rpmsg/rpm-smd.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/drivers/rpmsg/rpm-smd.c b/drivers/rpmsg/rpm-smd.c index 9039d1ea1810..4dc6be851466 100644 --- a/drivers/rpmsg/rpm-smd.c +++ b/drivers/rpmsg/rpm-smd.c @@ -707,6 +707,24 @@ static struct msm_rpm_driver_data msm_rpm_data = { .smd_open = COMPLETION_INITIALIZER(msm_rpm_data.smd_open), }; +static int trysend_count = 20; +module_param(trysend_count, int, 0664); +static int msm_rpm_trysend_smd_buffer(char *buf, uint32_t size) +{ + int ret; + int count = 0; + + do { + ret = rpmsg_trysend(rpm->rpm_channel, buf, size); + if (!ret) + break; + udelay(10); + count++; + } while (count < trysend_count); + + return ret; +} + static int msm_rpm_flush_requests(bool print) { struct rb_node *t; @@ -724,7 +742,7 @@ static int msm_rpm_flush_requests(bool print) set_msg_id(s->buf, msm_rpm_get_next_msg_id()); - ret = rpmsg_send(rpm->rpm_channel, s->buf, get_buf_len(s->buf)); + ret = msm_rpm_trysend_smd_buffer(s->buf, get_buf_len(s->buf)); WARN_ON(ret != 0); trace_rpm_smd_send_sleep_set(get_msg_id(s->buf), type, id); From 2176c119e4b6e9a51e4ea353df531fa998c7a1b1 Mon Sep 17 00:00:00 2001 From: Avaneesh Kumar Dwivedi Date: Wed, 3 Jun 2020 14:29:36 +0530 Subject: [PATCH 024/386] defconfig: msm: Disable STACKPROTECTOR_STRONG to compile 32 bit kernel Clang does not support 32 bit kernel compilation with stackprotector strong so disable it. Change-Id: I440801775eceb8c207d6ca0b17ef3d6c87edd85e Signed-off-by: Avaneesh Kumar Dwivedi --- arch/arm/configs/vendor/sdm429-bg-perf_defconfig | 1 - arch/arm/configs/vendor/sdm429-bg_defconfig | 1 - 2 files changed, 2 deletions(-) diff --git a/arch/arm/configs/vendor/sdm429-bg-perf_defconfig b/arch/arm/configs/vendor/sdm429-bg-perf_defconfig index fa92c8e76d54..c4718cb229b7 100644 --- a/arch/arm/configs/vendor/sdm429-bg-perf_defconfig +++ b/arch/arm/configs/vendor/sdm429-bg-perf_defconfig @@ -41,7 +41,6 @@ CONFIG_EMBEDDED=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_PROFILING=y -CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_MODULES=y CONFIG_MODULE_UNLOAD=y CONFIG_MODULE_FORCE_UNLOAD=y diff --git a/arch/arm/configs/vendor/sdm429-bg_defconfig b/arch/arm/configs/vendor/sdm429-bg_defconfig index 167ce3b8f5d0..1e26a8c5a0b5 100644 --- a/arch/arm/configs/vendor/sdm429-bg_defconfig +++ b/arch/arm/configs/vendor/sdm429-bg_defconfig @@ -42,7 +42,6 @@ CONFIG_EMBEDDED=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_PROFILING=y -CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_MODULES=y CONFIG_MODULE_UNLOAD=y CONFIG_MODULE_FORCE_UNLOAD=y From e4c69e81b90baa9718760282af06cadc88b5776d Mon Sep 17 00:00:00 2001 From: Abhinav Kumar Date: Tue, 9 Jun 2020 11:44:47 +0530 Subject: [PATCH 025/386] qcacld-3.0: Allow the driver to process multiple measurement req As per requirement, the driver should able to process up to MAX_MEASUREMENT_REQUEST (5) measurement request in a single beacon report request. Update driver logic to process up to 5 measurement request and make sure the driver should not issue rrm scan for the duplicate channel. Change-Id: Iea3be8a0efef605852ac6b6b54dd06774ac0adac CRs-Fixed: 2712112 --- core/mac/src/pe/include/rrm_api.h | 18 ++++ core/mac/src/pe/include/rrm_global.h | 6 +- core/mac/src/pe/rrm/rrm_api.c | 146 +++++++++++++++++---------- core/sme/src/rrm/sme_rrm.c | 52 +++++++++- 4 files changed, 167 insertions(+), 55 deletions(-) diff --git a/core/mac/src/pe/include/rrm_api.h b/core/mac/src/pe/include/rrm_api.h index f154666d42fd..34bd6f0f64c8 100644 --- a/core/mac/src/pe/include/rrm_api.h +++ b/core/mac/src/pe/include/rrm_api.h @@ -101,4 +101,22 @@ rrm_process_beacon_report_xmit(tpAniSirGlobal pMac, void lim_update_rrm_capability(tpAniSirGlobal mac_ctx, tpSirSmeJoinReq join_req); +/** + * rrm_reject_req - Reject rrm request + * @radiomes_report: radio measurement report + * @rrm_req: Array of Measurement request IEs + * @num_report: Num of report + * @index: Measurement index + * @measurement_type: Measurement Type + * + * Reject the Radio Resource Measurement request, if one is + * already in progress + * + * Return: QDF_STATUS + */ +QDF_STATUS rrm_reject_req(tpSirMacRadioMeasureReport *radiomes_report, + tDot11fRadioMeasurementRequest *rrm_req, + uint8_t *num_report, uint8_t index, + uint8_t measurement_type); + #endif diff --git a/core/mac/src/pe/include/rrm_global.h b/core/mac/src/pe/include/rrm_global.h index 057eab251cc6..378f37afe315 100644 --- a/core/mac/src/pe/include/rrm_global.h +++ b/core/mac/src/pe/include/rrm_global.h @@ -27,7 +27,9 @@ ========================================================================*/ -#define MAX_MEASUREMENT_REQUEST 2 +#define MAX_MEASUREMENT_REQUEST 5 +#define MAX_NUM_CHANNELS 255 + #define DEFAULT_RRM_IDX 0 typedef enum eRrmRetStatus { @@ -218,6 +220,8 @@ typedef struct sRrmPEContext { uint8_t DialogToken; uint16_t prev_rrm_report_seq_num; tpRRMReq pCurrentReq[MAX_MEASUREMENT_REQUEST]; + uint8_t beacon_rpt_chan_list[MAX_NUM_CHANNELS]; + uint8_t beacon_rpt_chan_num; } tRrmPEContext, *tpRrmPEContext; /* 2008 11k spec reference: 18.4.8.5 RCPI Measurement */ diff --git a/core/mac/src/pe/rrm/rrm_api.c b/core/mac/src/pe/rrm/rrm_api.c index c24bb529de42..a9a8898ea47e 100644 --- a/core/mac/src/pe/rrm/rrm_api.c +++ b/core/mac/src/pe/rrm/rrm_api.c @@ -1112,58 +1112,33 @@ QDF_STATUS rrm_process_beacon_req(tpAniSirGlobal mac_ctx, tSirMacAddr peer, tRrmRetStatus rrm_status = eRRM_SUCCESS; tpSirMacRadioMeasureReport report; tpRRMReq curr_req; + QDF_STATUS status = QDF_STATUS_SUCCESS; - if (index >= MAX_MEASUREMENT_REQUEST || - mac_ctx->rrm.rrmPEContext.pCurrentReq[index]) { - if (*radiomes_report == NULL) { - /* - * Allocate memory to send reports for - * any subsequent requests. - */ - *radiomes_report = qdf_mem_malloc(sizeof(*report) * - (rrm_req->num_MeasurementRequest - index)); - if (NULL == *radiomes_report) { - pe_err("Unable to allocate memory during RRM Req processing"); - return QDF_STATUS_E_NOMEM; - } - pe_debug("rrm beacon type refused of %d report in beacon table", - *num_report); - } - report = *radiomes_report; - report[*num_report].refused = 1; - report[*num_report].type = SIR_MAC_RRM_BEACON_TYPE; - report[*num_report].token = - rrm_req->MeasurementRequest[index].measurement_token; - (*num_report)++; - return QDF_STATUS_SUCCESS; - } else { - curr_req = mac_ctx->rrm.rrmPEContext.pCurrentReq[index]; - if (curr_req) { - qdf_mem_free(curr_req); - mac_ctx->rrm.rrmPEContext.pCurrentReq[index] = NULL; - } + if (index >= MAX_MEASUREMENT_REQUEST) { + status = rrm_reject_req(&report, rrm_req, num_report, index, + rrm_req->MeasurementRequest[index]. + measurement_type); + return status; + } - curr_req = qdf_mem_malloc(sizeof(*curr_req)); - if (NULL == curr_req) { - pe_err("Unable to allocate memory during RRM Req processing"); - qdf_mem_free(*radiomes_report); - mac_ctx->rrm.rrmPEContext.pCurrentReq[index] = NULL; - return QDF_STATUS_E_NOMEM; - } - pe_debug("Processing Beacon Report request idx:%d", index); - curr_req->dialog_token = rrm_req->DialogToken.token; - curr_req->token = rrm_req-> - MeasurementRequest[index].measurement_token; - curr_req->sendEmptyBcnRpt = true; - curr_req->measurement_idx = index; - mac_ctx->rrm.rrmPEContext.pCurrentReq[index] = curr_req; - rrm_status = rrm_process_beacon_report_req(mac_ctx, curr_req, - &rrm_req->MeasurementRequest[index], session_entry); - if (eRRM_SUCCESS != rrm_status) { - rrm_process_beacon_request_failure(mac_ctx, - session_entry, peer, rrm_status, index); - rrm_cleanup(mac_ctx, index); - } + curr_req = qdf_mem_malloc(sizeof(*curr_req)); + if (!curr_req) { + mac_ctx->rrm.rrmPEContext.pCurrentReq[index] = NULL; + return QDF_STATUS_E_NOMEM; + } + pe_debug("Processing Beacon Report request %d", index); + curr_req->dialog_token = rrm_req->DialogToken.token; + curr_req->token = + rrm_req->MeasurementRequest[index].measurement_token; + curr_req->sendEmptyBcnRpt = true; + curr_req->measurement_idx = index; + mac_ctx->rrm.rrmPEContext.pCurrentReq[index] = curr_req; + rrm_status = rrm_process_beacon_report_req(mac_ctx, curr_req, + &rrm_req->MeasurementRequest[index], session_entry); + if (eRRM_SUCCESS != rrm_status) { + rrm_process_beacon_request_failure(mac_ctx, + session_entry, peer, rrm_status, index); + rrm_cleanup(mac_ctx, index); } return QDF_STATUS_SUCCESS; @@ -1212,6 +1187,36 @@ QDF_STATUS update_rrm_report(tpAniSirGlobal mac_ctx, return QDF_STATUS_SUCCESS; } +QDF_STATUS rrm_reject_req(tpSirMacRadioMeasureReport *radiomes_report, + tDot11fRadioMeasurementRequest *rrm_req, + uint8_t *num_report, uint8_t index, + uint8_t measurement_type) +{ + tpSirMacRadioMeasureReport report; + + if (!*radiomes_report) { + /* + * Allocate memory to send reports for + * any subsequent requests. + */ + *radiomes_report = qdf_mem_malloc(sizeof(*report) * + (rrm_req->num_MeasurementRequest - index)); + if (!*radiomes_report) + return QDF_STATUS_E_NOMEM; + + pe_debug("rrm beacon refused of %d report, index: %d in beacon table", + *num_report, index); + } + report = *radiomes_report; + report[*num_report].refused = 1; + report[*num_report].type = measurement_type; + report[*num_report].token = + rrm_req->MeasurementRequest[index].measurement_token; + (*num_report)++; + + return QDF_STATUS_SUCCESS; +} + /* -------------------------------------------------------------------- */ /** * rrm_process_radio_measurement_request - Process rrm request @@ -1230,10 +1235,11 @@ rrm_process_radio_measurement_request(tpAniSirGlobal mac_ctx, tDot11fRadioMeasurementRequest *rrm_req, tpPESession session_entry) { - uint8_t i; + uint8_t i, index; QDF_STATUS status = QDF_STATUS_SUCCESS; tpSirMacRadioMeasureReport report = NULL; uint8_t num_report = 0; + bool reject = false; if (!rrm_req->num_MeasurementRequest) { report = qdf_mem_malloc(sizeof(tSirMacRadioMeasureReport)); @@ -1268,6 +1274,39 @@ rrm_process_radio_measurement_request(tpAniSirGlobal mac_ctx, goto end; } + for (index = 0; index < MAX_MEASUREMENT_REQUEST; index++) { + if (mac_ctx->rrm.rrmPEContext.pCurrentReq[index]) { + reject = true; + pe_debug("RRM req for index: %d is already in progress", + index); + break; + } + } + + if (reject == true) { + for (i = 0; i < rrm_req->num_MeasurementRequest; i++) { + status = + rrm_reject_req(&report, rrm_req, &num_report, i, + rrm_req->MeasurementRequest[i]. + measurement_type); + if (QDF_IS_STATUS_ERROR(status)) { + pe_debug("Fail to Reject rrm req for index: %d", + i); + return status; + } + } + + goto end; + } + + /* + * Clear global beacon_rpt_chan_list before processing every new + * beacon report request. + */ + qdf_mem_zero(mac_ctx->rrm.rrmPEContext.beacon_rpt_chan_list, + sizeof(uint8_t) * MAX_NUM_CHANNELS); + mac_ctx->rrm.rrmPEContext.beacon_rpt_chan_num = 0; + for (i = 0; i < rrm_req->num_MeasurementRequest; i++) { switch (rrm_req->MeasurementRequest[i].measurement_type) { case SIR_MAC_RRM_BEACON_TYPE: @@ -1388,9 +1427,10 @@ tpRRMCaps rrm_get_capabilities(tpAniSirGlobal pMac, tpPESession pSessionEntry) QDF_STATUS rrm_initialize(tpAniSirGlobal pMac) { tpRRMCaps pRRMCaps = &pMac->rrm.rrmPEContext.rrmEnabledCaps; + uint8_t i; - pMac->rrm.rrmPEContext.pCurrentReq[0] = NULL; - pMac->rrm.rrmPEContext.pCurrentReq[1] = NULL; + for (i = 0; i < MAX_MEASUREMENT_REQUEST; i++) + pMac->rrm.rrmPEContext.pCurrentReq[i] = NULL; pMac->rrm.rrmPEContext.txMgmtPower = 0; pMac->rrm.rrmPEContext.DialogToken = 0; diff --git a/core/sme/src/rrm/sme_rrm.c b/core/sme/src/rrm/sme_rrm.c index e53ebae4dbf8..02804f6a62c1 100644 --- a/core/sme/src/rrm/sme_rrm.c +++ b/core/sme/src/rrm/sme_rrm.c @@ -1072,13 +1072,19 @@ QDF_STATUS sme_rrm_process_beacon_report_req_ind(tpAniSirGlobal pMac, { tpSirBeaconReportReqInd pBeaconReq = (tpSirBeaconReportReqInd) pMsgBuf; tpRrmSMEContext pSmeRrmContext; - uint32_t len = 0, i = 0; + uint32_t len = 0, i = 0, j = 0; uint8_t country[WNI_CFG_COUNTRY_CODE_LEN]; uint32_t session_id; struct csr_roam_session *session; QDF_STATUS status; + uint8_t local_num_channel, local_bcn_chan_freq; + uint8_t *local_rrm_freq_list; + tRrmPEContext rrm_context; + bool chan_valid = true; pSmeRrmContext = &pMac->rrm.rrmSmeContext[pBeaconReq->measurement_idx]; + rrm_context = pMac->rrm.rrmPEContext; + status = csr_roam_get_session_id_from_bssid(pMac, (struct qdf_mac_addr *) pBeaconReq->bssId, &session_id); @@ -1192,6 +1198,50 @@ QDF_STATUS sme_rrm_process_beacon_report_req_ind(tpAniSirGlobal pMac, } } + local_rrm_freq_list = pSmeRrmContext->channelList.ChannelList; + local_num_channel = 0; + for (i = 0; i < pSmeRrmContext->channelList.numOfChannels; i++) { + local_bcn_chan_freq = local_rrm_freq_list[i]; + chan_valid = true; + + if (pBeaconReq->measurement_idx > 0) { + for (j = 0; j < rrm_context.beacon_rpt_chan_num; j++) { + if (rrm_context.beacon_rpt_chan_list[j] == + local_bcn_chan_freq) { + /* + * Ignore this channel, As this is already + * included in previous request + */ + chan_valid = false; + break; + } + } + } + + if (chan_valid) { + rrm_context. + beacon_rpt_chan_list[rrm_context.beacon_rpt_chan_num] = + local_bcn_chan_freq; + rrm_context.beacon_rpt_chan_num++; + + if (rrm_context.beacon_rpt_chan_num >= + MAX_NUM_CHANNELS) { + /* this should never happen */ + sme_err("Reset beacon_rpt_chan_num : %d", + rrm_context.beacon_rpt_chan_num); + rrm_context.beacon_rpt_chan_num = 0; + } + local_rrm_freq_list[local_num_channel] = + local_bcn_chan_freq; + local_num_channel++; + } + } + + if (local_num_channel == 0) + goto cleanup; + + pSmeRrmContext->channelList.numOfChannels = local_num_channel; + /* Copy session bssid */ qdf_mem_copy(pSmeRrmContext->sessionBssId.bytes, pBeaconReq->bssId, sizeof(tSirMacAddr)); From 9391cf8ad132875dabe53387033a7d4fae24d927 Mon Sep 17 00:00:00 2001 From: snandini Date: Fri, 24 Jul 2020 11:59:00 -0700 Subject: [PATCH 026/386] Release 5.2.03.29Q Release 5.2.03.29Q Change-Id: I452e6f395e8a5bff9f67f78b2327267b0ba3559d CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index 12e1c02a01a1..dafd5bf3e449 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "P" +#define QWLAN_VERSION_EXTRA "Q" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29P" +#define QWLAN_VERSIONSTR "5.2.03.29Q" #endif /* QWLAN_VERSION_H */ From 01eae892f5bc45c64f9eb890d3ba30983b4a8b29 Mon Sep 17 00:00:00 2001 From: spuligil Date: Sat, 25 Jul 2020 18:00:41 -0700 Subject: [PATCH 027/386] fw-api: CL 11145073 - update fw common interface files Change-Id: I6ff07fc440c21b1f1498d425516419ba69855478 WMI: add AP blacklist reason, source, and time to roam msgs CRs-Fixed: 2262693 --- fw/wmi_unified.h | 64 ++++++++++++++++++++++++++++++++++++++++++++++++ fw/wmi_version.h | 2 +- 2 files changed, 65 insertions(+), 1 deletion(-) diff --git a/fw/wmi_unified.h b/fw/wmi_unified.h index 0b53c0b3d248..6bb8e967e5aa 100644 --- a/fw/wmi_unified.h +++ b/fw/wmi_unified.h @@ -14541,6 +14541,30 @@ typedef struct { A_UINT32 btk[ROAM_OFFLOAD_BTK_BYTES>>2]; /* BTK offload. As this 4 byte aligned, we don't declare it as tlv array */ } wmi_roam_ese_offload_tlv_param; +typedef enum { + WMI_BL_REASON_NUD_FAILURE = 1, + WMI_BL_REASON_STA_KICKOUT, + WMI_BL_REASON_ROAM_HO_FAILURE, + /* Assoc resp with status code 71 - POOR RSSI CONDITIONS */ + WMI_BL_REASON_ASSOC_REJECT_POOR_RSSI, + /* Assoc resp with status code 34 - DENIED_POOR_CHANNEL_CONDITIONS */ + WMI_BL_REASON_ASSOC_REJECT_OCE, + WMI_BL_REASON_USERSPACE_BL, + WMI_BL_REASON_USERSPACE_AVOID_LIST, + WMI_BL_REASON_BTM_DIASSOC_IMMINENT, + WMI_BL_REASON_BTM_BSS_TERMINATION, + WMI_BL_REASON_BTM_MBO_RETRY, + /* Reassoc resp with status code 34 - DENIED_POOR_CHANNEL_CONDITIONS */ + WMI_BL_REASON_REASSOC_RSSI_REJECT, + /* Reassoc resp with status code 17 - DENIED_NO_MORE_STAS */ + WMI_BL_REASON_REASSOC_NO_MORE_STAS, +} WMI_BLACKLIST_REASON_ID; + +typedef enum { + WMI_BL_SOURCE_HOST = 1, + WMI_BL_SOURCE_FW, +} WMI_BLACKLIST_SOURCE_ID; + typedef struct { /** TLV tag and len; tag equals WMITLV_TAG_STRUC_wmi_roam_blacklist_with_timeout_tlv_param */ A_UINT32 tlv_header; @@ -14550,6 +14574,18 @@ typedef struct { A_UINT32 timeout; /** rssi (dBm units) when put in blacklist */ A_INT32 rssi; + /* Blacklist reason from WMI_BLACKLIST_REASON_ID */ + A_UINT32 reason; + /* Source of adding AP to BL from WMI_BLACKLIST_SOURCE_ID */ + A_UINT32 source; + /* + * timestamp is the absolute time w.r.t host timer which is synchronized + * between the host and target. + * This timestamp indicates the time when AP added to blacklist. + */ + A_UINT32 timestamp; + /* Original timeout value in milli seconds when AP added to BL */ + A_UINT32 original_timeout; } wmi_roam_blacklist_with_timeout_tlv_param; /** WMI_ROAM_BLACKLIST_EVENT: generated whenever STA needs to move AP to blacklist for a particluar time @@ -28168,6 +28204,18 @@ typedef struct { A_UINT32 remaining_disallow_duration; /** AP will be allowed for candidate, when AP RSSI better than expected RSSI units in dBm */ A_INT32 expected_rssi; + /* Blacklist reason from WMI_BLACKLIST_REASON_ID */ + A_UINT32 reason; + /* Source of adding AP to BL from WMI_BLACKLIST_SOURCE_ID */ + A_UINT32 source; + /* + * timestamp is the absolute time w.r.t host timer which is synchronized + * between the host and target. + * This timestamp indicates the time when AP added to blacklist. + */ + A_UINT32 timestamp; + /* Original timeout value in milli seconds when AP added to BL */ + A_UINT32 original_timeout; } wmi_pdev_bssid_disallow_list_config_param; typedef enum { @@ -28402,6 +28450,10 @@ typedef struct { A_UINT32 vendor_specific1[7]; }; }; + /* BTM BSS termination timeout value in milli seconds */ + A_UINT32 btm_bss_termination_timeout; + /* BTM MBO assoc retry timeout value in milli seconds */ + A_UINT32 btm_mbo_assoc_retry_timeout; } wmi_roam_trigger_reason; typedef struct { @@ -28448,6 +28500,18 @@ typedef struct { A_UINT32 cu_score; /* AP current cu score */ A_UINT32 total_score; /* AP total score */ A_UINT32 etp; /* AP Estimated Throughput (ETP) value in mbps */ + /* Blacklist reason from WMI_BLACKLIST_REASON_ID */ + A_UINT32 bl_reason; + /* Source of adding AP to BL from WMI_BLACKLIST_SOURCE_ID */ + A_UINT32 bl_source; + /* + * timestamp is the absolute time w.r.t host timer which is synchronized + * between the host and target. + * This timestamp indicates the time when AP added to blacklist. + */ + A_UINT32 bl_timestamp; + /* Original timeout value in milli seconds when AP added to BL */ + A_UINT32 bl_original_timeout; } wmi_roam_ap_info; typedef enum { diff --git a/fw/wmi_version.h b/fw/wmi_version.h index a891e5dd59cf..1c9ece2f85a5 100644 --- a/fw/wmi_version.h +++ b/fw/wmi_version.h @@ -36,7 +36,7 @@ #define __WMI_VER_MINOR_ 0 /** WMI revision number has to be incremented when there is a * change that may or may not break compatibility. */ -#define __WMI_REVISION_ 871 +#define __WMI_REVISION_ 872 /** The Version Namespace should not be normally changed. Only * host and firmware of the same WMI namespace will work From 34b5b5ad093e7ce99e90e081268570a2178ae7d4 Mon Sep 17 00:00:00 2001 From: Pankaj Singh Date: Tue, 21 Jul 2020 23:46:09 +0530 Subject: [PATCH 028/386] qcacld-3.0: Extend Tdls external mode config support Current implementation of external mode requires supplicant to send tdls peer mac address. On matching of stats tdls implict link procedure is trigger for configured peer. Fix, to allow both configured peer and other peer that supports tdls to establish the tdls link. Change-Id: I8f65e6dcc9dec565623ac2d8d2c77e12570f8bfb CRs-Fixed: 2733830 --- core/hdd/inc/wlan_hdd_cfg.h | 12 +++++++++--- core/hdd/src/wlan_hdd_main.c | 6 ++++-- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/core/hdd/inc/wlan_hdd_cfg.h b/core/hdd/inc/wlan_hdd_cfg.h index ab04758cfe25..b4df9b53b1cc 100644 --- a/core/hdd/inc/wlan_hdd_cfg.h +++ b/core/hdd/inc/wlan_hdd_cfg.h @@ -6932,7 +6932,7 @@ enum hdd_link_speed_rpt_type { * * gTDLSExternalControl - Enable external TDLS control. * @Min: 0 - * @Max: 1 + * @Max: 2 * @Default: 1 * * This ini is used to enable/disable external TDLS control. @@ -6940,6 +6940,12 @@ enum hdd_link_speed_rpt_type { * control allows a user to add a MAC address of potential TDLS peers so * that the CLD driver can initiate implicit TDLS setup to only those peers * when criteria for TDLS setup (throughput and RSSI threshold) is met. + * There are two flavors of external control supported. If control default + * is set 1 it means strict external control where only for configured + * tdls peer mac address tdls link will be established. If control default + * is set 2 it means liberal tdls external control needed. It means + * tdls link will be established with configured peer mac address as well + * as any other peer which supports tdls. * * Related: gEnableTDLSSupport, gEnableTDLSImplicitTrigger. * @@ -6951,7 +6957,7 @@ enum hdd_link_speed_rpt_type { */ #define CFG_TDLS_EXTERNAL_CONTROL "gTDLSExternalControl" #define CFG_TDLS_EXTERNAL_CONTROL_MIN (0) -#define CFG_TDLS_EXTERNAL_CONTROL_MAX (1) +#define CFG_TDLS_EXTERNAL_CONTROL_MAX (2) #define CFG_TDLS_EXTERNAL_CONTROL_DEFAULT (1) /* @@ -18190,7 +18196,7 @@ struct hdd_config { uint32_t fTDLSRxFrameThreshold; uint32_t fTDLSPuapsdPTIWindow; uint32_t fTDLSPuapsdPTRTimeout; - bool fTDLSExternalControl; + uint8_t fTDLSExternalControl; uint32_t fEnableTDLSOffChannel; uint32_t fEnableTDLSWmmMode; uint8_t fTDLSPrefOffChanNum; diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c index 8c79b31a9de9..7751c71902c0 100644 --- a/core/hdd/src/wlan_hdd_main.c +++ b/core/hdd/src/wlan_hdd_main.c @@ -1184,8 +1184,10 @@ static int hdd_update_tdls_config(struct hdd_context *hdd_ctx) (cfg->fEnableTDLSSupport ? 1 << TDLS_FEATURE_ENABLE : 0) | (cfg->fEnableTDLSImplicitTrigger ? 1 << TDLS_FEAUTRE_IMPLICIT_TRIGGER : 0) | - (cfg->fTDLSExternalControl ? - 1 << TDLS_FEATURE_EXTERNAL_CONTROL : 0)); + (cfg->fTDLSExternalControl & TDLS_STRICT_EXTERNAL_CONTROL ? + 1 << TDLS_FEATURE_EXTERNAL_CONTROL : 0) | + (cfg->fTDLSExternalControl & TDLS_LIBERAL_EXTERNAL_CONTROL ? + 1 << TDLS_FEATURE_LIBERAL_EXTERNAL_CONTROL : 0 )); config->tdls_vdev_nss_2g = GET_VDEV_NSS_CHAIN(cfg->rx_nss_2g, QDF_TDLS_MODE); config->tdls_vdev_nss_5g = GET_VDEV_NSS_CHAIN(cfg->rx_nss_5g, From b726fa2e27f5be377ee99c2b084d1d0e4073071c Mon Sep 17 00:00:00 2001 From: snandini Date: Sun, 26 Jul 2020 07:48:38 -0700 Subject: [PATCH 029/386] Release 5.2.03.29R Release 5.2.03.29R Change-Id: I3012bb9ce3793bf7895a239270abb426e722f417 CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index dafd5bf3e449..5feb6b7d0515 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "Q" +#define QWLAN_VERSION_EXTRA "R" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29Q" +#define QWLAN_VERSIONSTR "5.2.03.29R" #endif /* QWLAN_VERSION_H */ From f43d94665c18f6247daa203760f41b8d1cc5dc6b Mon Sep 17 00:00:00 2001 From: Zhiqiang Tu Date: Mon, 27 Jul 2020 10:54:29 +0800 Subject: [PATCH 030/386] ARM: dts: msm: Disable dma mode for SSC QUPV3 on SA6155P VM Disable dma mode for SSC QUPV3 SPI on SA6155P virtual machine. Change-Id: I80a23d19e6176369daa05e33ec986e93f84fa396 Signed-off-by: Zhiqiang Tu --- arch/arm64/boot/dts/qcom/sa6155p-vm-qupv3.dtsi | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/qcom/sa6155p-vm-qupv3.dtsi b/arch/arm64/boot/dts/qcom/sa6155p-vm-qupv3.dtsi index a3b8ff0bb9ef..5b77a4412e49 100644 --- a/arch/arm64/boot/dts/qcom/sa6155p-vm-qupv3.dtsi +++ b/arch/arm64/boot/dts/qcom/sa6155p-vm-qupv3.dtsi @@ -1,4 +1,4 @@ -/* Copyright (c) 2019, The Linux Foundation. All rights reserved. +/* Copyright (c) 2019-2020, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -426,6 +426,7 @@ pinctrl-1 = <&qupv3_se9_spi_sleep>; spi-max-frequency = <50000000>; qcom,wrapper-core = <&qupv3_2>; + qcom,disable-dma; status = "disabled"; }; @@ -445,6 +446,7 @@ pinctrl-1 = <&qupv3_se10_spi_sleep>; spi-max-frequency = <50000000>; qcom,wrapper-core = <&qupv3_2>; + qcom,disable-dma; status = "disabled"; }; }; From 75d23cd208fb44679a7e26e3f20c4ca3a7572a1b Mon Sep 17 00:00:00 2001 From: Ashish Kumar Dhanotiya Date: Mon, 20 Jul 2020 11:56:31 +0530 Subject: [PATCH 031/386] qcacld-3.0: Complete the wait events out of the lock in ssr Currently When SSR occurs, wait events gets complete in init_deinit lock, there is a case when ssr within ssr occurs the second ssr waits for init deinit mutex lock which is held by the first ssr in the process of reinit, in the reinit there are some events for which there are waits one such event is in htc_wait_recv_ctrl_message api which waits for BMI request/response to complete and because of which the second ssr also waits for the mutex which leads to issues in the modem subsystem. To address above issue, complete the wait events out of the mutex so that when second ssr comes it completes all the wait events before it starts wait on the mutex so that first ssr releases the mutex as it does not wait on any event. Change-Id: Ifdf75a057a585eb4ba744c1145c146f7c6927691 CRs-Fixed: 2735824 --- core/hdd/src/wlan_hdd_driver_ops.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/core/hdd/src/wlan_hdd_driver_ops.c b/core/hdd/src/wlan_hdd_driver_ops.c index d1df160920cf..d5c658f8091e 100644 --- a/core/hdd/src/wlan_hdd_driver_ops.c +++ b/core/hdd/src/wlan_hdd_driver_ops.c @@ -1519,12 +1519,10 @@ static void wlan_hdd_set_the_pld_uevent(struct pld_uevent_data *uevent) { switch (uevent->uevent) { case PLD_RECOVERY: - cds_set_target_ready(false); - cds_set_recovery_in_progress(true); - break; case PLD_FW_DOWN: cds_set_target_ready(false); cds_set_recovery_in_progress(true); + qdf_complete_wait_events(); break; case PLD_FW_HANG_EVENT: break; @@ -1565,17 +1563,13 @@ static void wlan_hdd_handle_the_pld_uevent(struct pld_uevent_data *uevent) switch (uevent->uevent) { case PLD_RECOVERY: - cds_set_target_ready(false); hdd_pld_ipa_uc_shutdown_pipes(); - qdf_complete_wait_events(); break; case PLD_FW_DOWN: - cds_set_target_ready(false); wlan_cfg80211_cleanup_scan_queue(hdd_ctx->pdev, NULL); if (pld_is_fw_rejuvenate(hdd_ctx->parent_dev) && ucfg_ipa_is_enabled()) ucfg_ipa_fw_rejuvenate_send_msg(hdd_ctx->pdev); - qdf_complete_wait_events(); break; case PLD_FW_HANG_EVENT: hdd_info("Received fimrware hang event"); @@ -1633,6 +1627,7 @@ static void wlan_hdd_pld_uevent(struct device *dev, wlan_hdd_set_the_pld_uevent(uevent); hdd_psoc_idle_timer_stop(hdd_ctx); + mutex_lock(&hdd_init_deinit_lock); wlan_hdd_handle_the_pld_uevent(uevent); mutex_unlock(&hdd_init_deinit_lock); From c193c0324b190323a1a605a5078205b55b6adc15 Mon Sep 17 00:00:00 2001 From: snandini Date: Mon, 27 Jul 2020 09:48:26 -0700 Subject: [PATCH 032/386] Release 5.2.03.29S Release 5.2.03.29S Change-Id: I270aa0ca93c3edcd0af6ac94367183a1e9dada2e CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index 5feb6b7d0515..003961371421 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "R" +#define QWLAN_VERSION_EXTRA "S" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29R" +#define QWLAN_VERSIONSTR "5.2.03.29S" #endif /* QWLAN_VERSION_H */ From 4bfc42ae80fcb17f9e87d2533857d204a741e3fa Mon Sep 17 00:00:00 2001 From: Pragaspathi Thilagaraj Date: Tue, 28 Jul 2020 14:00:26 +0530 Subject: [PATCH 033/386] qcacld-3.0: Print current RSSI of AP after roam scan is complete In wma_get_trigger_detail_str() driver prints the roam trigger detail for Low rssi and Periodic scan triggers, the RSSI value of the current AP is the value before roam scan is triggered. But the firmware considers the rssi of the current AP after roam scan is complete to calculate the next RSSI threshold. So there could be mismatch in the current rssi value and next rssi threshold when roam_info->rssi_trig_data.threshold is used to print the current AP rssi. Use roam_info->current_rssi to print the current connected AP rssi in the roam trigger logging. Change-Id: Ib154bb3cbdfe13dbcdd8c8830cdafb6daefa34b5 CRs-Fixed: 2739346 --- core/wma/src/wma_scan_roam.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/core/wma/src/wma_scan_roam.c b/core/wma/src/wma_scan_roam.c index 8c57061f272a..3271058a770f 100644 --- a/core/wma/src/wma_scan_roam.c +++ b/core/wma/src/wma_scan_roam.c @@ -3403,8 +3403,16 @@ wma_get_trigger_detail_str(struct wmi_roam_trigger_info *roam_info, char *buf) return; case WMI_ROAM_TRIGGER_REASON_LOW_RSSI: case WMI_ROAM_TRIGGER_REASON_PERIODIC: - buf_cons = qdf_snprint(temp, buf_left, "Cur_rssi_threshold: %d", - roam_info->rssi_trig_data.threshold); + /* + * Use roam_info->current_rssi get the RSSI of current AP after + * roam scan is triggered. This avoids discrepency with the + * next rssi threshold value printed in roam scan details. + * roam_info->rssi_trig_data.threshold gives the rssi of AP + * before the roam scan was triggered. + */ + buf_cons = qdf_snprint(temp, buf_left, + " Current AP RSSI: %d", + roam_info->current_rssi); temp += buf_cons; buf_left -= buf_cons; return; From d4e268cfb5dfcead6ade956e59bc89c36b7979e0 Mon Sep 17 00:00:00 2001 From: Venkata Rao Kakani Date: Wed, 15 Jul 2020 15:20:32 +0530 Subject: [PATCH 034/386] ARM: dts: msm: enable virtio_blk names Add virtio_blk names to enable naming to virtual disks. Change-Id: Ib53ee385a07dc124cb4be649f3a700213d16a24e Signed-off-by: Venkata Rao Kakani --- .../bindings/soc/qcom/blocknames.txt | 18 ++++++++++++++++++ arch/arm64/boot/dts/qcom/quin-vm-common.dtsi | 10 ++++++++++ 2 files changed, 28 insertions(+) create mode 100644 Documentation/devicetree/bindings/soc/qcom/blocknames.txt diff --git a/Documentation/devicetree/bindings/soc/qcom/blocknames.txt b/Documentation/devicetree/bindings/soc/qcom/blocknames.txt new file mode 100644 index 000000000000..a0f4b39b8eda --- /dev/null +++ b/Documentation/devicetree/bindings/soc/qcom/blocknames.txt @@ -0,0 +1,18 @@ +* rename block devices + +Required properties: + +- compatible: "qcom,blkdev-rename" compatibility string +- actual-dev: Name of the disk assigned by generic driver +- rename-dev: Re-name of the disk to set for disks + +Example: + +rename_blk: rename_blk { + compatible = "qcom,blkdev-rename"; + actual-dev = "vda", "vdb", "vdc", + "vdd", "vde", "vdf", + "vdg", "vdh"; + rename-dev = "la_system", "la_userdata", "la_vendor", + "la_persist", "modem", "bluetooth", + "la_misc", "vbmeta"; diff --git a/arch/arm64/boot/dts/qcom/quin-vm-common.dtsi b/arch/arm64/boot/dts/qcom/quin-vm-common.dtsi index 8c6dc3bebce6..32bf904067fa 100644 --- a/arch/arm64/boot/dts/qcom/quin-vm-common.dtsi +++ b/arch/arm64/boot/dts/qcom/quin-vm-common.dtsi @@ -79,6 +79,16 @@ }; }; }; + + rename_blk: rename_blk { + compatible = "qcom,blkdev-rename"; + actual-dev = "vda", "vdb", "vdc", + "vdd", "vde", "vdf", + "vdg", "vdh"; + rename-dev = "la_system", "la_userdata", "la_vendor", + "la_persist", "modem", "bluetooth", + "la_misc", "vbmeta"; + }; }; &soc { From f7db9e4814c80fd6f8b37e6c11a8369250984a09 Mon Sep 17 00:00:00 2001 From: snandini Date: Tue, 28 Jul 2020 03:47:14 -0700 Subject: [PATCH 035/386] Release 5.2.03.29T Release 5.2.03.29T Change-Id: Idf5116ff69883235c4876ca4117c49c1585cc636 CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index 003961371421..99fac2bdd3a0 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "S" +#define QWLAN_VERSION_EXTRA "T" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29S" +#define QWLAN_VERSIONSTR "5.2.03.29T" #endif /* QWLAN_VERSION_H */ From ae1db3226fd9f85c647e17fb64cd3046282aab25 Mon Sep 17 00:00:00 2001 From: Ashish Kumar Dhanotiya Date: Tue, 28 Jul 2020 18:01:38 +0530 Subject: [PATCH 036/386] qcacmn: Fix KW issue in the regulatory component There is a KW error reported in the function, reg_compute_chan_to_freq. This is because min_chan_range and max_chan_range can be assigned values, that can cause array out of bounds issue. To fix the issue, add explicit range checks against min_chan_range and max_chang_range before iterating through master_chan_list to avoid out of bound access. Change-Id: Id5cd032fb899475720080b29012a6de1b5d4a916 CRs-Fixed: 2727082 --- umac/regulatory/core/src/reg_services.c | 5 +++++ umac/regulatory/dispatcher/inc/reg_services_public_struct.h | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/umac/regulatory/core/src/reg_services.c b/umac/regulatory/core/src/reg_services.c index f1551c36f80f..1baca29531a2 100644 --- a/umac/regulatory/core/src/reg_services.c +++ b/umac/regulatory/core/src/reg_services.c @@ -1911,6 +1911,11 @@ static uint16_t reg_compute_chan_to_freq(struct wlan_objmgr_pdev *pdev, return 0; } + if (min_chan_range < MIN_CHANNEL || max_chan_range > MAX_CHANNEL) { + reg_err("Channel range is invalid"); + return 0; + } + chan_list = pdev_priv_obj->mas_chan_list; for (count = min_chan_range; count <= max_chan_range; count++) { diff --git a/umac/regulatory/dispatcher/inc/reg_services_public_struct.h b/umac/regulatory/dispatcher/inc/reg_services_public_struct.h index b1de2cf75b62..41bcc03473cb 100644 --- a/umac/regulatory/dispatcher/inc/reg_services_public_struct.h +++ b/umac/regulatory/dispatcher/inc/reg_services_public_struct.h @@ -167,6 +167,9 @@ enum channel_enum { NUM_CHANNELS, + MIN_CHANNEL = CHAN_ENUM_1, + MAX_CHANNEL = (NUM_CHANNELS - 1), + MIN_24GHZ_CHANNEL = CHAN_ENUM_1, MAX_24GHZ_CHANNEL = CHAN_ENUM_14, NUM_24GHZ_CHANNELS = (MAX_24GHZ_CHANNEL - MIN_24GHZ_CHANNEL + 1), @@ -235,6 +238,9 @@ enum channel_enum { NUM_CHANNELS, + MIN_CHANNEL = CHAN_ENUM_1, + MAX_CHANNEL = (NUM_CHANNELS - 1), + MIN_24GHZ_CHANNEL = CHAN_ENUM_1, MAX_24GHZ_CHANNEL = CHAN_ENUM_14, NUM_24GHZ_CHANNELS = (MAX_24GHZ_CHANNEL - MIN_24GHZ_CHANNEL + 1), From d17463c4d09eaa6c12c351bf2568ed8b3995f54b Mon Sep 17 00:00:00 2001 From: Jianmin Zhu Date: Fri, 24 Jul 2020 22:31:11 +0800 Subject: [PATCH 037/386] qcacld-3.0: Avoid vdev deleted but roam capability is held In dual sta case, only 1st connected STA has roam capability, If interface wlan1 is down, it's vdev1 is deleted, but roam capability may be held if vdev down isn't sent, then wlan0 and vdev0 can't get roam capability any more. Fix: check wma vdev valid flag when check roam capability, if a vdev has been deleted, the wma vdev valid flag should have be cleared, then always think it has no roam capability, other vdev can get roam capability. Change-Id: I3c818b132c3fd931ffb5e71f16f17610e9c15a28 CRs-Fixed: 2727821 --- core/wma/src/wma_utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/core/wma/src/wma_utils.c b/core/wma/src/wma_utils.c index a9504c7c0360..c484ac3117e4 100644 --- a/core/wma/src/wma_utils.c +++ b/core/wma/src/wma_utils.c @@ -4712,7 +4712,8 @@ static void wma_update_roam_offload_flag(tp_wma_handle wma, uint8_t vdev_id, } for (id = 0; id < wma->max_bssid; id++) { - if (wma->interfaces[id].roam_offload_enabled) + if (wma_is_vdev_valid(id) && + wma->interfaces[id].roam_offload_enabled) roam_offload_vdev_id = id; } From bb6a611b4ad05a60081fd46014b26c2ad192f9a5 Mon Sep 17 00:00:00 2001 From: snandini Date: Wed, 29 Jul 2020 01:46:55 -0700 Subject: [PATCH 038/386] Release 5.2.03.29U Release 5.2.03.29U Change-Id: I82fdcdd7f0ebd2361fae9d912a9447e341bc1f32 CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index 99fac2bdd3a0..cd6a21522db5 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "T" +#define QWLAN_VERSION_EXTRA "U" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29T" +#define QWLAN_VERSIONSTR "5.2.03.29U" #endif /* QWLAN_VERSION_H */ From f22fa317fe17052f427336fd5b12c64bfbe0b723 Mon Sep 17 00:00:00 2001 From: Lakshit Tyagi Date: Fri, 17 Jul 2020 14:03:55 +0530 Subject: [PATCH 039/386] ARM: dts: Update AXI bus votes for EMAC in QCS405 Update ab votes for AXI bus to support bi-directional data rates. Change-Id: If50906e88c00d469da7d976904c61e1d790d9749 Signed-off-by: Lakshit Tyagi --- arch/arm64/boot/dts/qcom/qcs405.dtsi | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/arm64/boot/dts/qcom/qcs405.dtsi b/arch/arm64/boot/dts/qcom/qcs405.dtsi index dfbb2146b1c9..67ecaf2d430a 100644 --- a/arch/arm64/boot/dts/qcom/qcs405.dtsi +++ b/arch/arm64/boot/dts/qcom/qcs405.dtsi @@ -1718,9 +1718,9 @@ qcom,msm-bus,num-paths = <2>; qcom,msm-bus,vectors-KBps = <98 512 0 0>, <1 781 0 0>, /* No vote */ - <98 512 1250 0>, <1 781 0 40000>, /* 10Mbps vote */ - <98 512 12500 0>, <1 781 0 40000>, /* 100Mbps vote */ - <98 512 125000 0>, <1 781 0 40000>; /* 1000Mbps vote */ + <98 512 2500 0>, <1 781 0 40000>, /* 10Mbps vote */ + <98 512 25000 0>, <1 781 0 40000>, /* 100Mbps vote */ + <98 512 250000 0>, <1 781 0 40000>; /* 1000Mbps vote */ qcom,bus-vector-names = "0", "10", "100", "1000"; clocks = <&clock_gcc GCC_ETH_AXI_CLK>, <&clock_gcc GCC_ETH_PTP_CLK>, From 470531c9d6bce3614bfa863f501f4234a90138f3 Mon Sep 17 00:00:00 2001 From: Suresh Kumar Allam Date: Wed, 29 Jul 2020 16:11:25 +0530 Subject: [PATCH 040/386] arm: dts: qcom: add support for bus scaling Add support for bus scaling in qseecom DT node for mdm9607. Change-Id: Idbbc859227b6b1acaf9d378bb30ccf8061b3c4e0 Signed-off-by: Suresh Kumar Allam --- arch/arm64/boot/dts/qcom/mdm9607.dtsi | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/qcom/mdm9607.dtsi b/arch/arm64/boot/dts/qcom/mdm9607.dtsi index a21deb71ecec..285495da97d7 100644 --- a/arch/arm64/boot/dts/qcom/mdm9607.dtsi +++ b/arch/arm64/boot/dts/qcom/mdm9607.dtsi @@ -1679,7 +1679,7 @@ qcom,ce-opp-freq = <100000000>; }; - qcom_seecom: qseecom@87a80000 { + qcom_seecom: qseecom@88000000 { compatible = "qcom,qseecom"; reg = <0x88000000 0x500000>; reg-names = "secapp-region"; @@ -1687,6 +1687,7 @@ qcom,hlos-num-ce-hw-instances = <1>; qcom,hlos-ce-hw-instance = <0>; qcom,qsee-ce-hw-instance = <0>; + qcom,support-bus-scaling; qcom,msm-bus,name = "qseecom-noc"; qcom,msm-bus,num-cases = <4>; qcom,msm-bus,num-paths = <1>; From 52d333c98b7589dcfbad2b531b5efd6900183d66 Mon Sep 17 00:00:00 2001 From: Srikanth Marepalli Date: Thu, 16 Jul 2020 23:26:51 +0530 Subject: [PATCH 041/386] qcacmn: FT-SAE roam fails due to null TLV in RSO Command The commit Ibe64fb346a24962e59ca461c3099270d8766adc5 has missed some changes in 2.0.3 driver, as the propagation did not included all the required mainline changes. And due to the missing change the wmi_roam_11r_offload_tlv_param TLV in RSO command was not filled and hence it resulted in FT-SAE roaming failure. This fix brings in the missing changes that was part of this mainline commit and fixes the FT-SAE roaming. Change-Id: I29699ced7d9e9bf2d2bf675c49f3239a9e1e67f7 CRs-Fixed: 2737095 --- wmi/src/wmi_unified_tlv.c | 192 ++++++++++++++++++++++++-------------- 1 file changed, 123 insertions(+), 69 deletions(-) diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c index 015484e47c06..9b4e8ec1f65c 100644 --- a/wmi/src/wmi_unified_tlv.c +++ b/wmi/src/wmi_unified_tlv.c @@ -6465,12 +6465,61 @@ wmi_fill_sae_single_pmk_param(struct roam_offload_scan_params *params, roam_offload_11i->flags |= 1 << WMI_ROAM_OFFLOAD_FLAG_SAE_SAME_PMKID; } + +/** + * fill_roam_offload_11r_params() - Fill roam scan params to send it to fw + * @auth_mode: Authentication mode + * @roam_offload_11r: TLV to be filled with 11r params + * @roam_req: roam request param + */ +static void +fill_roam_offload_11r_params(u32 auth_mode, + wmi_roam_11r_offload_tlv_param *roam_offload_11r, + struct roam_offload_scan_params *roam_req) +{ + u8 *psk_msk, len; + + if (auth_mode == WMI_AUTH_FT_RSNA_FILS_SHA256 || + auth_mode == WMI_AUTH_FT_RSNA_FILS_SHA384) { + psk_msk = roam_req->roam_fils_params.fils_ft; + len = roam_req->roam_fils_params.fils_ft_len; + } else { + psk_msk = roam_req->psk_pmk; + len = roam_req->pmk_len; + } + + /* + * For SHA384 based akm, the pmk length is 48 bytes. So fill + * first 32 bytes in roam_offload_11r->psk_msk and the remaining + * bytes in roam_offload_11r->psk_msk_ext buffer + */ + roam_offload_11r->psk_msk_len = len > ROAM_OFFLOAD_PSK_MSK_BYTES ? + ROAM_OFFLOAD_PSK_MSK_BYTES : len; + qdf_mem_copy(roam_offload_11r->psk_msk, psk_msk, + roam_offload_11r->psk_msk_len); + roam_offload_11r->psk_msk_ext_len = 0; + + if (len > ROAM_OFFLOAD_PSK_MSK_BYTES) { + roam_offload_11r->psk_msk_ext_len = + len - roam_offload_11r->psk_msk_len; + qdf_mem_copy(roam_offload_11r->psk_msk_ext, + &psk_msk[roam_offload_11r->psk_msk_len], + roam_offload_11r->psk_msk_ext_len); + } +} #else static inline void wmi_fill_sae_single_pmk_param(struct roam_offload_scan_params *params, wmi_roam_11i_offload_tlv_param *roam_offload_11i) { } + +static void +fill_roam_offload_11r_params(u32 auth_mode, + wmi_roam_11r_offload_tlv_param *roam_offload_11r, + struct roam_offload_scan_params *roam_req) +{ +} #endif #define ROAM_OFFLOAD_PMK_EXT_BYTES 16 @@ -6486,10 +6535,10 @@ wmi_fill_sae_single_pmk_param(struct roam_offload_scan_params *params, * * Return: QDF status */ -static QDF_STATUS send_roam_scan_offload_mode_cmd_tlv(wmi_unified_t wmi_handle, - wmi_start_scan_cmd_fixed_param * - scan_cmd_fp, - struct roam_offload_scan_params *roam_req) +static QDF_STATUS +send_roam_scan_offload_mode_cmd_tlv(wmi_unified_t wmi_handle, + wmi_start_scan_cmd_fixed_param *scan_cmd_fp, + struct roam_offload_scan_params *roam_req) { wmi_buf_t buf = NULL; QDF_STATUS status; @@ -6517,58 +6566,61 @@ static QDF_STATUS send_roam_scan_offload_mode_cmd_tlv(wmi_unified_t wmi_handle, sizeof(wmi_start_scan_cmd_fixed_param); #ifdef WLAN_FEATURE_ROAM_OFFLOAD wmi_debug("auth_mode = %d", auth_mode); - if (roam_req->is_roam_req_valid && - roam_req->roam_offload_enabled) { - len += sizeof(wmi_roam_offload_tlv_param); + if (roam_req->is_roam_req_valid && + roam_req->roam_offload_enabled) { + len += sizeof(wmi_roam_offload_tlv_param); + len += WMI_TLV_HDR_SIZE; + if ((auth_mode != WMI_AUTH_NONE) && + ((auth_mode != WMI_AUTH_OPEN) || + (auth_mode == WMI_AUTH_OPEN && + roam_req->mdid.mdie_present && + roam_req->is_11r_assoc) || + roam_req->is_ese_assoc)) { len += WMI_TLV_HDR_SIZE; - if ((auth_mode != WMI_AUTH_NONE) && - ((auth_mode != WMI_AUTH_OPEN) || + if (roam_req->is_ese_assoc) + len += sizeof(wmi_roam_ese_offload_tlv_param); + else if ((auth_mode == WMI_AUTH_FT_RSNA) || + (auth_mode == WMI_AUTH_FT_RSNA_PSK) || + (auth_mode == WMI_AUTH_FT_RSNA_SAE) || + (auth_mode == + WMI_AUTH_FT_RSNA_SUITE_B_8021X_SHA384) || + (auth_mode == + WMI_AUTH_FT_RSNA_FILS_SHA256) || + (auth_mode == + WMI_AUTH_FT_RSNA_FILS_SHA384) || (auth_mode == WMI_AUTH_OPEN && roam_req->mdid.mdie_present && - roam_req->is_11r_assoc) || - roam_req->is_ese_assoc)) { - len += WMI_TLV_HDR_SIZE; - if (roam_req->is_ese_assoc) - len += - sizeof(wmi_roam_ese_offload_tlv_param); - else if (auth_mode == WMI_AUTH_FT_RSNA || - auth_mode == WMI_AUTH_FT_RSNA_PSK || - (auth_mode == WMI_AUTH_OPEN && - roam_req->mdid.mdie_present && - roam_req->is_11r_assoc)) - len += - sizeof(wmi_roam_11r_offload_tlv_param); - else - len += - sizeof(wmi_roam_11i_offload_tlv_param); - } else { - len += WMI_TLV_HDR_SIZE; - } - - len += (sizeof(*assoc_ies) + (2*WMI_TLV_HDR_SIZE) - + roundup(roam_req->assoc_ie_length, - sizeof(uint32_t))); - - if (roam_req->add_fils_tlv) { - fils_tlv_len = sizeof( - wmi_roam_fils_offload_tlv_param); - len += WMI_TLV_HDR_SIZE + fils_tlv_len; - } + roam_req->is_11r_assoc)) + len += sizeof(wmi_roam_11r_offload_tlv_param); + else + len += sizeof(wmi_roam_11i_offload_tlv_param); } else { - if (roam_req->is_roam_req_valid) - WMI_LOGD("%s : roam offload = %d", - __func__, roam_req->roam_offload_enabled); - len += (4 * WMI_TLV_HDR_SIZE); + len += WMI_TLV_HDR_SIZE; } - if (roam_req->is_roam_req_valid && - roam_req->roam_offload_enabled) { - roam_req->mode = roam_req->mode | - WMI_ROAM_SCAN_MODE_ROAMOFFLOAD; + + len += (sizeof(*assoc_ies) + (2 * WMI_TLV_HDR_SIZE) + + roundup(roam_req->assoc_ie_length, sizeof(uint32_t))); + + if (roam_req->add_fils_tlv) { + fils_tlv_len = sizeof(wmi_roam_fils_offload_tlv_param); + len += WMI_TLV_HDR_SIZE + fils_tlv_len; } + } else { + if (roam_req->is_roam_req_valid) + WMI_LOGD("%s : roam offload = %d", __func__, + roam_req->roam_offload_enabled); + else + WMI_LOGD("%s : roam_req is NULL", __func__); + + len += (4 * WMI_TLV_HDR_SIZE); + } + + if (roam_req->is_roam_req_valid && roam_req->roam_offload_enabled) + roam_req->mode |= WMI_ROAM_SCAN_MODE_ROAMOFFLOAD; #endif /* WLAN_FEATURE_ROAM_OFFLOAD */ - if (roam_req->mode == (WMI_ROAM_SCAN_MODE_NONE - |WMI_ROAM_SCAN_MODE_ROAMOFFLOAD)) + if (roam_req->mode == + (WMI_ROAM_SCAN_MODE_NONE | WMI_ROAM_SCAN_MODE_ROAMOFFLOAD)) len = sizeof(wmi_roam_scan_mode_fixed_param); buf = wmi_buf_alloc(wmi_handle, len); @@ -6582,7 +6634,7 @@ static QDF_STATUS send_roam_scan_offload_mode_cmd_tlv(wmi_unified_t wmi_handle, WMITLV_SET_HDR(&roam_scan_mode_fp->tlv_header, WMITLV_TAG_STRUC_wmi_roam_scan_mode_fixed_param, WMITLV_GET_STRUCT_TLVLEN - (wmi_roam_scan_mode_fixed_param)); + (wmi_roam_scan_mode_fixed_param)); roam_scan_mode_fp->min_delay_roam_trigger_reason_bitmask = roam_req->roam_trigger_reason_bitmask; @@ -6590,8 +6642,8 @@ static QDF_STATUS send_roam_scan_offload_mode_cmd_tlv(wmi_unified_t wmi_handle, WMI_SEC_TO_MSEC(roam_req->min_delay_btw_roam_scans); roam_scan_mode_fp->roam_scan_mode = roam_req->mode; roam_scan_mode_fp->vdev_id = roam_req->vdev_id; - if (roam_req->mode == (WMI_ROAM_SCAN_MODE_NONE | - WMI_ROAM_SCAN_MODE_ROAMOFFLOAD)) { + if (roam_req->mode == + (WMI_ROAM_SCAN_MODE_NONE | WMI_ROAM_SCAN_MODE_ROAMOFFLOAD)) { roam_scan_mode_fp->flags |= WMI_ROAM_SCAN_MODE_FLAG_REPORT_STATUS; goto send_roam_scan_mode_cmd; @@ -6607,7 +6659,7 @@ static QDF_STATUS send_roam_scan_offload_mode_cmd_tlv(wmi_unified_t wmi_handle, WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_STRUC_wmi_start_scan_cmd_fixed_param, WMITLV_GET_STRUCT_TLVLEN - (wmi_start_scan_cmd_fixed_param)); + (wmi_start_scan_cmd_fixed_param)); #ifdef WLAN_FEATURE_ROAM_OFFLOAD buf_ptr += sizeof(wmi_start_scan_cmd_fixed_param); if (roam_req->is_roam_req_valid && roam_req->roam_offload_enabled) { @@ -6688,11 +6740,18 @@ static QDF_STATUS send_roam_scan_offload_mode_cmd_tlv(wmi_unified_t wmi_handle, (wmi_roam_ese_offload_tlv_param)); buf_ptr += sizeof(wmi_roam_ese_offload_tlv_param); - } else if (auth_mode == WMI_AUTH_FT_RSNA - || auth_mode == WMI_AUTH_FT_RSNA_PSK - || (auth_mode == WMI_AUTH_OPEN - && roam_req->mdid.mdie_present && - roam_req->is_11r_assoc)) { + } else if (auth_mode == WMI_AUTH_FT_RSNA || + auth_mode == WMI_AUTH_FT_RSNA_PSK || + auth_mode == WMI_AUTH_FT_RSNA_SAE || + (auth_mode == + WMI_AUTH_FT_RSNA_SUITE_B_8021X_SHA384) || + (auth_mode == + WMI_AUTH_FT_RSNA_FILS_SHA256) || + (auth_mode == + WMI_AUTH_FT_RSNA_FILS_SHA384) || + (auth_mode == WMI_AUTH_OPEN && + roam_req->mdid.mdie_present && + roam_req->is_11r_assoc)) { WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_ARRAY_STRUC, 0); buf_ptr += WMI_TLV_HDR_SIZE; @@ -6706,11 +6765,9 @@ static QDF_STATUS send_roam_scan_offload_mode_cmd_tlv(wmi_unified_t wmi_handle, qdf_mem_copy(roam_offload_11r->r0kh_id, roam_req->rokh_id, roam_offload_11r->r0kh_id_len); - qdf_mem_copy(roam_offload_11r->psk_msk, - roam_req->psk_pmk, - sizeof(roam_req->psk_pmk)); - roam_offload_11r->psk_msk_len = - roam_req->pmk_len; + fill_roam_offload_11r_params(auth_mode, + roam_offload_11r, + roam_req); roam_offload_11r->mdie_present = roam_req->mdid.mdie_present; roam_offload_11r->mdid = @@ -6732,8 +6789,9 @@ static QDF_STATUS send_roam_scan_offload_mode_cmd_tlv(wmi_unified_t wmi_handle, WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_ARRAY_STRUC, WMITLV_GET_STRUCT_TLVLEN(0)); buf_ptr += WMI_TLV_HDR_SIZE; - WMI_LOGD("psk_msk_len = %d", - roam_offload_11r->psk_msk_len); + WMI_LOGD("psk_msk_len = %d psk_msk_ext:%d", + roam_offload_11r->psk_msk_len, + roam_offload_11r->psk_msk_ext_len); if (roam_offload_11r->psk_msk_len) QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_WMI, QDF_TRACE_LEVEL_DEBUG, @@ -6866,12 +6924,8 @@ send_roam_scan_mode_cmd: wmi_mtrace(WMI_ROAM_SCAN_MODE, NO_SESSION, 0); status = wmi_unified_cmd_send(wmi_handle, buf, len, WMI_ROAM_SCAN_MODE); - if (QDF_IS_STATUS_ERROR(status)) { - WMI_LOGE( - "wmi_unified_cmd_send WMI_ROAM_SCAN_MODE returned Error %d", - status); + if (QDF_IS_STATUS_ERROR(status)) wmi_buf_free(buf); - } return status; } From bcfbb4ebdac1f1420d7e15fe131772edda695bc4 Mon Sep 17 00:00:00 2001 From: Wyes Karny Date: Mon, 6 Jul 2020 22:17:22 +0530 Subject: [PATCH 042/386] msm: camera: isp: Dumping state monitor array to debug logs During dumping state monitor array info logs, tasklet is taking more time to print the logs, that is causing delay in processing the next irqs in the tasklet. This is causing the isp state going to bubble state repeatedly. So changing the dump state monitor array logs to debug logs. Change-Id: Id58d6b3aa7e7da4338ef2f69c6b76e4c1477efbc Signed-off-by: Wyes Karny --- drivers/media/platform/msm/camera/cam_isp/cam_isp_context.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/msm/camera/cam_isp/cam_isp_context.c b/drivers/media/platform/msm/camera/cam_isp/cam_isp_context.c index 78d9a6637135..0ac45e3565d5 100644 --- a/drivers/media/platform/msm/camera/cam_isp/cam_isp_context.c +++ b/drivers/media/platform/msm/camera/cam_isp/cam_isp_context.c @@ -228,7 +228,7 @@ static void __cam_isp_ctx_dump_state_monitor_array( ctx_monitor = ctx_isp->cam_isp_ctx_state_monitor; if (log_rate_limit) - CAM_INFO_RATE_LIMIT_CUSTOM(CAM_ISP, 5, 20, + CAM_DBG(CAM_ISP, "Dumping state information for preceding requests"); else CAM_INFO(CAM_ISP, @@ -241,7 +241,7 @@ static void __cam_isp_ctx_dump_state_monitor_array( CAM_ISP_CTX_STATE_MONITOR_MAX_ENTRIES); if (log_rate_limit) { - CAM_INFO_RATE_LIMIT_CUSTOM(CAM_ISP, 5, 20, + CAM_DBG(CAM_ISP, "time[%lld] last reported req_id[%u] frame id[%lld] applied id[%lld] current state[%s] next state[%s] hw_event[%s]", ctx_monitor[index].evt_time_stamp, ctx_monitor[index].last_reported_id, From a76a30ae88d4dc9165c703310c8c48b264b1f8cd Mon Sep 17 00:00:00 2001 From: Ajay Agarwal Date: Thu, 30 Jul 2020 12:23:02 +0530 Subject: [PATCH 043/386] defconfig: sa515m: Disable UAC driver USB Audio Class feature is not required on SA515. Disable it. Change-Id: I50687621de2ced647db67f3d7b2c851a875c261a Signed-off-by: Ajay Agarwal --- arch/arm/configs/vendor/sa515m-perf_defconfig | 1 - arch/arm/configs/vendor/sa515m_defconfig | 1 - 2 files changed, 2 deletions(-) diff --git a/arch/arm/configs/vendor/sa515m-perf_defconfig b/arch/arm/configs/vendor/sa515m-perf_defconfig index 8b002ff2c108..9b01e9f0a689 100644 --- a/arch/arm/configs/vendor/sa515m-perf_defconfig +++ b/arch/arm/configs/vendor/sa515m-perf_defconfig @@ -322,7 +322,6 @@ CONFIG_USB_CONFIGFS_RNDIS=y CONFIG_USB_CONFIGFS_MASS_STORAGE=y CONFIG_USB_CONFIGFS_F_FS=y CONFIG_USB_CONFIGFS_UEVENT=y -CONFIG_USB_CONFIGFS_F_UAC1=y CONFIG_USB_CONFIGFS_F_DIAG=y CONFIG_USB_CONFIGFS_F_CDEV=y CONFIG_USB_CONFIGFS_F_GSI=y diff --git a/arch/arm/configs/vendor/sa515m_defconfig b/arch/arm/configs/vendor/sa515m_defconfig index 98c80cfb7720..bc64df02ed11 100644 --- a/arch/arm/configs/vendor/sa515m_defconfig +++ b/arch/arm/configs/vendor/sa515m_defconfig @@ -324,7 +324,6 @@ CONFIG_USB_CONFIGFS_RNDIS=y CONFIG_USB_CONFIGFS_MASS_STORAGE=y CONFIG_USB_CONFIGFS_F_FS=y CONFIG_USB_CONFIGFS_UEVENT=y -CONFIG_USB_CONFIGFS_F_UAC1=y CONFIG_USB_CONFIGFS_F_DIAG=y CONFIG_USB_CONFIGFS_F_CDEV=y CONFIG_USB_CONFIGFS_F_GSI=y From 0d91355e54e7c2783ae581170533746dec9d8f9b Mon Sep 17 00:00:00 2001 From: Utkarsh Bhatnagar Date: Mon, 27 Jul 2020 12:24:25 +0530 Subject: [PATCH 044/386] qcacld-3.0: Add pointer sanity check for sta_ds In lim_process_assoc_cleanup, Add pointer sanity check for sta_ds Change-Id: I74ad0e11213c0bec1473984f312f18b5f1082082 CRs-Fixed: 2743614 --- core/mac/src/pe/lim/lim_process_assoc_req_frame.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/mac/src/pe/lim/lim_process_assoc_req_frame.c b/core/mac/src/pe/lim/lim_process_assoc_req_frame.c index 78ab23f5b9b1..5cf505bd1af2 100644 --- a/core/mac/src/pe/lim/lim_process_assoc_req_frame.c +++ b/core/mac/src/pe/lim/lim_process_assoc_req_frame.c @@ -1854,7 +1854,7 @@ void lim_process_assoc_cleanup(tpAniSirGlobal mac_ctx, qdf_mem_free(assoc_req); /* to avoid double free */ - if (assoc_req_copied && session->parsedAssocReq) + if (sta_ds && assoc_req_copied && session->parsedAssocReq) session->parsedAssocReq[sta_ds->assocId] = NULL; } From f8eff39d5cead7ffca7407e60e97326b5a8bf979 Mon Sep 17 00:00:00 2001 From: snandini Date: Thu, 30 Jul 2020 07:47:56 -0700 Subject: [PATCH 045/386] Release 5.2.03.29V Release 5.2.03.29V Change-Id: Ia18a7663f477ea8a288aac675b63b35f7d1713b1 CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index cd6a21522db5..3579a10030d8 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "U" +#define QWLAN_VERSION_EXTRA "V" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29U" +#define QWLAN_VERSIONSTR "5.2.03.29V" #endif /* QWLAN_VERSION_H */ From ba41a303200fd02666abe548e25c2f484d1c06da Mon Sep 17 00:00:00 2001 From: Chetan C R Date: Wed, 1 Jul 2020 17:08:40 +0530 Subject: [PATCH 046/386] ARM: dts: msm: add rpmcc header for SDM660 Add rpmcc header in usbc-audio-mtp-overlay support for SDM660 target. Change-Id: Id30ef53f945c9fda69e8634cc6a422369fecb830 Signed-off-by: Chetan C R --- arch/arm64/boot/dts/qcom/sdm660-usbc-audio-mtp-overlay.dts | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/qcom/sdm660-usbc-audio-mtp-overlay.dts b/arch/arm64/boot/dts/qcom/sdm660-usbc-audio-mtp-overlay.dts index 661437a49e92..20ec19a543e7 100644 --- a/arch/arm64/boot/dts/qcom/sdm660-usbc-audio-mtp-overlay.dts +++ b/arch/arm64/boot/dts/qcom/sdm660-usbc-audio-mtp-overlay.dts @@ -13,6 +13,7 @@ /dts-v1/; /plugin/; #include +#include #include "sdm660-mtp.dtsi" #include "sdm660-external-codec.dtsi" From b3201eeadff46a22d1a485a398424a80c2c56e26 Mon Sep 17 00:00:00 2001 From: "Jinesh K. Jayakumar" Date: Mon, 20 Jul 2020 23:41:21 -0400 Subject: [PATCH 047/386] msm: ipa: eth: Prevent suspend for 2 seconds after device resume Hold wake lock for 2 seconds after a device resume for allowing the device to settle and link interrupts to arrive after a resume. Change-Id: I91fd3d689895a9526d66d613a273cb7cc231fb2e Signed-off-by: Jinesh K. Jayakumar --- .../msm/ipa/ipa_v3/ethernet/ipa_eth.c | 7 +++-- .../msm/ipa/ipa_v3/ethernet/ipa_eth_i.h | 30 +++++++++++++++++-- .../msm/ipa/ipa_v3/ethernet/ipa_eth_pci.c | 6 ++-- 3 files changed, 35 insertions(+), 8 deletions(-) diff --git a/drivers/platform/msm/ipa/ipa_v3/ethernet/ipa_eth.c b/drivers/platform/msm/ipa/ipa_v3/ethernet/ipa_eth.c index 8a64c5a6e7b1..71c7c6ffbad7 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ethernet/ipa_eth.c +++ b/drivers/platform/msm/ipa/ipa_v3/ethernet/ipa_eth.c @@ -571,9 +571,10 @@ static int ipa_eth_pm_notifier_event_suspend_prepare( * and reverts the device suspension by aborting the system suspend. */ if (ipa_eth_net_check_active(eth_dev)) { - pr_info("%s: %s is active, preventing suspend for some time", - IPA_ETH_SUBSYS, eth_dev->net_dev->name); - ipa_eth_dev_wakeup_event(eth_dev); + pr_info("%s: %s is active, preventing suspend for %u ms", + IPA_ETH_SUBSYS, eth_dev->net_dev->name, + IPA_ETH_WAKE_TIME_MS); + pm_wakeup_dev_event(eth_dev->dev, IPA_ETH_WAKE_TIME_MS, false); return NOTIFY_BAD; } diff --git a/drivers/platform/msm/ipa/ipa_v3/ethernet/ipa_eth_i.h b/drivers/platform/msm/ipa/ipa_v3/ethernet/ipa_eth_i.h index f92da41cd7aa..2ffc31c27da7 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ethernet/ipa_eth_i.h +++ b/drivers/platform/msm/ipa/ipa_v3/ethernet/ipa_eth_i.h @@ -35,8 +35,12 @@ #define IPA_ETH_IPC_LOGDBG_DEFAULT false #endif +/* Time to remain awake after a suspend abort due to NIC activity */ #define IPA_ETH_WAKE_TIME_MS 500 +/* Time for NIC HW to settle down (ex. receive link interrupt) after a resume */ +#define IPA_ETH_RESUME_SETTLE_MS 2000 + #define IPA_ETH_PFDEV (ipa3_ctx ? ipa3_ctx->pdev : NULL) #define IPA_ETH_SUBSYS "ipa_eth" @@ -161,9 +165,31 @@ extern bool ipa_eth_ipc_logdbg; bool ipa_eth_is_ready(void); bool ipa_eth_all_ready(void); -static inline void ipa_eth_dev_wakeup_event(struct ipa_eth_device *eth_dev) +static inline void ipa_eth_dev_assume_active_ms( + struct ipa_eth_device *eth_dev, + unsigned int msec) { - pm_wakeup_dev_event(eth_dev->dev, IPA_ETH_WAKE_TIME_MS, false); + eth_dev_priv(eth_dev)->assume_active += + DIV_ROUND_UP(msec, IPA_ETH_WAKE_TIME_MS); + pm_system_wakeup(); +} + +static inline void ipa_eth_dev_assume_active_inc( + struct ipa_eth_device *eth_dev, + unsigned int count) +{ + eth_dev_priv(eth_dev)->assume_active += count; + pm_system_wakeup(); +} + +static inline void ipa_eth_dev_assume_active_dec( + struct ipa_eth_device *eth_dev, + unsigned int count) +{ + if (eth_dev_priv(eth_dev)->assume_active > count) + eth_dev_priv(eth_dev)->assume_active -= count; + else + eth_dev_priv(eth_dev)->assume_active = 0; } struct ipa_eth_device *ipa_eth_alloc_device( diff --git a/drivers/platform/msm/ipa/ipa_v3/ethernet/ipa_eth_pci.c b/drivers/platform/msm/ipa/ipa_v3/ethernet/ipa_eth_pci.c index 1095306b009f..80f4a80b7181 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ethernet/ipa_eth_pci.c +++ b/drivers/platform/msm/ipa/ipa_v3/ethernet/ipa_eth_pci.c @@ -374,7 +374,7 @@ static int ipa_eth_pci_suspend_late_handler(struct device *dev) IPA_ETH_SUBSYS, eth_dev->net_dev->name); /* Have PM_SUSPEND_PREPARE give us one wakeup time quanta */ - eth_dev_priv(eth_dev)->assume_active++; + ipa_eth_dev_assume_active_inc(eth_dev, 1); return -EAGAIN; } @@ -428,8 +428,8 @@ static int ipa_eth_pci_resume_handler(struct device *dev) "Device resume delegated to net driver"); rc = eth_dev_pm_ops(eth_dev)->resume(dev); - /* Give some time after a resume for the device to settle */ - eth_dev_priv(eth_dev)->assume_active++; + /* Give some time for device to settle after a resume */ + ipa_eth_dev_assume_active_ms(eth_dev, IPA_ETH_RESUME_SETTLE_MS); } if (rc) From a421185cff92caf154bdc97960ff2f0343b1d95a Mon Sep 17 00:00:00 2001 From: Ashok Vuyyuru Date: Fri, 17 Jul 2020 11:39:09 +0530 Subject: [PATCH 048/386] msm: ipa3: Configure correct aggeragtion byte limit IPA HW will treat aggeragtion byte limit value 1 consider as 1K. Adding changes to configuring the aggeragtion byte value w.r.t IPA HW requirement. Change-Id: Ibe9353a39971296f7e4b04f30039457c07c63033 Signed-off-by: Ashok Vuyyuru --- drivers/platform/msm/ipa/ipa_v3/ipa_odl.c | 4 +++- drivers/platform/msm/ipa/ipa_v3/ipa_odl.h | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_odl.c b/drivers/platform/msm/ipa/ipa_v3/ipa_odl.c index 384a06520911..c0a0d1150060 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_odl.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_odl.c @@ -627,7 +627,9 @@ static long ipa_adpl_ioctl(struct file *filp, switch (cmd) { case IPA_IOC_ODL_GET_AGG_BYTE_LIMIT: odl_pipe_info.agg_byte_limit = - ipa3_odl_ctx->odl_sys_param.ipa_ep_cfg.aggr.aggr_byte_limit; + /*Modem expecting value in bytes. so passing 15 = 15*1024*/ + (ipa3_odl_ctx->odl_sys_param.ipa_ep_cfg.aggr.aggr_byte_limit * + 1024); if (copy_to_user((void __user *)arg, &odl_pipe_info, sizeof(odl_pipe_info))) { retval = -EFAULT; diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_odl.h b/drivers/platform/msm/ipa/ipa_v3/ipa_odl.h index 2aedda4d6b28..c8fb2df487c0 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_odl.h +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_odl.h @@ -13,7 +13,7 @@ #ifndef _IPA3_ODL_H_ #define _IPA3_ODL_H_ -#define IPA_ODL_AGGR_BYTE_LIMIT (15 * 1024) +#define IPA_ODL_AGGR_BYTE_LIMIT 15 #define IPA_ODL_RX_RING_SIZE 192 #define MAX_QUEUE_TO_ODL 1024 #define CONFIG_SUCCESS 1 From 13c2a11be9d93c7beb950b1a02179c60ac812a6e Mon Sep 17 00:00:00 2001 From: Swetha Chikkaboraiah Date: Wed, 22 Jul 2020 18:30:52 +0530 Subject: [PATCH 049/386] defconfig: Sync with Android-4.14 configs atoll, sm6150, sm8150, trinket configuration to be in sync with Android-4.14 configs. Change-Id: I434a3402084dbbbfc063476dacfaa17a534fe254 Signed-off-by: Swetha Chikkaboraiah --- arch/arm64/configs/vendor/atoll-perf_defconfig | 2 ++ arch/arm64/configs/vendor/atoll_defconfig | 2 ++ arch/arm64/configs/vendor/sdmsteppe-perf_defconfig | 2 ++ arch/arm64/configs/vendor/sdmsteppe_defconfig | 2 ++ arch/arm64/configs/vendor/sm8150-perf_defconfig | 2 ++ arch/arm64/configs/vendor/sm8150_defconfig | 2 ++ arch/arm64/configs/vendor/trinket-perf_defconfig | 2 ++ arch/arm64/configs/vendor/trinket_defconfig | 2 ++ 8 files changed, 16 insertions(+) diff --git a/arch/arm64/configs/vendor/atoll-perf_defconfig b/arch/arm64/configs/vendor/atoll-perf_defconfig index b1e9f28548a5..e210e133ba58 100644 --- a/arch/arm64/configs/vendor/atoll-perf_defconfig +++ b/arch/arm64/configs/vendor/atoll-perf_defconfig @@ -660,6 +660,7 @@ CONFIG_QCOM_LLCC_PMU=y CONFIG_RAS=y CONFIG_ANDROID=y CONFIG_ANDROID_BINDER_IPC=y +CONFIG_ANDROID_BINDERFS=y CONFIG_QCOM_QFPROM=y CONFIG_NVMEM_SPMI_SDAM=y CONFIG_SENSORS_SSC=y @@ -720,6 +721,7 @@ CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y CONFIG_SECURITY=y CONFIG_HARDENED_USERCOPY=y CONFIG_FORTIFY_SOURCE=y +CONFIG_STATIC_USERMODEHELPER=y CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SMACK=y CONFIG_CRYPTO_GCM=y diff --git a/arch/arm64/configs/vendor/atoll_defconfig b/arch/arm64/configs/vendor/atoll_defconfig index fbef2f880c30..b29571e95795 100644 --- a/arch/arm64/configs/vendor/atoll_defconfig +++ b/arch/arm64/configs/vendor/atoll_defconfig @@ -690,6 +690,7 @@ CONFIG_QCOM_LLCC_PMU=y CONFIG_RAS=y CONFIG_ANDROID=y CONFIG_ANDROID_BINDER_IPC=y +CONFIG_ANDROID_BINDERFS=y CONFIG_QCOM_QFPROM=y CONFIG_NVMEM_SPMI_SDAM=y CONFIG_SENSORS_SSC=y @@ -808,6 +809,7 @@ CONFIG_SECURITY=y CONFIG_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY_PAGESPAN=y CONFIG_FORTIFY_SOURCE=y +CONFIG_STATIC_USERMODEHELPER=y CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SMACK=y CONFIG_CRYPTO_GCM=y diff --git a/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig b/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig index f047816a92f1..78a7083ede12 100644 --- a/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig +++ b/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig @@ -639,6 +639,7 @@ CONFIG_QCOM_LLCC_PMU=y CONFIG_RAS=y CONFIG_ANDROID=y CONFIG_ANDROID_BINDER_IPC=y +CONFIG_ANDROID_BINDERFS=y CONFIG_NVMEM_SPMI_SDAM=y CONFIG_SENSORS_SSC=y CONFIG_ESOC=y @@ -698,6 +699,7 @@ CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y CONFIG_SECURITY=y CONFIG_HARDENED_USERCOPY=y CONFIG_FORTIFY_SOURCE=y +CONFIG_STATIC_USERMODEHELPER=y CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SMACK=y CONFIG_CRYPTO_GCM=y diff --git a/arch/arm64/configs/vendor/sdmsteppe_defconfig b/arch/arm64/configs/vendor/sdmsteppe_defconfig index 08f1335b7e42..1a19ceae68c9 100644 --- a/arch/arm64/configs/vendor/sdmsteppe_defconfig +++ b/arch/arm64/configs/vendor/sdmsteppe_defconfig @@ -676,6 +676,7 @@ CONFIG_QCOM_LLCC_PMU=y CONFIG_RAS=y CONFIG_ANDROID=y CONFIG_ANDROID_BINDER_IPC=y +CONFIG_ANDROID_BINDERFS=y CONFIG_NVMEM_SPMI_SDAM=y CONFIG_SENSORS_SSC=y CONFIG_ESOC=y @@ -793,6 +794,7 @@ CONFIG_SECURITY=y CONFIG_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY_PAGESPAN=y CONFIG_FORTIFY_SOURCE=y +CONFIG_STATIC_USERMODEHELPER=y CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SMACK=y CONFIG_CRYPTO_GCM=y diff --git a/arch/arm64/configs/vendor/sm8150-perf_defconfig b/arch/arm64/configs/vendor/sm8150-perf_defconfig index 8a28cd1b66cb..ae15a4356331 100644 --- a/arch/arm64/configs/vendor/sm8150-perf_defconfig +++ b/arch/arm64/configs/vendor/sm8150-perf_defconfig @@ -647,6 +647,7 @@ CONFIG_QCOM_LLCC_PMU=y CONFIG_RAS=y CONFIG_ANDROID=y CONFIG_ANDROID_BINDER_IPC=y +CONFIG_ANDROID_BINDERFS=y CONFIG_NVMEM_SPMI_SDAM=y CONFIG_SENSORS_SSC=y CONFIG_ESOC=y @@ -708,6 +709,7 @@ CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y CONFIG_SECURITY=y CONFIG_HARDENED_USERCOPY=y CONFIG_FORTIFY_SOURCE=y +CONFIG_STATIC_USERMODEHELPER=y CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SMACK=y CONFIG_CRYPTO_GCM=y diff --git a/arch/arm64/configs/vendor/sm8150_defconfig b/arch/arm64/configs/vendor/sm8150_defconfig index 968babe45d68..a5dcf088d624 100644 --- a/arch/arm64/configs/vendor/sm8150_defconfig +++ b/arch/arm64/configs/vendor/sm8150_defconfig @@ -677,6 +677,7 @@ CONFIG_QCOM_LLCC_PMU=y CONFIG_RAS=y CONFIG_ANDROID=y CONFIG_ANDROID_BINDER_IPC=y +CONFIG_ANDROID_BINDERFS=y CONFIG_NVMEM_SPMI_SDAM=y CONFIG_SENSORS_SSC=y CONFIG_ESOC=y @@ -795,6 +796,7 @@ CONFIG_SECURITY=y CONFIG_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY_PAGESPAN=y CONFIG_FORTIFY_SOURCE=y +CONFIG_STATIC_USERMODEHELPER=y CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SMACK=y CONFIG_CRYPTO_GCM=y diff --git a/arch/arm64/configs/vendor/trinket-perf_defconfig b/arch/arm64/configs/vendor/trinket-perf_defconfig index d6b5f618497e..410b592072d2 100644 --- a/arch/arm64/configs/vendor/trinket-perf_defconfig +++ b/arch/arm64/configs/vendor/trinket-perf_defconfig @@ -631,6 +631,7 @@ CONFIG_QTI_MPM=y CONFIG_RAS=y CONFIG_ANDROID=y CONFIG_ANDROID_BINDER_IPC=y +CONFIG_ANDROID_BINDERFS=y CONFIG_QCOM_QFPROM=y CONFIG_NVMEM_SPMI_SDAM=y CONFIG_SENSORS_SSC=y @@ -684,6 +685,7 @@ CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y CONFIG_SECURITY=y CONFIG_HARDENED_USERCOPY=y CONFIG_FORTIFY_SOURCE=y +CONFIG_STATIC_USERMODEHELPER=y CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SMACK=y CONFIG_CRYPTO_GCM=y diff --git a/arch/arm64/configs/vendor/trinket_defconfig b/arch/arm64/configs/vendor/trinket_defconfig index 5132a6da3b89..3c9c5e44c4b4 100644 --- a/arch/arm64/configs/vendor/trinket_defconfig +++ b/arch/arm64/configs/vendor/trinket_defconfig @@ -663,6 +663,7 @@ CONFIG_PHY_XGENE=y CONFIG_RAS=y CONFIG_ANDROID=y CONFIG_ANDROID_BINDER_IPC=y +CONFIG_ANDROID_BINDERFS=y CONFIG_QCOM_QFPROM=y CONFIG_NVMEM_SPMI_SDAM=y CONFIG_SENSORS_SSC=y @@ -772,6 +773,7 @@ CONFIG_SECURITY=y CONFIG_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY_PAGESPAN=y CONFIG_FORTIFY_SOURCE=y +CONFIG_STATIC_USERMODEHELPER=y CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SMACK=y CONFIG_CRYPTO_GCM=y From 598483700106abbc2c84ff2dec8f25cea54d68c3 Mon Sep 17 00:00:00 2001 From: "Thomas (Wonyoung) Yun" Date: Wed, 8 Jul 2020 19:48:11 -0400 Subject: [PATCH 050/386] soc: qcom: hgsl: Support DBQ count upto 9 3 DBQs can be assigned to one GVM and have different priority such as low, medium and high based on the context priority. Change-Id: Ie7ab4c6837528954ca56033bb2e7c515a16b27f8 Signed-off-by: Thomas (Wonyoung) Yun --- drivers/soc/qcom/hgsl/hgsl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/soc/qcom/hgsl/hgsl.c b/drivers/soc/qcom/hgsl/hgsl.c index 80f9b7436ca5..f459774e3911 100644 --- a/drivers/soc/qcom/hgsl/hgsl.c +++ b/drivers/soc/qcom/hgsl/hgsl.c @@ -31,7 +31,9 @@ #define HGSL_DEVICE_NAME "hgsl" #define HGSL_DEV_NUM 1 -#define MAX_DB_QUEUE 4 + +/* Support upto 3 GVMs: 3 DBQs(Low/Medium/High priority) per GVM */ +#define MAX_DB_QUEUE 9 #define IORESOURCE_HWINF "hgsl_reg_hwinf" #define IORESOURCE_GMUCX "hgsl_reg_gmucx" From edf099388ad0c8b7c071ce98eadde8b64bb469d5 Mon Sep 17 00:00:00 2001 From: wadesong Date: Thu, 30 Jul 2020 17:29:15 +0800 Subject: [PATCH 051/386] cnss: Enable cnss utils code for Auto platforms Add macro CONFIG_CNSS_UTILS into SA8155p's kernel config files so the cnss utils APIs can be utilized by wlan driver. Change-Id: I5b37e8673f5c4d84af6d02b512563499631beb7d Signed-off-by: Wade Song --- arch/arm64/configs/vendor/sa8155-perf_defconfig | 1 + arch/arm64/configs/vendor/sa8155_defconfig | 1 + 2 files changed, 2 insertions(+) diff --git a/arch/arm64/configs/vendor/sa8155-perf_defconfig b/arch/arm64/configs/vendor/sa8155-perf_defconfig index e15c2f8b3418..5032fae84d52 100644 --- a/arch/arm64/configs/vendor/sa8155-perf_defconfig +++ b/arch/arm64/configs/vendor/sa8155-perf_defconfig @@ -318,6 +318,7 @@ CONFIG_CNSS2=y CONFIG_CNSS2_DEBUG=y CONFIG_CNSS2_QMI=y CONFIG_CNSS_ASYNC=y +CONFIG_CNSS_UTILS=y CONFIG_CNSS_GENL=y CONFIG_NVM=y CONFIG_NVM_RRPC=y diff --git a/arch/arm64/configs/vendor/sa8155_defconfig b/arch/arm64/configs/vendor/sa8155_defconfig index 189f980e5bd8..359ae8a3e879 100644 --- a/arch/arm64/configs/vendor/sa8155_defconfig +++ b/arch/arm64/configs/vendor/sa8155_defconfig @@ -329,6 +329,7 @@ CONFIG_CNSS2=y CONFIG_CNSS2_DEBUG=y CONFIG_CNSS2_QMI=y CONFIG_CNSS_ASYNC=y +CONFIG_CNSS_UTILS=y CONFIG_CNSS_GENL=y CONFIG_NVM=y CONFIG_NVM_RRPC=y From b28af78e6f87dd30c907f1bd0ef5a0559870ff45 Mon Sep 17 00:00:00 2001 From: Pradeep P V K Date: Fri, 5 Jun 2020 18:38:21 +0530 Subject: [PATCH 052/386] mtd: msm_qpic_nand: Use flash device ECC capability for erase page Page codeword's ECC data is used to determine if the page is actually erased or not. On an erased page, this data is all 0xFF. The acceptable bitflips on this ECC data is flash device dependent. So, always check against flash device ECC capability value for erase page determination. Change-Id: Ib3889f91c871b5f131fe8bc960ffa68ac11e0633 Signed-off-by: Pradeep P V K --- drivers/mtd/devices/msm_qpic_nand.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/mtd/devices/msm_qpic_nand.c b/drivers/mtd/devices/msm_qpic_nand.c index 8cb1feb3dcd1..dbfea5707488 100644 --- a/drivers/mtd/devices/msm_qpic_nand.c +++ b/drivers/mtd/devices/msm_qpic_nand.c @@ -1995,7 +1995,7 @@ free_dma: if (last_pos < ecc_bytes_percw_in_bits) num_zero_bits++; - if (num_zero_bits > MAX_ECC_BIT_FLIPS) { + if (num_zero_bits > info->flash_dev.ecc_capability) { *erased_page = false; goto free_mem; } @@ -2007,7 +2007,8 @@ free_dma: ecc_temp += chip->ecc_parity_bytes; } - if ((n == cwperpage) && (num_zero_bits <= MAX_ECC_BIT_FLIPS)) + if ((n == cwperpage) && + (num_zero_bits <= info->flash_dev.ecc_capability)) *erased_page = true; free_mem: kfree(ecc); @@ -2662,7 +2663,7 @@ free_dma: if (last_pos < ecc_bytes_percw_in_bits) num_zero_bits++; - if (num_zero_bits > MAX_ECC_BIT_FLIPS) { + if (num_zero_bits > info->flash_dev.ecc_capability) { *erased_page = false; goto free_mem; } @@ -2674,7 +2675,8 @@ free_dma: ecc_temp += chip->ecc_parity_bytes; } - if ((n == cwperpage) && (num_zero_bits <= MAX_ECC_BIT_FLIPS)) + if ((n == cwperpage) && + (num_zero_bits <= info->flash_dev.ecc_capability)) *erased_page = true; free_mem: kfree(ecc); From 396092f066738c2d7ced99ddcffa4c18bc062296 Mon Sep 17 00:00:00 2001 From: Pragaspathi Thilagaraj Date: Thu, 2 Jul 2020 20:47:48 +0530 Subject: [PATCH 053/386] qcacmn: Fix possible OOB access while sending ext stats request In 32-bit systems, currently there is possible oob access in send_stats_ext_req_cmd_tlv() is preq->request_data_len is uin32_t max and len is also of type uint32_t. Fix possible OOB access while sending ext stats request message to firmware by validating the requested data length against the difference between wmi max message size(WMI_SVC_MSG_MAX_SIZE), size of the wmi command fixed param and wmi tlv header size WMI_TLV_HDR_SIZE. Change-Id: I769c9a6b7c0e0f76e2ec1070cac6c69768816454 CRs-Fixed: 2724256 --- wmi/src/wmi_unified_tlv.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c index 9b4e8ec1f65c..410fa1cea5cb 100644 --- a/wmi/src/wmi_unified_tlv.c +++ b/wmi/src/wmi_unified_tlv.c @@ -9869,6 +9869,14 @@ static QDF_STATUS send_stats_ext_req_cmd_tlv(wmi_unified_t wmi_handle, wmi_buf_t buf; size_t len; uint8_t *buf_ptr; + uint16_t max_wmi_msg_size = wmi_get_max_msg_len(wmi_handle); + + if (preq->request_data_len > (max_wmi_msg_size - WMI_TLV_HDR_SIZE - + sizeof(*cmd))) { + wmi_err("Data length=%d is greater than max wmi msg size", + preq->request_data_len); + return QDF_STATUS_E_FAILURE; + } len = sizeof(*cmd) + WMI_TLV_HDR_SIZE + preq->request_data_len; From 924955c1abe6e839db0c4dbd43c78e7af3909ff2 Mon Sep 17 00:00:00 2001 From: Akhil P Oommen Date: Thu, 16 Jul 2020 00:49:09 +0530 Subject: [PATCH 054/386] msm: kgsl: Mark the scratch buffer as privileged Mark the scratch buffer as privileged so that it can only be accessed by GPU through the ringbuffer. To accomplish this, we need to: 1. Move the preemption data out of the scratch buffer. 2. Disable the shadow rptr feature. 3. Trigger RPTR update from GPU using a WHERE_AM_I packet. 4. Add support for the new ucode. Change-Id: I9b388f55f53b69028b9bbb2306cb43fd1297c52f Signed-off-by: Akhil P Oommen --- drivers/gpu/msm/adreno.c | 13 ++++++++ drivers/gpu/msm/adreno.h | 7 +++-- drivers/gpu/msm/adreno_a5xx.c | 13 +++++--- drivers/gpu/msm/adreno_a5xx.h | 4 +-- drivers/gpu/msm/adreno_a5xx_preempt.c | 8 ++--- drivers/gpu/msm/adreno_a6xx.c | 4 +-- drivers/gpu/msm/adreno_a6xx.h | 4 +-- drivers/gpu/msm/adreno_a6xx_preempt.c | 33 ++++++++++---------- drivers/gpu/msm/adreno_ioctl.c | 4 +-- drivers/gpu/msm/adreno_pm4types.h | 4 ++- drivers/gpu/msm/adreno_ringbuffer.c | 44 +++++++++++++++++++++++++-- drivers/gpu/msm/adreno_ringbuffer.h | 5 ++- drivers/gpu/msm/kgsl.h | 13 ++------ 13 files changed, 105 insertions(+), 51 deletions(-) diff --git a/drivers/gpu/msm/adreno.c b/drivers/gpu/msm/adreno.c index e3fd8f3acdbb..3dd8cbeefffd 100644 --- a/drivers/gpu/msm/adreno.c +++ b/drivers/gpu/msm/adreno.c @@ -4178,6 +4178,19 @@ static int adreno_resume_device(struct kgsl_device *device, return 0; } +u32 adreno_get_ucode_version(const u32 *data) +{ + u32 version; + + version = data[1]; + + if ((version & 0xf) != 0xa) + return version; + + version &= ~0xfff; + return version | ((data[3] & 0xfff000) >> 12); +} + static const struct kgsl_functable adreno_functable = { /* Mandatory functions */ .regread = adreno_regread, diff --git a/drivers/gpu/msm/adreno.h b/drivers/gpu/msm/adreno.h index 905dd4009a7e..1cc4fc05fac5 100644 --- a/drivers/gpu/msm/adreno.h +++ b/drivers/gpu/msm/adreno.h @@ -289,8 +289,8 @@ enum adreno_preempt_states { /** * struct adreno_preemption * @state: The current state of preemption - * @counters: Memory descriptor for the memory where the GPU writes the - * preemption counters on switch + * @scratch: Memory descriptor for the memory where the GPU writes the + * current ctxt record address and preemption counters on switch * @timer: A timer to make sure preemption doesn't stall * @work: A work struct for the preemption worker (for 5XX) * @token_submit: Indicates if a preempt token has been submitted in @@ -302,7 +302,7 @@ enum adreno_preempt_states { */ struct adreno_preemption { atomic_t state; - struct kgsl_memdesc counters; + struct kgsl_memdesc scratch; struct timer_list timer; struct work_struct work; bool token_submit; @@ -1209,6 +1209,7 @@ void adreno_cx_misc_regwrite(struct adreno_device *adreno_dev, void adreno_cx_misc_regrmw(struct adreno_device *adreno_dev, unsigned int offsetwords, unsigned int mask, unsigned int bits); +u32 adreno_get_ucode_version(const u32 *data); #define ADRENO_TARGET(_name, _id) \ diff --git a/drivers/gpu/msm/adreno_a5xx.c b/drivers/gpu/msm/adreno_a5xx.c index ba46bd46d450..925a288efd8c 100644 --- a/drivers/gpu/msm/adreno_a5xx.c +++ b/drivers/gpu/msm/adreno_a5xx.c @@ -2154,12 +2154,15 @@ static int a5xx_post_start(struct adreno_device *adreno_dev) *cmds++ = 0xF; } - if (adreno_is_preemption_enabled(adreno_dev)) + if (adreno_is_preemption_enabled(adreno_dev)) { cmds += _preemption_init(adreno_dev, rb, cmds, NULL); + rb->_wptr = rb->_wptr - (42 - (cmds - start)); + ret = adreno_ringbuffer_submit_spin_nosync(rb, NULL, 2000); + } else { + rb->_wptr = rb->_wptr - (42 - (cmds - start)); + ret = adreno_ringbuffer_submit_spin(rb, NULL, 2000); + } - rb->_wptr = rb->_wptr - (42 - (cmds - start)); - - ret = adreno_ringbuffer_submit_spin(rb, NULL, 2000); if (ret) adreno_spin_idle_debug(adreno_dev, "hw initialization failed to idle\n"); @@ -2497,7 +2500,7 @@ static int _load_firmware(struct kgsl_device *device, const char *fwfile, memcpy(firmware->memdesc.hostptr, &fw->data[4], fw->size - 4); firmware->size = (fw->size - 4) / sizeof(uint32_t); - firmware->version = *(unsigned int *)&fw->data[4]; + firmware->version = adreno_get_ucode_version((u32 *)fw->data); done: release_firmware(fw); diff --git a/drivers/gpu/msm/adreno_a5xx.h b/drivers/gpu/msm/adreno_a5xx.h index 08f56d6701f2..71e9e69895f0 100644 --- a/drivers/gpu/msm/adreno_a5xx.h +++ b/drivers/gpu/msm/adreno_a5xx.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2015-2017,2019, The Linux Foundation. All rights reserved. +/* Copyright (c) 2015-2017,2019-2020, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -112,7 +112,7 @@ void a5xx_crashdump_init(struct adreno_device *adreno_dev); void a5xx_hwcg_set(struct adreno_device *adreno_dev, bool on); -#define A5XX_CP_RB_CNTL_DEFAULT (((ilog2(4) << 8) & 0x1F00) | \ +#define A5XX_CP_RB_CNTL_DEFAULT ((1 << 27) | ((ilog2(4) << 8) & 0x1F00) | \ (ilog2(KGSL_RB_DWORDS >> 1) & 0x3F)) /* GPMU interrupt multiplexor */ #define FW_INTR_INFO (0) diff --git a/drivers/gpu/msm/adreno_a5xx_preempt.c b/drivers/gpu/msm/adreno_a5xx_preempt.c index cb7a65f92135..39283db8f100 100644 --- a/drivers/gpu/msm/adreno_a5xx_preempt.c +++ b/drivers/gpu/msm/adreno_a5xx_preempt.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2014-2017,2019 The Linux Foundation. All rights reserved. +/* Copyright (c) 2014-2017,2019-2020 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -575,7 +575,7 @@ static void _preemption_close(struct adreno_device *adreno_dev) unsigned int i; del_timer(&preempt->timer); - kgsl_free_global(device, &preempt->counters); + kgsl_free_global(device, &preempt->scratch); a5xx_preemption_iommu_close(adreno_dev); FOR_EACH_RINGBUFFER(adreno_dev, rb, i) { @@ -611,14 +611,14 @@ int a5xx_preemption_init(struct adreno_device *adreno_dev) (unsigned long) adreno_dev); /* Allocate mem for storing preemption counters */ - ret = kgsl_allocate_global(device, &preempt->counters, + ret = kgsl_allocate_global(device, &preempt->scratch, adreno_dev->num_ringbuffers * A5XX_CP_CTXRECORD_PREEMPTION_COUNTER_SIZE, 0, 0, "preemption_counters"); if (ret) goto err; - addr = preempt->counters.gpuaddr; + addr = preempt->scratch.gpuaddr; /* Allocate mem for storing preemption switch record */ FOR_EACH_RINGBUFFER(adreno_dev, rb, i) { diff --git a/drivers/gpu/msm/adreno_a6xx.c b/drivers/gpu/msm/adreno_a6xx.c index a780c1bb1600..cbd3d39305d2 100644 --- a/drivers/gpu/msm/adreno_a6xx.c +++ b/drivers/gpu/msm/adreno_a6xx.c @@ -1211,7 +1211,7 @@ static int a6xx_post_start(struct adreno_device *adreno_dev) rb->_wptr = rb->_wptr - (42 - (cmds - start)); - ret = adreno_ringbuffer_submit_spin(rb, NULL, 2000); + ret = adreno_ringbuffer_submit_spin_nosync(rb, NULL, 2000); if (ret) adreno_spin_idle_debug(adreno_dev, "hw preemption initialization failed to idle\n"); @@ -1357,7 +1357,7 @@ static int _load_firmware(struct kgsl_device *device, const char *fwfile, if (!ret) { memcpy(firmware->memdesc.hostptr, &fw->data[4], fw->size - 4); firmware->size = (fw->size - 4) / sizeof(uint32_t); - firmware->version = *(unsigned int *)&fw->data[4]; + firmware->version = adreno_get_ucode_version((u32 *)fw->data); } release_firmware(fw); diff --git a/drivers/gpu/msm/adreno_a6xx.h b/drivers/gpu/msm/adreno_a6xx.h index 49085651f208..5127f18d2c54 100644 --- a/drivers/gpu/msm/adreno_a6xx.h +++ b/drivers/gpu/msm/adreno_a6xx.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved. +/* Copyright (c) 2017-2020, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -101,7 +101,7 @@ struct cpu_gpu_lock { /* Size of the performance counter save/restore block (in bytes) */ #define A6XX_CP_PERFCOUNTER_SAVE_RESTORE_SIZE (4 * 1024) -#define A6XX_CP_RB_CNTL_DEFAULT (((ilog2(4) << 8) & 0x1F00) | \ +#define A6XX_CP_RB_CNTL_DEFAULT ((1 << 27) | ((ilog2(4) << 8) & 0x1F00) | \ (ilog2(KGSL_RB_DWORDS >> 1) & 0x3F)) /* diff --git a/drivers/gpu/msm/adreno_a6xx_preempt.c b/drivers/gpu/msm/adreno_a6xx_preempt.c index 760cef5891af..ac928a65514d 100644 --- a/drivers/gpu/msm/adreno_a6xx_preempt.c +++ b/drivers/gpu/msm/adreno_a6xx_preempt.c @@ -324,8 +324,8 @@ void a6xx_preemption_trigger(struct adreno_device *adreno_dev) kgsl_sharedmem_writel(device, &iommu->smmu_info, PREEMPT_SMMU_RECORD(context_idr), contextidr); - kgsl_sharedmem_readq(&device->scratch, &gpuaddr, - SCRATCH_PREEMPTION_CTXT_RESTORE_ADDR_OFFSET(next->id)); + kgsl_sharedmem_readq(&preempt->scratch, &gpuaddr, + next->id * sizeof(u64)); /* * Set a keepalive bit before the first preemption register write. @@ -546,12 +546,10 @@ unsigned int a6xx_preemption_pre_ibsubmit( rb->perfcounter_save_restore_desc.gpuaddr); if (context) { - struct kgsl_device *device = KGSL_DEVICE(adreno_dev); struct adreno_context *drawctxt = ADRENO_CONTEXT(context); struct adreno_ringbuffer *rb = drawctxt->rb; - uint64_t dest = - SCRATCH_PREEMPTION_CTXT_RESTORE_GPU_ADDR(device, - rb->id); + uint64_t dest = adreno_dev->preempt.scratch.gpuaddr + + sizeof(u64) * rb->id; *cmds++ = cp_mem_packet(adreno_dev, CP_MEM_WRITE, 2, 2); cmds += cp_gpuaddr(adreno_dev, cmds, dest); @@ -569,9 +567,8 @@ unsigned int a6xx_preemption_post_ibsubmit(struct adreno_device *adreno_dev, struct adreno_ringbuffer *rb = adreno_dev->cur_rb; if (rb) { - struct kgsl_device *device = KGSL_DEVICE(adreno_dev); - uint64_t dest = SCRATCH_PREEMPTION_CTXT_RESTORE_GPU_ADDR(device, - rb->id); + uint64_t dest = adreno_dev->preempt.scratch.gpuaddr + + sizeof(u64) * rb->id; *cmds++ = cp_mem_packet(adreno_dev, CP_MEM_WRITE, 2, 2); cmds += cp_gpuaddr(adreno_dev, cmds, dest); @@ -732,7 +729,7 @@ static void _preemption_close(struct adreno_device *adreno_dev) unsigned int i; del_timer(&preempt->timer); - kgsl_free_global(device, &preempt->counters); + kgsl_free_global(device, &preempt->scratch); a6xx_preemption_iommu_close(adreno_dev); FOR_EACH_RINGBUFFER(adreno_dev, rb, i) { @@ -771,15 +768,19 @@ int a6xx_preemption_init(struct adreno_device *adreno_dev) setup_timer(&preempt->timer, _a6xx_preemption_timer, (unsigned long) adreno_dev); - /* Allocate mem for storing preemption counters */ - ret = kgsl_allocate_global(device, &preempt->counters, - adreno_dev->num_ringbuffers * - A6XX_CP_CTXRECORD_PREEMPTION_COUNTER_SIZE, 0, 0, - "preemption_counters"); + /* + * Allocate a scratch buffer to keep the below table: + * Offset: What + * 0x0: Context Record address + * 0x10: Preemption Counters + */ + ret = kgsl_allocate_global(device, &preempt->scratch, PAGE_SIZE, 0, 0, + "preemption_scratch"); if (ret) goto err; - addr = preempt->counters.gpuaddr; + addr = preempt->scratch.gpuaddr + + KGSL_PRIORITY_MAX_RB_LEVELS * sizeof(u64); /* Allocate mem for storing preemption switch record */ FOR_EACH_RINGBUFFER(adreno_dev, rb, i) { diff --git a/drivers/gpu/msm/adreno_ioctl.c b/drivers/gpu/msm/adreno_ioctl.c index 82629c6fcf23..d18aa19ad563 100644 --- a/drivers/gpu/msm/adreno_ioctl.c +++ b/drivers/gpu/msm/adreno_ioctl.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2002,2007-2018, The Linux Foundation. All rights reserved. +/* Copyright (c) 2002,2007-2018,2020 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -168,7 +168,7 @@ static long adreno_ioctl_preemption_counters_query( levels_to_copy = gpudev->num_prio_levels; if (copy_to_user((void __user *) (uintptr_t) read->counters, - adreno_dev->preempt.counters.hostptr, + adreno_dev->preempt.scratch.hostptr, levels_to_copy * size_level)) return -EFAULT; diff --git a/drivers/gpu/msm/adreno_pm4types.h b/drivers/gpu/msm/adreno_pm4types.h index 2a330b4474aa..543496399044 100644 --- a/drivers/gpu/msm/adreno_pm4types.h +++ b/drivers/gpu/msm/adreno_pm4types.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2002,2007-2017, The Linux Foundation. All rights reserved. +/* Copyright (c) 2002,2007-2017,2020 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -103,6 +103,8 @@ /* A5XX Enable yield in RB only */ #define CP_YIELD_ENABLE 0x1C +#define CP_WHERE_AM_I 0x62 + /* Enable/Disable/Defer A5x global preemption model */ #define CP_PREEMPT_ENABLE_GLOBAL 0x69 diff --git a/drivers/gpu/msm/adreno_ringbuffer.c b/drivers/gpu/msm/adreno_ringbuffer.c index 2ee57e9a5ce6..e32562296809 100644 --- a/drivers/gpu/msm/adreno_ringbuffer.c +++ b/drivers/gpu/msm/adreno_ringbuffer.c @@ -204,7 +204,7 @@ void adreno_ringbuffer_submit(struct adreno_ringbuffer *rb, adreno_ringbuffer_wptr(adreno_dev, rb); } -int adreno_ringbuffer_submit_spin(struct adreno_ringbuffer *rb, +int adreno_ringbuffer_submit_spin_nosync(struct adreno_ringbuffer *rb, struct adreno_submit_time *time, unsigned int timeout) { struct adreno_device *adreno_dev = ADRENO_RB_DEVICE(rb); @@ -213,6 +213,38 @@ int adreno_ringbuffer_submit_spin(struct adreno_ringbuffer *rb, return adreno_spin_idle(adreno_dev, timeout); } +/* + * adreno_ringbuffer_submit_spin() - Submit the cmds and wait until GPU is idle + * @rb: Pointer to ringbuffer + * @time: Pointer to adreno_submit_time + * @timeout: timeout value in ms + * + * Add commands to the ringbuffer and wait until GPU goes to idle. This routine + * inserts a WHERE_AM_I packet to trigger a shadow rptr update. So, use + * adreno_ringbuffer_submit_spin_nosync() if the previous cmd in the RB is a + * CSY packet because CSY followed by WHERE_AM_I is not legal. + */ +int adreno_ringbuffer_submit_spin(struct adreno_ringbuffer *rb, + struct adreno_submit_time *time, unsigned int timeout) +{ + struct adreno_device *adreno_dev = ADRENO_RB_DEVICE(rb); + struct kgsl_device *device = KGSL_DEVICE(adreno_dev); + unsigned int *cmds; + + if (adreno_is_a3xx(adreno_dev)) + return adreno_ringbuffer_submit_spin_nosync(rb, time, timeout); + + cmds = adreno_ringbuffer_allocspace(rb, 3); + if (IS_ERR(cmds)) + return PTR_ERR(cmds); + + *cmds++ = cp_packet(adreno_dev, CP_WHERE_AM_I, 2); + cmds += cp_gpuaddr(adreno_dev, cmds, + SCRATCH_RPTR_GPU_ADDR(device, rb->id)); + + return adreno_ringbuffer_submit_spin_nosync(rb, time, timeout); +} + unsigned int *adreno_ringbuffer_allocspace(struct adreno_ringbuffer *rb, unsigned int dwords) { @@ -337,12 +369,13 @@ int adreno_ringbuffer_probe(struct adreno_device *adreno_dev, bool nopreempt) { struct kgsl_device *device = KGSL_DEVICE(adreno_dev); struct adreno_gpudev *gpudev = ADRENO_GPU_DEVICE(adreno_dev); + unsigned int priv = KGSL_MEMDESC_RANDOM | KGSL_MEMDESC_PRIVILEGED; int i, r = 0; int status = -ENOMEM; if (!adreno_is_a3xx(adreno_dev)) { status = kgsl_allocate_global(device, &device->scratch, - PAGE_SIZE, 0, KGSL_MEMDESC_RANDOM, "scratch"); + PAGE_SIZE, 0, priv, "scratch"); if (status != 0) return status; } @@ -564,6 +597,8 @@ adreno_ringbuffer_addcmds(struct adreno_ringbuffer *rb, if (gpudev->preemption_post_ibsubmit && adreno_is_preemption_enabled(adreno_dev)) total_sizedwords += 10; + else if (!adreno_is_a3xx(adreno_dev)) + total_sizedwords += 3; /* * a5xx uses 64 bit memory address. pm4 commands that involve read/write @@ -775,6 +810,11 @@ adreno_ringbuffer_addcmds(struct adreno_ringbuffer *rb, adreno_is_preemption_enabled(adreno_dev)) ringcmds += gpudev->preemption_post_ibsubmit(adreno_dev, ringcmds); + else if (!adreno_is_a3xx(adreno_dev)) { + *ringcmds++ = cp_packet(adreno_dev, CP_WHERE_AM_I, 2); + ringcmds += cp_gpuaddr(adreno_dev, ringcmds, + SCRATCH_RPTR_GPU_ADDR(device, rb->id)); + } /* * If we have more ringbuffer commands than space reserved diff --git a/drivers/gpu/msm/adreno_ringbuffer.h b/drivers/gpu/msm/adreno_ringbuffer.h index 9eb0c92213f3..14b4ecc2e192 100644 --- a/drivers/gpu/msm/adreno_ringbuffer.h +++ b/drivers/gpu/msm/adreno_ringbuffer.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2002,2007-2019, The Linux Foundation. All rights reserved. +/* Copyright (c) 2002,2007-2020, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -178,6 +178,9 @@ int adreno_ringbuffer_issue_internal_cmds(struct adreno_ringbuffer *rb, void adreno_ringbuffer_submit(struct adreno_ringbuffer *rb, struct adreno_submit_time *time); +int adreno_ringbuffer_submit_spin_nosync(struct adreno_ringbuffer *rb, + struct adreno_submit_time *time, unsigned int timeout); + int adreno_ringbuffer_submit_spin(struct adreno_ringbuffer *rb, struct adreno_submit_time *time, unsigned int timeout); diff --git a/drivers/gpu/msm/kgsl.h b/drivers/gpu/msm/kgsl.h index 3c877f722f23..1091205e6aa3 100644 --- a/drivers/gpu/msm/kgsl.h +++ b/drivers/gpu/msm/kgsl.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2008-2019, The Linux Foundation. All rights reserved. +/* Copyright (c) 2008-2020, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -71,13 +71,11 @@ /* * SCRATCH MEMORY: The scratch memory is one page worth of data that * is mapped into the GPU. This allows for some 'shared' data between - * the GPU and CPU. For example, it will be used by the GPU to write - * each updated RPTR for each RB. + * the GPU and CPU. * * Used Data: * Offset: Length(bytes): What * 0x0: 4 * KGSL_PRIORITY_MAX_RB_LEVELS: RB0 RPTR - * 0x10: 8 * KGSL_PRIORITY_MAX_RB_LEVELS: RB0 CTXT RESTORE ADDR */ /* Shadow global helpers */ @@ -85,13 +83,6 @@ #define SCRATCH_RPTR_GPU_ADDR(dev, id) \ ((dev)->scratch.gpuaddr + SCRATCH_RPTR_OFFSET(id)) -#define SCRATCH_PREEMPTION_CTXT_RESTORE_ADDR_OFFSET(id) \ - (SCRATCH_RPTR_OFFSET(KGSL_PRIORITY_MAX_RB_LEVELS) + \ - ((id) * sizeof(uint64_t))) -#define SCRATCH_PREEMPTION_CTXT_RESTORE_GPU_ADDR(dev, id) \ - ((dev)->scratch.gpuaddr + \ - SCRATCH_PREEMPTION_CTXT_RESTORE_ADDR_OFFSET(id)) - /* Timestamp window used to detect rollovers (half of integer range) */ #define KGSL_TIMESTAMP_WINDOW 0x80000000 From 378f04203da6176cee84dd96821abbfff2973586 Mon Sep 17 00:00:00 2001 From: Arun Kumar Khandavalli Date: Mon, 3 Aug 2020 20:15:14 +0530 Subject: [PATCH 055/386] qcacld-3.0: Validate mac handle before accessing In the wifi on/off stress test there is race wherein the mac handle being accessed before it is initialized. Validate the mac handle before accessing. Change-Id: Ie7006923a5b3deebefb6a7df4c2e1445bdbda706 CRs-Fixed: 2746677 --- core/hdd/src/wlan_hdd_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c index 7751c71902c0..358e81907a93 100644 --- a/core/hdd/src/wlan_hdd_main.c +++ b/core/hdd/src/wlan_hdd_main.c @@ -14127,7 +14127,7 @@ static void hdd_inform_wifi_off(void) { struct hdd_context *hdd_ctx = cds_get_context(QDF_MODULE_ID_HDD); - if (!hdd_ctx) { + if (!hdd_ctx || !hdd_ctx->mac_handle) { hdd_err("Invalid hdd/pdev context"); return; } From 0a6a44bf6155936a7714df6b9f138b0eda6e9757 Mon Sep 17 00:00:00 2001 From: Chao Yu Date: Wed, 29 Jul 2020 21:21:36 +0800 Subject: [PATCH 056/386] f2fs: compress: disable compression mount option if compression is off If CONFIG_F2FS_FS_COMPRESSION is off, don't allow to configure or show compression related mount option. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim --- fs/f2fs/super.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index 3cd40a085049..9fec034ec62e 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -459,9 +459,12 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount) { struct f2fs_sb_info *sbi = F2FS_SB(sb); substring_t args[MAX_OPT_ARGS]; +#ifdef CONFIG_F2FS_FS_COMPRESSION unsigned char (*ext)[F2FS_EXTENSION_LEN]; + int ext_cnt; +#endif char *p, *name; - int arg = 0, ext_cnt; + int arg = 0; kuid_t uid; kgid_t gid; int ret; @@ -852,6 +855,7 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount) case Opt_checkpoint_enable: clear_opt(sbi, DISABLE_CHECKPOINT); break; +#ifdef CONFIG_F2FS_FS_COMPRESSION case Opt_compress_algorithm: if (!f2fs_sb_has_compression(sbi)) { f2fs_err(sbi, "Compression feature if off"); @@ -914,6 +918,13 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount) F2FS_OPTION(sbi).compress_ext_cnt++; kfree(name); break; +#else + case Opt_compress_algorithm: + case Opt_compress_log_size: + case Opt_compress_extension: + f2fs_info(sbi, "compression options not supported"); + break; +#endif default: f2fs_err(sbi, "Unrecognized mount option \"%s\" or missing value", p); @@ -1609,7 +1620,9 @@ static int f2fs_show_options(struct seq_file *seq, struct dentry *root) else if (F2FS_OPTION(sbi).fsync_mode == FSYNC_MODE_NOBARRIER) seq_printf(seq, ",fsync_mode=%s", "nobarrier"); +#ifdef CONFIG_F2FS_FS_COMPRESSION f2fs_show_compress_options(seq, sbi->sb); +#endif return 0; } From cd4b3d3511ef0653b28ab463b8ead024850b5bc9 Mon Sep 17 00:00:00 2001 From: Daeho Jeong Date: Thu, 30 Jul 2020 14:09:28 +0900 Subject: [PATCH 057/386] f2fs: make file immutable even if releasing zero compression block When we use F2FS_IOC_RELEASE_COMPRESS_BLOCKS ioctl, if we can't find any compressed blocks in the file even with large file size, the ioctl just ends up without changing the file's status as immutable. It makes the user, who expects that the file is immutable when it returns successfully, confused. Signed-off-by: Daeho Jeong Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim --- fs/f2fs/file.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index d4ad53edd56b..1e60830fd9e2 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -3475,14 +3475,14 @@ static int f2fs_release_compress_blocks(struct file *filp, unsigned long arg) if (ret) goto out; - if (!F2FS_I(inode)->i_compr_blocks) - goto out; - F2FS_I(inode)->i_flags |= F2FS_IMMUTABLE_FL; f2fs_set_inode_flags(inode); inode->i_ctime = current_time(inode); f2fs_mark_inode_dirty_sync(inode, true); + if (!F2FS_I(inode)->i_compr_blocks) + goto out; + down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); down_write(&F2FS_I(inode)->i_mmap_sem); From 70f1b70f80616c2cf0039d6166ffb3c74d6fb542 Mon Sep 17 00:00:00 2001 From: Yufen Yu Date: Fri, 31 Jul 2020 02:18:13 -0400 Subject: [PATCH 058/386] f2fs: replace test_and_set/clear_bit() with set/clear_bit() Since set/clear_inode_flag() don't need to return value to show if flag is set, we can just call set/clear_bit() here. Signed-off-by: Yufen Yu Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim --- fs/f2fs/f2fs.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h index 6a05eceeaf67..48c70cbb9cca 100644 --- a/fs/f2fs/f2fs.h +++ b/fs/f2fs/f2fs.h @@ -2656,7 +2656,7 @@ static inline void __mark_inode_dirty_flag(struct inode *inode, static inline void set_inode_flag(struct inode *inode, int flag) { - test_and_set_bit(flag, F2FS_I(inode)->flags); + set_bit(flag, F2FS_I(inode)->flags); __mark_inode_dirty_flag(inode, flag, true); } @@ -2667,7 +2667,7 @@ static inline int is_inode_flag_set(struct inode *inode, int flag) static inline void clear_inode_flag(struct inode *inode, int flag) { - test_and_clear_bit(flag, F2FS_I(inode)->flags); + clear_bit(flag, F2FS_I(inode)->flags); __mark_inode_dirty_flag(inode, flag, false); } From dcadebaa944676b746a1a9f83d1074803d2ed401 Mon Sep 17 00:00:00 2001 From: Zhihao Cheng Date: Sat, 1 Aug 2020 11:24:50 +0800 Subject: [PATCH 059/386] f2fs: update_sit_entry: Make the judgment condition of f2fs_bug_on more intuitive Current judgment condition of f2fs_bug_on in function update_sit_entry(): new_vblocks >> (sizeof(unsigned short) << 3) || new_vblocks > sbi->blocks_per_seg which equivalents to: new_vblocks < 0 || new_vblocks > sbi->blocks_per_seg The latter is more intuitive. Signed-off-by: Zhihao Cheng Reported-by: Jack Qiu Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim --- fs/f2fs/segment.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c index 543878c6222c..c0df36ebac62 100644 --- a/fs/f2fs/segment.c +++ b/fs/f2fs/segment.c @@ -2165,7 +2165,7 @@ static void update_sit_entry(struct f2fs_sb_info *sbi, block_t blkaddr, int del) new_vblocks = se->valid_blocks + del; offset = GET_BLKOFF_FROM_SEG0(sbi, blkaddr); - f2fs_bug_on(sbi, (new_vblocks >> (sizeof(unsigned short) << 3) || + f2fs_bug_on(sbi, (new_vblocks < 0 || (new_vblocks > sbi->blocks_per_seg))); se->valid_blocks = new_vblocks; From 30702abe9883971b98b2c4975f1d7e538010e02e Mon Sep 17 00:00:00 2001 From: Jaegeuk Kim Date: Mon, 3 Aug 2020 19:37:12 -0700 Subject: [PATCH 060/386] f2fs: prepare a waiter before entering io_schedule This is to avoid sleep() in the waiter thread. [ 20.157753] ------------[ cut here ]------------ [ 20.158393] do not call blocking ops when !TASK_RUNNING; state=2 set at [<0000000096354225>] prepare_to_wait+0xcd/0x430 [ 20.159858] WARNING: CPU: 1 PID: 1152 at kernel/sched/core.c:7142 __might_sleep+0x149/0x1a0 ... [ 20.176110] __submit_merged_write_cond+0x191/0x310 [ 20.176739] f2fs_submit_merged_write+0x18/0x20 [ 20.177323] f2fs_wait_on_all_pages+0x269/0x2d0 [ 20.177899] ? block_operations+0x980/0x980 [ 20.178441] ? __kasan_check_read+0x11/0x20 [ 20.178975] ? finish_wait+0x260/0x260 [ 20.179488] ? percpu_counter_set+0x147/0x230 [ 20.180049] do_checkpoint+0x1757/0x2a50 [ 20.180558] f2fs_write_checkpoint+0x840/0xaf0 [ 20.181126] f2fs_sync_fs+0x287/0x4a0 Reported-by: Eric Biggers Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim --- fs/f2fs/checkpoint.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c index 2a93d5857146..7a9cd6910f90 100644 --- a/fs/f2fs/checkpoint.c +++ b/fs/f2fs/checkpoint.c @@ -1258,8 +1258,6 @@ void f2fs_wait_on_all_pages(struct f2fs_sb_info *sbi, int type) DEFINE_WAIT(wait); for (;;) { - prepare_to_wait(&sbi->cp_wait, &wait, TASK_UNINTERRUPTIBLE); - if (!get_pages(sbi, type)) break; @@ -1271,6 +1269,8 @@ void f2fs_wait_on_all_pages(struct f2fs_sb_info *sbi, int type) FS_CP_META_IO); else if (type == F2FS_WB_CP_DATA) f2fs_submit_merged_write(sbi, DATA); + + prepare_to_wait(&sbi->cp_wait, &wait, TASK_UNINTERRUPTIBLE); io_schedule_timeout(DEFAULT_IO_TIMEOUT); } finish_wait(&sbi->cp_wait, &wait); From 7190233b82e499ee3c0735b8ef60a573b3cde9c9 Mon Sep 17 00:00:00 2001 From: Wyes Karny Date: Wed, 6 May 2020 21:15:02 +0530 Subject: [PATCH 061/386] msm: camera: reqmgr: reset slots after deactivating session After Deactivate request comes in link control we are deactivating the link and resetting every slots in the in_q. CRs-Fixed: 2685198 Change-Id: I3f152d6486ccfe81ec44ea27ed992aacf18342bc Signed-off-by: Wyes Karny --- .../msm/camera/cam_req_mgr/cam_req_mgr_core.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c b/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c index dfbc9b07e4a4..bb0f1fdde118 100644 --- a/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c +++ b/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c @@ -3422,6 +3422,8 @@ int cam_req_mgr_link_control(struct cam_req_mgr_link_control *control) struct cam_req_mgr_connected_device *dev = NULL; struct cam_req_mgr_link_evt_data evt_data; + struct cam_req_mgr_req_queue *in_q = NULL; + struct cam_req_mgr_slot *slot = NULL; if (!control) { CAM_ERR(CAM_CRM, "Control command is NULL"); @@ -3485,6 +3487,18 @@ int cam_req_mgr_link_control(struct cam_req_mgr_link_control *control) if (dev->ops && dev->ops->process_evt) dev->ops->process_evt(&evt_data); } + in_q = link->req.in_q; + /* reset all slots */ + for (j = 0; j < in_q->num_slots; j++) { + slot = &in_q->slot[j]; + slot->req_id = -1; + slot->sync_mode = + CAM_REQ_MGR_SYNC_MODE_NO_SYNC; + slot->skip_idx = 1; + slot->status = CRM_SLOT_STATUS_NO_REQ; + } + in_q->wr_idx = 0; + in_q->rd_idx = 0; } else { CAM_ERR(CAM_CRM, "Invalid link control command"); rc = -EINVAL; From 544f6bf014acc9dbfe2e80bdc67ddbfd671a24a3 Mon Sep 17 00:00:00 2001 From: Tejas Prajapati Date: Thu, 11 Jun 2020 10:16:57 +0530 Subject: [PATCH 062/386] msm: camera: reqmgr: increase the rd idx if no lower pd device For link with maximum pipeline delay of 1 e.g., TPG use case or sensors with pipeline delay of 1, if the request is not submitted before 2 consecutive triggers we do not get chance to increment rd idx, in the mean time the slot which was last applied will be reset and we will not be able to apply request even if new requests are scheduled. This will cause the camera to not apply any request further, hence increasing the rd idx if no lower pd devices are pending will fix the issue. Change-Id: Ib2eddc9c6a0ce5e73cf19873c6ce54169e29a6e1 Signed-off-by: Tejas Prajapati --- .../media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c b/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c index bb0f1fdde118..6fa26b2eb13f 100644 --- a/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c +++ b/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c @@ -2295,6 +2295,8 @@ static int cam_req_mgr_process_trigger(void *priv, void *data) CAM_DBG(CAM_REQ, "No pending req to apply to lower pd devices"); rc = 0; + __cam_req_mgr_inc_idx(&in_q->rd_idx, + 1, in_q->num_slots); goto release_lock; } __cam_req_mgr_inc_idx(&in_q->rd_idx, 1, in_q->num_slots); From fabb8e16f0dfbf5ddaefd243a244b55beabee94b Mon Sep 17 00:00:00 2001 From: Ayush Kumar Date: Thu, 9 Apr 2020 02:44:09 +0530 Subject: [PATCH 063/386] msm: camera: reqmgr: Skip apply for initial sync req on slave link This change is to stop slave link to apply initial sync request in the same frame duration in which master apply initial sync request. Slave link should wait for the master link to apply initial sync request first and then slave should apply initial sync request in the next frame. Change-Id: I8f1f54bbf674df1c578e6041eaa08869949728b3 Signed-off-by: Ayush Kumar --- .../msm/camera/cam_req_mgr/cam_req_mgr_core.c | 47 +++++++++++++++++-- 1 file changed, 43 insertions(+), 4 deletions(-) diff --git a/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c b/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c index bb0f1fdde118..0aa009ab1bc3 100644 --- a/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c +++ b/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c @@ -696,13 +696,19 @@ static int32_t __cam_req_mgr_find_slot_for_req( */ static int __cam_req_mgr_check_sync_for_mslave( struct cam_req_mgr_core_link *link, - struct cam_req_mgr_slot *slot) + struct cam_req_mgr_slot *slot, + uint64_t request_id) { struct cam_req_mgr_core_link *sync_link = NULL; struct cam_req_mgr_slot *sync_slot = NULL; + struct cam_req_mgr_slot *sync_rd_slot = NULL; int sync_slot_idx = 0, prev_idx, next_idx, rd_idx, sync_rd_idx, rc = 0; int64_t req_id = 0, sync_req_id = 0; int32_t sync_num_slots = 0; + uint64_t sync_frame_duration = 0; + int32_t sync_req_status = 0; + uint64_t sof_timestamp_delta = 0; + int sync_link_idx = 0; if (!link->sync_link) { CAM_ERR(CAM_CRM, "Sync link null"); @@ -713,6 +719,12 @@ static int __cam_req_mgr_check_sync_for_mslave( req_id = slot->req_id; sync_num_slots = sync_link->req.in_q->num_slots; sync_rd_idx = sync_link->req.in_q->rd_idx; + sync_rd_slot = &sync_link->req.in_q->slot[sync_rd_idx]; + + sof_timestamp_delta = + link->sof_timestamp >= sync_link->sof_timestamp + ? link->sof_timestamp - sync_link->sof_timestamp + : sync_link->sof_timestamp - link->sof_timestamp; CAM_DBG(CAM_CRM, "link_hdl %x req %lld frame_skip_flag %d open_req_cnt:%d initial_sync_req [%lld,%lld] is_master:%d", @@ -742,6 +754,10 @@ static int __cam_req_mgr_check_sync_for_mslave( return -EINVAL; } + if (sync_link->prev_sof_timestamp) + sync_frame_duration = sync_link->sof_timestamp - + sync_link->prev_sof_timestamp; + if (link->is_master) { rc = __cam_req_mgr_inject_delay(link->req.l_tbl, slot->idx); if (rc) { @@ -763,7 +779,6 @@ static int __cam_req_mgr_check_sync_for_mslave( CAM_DBG(CAM_CRM, "Req: %lld [master] not ready on link: %x, rc=%d", req_id, link->link_hdl, rc); - link->sync_link_sof_skip = true; return rc; } @@ -830,10 +845,34 @@ static int __cam_req_mgr_check_sync_for_mslave( CAM_DBG(CAM_CRM, "Req: %lld [slave] not ready on link: %x, rc=%d", req_id, link->link_hdl, rc); - link->sync_link_sof_skip = true; return rc; } + sync_link_idx = __cam_req_mgr_find_slot_for_req( + sync_link->req.in_q, request_id); + if (sync_link_idx != -1) { + sync_req_status = + sync_link->req.in_q->slot[sync_link_idx].status; + if (sync_req_status != CRM_SLOT_STATUS_REQ_APPLIED) { + CAM_DBG(CAM_CRM, + "Skipping initial sync req %lld id %d as master not applied", + request_id, sync_link_idx); + return -EINVAL; + } + } else + sync_req_status = 0; + + if ((sync_link->initial_sync_req == req_id) && + (sync_req_status == CRM_SLOT_STATUS_REQ_APPLIED) && + (sof_timestamp_delta < (sync_frame_duration / 2)) && + (((sync_link_idx - sync_rd_idx + sync_num_slots) % + sync_num_slots) <= 1) && + (sync_rd_slot->status != + CRM_SLOT_STATUS_REQ_APPLIED)) { + CAM_DBG(CAM_CRM, "Skipping initial sync req for slave"); + return -EINVAL; + } + next_idx = link->req.in_q->rd_idx; rd_idx = sync_link->req.in_q->rd_idx; __cam_req_mgr_inc_idx(&next_idx, @@ -1215,7 +1254,7 @@ static int __cam_req_mgr_process_req(struct cam_req_mgr_core_link *link, } rc = __cam_req_mgr_check_sync_for_mslave( - link, slot); + link, slot, trigger_data->req_id); } else { rc = __cam_req_mgr_check_sync_req_is_ready( link, slot); From 211b719b02687fdf94de8d328563257908a634a3 Mon Sep 17 00:00:00 2001 From: Swetha Chikkaboraiah Date: Wed, 22 Jul 2020 19:14:19 +0530 Subject: [PATCH 064/386] defconfig: msm: Sync config with Android-4.14 configs Update atoll, sm6150, sm8150, trinket configuration to be in sync with Android-4.14 configs. Change-Id: I8e3ab0c5c107910f0a5b5129258315e8ddee4a99 Signed-off-by: Swetha Chikkaboraiah --- arch/arm64/configs/vendor/atoll-perf_defconfig | 10 ++++++---- arch/arm64/configs/vendor/atoll_defconfig | 9 +++++---- arch/arm64/configs/vendor/sdmsteppe-perf_defconfig | 10 ++++++---- arch/arm64/configs/vendor/sdmsteppe_defconfig | 9 +++++---- arch/arm64/configs/vendor/sm8150-perf_defconfig | 10 ++++++---- arch/arm64/configs/vendor/sm8150_defconfig | 9 +++++---- arch/arm64/configs/vendor/trinket-perf_defconfig | 9 +++++---- arch/arm64/configs/vendor/trinket_defconfig | 8 ++++---- 8 files changed, 42 insertions(+), 32 deletions(-) diff --git a/arch/arm64/configs/vendor/atoll-perf_defconfig b/arch/arm64/configs/vendor/atoll-perf_defconfig index e210e133ba58..275711ae60d2 100644 --- a/arch/arm64/configs/vendor/atoll-perf_defconfig +++ b/arch/arm64/configs/vendor/atoll-perf_defconfig @@ -17,18 +17,17 @@ CONFIG_RCU_FAST_NO_HZ=y CONFIG_RCU_NOCB_CPU=y CONFIG_IKCONFIG=y CONFIG_IKCONFIG_PROC=y +CONFIG_IKHEADERS=y CONFIG_LOG_CPU_MAX_BUF_SHIFT=17 CONFIG_MEMCG=y CONFIG_MEMCG_SWAP=y CONFIG_BLK_CGROUP=y -CONFIG_RT_GROUP_SCHED=y CONFIG_CGROUP_FREEZER=y CONFIG_CPUSETS=y CONFIG_CGROUP_CPUACCT=y CONFIG_CGROUP_BPF=y CONFIG_SCHED_CORE_CTL=y CONFIG_NAMESPACES=y -# CONFIG_UTS_NS is not set # CONFIG_PID_NS is not set CONFIG_SCHED_AUTOGROUP=y CONFIG_SCHED_TUNE=y @@ -39,6 +38,7 @@ CONFIG_BLK_DEV_INITRD=y # CONFIG_RD_LZ4 is not set CONFIG_KALLSYMS_ALL=y CONFIG_BPF_SYSCALL=y +CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_EMBEDDED=y # CONFIG_SLUB_DEBUG is not set # CONFIG_COMPAT_BRK is not set @@ -48,7 +48,6 @@ CONFIG_PROFILING=y CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_MODULES=y CONFIG_MODULE_UNLOAD=y -CONFIG_MODULE_FORCE_UNLOAD=y CONFIG_MODVERSIONS=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y @@ -78,6 +77,7 @@ CONFIG_ARMV8_DEPRECATED=y CONFIG_SWP_EMULATION=y CONFIG_CP15_BARRIER_EMULATION=y CONFIG_SETEND_EMULATION=y +CONFIG_ARM64_SW_TTBR0_PAN=y # CONFIG_ARM64_VHE is not set CONFIG_RANDOMIZE_BASE=y # CONFIG_EFI is not set @@ -245,6 +245,7 @@ CONFIG_NET_ACT_MIRRED=y CONFIG_NET_ACT_SKBEDIT=y CONFIG_QRTR=y CONFIG_QRTR_SMD=y +CONFIG_BPF_JIT=y CONFIG_SOCKEV_NLMCAST=y CONFIG_BT=y CONFIG_MSM_BT_POWER=y @@ -320,6 +321,8 @@ CONFIG_CNSS_GENL=y CONFIG_INPUT_EVDEV=y CONFIG_KEYBOARD_GPIO=y # CONFIG_INPUT_MOUSE is not set +CONFIG_INPUT_JOYSTICK=y +CONFIG_JOYSTICK_XPAD=y CONFIG_INPUT_TOUCHSCREEN=y CONFIG_TOUCHSCREEN_ATMEL_MXT=y CONFIG_TOUCHSCREEN_ST=y @@ -457,7 +460,6 @@ CONFIG_HID_NINTENDO=y CONFIG_HID_PLANTRONICS=y CONFIG_HID_SONY=y CONFIG_HID_QVR=y -CONFIG_USB=y CONFIG_USB_ANNOUNCE_NEW_DEVICES=y CONFIG_USB_XHCI_HCD=y CONFIG_USB_EHCI_HCD=y diff --git a/arch/arm64/configs/vendor/atoll_defconfig b/arch/arm64/configs/vendor/atoll_defconfig index b29571e95795..a6768083758e 100644 --- a/arch/arm64/configs/vendor/atoll_defconfig +++ b/arch/arm64/configs/vendor/atoll_defconfig @@ -16,12 +16,12 @@ CONFIG_RCU_FAST_NO_HZ=y CONFIG_RCU_NOCB_CPU=y CONFIG_IKCONFIG=y CONFIG_IKCONFIG_PROC=y +CONFIG_IKHEADERS=y CONFIG_LOG_CPU_MAX_BUF_SHIFT=17 CONFIG_MEMCG=y CONFIG_MEMCG_SWAP=y CONFIG_BLK_CGROUP=y CONFIG_DEBUG_BLK_CGROUP=y -CONFIG_RT_GROUP_SCHED=y CONFIG_CGROUP_FREEZER=y CONFIG_CPUSETS=y CONFIG_CGROUP_CPUACCT=y @@ -29,7 +29,6 @@ CONFIG_CGROUP_BPF=y CONFIG_CGROUP_DEBUG=y CONFIG_SCHED_CORE_CTL=y CONFIG_NAMESPACES=y -# CONFIG_UTS_NS is not set # CONFIG_PID_NS is not set CONFIG_SCHED_AUTOGROUP=y CONFIG_SCHED_TUNE=y @@ -41,6 +40,7 @@ CONFIG_BLK_DEV_INITRD=y CONFIG_CC_OPTIMIZE_FOR_SIZE=y CONFIG_KALLSYMS_ALL=y CONFIG_BPF_SYSCALL=y +CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_EMBEDDED=y # CONFIG_COMPAT_BRK is not set CONFIG_SLAB_FREELIST_RANDOM=y @@ -50,7 +50,6 @@ CONFIG_KPROBES=y CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_MODULES=y CONFIG_MODULE_UNLOAD=y -CONFIG_MODULE_FORCE_UNLOAD=y CONFIG_MODVERSIONS=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y @@ -84,6 +83,7 @@ CONFIG_ARMV8_DEPRECATED=y CONFIG_SWP_EMULATION=y CONFIG_CP15_BARRIER_EMULATION=y CONFIG_SETEND_EMULATION=y +CONFIG_ARM64_SW_TTBR0_PAN=y # CONFIG_ARM64_VHE is not set CONFIG_RANDOMIZE_BASE=y CONFIG_KRYO_PMU_WORKAROUND=y @@ -253,6 +253,7 @@ CONFIG_NET_ACT_SKBEDIT=y CONFIG_DNS_RESOLVER=y CONFIG_QRTR=y CONFIG_QRTR_SMD=y +CONFIG_BPF_JIT=y CONFIG_SOCKEV_NLMCAST=y CONFIG_BT=y CONFIG_MSM_BT_POWER=y @@ -330,6 +331,7 @@ CONFIG_INPUT_EVDEV=y CONFIG_KEYBOARD_GPIO=y # CONFIG_INPUT_MOUSE is not set CONFIG_INPUT_JOYSTICK=y +CONFIG_JOYSTICK_XPAD=y CONFIG_INPUT_TOUCHSCREEN=y CONFIG_TOUCHSCREEN_ATMEL_MXT=y CONFIG_TOUCHSCREEN_ST=y @@ -472,7 +474,6 @@ CONFIG_HID_NINTENDO=y CONFIG_HID_PLANTRONICS=y CONFIG_HID_SONY=y CONFIG_HID_QVR=y -CONFIG_USB=y CONFIG_USB_ANNOUNCE_NEW_DEVICES=y CONFIG_USB_XHCI_HCD=y CONFIG_USB_EHCI_HCD=y diff --git a/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig b/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig index 78a7083ede12..b8b40266447c 100644 --- a/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig +++ b/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig @@ -16,18 +16,17 @@ CONFIG_RCU_FAST_NO_HZ=y CONFIG_RCU_NOCB_CPU=y CONFIG_IKCONFIG=y CONFIG_IKCONFIG_PROC=y +CONFIG_IKHEADERS=y CONFIG_LOG_CPU_MAX_BUF_SHIFT=17 CONFIG_MEMCG=y CONFIG_MEMCG_SWAP=y CONFIG_BLK_CGROUP=y -CONFIG_RT_GROUP_SCHED=y CONFIG_CGROUP_FREEZER=y CONFIG_CPUSETS=y CONFIG_CGROUP_CPUACCT=y CONFIG_CGROUP_BPF=y CONFIG_SCHED_CORE_CTL=y CONFIG_NAMESPACES=y -# CONFIG_UTS_NS is not set # CONFIG_PID_NS is not set CONFIG_SCHED_AUTOGROUP=y CONFIG_SCHED_TUNE=y @@ -38,6 +37,7 @@ CONFIG_BLK_DEV_INITRD=y # CONFIG_RD_LZ4 is not set CONFIG_KALLSYMS_ALL=y CONFIG_BPF_SYSCALL=y +CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_EMBEDDED=y # CONFIG_SLUB_DEBUG is not set # CONFIG_COMPAT_BRK is not set @@ -47,7 +47,6 @@ CONFIG_PROFILING=y CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_MODULES=y CONFIG_MODULE_UNLOAD=y -CONFIG_MODULE_FORCE_UNLOAD=y CONFIG_MODVERSIONS=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y @@ -73,6 +72,7 @@ CONFIG_ARMV8_DEPRECATED=y CONFIG_SWP_EMULATION=y CONFIG_CP15_BARRIER_EMULATION=y CONFIG_SETEND_EMULATION=y +CONFIG_ARM64_SW_TTBR0_PAN=y # CONFIG_ARM64_VHE is not set CONFIG_RANDOMIZE_BASE=y # CONFIG_EFI is not set @@ -240,6 +240,7 @@ CONFIG_NET_ACT_MIRRED=y CONFIG_NET_ACT_SKBEDIT=y CONFIG_QRTR=y CONFIG_QRTR_SMD=y +CONFIG_BPF_JIT=y CONFIG_SOCKEV_NLMCAST=y CONFIG_BT=y CONFIG_MSM_BT_POWER=y @@ -315,6 +316,8 @@ CONFIG_CNSS_GENL=y CONFIG_INPUT_EVDEV=y CONFIG_KEYBOARD_GPIO=y # CONFIG_INPUT_MOUSE is not set +CONFIG_INPUT_JOYSTICK=y +CONFIG_JOYSTICK_XPAD=y CONFIG_INPUT_TOUCHSCREEN=y CONFIG_TOUCHSCREEN_ST=y CONFIG_TOUCHSCREEN_HIMAX_CHIPSET=y @@ -441,7 +444,6 @@ CONFIG_HID_NINTENDO=y CONFIG_HID_PLANTRONICS=y CONFIG_HID_SONY=y CONFIG_HID_QVR=y -CONFIG_USB=y CONFIG_USB_ANNOUNCE_NEW_DEVICES=y CONFIG_USB_XHCI_HCD=y CONFIG_USB_EHCI_HCD=y diff --git a/arch/arm64/configs/vendor/sdmsteppe_defconfig b/arch/arm64/configs/vendor/sdmsteppe_defconfig index 1a19ceae68c9..8a7d11896f95 100644 --- a/arch/arm64/configs/vendor/sdmsteppe_defconfig +++ b/arch/arm64/configs/vendor/sdmsteppe_defconfig @@ -15,12 +15,12 @@ CONFIG_RCU_FAST_NO_HZ=y CONFIG_RCU_NOCB_CPU=y CONFIG_IKCONFIG=y CONFIG_IKCONFIG_PROC=y +CONFIG_IKHEADERS=y CONFIG_LOG_CPU_MAX_BUF_SHIFT=17 CONFIG_MEMCG=y CONFIG_MEMCG_SWAP=y CONFIG_BLK_CGROUP=y CONFIG_DEBUG_BLK_CGROUP=y -CONFIG_RT_GROUP_SCHED=y CONFIG_CGROUP_FREEZER=y CONFIG_CPUSETS=y CONFIG_CGROUP_CPUACCT=y @@ -28,7 +28,6 @@ CONFIG_CGROUP_BPF=y CONFIG_CGROUP_DEBUG=y CONFIG_SCHED_CORE_CTL=y CONFIG_NAMESPACES=y -# CONFIG_UTS_NS is not set # CONFIG_PID_NS is not set CONFIG_SCHED_AUTOGROUP=y CONFIG_SCHED_TUNE=y @@ -40,6 +39,7 @@ CONFIG_BLK_DEV_INITRD=y CONFIG_CC_OPTIMIZE_FOR_SIZE=y CONFIG_KALLSYMS_ALL=y CONFIG_BPF_SYSCALL=y +CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_EMBEDDED=y # CONFIG_COMPAT_BRK is not set CONFIG_SLAB_FREELIST_RANDOM=y @@ -48,7 +48,6 @@ CONFIG_PROFILING=y CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_MODULES=y CONFIG_MODULE_UNLOAD=y -CONFIG_MODULE_FORCE_UNLOAD=y CONFIG_MODVERSIONS=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y @@ -79,6 +78,7 @@ CONFIG_ARMV8_DEPRECATED=y CONFIG_SWP_EMULATION=y CONFIG_CP15_BARRIER_EMULATION=y CONFIG_SETEND_EMULATION=y +CONFIG_ARM64_SW_TTBR0_PAN=y # CONFIG_ARM64_VHE is not set CONFIG_RANDOMIZE_BASE=y CONFIG_KRYO_PMU_WORKAROUND=y @@ -248,6 +248,7 @@ CONFIG_NET_ACT_SKBEDIT=y CONFIG_DNS_RESOLVER=y CONFIG_QRTR=y CONFIG_QRTR_SMD=y +CONFIG_BPF_JIT=y CONFIG_SOCKEV_NLMCAST=y CONFIG_BT=y CONFIG_MSM_BT_POWER=y @@ -325,6 +326,7 @@ CONFIG_INPUT_EVDEV=y CONFIG_KEYBOARD_GPIO=y # CONFIG_INPUT_MOUSE is not set CONFIG_INPUT_JOYSTICK=y +CONFIG_JOYSTICK_XPAD=y CONFIG_INPUT_TOUCHSCREEN=y CONFIG_TOUCHSCREEN_ST=y CONFIG_TOUCHSCREEN_HIMAX_CHIPSET=y @@ -465,7 +467,6 @@ CONFIG_HID_NINTENDO=y CONFIG_HID_PLANTRONICS=y CONFIG_HID_SONY=y CONFIG_HID_QVR=y -CONFIG_USB=y CONFIG_USB_ANNOUNCE_NEW_DEVICES=y CONFIG_USB_XHCI_HCD=y CONFIG_USB_EHCI_HCD=y diff --git a/arch/arm64/configs/vendor/sm8150-perf_defconfig b/arch/arm64/configs/vendor/sm8150-perf_defconfig index ae15a4356331..813cca0c9dac 100644 --- a/arch/arm64/configs/vendor/sm8150-perf_defconfig +++ b/arch/arm64/configs/vendor/sm8150-perf_defconfig @@ -17,18 +17,17 @@ CONFIG_RCU_FAST_NO_HZ=y CONFIG_RCU_NOCB_CPU=y CONFIG_IKCONFIG=y CONFIG_IKCONFIG_PROC=y +CONFIG_IKHEADERS=y CONFIG_LOG_CPU_MAX_BUF_SHIFT=17 CONFIG_MEMCG=y CONFIG_MEMCG_SWAP=y CONFIG_BLK_CGROUP=y -CONFIG_RT_GROUP_SCHED=y CONFIG_CGROUP_FREEZER=y CONFIG_CPUSETS=y CONFIG_CGROUP_CPUACCT=y CONFIG_CGROUP_BPF=y CONFIG_SCHED_CORE_CTL=y CONFIG_NAMESPACES=y -# CONFIG_UTS_NS is not set # CONFIG_PID_NS is not set CONFIG_SCHED_AUTOGROUP=y CONFIG_SCHED_TUNE=y @@ -39,6 +38,7 @@ CONFIG_BLK_DEV_INITRD=y # CONFIG_RD_LZ4 is not set CONFIG_KALLSYMS_ALL=y CONFIG_BPF_SYSCALL=y +CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_EMBEDDED=y # CONFIG_SLUB_DEBUG is not set # CONFIG_COMPAT_BRK is not set @@ -49,7 +49,6 @@ CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_REFCOUNT_FULL=y CONFIG_MODULES=y CONFIG_MODULE_UNLOAD=y -CONFIG_MODULE_FORCE_UNLOAD=y CONFIG_MODVERSIONS=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y @@ -78,6 +77,7 @@ CONFIG_ARMV8_DEPRECATED=y CONFIG_SWP_EMULATION=y CONFIG_CP15_BARRIER_EMULATION=y CONFIG_SETEND_EMULATION=y +CONFIG_ARM64_SW_TTBR0_PAN=y # CONFIG_ARM64_VHE is not set CONFIG_RANDOMIZE_BASE=y # CONFIG_EFI is not set @@ -249,6 +249,7 @@ CONFIG_QRTR=y CONFIG_QRTR_SMD=y CONFIG_QRTR_MHI=y CONFIG_QRTR_FIFO=y +CONFIG_BPF_JIT=y CONFIG_SOCKEV_NLMCAST=y CONFIG_BT=y CONFIG_MSM_BT_POWER=y @@ -325,6 +326,8 @@ CONFIG_CNSS_GENL=y CONFIG_INPUT_EVDEV=y CONFIG_KEYBOARD_GPIO=y # CONFIG_INPUT_MOUSE is not set +CONFIG_INPUT_JOYSTICK=y +CONFIG_JOYSTICK_XPAD=y CONFIG_INPUT_TOUCHSCREEN=y CONFIG_TOUCHSCREEN_ST=y CONFIG_TOUCHSCREEN_SYNAPTICS_TCM=y @@ -451,7 +454,6 @@ CONFIG_HID_PLANTRONICS=y CONFIG_HID_SONY=y CONFIG_HID_QVR=y CONFIG_USB_HIDDEV=y -CONFIG_USB=y CONFIG_USB_ANNOUNCE_NEW_DEVICES=y CONFIG_USB_XHCI_HCD=y CONFIG_USB_EHCI_HCD=y diff --git a/arch/arm64/configs/vendor/sm8150_defconfig b/arch/arm64/configs/vendor/sm8150_defconfig index a5dcf088d624..530e069147d0 100644 --- a/arch/arm64/configs/vendor/sm8150_defconfig +++ b/arch/arm64/configs/vendor/sm8150_defconfig @@ -16,12 +16,12 @@ CONFIG_RCU_FAST_NO_HZ=y CONFIG_RCU_NOCB_CPU=y CONFIG_IKCONFIG=y CONFIG_IKCONFIG_PROC=y +CONFIG_IKHEADERS=y CONFIG_LOG_CPU_MAX_BUF_SHIFT=17 CONFIG_MEMCG=y CONFIG_MEMCG_SWAP=y CONFIG_BLK_CGROUP=y CONFIG_DEBUG_BLK_CGROUP=y -CONFIG_RT_GROUP_SCHED=y CONFIG_CGROUP_FREEZER=y CONFIG_CPUSETS=y CONFIG_CGROUP_CPUACCT=y @@ -29,7 +29,6 @@ CONFIG_CGROUP_BPF=y CONFIG_CGROUP_DEBUG=y CONFIG_SCHED_CORE_CTL=y CONFIG_NAMESPACES=y -# CONFIG_UTS_NS is not set # CONFIG_PID_NS is not set CONFIG_SCHED_AUTOGROUP=y CONFIG_SCHED_TUNE=y @@ -41,6 +40,7 @@ CONFIG_BLK_DEV_INITRD=y CONFIG_CC_OPTIMIZE_FOR_SIZE=y CONFIG_KALLSYMS_ALL=y CONFIG_BPF_SYSCALL=y +CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_EMBEDDED=y # CONFIG_COMPAT_BRK is not set CONFIG_SLAB_FREELIST_RANDOM=y @@ -51,7 +51,6 @@ CONFIG_REFCOUNT_FULL=y CONFIG_PANIC_ON_REFCOUNT_ERROR=y CONFIG_MODULES=y CONFIG_MODULE_UNLOAD=y -CONFIG_MODULE_FORCE_UNLOAD=y CONFIG_MODVERSIONS=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y @@ -85,6 +84,7 @@ CONFIG_ARMV8_DEPRECATED=y CONFIG_SWP_EMULATION=y CONFIG_CP15_BARRIER_EMULATION=y CONFIG_SETEND_EMULATION=y +CONFIG_ARM64_SW_TTBR0_PAN=y # CONFIG_ARM64_VHE is not set CONFIG_RANDOMIZE_BASE=y CONFIG_BUILD_ARM64_UNCOMPRESSED_KERNEL=y @@ -258,6 +258,7 @@ CONFIG_QRTR=y CONFIG_QRTR_SMD=y CONFIG_QRTR_MHI=y CONFIG_QRTR_FIFO=y +CONFIG_BPF_JIT=y CONFIG_SOCKEV_NLMCAST=y CONFIG_BT=y CONFIG_MSM_BT_POWER=y @@ -337,6 +338,7 @@ CONFIG_INPUT_EVDEV=y CONFIG_KEYBOARD_GPIO=y # CONFIG_INPUT_MOUSE is not set CONFIG_INPUT_JOYSTICK=y +CONFIG_JOYSTICK_XPAD=y CONFIG_INPUT_TOUCHSCREEN=y CONFIG_TOUCHSCREEN_ST=y CONFIG_TOUCHSCREEN_SYNAPTICS_TCM=y @@ -467,7 +469,6 @@ CONFIG_HID_PLANTRONICS=y CONFIG_HID_SONY=y CONFIG_HID_QVR=y CONFIG_USB_HIDDEV=y -CONFIG_USB=y CONFIG_USB_ANNOUNCE_NEW_DEVICES=y CONFIG_USB_XHCI_HCD=y CONFIG_USB_EHCI_HCD=y diff --git a/arch/arm64/configs/vendor/trinket-perf_defconfig b/arch/arm64/configs/vendor/trinket-perf_defconfig index 410b592072d2..66a6f3c20d52 100644 --- a/arch/arm64/configs/vendor/trinket-perf_defconfig +++ b/arch/arm64/configs/vendor/trinket-perf_defconfig @@ -17,18 +17,17 @@ CONFIG_RCU_FAST_NO_HZ=y CONFIG_RCU_NOCB_CPU=y CONFIG_IKCONFIG=y CONFIG_IKCONFIG_PROC=y +CONFIG_IKHEADERS=y CONFIG_LOG_CPU_MAX_BUF_SHIFT=17 CONFIG_MEMCG=y CONFIG_MEMCG_SWAP=y CONFIG_BLK_CGROUP=y -CONFIG_RT_GROUP_SCHED=y CONFIG_CGROUP_FREEZER=y CONFIG_CPUSETS=y CONFIG_CGROUP_CPUACCT=y CONFIG_CGROUP_BPF=y CONFIG_SCHED_CORE_CTL=y CONFIG_NAMESPACES=y -# CONFIG_UTS_NS is not set # CONFIG_PID_NS is not set CONFIG_SCHED_AUTOGROUP=y CONFIG_SCHED_TUNE=y @@ -39,6 +38,7 @@ CONFIG_BLK_DEV_INITRD=y # CONFIG_RD_LZ4 is not set CONFIG_KALLSYMS_ALL=y CONFIG_BPF_SYSCALL=y +CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_EMBEDDED=y # CONFIG_COMPAT_BRK is not set CONFIG_SLAB_FREELIST_RANDOM=y @@ -47,7 +47,6 @@ CONFIG_PROFILING=y CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_MODULES=y CONFIG_MODULE_UNLOAD=y -CONFIG_MODULE_FORCE_UNLOAD=y CONFIG_MODVERSIONS=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y @@ -244,6 +243,7 @@ CONFIG_NET_ACT_MIRRED=y CONFIG_NET_ACT_SKBEDIT=y CONFIG_QRTR=y CONFIG_QRTR_SMD=y +CONFIG_BPF_JIT=y CONFIG_SOCKEV_NLMCAST=y CONFIG_BT=y CONFIG_MSM_BT_POWER=y @@ -316,6 +316,8 @@ CONFIG_CNSS_GENL=y CONFIG_INPUT_EVDEV=y CONFIG_KEYBOARD_GPIO=y # CONFIG_INPUT_MOUSE is not set +CONFIG_INPUT_JOYSTICK=y +CONFIG_JOYSTICK_XPAD=y CONFIG_INPUT_TOUCHSCREEN=y CONFIG_TOUCHSCREEN_HIMAX_CHIPSET=y CONFIG_TOUCHSCREEN_HIMAX_I2C=y @@ -458,7 +460,6 @@ CONFIG_HID_MULTITOUCH=y CONFIG_HID_NINTENDO=y CONFIG_HID_PLANTRONICS=y CONFIG_HID_SONY=y -CONFIG_USB=y CONFIG_USB_ANNOUNCE_NEW_DEVICES=y CONFIG_USB_XHCI_HCD=y CONFIG_USB_EHCI_HCD=y diff --git a/arch/arm64/configs/vendor/trinket_defconfig b/arch/arm64/configs/vendor/trinket_defconfig index 3c9c5e44c4b4..0c31db9b7391 100644 --- a/arch/arm64/configs/vendor/trinket_defconfig +++ b/arch/arm64/configs/vendor/trinket_defconfig @@ -16,12 +16,12 @@ CONFIG_RCU_FAST_NO_HZ=y CONFIG_RCU_NOCB_CPU=y CONFIG_IKCONFIG=y CONFIG_IKCONFIG_PROC=y +CONFIG_IKHEADERS=y CONFIG_LOG_CPU_MAX_BUF_SHIFT=17 CONFIG_MEMCG=y CONFIG_MEMCG_SWAP=y CONFIG_BLK_CGROUP=y CONFIG_DEBUG_BLK_CGROUP=y -CONFIG_RT_GROUP_SCHED=y CONFIG_CGROUP_FREEZER=y CONFIG_CPUSETS=y CONFIG_CGROUP_CPUACCT=y @@ -29,7 +29,6 @@ CONFIG_CGROUP_BPF=y CONFIG_CGROUP_DEBUG=y CONFIG_SCHED_CORE_CTL=y CONFIG_NAMESPACES=y -# CONFIG_UTS_NS is not set # CONFIG_PID_NS is not set CONFIG_SCHED_AUTOGROUP=y CONFIG_SCHED_TUNE=y @@ -41,6 +40,7 @@ CONFIG_BLK_DEV_INITRD=y CONFIG_CC_OPTIMIZE_FOR_SIZE=y CONFIG_KALLSYMS_ALL=y CONFIG_BPF_SYSCALL=y +CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_EMBEDDED=y # CONFIG_COMPAT_BRK is not set CONFIG_SLAB_FREELIST_RANDOM=y @@ -49,7 +49,6 @@ CONFIG_PROFILING=y CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_MODULES=y CONFIG_MODULE_UNLOAD=y -CONFIG_MODULE_FORCE_UNLOAD=y CONFIG_MODVERSIONS=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y @@ -253,6 +252,7 @@ CONFIG_NET_ACT_SKBEDIT=y CONFIG_DNS_RESOLVER=y CONFIG_QRTR=y CONFIG_QRTR_SMD=y +CONFIG_BPF_JIT=y CONFIG_SOCKEV_NLMCAST=y CONFIG_BT=y CONFIG_MSM_BT_POWER=y @@ -328,6 +328,7 @@ CONFIG_INPUT_EVDEV=y CONFIG_KEYBOARD_GPIO=y # CONFIG_INPUT_MOUSE is not set CONFIG_INPUT_JOYSTICK=y +CONFIG_JOYSTICK_XPAD=y CONFIG_INPUT_TOUCHSCREEN=y CONFIG_TOUCHSCREEN_HIMAX_CHIPSET=y CONFIG_TOUCHSCREEN_HIMAX_I2C=y @@ -474,7 +475,6 @@ CONFIG_HID_MULTITOUCH=y CONFIG_HID_NINTENDO=y CONFIG_HID_PLANTRONICS=y CONFIG_HID_SONY=y -CONFIG_USB=y CONFIG_USB_ANNOUNCE_NEW_DEVICES=y CONFIG_USB_XHCI_HCD=y CONFIG_USB_EHCI_HCD=y From c6c83b555988f298c666c2b5a5944bf343476f25 Mon Sep 17 00:00:00 2001 From: Ayush Kumar Date: Fri, 17 Apr 2020 18:48:22 +0530 Subject: [PATCH 065/386] msm: camera: reqmgr: Stop slot reset on buf done This change is to stop slot reset on link in case of buf done. If slot is required for applying either next or previous request on sync link, then stop the slot reset for the link. Change-Id: I296e450de94e273d17b1a9bb0879d879a63414f4 Signed-off-by: Ayush Kumar --- .../msm/camera/cam_req_mgr/cam_req_mgr_core.c | 54 ++++++++++++++++--- 1 file changed, 48 insertions(+), 6 deletions(-) diff --git a/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c b/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c index bb0f1fdde118..06becd6f860b 100644 --- a/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c +++ b/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c @@ -2218,6 +2218,42 @@ end: return rc; } +static void cam_req_mgr_process_reset_for_dual_link( + struct cam_req_mgr_core_link *link, + struct cam_req_mgr_trigger_notify *trigger_data) +{ + int32_t idx = -1; + int32_t sync_idx = -1; + struct cam_req_mgr_req_queue *in_q = NULL; + struct cam_req_mgr_req_queue *sync_in_q = NULL; + + in_q = link->req.in_q; + sync_in_q = link->sync_link->req.in_q; + + sync_idx = __cam_req_mgr_find_slot_for_req(sync_in_q, + trigger_data->req_id); + if (link->is_master) + __cam_req_mgr_dec_idx(&sync_idx, + (link->max_delay - link->sync_link->max_delay), + sync_in_q->num_slots); + else + __cam_req_mgr_inc_idx(&sync_idx, + (link->sync_link->max_delay - link->max_delay), + sync_in_q->num_slots); + if (sync_idx != -1 && + (sync_in_q->slot[sync_in_q->rd_idx].status == + CRM_SLOT_STATUS_REQ_APPLIED)) { + idx = __cam_req_mgr_find_slot_for_req(in_q, + trigger_data->req_id); + CAM_DBG(CAM_CRM, "Reset req: %lld idx: %d link_hdl: %x", + trigger_data->req_id, idx, + link->link_hdl); + if (idx == in_q->last_applied_idx) + in_q->last_applied_idx = -1; + __cam_req_mgr_reset_req_slot(link, idx); + } +} + /** * cam_req_mgr_process_trigger() * @@ -2256,12 +2292,18 @@ static int cam_req_mgr_process_trigger(void *priv, void *data) mutex_lock(&link->req.lock); if (trigger_data->trigger == CAM_TRIGGER_POINT_SOF) { - idx = __cam_req_mgr_find_slot_for_req(in_q, - trigger_data->req_id); - if (idx >= 0) { - if (idx == in_q->last_applied_idx) - in_q->last_applied_idx = -1; - __cam_req_mgr_reset_req_slot(link, idx); + if (link->sync_link && + (link->is_master || link->sync_link->is_master)) { + cam_req_mgr_process_reset_for_dual_link(link, + trigger_data); + } else { + idx = __cam_req_mgr_find_slot_for_req(in_q, + trigger_data->req_id); + if (idx >= 0) { + if (idx == in_q->last_applied_idx) + in_q->last_applied_idx = -1; + __cam_req_mgr_reset_req_slot(link, idx); + } } } From 95d14e40821dab81209b64d9fbecc6e55af2da72 Mon Sep 17 00:00:00 2001 From: Ayush Kumar Date: Fri, 5 Jun 2020 00:55:14 +0530 Subject: [PATCH 066/386] msm: camera: core: Change return type Return different error number when new requests and update packets are rejected due to bad request id. This allows userspace to differentiate this specific reason for failure. Change-Id: I0b1e7086351b9438fd72a6d824bc20c8213b5ea8 Signed-off-by: Ayush Kumar --- drivers/media/platform/msm/camera/cam_isp/cam_isp_context.c | 2 +- .../media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/msm/camera/cam_isp/cam_isp_context.c b/drivers/media/platform/msm/camera/cam_isp/cam_isp_context.c index 78d9a6637135..18c3230b61a5 100644 --- a/drivers/media/platform/msm/camera/cam_isp/cam_isp_context.c +++ b/drivers/media/platform/msm/camera/cam_isp/cam_isp_context.c @@ -3363,7 +3363,7 @@ static int __cam_isp_ctx_config_dev_in_top_state( CAM_INFO(CAM_ISP, "request %lld has been flushed, reject packet", packet->header.request_id); - rc = -EINVAL; + rc = -EBADR; goto free_cpu_buf; } diff --git a/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c b/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c index 6fa26b2eb13f..d7f277528f64 100644 --- a/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c +++ b/drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c @@ -3185,7 +3185,7 @@ int cam_req_mgr_schedule_request( CAM_INFO(CAM_CRM, "request %lld is flushed, last_flush_id to flush %u", sched_req->req_id, link->last_flush_id); - rc = -EINVAL; + rc = -EBADR; goto end; } From 0bcb21107196fe8530482c7c5d5770dac679e4fd Mon Sep 17 00:00:00 2001 From: Charan Teja Reddy Date: Mon, 18 May 2020 10:48:50 +0530 Subject: [PATCH 067/386] dma-buf: fix sleep-while-atomic in dmabuffs_dname There is a sleep-while-atomic reported when the selinux tries to dump the file path name of a dmabuf file using d_path(). Fix it. Flow will be like below: flush_unauthorized_files --> iterate_fd --> spin_lock --> Start of the atomic section match_file --> file_has_perm --> avc_has_perm --> avc_audit --> slow_avc_audit --> common_lsm_audit --> dump_common_audit_data --> audit_log_d_path --> d_path --> dmabuffs_dname --> mutex_lock--> Sleep while atomic. Change-Id: Ieed88a9093355d160e1c194d31fe33f1c7dadf60 Signed-off-by: Charan Teja Reddy Signed-off-by: Rahul Shahare --- drivers/dma-buf/dma-buf.c | 11 +++++++---- include/linux/dma-buf.h | 1 + 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 4e8bcd708bff..62a9fa8b9019 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -92,10 +92,10 @@ static char *dmabuffs_dname(struct dentry *dentry, char *buffer, int buflen) goto out; } spin_unlock(&dentry->d_lock); - mutex_lock(&dmabuf->lock); + spin_lock(&dmabuf->name_lock); if (dmabuf->name) ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN); - mutex_unlock(&dmabuf->lock); + spin_unlock(&dmabuf->name_lock); dmabuf_dent_put(dmabuf); out: return dynamic_dname(dentry, buffer, buflen, "/%s:%s", @@ -392,8 +392,10 @@ static long dma_buf_set_name(struct dma_buf *dmabuf, const char __user *buf) kfree(name); goto out_unlock; } + spin_lock(&dmabuf->name_lock); kfree(dmabuf->name); dmabuf->name = name; + spin_unlock(&dmabuf->name_lock); out_unlock: mutex_unlock(&dmabuf->lock); @@ -463,10 +465,10 @@ static void dma_buf_show_fdinfo(struct seq_file *m, struct file *file) /* Don't count the temporary reference taken inside procfs seq_show */ seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1); seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name); - mutex_lock(&dmabuf->lock); + spin_lock(&dmabuf->name_lock); if (dmabuf->name) seq_printf(m, "name:\t%s\n", dmabuf->name); - mutex_unlock(&dmabuf->lock); + spin_unlock(&dmabuf->name_lock); } static const struct file_operations dma_buf_fops = { @@ -623,6 +625,7 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) dmabuf->size = exp_info->size; dmabuf->exp_name = exp_info->exp_name; dmabuf->owner = exp_info->owner; + spin_lock_init(&dmabuf->name_lock); init_waitqueue_head(&dmabuf->poll); dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll; dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0; diff --git a/include/linux/dma-buf.h b/include/linux/dma-buf.h index 76647fd57a0e..df0e14110ecc 100644 --- a/include/linux/dma-buf.h +++ b/include/linux/dma-buf.h @@ -417,6 +417,7 @@ struct dma_buf { char *buf_name; ktime_t ktime; const char *name; + spinlock_t name_lock; struct module *owner; struct list_head list_node; void *priv; From 86550fb4e259c3f952c3a3263e6741f847967b5e Mon Sep 17 00:00:00 2001 From: Rahul Shahare Date: Mon, 3 Aug 2020 16:29:46 +0530 Subject: [PATCH 068/386] defconfig: Enable DEBUG LIST defconfig Enable CONFIG_DEBUG_LIST for atoll, sm8150, trinket & sdmsteppe perf_defconfig. Change-Id: If7d2667cd69926e9f4bb92f34885f68f0862f136 Signed-off-by: Rahul Shahare --- arch/arm64/configs/vendor/atoll-perf_defconfig | 1 + arch/arm64/configs/vendor/sdmsteppe-perf_defconfig | 1 + arch/arm64/configs/vendor/sm8150-perf_defconfig | 1 + arch/arm64/configs/vendor/trinket-perf_defconfig | 1 + 4 files changed, 4 insertions(+) diff --git a/arch/arm64/configs/vendor/atoll-perf_defconfig b/arch/arm64/configs/vendor/atoll-perf_defconfig index 0591bef7db46..839a2169b68d 100644 --- a/arch/arm64/configs/vendor/atoll-perf_defconfig +++ b/arch/arm64/configs/vendor/atoll-perf_defconfig @@ -698,6 +698,7 @@ CONFIG_MAGIC_SYSRQ=y CONFIG_PANIC_TIMEOUT=5 CONFIG_SCHEDSTATS=y # CONFIG_DEBUG_PREEMPT is not set +CONFIG_DEBUG_LIST=y CONFIG_IPC_LOGGING=y CONFIG_DEBUG_ALIGN_RODATA=y CONFIG_CORESIGHT=y diff --git a/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig b/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig index c0658e01e8d5..302e81976aaa 100644 --- a/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig +++ b/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig @@ -676,6 +676,7 @@ CONFIG_MAGIC_SYSRQ=y CONFIG_PANIC_TIMEOUT=5 CONFIG_SCHEDSTATS=y # CONFIG_DEBUG_PREEMPT is not set +CONFIG_DEBUG_LIST=y CONFIG_IPC_LOGGING=y CONFIG_DEBUG_ALIGN_RODATA=y CONFIG_CORESIGHT=y diff --git a/arch/arm64/configs/vendor/sm8150-perf_defconfig b/arch/arm64/configs/vendor/sm8150-perf_defconfig index 0a0252777cfc..29c819bdcc33 100644 --- a/arch/arm64/configs/vendor/sm8150-perf_defconfig +++ b/arch/arm64/configs/vendor/sm8150-perf_defconfig @@ -684,6 +684,7 @@ CONFIG_MAGIC_SYSRQ=y CONFIG_PANIC_TIMEOUT=-1 CONFIG_SCHEDSTATS=y # CONFIG_DEBUG_PREEMPT is not set +CONFIG_DEBUG_LIST=y CONFIG_IPC_LOGGING=y CONFIG_DEBUG_ALIGN_RODATA=y CONFIG_CORESIGHT=y diff --git a/arch/arm64/configs/vendor/trinket-perf_defconfig b/arch/arm64/configs/vendor/trinket-perf_defconfig index 1af661907f0e..5742daf68ca1 100644 --- a/arch/arm64/configs/vendor/trinket-perf_defconfig +++ b/arch/arm64/configs/vendor/trinket-perf_defconfig @@ -661,6 +661,7 @@ CONFIG_MAGIC_SYSRQ=y CONFIG_PANIC_TIMEOUT=5 CONFIG_SCHEDSTATS=y # CONFIG_DEBUG_PREEMPT is not set +CONFIG_DEBUG_LIST=y CONFIG_IPC_LOGGING=y CONFIG_DEBUG_ALIGN_RODATA=y CONFIG_CORESIGHT=y From ba50707332a7e5e225a5121fe0dc9c302660b4ea Mon Sep 17 00:00:00 2001 From: Anjana Hari Date: Thu, 18 Jun 2020 22:24:24 +0530 Subject: [PATCH 069/386] mtd: msm_qpic_nand: Add support to read one codeword When the read requests received from upper layer are less than 516 bytes, then instead of reading the entire page, we can read only one codeword, thereby improving the read performance. This support is only applicable if the data requested lies in first codeword of the page. Modem KPI markers: All units in seconds | Parameter | With OCW | W/o OCW | Delta | | Modem Image Start Loading | 13.5542 | 14.6176 | 1.0634| | Modem out of reset | 19.8452 | 20.9962 | 1.151 | NAND Perf Stats: Obtained by reading 1GB data. All units in usec | Parameter | With OCW | W/o OCW | Delta | | min_read_time_us | 70 | 340.6 | 270.6 | | total_read_time_us | 17737604 | 18603376| 865772|. Change-Id: I1df9ea7b9193a900b38e3d7a4fe38e2212bbf705 Signed-off-by: Anjana Hari --- drivers/mtd/devices/msm_qpic_nand.c | 86 ++++++++++++++++++++++------- 1 file changed, 67 insertions(+), 19 deletions(-) diff --git a/drivers/mtd/devices/msm_qpic_nand.c b/drivers/mtd/devices/msm_qpic_nand.c index 8cb1feb3dcd1..15b702bdb6a0 100644 --- a/drivers/mtd/devices/msm_qpic_nand.c +++ b/drivers/mtd/devices/msm_qpic_nand.c @@ -26,6 +26,8 @@ #define MAX_DESC 16 #define SMEM_AARM_PARTITION_TABLE 9 #define SMEM_APPS 0 +#define ONE_CODEWORD_SIZE 516 + static bool enable_euclean; static bool enable_perfstats; @@ -1183,10 +1185,16 @@ static int msm_nand_validate_mtd_params(struct mtd_info *mtd, bool read, err = -EINVAL; goto out; } - args->page_count = ops->len / (mtd->writesize + mtd->oobsize); + if (ops->len <= ONE_CODEWORD_SIZE) + args->page_count = 1; + else + args->page_count = ops->len / + (mtd->writesize + mtd->oobsize); } else if (ops->mode == MTD_OPS_AUTO_OOB) { - if (ops->datbuf && (ops->len % mtd->writesize) != 0) { + if (ops->datbuf && (ops->len % + ((ops->len <= ONE_CODEWORD_SIZE) ? + ONE_CODEWORD_SIZE : mtd->writesize)) != 0) { /* when ops->datbuf is NULL, ops->len can be ooblen */ pr_err("unsupported data len %d for AUTO mode\n", ops->len); @@ -1199,7 +1207,10 @@ static int msm_nand_validate_mtd_params(struct mtd_info *mtd, bool read, if ((args->page_count == 0) && (ops->ooblen)) args->page_count = 1; } else if (ops->datbuf) { - args->page_count = ops->len / mtd->writesize; + if (ops->len <= ONE_CODEWORD_SIZE) + args->page_count = 1; + else + args->page_count = ops->len / mtd->writesize; } } @@ -1245,12 +1256,20 @@ static void msm_nand_update_rw_reg_data(struct msm_nand_chip *chip, struct msm_nand_rw_params *args, struct msm_nand_rw_reg_data *data) { + /* + * While reading one codeword, CW_PER_PAGE bits of QPIC_NAND_DEV0_CFG0 + * should be set to 0, which implies 1 codeword per page. 'n' below, + * is used to configure cfg0 for reading one full page or one single + * codeword. + */ + int n = (ops->len <= ONE_CODEWORD_SIZE) ? args->cwperpage : 1; + if (args->read) { if (ops->mode != MTD_OPS_RAW) { data->cmd = MSM_NAND_CMD_PAGE_READ_ECC; data->cfg0 = (chip->cfg0 & ~(7U << CW_PER_PAGE)) | - (((args->cwperpage-1) - args->start_sector) + (((args->cwperpage-n) - args->start_sector) << CW_PER_PAGE); data->cfg1 = chip->cfg1; data->ecc_bch_cfg = chip->ecc_bch_cfg; @@ -1258,7 +1277,7 @@ static void msm_nand_update_rw_reg_data(struct msm_nand_chip *chip, data->cmd = MSM_NAND_CMD_PAGE_READ_ALL; data->cfg0 = (chip->cfg0_raw & ~(7U << CW_PER_PAGE)) | - (((args->cwperpage-1) - args->start_sector) + (((args->cwperpage-n) - args->start_sector) << CW_PER_PAGE); data->cfg1 = chip->cfg1_raw; data->ecc_bch_cfg = chip->ecc_cfg_raw; @@ -1302,6 +1321,11 @@ static void msm_nand_prep_rw_cmd_desc(struct mtd_oob_ops *ops, uint32_t offset, size, last_read; struct sps_command_element *curr_ce, *start_ce; uint32_t *flags_ptr, *num_ce_ptr; + /* + * Variable to configure read_location register parameters + * while reading one codeword or one full page + */ + int n = (ops->len <= ONE_CODEWORD_SIZE) ? args->cwperpage : 1; if (curr_cw == args->start_sector) { curr_ce = start_ce = &cmd_list->setup_desc.ce[0]; @@ -1394,10 +1418,15 @@ static void msm_nand_prep_rw_cmd_desc(struct mtd_oob_ops *ops, if (ops->mode == MTD_OPS_AUTO_OOB) { if (ops->datbuf) { offset = 0; - size = (curr_cw < (args->cwperpage - 1)) ? 516 : - (512 - ((args->cwperpage - 1) << 2)); - last_read = (curr_cw < (args->cwperpage - 1)) ? 1 : - (ops->oobbuf ? 0 : 1); + if (ops->len <= ONE_CODEWORD_SIZE) { + size = ONE_CODEWORD_SIZE; + last_read = 1; + } else { + size = (curr_cw < (args->cwperpage - 1)) ? 516 : + (512 - ((args->cwperpage - 1) << 2)); + last_read = (curr_cw < (args->cwperpage - 1)) ? + 1 : (ops->oobbuf ? 0 : 1); + } rdata = (offset << 0) | (size << 16) | (last_read << 31); @@ -1413,7 +1442,7 @@ static void msm_nand_prep_rw_cmd_desc(struct mtd_oob_ops *ops, curr_ce++; } } - if (curr_cw == (args->cwperpage - 1) && ops->oobbuf) { + if (curr_cw == (args->cwperpage - n) && ops->oobbuf) { offset = 512 - ((args->cwperpage - 1) << 2); size = (args->cwperpage) << 2; if (size > args->oob_len_cmd) @@ -1471,6 +1500,11 @@ static int msm_nand_submit_rw_data_desc(struct mtd_oob_ops *ops, uint32_t sectordatasize, sectoroobsize; uint32_t sps_flags = 0; int err = 0; + /* + * Variable to configure sectordatasize and sectoroobsize + * while reading one codeword or one full page. + */ + int n = (ops->len <= ONE_CODEWORD_SIZE) ? args->cwperpage : 1; if (args->read) data_pipe_handle = info->sps.data_prod.handle; @@ -1479,7 +1513,7 @@ static int msm_nand_submit_rw_data_desc(struct mtd_oob_ops *ops, if (ops->mode == MTD_OPS_RAW) { if (ecc_parity_bytes && args->read) { - if (curr_cw == (args->cwperpage - 1)) + if (curr_cw == (args->cwperpage - n)) sps_flags |= SPS_IOVEC_FLAG_INT; /* read only ecc bytes */ @@ -1494,7 +1528,7 @@ static int msm_nand_submit_rw_data_desc(struct mtd_oob_ops *ops, sectordatasize = chip->cw_size; if (!args->read) sps_flags = SPS_IOVEC_FLAG_EOT; - if (curr_cw == (args->cwperpage - 1)) + if (curr_cw == (args->cwperpage - n)) sps_flags |= SPS_IOVEC_FLAG_INT; err = sps_transfer_one(data_pipe_handle, @@ -1507,8 +1541,13 @@ static int msm_nand_submit_rw_data_desc(struct mtd_oob_ops *ops, } } else if (ops->mode == MTD_OPS_AUTO_OOB) { if (ops->datbuf) { - sectordatasize = (curr_cw < (args->cwperpage - 1)) - ? 516 : (512 - ((args->cwperpage - 1) << 2)); + if (ops->len <= ONE_CODEWORD_SIZE) + sectordatasize = ONE_CODEWORD_SIZE; + else + sectordatasize = + (curr_cw < (args->cwperpage - 1)) + ? 516 : + (512 - ((args->cwperpage - 1) << 2)); if (!args->read) { sps_flags = SPS_IOVEC_FLAG_EOT; @@ -1516,7 +1555,7 @@ static int msm_nand_submit_rw_data_desc(struct mtd_oob_ops *ops, ops->oobbuf) sps_flags = 0; } - if ((curr_cw == (args->cwperpage - 1)) && !ops->oobbuf) + if ((curr_cw == (args->cwperpage - n)) && !ops->oobbuf) sps_flags |= SPS_IOVEC_FLAG_INT; err = sps_transfer_one(data_pipe_handle, @@ -1528,7 +1567,7 @@ static int msm_nand_submit_rw_data_desc(struct mtd_oob_ops *ops, args->data_dma_addr_curr += sectordatasize; } - if (ops->oobbuf && (curr_cw == (args->cwperpage - 1))) { + if (ops->oobbuf && (curr_cw == (args->cwperpage - n))) { sectoroobsize = args->cwperpage << 2; if (sectoroobsize > args->oob_len_data) sectoroobsize = args->oob_len_data; @@ -2755,6 +2794,9 @@ static int msm_nand_read_oob(struct mtd_info *mtd, loff_t from, data.addr0 = (rw_params.page << 16) | rw_params.oob_col; data.addr1 = (rw_params.page >> 16) & 0xff; + if (ops->len <= ONE_CODEWORD_SIZE) + cwperpage = 1; + for (n = rw_params.start_sector; n < cwperpage; n++) { struct sps_command_element *curr_ce, *start_ce; @@ -2832,7 +2874,7 @@ static int msm_nand_read_oob(struct mtd_info *mtd, loff_t from, } else if (ops->mode == MTD_OPS_AUTO_OOB) { if (ops->datbuf) submitted_num_desc = cwperpage - - rw_params.start_sector; + rw_params.start_sector; if (ops->oobbuf) submitted_num_desc++; } @@ -3052,7 +3094,10 @@ free_dma: } validate_mtd_params_failed: if (ops->mode != MTD_OPS_RAW) - ops->retlen = mtd->writesize * pages_read; + if (ops->len <= ONE_CODEWORD_SIZE) + ops->retlen = ONE_CODEWORD_SIZE; + else + ops->retlen = mtd->writesize * pages_read; else ops->retlen = (mtd->writesize + mtd->oobsize) * pages_read; ops->oobretlen = ops->ooblen - rw_params.oob_len_data; @@ -3125,8 +3170,11 @@ static int msm_nand_read_partial_page(struct mtd_info *mtd, ops->datbuf = no_copy ? actual_buf : bounce_buf; if (info->nand_chip.caps & MSM_NAND_CAP_PAGE_SCOPE_READ) err = msm_nand_read_pagescope(mtd, aligned_from, ops); - else + else { + if ((len <= ONE_CODEWORD_SIZE) && (offset == 0)) + ops->len = ONE_CODEWORD_SIZE; err = msm_nand_read_oob(mtd, aligned_from, ops); + } if (err == -EUCLEAN) { is_euclean = 1; err = 0; From 217c856dfc2a7f02c41b504723395ad7ab4d5262 Mon Sep 17 00:00:00 2001 From: Zhonglin Zhang Date: Thu, 29 Nov 2018 17:04:29 +0800 Subject: [PATCH 070/386] ath10k: tweak interface combinations Tune the way station and AP interface limits. Tested HW: WCN3990. Change-Id: Iddbdc6d33fe6d22d5cf45e287790424d9541b277 Signed-off-by: Zhonglin Zhang Signed-off-by: Rakesh Pillai Signed-off-by: Balaji Pothunoori --- drivers/net/wireless/ath/ath10k/mac.c | 17 +++++++++++++++++ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 ++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c index a920660a114a..bd8f0a2d9cd7 100644 --- a/drivers/net/wireless/ath/ath10k/mac.c +++ b/drivers/net/wireless/ath/ath10k/mac.c @@ -8020,6 +8020,17 @@ static const struct ieee80211_iface_limit ath10k_tlv_if_limit_ibss[] = { }, }; +static const struct ieee80211_iface_limit ath10k_tlv_if_vap_limit[] = { + { + .max = 1, + .types = BIT(NL80211_IFTYPE_STATION), + }, + { + .max = 3, + .types = BIT(NL80211_IFTYPE_AP), + }, +}; + /* FIXME: This is not thouroughly tested. These combinations may over- or * underestimate hw/fw capabilities. */ @@ -8057,6 +8068,12 @@ static struct ieee80211_iface_combination ath10k_tlv_qcs_if_comb[] = { .max_interfaces = 2, .n_limits = ARRAY_SIZE(ath10k_tlv_if_limit_ibss), }, + { + .limits = ath10k_tlv_if_vap_limit, + .num_different_channels = 1, + .max_interfaces = 4, + .n_limits = ARRAY_SIZE(ath10k_tlv_if_vap_limit), + }, }; static const struct ieee80211_iface_limit ath10k_10_4_if_limits[] = { diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c index c4dfc61fc164..4a653915aa5f 100644 --- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c +++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c @@ -1,7 +1,7 @@ /* * Copyright (c) 2005-2011 Atheros Communications Inc. * Copyright (c) 2011-2017 Qualcomm Atheros, Inc. - * Copyright (c) 2018-2019, The Linux Foundation. All rights reserved. + * Copyright (c) 2018-2020, The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -1579,7 +1579,7 @@ static struct sk_buff *ath10k_wmi_tlv_op_gen_init(struct ath10k *ar) cfg->max_frag_entries = __cpu_to_le32(2); cfg->num_tdls_vdevs = __cpu_to_le32(TARGET_TLV_NUM_TDLS_VDEVS); cfg->num_tdls_conn_table_entries = __cpu_to_le32(0x20); - cfg->beacon_tx_offload_max_vdev = __cpu_to_le32(2); + cfg->beacon_tx_offload_max_vdev = __cpu_to_le32(3); cfg->num_multicast_filter_entries = __cpu_to_le32(5); cfg->num_wow_filters = __cpu_to_le32(ar->wow.max_num_patterns); cfg->num_keep_alive_pattern = __cpu_to_le32(6); From 510d31c8fe42a818ccf850a5b8e449b4aa21d03f Mon Sep 17 00:00:00 2001 From: Balaji Pothunoori Date: Thu, 16 Jul 2020 15:16:12 +0530 Subject: [PATCH 071/386] ath10k: fix 4vap iface limit missing New FW enable WMI_SERVICE_VDEV_DIFFERENT_BEACON_INTERVAL_SUPPORT, add ath10k_tlv_if_vap_limit into ath10k_tlv_qcs_bcn_int_if_comb. Tested HW: WCN3990. Change-Id: I181cd7e0918a3a5fec15be9d9474557dec5b0fed Signed-off-by: Zhonglin Zhang Signed-off-by: Balaji Pothunoori --- drivers/net/wireless/ath/ath10k/mac.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c index bd8f0a2d9cd7..25a4ca889b25 100644 --- a/drivers/net/wireless/ath/ath10k/mac.c +++ b/drivers/net/wireless/ath/ath10k/mac.c @@ -8047,6 +8047,14 @@ static struct ieee80211_iface_combination ath10k_tlv_if_comb[] = { .max_interfaces = 2, .n_limits = ARRAY_SIZE(ath10k_tlv_if_limit_ibss), }, + { + .limits = ath10k_tlv_if_vap_limit, + .num_different_channels = 1, + .max_interfaces = 4, + .beacon_int_infra_match = true, + .beacon_int_min_gcd = 1, + .n_limits = ARRAY_SIZE(ath10k_tlv_if_vap_limit), + }, }; static struct ieee80211_iface_combination ath10k_tlv_qcs_if_comb[] = { From c63292f6d43e6e49db0e11fa4897c6a3ab5d7bf3 Mon Sep 17 00:00:00 2001 From: Surabhi Vishnoi Date: Wed, 24 Apr 2019 20:39:31 +0530 Subject: [PATCH 072/386] ath10k: Add mesh point interface creation combination Currently WCN3990 supports 3 concurrent VAP creation. This leads to failure of mesh interface creation in concurrent cases. Add creation of mesh point interface in interface combination if CONFIG_MAC80211_MESH is enabled. Change-Id: I06e1f4c488208e80ab7dd622e35228001d026395 Signed-off-by: Surabhi Vishnoi Signed-off-by: Balaji Pothunoori --- drivers/net/wireless/ath/ath10k/mac.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c index 25a4ca889b25..e9017d8894a8 100644 --- a/drivers/net/wireless/ath/ath10k/mac.c +++ b/drivers/net/wireless/ath/ath10k/mac.c @@ -8027,7 +8027,10 @@ static const struct ieee80211_iface_limit ath10k_tlv_if_vap_limit[] = { }, { .max = 3, - .types = BIT(NL80211_IFTYPE_AP), + .types = BIT(NL80211_IFTYPE_AP) +#ifdef CONFIG_MAC80211_MESH + | BIT(NL80211_IFTYPE_MESH_POINT) +#endif }, }; From 93a6c2dd445316440df0e1f2832379693d6b0cb8 Mon Sep 17 00:00:00 2001 From: snandini Date: Tue, 4 Aug 2020 07:54:21 -0700 Subject: [PATCH 073/386] Release 5.2.03.29W Release 5.2.03.29W Change-Id: I3dac40ebbdce0c4846f3c2b0fb4534eddd1d82eb CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index 3579a10030d8..a05ee01f748e 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "V" +#define QWLAN_VERSION_EXTRA "W" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29V" +#define QWLAN_VERSIONSTR "5.2.03.29W" #endif /* QWLAN_VERSION_H */ From 21e9d894b1f7fa80dba8f41eacc93c365ab6903f Mon Sep 17 00:00:00 2001 From: Meghana Reddy Mula Date: Tue, 4 Aug 2020 21:57:46 +0530 Subject: [PATCH 074/386] drivers: ion: add dma type support Add dma type support for in-kernel ion_alloc. This is to support audio usecases. Change-Id: Ifb367e3c12645faeba4b59d7600d579afbb08c97 Signed-off-by: Meghana Reddy Mula --- drivers/staging/android/ion/ion.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index bc0679ec4d20..6f4b2fd05e12 100644 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -1133,7 +1133,8 @@ struct dma_buf *ion_alloc(size_t len, unsigned int heap_id_mask, heap->type == ION_HEAP_TYPE_CARVEOUT || heap->type == (enum ion_heap_type)ION_HEAP_TYPE_HYP_CMA || heap->type == - (enum ion_heap_type)ION_HEAP_TYPE_SYSTEM_SECURE) { + (enum ion_heap_type)ION_HEAP_TYPE_SYSTEM_SECURE || + heap->type == (enum ion_heap_type)ION_HEAP_TYPE_DMA) { type_valid = true; } else { pr_warn("%s: heap type not supported, type:%d\n", From 39df14285f9ec4dbee227000926c1bd6c03961d5 Mon Sep 17 00:00:00 2001 From: Terence Ho Date: Thu, 30 Jul 2020 14:14:59 -0400 Subject: [PATCH 075/386] msm: ais: stop vfe path on error Stop vfe path on error to avoid system lockup from flood of error logs. Acked-by: Abderahmane Allalou . Change-Id: I56a7659bdddbf1f40270628503aeece677271858 Signed-off-by: Terence Ho --- .../msm/ais/ais_isp/vfe_hw/ais_vfe_core.c | 26 ++++++++++++------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.c b/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.c index f55efb259565..ba06c0774a28 100644 --- a/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.c +++ b/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.c @@ -1101,22 +1101,27 @@ static int ais_vfe_handle_error( if (p_rdi->state != AIS_ISP_RESOURCE_STATE_STREAMING) continue; + CAM_ERR(CAM_ISP, "IFE%d Turn off RDI %d", + core_info->vfe_idx, path); + p_rdi->state = AIS_ISP_RESOURCE_STATE_ERROR; client_regs = &bus_hw_info->bus_client_reg[path]; - /* Disable WM and reg-update */ - cam_io_w_mb(0x0, core_info->mem_base + client_regs->cfg); - cam_io_w_mb(AIS_VFE_REGUP_RDI_ALL, core_info->mem_base + - top_hw_info->common_reg->reg_update_cmd); - cam_io_w_mb((1 << path), core_info->mem_base + - bus_hw_info->common_reg.sw_reset); - core_info->bus_wr_mask1 &= ~(1 << path); cam_io_w_mb(core_info->bus_wr_mask1, core_info->mem_base + bus_hw_irq_regs[1].mask_reg_offset); + /* Disable WM and reg-update */ + cam_io_w_mb(0x0, core_info->mem_base + client_regs->cfg); + cam_io_w_mb(AIS_VFE_REGUP_RDI_ALL, core_info->mem_base + + top_hw_info->common_reg->reg_update_cmd); + + cam_io_w_mb((1 << path), core_info->mem_base + + bus_hw_info->common_reg.sw_reset); + + core_info->event.type = AIS_IFE_MSG_OUTPUT_ERROR; core_info->event.path = path; @@ -1551,9 +1556,10 @@ irqreturn_t ais_vfe_irq(int irq_num, void *data) AIS_VFE_STATUS1_RDI_OVERFLOW_IRQ_SHFT) & AIS_VFE_STATUS1_RDI_OVERFLOW_IRQ_MSK; - CAM_ERR(CAM_ISP, "IFE%d Overflow 0x%x", - core_info->vfe_idx, - work_data.path); + CAM_ERR_RATE_LIMIT(CAM_ISP, + "IFE%d Overflow 0x%x", + core_info->vfe_idx, + work_data.path); work_data.evt_type = AIS_VFE_HW_IRQ_EVENT_ERROR; ais_vfe_dispatch_irq(vfe_hw, &work_data); } From 908ea794224d9f4b614fa1ac77bb3f80b4862b6d Mon Sep 17 00:00:00 2001 From: Srikanth Marepalli Date: Wed, 22 Jul 2020 02:24:52 +0530 Subject: [PATCH 076/386] qcacld-3.0: Parse FTIE with MIC length 24 for SHA384 AKMs The commit I5aa50145fcd3ba91b1c92d4817b7f0e4fc216e3f has missed some changes in 2.0.3 driver, as the propagation did not included all the required mainline changes. And due to the missing change the FT-SuiteB roam fails. This fix brings in the missing changes that was part of this mainline commit. For SHA384 based AKMs, add changes to reparse the association/reassociation response FT element. Introduce new FTIE structure with MIC defined as array of 24 bytes. With this, the R0KH-ID and R1KH-ID will be populated correctly in to the assoc response structure and ultimately RSO command will carry the right R0KH-ID to firmware. Change-Id: I483652d083f13bb7ce058fe487bd6f04f26a87c2 CRs-Fixed: 2747599 --- .../src/sys/legacy/src/utils/src/parser_api.c | 50 +++++++++++++++---- 1 file changed, 40 insertions(+), 10 deletions(-) diff --git a/core/mac/src/sys/legacy/src/utils/src/parser_api.c b/core/mac/src/sys/legacy/src/utils/src/parser_api.c index d8cac206e072..72e4c43930aa 100644 --- a/core/mac/src/sys/legacy/src/utils/src/parser_api.c +++ b/core/mac/src/sys/legacy/src/utils/src/parser_api.c @@ -3080,12 +3080,16 @@ QDF_STATUS wlan_parse_ftie_sha384(uint8_t *frame, uint32_t frame_len, QDF_STATUS sir_convert_assoc_resp_frame2_struct(tpAniSirGlobal pMac, tpPESession session_entry, - uint8_t *pFrame, uint32_t nFrame, + u8 *frame, u32 frame_len, tpSirAssocRsp pAssocRsp) { tDot11fAssocResponse *ar; - uint32_t status; + enum ani_akm_type auth_type; + u32 status, ie_len; + QDF_STATUS qdf_status; uint8_t cnt = 0; + bool sha384_akm; + u8 *ie_ptr; ar = qdf_mem_malloc(sizeof(*ar)); if (!ar) { @@ -3096,7 +3100,7 @@ sir_convert_assoc_resp_frame2_struct(tpAniSirGlobal pMac, /* decrypt the cipher text using AEAD decryption */ if (lim_is_fils_connection(session_entry)) { status = aead_decrypt_assoc_rsp(pMac, session_entry, - ar, pFrame, &nFrame); + ar, frame, &frame_len); if (!QDF_IS_STATUS_SUCCESS(status)) { pe_err("FILS assoc rsp AEAD decrypt fails"); qdf_mem_free(ar); @@ -3104,13 +3108,12 @@ sir_convert_assoc_resp_frame2_struct(tpAniSirGlobal pMac, } } - status = dot11f_parse_assoc_response(pMac, pFrame, nFrame, ar, false); + status = dot11f_parse_assoc_response(pMac, frame, frame_len, ar, false); if (QDF_STATUS_SUCCESS != status) { qdf_mem_free(ar); return status; } - /* Capabilities */ pAssocRsp->capabilityInfo.ess = ar->Capabilities.ess; pAssocRsp->capabilityInfo.ibss = ar->Capabilities.ibss; @@ -3195,13 +3198,40 @@ sir_convert_assoc_resp_frame2_struct(tpAniSirGlobal pMac, (unsigned int)pAssocRsp->mdie[2]); } - if (ar->FTInfo.present) { - pe_debug("FT Info present %d %d %d", - ar->FTInfo.R0KH_ID.num_PMK_R0_ID, - ar->FTInfo.R0KH_ID.present, ar->FTInfo.R1KH_ID.present); + /* + * If the connection is based on SHA384 AKM suite, + * then the length of MIC is 24 bytes, but frame parser + * has FTIE MIC of 16 bytes only. This results in parsing FTIE + * failure and R0KH and R1KH are not sent to firmware over RSO + * command. Frame parser doesn't have + * info on the connected AKM. So parse the FTIE again if + * AKM is sha384 based and extract the R0KH and R1KH using the new + * parsing logic. + */ + auth_type = session_entry->connected_akm; + sha384_akm = lim_is_sha384_akm(auth_type); + if (sha384_akm) { + ie_ptr = frame + FIXED_PARAM_OFFSET_ASSOC_RSP; + ie_len = frame_len - FIXED_PARAM_OFFSET_ASSOC_RSP; + qdf_status = wlan_parse_ftie_sha384(ie_ptr, ie_len, pAssocRsp); + if (QDF_IS_STATUS_ERROR(qdf_status)) { + pe_err("FT IE parsing failed status:%d", status); + } else { + pe_debug("FT: R0KH present:%d len:%d R1KH present%d", + pAssocRsp->sha384_ft_subelem.r0kh_id.present, + pAssocRsp-> + sha384_ft_subelem.r0kh_id.num_PMK_R0_ID, + pAssocRsp->sha384_ft_subelem.r1kh_id.present); + ar->FTInfo.present = false; + } + } else if (ar->FTInfo.present) { + pe_debug("FT: R0KH present:%d, len:%d R1KH present:%d", + ar->FTInfo.R0KH_ID.present, + ar->FTInfo.R0KH_ID.num_PMK_R0_ID, + ar->FTInfo.R1KH_ID.present); pAssocRsp->ftinfoPresent = 1; qdf_mem_copy(&pAssocRsp->FTInfo, &ar->FTInfo, - sizeof(tDot11fIEFTInfo)); + sizeof(tDot11fIEFTInfo)); } if (ar->num_RICDataDesc && ar->num_RICDataDesc <= 2) { From 27ed32c27dfa7266c269778df00835da9b8374b2 Mon Sep 17 00:00:00 2001 From: snandini Date: Tue, 4 Aug 2020 15:47:56 -0700 Subject: [PATCH 077/386] Release 5.2.03.29X Release 5.2.03.29X Change-Id: I2f2c56ba275cb802b7c54f7befce373c0f345fb4 CRs-Fixed: 774533 --- core/mac/inc/qwlan_version.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mac/inc/qwlan_version.h b/core/mac/inc/qwlan_version.h index a05ee01f748e..0c905b94a313 100644 --- a/core/mac/inc/qwlan_version.h +++ b/core/mac/inc/qwlan_version.h @@ -32,9 +32,9 @@ #define QWLAN_VERSION_MAJOR 5 #define QWLAN_VERSION_MINOR 2 #define QWLAN_VERSION_PATCH 03 -#define QWLAN_VERSION_EXTRA "W" +#define QWLAN_VERSION_EXTRA "X" #define QWLAN_VERSION_BUILD 29 -#define QWLAN_VERSIONSTR "5.2.03.29W" +#define QWLAN_VERSIONSTR "5.2.03.29X" #endif /* QWLAN_VERSION_H */ From cc698efe13fc38df10b9b7684ac023888345f03b Mon Sep 17 00:00:00 2001 From: Jay Jayanna Date: Tue, 4 Aug 2020 15:50:33 -0700 Subject: [PATCH 078/386] dt-bindings: net: qrtr: Add Ethernet Device transport bindings The QRTR Ethernet driver acts as a transport driver for a device that is configured as an ethernet endpoint. Document the bindings for this qrtr transport. This is dependent on the QTI Ethernet adaption module to enable communication using ethernet. Change-Id: Ib96ee45d89a8aef2211233a18d04fb643bb00e14 Signed-off-by: Jay Jayanna --- .../bindings/net/qrtr-ethernet-dev.txt | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 Documentation/devicetree/bindings/net/qrtr-ethernet-dev.txt diff --git a/Documentation/devicetree/bindings/net/qrtr-ethernet-dev.txt b/Documentation/devicetree/bindings/net/qrtr-ethernet-dev.txt new file mode 100644 index 000000000000..94b9f9fd3374 --- /dev/null +++ b/Documentation/devicetree/bindings/net/qrtr-ethernet-dev.txt @@ -0,0 +1,30 @@ +QTI QRTR Ethernet Device transport binding + +- compatible: + Usage: required + Value type: + Definition: must be "qcom,qrtr-ethernet-dev" + +- qcom,net-id: + Usage: optional + Value type: + Definition: indicates what subnet this transport belongs to. Should be + passed into the qrtr core logic to determine if forwarding + is needed on this endpoint. + +- qcom,low-latency: + Usage: optional + Value type: + Definition: indicates whether this transport receiving thread needs to + be set to realtime priority for enhanced performance. + += EXAMPLE +The following example represents the qrtr ethernet dev transport node on a +device configured as an ethernet endpoint and needs to forward data from the +host to a modem co-processor. + + qcom,eth_dev_qrtr { + compatible = "qcom,qrtr-ethernet-dev"; + qcom,net-id = <4>; + qcom,low-latency; + }; From 84ab351eae884efb8fdafd253aab9ca723711994 Mon Sep 17 00:00:00 2001 From: Jay Jayanna Date: Tue, 4 Aug 2020 12:32:57 -0700 Subject: [PATCH 079/386] ARM: dts: msm: Add qrtr ethernet entry for sa2150p Add entry in devicetree for qrtr ethernet driver for sa2150p target. Change-Id: I85aa038202e9466ce427815d7d582c06125e481e Signed-off-by: Jay Jayanna --- arch/arm64/boot/dts/qcom/qcs405.dtsi | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/qcs405.dtsi b/arch/arm64/boot/dts/qcom/qcs405.dtsi index dfbb2146b1c9..847ac8d0b647 100644 --- a/arch/arm64/boot/dts/qcom/qcs405.dtsi +++ b/arch/arm64/boot/dts/qcom/qcs405.dtsi @@ -962,6 +962,11 @@ qcom,proc-img-to-load = "cdsp"; }; + qcom,eth_dev_qrtr { + compatible = "qcom,qrtr-ethernet-dev"; + qcom,low-latency; + }; + qcom,glink { compatible = "qcom,glink"; #address-cells = <1>; From 97666df8723a4672c5839b6e1e446e1e8f8d2276 Mon Sep 17 00:00:00 2001 From: Jay Jayanna Date: Fri, 24 Jul 2020 18:37:57 -0700 Subject: [PATCH 080/386] ARM: dts: msm: Add qrtr ethernet entry for sa515m Add entry in devicetree for qrtr ethernet driver for sa515m target. Change-Id: I6d44e968342b75ddee481c283ed2ffad2f06e963 Signed-off-by: Jay Jayanna --- arch/arm64/boot/dts/qcom/sdxprairie.dtsi | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/sdxprairie.dtsi b/arch/arm64/boot/dts/qcom/sdxprairie.dtsi index e2327a27c58e..4f25c7df5eaa 100644 --- a/arch/arm64/boot/dts/qcom/sdxprairie.dtsi +++ b/arch/arm64/boot/dts/qcom/sdxprairie.dtsi @@ -704,6 +704,12 @@ qcom,net-id = <3>; }; + eth_dev_qrtr: qcom,eth_dev_qrtr { + compatible = "qcom,qrtr-ethernet-dev"; + qcom,net-id = <4>; + qcom,low-latency; + }; + qcom,glinkpkt { compatible = "qcom,glinkpkt"; From cd883925d2309e809eab247941c1e3b6c2a6f207 Mon Sep 17 00:00:00 2001 From: Pavankumar Vijapur Date: Mon, 3 Aug 2020 12:07:06 +0530 Subject: [PATCH 081/386] defconfig: sa2150p-nand: Enable STMMAC driver Enable STMMAC driver for EMAC HW. Change-Id: Ibb7ef3dd27c1a51c6643fbcbdc2cbe84b63b6f11 Signed-off-by: Pavankumar Vijapur --- arch/arm64/configs/vendor/sa2150p-nand-perf_defconfig | 4 +++- arch/arm64/configs/vendor/sa2150p-nand_defconfig | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/arch/arm64/configs/vendor/sa2150p-nand-perf_defconfig b/arch/arm64/configs/vendor/sa2150p-nand-perf_defconfig index 8949cf9519a0..f82beb43c771 100644 --- a/arch/arm64/configs/vendor/sa2150p-nand-perf_defconfig +++ b/arch/arm64/configs/vendor/sa2150p-nand-perf_defconfig @@ -238,6 +238,9 @@ CONFIG_DM_VERITY_FEC=y CONFIG_NETDEVICES=y CONFIG_DUMMY=y CONFIG_TUN=y +CONFIG_STMMAC_ETH=y +# CONFIG_DWMAC_GENERIC is not set +# CONFIG_DWMAC_IPQ806X is not set CONFIG_AT803X_PHY=y CONFIG_MICREL_PHY=y CONFIG_PPP=y @@ -280,7 +283,6 @@ CONFIG_SPMI=y CONFIG_SLIMBUS=y CONFIG_SLIMBUS_MSM_NGD=y CONFIG_PPS_CLIENT_GPIO=y -CONFIG_PTP_1588_CLOCK=y CONFIG_PINCTRL_QCS405=y CONFIG_FRAGMENTED_GPIO_ADDRESS_SPACE=y CONFIG_PINCTRL_QCOM_SPMI_PMIC=y diff --git a/arch/arm64/configs/vendor/sa2150p-nand_defconfig b/arch/arm64/configs/vendor/sa2150p-nand_defconfig index 1f8ddc2423f6..34ef8a6dc0ac 100644 --- a/arch/arm64/configs/vendor/sa2150p-nand_defconfig +++ b/arch/arm64/configs/vendor/sa2150p-nand_defconfig @@ -244,6 +244,9 @@ CONFIG_DM_VERITY_FEC=y CONFIG_NETDEVICES=y CONFIG_DUMMY=y CONFIG_TUN=y +CONFIG_STMMAC_ETH=y +# CONFIG_DWMAC_GENERIC is not set +# CONFIG_DWMAC_IPQ806X is not set CONFIG_AT803X_PHY=y CONFIG_MICREL_PHY=y CONFIG_PPP=y @@ -290,7 +293,6 @@ CONFIG_SPMI_MSM_PMIC_ARB_DEBUG=y CONFIG_SLIMBUS=y CONFIG_SLIMBUS_MSM_NGD=y CONFIG_PPS_CLIENT_GPIO=y -CONFIG_PTP_1588_CLOCK=y CONFIG_PINCTRL_QCS405=y CONFIG_FRAGMENTED_GPIO_ADDRESS_SPACE=y CONFIG_PINCTRL_QCOM_SPMI_PMIC=y From 813914455994fab10c34e4eb553b490194db3e80 Mon Sep 17 00:00:00 2001 From: Yimin Peng Date: Wed, 5 Aug 2020 13:28:24 +0800 Subject: [PATCH 082/386] ARM: dts: msm: Add device tree for sa8195 lxc gvm There will be specical devices setting for lxc gvm. Change-Id: If2bbf2d95e559ec42dbf5365160ea593239e8a82 Signed-off-by: Yimin Peng --- arch/arm64/boot/dts/qcom/Makefile | 1 + arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dts | 23 ++++++++ .../arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dtsi | 59 +++++++++++++++++++ 3 files changed, 83 insertions(+) create mode 100644 arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dts create mode 100644 arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dtsi diff --git a/arch/arm64/boot/dts/qcom/Makefile b/arch/arm64/boot/dts/qcom/Makefile index 86523cc11354..05fc49981f1d 100644 --- a/arch/arm64/boot/dts/qcom/Makefile +++ b/arch/arm64/boot/dts/qcom/Makefile @@ -206,6 +206,7 @@ dtb-$(CONFIG_QTI_GVM) += sa8155-vm-la.dtb \ sa8195-vm-la.dtb \ sa8195-vm-la-mt.dtb \ sa8195-vm-lv.dtb \ + sa8195-vm-lv-lxc.dtb \ sa8195-vm-lv-mt.dtb ifeq ($(CONFIG_BUILD_ARM64_DT_OVERLAY),y) diff --git a/arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dts b/arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dts new file mode 100644 index 000000000000..99342867dcbb --- /dev/null +++ b/arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dts @@ -0,0 +1,23 @@ +/* Copyright (c) 2020, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and + * only version 2 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +/dts-v1/; + +#include "sa8195-vm.dtsi" +#include "sa8195-vm-lv-lxc.dtsi" + +/ { + model = "Qualcomm Technologies, Inc. SA8195 Single LV Virtual Machine"; + compatible = "qcom,sa8195p"; + qcom,pmic-name = "PM8195"; + qcom,board-id = <0x1000002 0>; +}; diff --git a/arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dtsi b/arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dtsi new file mode 100644 index 000000000000..d2eceb74af93 --- /dev/null +++ b/arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dtsi @@ -0,0 +1,59 @@ +/* Copyright (c) 2020, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and + * only version 2 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +/ { + reserved_memory: reserved-memory { + + pmem_shared: pmem_shared_region@a0000000 { + reg = <0x0 0xa0000000 0x0 0x20000000>; + label = "pmem_shared_mem"; + }; + }; + +}; + +&hab { + vmid = <3>; +}; + +&slpi_tlmm { + status = "ok"; +}; + +&apps_smmu { + status = "ok"; +}; + +&qupv3_se13_4uart { + status = "ok"; +}; + +&usb0 { + status = "ok"; +}; + +&usb2_phy0 { + status = "ok"; +}; + +&pcie0_msi { + status = "ok"; +}; + +&pcie0 { + status = "ok"; +}; + +&sde_kms_hyp { + /delete-property/ qcom,client-id; + qcom,client-id = "7816"; +}; From e7be522d8ee9b638cb410a9fda9257c087c207e6 Mon Sep 17 00:00:00 2001 From: Dundi Raviteja Date: Wed, 5 Aug 2020 12:25:23 +0530 Subject: [PATCH 083/386] defconfig: Disable CONFIG_CNSS_GENL for sdm429 CONFIG_CNSS_GENL is not needed for sdm429 target, hence disable it. Change-Id: Ie30d203a004858653bccb866ce0253f006ab7084 CRs-Fixed: 2750248 Signed-off-by: Dundi Raviteja --- arch/arm/configs/vendor/sdm429-bg-perf_defconfig | 1 - arch/arm/configs/vendor/sdm429-bg_defconfig | 1 - 2 files changed, 2 deletions(-) diff --git a/arch/arm/configs/vendor/sdm429-bg-perf_defconfig b/arch/arm/configs/vendor/sdm429-bg-perf_defconfig index f412e97df448..496ca6a531e8 100644 --- a/arch/arm/configs/vendor/sdm429-bg-perf_defconfig +++ b/arch/arm/configs/vendor/sdm429-bg-perf_defconfig @@ -299,7 +299,6 @@ CONFIG_USB_USBNET=y CONFIG_WIL6210=m CONFIG_WCNSS_MEM_PRE_ALLOC=y CONFIG_CLD_LL_CORE=y -CONFIG_CNSS_GENL=y CONFIG_INPUT_EVDEV=y CONFIG_KEYBOARD_GPIO=y # CONFIG_INPUT_MOUSE is not set diff --git a/arch/arm/configs/vendor/sdm429-bg_defconfig b/arch/arm/configs/vendor/sdm429-bg_defconfig index 11011eee9bed..b0312ba13617 100644 --- a/arch/arm/configs/vendor/sdm429-bg_defconfig +++ b/arch/arm/configs/vendor/sdm429-bg_defconfig @@ -305,7 +305,6 @@ CONFIG_USB_RTL8152=y CONFIG_USB_USBNET=y CONFIG_WCNSS_MEM_PRE_ALLOC=y CONFIG_CLD_LL_CORE=y -CONFIG_CNSS_GENL=y CONFIG_INPUT_EVDEV=y CONFIG_KEYBOARD_GPIO=y # CONFIG_INPUT_MOUSE is not set From 1f563723a5ab3ae8b92bf08f6400aa6b7c551860 Mon Sep 17 00:00:00 2001 From: Sayali Lokhande Date: Wed, 5 Aug 2020 12:36:30 +0530 Subject: [PATCH 084/386] defconfig: Enable Incremental FS support for trinket This change enables Incremental FS support on trinket as required for Android R. Change-Id: I39b721721a19459fef28ce97f21517d423998df2 Signed-off-by: Sayali Lokhande --- arch/arm64/configs/vendor/trinket-perf_defconfig | 1 + arch/arm64/configs/vendor/trinket_defconfig | 1 + 2 files changed, 2 insertions(+) diff --git a/arch/arm64/configs/vendor/trinket-perf_defconfig b/arch/arm64/configs/vendor/trinket-perf_defconfig index 1af661907f0e..3891bdbf2e1d 100644 --- a/arch/arm64/configs/vendor/trinket-perf_defconfig +++ b/arch/arm64/configs/vendor/trinket-perf_defconfig @@ -644,6 +644,7 @@ CONFIG_QUOTA_NETLINK_INTERFACE=y CONFIG_QFMT_V2=y CONFIG_FUSE_FS=y CONFIG_OVERLAY_FS=y +CONFIG_INCREMENTAL_FS=y CONFIG_MSDOS_FS=y CONFIG_VFAT_FS=y CONFIG_TMPFS_POSIX_ACL=y diff --git a/arch/arm64/configs/vendor/trinket_defconfig b/arch/arm64/configs/vendor/trinket_defconfig index 26e416621815..f6bbfab6f5f9 100644 --- a/arch/arm64/configs/vendor/trinket_defconfig +++ b/arch/arm64/configs/vendor/trinket_defconfig @@ -676,6 +676,7 @@ CONFIG_QUOTA_NETLINK_INTERFACE=y CONFIG_QFMT_V2=y CONFIG_FUSE_FS=y CONFIG_OVERLAY_FS=y +CONFIG_INCREMENTAL_FS=y CONFIG_MSDOS_FS=y CONFIG_VFAT_FS=y CONFIG_TMPFS_POSIX_ACL=y From 5c5a7defb722f25c95d2200819d9ef804bfaf04f Mon Sep 17 00:00:00 2001 From: Paul Lawrence Date: Wed, 8 Apr 2020 10:10:53 -0700 Subject: [PATCH 085/386] ANDROID: Incremental fs: Clean up incfs_test build process Bug: 153557975 Test: incfs_test passes Signed-off-by: Paul Lawrence Change-Id: I57eef43a5d003e3d89a4c872d21e36376bc580a1 Git-repo: https://android.googlesource.com/kernel/common Git-commit: 3aee2b945b401a92b81d4b8c4f47fd990f644c4f Signed-off-by: Srinivasarao P --- .../selftests/filesystems/incfs/Makefile | 17 ++---- .../selftests/filesystems/incfs/config | 1 - .../selftests/filesystems/incfs/incfs_test.c | 52 ++++++++++--------- .../selftests/filesystems/incfs/utils.c | 28 +++++----- .../selftests/filesystems/incfs/utils.h | 2 +- 5 files changed, 48 insertions(+), 52 deletions(-) delete mode 100644 tools/testing/selftests/filesystems/incfs/config diff --git a/tools/testing/selftests/filesystems/incfs/Makefile b/tools/testing/selftests/filesystems/incfs/Makefile index 1f13573d3617..5b2e627ce883 100644 --- a/tools/testing/selftests/filesystems/incfs/Makefile +++ b/tools/testing/selftests/filesystems/incfs/Makefile @@ -1,18 +1,11 @@ # SPDX-License-Identifier: GPL-2.0 -CFLAGS += -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -Wall -lssl -lcrypto -llz4 -CFLAGS += -I../../../../../usr/include/ -CFLAGS += -I../../../../include/uapi/ -CFLAGS += -I../../../../lib +CFLAGS += -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -Wall +CFLAGS += -I../.. -I../../../../.. +LDLIBS := -llz4 -lcrypto EXTRA_SOURCES := utils.c -CFLAGS += $(EXTRA_SOURCES) - TEST_GEN_PROGS := incfs_test +$(TEST_GEN_PROGS): $(EXTRA_SOURCES) + include ../../lib.mk - -$(OUTPUT)incfs_test: incfs_test.c $(EXTRA_SOURCES) -all: $(OUTPUT)incfs_test - -clean: - rm -rf $(OUTPUT)incfs_test *.o diff --git a/tools/testing/selftests/filesystems/incfs/config b/tools/testing/selftests/filesystems/incfs/config deleted file mode 100644 index b6749837a318..000000000000 --- a/tools/testing/selftests/filesystems/incfs/config +++ /dev/null @@ -1 +0,0 @@ -CONFIG_INCREMENTAL_FS=y \ No newline at end of file diff --git a/tools/testing/selftests/filesystems/incfs/incfs_test.c b/tools/testing/selftests/filesystems/incfs/incfs_test.c index 527092853847..6809399eac97 100644 --- a/tools/testing/selftests/filesystems/incfs/incfs_test.c +++ b/tools/testing/selftests/filesystems/incfs/incfs_test.c @@ -2,27 +2,29 @@ /* * Copyright 2018 Google LLC */ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include #include -#include -#include +#include +#include +#include +#include #include #include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + #include #include -#include "../../kselftest.h" +#include -#include "lz4.h" #include "utils.h" #define TEST_FAILURE 1 @@ -208,7 +210,7 @@ int open_file_by_id(const char *mnt_dir, incfs_uuid_t id, bool use_ioctl) { char *path = get_index_filename(mnt_dir, id); int cmd_fd = open_commands_file(mnt_dir); - int fd = open(path, O_RDWR); + int fd = open(path, O_RDWR | O_CLOEXEC); struct incfs_permit_fill permit_fill = { .file_descriptor = fd, }; @@ -281,7 +283,7 @@ static int emit_test_blocks(char *mnt_dir, struct test_file *file, .fill_blocks = ptr_to_u64(block_buf), }; ssize_t write_res = 0; - int fd; + int fd = -1; int error = 0; int i = 0; int blocks_written = 0; @@ -444,7 +446,7 @@ static loff_t read_whole_file(char *filename) loff_t bytes_read = 0; uint8_t buff[16 * 1024]; - fd = open(filename, O_RDONLY); + fd = open(filename, O_RDONLY | O_CLOEXEC); if (fd <= 0) return fd; @@ -476,7 +478,7 @@ static int read_test_file(uint8_t *buf, size_t len, char *filename, size_t bytes_to_read = len; off_t offset = ((off_t)block_idx) * INCFS_DATA_FILE_BLOCK_SIZE; - fd = open(filename, O_RDONLY); + fd = open(filename, O_RDONLY | O_CLOEXEC); if (fd <= 0) return fd; @@ -909,7 +911,7 @@ static bool iterate_directory(char *dir_to_iterate, bool root, int file_count) int i; /* Test directory iteration */ - int fd = open(dir_to_iterate, O_RDONLY | O_DIRECTORY); + int fd = open(dir_to_iterate, O_RDONLY | O_DIRECTORY | O_CLOEXEC); if (fd < 0) { print_error("Can't open directory\n"); @@ -1110,7 +1112,7 @@ static int basic_file_ops_test(char *mount_dir) char *path = concat_file_name(mount_dir, file->name); int fd; - fd = open(path, O_RDWR); + fd = open(path, O_RDWR | O_CLOEXEC); free(path); if (fd <= 0) { print_error("Can't open file"); @@ -1946,7 +1948,7 @@ static int validate_logs(char *mount_dir, int log_fd, struct test_file *file, char *filename = concat_file_name(mount_dir, file->name); int fd; - fd = open(filename, O_RDONLY); + fd = open(filename, O_RDONLY | O_CLOEXEC); free(filename); if (fd <= 0) return TEST_FAILURE; @@ -2178,7 +2180,7 @@ static int read_log_test(char *mount_dir) /* * Remount and check that logs start working again */ - drop_caches = open("/proc/sys/vm/drop_caches", O_WRONLY); + drop_caches = open("/proc/sys/vm/drop_caches", O_WRONLY | O_CLOEXEC); if (drop_caches == -1) goto failure; i = write(drop_caches, "3", 1); @@ -2268,7 +2270,7 @@ static int validate_ranges(const char *mount_dir, struct test_file *file) int cmd_fd = -1; struct incfs_permit_fill permit_fill; - fd = open(filename, O_RDONLY); + fd = open(filename, O_RDONLY | O_CLOEXEC); free(filename); if (fd <= 0) return TEST_FAILURE; @@ -2506,7 +2508,7 @@ static int validate_hash_ranges(const char *mount_dir, struct test_file *file) if (file->size <= 4096 / 32 * 4096) return 0; - fd = open(filename, O_RDONLY); + fd = open(filename, O_RDONLY | O_CLOEXEC); free(filename); if (fd <= 0) return TEST_FAILURE; @@ -2700,7 +2702,7 @@ int main(int argc, char *argv[]) // NOTE - this abuses the concept of randomness - do *not* ever do this // on a machine for production use - the device will think it has good // randomness when it does not. - fd = open("/dev/urandom", O_WRONLY); + fd = open("/dev/urandom", O_WRONLY | O_CLOEXEC); count = 4096; for (int i = 0; i < 128; ++i) ioctl(fd, RNDADDTOENTCNT, &count); diff --git a/tools/testing/selftests/filesystems/incfs/utils.c b/tools/testing/selftests/filesystems/incfs/utils.c index 545497685d14..e194f63ba922 100644 --- a/tools/testing/selftests/filesystems/incfs/utils.c +++ b/tools/testing/selftests/filesystems/incfs/utils.c @@ -2,27 +2,29 @@ /* * Copyright 2018 Google LLC */ -#include -#include #include -#include -#include +#include #include +#include +#include +#include +#include #include + #include #include -#include -#include -#include -#include -#include -#include -#include +#include +#include + #include #include #include "utils.h" +#ifndef __S_IFREG +#define __S_IFREG S_IFREG +#endif + int mount_fs(const char *mount_dir, const char *backing_dir, int read_timeout_ms) { @@ -184,7 +186,7 @@ int open_commands_file(const char *mount_dir) snprintf(cmd_file, ARRAY_SIZE(cmd_file), "%s/%s", mount_dir, INCFS_PENDING_READS_FILENAME); - cmd_fd = open(cmd_file, O_RDONLY); + cmd_fd = open(cmd_file, O_RDONLY | O_CLOEXEC); if (cmd_fd < 0) perror("Can't open commands file"); @@ -197,7 +199,7 @@ int open_log_file(const char *mount_dir) int cmd_fd; snprintf(cmd_file, ARRAY_SIZE(cmd_file), "%s/.log", mount_dir); - cmd_fd = open(cmd_file, O_RDWR); + cmd_fd = open(cmd_file, O_RDWR | O_CLOEXEC); if (cmd_fd < 0) perror("Can't open log file"); return cmd_fd; diff --git a/tools/testing/selftests/filesystems/incfs/utils.h b/tools/testing/selftests/filesystems/incfs/utils.h index 24b43287fcdd..9af63e4e922c 100644 --- a/tools/testing/selftests/filesystems/incfs/utils.h +++ b/tools/testing/selftests/filesystems/incfs/utils.h @@ -5,7 +5,7 @@ #include #include -#include "../../include/uapi/linux/incrementalfs.h" +#include #define ARRAY_SIZE(arr) (sizeof(arr) / sizeof(arr[0])) From 9c52e6cfa6574620d90a8f3ebc2cd62d5f51a9e2 Mon Sep 17 00:00:00 2001 From: Pavankumar Vijapur Date: Wed, 5 Aug 2020 16:26:54 +0530 Subject: [PATCH 086/386] defconfig: sa2150p-nand: Enable SPIDEV driver Enable SPIDEV driver for HSM based use cases. Change-Id: I8b4577aaa71fa009b74b55802e9830e4fac07e21 Signed-off-by: Pavankumar Vijapur --- arch/arm64/configs/vendor/sa2150p-nand-perf_defconfig | 1 + arch/arm64/configs/vendor/sa2150p-perf_defconfig | 1 + 2 files changed, 2 insertions(+) diff --git a/arch/arm64/configs/vendor/sa2150p-nand-perf_defconfig b/arch/arm64/configs/vendor/sa2150p-nand-perf_defconfig index f82beb43c771..cd9423f0a52a 100644 --- a/arch/arm64/configs/vendor/sa2150p-nand-perf_defconfig +++ b/arch/arm64/configs/vendor/sa2150p-nand-perf_defconfig @@ -279,6 +279,7 @@ CONFIG_I2C_MUX=y CONFIG_I2C_MSM_V2=y CONFIG_SPI=y CONFIG_SPI_QUP=y +CONFIG_SPI_SPIDEV=y CONFIG_SPMI=y CONFIG_SLIMBUS=y CONFIG_SLIMBUS_MSM_NGD=y diff --git a/arch/arm64/configs/vendor/sa2150p-perf_defconfig b/arch/arm64/configs/vendor/sa2150p-perf_defconfig index c0a089b14414..e1e518583dcf 100644 --- a/arch/arm64/configs/vendor/sa2150p-perf_defconfig +++ b/arch/arm64/configs/vendor/sa2150p-perf_defconfig @@ -290,6 +290,7 @@ CONFIG_I2C_MUX=y CONFIG_I2C_MSM_V2=y CONFIG_SPI=y CONFIG_SPI_QUP=y +CONFIG_SPI_SPIDEV=y CONFIG_SPMI=y CONFIG_SLIMBUS_MSM_NGD=y CONFIG_PPS_CLIENT_GPIO=y From 22720b7169bafb6e9834ff6f859cd168f78ff6b5 Mon Sep 17 00:00:00 2001 From: Sneh Shah Date: Mon, 4 May 2020 12:10:00 +0530 Subject: [PATCH 087/386] net: stmmac: Reset mmc counters on read Reset mmc counters on read to fix wrong stats in ethtool. Change-Id: I572be9a3913f96e1feb5a845ee17a17e73be6262 Signed-off-by: Sneh Shah --- drivers/net/ethernet/stmicro/stmmac/stmmac.h | 2 ++ drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 3 +++ 2 files changed, 5 insertions(+) diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac.h b/drivers/net/ethernet/stmicro/stmmac/stmmac.h index 0b2b4cbb26cc..8da3f4c8a533 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h @@ -175,6 +175,8 @@ extern struct stmmac_emb_smmu_cb_ctx stmmac_emb_smmu_ctx; #define MICREL_PHY_ID 0x00221620 +#define MMC_CONFIG 0x24 + int ethqos_handle_prv_ioctl(struct net_device *dev, struct ifreq *rq, int cmd); int ethqos_init_pps(struct stmmac_priv *priv); diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c index 8875bfcdde16..39d9c2e4a3bf 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c @@ -544,6 +544,9 @@ static void stmmac_get_ethtool_stats(struct net_device *dev, u32 tx_queues_count = priv->plat->tx_queues_to_use; int i, j = 0; + /* enable reset on read for mmc counter */ + writel_relaxed(MMC_CONFIG, priv->mmcaddr); + /* Update the DMA HW counters for dwmac10/100 */ if (priv->hw->dma->dma_diagnostic_fr) priv->hw->dma->dma_diagnostic_fr(&dev->stats, From 0298a5d40809d15caa93880258fe9d0999d30f31 Mon Sep 17 00:00:00 2001 From: Chaoli Zhou Date: Tue, 4 Aug 2020 16:51:35 +0800 Subject: [PATCH 088/386] ARM: dts: msm: Increasing the CMA size Since dual wlan cards attach take up more than 30M DMA contiguous memory, so increasing the CMA size to fix calling dma_alloc_coherent failure issue from wlanhost driver side. Change-Id: Iae43f0654d4400a9cde884809f565d2e9011267b Signed-off-by: Chaoli Zhou --- arch/arm64/boot/dts/qcom/sdmshrike.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/qcom/sdmshrike.dtsi b/arch/arm64/boot/dts/qcom/sdmshrike.dtsi index d417ff891224..0dc703237e77 100644 --- a/arch/arm64/boot/dts/qcom/sdmshrike.dtsi +++ b/arch/arm64/boot/dts/qcom/sdmshrike.dtsi @@ -719,7 +719,7 @@ alloc-ranges = <0x0 0x00000000 0x0 0xffffffff>; reusable; alignment = <0x0 0x400000>; - size = <0x0 0x2800000>; + size = <0x0 0x3c00000>; linux,cma-default; }; }; From abb512e3066f519873e7d2c483e25d5804450d71 Mon Sep 17 00:00:00 2001 From: Ashok Vuyyuru Date: Wed, 5 Aug 2020 19:17:30 +0530 Subject: [PATCH 089/386] msm: ipa3: Fix to save the ntn buffers in SMMU disabled case Not able to unmap the buffers due not saving data buffers when SMMU disabled on EMAC side. Adding changes to save the data buffer list in EMAC SMMU disabled case also. Change-Id: Ia22110b450477927c35942f2161c2730086da892 Signed-off-by: Ashok Vuyyuru --- .../msm/ipa/ipa_clients/ipa_uc_offload.c | 24 ++++++++----------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/drivers/platform/msm/ipa/ipa_clients/ipa_uc_offload.c b/drivers/platform/msm/ipa/ipa_clients/ipa_uc_offload.c index 7090b63f4cc3..67ed1fd76347 100644 --- a/drivers/platform/msm/ipa/ipa_clients/ipa_uc_offload.c +++ b/drivers/platform/msm/ipa/ipa_clients/ipa_uc_offload.c @@ -540,20 +540,16 @@ int ipa_uc_ntn_conn_pipes(struct ipa_ntn_conn_in_params *inp, goto fail; } - if (ntn_ctx->conn.dl.smmu_enabled) { - result = ipa_uc_ntn_alloc_conn_smmu_info(&ntn_ctx->conn.dl, - &inp->dl); - if (result) { - IPA_UC_OFFLOAD_ERR("alloc failure on TX\n"); - goto fail; - } - result = ipa_uc_ntn_alloc_conn_smmu_info(&ntn_ctx->conn.ul, - &inp->ul); - if (result) { - ipa_uc_ntn_free_conn_smmu_info(&ntn_ctx->conn.dl); - IPA_UC_OFFLOAD_ERR("alloc failure on RX\n"); - goto fail; - } + result = ipa_uc_ntn_alloc_conn_smmu_info(&ntn_ctx->conn.dl, &inp->dl); + if (result) { + IPA_UC_OFFLOAD_ERR("alloc failure on TX\n"); + goto fail; + } + result = ipa_uc_ntn_alloc_conn_smmu_info(&ntn_ctx->conn.ul, &inp->ul); + if (result) { + ipa_uc_ntn_free_conn_smmu_info(&ntn_ctx->conn.dl); + IPA_UC_OFFLOAD_ERR("alloc failure on RX\n"); + goto fail; } fail: From 340f78152e3d8e07431b33f0412a9d5061d4284f Mon Sep 17 00:00:00 2001 From: Om Parkash Date: Tue, 23 Jun 2020 14:03:29 +0530 Subject: [PATCH 090/386] jpeg: Add DMA driver implementation Add code to fill register settings and IRQ handler code for JPEG DMA. Change-Id: I67eba471e3205e94d3e8de5e9bab4be8c352fb6a Signed-off-by: Om Parkash --- .../camera/cam_jpeg/jpeg_hw/cam_jpeg_hw_mgr.c | 198 +++++++++----- .../camera/cam_jpeg/jpeg_hw/cam_jpeg_hw_mgr.h | 4 +- .../cam_jpeg_dma_hw_info_ver_4_2_0.h | 53 ++++ .../jpeg_hw/jpeg_dma_hw/jpeg_dma_core.c | 242 +++++++++++++++++- .../jpeg_hw/jpeg_dma_hw/jpeg_dma_core.h | 41 ++- .../jpeg_hw/jpeg_dma_hw/jpeg_dma_dev.c | 17 +- .../jpeg_hw/jpeg_enc_hw/jpeg_enc_core.c | 4 +- .../jpeg_hw/jpeg_enc_hw/jpeg_enc_dev.c | 4 +- 8 files changed, 471 insertions(+), 92 deletions(-) create mode 100644 drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/cam_jpeg_dma_hw_info_ver_4_2_0.h diff --git a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/cam_jpeg_hw_mgr.c b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/cam_jpeg_hw_mgr.c index ae26f61d717a..0b5855a9c28f 100644 --- a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/cam_jpeg_hw_mgr.c +++ b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/cam_jpeg_hw_mgr.c @@ -46,6 +46,112 @@ static struct cam_jpeg_hw_mgr g_jpeg_hw_mgr; static int32_t cam_jpeg_hw_mgr_cb(uint32_t irq_status, int32_t result_size, void *data); static int cam_jpeg_mgr_process_cmd(void *priv, void *data); +static int cam_jpeg_insert_cdm_change_base( + struct cam_hw_config_args *config_args, + struct cam_jpeg_hw_ctx_data *ctx_data, + struct cam_jpeg_hw_mgr *hw_mgr); + +static int cam_jpeg_process_next_hw_update(void *priv, void *data) +{ + int rc; + int i = 0; + struct cam_jpeg_hw_mgr *hw_mgr = priv; + struct cam_hw_update_entry *cmd; + struct cam_cdm_bl_request *cdm_cmd; + struct cam_hw_config_args *config_args = NULL; + struct cam_jpeg_hw_ctx_data *ctx_data = NULL; + uint32_t dev_type; + struct cam_jpeg_hw_cfg_req *p_cfg_req = NULL; + uint32_t cdm_cfg_to_insert = 0; + + if (!data || !priv) { + CAM_ERR(CAM_JPEG, "Invalid data"); + return -EINVAL; + } + + ctx_data = (struct cam_jpeg_hw_ctx_data *)data; + dev_type = ctx_data->jpeg_dev_acquire_info.dev_type; + p_cfg_req = hw_mgr->dev_hw_cfg_args[dev_type][0]; + config_args = (struct cam_hw_config_args *)&p_cfg_req->hw_cfg_args; + + if (!hw_mgr->devices[dev_type][0]->hw_ops.reset) { + CAM_ERR(CAM_JPEG, "op reset null "); + rc = -EFAULT; + goto end_error; + } + rc = hw_mgr->devices[dev_type][0]->hw_ops.reset( + hw_mgr->devices[dev_type][0]->hw_priv, + NULL, 0); + if (rc) { + CAM_ERR(CAM_JPEG, "jpeg hw reset failed %d", rc); + goto end_error; + } + + cdm_cmd = ctx_data->cdm_cmd; + cdm_cmd->type = CAM_CDM_BL_CMD_TYPE_MEM_HANDLE; + cdm_cmd->flag = false; + cdm_cmd->userdata = NULL; + cdm_cmd->cookie = 0; + cdm_cmd->cmd_arrary_count = 0; + + /* insert cdm chage base cmd */ + rc = cam_jpeg_insert_cdm_change_base(config_args, + ctx_data, hw_mgr); + if (rc) { + CAM_ERR(CAM_JPEG, "insert change base failed %d", rc); + goto end_error; + } + + /* insert next cdm payload at index */ + /* for enc or dma 1st pass at index 1 */ + /* for dma 2nd pass at index 2, for 3rd at 4 */ + if (p_cfg_req->num_hw_entry_processed == 0) + cdm_cfg_to_insert = CAM_JPEG_CFG; + else + cdm_cfg_to_insert = p_cfg_req->num_hw_entry_processed + 2; + + CAM_DBG(CAM_JPEG, "processed %d total %d using cfg entry %d for %pK", + p_cfg_req->num_hw_entry_processed, + config_args->num_hw_update_entries, + cdm_cfg_to_insert, + p_cfg_req); + + cmd = (config_args->hw_update_entries + cdm_cfg_to_insert); + cdm_cmd->cmd[cdm_cmd->cmd_arrary_count].bl_addr.mem_handle = + cmd->handle; + cdm_cmd->cmd[cdm_cmd->cmd_arrary_count].offset = + cmd->offset; + cdm_cmd->cmd[cdm_cmd->cmd_arrary_count].len = + cmd->len; + CAM_DBG(CAM_JPEG, "i %d entry h %d o %d l %d", + i, cmd->handle, cmd->offset, cmd->len); + cdm_cmd->cmd_arrary_count++; + + rc = cam_cdm_submit_bls( + hw_mgr->cdm_info[dev_type][0].cdm_handle, + cdm_cmd); + if (rc) { + CAM_ERR(CAM_JPEG, "Failed to apply the configs %d", rc); + goto end_error; + } + + if (!hw_mgr->devices[dev_type][0]->hw_ops.start) { + CAM_ERR(CAM_JPEG, "op start null "); + rc = -EINVAL; + goto end_error; + } + rc = hw_mgr->devices[dev_type][0]->hw_ops.start( + hw_mgr->devices[dev_type][0]->hw_priv, NULL, 0); + if (rc) { + CAM_ERR(CAM_JPEG, "Failed to apply the configs %d", + rc); + goto end_error; + } + + return 0; +end_error: + return rc; +} static int cam_jpeg_mgr_process_irq(void *priv, void *data) { @@ -93,6 +199,21 @@ static int cam_jpeg_mgr_process_irq(void *priv, void *data) return -EINVAL; } + p_cfg_req->num_hw_entry_processed++; + CAM_DBG(CAM_JPEG, "hw entry processed %d", + p_cfg_req->num_hw_entry_processed); + + if ((task_data->result_size > 0) && + (p_cfg_req->num_hw_entry_processed < + p_cfg_req->hw_cfg_args.num_hw_update_entries - 2)) { + /* start processing next entry before marking device free */ + rc = cam_jpeg_process_next_hw_update(priv, ctx_data); + if (!rc) { + mutex_unlock(&g_jpeg_hw_mgr.hw_mgr_mutex); + return 0; + } + } + irq_cb.jpeg_hw_mgr_cb = cam_jpeg_hw_mgr_cb; irq_cb.data = NULL; irq_cb.b_set_cb = false; @@ -159,7 +280,9 @@ static int cam_jpeg_mgr_process_irq(void *priv, void *data) if ((p_cfg_req->hw_cfg_args.hw_update_entries[CAM_JPEG_PARAM].offset / sizeof(uint32_t)) >= cmd_buf_len) { - CAM_ERR(CAM_JPEG, "Not enough buf"); + CAM_ERR(CAM_JPEG, "Invalid offset: %u cmd buf len: %zu", + p_cfg_req->hw_cfg_args.hw_update_entries[ + CAM_JPEG_PARAM].offset, cmd_buf_len); return -EINVAL; } @@ -288,7 +411,9 @@ static int cam_jpeg_insert_cdm_change_base( if (config_args->hw_update_entries[CAM_JPEG_CHBASE].offset >= ch_base_len) { - CAM_ERR(CAM_JPEG, "Not enough buf"); + CAM_ERR(CAM_JPEG, "Not enough buf offset %d len %d", + config_args->hw_update_entries[CAM_JPEG_CHBASE].offset, + ch_base_len); return -EINVAL; } CAM_DBG(CAM_JPEG, "iova %pK len %zu offset %d", @@ -327,8 +452,6 @@ static int cam_jpeg_mgr_process_cmd(void *priv, void *data) int rc; int i = 0; struct cam_jpeg_hw_mgr *hw_mgr = priv; - struct cam_hw_update_entry *cmd; - struct cam_cdm_bl_request *cdm_cmd; struct cam_hw_config_args *config_args = NULL; struct cam_jpeg_hw_ctx_data *ctx_data = NULL; uintptr_t request_id = 0; @@ -430,68 +553,14 @@ static int cam_jpeg_mgr_process_cmd(void *priv, void *data) goto end_callcb; } - if (!hw_mgr->devices[dev_type][0]->hw_ops.reset) { - CAM_ERR(CAM_JPEG, "op reset null "); - rc = -EFAULT; - goto end_callcb; - } - rc = hw_mgr->devices[dev_type][0]->hw_ops.reset( - hw_mgr->devices[dev_type][0]->hw_priv, - NULL, 0); + /* insert one of the cdm payloads */ + rc = cam_jpeg_process_next_hw_update(priv, ctx_data); if (rc) { - CAM_ERR(CAM_JPEG, "jpeg hw reset failed %d", rc); + CAM_ERR(CAM_JPEG, "next hw update failed %d", rc); goto end_callcb; } - cdm_cmd = ctx_data->cdm_cmd; - cdm_cmd->type = CAM_CDM_BL_CMD_TYPE_MEM_HANDLE; - cdm_cmd->flag = false; - cdm_cmd->userdata = NULL; - cdm_cmd->cookie = 0; - cdm_cmd->cmd_arrary_count = 0; - rc = cam_jpeg_insert_cdm_change_base(config_args, - ctx_data, hw_mgr); - if (rc) { - CAM_ERR(CAM_JPEG, "insert change base failed %d", rc); - goto end_callcb; - } - - CAM_DBG(CAM_JPEG, "num hw up %d", config_args->num_hw_update_entries); - for (i = CAM_JPEG_CFG; i < (config_args->num_hw_update_entries - 1); - i++) { - cmd = (config_args->hw_update_entries + i); - cdm_cmd->cmd[cdm_cmd->cmd_arrary_count].bl_addr.mem_handle - = cmd->handle; - cdm_cmd->cmd[cdm_cmd->cmd_arrary_count].offset = - cmd->offset; - cdm_cmd->cmd[cdm_cmd->cmd_arrary_count].len = - cmd->len; - CAM_DBG(CAM_JPEG, "i %d entry h %d o %d l %d", - i, cmd->handle, cmd->offset, cmd->len); - cdm_cmd->cmd_arrary_count++; - } - - rc = cam_cdm_submit_bls( - hw_mgr->cdm_info[dev_type][0].cdm_handle, cdm_cmd); - if (rc) { - CAM_ERR(CAM_JPEG, "Failed to apply the configs %d", rc); - goto rel_cpu_buf; - } - - if (!hw_mgr->devices[dev_type][0]->hw_ops.start) { - CAM_ERR(CAM_JPEG, "op start null "); - rc = -EINVAL; - goto rel_cpu_buf; - } - rc = hw_mgr->devices[dev_type][0]->hw_ops.start( - hw_mgr->devices[dev_type][0]->hw_priv, - NULL, 0); - if (rc) { - CAM_ERR(CAM_JPEG, "Failed to start hw %d", - rc); - goto rel_cpu_buf; - } cam_common_util_get_curr_timestamp(&p_cfg_req->submit_timestamp); if (cam_mem_put_cpu_buf( config_args->hw_update_entries[CAM_JPEG_CHBASE].handle)) @@ -501,11 +570,6 @@ static int cam_jpeg_mgr_process_cmd(void *priv, void *data) mutex_unlock(&hw_mgr->hw_mgr_mutex); return rc; -rel_cpu_buf: - if (cam_mem_put_cpu_buf( - config_args->hw_update_entries[CAM_JPEG_CHBASE].handle)) - CAM_WARN(CAM_JPEG, "unable to put info for cmd buf: 0x%x", - config_args->hw_update_entries[CAM_JPEG_CHBASE].handle); end_callcb: mutex_unlock(&hw_mgr->hw_mgr_mutex); if (p_cfg_req) { @@ -578,6 +642,7 @@ static int cam_jpeg_mgr_config_hw(void *hw_mgr_priv, void *config_hw_args) request_id = (uintptr_t)config_args->priv; p_cfg_req->req_id = request_id; + p_cfg_req->num_hw_entry_processed = 0; hw_update_entries = config_args->hw_update_entries; CAM_DBG(CAM_JPEG, "ctx_data = %pK req_id = %lld %zd", ctx_data, request_id, (uintptr_t)config_args->priv); @@ -797,6 +862,7 @@ static int cam_jpeg_mgr_prepare_hw_update(void *hw_mgr_priv, i, io_cfg_ptr[i].direction, io_cfg_ptr[i].fence); } + CAM_DBG(CAM_JPEG, "received num cmd buf %d", packet->num_cmd_buf); j = prepare_args->num_hw_update_entries; rc = cam_packet_util_get_kmd_buffer(packet, &kmd_buf); diff --git a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/cam_jpeg_hw_mgr.h b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/cam_jpeg_hw_mgr.h index 2dc11dfa0746..3f317524611f 100644 --- a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/cam_jpeg_hw_mgr.h +++ b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/cam_jpeg_hw_mgr.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved. +/* Copyright (c) 2017-2020, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -83,6 +83,7 @@ struct cam_jpeg_hw_cdm_info_t { * @dev_type: Dev type for cfg request * @req_id: Request Id * @submit_timestamp: Timestamp of submitting request + * @num_hw_entry_processed: Cdm payloads already processed */ struct cam_jpeg_hw_cfg_req { struct list_head list; @@ -90,6 +91,7 @@ struct cam_jpeg_hw_cfg_req { uint32_t dev_type; uintptr_t req_id; struct timeval submit_timestamp; + uint32_t num_hw_entry_processed; }; /** diff --git a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/cam_jpeg_dma_hw_info_ver_4_2_0.h b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/cam_jpeg_dma_hw_info_ver_4_2_0.h new file mode 100644 index 000000000000..ff8997bd4615 --- /dev/null +++ b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/cam_jpeg_dma_hw_info_ver_4_2_0.h @@ -0,0 +1,53 @@ +/* Copyright (c) 2020 The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and + * only version 2 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#ifndef CAM_JPEG_DMA_HW_INFO_VER_4_2_0_H +#define CAM_JPEG_DMA_HW_INFO_VER_4_2_0_H + +#define CAM_JPEGDMA_HW_IRQ_STATUS_SESSION_DONE (1 << 0) +#define CAM_JPEGDMA_HW_IRQ_STATUS_RD_BUF_DONE (1 << 1) +#define CAM_JPEGDMA_HW_IRQ_STATUS_WR_BUF_DONE (1 << 5) +#define CAM_JPEGDMA_HW_IRQ_STATUS_AXI_HALT (1 << 9) +#define CAM_JPEGDMA_HW_IRQ_STATUS_RST_DONE (1 << 10) + +#define CAM_JPEGDMA_HW_MASK_COMP_FRAMEDONE \ + CAM_JPEGDMA_HW_IRQ_STATUS_SESSION_DONE +#define CAM_JPEGDMA_HW_MASK_COMP_RESET_ACK \ + CAM_JPEGDMA_HW_IRQ_STATUS_RST_DONE + +static struct cam_jpeg_dma_device_hw_info cam_jpeg_dma_hw_info = { + .reg_offset = { + .hw_version = 0x0, + .int_clr = 0x14, + .int_status = 0x10, + .int_mask = 0x0C, + .hw_cmd = 0x1C, + .reset_cmd = 0x08, + .encode_size = 0x180, + }, + .reg_val = { + .int_clr_clearall = 0xFFFFFFFF, + .int_mask_disable_all = 0x00000000, + .int_mask_enable_all = 0xFFFFFFFF, + .hw_cmd_start = 0x00000001, + .reset_cmd = 0x32083, + .hw_cmd_stop = 0x00000004, + }, + .int_status = { + .framedone = CAM_JPEGDMA_HW_MASK_COMP_FRAMEDONE, + .resetdone = CAM_JPEGDMA_HW_MASK_COMP_RESET_ACK, + .iserror = 0x0, + .stopdone = CAM_JPEGDMA_HW_IRQ_STATUS_AXI_HALT, + } +}; + +#endif /* CAM_JPEG_DMA_HW_INFO_VER_4_2_0_H */ diff --git a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/jpeg_dma_core.c b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/jpeg_dma_core.c index 037a39e5eb12..169a027d95ff 100644 --- a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/jpeg_dma_core.c +++ b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/jpeg_dma_core.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved. +/* Copyright (c) 2017-2020, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -31,6 +31,15 @@ #include "cam_cpas_api.h" #include "cam_debug_util.h" +#define CAM_JPEG_HW_IRQ_IS_FRAME_DONE(jpeg_irq_status, hi) \ + ((jpeg_irq_status) & (hi)->int_status.framedone) +#define CAM_JPEG_HW_IRQ_IS_RESET_ACK(jpeg_irq_status, hi) \ + ((jpeg_irq_status) & (hi)->int_status.resetdone) +#define CAM_JPEG_HW_IRQ_IS_STOP_DONE(jpeg_irq_status, hi) \ + ((jpeg_irq_status) & (hi)->int_status.stopdone) + +#define CAM_JPEG_DMA_RESET_TIMEOUT msecs_to_jiffies(500) + int cam_jpeg_dma_init_hw(void *device_priv, void *init_hw_args, uint32_t arg_size) { @@ -131,7 +140,7 @@ int cam_jpeg_dma_deinit_hw(void *device_priv, rc = cam_jpeg_dma_disable_soc_resources(soc_info); if (rc) - CAM_ERR(CAM_JPEG, "soc enable failed %d", rc); + CAM_ERR(CAM_JPEG, "soc disable failed %d", rc); rc = cam_cpas_stop(core_info->cpas_handle); if (rc) @@ -142,6 +151,226 @@ int cam_jpeg_dma_deinit_hw(void *device_priv, return 0; } +irqreturn_t cam_jpeg_dma_irq(int irq_num, void *data) +{ + struct cam_hw_info *jpeg_dma_dev = data; + struct cam_jpeg_dma_device_core_info *core_info = NULL; + uint32_t irq_status = 0; + struct cam_hw_soc_info *soc_info = NULL; + struct cam_jpeg_dma_device_hw_info *hw_info = NULL; + void __iomem *mem_base; + + if (!jpeg_dma_dev) { + CAM_ERR(CAM_JPEG, "Invalid args"); + return IRQ_HANDLED; + } + soc_info = &jpeg_dma_dev->soc_info; + core_info = (struct cam_jpeg_dma_device_core_info *) + jpeg_dma_dev->core_info; + hw_info = core_info->jpeg_dma_hw_info; + mem_base = soc_info->reg_map[0].mem_base; + + irq_status = cam_io_r_mb(mem_base + + core_info->jpeg_dma_hw_info->reg_offset.int_status); + cam_io_w_mb(irq_status, + soc_info->reg_map[0].mem_base + + core_info->jpeg_dma_hw_info->reg_offset.int_clr); + CAM_DBG(CAM_JPEG, "irq_num %d irq_status = %x , core_state %d", + irq_num, irq_status, core_info->core_state); + if (CAM_JPEG_HW_IRQ_IS_FRAME_DONE(irq_status, hw_info)) { + spin_lock(&jpeg_dma_dev->hw_lock); + if (core_info->core_state == CAM_JPEG_DMA_CORE_READY) { + core_info->result_size = 1; + CAM_DBG(CAM_JPEG, "result_size %d", + core_info->result_size); + core_info->core_state = + CAM_JPEG_DMA_CORE_RESETTING_ON_DONE; + cam_io_w_mb(hw_info->reg_val.reset_cmd, + mem_base + hw_info->reg_offset.reset_cmd); + } else { + CAM_WARN(CAM_JPEG, "unexpected frame done "); + core_info->core_state = CAM_JPEG_DMA_CORE_NOT_READY; + } + spin_unlock(&jpeg_dma_dev->hw_lock); + } + + if (CAM_JPEG_HW_IRQ_IS_RESET_ACK(irq_status, hw_info)) { + spin_lock(&jpeg_dma_dev->hw_lock); + if (core_info->core_state == CAM_JPEG_DMA_CORE_RESETTING) { + core_info->core_state = CAM_JPEG_DMA_CORE_READY; + core_info->result_size = -1; + complete(&jpeg_dma_dev->hw_complete); + } else if (core_info->core_state == + CAM_JPEG_DMA_CORE_RESETTING_ON_DONE) { + if (core_info->irq_cb.jpeg_hw_mgr_cb) { + core_info->irq_cb.jpeg_hw_mgr_cb(irq_status, + core_info->result_size, + core_info->irq_cb.data); + } else { + CAM_WARN(CAM_JPEG, "unexpected frame done"); + } + core_info->result_size = -1; + core_info->core_state = CAM_JPEG_DMA_CORE_NOT_READY; + } else { + CAM_ERR(CAM_JPEG, "unexpected reset irq"); + } + spin_unlock(&jpeg_dma_dev->hw_lock); + } + if (CAM_JPEG_HW_IRQ_IS_STOP_DONE(irq_status, hw_info)) { + spin_lock(&jpeg_dma_dev->hw_lock); + if (core_info->core_state == CAM_JPEG_DMA_CORE_ABORTING) { + core_info->core_state = CAM_JPEG_DMA_CORE_NOT_READY; + complete(&jpeg_dma_dev->hw_complete); + if (core_info->irq_cb.jpeg_hw_mgr_cb) { + core_info->irq_cb.jpeg_hw_mgr_cb(irq_status, + -1, + core_info->irq_cb.data); + } + } else { + CAM_ERR(CAM_JPEG, "unexpected abort irq"); + } + spin_unlock(&jpeg_dma_dev->hw_lock); + } + + return IRQ_HANDLED; +} + +int cam_jpeg_dma_reset_hw(void *data, + void *start_args, uint32_t arg_size) +{ + struct cam_hw_info *jpeg_dma_dev = data; + struct cam_jpeg_dma_device_core_info *core_info = NULL; + struct cam_hw_soc_info *soc_info = NULL; + struct cam_jpeg_dma_device_hw_info *hw_info = NULL; + void __iomem *mem_base; + unsigned long rem_jiffies; + + if (!jpeg_dma_dev) { + CAM_ERR(CAM_JPEG, "Invalid args"); + return -EINVAL; + } + /* maskdisable.clrirq.maskenable.resetcmd */ + soc_info = &jpeg_dma_dev->soc_info; + core_info = (struct cam_jpeg_dma_device_core_info *) + jpeg_dma_dev->core_info; + hw_info = core_info->jpeg_dma_hw_info; + mem_base = soc_info->reg_map[0].mem_base; + + mutex_lock(&core_info->core_mutex); + spin_lock(&jpeg_dma_dev->hw_lock); + if (core_info->core_state == CAM_JPEG_DMA_CORE_RESETTING) { + CAM_ERR(CAM_JPEG, "dma alrady resetting"); + spin_unlock(&jpeg_dma_dev->hw_lock); + mutex_unlock(&core_info->core_mutex); + return 0; + } + + reinit_completion(&jpeg_dma_dev->hw_complete); + + core_info->core_state = CAM_JPEG_DMA_CORE_RESETTING; + spin_unlock(&jpeg_dma_dev->hw_lock); + + cam_io_w_mb(hw_info->reg_val.int_mask_disable_all, + mem_base + hw_info->reg_offset.int_mask); + cam_io_w_mb(hw_info->reg_val.int_clr_clearall, + mem_base + hw_info->reg_offset.int_clr); + cam_io_w_mb(hw_info->reg_val.int_mask_enable_all, + mem_base + hw_info->reg_offset.int_mask); + cam_io_w_mb(hw_info->reg_val.reset_cmd, + mem_base + hw_info->reg_offset.reset_cmd); + + rem_jiffies = wait_for_completion_timeout(&jpeg_dma_dev->hw_complete, + CAM_JPEG_DMA_RESET_TIMEOUT); + if (!rem_jiffies) { + CAM_ERR(CAM_JPEG, "dma error Reset Timeout"); + core_info->core_state = CAM_JPEG_DMA_CORE_NOT_READY; + } + + mutex_unlock(&core_info->core_mutex); + return 0; +} + +int cam_jpeg_dma_start_hw(void *data, + void *start_args, uint32_t arg_size) +{ + struct cam_hw_info *jpeg_dma_dev = data; + struct cam_jpeg_dma_device_core_info *core_info = NULL; + struct cam_hw_soc_info *soc_info = NULL; + struct cam_jpeg_dma_device_hw_info *hw_info = NULL; + void __iomem *mem_base; + + if (!jpeg_dma_dev) { + CAM_ERR(CAM_JPEG, "Invalid args"); + return -EINVAL; + } + + soc_info = &jpeg_dma_dev->soc_info; + core_info = (struct cam_jpeg_dma_device_core_info *) + jpeg_dma_dev->core_info; + hw_info = core_info->jpeg_dma_hw_info; + mem_base = soc_info->reg_map[0].mem_base; + + if (core_info->core_state != CAM_JPEG_DMA_CORE_READY) { + CAM_ERR(CAM_JPEG, "Error not ready"); + return -EINVAL; + } + + CAM_DBG(CAM_JPEG, "Starting DMA"); + cam_io_w_mb(0x00000601, + mem_base + hw_info->reg_offset.int_mask); + cam_io_w_mb(hw_info->reg_val.hw_cmd_start, + mem_base + hw_info->reg_offset.hw_cmd); + + return 0; +} + +int cam_jpeg_dma_stop_hw(void *data, + void *stop_args, uint32_t arg_size) +{ + struct cam_hw_info *jpeg_dma_dev = data; + struct cam_jpeg_dma_device_core_info *core_info = NULL; + struct cam_hw_soc_info *soc_info = NULL; + struct cam_jpeg_dma_device_hw_info *hw_info = NULL; + void __iomem *mem_base; + unsigned long rem_jiffies; + + if (!jpeg_dma_dev) { + CAM_ERR(CAM_JPEG, "Invalid args"); + return -EINVAL; + } + soc_info = &jpeg_dma_dev->soc_info; + core_info = (struct cam_jpeg_dma_device_core_info *) + jpeg_dma_dev->core_info; + hw_info = core_info->jpeg_dma_hw_info; + mem_base = soc_info->reg_map[0].mem_base; + + mutex_lock(&core_info->core_mutex); + spin_lock(&jpeg_dma_dev->hw_lock); + if (core_info->core_state == CAM_JPEG_DMA_CORE_ABORTING) { + CAM_ERR(CAM_JPEG, "alrady stopping"); + spin_unlock(&jpeg_dma_dev->hw_lock); + mutex_unlock(&core_info->core_mutex); + return 0; + } + + reinit_completion(&jpeg_dma_dev->hw_complete); + core_info->core_state = CAM_JPEG_DMA_CORE_ABORTING; + spin_unlock(&jpeg_dma_dev->hw_lock); + + cam_io_w_mb(hw_info->reg_val.hw_cmd_stop, + mem_base + hw_info->reg_offset.hw_cmd); + + rem_jiffies = wait_for_completion_timeout(&jpeg_dma_dev->hw_complete, + CAM_JPEG_DMA_RESET_TIMEOUT); + if (!rem_jiffies) { + CAM_ERR(CAM_JPEG, "error Reset Timeout"); + core_info->core_state = CAM_JPEG_DMA_CORE_NOT_READY; + } + + mutex_unlock(&core_info->core_mutex); + return 0; +} + int cam_jpeg_dma_process_cmd(void *device_priv, uint32_t cmd_type, void *cmd_args, uint32_t arg_size) { @@ -186,12 +415,7 @@ int cam_jpeg_dma_process_cmd(void *device_priv, uint32_t cmd_type, rc = -EINVAL; break; } - + if (rc) + CAM_ERR(CAM_JPEG, "error cmdtype %d rc = %d", cmd_type, rc); return rc; } - -irqreturn_t cam_jpeg_dma_irq(int irq_num, void *data) -{ - return IRQ_HANDLED; -} - diff --git a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/jpeg_dma_core.h b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/jpeg_dma_core.h index 8f5fd58698d2..737c2f217feb 100644 --- a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/jpeg_dma_core.h +++ b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/jpeg_dma_core.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved. +/* Copyright (c) 2017-2018,2020 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -21,14 +21,44 @@ #include "cam_jpeg_hw_intf.h" +struct cam_jpeg_dma_reg_offsets { + uint32_t hw_version; + uint32_t int_status; + uint32_t int_clr; + uint32_t int_mask; + uint32_t hw_cmd; + uint32_t reset_cmd; + uint32_t encode_size; +}; + +struct cam_jpeg_dma_regval { + uint32_t int_clr_clearall; + uint32_t int_mask_disable_all; + uint32_t int_mask_enable_all; + uint32_t hw_cmd_start; + uint32_t reset_cmd; + uint32_t hw_cmd_stop; +}; + +struct cam_jpeg_dma_int_status { + uint32_t framedone; + uint32_t resetdone; + uint32_t iserror; + uint32_t stopdone; +}; + struct cam_jpeg_dma_device_hw_info { - uint32_t reserved; + struct cam_jpeg_dma_reg_offsets reg_offset; + struct cam_jpeg_dma_regval reg_val; + struct cam_jpeg_dma_int_status int_status; }; enum cam_jpeg_dma_core_state { CAM_JPEG_DMA_CORE_NOT_READY, CAM_JPEG_DMA_CORE_READY, CAM_JPEG_DMA_CORE_RESETTING, + CAM_JPEG_DMA_CORE_ABORTING, + CAM_JPEG_DMA_CORE_RESETTING_ON_DONE, CAM_JPEG_DMA_CORE_STATE_MAX, }; @@ -39,12 +69,19 @@ struct cam_jpeg_dma_device_core_info { struct cam_jpeg_set_irq_cb irq_cb; int32_t ref_count; struct mutex core_mutex; + int32_t result_size; }; int cam_jpeg_dma_init_hw(void *device_priv, void *init_hw_args, uint32_t arg_size); int cam_jpeg_dma_deinit_hw(void *device_priv, void *init_hw_args, uint32_t arg_size); +int cam_jpeg_dma_start_hw(void *device_priv, + void *start_hw_args, uint32_t arg_size); +int cam_jpeg_dma_stop_hw(void *device_priv, + void *stop_hw_args, uint32_t arg_size); +int cam_jpeg_dma_reset_hw(void *device_priv, + void *reset_hw_args, uint32_t arg_size); int cam_jpeg_dma_process_cmd(void *device_priv, uint32_t cmd_type, void *cmd_args, uint32_t arg_size); irqreturn_t cam_jpeg_dma_irq(int irq_num, void *data); diff --git a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/jpeg_dma_dev.c b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/jpeg_dma_dev.c index fd4fdab19fa7..f91eee863352 100644 --- a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/jpeg_dma_dev.c +++ b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_dma_hw/jpeg_dma_dev.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved. +/* Copyright (c) 2017-2018,2020 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -25,11 +25,7 @@ #include "cam_jpeg_hw_mgr_intf.h" #include "cam_cpas_api.h" #include "cam_debug_util.h" - -static struct cam_jpeg_dma_device_hw_info cam_jpeg_dma_hw_info = { - .reserved = 0, -}; -EXPORT_SYMBOL(cam_jpeg_dma_hw_info); +#include "cam_jpeg_dma_hw_info_ver_4_2_0.h" static int cam_jpeg_dma_register_cpas(struct cam_hw_soc_info *soc_info, struct cam_jpeg_dma_device_core_info *core_info, @@ -142,6 +138,9 @@ static int cam_jpeg_dma_probe(struct platform_device *pdev) jpeg_dma_dev_intf->hw_priv = jpeg_dma_dev; jpeg_dma_dev_intf->hw_ops.init = cam_jpeg_dma_init_hw; jpeg_dma_dev_intf->hw_ops.deinit = cam_jpeg_dma_deinit_hw; + jpeg_dma_dev_intf->hw_ops.start = cam_jpeg_dma_start_hw; + jpeg_dma_dev_intf->hw_ops.stop = cam_jpeg_dma_stop_hw; + jpeg_dma_dev_intf->hw_ops.reset = cam_jpeg_dma_reset_hw; jpeg_dma_dev_intf->hw_ops.process_cmd = cam_jpeg_dma_process_cmd; jpeg_dma_dev_intf->hw_type = CAM_JPEG_DEV_DMA; @@ -186,13 +185,11 @@ static int cam_jpeg_dma_probe(struct platform_device *pdev) mutex_init(&jpeg_dma_dev->hw_mutex); spin_lock_init(&jpeg_dma_dev->hw_lock); init_completion(&jpeg_dma_dev->hw_complete); - - CAM_DBG(CAM_JPEG, " hwidx %d", jpeg_dma_dev_intf->hw_idx); - + CAM_DBG(CAM_JPEG, "JPEG-DMA component bound successfully"); return rc; error_reg_cpas: - rc = cam_soc_util_release_platform_resource(&jpeg_dma_dev->soc_info); + cam_soc_util_release_platform_resource(&jpeg_dma_dev->soc_info); error_init_soc: mutex_destroy(&core_info->core_mutex); error_match_dev: diff --git a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_enc_hw/jpeg_enc_core.c b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_enc_hw/jpeg_enc_core.c index 54dd62c44f67..196742d06448 100644 --- a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_enc_hw/jpeg_enc_core.c +++ b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_enc_hw/jpeg_enc_core.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved. +/* Copyright (c) 2017-2020, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -350,7 +350,7 @@ int cam_jpeg_enc_start_hw(void *data, return -EINVAL; } spin_unlock(&jpeg_enc_dev->hw_lock); - + CAM_DBG(CAM_JPEG, "Starting JPEG ENC"); cam_io_w_mb(hw_info->reg_val.hw_cmd_start, mem_base + hw_info->reg_offset.hw_cmd); diff --git a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_enc_hw/jpeg_enc_dev.c b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_enc_hw/jpeg_enc_dev.c index d4daa6dde308..be703d6c3055 100644 --- a/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_enc_hw/jpeg_enc_dev.c +++ b/drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/jpeg_enc_hw/jpeg_enc_dev.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved. +/* Copyright (c) 2017-2018,2020 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -185,7 +185,7 @@ static int cam_jpeg_enc_probe(struct platform_device *pdev) mutex_init(&jpeg_enc_dev->hw_mutex); spin_lock_init(&jpeg_enc_dev->hw_lock); init_completion(&jpeg_enc_dev->hw_complete); - + CAM_DBG(CAM_JPEG, "JPEG-Encoder component bound successfully"); return rc; error_reg_cpas: From 6564db448ffb1f9da172241690beef9b9d4b2a68 Mon Sep 17 00:00:00 2001 From: Terence Ho Date: Wed, 5 Aug 2020 15:25:26 -0400 Subject: [PATCH 091/386] msm: ais: fix to enqueue current sof timestamp Fix to enqueue current sof timestamp instead of previous frame. Change-Id: I673d057ebed3062f908bbb490a82313743721512 Acked-by: Abderahmane Allalou Signed-off-by: Terence Ho --- drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.c b/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.c index 00219b70667a..b8a1909520ec 100644 --- a/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.c +++ b/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.c @@ -985,7 +985,7 @@ static void ais_vfe_handle_sof_rdi(struct ais_vfe_hw_core_info *core_info, //enq curr sof.sof_ts = work_data->ts; - sof.cur_sof_hw_ts = prev_sof_hw_ts; + sof.cur_sof_hw_ts = cur_sof_hw_ts; sof.frame_cnt = p_rdi->frame_cnt; ais_vfe_q_sof(core_info, path, &sof); From b9fe5673d3d39fa737dd70b6f775bbb1ff7e6c00 Mon Sep 17 00:00:00 2001 From: Venkata Rao Kakani Date: Thu, 6 Aug 2020 11:41:24 +0530 Subject: [PATCH 092/386] defconfig: quin_gvmq: enable disk renaming Enable dev node renaming for changing the dev path to support avb 2.0 in linux android guest. Change-Id: I5f640667418a6176191d86b7ace4a4c45ed8465c Signed-off-by: Venkata Rao Kakani --- arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig | 1 + arch/arm64/configs/vendor/qti-quin-gvm_defconfig | 1 + 2 files changed, 2 insertions(+) diff --git a/arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig b/arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig index eae30c1b4fb0..61f2563f8f77 100644 --- a/arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig +++ b/arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig @@ -463,6 +463,7 @@ CONFIG_MEM_SHARE_QMI_SERVICE=y CONFIG_MSM_HAB=y CONFIG_QCOM_HGSL_TCSR_SIGNAL=y CONFIG_QCOM_HGSL=y +CONFIG_RENAME_BLOCK_DEVICE=y CONFIG_PM_DEVFREQ=y CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND=y CONFIG_EXTCON_USB_GPIO=y diff --git a/arch/arm64/configs/vendor/qti-quin-gvm_defconfig b/arch/arm64/configs/vendor/qti-quin-gvm_defconfig index 1559e097deeb..19a24df6f119 100644 --- a/arch/arm64/configs/vendor/qti-quin-gvm_defconfig +++ b/arch/arm64/configs/vendor/qti-quin-gvm_defconfig @@ -474,6 +474,7 @@ CONFIG_MEM_SHARE_QMI_SERVICE=y CONFIG_MSM_HAB=y CONFIG_QCOM_HGSL_TCSR_SIGNAL=y CONFIG_QCOM_HGSL=y +CONFIG_RENAME_BLOCK_DEVICE=y CONFIG_PM_DEVFREQ=y CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND=y CONFIG_EXTCON_USB_GPIO=y From 360f8047d99040c212f2cfaac6ba6653d226e6e0 Mon Sep 17 00:00:00 2001 From: Lakshay Verma Date: Thu, 6 Aug 2020 13:42:44 +0530 Subject: [PATCH 093/386] diag: Prevent out-of-bound read while processing peripheral ctrl_pkt There is a possibility of out-of-bound access while processing control packet received from peripheral due to missing buffer length check. The patch adds proper check to fix the same. Change-Id: I6793a47ca21c6e0ba52863a350decb90feb81a88 Signed-off-by: Lakshay Verma --- drivers/char/diag/diagfwd_cntl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/char/diag/diagfwd_cntl.c b/drivers/char/diag/diagfwd_cntl.c index 4b1df988c527..ed892195fc2b 100644 --- a/drivers/char/diag/diagfwd_cntl.c +++ b/drivers/char/diag/diagfwd_cntl.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2011-2019, The Linux Foundation. All rights reserved. +/* Copyright (c) 2011-2020, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -886,6 +886,8 @@ void diag_cntl_process_read_data(struct diagfwd_info *p_info, void *buf, while (read_len + header_len < len) { ctrl_pkt = (struct diag_ctrl_pkt_header_t *)ptr; + if ((read_len + header_len + ctrl_pkt->len) > len) + return; switch (ctrl_pkt->pkt_id) { case DIAG_CTRL_MSG_REG: process_command_registration(ptr, ctrl_pkt->len, From 64ef232253df497d07af196afc448af85f1de051 Mon Sep 17 00:00:00 2001 From: Kavya Nunna Date: Wed, 5 Aug 2020 17:26:55 +0530 Subject: [PATCH 094/386] power: smb1398-charger: Fix use of uninitialized variable error Fix use of uninitiallized variable error in function smb1398_taper_work. Change-Id: I5a86fc7b879cbe3c31556645ad4808ac1b8f7ae2 Signed-off-by: Kavya Nunna --- drivers/power/supply/qcom/smb1398-charger.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/power/supply/qcom/smb1398-charger.c b/drivers/power/supply/qcom/smb1398-charger.c index d52d1410d7eb..62396c59a32e 100644 --- a/drivers/power/supply/qcom/smb1398-charger.c +++ b/drivers/power/supply/qcom/smb1398-charger.c @@ -1755,7 +1755,7 @@ static void smb1398_taper_work(struct work_struct *work) struct smb1398_chip *chip = container_of(work, struct smb1398_chip, taper_work); union power_supply_propval pval = {0}; - int rc, fcc_ua, fv_uv, stepper_ua, main_fcc_ua, min_ilim_ua; + int rc, fcc_ua, fv_uv, stepper_ua, main_fcc_ua = 0, min_ilim_ua; bool slave_en; if (!is_psy_voter_available(chip)) From 9d84fccd94750acad62ed0008bbbdee406307a13 Mon Sep 17 00:00:00 2001 From: Paul Lawrence Date: Mon, 1 Jun 2020 10:53:02 -0700 Subject: [PATCH 095/386] ANDROID: dm-bow: Add block_size option Also consolidated changes to limits, including no longer changing underlying device. Bug: 153512828 Test: device boots, checkpoints can be committed or rolled back with and without this parameter, parameter is accepted Change-Id: I6fcb9bc21353a16ae0bf8998ffa22094eb1cbf3a Signed-off-by: Paul Lawrence (cherry picked from commit 7df64f62169ca56286ba49bca3116e9786fd1616) Git-repo: https://android.googlesource.com/kernel/common Git-commit: 8330799340d88e2d5812b99b680681a2f5e7d31d Signed-off-by: Srinivasarao P --- drivers/md/dm-bow.c | 85 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 74 insertions(+), 11 deletions(-) diff --git a/drivers/md/dm-bow.c b/drivers/md/dm-bow.c index 940c6944f0cf..47289850c445 100644 --- a/drivers/md/dm-bow.c +++ b/drivers/md/dm-bow.c @@ -622,6 +622,72 @@ static void dm_bow_dtr(struct dm_target *ti) kfree(bc); } +static void dm_bow_io_hints(struct dm_target *ti, struct queue_limits *limits) +{ + struct bow_context *bc = ti->private; + const unsigned int block_size = bc->block_size; + + limits->logical_block_size = + max_t(unsigned short, limits->logical_block_size, block_size); + limits->physical_block_size = + max_t(unsigned int, limits->physical_block_size, block_size); + limits->io_min = max_t(unsigned int, limits->io_min, block_size); + + if (limits->max_discard_sectors == 0) { + limits->discard_granularity = 1 << 12; + limits->max_hw_discard_sectors = 1 << 15; + limits->max_discard_sectors = 1 << 15; + bc->forward_trims = false; + } else { + limits->discard_granularity = 1 << 12; + bc->forward_trims = true; + } +} + +static int dm_bow_ctr_optional(struct dm_target *ti, unsigned int argc, + char **argv) +{ + struct bow_context *bc = ti->private; + struct dm_arg_set as; + static const struct dm_arg _args[] = { + {0, 1, "Invalid number of feature args"}, + }; + unsigned int opt_params; + const char *opt_string; + int err; + char dummy; + + as.argc = argc; + as.argv = argv; + + err = dm_read_arg_group(_args, &as, &opt_params, &ti->error); + if (err) + return err; + + while (opt_params--) { + opt_string = dm_shift_arg(&as); + if (!opt_string) { + ti->error = "Not enough feature arguments"; + return -EINVAL; + } + + if (sscanf(opt_string, "block_size:%u%c", + &bc->block_size, &dummy) == 1) { + if (bc->block_size < SECTOR_SIZE || + bc->block_size > 4096 || + !is_power_of_2(bc->block_size)) { + ti->error = "Invalid block_size"; + return -EINVAL; + } + } else { + ti->error = "Invalid feature arguments"; + return -EINVAL; + } + } + + return 0; +} + static int dm_bow_ctr(struct dm_target *ti, unsigned int argc, char **argv) { struct bow_context *bc; @@ -629,7 +695,7 @@ static int dm_bow_ctr(struct dm_target *ti, unsigned int argc, char **argv) int ret; struct mapped_device *md = dm_table_get_md(ti->table); - if (argc != 1) { + if (argc < 1) { ti->error = "Invalid argument count"; return -EINVAL; } @@ -652,17 +718,13 @@ static int dm_bow_ctr(struct dm_target *ti, unsigned int argc, char **argv) goto bad; } - if (bc->dev->bdev->bd_queue->limits.max_discard_sectors == 0) { - bc->dev->bdev->bd_queue->limits.discard_granularity = 1 << 12; - bc->dev->bdev->bd_queue->limits.max_hw_discard_sectors = 1 << 15; - bc->dev->bdev->bd_queue->limits.max_discard_sectors = 1 << 15; - bc->forward_trims = false; - } else { - bc->dev->bdev->bd_queue->limits.discard_granularity = 1 << 12; - bc->forward_trims = true; + bc->block_size = bc->dev->bdev->bd_queue->limits.logical_block_size; + if (argc > 1) { + ret = dm_bow_ctr_optional(ti, argc - 1, &argv[1]); + if (ret) + goto bad; } - bc->block_size = bc->dev->bdev->bd_queue->limits.logical_block_size; bc->block_shift = ilog2(bc->block_size); bc->log_sector = kzalloc(bc->block_size, GFP_KERNEL); if (!bc->log_sector) { @@ -1205,7 +1267,7 @@ static int dm_bow_iterate_devices(struct dm_target *ti, static struct target_type bow_target = { .name = "bow", - .version = {1, 1, 1}, + .version = {1, 2, 0}, .module = THIS_MODULE, .ctr = dm_bow_ctr, .dtr = dm_bow_dtr, @@ -1213,6 +1275,7 @@ static struct target_type bow_target = { .status = dm_bow_status, .prepare_ioctl = dm_bow_prepare_ioctl, .iterate_devices = dm_bow_iterate_devices, + .io_hints = dm_bow_io_hints, }; int __init dm_bow_init(void) From 9fc3d9533d1cb721e2eb5bba9e55e93b0aabbb79 Mon Sep 17 00:00:00 2001 From: E V Ravi Date: Thu, 6 Aug 2020 14:54:56 +0530 Subject: [PATCH 096/386] msm: ais: Do not attach iommu if its already attached cam_ife_hw_mgr_init tried to attach smmu handle already attached by ais_ife_dev_probe resulting in destroying of iommu_hndl. Change-Id: Ifa7194a7cc425476bcf9e0d7a871925a854c180f Signed-off-by: E V Ravi --- .../platform/msm/ais/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/media/platform/msm/ais/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c b/drivers/media/platform/msm/ais/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c index 7c349f66c3de..78e8332729ea 100644 --- a/drivers/media/platform/msm/ais/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c +++ b/drivers/media/platform/msm/ais/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c @@ -6337,9 +6337,10 @@ int cam_ife_hw_mgr_init(struct cam_hw_mgr_intf *hw_mgr_intf, int *iommu_hdl) return -EINVAL; } - if (cam_smmu_ops(g_ife_hw_mgr.mgr_common.img_iommu_hdl, - CAM_SMMU_ATTACH)) { - CAM_ERR(CAM_ISP, "Attach iommu handle failed."); + rc = cam_smmu_ops(g_ife_hw_mgr.mgr_common.img_iommu_hdl, + CAM_SMMU_ATTACH); + if (rc && rc != -EALREADY) { + CAM_ERR(CAM_ISP, "Attach iommu handle failed %d", rc); goto attach_fail; } From 200f6b758438879c31f20889ed79536bcc9612df Mon Sep 17 00:00:00 2001 From: Suraj Jaiswal Date: Tue, 19 May 2020 15:38:00 +0530 Subject: [PATCH 097/386] net: stmmac: FR60005 Loopback & phy off support Add support for all Ethernet level loopback like IO macro, MAc, PHY . Also, Provide debugfs node for phy off/on at suspend resume. Change-Id: I0c095791a29120929ff52ffd77a56b1151ab9c40 Signed-off-by: Suraj Jaiswal --- .../stmicro/stmmac/dwmac-qcom-ethqos.c | 624 +++++++++++++++++- .../stmicro/stmmac/dwmac-qcom-ethqos.h | 48 +- .../ethernet/stmicro/stmmac/dwmac-qcom-gpio.c | 57 ++ .../ethernet/stmicro/stmmac/dwmac-qcom-ipa.c | 4 + drivers/net/ethernet/stmicro/stmmac/stmmac.h | 9 +- .../ethernet/stmicro/stmmac/stmmac_ethtool.c | 4 + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 50 ++ 7 files changed, 786 insertions(+), 10 deletions(-) diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c index da5c40c74ed2..962bb9bd3121 100644 --- a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c @@ -23,15 +23,28 @@ #include #include #include - +#include +#include +#include +#include #include "stmmac.h" #include "stmmac_platform.h" #include "dwmac-qcom-ethqos.h" #include "stmmac_ptp.h" #include "dwmac-qcom-ipa-offload.h" +#define PHY_LOOPBACK_1000 0x4140 +#define PHY_LOOPBACK_100 0x6100 +#define PHY_LOOPBACK_10 0x4100 + static void __iomem *tlmm_central_base_addr; +static void ethqos_rgmii_io_macro_loopback(struct qcom_ethqos *ethqos, + int mode); +static int phy_digital_loopback_config( + struct qcom_ethqos *ethqos, int speed, int config); + bool phy_intr_en; +static char buf[2000]; static struct ethqos_emac_por emac_por[] = { { .offset = RGMII_IO_MACRO_CONFIG, .value = 0x0 }, @@ -77,7 +90,7 @@ static void qcom_ethqos_read_iomacro_por_values(struct qcom_ethqos *ethqos) ethqos->por[i].offset); } -static inline unsigned int dwmac_qcom_get_eth_type(unsigned char *buf) +unsigned int dwmac_qcom_get_eth_type(unsigned char *buf) { return ((((u16)buf[QTAG_ETH_TYPE_OFFSET] << 8) | @@ -926,6 +939,12 @@ static int ethqos_mdio_read(struct stmmac_priv *priv, int phyaddr, int phyreg) u32 v; int data; u32 value = MII_BUSY; + struct qcom_ethqos *ethqos = priv->plat->bsp_priv; + + if (ethqos->phy_state == PHY_IS_OFF) { + ETHQOSINFO("Phy is in off state reading is not possible\n"); + return -EOPNOTSUPP; + } value |= (phyaddr << priv->hw->mii.addr_shift) & priv->hw->mii.addr_mask; @@ -951,6 +970,44 @@ static int ethqos_mdio_read(struct stmmac_priv *priv, int phyaddr, int phyreg) return data; } +static int ethqos_mdio_write(struct stmmac_priv *priv, int phyaddr, int phyreg, + u16 phydata) +{ + unsigned int mii_address = priv->hw->mii.addr; + unsigned int mii_data = priv->hw->mii.data; + u32 v; + u32 value = MII_BUSY; + struct qcom_ethqos *ethqos = priv->plat->bsp_priv; + + if (ethqos->phy_state == PHY_IS_OFF) { + ETHQOSINFO("Phy is in off state writing is not possible\n"); + return -EOPNOTSUPP; + } + value |= (phyaddr << priv->hw->mii.addr_shift) + & priv->hw->mii.addr_mask; + value |= (phyreg << priv->hw->mii.reg_shift) & priv->hw->mii.reg_mask; + + value |= (priv->clk_csr << priv->hw->mii.clk_csr_shift) + & priv->hw->mii.clk_csr_mask; + if (priv->plat->has_gmac4) + value |= MII_GMAC4_WRITE; + else + value |= MII_WRITE; + + /* Wait until any existing MII operation is complete */ + if (readl_poll_timeout(priv->ioaddr + mii_address, v, !(v & MII_BUSY), + 100, 10000)) + return -EBUSY; + + /* Set the MII address register to write */ + writel_relaxed(phydata, priv->ioaddr + mii_data); + writel_relaxed(value, priv->ioaddr + mii_address); + + /* Wait until any existing MII operation is complete */ + return readl_poll_timeout(priv->ioaddr + mii_address, v, + !(v & MII_BUSY), 100, 10000); +} + static int ethqos_phy_intr_config(struct qcom_ethqos *ethqos) { int ret = 0; @@ -1102,6 +1159,10 @@ static ssize_t read_phy_reg_dump(struct file *file, char __user *user_buf, ETHQOSERR("NULL Pointer\n"); return -EINVAL; } + if (ethqos->phy_state == PHY_IS_OFF) { + ETHQOSINFO("Phy is in off state phy dump is not possible\n"); + return -EOPNOTSUPP; + } buf = kzalloc(buf_len, GFP_KERNEL); if (!buf) @@ -1198,6 +1259,458 @@ static ssize_t read_rgmii_reg_dump(struct file *file, return ret_cnt; } +static ssize_t read_phy_off(struct file *file, + char __user *user_buf, + size_t count, loff_t *ppos) +{ + unsigned int len = 0, buf_len = 2000; + struct qcom_ethqos *ethqos = file->private_data; + + if (ethqos->current_phy_mode == DISABLE_PHY_IMMEDIATELY) + len += scnprintf(buf + len, buf_len - len, + "Disable phy immediately enabled\n"); + else if (ethqos->current_phy_mode == ENABLE_PHY_IMMEDIATELY) + len += scnprintf(buf + len, buf_len - len, + "Enable phy immediately enabled\n"); + else if (ethqos->current_phy_mode == DISABLE_PHY_AT_SUSPEND_ONLY) { + len += scnprintf(buf + len, buf_len - len, + "Disable Phy at suspend\n"); + len += scnprintf(buf + len, buf_len - len, + " & do not enable at resume enabled\n"); + } else if (ethqos->current_phy_mode == + DISABLE_PHY_SUSPEND_ENABLE_RESUME) { + len += scnprintf(buf + len, buf_len - len, + "Disable Phy at suspend\n"); + len += scnprintf(buf + len, buf_len - len, + " & enable at resume enabled\n"); + } else if (ethqos->current_phy_mode == DISABLE_PHY_ON_OFF) + len += scnprintf(buf + len, buf_len - len, + "Disable phy on/off disabled\n"); + else + len += scnprintf(buf + len, buf_len - len, + "Invalid Phy State\n"); + + if (len > buf_len) + len = buf_len; + + return simple_read_from_buffer(user_buf, count, ppos, buf, len); +} + +static ssize_t phy_off_config( + struct file *file, const char __user *user_buffer, + size_t count, loff_t *position) +{ + char *in_buf; + int buf_len = 2000; + unsigned long ret; + int config = 0; + struct qcom_ethqos *ethqos = file->private_data; + + in_buf = kzalloc(buf_len, GFP_KERNEL); + if (!in_buf) + return -ENOMEM; + + ret = copy_from_user(in_buf, user_buffer, buf_len); + if (ret) { + ETHQOSERR("unable to copy from user\n"); + return -EFAULT; + } + + ret = sscanf(in_buf, "%d", &config); + if (ret != 1) { + ETHQOSERR("Error in reading option from user"); + return -EINVAL; + } + if (config > DISABLE_PHY_ON_OFF || config < DISABLE_PHY_IMMEDIATELY) { + ETHQOSERR("Invalid option =%d", config); + return -EINVAL; + } + if (config == ethqos->current_phy_mode) { + ETHQOSERR("No effect as duplicate config"); + return -EPERM; + } + if (config == DISABLE_PHY_IMMEDIATELY) { + ethqos->current_phy_mode = DISABLE_PHY_IMMEDIATELY; + //make phy off + if (ethqos->current_loopback == ENABLE_PHY_LOOPBACK) { + /* If Phy loopback is enabled + * Disabled It before phy off + */ + phy_digital_loopback_config(ethqos, + ethqos->loopback_speed, 0); + ETHQOSDBG("Disable phy Loopback"); + ethqos->current_loopback = ENABLE_PHY_LOOPBACK; + } + ethqos_phy_power_off(ethqos); + } else if (config == ENABLE_PHY_IMMEDIATELY) { + ethqos->current_phy_mode = ENABLE_PHY_IMMEDIATELY; + //make phy on + ethqos_phy_power_on(ethqos); + ethqos_reset_phy_enable_interrupt(ethqos); + if (ethqos->current_loopback == ENABLE_PHY_LOOPBACK) { + /*If Phy loopback is enabled , enabled It again*/ + phy_digital_loopback_config(ethqos, + ethqos->loopback_speed, 1); + ETHQOSDBG("Enabling Phy loopback again"); + } + } else if (config == DISABLE_PHY_AT_SUSPEND_ONLY) { + ethqos->current_phy_mode = DISABLE_PHY_AT_SUSPEND_ONLY; + } else if (config == DISABLE_PHY_SUSPEND_ENABLE_RESUME) { + ethqos->current_phy_mode = DISABLE_PHY_SUSPEND_ENABLE_RESUME; + } else if (config == DISABLE_PHY_ON_OFF) { + ethqos->current_phy_mode = DISABLE_PHY_ON_OFF; + } else { + ETHQOSERR("Invalid option\n"); + return -EINVAL; + } + kfree(in_buf); + return count; +} + +static void ethqos_rgmii_io_macro_loopback(struct qcom_ethqos *ethqos, int mode) +{ + /* Set loopback mode */ + if (mode == 1) { + rgmii_updatel(ethqos, RGMII_CONFIG2_TX_TO_RX_LOOPBACK_EN, + RGMII_CONFIG2_TX_TO_RX_LOOPBACK_EN, + RGMII_IO_MACRO_CONFIG2); + rgmii_updatel(ethqos, RGMII_CONFIG2_RX_PROG_SWAP, + 0, RGMII_IO_MACRO_CONFIG2); + } else { + rgmii_updatel(ethqos, RGMII_CONFIG2_TX_TO_RX_LOOPBACK_EN, + 0, RGMII_IO_MACRO_CONFIG2); + rgmii_updatel(ethqos, RGMII_CONFIG2_RX_PROG_SWAP, + RGMII_CONFIG2_RX_PROG_SWAP, + RGMII_IO_MACRO_CONFIG2); + } +} + +static void ethqos_mac_loopback(struct qcom_ethqos *ethqos, int mode) +{ + u32 read_value = (u32)readl_relaxed(ethqos->ioaddr + MAC_CONFIGURATION); + /* Set loopback mode */ + if (mode == 1) + read_value |= MAC_LM; + else + read_value &= ~MAC_LM; + writel_relaxed(read_value, ethqos->ioaddr + MAC_CONFIGURATION); +} + +static int phy_digital_loopback_config( + struct qcom_ethqos *ethqos, int speed, int config) +{ + struct platform_device *pdev = ethqos->pdev; + struct net_device *dev = platform_get_drvdata(pdev); + struct stmmac_priv *priv = netdev_priv(dev); + int phydata = 0; + + if (config == 1) { + ETHQOSINFO("Request for phy digital loopback enable\n"); + switch (speed) { + case SPEED_1000: + phydata = PHY_LOOPBACK_1000; + break; + case SPEED_100: + phydata = PHY_LOOPBACK_100; + break; + case SPEED_10: + phydata = PHY_LOOPBACK_10; + break; + default: + ETHQOSERR("Invalid link speed\n"); + break; + } + } else if (config == 0) { + ETHQOSINFO("Request for phy digital loopback disable\n"); + if (ethqos->bmcr_backup) + phydata = ethqos->bmcr_backup; + else + phydata = 0x1140; + } else { + ETHQOSERR("Invalid option\n"); + return -EINVAL; + } + if (phydata != 0) { + ethqos_mdio_write( + priv, priv->plat->phy_addr, MII_BMCR, phydata); + ETHQOSINFO("write done for phy loopback\n"); + } + return 0; +} + +static void print_loopback_detail(enum loopback_mode loopback) +{ + switch (loopback) { + case DISABLE_LOOPBACK: + ETHQOSINFO("Loopback is disabled\n"); + break; + case ENABLE_IO_MACRO_LOOPBACK: + ETHQOSINFO("Loopback is Enabled as IO MACRO LOOPBACK\n"); + break; + case ENABLE_MAC_LOOPBACK: + ETHQOSINFO("Loopback is Enabled as MAC LOOPBACK\n"); + break; + case ENABLE_PHY_LOOPBACK: + ETHQOSINFO("Loopback is Enabled as PHY LOOPBACK\n"); + break; + default: + ETHQOSINFO("Invalid Loopback=%d\n", loopback); + break; + } +} + +static void setup_config_registers(struct qcom_ethqos *ethqos, + int speed, int duplex, int mode) +{ + struct platform_device *pdev = ethqos->pdev; + struct net_device *dev = platform_get_drvdata(pdev); + struct stmmac_priv *priv = netdev_priv(dev); + u32 ctrl = 0; + + ETHQOSDBG("Speed=%d,dupex=%d,mode=%d\n", speed, duplex, mode); + + if (mode > DISABLE_LOOPBACK && !qcom_ethqos_is_phy_link_up(ethqos)) { + /*If Link is Down & need to enable Loopback*/ + ETHQOSDBG("Enable Lower Up Flag & disable phy dev\n"); + ETHQOSDBG("IRQ so that Rx/Tx can happen beforeee Link down\n"); + netif_carrier_on(dev); + /*Disable phy interrupt by Link/Down by cable plug in/out*/ + disable_irq(ethqos->phy_intr); + } else if (mode > DISABLE_LOOPBACK && + qcom_ethqos_is_phy_link_up(ethqos)) { + ETHQOSDBG("Only disable phy irqqq Lin is UP\n"); + /*Since link is up no need to set Lower UP flag*/ + /*Disable phy interrupt by Link/Down by cable plug in/out*/ + disable_irq(ethqos->phy_intr); + } else if (mode == DISABLE_LOOPBACK && + !qcom_ethqos_is_phy_link_up(ethqos)) { + ETHQOSDBG("Disable Lower Up as Link is down\n"); + netif_carrier_off(dev); + enable_irq(ethqos->phy_intr); + } + ETHQOSDBG("Old ctrl=%d dupex full\n", ctrl); + ctrl = readl_relaxed(priv->ioaddr + MAC_CTRL_REG); + ETHQOSDBG("Old ctrl=0x%x with mask with flow control\n", ctrl); + + ctrl |= priv->hw->link.duplex; + priv->dev->phydev->duplex = duplex; + ctrl &= ~priv->hw->link.speed_mask; + switch (speed) { + case SPEED_1000: + ctrl |= priv->hw->link.speed1000; + break; + case SPEED_100: + ctrl |= priv->hw->link.speed100; + break; + case SPEED_10: + ctrl |= priv->hw->link.speed10; + break; + default: + speed = SPEED_UNKNOWN; + ETHQOSDBG("unkwon speed\n"); + break; + } + writel_relaxed(ctrl, priv->ioaddr + MAC_CTRL_REG); + ETHQOSDBG("New ctrl=%x priv hw speeed =%d\n", ctrl, + priv->hw->link.speed1000); + priv->dev->phydev->speed = speed; + priv->speed = speed; + + if (mode > DISABLE_LOOPBACK && !qcom_ethqos_is_phy_link_up(ethqos)) { + /*If Link is Down & need to enable Loopback*/ + ETHQOSDBG("Link is down . manual ipa setting up\n"); + if (priv->tx_queue[IPA_DMA_TX_CH].skip_sw) + ethqos_ipa_offload_event_handler(priv, + EV_PHY_LINK_UP); + } else if (mode == DISABLE_LOOPBACK && + !qcom_ethqos_is_phy_link_up(ethqos)) { + ETHQOSDBG("Disable request since link was down disable ipa\n"); + if (priv->tx_queue[IPA_DMA_TX_CH].skip_sw) + ethqos_ipa_offload_event_handler(priv, + EV_PHY_LINK_DOWN); + } + + if (priv->dev->phydev->speed != SPEED_UNKNOWN) + ethqos_fix_mac_speed(ethqos, speed); + + if (mode > DISABLE_LOOPBACK) { + if (mode == ENABLE_MAC_LOOPBACK || + mode == ENABLE_IO_MACRO_LOOPBACK) + rgmii_updatel(ethqos, RGMII_CONFIG_LOOPBACK_EN, + RGMII_CONFIG_LOOPBACK_EN, + RGMII_IO_MACRO_CONFIG); + } else if (mode == DISABLE_LOOPBACK) { + if (ethqos->emac_ver == EMAC_HW_v2_3_2 || + ethqos->emac_ver == EMAC_HW_v2_1_2) + rgmii_updatel(ethqos, RGMII_CONFIG_LOOPBACK_EN, + 0, RGMII_IO_MACRO_CONFIG); + } + ETHQOSERR("End\n"); +} + +static ssize_t loopback_handling_config( + struct file *file, const char __user *user_buffer, + size_t count, loff_t *position) +{ + char *in_buf; + int buf_len = 2000; + unsigned long ret; + int config = 0; + struct qcom_ethqos *ethqos = file->private_data; + struct platform_device *pdev = ethqos->pdev; + struct net_device *dev = platform_get_drvdata(pdev); + struct stmmac_priv *priv = netdev_priv(dev); + int speed = 0; + + in_buf = kzalloc(buf_len, GFP_KERNEL); + if (!in_buf) + return -ENOMEM; + + ret = copy_from_user(in_buf, user_buffer, buf_len); + if (ret) { + ETHQOSERR("unable to copy from user\n"); + return -EFAULT; + } + + ret = sscanf(in_buf, "%d %d", &config, &speed); + if (config > DISABLE_LOOPBACK && ret != 2) { + ETHQOSERR("Speed is also needed while enabling loopback\n"); + return -EINVAL; + } + if (config < DISABLE_LOOPBACK || config > ENABLE_PHY_LOOPBACK) { + ETHQOSERR("Invalid config =%d\n", config); + return -EINVAL; + } + if ((config == ENABLE_PHY_LOOPBACK || ethqos->current_loopback == + ENABLE_PHY_LOOPBACK) && + ethqos->current_phy_mode == DISABLE_PHY_IMMEDIATELY) { + ETHQOSERR("Can't enabled/disable "); + ETHQOSERR("phy loopback when phy is off\n"); + return -EPERM; + } + + /*Argument validation*/ + if (config == DISABLE_LOOPBACK || config == ENABLE_IO_MACRO_LOOPBACK || + config == ENABLE_MAC_LOOPBACK || config == ENABLE_PHY_LOOPBACK) { + if (speed != SPEED_1000 && speed != SPEED_100 && + speed != SPEED_10) + return -EINVAL; + } else { + return -EINVAL; + } + + if (config == ethqos->current_loopback) { + switch (config) { + case DISABLE_LOOPBACK: + ETHQOSINFO("Loopback is already disabled\n"); + break; + case ENABLE_IO_MACRO_LOOPBACK: + ETHQOSINFO("Loopback is already Enabled as "); + ETHQOSINFO("IO MACRO LOOPBACK\n"); + break; + case ENABLE_MAC_LOOPBACK: + ETHQOSINFO("Loopback is already Enabled as "); + ETHQOSINFO("MAC LOOPBACK\n"); + break; + case ENABLE_PHY_LOOPBACK: + ETHQOSINFO("Loopback is already Enabled as "); + ETHQOSINFO("PHY LOOPBACK\n"); + break; + } + return -EINVAL; + } + /*If request to enable loopback & some other loopback already enabled*/ + if (config != DISABLE_LOOPBACK && + ethqos->current_loopback > DISABLE_LOOPBACK) { + ETHQOSINFO("Loopback is already enabled\n"); + print_loopback_detail(ethqos->current_loopback); + return -EINVAL; + } + ETHQOSINFO("enable loopback = %d with link speed = %d backup now\n", + config, speed); + + /*Backup speed & duplex before Enabling Loopback */ + if (ethqos->current_loopback == DISABLE_LOOPBACK && + config > DISABLE_LOOPBACK) { + /*Backup old speed & duplex*/ + ethqos->backup_speed = priv->speed; + ethqos->backup_duplex = priv->dev->phydev->duplex; + } + /*Backup BMCR before Enabling Phy LoopbackLoopback */ + if (ethqos->current_loopback == DISABLE_LOOPBACK && + config == ENABLE_PHY_LOOPBACK) + ethqos->bmcr_backup = ethqos_mdio_read(priv, + priv->plat->phy_addr, + MII_BMCR); + + if (config == DISABLE_LOOPBACK) + setup_config_registers(ethqos, ethqos->backup_speed, + ethqos->backup_duplex, 0); + else + setup_config_registers(ethqos, speed, DUPLEX_FULL, config); + + switch (config) { + case DISABLE_LOOPBACK: + ETHQOSINFO("Request to Disable Loopback\n"); + if (ethqos->current_loopback == ENABLE_IO_MACRO_LOOPBACK) + ethqos_rgmii_io_macro_loopback(ethqos, 0); + else if (ethqos->current_loopback == ENABLE_MAC_LOOPBACK) + ethqos_mac_loopback(ethqos, 0); + else if (ethqos->current_loopback == ENABLE_PHY_LOOPBACK) + phy_digital_loopback_config(ethqos, + ethqos->backup_speed, 0); + break; + case ENABLE_IO_MACRO_LOOPBACK: + ETHQOSINFO("Request to Enable IO MACRO LOOPBACK\n"); + ethqos_rgmii_io_macro_loopback(ethqos, 1); + break; + case ENABLE_MAC_LOOPBACK: + ETHQOSINFO("Request to Enable MAC LOOPBACK\n"); + ethqos_mac_loopback(ethqos, 1); + break; + case ENABLE_PHY_LOOPBACK: + ETHQOSINFO("Request to Enable PHY LOOPBACK\n"); + ethqos->loopback_speed = speed; + phy_digital_loopback_config(ethqos, speed, 1); + break; + default: + ETHQOSINFO("Invalid Loopback=%d\n", config); + break; + } + + ethqos->current_loopback = config; + kfree(in_buf); + return count; +} + +static ssize_t read_loopback_config(struct file *file, + char __user *user_buf, + size_t count, loff_t *ppos) +{ + unsigned int len = 0, buf_len = 2000; + struct qcom_ethqos *ethqos = file->private_data; + + if (ethqos->current_loopback == DISABLE_LOOPBACK) + len += scnprintf(buf + len, buf_len - len, + "Loopback is Disabled\n"); + else if (ethqos->current_loopback == ENABLE_IO_MACRO_LOOPBACK) + len += scnprintf(buf + len, buf_len - len, + "Current Loopback is IO MACRO LOOPBACK\n"); + else if (ethqos->current_loopback == ENABLE_MAC_LOOPBACK) + len += scnprintf(buf + len, buf_len - len, + "Current Loopback is MAC LOOPBACK\n"); + else if (ethqos->current_loopback == ENABLE_PHY_LOOPBACK) + len += scnprintf(buf + len, buf_len - len, + "Current Loopback is PHY LOOPBACK\n"); + else + len += scnprintf(buf + len, buf_len - len, + "Invalid LOOPBACK Config\n"); + if (len > buf_len) + len = buf_len; + + return simple_read_from_buffer(user_buf, count, ppos, buf, len); +} + static const struct file_operations fops_phy_reg_dump = { .read = read_phy_reg_dump, .open = simple_open, @@ -1249,6 +1762,22 @@ static ssize_t write_ipc_stmmac_log_ctxt_low(struct file *file, return count; } +static const struct file_operations fops_phy_off = { + .read = read_phy_off, + .write = phy_off_config, + .open = simple_open, + .owner = THIS_MODULE, + .llseek = default_llseek, +}; + +static const struct file_operations fops_loopback_config = { + .read = read_loopback_config, + .write = loopback_handling_config, + .open = simple_open, + .owner = THIS_MODULE, + .llseek = default_llseek, +}; + static const struct file_operations fops_ipc_stmmac_log_low = { .write = write_ipc_stmmac_log_ctxt_low, .open = simple_open, @@ -1261,6 +1790,8 @@ static int ethqos_create_debugfs(struct qcom_ethqos *ethqos) static struct dentry *phy_reg_dump; static struct dentry *rgmii_reg_dump; static struct dentry *ipc_stmmac_log_low; + static struct dentry *phy_off; + static struct dentry *loopback_enable_mode; if (!ethqos) { ETHQOSERR("Null Param %s\n", __func__); @@ -1294,11 +1825,26 @@ static int ethqos_create_debugfs(struct qcom_ethqos *ethqos) ethqos->debugfs_dir, ethqos, &fops_ipc_stmmac_log_low); if (!ipc_stmmac_log_low || IS_ERR(ipc_stmmac_log_low)) { - ETHQOSERR("Cannot create debugfs ipc_stmmac_log_low %d\n", - (int)ipc_stmmac_log_low); + ETHQOSERR("Cannot create debugfs ipc_stmmac_log_low %x\n", + ipc_stmmac_log_low); + goto fail; + } + phy_off = debugfs_create_file("phy_off", 0400, + ethqos->debugfs_dir, ethqos, + &fops_phy_off); + if (!phy_off || IS_ERR(phy_off)) { + ETHQOSERR("Can't create phy_off %x\n", phy_off); goto fail; } + loopback_enable_mode = debugfs_create_file("loopback_enable_mode", 0400, + ethqos->debugfs_dir, ethqos, + &fops_loopback_config); + if (!loopback_enable_mode || IS_ERR(loopback_enable_mode)) { + ETHQOSERR("Can't create loopback_enable_mode %d\n", + (int)loopback_enable_mode); + goto fail; + } return 0; fail: @@ -1909,6 +2455,21 @@ static int qcom_ethqos_probe(struct platform_device *pdev) } ETHQOSDBG(": emac_core_version = %d\n", ethqos->emac_ver); + if (of_property_read_bool(pdev->dev.of_node, + "emac-phy-off-suspend")) { + /* Read emac core version value from dtsi */ + ret = of_property_read_u32(pdev->dev.of_node, + "emac-phy-off-suspend", + ðqos->current_phy_mode); + if (ret) { + ETHQOSDBG(":resource emac-phy-off-suspend! "); + ETHQOSDBG("not in dtsi\n"); + ethqos->current_phy_mode = 0; + } + } + ETHQOSINFO("emac-phy-off-suspend = %d\n", + ethqos->current_phy_mode); + ethqos->ioaddr = (&stmmac_res)->addr; ethqos_update_rgmii_tx_drv_strength(ethqos); @@ -2010,6 +2571,8 @@ static int qcom_ethqos_suspend(struct device *dev) struct net_device *ndev = NULL; int ret; int allow_suspend = 0; + struct stmmac_priv *priv; + struct plat_stmmacenet_data *plat; ETHQOSDBG("Suspend Enter\n"); if (of_device_is_compatible(dev->of_node, "qcom,emac-smmu-embedded")) { @@ -2022,6 +2585,8 @@ static int qcom_ethqos_suspend(struct device *dev) return -ENODEV; ndev = dev_get_drvdata(dev); + priv = netdev_priv(ndev); + plat = priv->plat; ethqos_ipa_offload_event_handler(&allow_suspend, EV_DPM_SUSPEND); if (!allow_suspend) { @@ -2031,9 +2596,25 @@ static int qcom_ethqos_suspend(struct device *dev) } if (!ndev || !netif_running(ndev)) return -EINVAL; - + if (ethqos->current_phy_mode == DISABLE_PHY_AT_SUSPEND_ONLY || + ethqos->current_phy_mode == DISABLE_PHY_SUSPEND_ENABLE_RESUME) { + /*Backup phy related data*/ + if (priv->phydev->autoneg == AUTONEG_DISABLE) { + ethqos->backup_autoneg = priv->phydev->autoneg; + ethqos->backup_bmcr = ethqos_mdio_read(priv, + plat->phy_addr, + MII_BMCR); + } else { + ethqos->backup_autoneg = AUTONEG_ENABLE; + } + } ret = stmmac_suspend(dev); qcom_ethqos_phy_suspend_clks(ethqos); + if (ethqos->current_phy_mode == DISABLE_PHY_AT_SUSPEND_ONLY || + ethqos->current_phy_mode == DISABLE_PHY_SUSPEND_ENABLE_RESUME) { + ETHQOSINFO("disable phy at suspend\n"); + ethqos_phy_power_off(ethqos); + } ETHQOSDBG(" ret = %d\n", ret); return ret; @@ -2044,6 +2625,7 @@ static int qcom_ethqos_resume(struct device *dev) struct net_device *ndev = NULL; struct qcom_ethqos *ethqos; int ret; + struct stmmac_priv *priv; ETHQOSDBG("Resume Enter\n"); if (of_device_is_compatible(dev->of_node, "qcom,emac-smmu-embedded")) @@ -2055,6 +2637,7 @@ static int qcom_ethqos_resume(struct device *dev) return -ENODEV; ndev = dev_get_drvdata(dev); + priv = netdev_priv(ndev); if (!ndev || !netif_running(ndev)) { ETHQOSERR(" Resume not possible\n"); @@ -2067,10 +2650,39 @@ static int qcom_ethqos_resume(struct device *dev) return 0; } + if (ethqos->current_phy_mode == DISABLE_PHY_SUSPEND_ENABLE_RESUME) { + ETHQOSINFO("enable phy at resume\n"); + ethqos_phy_power_on(ethqos); + } qcom_ethqos_phy_resume_clks(ethqos); - ret = stmmac_resume(dev); + if (ethqos->current_phy_mode == DISABLE_PHY_SUSPEND_ENABLE_RESUME) { + ETHQOSINFO("reset phy after clock\n"); + ethqos_reset_phy_enable_interrupt(ethqos); + if (ethqos->backup_autoneg == AUTONEG_DISABLE) { + priv->phydev->autoneg = ethqos->backup_autoneg; + ethqos_mdio_write( + priv, priv->plat->phy_addr, + MII_BMCR, ethqos->backup_bmcr); + } + } + if (ethqos->current_phy_mode == DISABLE_PHY_AT_SUSPEND_ONLY) { + /* Temp Enable LOOPBACK_EN. + * TX clock needed for reset As Phy is off + */ + rgmii_updatel(ethqos, RGMII_CONFIG_LOOPBACK_EN, + RGMII_CONFIG_LOOPBACK_EN, + RGMII_IO_MACRO_CONFIG); + ETHQOSINFO("Loopback EN Enabled\n"); + } + ret = stmmac_resume(dev); + if (ethqos->current_phy_mode == DISABLE_PHY_AT_SUSPEND_ONLY) { + //Disable LOOPBACK_EN + rgmii_updatel(ethqos, RGMII_CONFIG_LOOPBACK_EN, + 0, RGMII_IO_MACRO_CONFIG); + ETHQOSINFO("Loopback EN Disabled\n"); + } ethqos_ipa_offload_event_handler(NULL, EV_DPM_RESUME); ETHQOSDBG("<--Resume Exit\n"); diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.h b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.h index 0df87f533ab8..9a45efcbed63 100644 --- a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.h +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.h @@ -236,6 +236,10 @@ do {\ #define VOTE_IDX_100MBPS 2 #define VOTE_IDX_1000MBPS 3 +//Mac config +#define MAC_CONFIGURATION 0x0 +#define MAC_LM BIT(12) + #define TLMM_BASE_ADDRESS (tlmm_central_base_addr) #define TLMM_RGMII_HDRV_PULL_CTL1_ADDRESS_OFFSET\ @@ -330,9 +334,29 @@ static inline u32 PPSX_MASK(u32 x) } enum IO_MACRO_PHY_MODE { - RGMII_MODE, - RMII_MODE, - MII_MODE + RGMII_MODE, + RMII_MODE, + MII_MODE +}; + +enum loopback_mode { + DISABLE_LOOPBACK = 0, + ENABLE_IO_MACRO_LOOPBACK, + ENABLE_MAC_LOOPBACK, + ENABLE_PHY_LOOPBACK +}; + +enum phy_power_mode { + DISABLE_PHY_IMMEDIATELY = 1, + ENABLE_PHY_IMMEDIATELY, + DISABLE_PHY_AT_SUSPEND_ONLY, + DISABLE_PHY_SUSPEND_ENABLE_RESUME, + DISABLE_PHY_ON_OFF, +}; + +enum current_phy_state { + PHY_IS_ON = 0, + PHY_IS_OFF, }; #define RGMII_IO_BASE_ADDRESS ethqos->rgmii_base @@ -459,6 +483,19 @@ struct qcom_ethqos { bool ipa_enabled; /* Key Performance Indicators */ bool print_kpi; + unsigned int emac_phy_off_suspend; + int loopback_speed; + enum loopback_mode current_loopback; + enum phy_power_mode current_phy_mode; + enum current_phy_state phy_state; + /*Backup variable for phy loopback*/ + int backup_duplex; + int backup_speed; + u32 bmcr_backup; + /*Backup variable for suspend resume*/ + int backup_suspend_speed; + u32 backup_bmcr; + unsigned backup_autoneg:1; }; struct pps_cfg { @@ -514,6 +551,9 @@ bool qcom_ethqos_is_phy_link_up(struct qcom_ethqos *ethqos); void *qcom_ethqos_get_priv(struct qcom_ethqos *ethqos); int ppsout_config(struct stmmac_priv *priv, struct pps_cfg *eth_pps_cfg); +int ethqos_phy_power_on(struct qcom_ethqos *ethqos); +void ethqos_phy_power_off(struct qcom_ethqos *ethqos); +void ethqos_reset_phy_enable_interrupt(struct qcom_ethqos *ethqos); u16 dwmac_qcom_select_queue( struct net_device *dev, @@ -575,4 +615,6 @@ int dwmac_qcom_program_avb_algorithm( struct stmmac_priv *priv, struct ifr_data_struct *req); unsigned int dwmac_qcom_get_plat_tx_coal_frames( struct sk_buff *skb); + +unsigned int dwmac_qcom_get_eth_type(unsigned char *buf); #endif diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-gpio.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-gpio.c index 76aafe700851..5ad0eddf9179 100644 --- a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-gpio.c +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-gpio.c @@ -183,6 +183,63 @@ void ethqos_disable_regulators(struct qcom_ethqos *ethqos) } } +void ethqos_reset_phy_enable_interrupt(struct qcom_ethqos *ethqos) +{ + struct stmmac_priv *priv = qcom_ethqos_get_priv(ethqos); + struct phy_device *phydev = priv->dev->phydev; + + /* reset the phy so that it's ready */ + if (priv->mii) { + ETHQOSERR("do mdio reset\n"); + stmmac_mdio_reset(priv->mii); + } + /*Enable phy interrupt*/ + if (phy_intr_en && phydev) { + ETHQOSDBG("PHY interrupt Mode enabled\n"); + phydev->irq = PHY_IGNORE_INTERRUPT; + phydev->interrupts = PHY_INTERRUPT_ENABLED; + + if (phydev->drv->config_intr && + !phydev->drv->config_intr(phydev)) { + ETHQOSERR("config_phy_intr successful after phy on\n"); + } + qcom_ethqos_request_phy_wol(priv->plat); + } else if (!phy_intr_en) { + phydev->irq = PHY_POLL; + ETHQOSDBG("PHY Polling Mode enabled\n"); + } else { + ETHQOSERR("phydev is null , intr value=%d\n", phy_intr_en); + } +} + +int ethqos_phy_power_on(struct qcom_ethqos *ethqos) +{ + int ret = 0; + + if (ethqos->reg_emac_phy) { + ret = regulator_enable(ethqos->reg_emac_phy); + if (ret) { + ETHQOSERR("Can not enable <%s>\n", + EMAC_VREG_EMAC_PHY_NAME); + return ret; + } + ethqos->phy_state = PHY_IS_ON; + } else { + ETHQOSERR("reg_emac_phy is NULL\n"); + } + return ret; +} + +void ethqos_phy_power_off(struct qcom_ethqos *ethqos) +{ + if (ethqos->reg_emac_phy) { + regulator_disable(ethqos->reg_emac_phy); + ethqos->phy_state = PHY_IS_OFF; + } else { + ETHQOSERR("reg_emac_phy is NULL\n"); + } +} + void ethqos_free_gpios(struct qcom_ethqos *ethqos) { if (gpio_is_valid(ethqos->gpio_phy_intr_redirect)) diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ipa.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ipa.c index fc6a346a4b7f..48285bb179a8 100644 --- a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ipa.c +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ipa.c @@ -1046,6 +1046,7 @@ static void ntn_ipa_notify_cb(void *priv, enum ipa_dp_evt_type evt, int stat = NET_RX_SUCCESS; struct platform_device *pdev; struct net_device *dev; + struct stmmac_priv *pdata; if (!ethqos || !skb) { ETHQOSERR("Null Param pdata %p skb %pK\n", ethqos, skb); @@ -1065,6 +1066,7 @@ static void ntn_ipa_notify_cb(void *priv, enum ipa_dp_evt_type evt, pdev = ethqos->pdev; dev = platform_get_drvdata(pdev); + pdata = netdev_priv(dev); if (evt == IPA_RECEIVE) { /*Exception packets to network stack*/ @@ -1075,6 +1077,8 @@ static void ntn_ipa_notify_cb(void *priv, enum ipa_dp_evt_type evt, skb->protocol = htons(ETH_P_IP); iph = (struct iphdr *)skb->data; } else { + if (ethqos->current_loopback > DISABLE_LOOPBACK) + swap_ip_port(skb, ETH_P_IP); skb->protocol = eth_type_trans(skb, skb->dev); iph = (struct iphdr *)(skb_mac_header(skb) + ETH_HLEN); } diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac.h b/drivers/net/ethernet/stmicro/stmmac/stmmac.h index 1d6802ea1b50..00d1e634a59e 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h @@ -33,6 +33,10 @@ #include #endif #include "dwmac-qcom-ipa-offload.h" +#include +#include +#include +#include struct stmmac_resources { void __iomem *addr; @@ -149,6 +153,7 @@ struct stmmac_priv { void __iomem *ptpaddr; u32 mss; bool boot_kpi; + int current_loopback; #ifdef CONFIG_DEBUG_FS struct dentry *dbgfs_dir; struct dentry *dbgfs_rings_status; @@ -195,5 +200,7 @@ int stmmac_dvr_probe(struct device *device, void stmmac_disable_eee_mode(struct stmmac_priv *priv); bool stmmac_eee_init(struct stmmac_priv *priv); bool qcom_ethqos_ipa_enabled(void); - +u16 icmp_fast_csum(u16 old_csum); +void swap_ip_port(struct sk_buff *skb, unsigned int eth_type); +unsigned int dwmac_qcom_get_eth_type(unsigned char *buf); #endif /* __STMMAC_H__ */ diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c index 8875bfcdde16..be8704ffde49 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c @@ -647,6 +647,10 @@ static int stmmac_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol) u32 emac_wol_support = 0; int ret; + if (ethqos->phy_state == PHY_IS_OFF) { + ETHQOSINFO("Phy is in off state Wol set not possible\n"); + return -EOPNOTSUPP; + } /* By default almost all GMAC devices support the WoL via * magic frame but we can disable it if the HW capability * register shows no support for pmt_magic_frame. */ diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c index 8a1a05b60e97..63d4decfa029 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c @@ -3512,6 +3512,47 @@ static inline void stmmac_rx_refill(struct stmmac_priv *priv, u32 queue) rx_q->dirty_rx = entry; } +static u16 csum(u16 old_csum) +{ + u16 new_checksum = 0; + + new_checksum = ~(~old_csum + (-8) + 0); + return new_checksum; +} + +void swap_ip_port(struct sk_buff *skb, unsigned int eth_type) +{ + __be32 temp_addr; + unsigned char *buf = skb->data; + struct icmphdr *icmp_hdr; + unsigned char eth_temp[ETH_ALEN] = {}; + struct ethhdr *eth = (struct ethhdr *)(buf); + struct iphdr *ip_header; + + if (eth_type == ETH_P_IP) { + ip_header = (struct iphdr *)(buf + sizeof(struct ethhdr)); + if (ip_header->protocol == IPPROTO_UDP || + ip_header->protocol == IPPROTO_ICMP) { + //swap mac address + memcpy(eth_temp, eth->h_dest, ETH_ALEN); + memcpy(eth->h_dest, eth->h_source, ETH_ALEN); + memcpy(eth->h_source, eth_temp, ETH_ALEN); + //swap ip address + temp_addr = ip_header->daddr; + ip_header->daddr = ip_header->saddr; + ip_header->saddr = temp_addr; + + icmp_hdr = (struct icmphdr *)(buf + + sizeof(struct ethhdr) + + sizeof(struct iphdr)); + if (icmp_hdr->type == ICMP_ECHO) { + icmp_hdr->type = ICMP_ECHOREPLY; + icmp_hdr->checksum = csum(icmp_hdr->checksum); + } + } + } +} + /** * stmmac_rx - manage the receive process * @priv: driver private structure @@ -3526,6 +3567,9 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) int coe = priv->hw->rx_csum; unsigned int next_entry = rx_q->cur_rx; unsigned int count = 0; +#ifndef CONFIG_ETH_IPA_OFFLOAD + unsigned int eth_type; +#endif if (netif_msg_rx_status(priv)) { void *rx_head; @@ -3700,7 +3744,13 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) stmmac_get_rx_hwtstamp(priv, p, np, skb); stmmac_rx_vlan(priv->dev, skb); +#ifndef CONFIG_ETH_IPA_OFFLOAD + eth_type = dwmac_qcom_get_eth_type(skb->data); + if (priv->current_loopback > 0 && + eth_type == ETH_P_IP) + swap_ip_port(skb, eth_type); +#endif skb->protocol = eth_type_trans(skb, priv->dev); if (unlikely(!coe)) From c4be3aa0917a19c803de7098ab1a0739cf9b09da Mon Sep 17 00:00:00 2001 From: Anirudh Ghayal Date: Thu, 7 May 2020 15:10:20 +0530 Subject: [PATCH 098/386] input: qti-haptics: Add support for cmd based haptics-twm Configure haptics for TWM entry in CMD mode. Change-Id: Id5a9f597fd76a53050f9f7d35173a2a78fcf2ef0 Signed-off-by: Anirudh Ghayal --- drivers/input/misc/qti-haptics.c | 44 +++++++++++++++++++++----------- 1 file changed, 29 insertions(+), 15 deletions(-) diff --git a/drivers/input/misc/qti-haptics.c b/drivers/input/misc/qti-haptics.c index dd0f680ddb3e..fe2ed14461cb 100644 --- a/drivers/input/misc/qti-haptics.c +++ b/drivers/input/misc/qti-haptics.c @@ -250,6 +250,13 @@ static struct hap_addr_val twm_ext_cfg[] = { {REG_HAP_EN_CTL1, 0x80}, /* Enable haptics driver */ }; +static struct hap_addr_val twm_cfg[] = { + {REG_HAP_PLAY, 0x00}, /* Stop playing haptics waveform */ + {REG_HAP_SEL, 0x00}, /* Configure for cmd mode */ + {REG_HAP_EN_CTL1, 0x00}, /* Enable haptics driver */ + {REG_HAP_PERPH_RESET_CTL3, 0x0D}, /* Disable SHUTDOWN1_RB reset */ +}; + static int wf_repeat[8] = {1, 2, 4, 8, 16, 32, 64, 128}; static int wf_s_repeat[4] = {1, 2, 4, 8}; @@ -1060,20 +1067,30 @@ static void qti_haptics_set_gain(struct input_dev *dev, u16 gain) qti_haptics_config_vmax(chip, play->vmax_mv); } -static int qti_haptics_twm_config(struct qti_hap_chip *chip) +static int qti_haptics_twm_config(struct qti_hap_chip *chip, bool ext_pin) { - int rc, i; + int rc = 0, i; - for (i = 0; i < ARRAY_SIZE(twm_ext_cfg); i++) { - rc = qti_haptics_write(chip, twm_ext_cfg[i].addr, - &twm_ext_cfg[i].value, 1); - if (rc < 0) { - dev_err(chip->dev, "Haptics TWM config failed, rc=%d\n", - rc); - return rc; + if (ext_pin) { + for (i = 0; i < ARRAY_SIZE(twm_ext_cfg); i++) { + rc = qti_haptics_write(chip, twm_ext_cfg[i].addr, + &twm_ext_cfg[i].value, 1); + if (rc < 0) + break; + } + } else { + for (i = 0; i < ARRAY_SIZE(twm_cfg); i++) { + rc = qti_haptics_write(chip, twm_cfg[i].addr, + &twm_cfg[i].value, 1); + if (rc < 0) + break; } } - pr_debug("Enabled haptics for TWM mode\n"); + + if (rc < 0) + pr_err("Failed to write twm_config rc=%d\n", rc); + else + pr_debug("Enabled haptics for TWM mode\n"); return 0; } @@ -2032,7 +2049,6 @@ static void qti_haptics_shutdown(struct platform_device *pdev) { struct qti_hap_chip *chip = dev_get_drvdata(&pdev->dev); int rc; - bool enable_haptics_twm; dev_dbg(chip->dev, "Shutdown!\n"); @@ -2048,10 +2064,8 @@ static void qti_haptics_shutdown(struct platform_device *pdev) chip->vdd_enabled = false; } - enable_haptics_twm = chip->haptics_ext_pin_twm && twm_sys_enable; - - if (chip->twm_state == PMIC_TWM_ENABLE && enable_haptics_twm) { - rc = qti_haptics_twm_config(chip); + if (chip->twm_state == PMIC_TWM_ENABLE && twm_sys_enable) { + rc = qti_haptics_twm_config(chip, chip->haptics_ext_pin_twm); if (rc < 0) pr_err("Haptics TWM config failed rc=%d\n", rc); } From 7b9f5aa126b8b1d2a668bb5710374e7fc56317a5 Mon Sep 17 00:00:00 2001 From: Rohith Kollalsi Date: Thu, 6 Aug 2020 20:17:46 +0530 Subject: [PATCH 099/386] usb: dwc3: Initialize val,val1 with 0 as they can be used uninitialized If in the function dwc3_msm_power_collapse_por, dwc3 is not on DWC_usb31 core and dwc3_msm doesn't have dual port then val1 can be used uninitialized. To prevent such scenario initialize val1 and val with zero. Change-Id: I359c596d3dace6c00475eb22fb64a37631f240b1 Signed-off-by: Rohith Kollalsi --- drivers/usb/dwc3/dwc3-msm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/dwc3/dwc3-msm.c b/drivers/usb/dwc3/dwc3-msm.c index fb37e21e8799..41afdf4860fe 100644 --- a/drivers/usb/dwc3/dwc3-msm.c +++ b/drivers/usb/dwc3/dwc3-msm.c @@ -2256,7 +2256,7 @@ static void dwc3_msm_block_reset(struct dwc3_msm *mdwc, bool core_reset) static void dwc3_msm_power_collapse_por(struct dwc3_msm *mdwc) { struct dwc3 *dwc = platform_get_drvdata(mdwc->dwc3); - u32 val, val1; + u32 val = 0, val1 = 0; int ret; /* Configure AHB2PHY for one wait state read/write */ From d06cd28525c6e23bfc6176d7a266374de2167774 Mon Sep 17 00:00:00 2001 From: Terence Ho Date: Thu, 6 Aug 2020 11:56:43 -0400 Subject: [PATCH 100/386] msm: ais: add support for nested smmu Add support for nested camera smmu for content protected streams. Acked-by: Abderahmane Allalou . Change-Id: I84535d826e6b4657277fb6b48326d7d28a3ab93b Signed-off-by: Terence Ho --- .../platform/msm/ais/ais_isp/ais_ife_dev.c | 22 ++++++++++++++---- .../platform/msm/ais/ais_isp/ais_ife_dev.h | 1 - .../msm/ais/ais_isp/vfe_hw/ais_vfe_core.c | 10 ++++++-- .../msm/ais/ais_isp/vfe_hw/ais_vfe_core.h | 1 + .../msm/ais/cam_req_mgr/cam_mem_mgr.c | 16 +++++++++---- .../platform/msm/ais/cam_smmu/cam_smmu_api.c | 23 ++++++++++++++++++- include/uapi/media/cam_req_mgr.h | 1 + 7 files changed, 60 insertions(+), 14 deletions(-) diff --git a/drivers/media/platform/msm/ais/ais_isp/ais_ife_dev.c b/drivers/media/platform/msm/ais/ais_isp/ais_ife_dev.c index 5ff489592c9e..89e378afcebe 100644 --- a/drivers/media/platform/msm/ais/ais_isp/ais_ife_dev.c +++ b/drivers/media/platform/msm/ais/ais_isp/ais_ife_dev.c @@ -498,7 +498,8 @@ static void ais_ife_dev_iommu_fault_handler( p_ife_dev = (struct ais_ife_dev *)token; - CAM_ERR(CAM_ISP, "IFE%d Pagefault at %lu", p_ife_dev->hw_idx, iova); + CAM_ERR(CAM_ISP, "IFE%d Pagefault at iova 0x%x %s", + p_ife_dev->hw_idx, iova, domain->name); } static int ais_ife_dev_remove(struct platform_device *pdev) @@ -549,7 +550,6 @@ static int ais_ife_dev_probe(struct platform_device *pdev) } mutex_init(&p_ife_dev->mutex); - spin_lock_init(&p_ife_dev->eventq_lock); /* * for now, we only support one iommu handle. later @@ -571,13 +571,19 @@ static int ais_ife_dev_probe(struct platform_device *pdev) goto attach_fail; } - rc = cam_smmu_get_handle("cam-secure", + rc = cam_smmu_get_handle("ife-cp", &p_ife_dev->iommu_hdl_secure); if (rc) { CAM_ERR(CAM_ISP, "Failed to get secure iommu handle %d", rc); goto secure_fail; } + rc = cam_smmu_ops(p_ife_dev->iommu_hdl_secure, CAM_SMMU_ATTACH); + if (rc && rc != -EALREADY) { + CAM_ERR(CAM_ISP, "Attach secure iommu handle failed %d", rc); + goto secure_fail; + } + CAM_DBG(CAM_ISP, "iommu_handles: non-secure[0x%x], secure[0x%x]", p_ife_dev->iommu_hdl, p_ife_dev->iommu_hdl_secure); @@ -585,6 +591,9 @@ static int ais_ife_dev_probe(struct platform_device *pdev) cam_smmu_set_client_page_fault_handler(p_ife_dev->iommu_hdl, ais_ife_dev_iommu_fault_handler, p_ife_dev); + cam_smmu_set_client_page_fault_handler(p_ife_dev->iommu_hdl_secure, + ais_ife_dev_iommu_fault_handler, p_ife_dev); + hw_init.hw_idx = p_ife_dev->hw_idx; hw_init.iommu_hdl = p_ife_dev->iommu_hdl; hw_init.iommu_hdl_secure = p_ife_dev->iommu_hdl_secure; @@ -594,14 +603,14 @@ static int ais_ife_dev_probe(struct platform_device *pdev) rc = ais_ife_csid_hw_init(&p_ife_dev->p_csid_drv, &hw_init); if (rc) { CAM_ERR(CAM_ISP, "IFE%d no CSID dev", p_ife_dev->hw_idx, rc); - goto secure_fail; + goto secure_attach_fail; } rc = ais_vfe_hw_init(&p_ife_dev->p_vfe_drv, &hw_init, p_ife_dev->p_csid_drv); if (rc) { CAM_ERR(CAM_ISP, "IFE%d no VFE dev", p_ife_dev->hw_idx, rc); - goto secure_fail; + goto secure_attach_fail; } CAM_INFO(CAM_ISP, "IFE%d probe complete", p_ife_dev->hw_idx); @@ -610,6 +619,9 @@ static int ais_ife_dev_probe(struct platform_device *pdev) return 0; +secure_attach_fail: + cam_smmu_ops(p_ife_dev->iommu_hdl_secure, + CAM_SMMU_DETACH); secure_fail: cam_smmu_ops(p_ife_dev->iommu_hdl, CAM_SMMU_DETACH); diff --git a/drivers/media/platform/msm/ais/ais_isp/ais_ife_dev.h b/drivers/media/platform/msm/ais/ais_isp/ais_ife_dev.h index 340b6ee91b43..4273c4c1f7ab 100644 --- a/drivers/media/platform/msm/ais/ais_isp/ais_ife_dev.h +++ b/drivers/media/platform/msm/ais/ais_isp/ais_ife_dev.h @@ -40,7 +40,6 @@ struct ais_ife_dev { int iommu_hdl; int iommu_hdl_secure; - spinlock_t eventq_lock; struct mutex mutex; int32_t open_cnt; }; diff --git a/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.c b/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.c index 00219b70667a..4ef5aa3eb5a7 100644 --- a/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.c +++ b/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.c @@ -438,6 +438,8 @@ int ais_vfe_reserve(void *hw_priv, void *reserve_args, uint32_t arg_size) goto EXIT; } + rdi_path->secure_mode = rdi_cfg->out_cfg.secure_mode; + cam_io_w(0xf, core_info->mem_base + client_regs->burst_limit); /*disable pack as it is done in CSID*/ cam_io_w(0x0, core_info->mem_base + client_regs->packer_cfg); @@ -766,8 +768,11 @@ static int ais_vfe_cmd_enq_buf(struct ais_vfe_hw_core_info *core_info, vfe_buf->bufIdx = enq_buf->buffer.idx; vfe_buf->mem_handle = enq_buf->buffer.mem_handle; - mmu_hdl = cam_mem_is_secure_buf(vfe_buf->mem_handle) ? - core_info->iommu_hdl_secure : core_info->iommu_hdl; + mmu_hdl = core_info->iommu_hdl; + + if (cam_mem_is_secure_buf(vfe_buf->mem_handle) || rdi_path->secure_mode) + mmu_hdl = core_info->iommu_hdl_secure; + rc = cam_mem_get_io_buf(vfe_buf->mem_handle, mmu_hdl, &vfe_buf->iova_addr, &src_buf_size); if (rc < 0) { @@ -1098,6 +1103,7 @@ static int ais_vfe_handle_error( continue; p_rdi = &core_info->rdi_out[path]; + if (p_rdi->state != AIS_ISP_RESOURCE_STATE_STREAMING) continue; diff --git a/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.h b/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.h index 3b5ee36182bc..c4bd0648dd27 100644 --- a/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.h +++ b/drivers/media/platform/msm/ais/ais_isp/vfe_hw/ais_vfe_core.h @@ -96,6 +96,7 @@ struct ais_vfe_rdi_output { enum ais_isp_resource_state state; uint32_t en_cfg; + uint32_t secure_mode; spinlock_t buffer_lock; struct ais_vfe_buffer_t buffers[AIS_VFE_MAX_BUF]; diff --git a/drivers/media/platform/msm/ais/cam_req_mgr/cam_mem_mgr.c b/drivers/media/platform/msm/ais/cam_req_mgr/cam_mem_mgr.c index 33094cd010a1..33949b9161fb 100644 --- a/drivers/media/platform/msm/ais/cam_req_mgr/cam_mem_mgr.c +++ b/drivers/media/platform/msm/ais/cam_req_mgr/cam_mem_mgr.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2016-2019, The Linux Foundation. All rights reserved. +/* Copyright (c) 2016-2020, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -217,6 +217,7 @@ int cam_mem_get_io_buf(int32_t buf_handle, int32_t mmu_handle, tbl.bufq[idx].fd, iova_ptr, len_ptr); + if (rc) { CAM_ERR(CAM_MEM, "fail to map buf_hdl:0x%x, mmu_hdl: 0x%x for fd:%d", @@ -511,6 +512,9 @@ static int cam_mem_util_ion_alloc(struct cam_mem_mgr_alloc_cmd *cmd, } else if (cmd->flags & CAM_MEM_FLAG_PROTECTED_MODE) { heap_id = ION_HEAP(ION_SECURE_DISPLAY_HEAP_ID); ion_flag |= ION_FLAG_SECURE | ION_FLAG_CP_CAMERA; + } else if (cmd->flags & CAM_MEM_FLAG_CP_PIXEL) { + heap_id = ION_HEAP(ION_SECURE_HEAP_ID); + ion_flag |= ION_FLAG_SECURE | ION_FLAG_CP_PIXEL; } else { heap_id = ION_HEAP(ION_SYSTEM_HEAP_ID) | ION_HEAP(ION_CAMERA_HEAP_ID); @@ -540,8 +544,9 @@ static int cam_mem_util_check_alloc_flags(struct cam_mem_mgr_alloc_cmd *cmd) return -EINVAL; } - if (cmd->flags & CAM_MEM_FLAG_PROTECTED_MODE && - cmd->flags & CAM_MEM_FLAG_KMD_ACCESS) { + if (((cmd->flags & CAM_MEM_FLAG_PROTECTED_MODE) || + (cmd->flags & CAM_MEM_FLAG_CP_PIXEL)) && + (cmd->flags & CAM_MEM_FLAG_KMD_ACCESS)) { CAM_ERR(CAM_MEM, "Kernel mapping in secure mode not allowed"); return -EINVAL; } @@ -562,8 +567,9 @@ static int cam_mem_util_check_map_flags(struct cam_mem_mgr_map_cmd *cmd) return -EINVAL; } - if (cmd->flags & CAM_MEM_FLAG_PROTECTED_MODE && - cmd->flags & CAM_MEM_FLAG_KMD_ACCESS) { + if (((cmd->flags & CAM_MEM_FLAG_PROTECTED_MODE) || + (cmd->flags & CAM_MEM_FLAG_CP_PIXEL)) && + (cmd->flags & CAM_MEM_FLAG_KMD_ACCESS)) { CAM_ERR(CAM_MEM, "Kernel mapping in secure mode not allowed, flags=0x%x", cmd->flags); diff --git a/drivers/media/platform/msm/ais/cam_smmu/cam_smmu_api.c b/drivers/media/platform/msm/ais/cam_smmu/cam_smmu_api.c index a89270254ca4..256842c73c20 100644 --- a/drivers/media/platform/msm/ais/cam_smmu/cam_smmu_api.c +++ b/drivers/media/platform/msm/ais/cam_smmu/cam_smmu_api.c @@ -36,7 +36,7 @@ #define COOKIE_SIZE (BYTE_SIZE*COOKIE_NUM_BYTE) #define COOKIE_MASK ((1<> COOKIE_SIZE) & COOKIE_MASK) @@ -105,7 +105,10 @@ struct cam_context_bank_info { dma_addr_t va_start; size_t va_len; const char *name; + /* stage 2 only */ bool is_secure; + /* stage 1 */ + bool is_secure_pixel; uint8_t scratch_buf_support; uint8_t firmware_support; uint8_t shared_support; @@ -3269,6 +3272,20 @@ static int cam_smmu_setup_cb(struct cam_context_bank_info *cb, goto end; } + if (cb->is_secure_pixel) { + int secure_vmid = VMID_CP_PIXEL; + + rc = iommu_domain_set_attr(cb->mapping->domain, + DOMAIN_ATTR_SECURE_VMID, &secure_vmid); + if (rc) { + CAM_ERR(CAM_SMMU, + "programming secure vmid failed: %s %d", + dev_name(dev), rc); + rc = -ENODEV; + goto end; + } + } + return rc; end: if (cb->shared_support) { @@ -3345,6 +3362,10 @@ static int cam_smmu_get_memory_regions_info(struct device_node *of_node, mem_map_node = of_get_child_by_name(of_node, "iova-mem-map"); cb->is_secure = of_property_read_bool(of_node, "qcom,secure-cb"); + if (!cb->is_secure) + cb->is_secure_pixel = of_property_read_bool(of_node, + "qcom,secure-pixel-cb"); + /* * We always expect a memory map node, except when it is a secure * context bank. diff --git a/include/uapi/media/cam_req_mgr.h b/include/uapi/media/cam_req_mgr.h index 55105fd903b0..50b81276d0e1 100644 --- a/include/uapi/media/cam_req_mgr.h +++ b/include/uapi/media/cam_req_mgr.h @@ -269,6 +269,7 @@ struct cam_req_mgr_link_control { #define CAM_MEM_FLAG_CACHE (1<<10) #define CAM_MEM_FLAG_HW_SHARED_ACCESS (1<<11) #define CAM_MEM_FLAG_CDSP_OUTPUT (1<<12) +#define CAM_MEM_FLAG_CP_PIXEL (1<<13) #define CAM_MEM_MMU_MAX_HANDLE 16 From c142784a01b0d45041ce5afab1080d5835762d2e Mon Sep 17 00:00:00 2001 From: Terence Ho Date: Fri, 31 Jul 2020 11:05:04 -0400 Subject: [PATCH 101/386] msm: dts: add secure nested cb for ife Add secure nested cb for ife for content protection usecase that uses nested Context Bank VMID. Acked-by: Abderahmane Allalou . Change-Id: If595e74ba714a0fd60da0f9c196193914dfb243f Signed-off-by: Terence Ho --- .../bindings/media/video/msm-cam-smmu.txt | 5 ++ arch/arm64/boot/dts/qcom/sa6155p-camera.dtsi | 20 +++++++ arch/arm64/boot/dts/qcom/sa8155-camera.dtsi | 25 +++++++++ arch/arm64/boot/dts/qcom/sa8195p-camera.dtsi | 52 ++++++++++++++++--- arch/arm64/boot/dts/qcom/sm6150-camera.dtsi | 2 +- arch/arm64/boot/dts/qcom/sm8150-camera.dtsi | 2 +- 6 files changed, 98 insertions(+), 8 deletions(-) diff --git a/Documentation/devicetree/bindings/media/video/msm-cam-smmu.txt b/Documentation/devicetree/bindings/media/video/msm-cam-smmu.txt index 4b1f08612865..b22615bdafef 100644 --- a/Documentation/devicetree/bindings/media/video/msm-cam-smmu.txt +++ b/Documentation/devicetree/bindings/media/video/msm-cam-smmu.txt @@ -67,6 +67,11 @@ Second Level Node - CAM SMMU context bank device or firmware device Value type: boolean Definition: Specifies if the context bank is a secure context bank. +- qcom,secure-pixel-cb + Usage: optional + Value type: boolean + Definition: Specifies if the context bank is a secure pixel context bank. + ============================================= Third Level Node - CAM SMMU memory map device ============================================= diff --git a/arch/arm64/boot/dts/qcom/sa6155p-camera.dtsi b/arch/arm64/boot/dts/qcom/sa6155p-camera.dtsi index 3eb01a1b915b..d9b3dd8a4490 100644 --- a/arch/arm64/boot/dts/qcom/sa6155p-camera.dtsi +++ b/arch/arm64/boot/dts/qcom/sa6155p-camera.dtsi @@ -46,6 +46,26 @@ status = "disabled"; }; +&cam_smmu { + msm_cam_smmu_ife_cp { + compatible = "qcom,msm-cam-smmu-cb"; + iommus = <&apps_smmu 0x821 0x1C0>, + <&apps_smmu 0x841 0x0>, + <&apps_smmu 0x861 0x1C0>; + label = "ife-cp"; + qcom,secure-pixel-cb; + ife_cp_iova_mem_map: iova-mem-map { + /* IO region is approximately 2.5 GB */ + iova-mem-region-io { + iova-region-name = "io"; + iova-region-start = <0x7400000>; + iova-region-len = <0x98C00000>; + iova-region-id = <0x3>; + status = "ok"; + }; + }; + }; +}; &soc { /delete-node/ cam_isp_mgr; diff --git a/arch/arm64/boot/dts/qcom/sa8155-camera.dtsi b/arch/arm64/boot/dts/qcom/sa8155-camera.dtsi index 2ded8cd4df2f..708cc284af93 100644 --- a/arch/arm64/boot/dts/qcom/sa8155-camera.dtsi +++ b/arch/arm64/boot/dts/qcom/sa8155-camera.dtsi @@ -62,6 +62,31 @@ status = "disabled"; }; +&cam_smmu { + msm_cam_smmu_ife_cp { + compatible = "qcom,msm-cam-smmu-cb"; + iommus = <&apps_smmu 0x841 0x620>, + <&apps_smmu 0x861 0x620>, + <&apps_smmu 0xA41 0x620>, + <&apps_smmu 0xA61 0x620>, + <&apps_smmu 0xC41 0x620>, + <&apps_smmu 0xC61 0x620>, + <&apps_smmu 0xE41 0x620>, + <&apps_smmu 0xE61 0x620>; + label = "ife-cp"; + qcom,secure-pixel-cb; + ife_cp_iova_mem_map: iova-mem-map { + /* IO region is approximately 2.5 GB */ + iova-mem-region-io { + iova-region-name = "io"; + iova-region-start = <0x7400000>; + iova-region-len = <0x98C00000>; + iova-region-id = <0x3>; + status = "ok"; + }; + }; + }; +}; &soc { /delete-node/ cam_isp_mgr; diff --git a/arch/arm64/boot/dts/qcom/sa8195p-camera.dtsi b/arch/arm64/boot/dts/qcom/sa8195p-camera.dtsi index 7a3bd743658a..b869b06b6f97 100644 --- a/arch/arm64/boot/dts/qcom/sa8195p-camera.dtsi +++ b/arch/arm64/boot/dts/qcom/sa8195p-camera.dtsi @@ -532,14 +532,22 @@ msm_cam_smmu_ife { compatible = "qcom,msm-cam-smmu-cb"; - iommus = <&apps_smmu 0xAA0 0x4E0>, - <&apps_smmu 0xA20 0x4E0>, - <&apps_smmu 0xA00 0x4E0>, + iommus = <&apps_smmu 0xA00 0x4E0>, + <&apps_smmu 0xAA0 0x4E0>, + <&apps_smmu 0xA40 0x4E0>, + <&apps_smmu 0xA60 0x4E0>, <&apps_smmu 0xA80 0x4E0>, - <&apps_smmu 0xEA0 0x4E0>, - <&apps_smmu 0xE20 0x4E0>, + <&apps_smmu 0xA20 0x4E0>, + <&apps_smmu 0xAC0 0x4E0>, + <&apps_smmu 0xAE0 0x4E0>, <&apps_smmu 0xE00 0x4E0>, - <&apps_smmu 0xE80 0x4E0>; + <&apps_smmu 0xEA0 0x4E0>, + <&apps_smmu 0xE40 0x4E0>, + <&apps_smmu 0xE60 0x4E0>, + <&apps_smmu 0xE80 0x4E0>, + <&apps_smmu 0xE20 0x4E0>, + <&apps_smmu 0xEC0 0x4E0>, + <&apps_smmu 0xEE0 0x4E0>; label = "ife"; ife_iova_mem_map: iova-mem-map { /* IO region is approximately 3.4 GB */ @@ -553,6 +561,38 @@ }; }; + msm_cam_smmu_ife_cp { + compatible = "qcom,msm-cam-smmu-cb"; + iommus = <&apps_smmu 0xA01 0x5E0>, + <&apps_smmu 0xAA1 0x5E0>, + <&apps_smmu 0xA41 0x5E0>, + <&apps_smmu 0xA61 0x5E0>, + <&apps_smmu 0xA81 0x5E0>, + <&apps_smmu 0xA21 0x5E0>, + <&apps_smmu 0xAC1 0x5E0>, + <&apps_smmu 0xAE1 0x5E0>, + <&apps_smmu 0xE01 0x5E0>, + <&apps_smmu 0xEA1 0x5E0>, + <&apps_smmu 0xE41 0x5E0>, + <&apps_smmu 0xE61 0x5E0>, + <&apps_smmu 0xE81 0x5E0>, + <&apps_smmu 0xE21 0x5E0>, + <&apps_smmu 0xEC1 0x5E0>, + <&apps_smmu 0xEE1 0x5E0>; + label = "ife-cp"; + qcom,secure-pixel-cb; + ife_cp_iova_mem_map: iova-mem-map { + /* IO region is approximately 2.5 GB */ + iova-mem-region-io { + iova-region-name = "io"; + iova-region-start = <0x7400000>; + iova-region-len = <0x98C00000>; + iova-region-id = <0x3>; + status = "ok"; + }; + }; + }; + msm_cam_smmu_jpeg { compatible = "qcom,msm-cam-smmu-cb"; iommus = <&apps_smmu 0x2100 0x20>, diff --git a/arch/arm64/boot/dts/qcom/sm6150-camera.dtsi b/arch/arm64/boot/dts/qcom/sm6150-camera.dtsi index f0acba499904..7ce2aec6b3a8 100644 --- a/arch/arm64/boot/dts/qcom/sm6150-camera.dtsi +++ b/arch/arm64/boot/dts/qcom/sm6150-camera.dtsi @@ -227,7 +227,7 @@ }; }; - qcom,cam_smmu { + cam_smmu: qcom,cam_smmu { compatible = "qcom,msm-cam-smmu"; status = "ok"; diff --git a/arch/arm64/boot/dts/qcom/sm8150-camera.dtsi b/arch/arm64/boot/dts/qcom/sm8150-camera.dtsi index c5bef86838ea..666fa3ffa818 100644 --- a/arch/arm64/boot/dts/qcom/sm8150-camera.dtsi +++ b/arch/arm64/boot/dts/qcom/sm8150-camera.dtsi @@ -316,7 +316,7 @@ }; }; - qcom,cam_smmu { + cam_smmu: qcom,cam_smmu { compatible = "qcom,msm-cam-smmu"; status = "ok"; From 50085f4b3af9f76b4043154fa894552759d2a744 Mon Sep 17 00:00:00 2001 From: Shravan Nevatia Date: Fri, 20 Mar 2020 17:42:05 +0530 Subject: [PATCH 102/386] msm: camera: csiphy: Update phy settings for atoll Update the PHY (CPHY, DPHY, DPHY combo) sequences for csiphy v1.2.2 to align with HPG revision W. Change-Id: Ib25d958cacd1a9b0f51d6b749ba0d59a84def761 Signed-off-by: Shravan Nevatia --- .../include/cam_csiphy_1_2_2_hwreg.h | 166 +++++++++--------- 1 file changed, 79 insertions(+), 87 deletions(-) diff --git a/drivers/media/platform/msm/camera/cam_sensor_module/cam_csiphy/include/cam_csiphy_1_2_2_hwreg.h b/drivers/media/platform/msm/camera/cam_sensor_module/cam_csiphy/include/cam_csiphy_1_2_2_hwreg.h index 51ffc1872af4..0aa91d58767a 100644 --- a/drivers/media/platform/msm/camera/cam_sensor_module/cam_csiphy/include/cam_csiphy_1_2_2_hwreg.h +++ b/drivers/media/platform/msm/camera/cam_sensor_module/cam_csiphy/include/cam_csiphy_1_2_2_hwreg.h @@ -19,10 +19,10 @@ struct csiphy_reg_parms_t csiphy_v1_2_2 = { .mipi_csiphy_interrupt_status0_addr = 0x8B0, .mipi_csiphy_interrupt_clear0_addr = 0x858, .mipi_csiphy_glbl_irq_cmd_addr = 0x828, - .csiphy_common_array_size = 7, + .csiphy_common_array_size = 6, .csiphy_reset_array_size = 5, - .csiphy_2ph_config_array_size = 22, - .csiphy_3ph_config_array_size = 38, + .csiphy_2ph_config_array_size = 23, + .csiphy_3ph_config_array_size = 30, .csiphy_2ph_clock_lane = 0x1, .csiphy_2ph_combo_ck_ln = 0x10, }; @@ -30,8 +30,7 @@ struct csiphy_reg_parms_t csiphy_v1_2_2 = { struct csiphy_reg_t csiphy_common_reg_1_2_2[] = { {0x0814, 0xd5, 0x00, CSIPHY_LANE_ENABLE}, {0x0818, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x081C, 0x02, 0x00, CSIPHY_2PH_REGS}, - {0x081C, 0x52, 0x00, CSIPHY_3PH_REGS}, + {0x081C, 0x52, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0800, 0x03, 0x01, CSIPHY_DEFAULT_PARAMS}, {0x0800, 0x02, 0x00, CSIPHY_2PH_REGS}, {0x0800, 0x0E, 0x00, CSIPHY_3PH_REGS}, @@ -65,34 +64,34 @@ csiphy_reg_t csiphy_2ph_v1_2_2_reg[MAX_LANES][MAX_SETTINGS_PER_LANE] = { {0x0030, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0904, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0910, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0900, 0x06, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0908, 0x07, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0900, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0908, 0x06, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0904, 0x07, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x00C4, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x002C, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0034, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0010, 0x50, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x001C, 0x0A, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0014, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0028, 0x00, 0x00, CSIPHY_DNP_PARAMS}, + {0x0028, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x003C, 0xB8, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0000, 0x91, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0004, 0x0C, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0020, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0008, 0x10, 0x00, CSIPHY_SETTLE_CNT_LOWER_BYTE}, - {0x000c, 0x00, 0x00, CSIPHY_DNP_PARAMS}, {0x0010, 0x52, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0038, 0xFE, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x005C, 0xC0, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0060, 0x0D, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0800, 0x02, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0000, 0x00, 0x00, CSIPHY_DNP_PARAMS}, }, { {0x0730, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0C84, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0C90, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0C80, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0C88, 0x14, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0C88, 0x06, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0C84, 0x07, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x07C4, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x072C, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0734, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0710, 0x50, 0x00, CSIPHY_DEFAULT_PARAMS}, @@ -108,78 +107,83 @@ csiphy_reg_t csiphy_2ph_v1_2_2_reg[MAX_LANES][MAX_SETTINGS_PER_LANE] = { {0x0710, 0x52, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0738, 0x1F, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0800, 0x02, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0000, 0x00, 0x00, CSIPHY_DNP_PARAMS}, + {0x0000, 0x00, 0x00, CSIPHY_DNP_PARAMS}, }, { {0x0230, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0A04, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0A10, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A00, 0x0B, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A08, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0A00, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0A08, 0x06, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0A04, 0x07, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x02C4, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x022C, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0234, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0210, 0x50, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x021C, 0x0A, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0214, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0228, 0x00, 0x00, CSIPHY_DNP_PARAMS}, + {0x0228, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x023C, 0xB8, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0200, 0x91, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0204, 0x0C, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0220, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0208, 0x04, 0x00, CSIPHY_SETTLE_CNT_LOWER_BYTE}, - {0x020c, 0x00, 0x00, CSIPHY_DNP_PARAMS}, {0x0210, 0x52, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0238, 0xFE, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x025C, 0xC0, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0260, 0x0D, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0800, 0x02, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0000, 0x00, 0x00, CSIPHY_DNP_PARAMS}, }, { {0x0430, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0B04, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0B10, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0B00, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0B08, 0x03, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0B00, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0B08, 0x06, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0B04, 0x07, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x04C4, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x042C, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0434, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0410, 0x50, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x041C, 0x0A, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0414, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0428, 0x00, 0x00, CSIPHY_DNP_PARAMS}, + {0x0428, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x043C, 0xB8, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0400, 0x91, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0404, 0x0C, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0420, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0408, 0x04, 0x00, CSIPHY_SETTLE_CNT_LOWER_BYTE}, - {0x040c, 0x00, 0x00, CSIPHY_DNP_PARAMS}, {0x0410, 0x52, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0438, 0xFE, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x045C, 0xC0, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0460, 0x0D, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0800, 0x02, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0000, 0x00, 0x00, CSIPHY_DNP_PARAMS}, }, { {0x0630, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0C04, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0C10, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0C00, 0x0E, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0C08, 0x1D, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0C00, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0C08, 0x06, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0C04, 0x07, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x06C4, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x062C, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0634, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0610, 0x50, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x061C, 0x0A, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0614, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0628, 0x00, 0x00, CSIPHY_DNP_PARAMS}, + {0x0628, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x063C, 0xB8, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0600, 0x91, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0604, 0x0C, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0620, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0608, 0x04, 0x00, CSIPHY_SETTLE_CNT_LOWER_BYTE}, - {0x060c, 0x00, 0x00, CSIPHY_DNP_PARAMS}, {0x0610, 0x52, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0638, 0xFE, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x065C, 0xC0, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0660, 0x0D, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0800, 0x02, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0000, 0x00, 0x00, CSIPHY_DNP_PARAMS}, }, }; @@ -189,34 +193,34 @@ struct csiphy_reg_t {0x0030, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0904, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0910, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0900, 0x06, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0908, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0900, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0908, 0x06, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0904, 0x07, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x00C4, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x002C, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0034, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0010, 0x50, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x001C, 0x0A, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0014, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0028, 0x00, 0x00, CSIPHY_DNP_PARAMS}, {0x003C, 0xB8, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0000, 0x91, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0004, 0x0C, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0020, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0008, 0x10, 0x00, CSIPHY_SETTLE_CNT_LOWER_BYTE}, - {0x000c, 0x00, 0x00, CSIPHY_DNP_PARAMS}, {0x0010, 0x52, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0038, 0xFE, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0800, 0x00, 0x00, CSIPHY_DNP_PARAMS}, + {0x005C, 0xC0, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0060, 0x0D, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0800, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0000, 0x00, 0x00, CSIPHY_DNP_PARAMS}, + {0x0000, 0x00, 0x00, CSIPHY_DNP_PARAMS}, }, { {0x0730, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0C84, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0C90, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0C80, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0C88, 0x14, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0C88, 0x06, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0C84, 0x07, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x07C4, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x072C, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0734, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0710, 0x50, 0x00, CSIPHY_DEFAULT_PARAMS}, @@ -231,40 +235,42 @@ struct csiphy_reg_t {0x070c, 0xFF, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0710, 0x52, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0738, 0x1F, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0800, 0x00, 0x00, CSIPHY_DNP_PARAMS}, + {0x075C, 0xC0, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0760, 0x0D, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0800, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, }, { {0x0230, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0A04, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0A10, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A00, 0x0B, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A08, 0x03, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0A00, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0A08, 0x06, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0A04, 0x07, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x02C4, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x022C, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0234, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0210, 0x50, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x021C, 0x0A, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0214, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0228, 0x00, 0x00, CSIPHY_DNP_PARAMS}, {0x023C, 0xB8, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0200, 0x91, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0204, 0x0C, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0220, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0208, 0x04, 0x00, CSIPHY_SETTLE_CNT_LOWER_BYTE}, - {0x020c, 0x00, 0x00, CSIPHY_DNP_PARAMS}, {0x0210, 0x52, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0238, 0xFE, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0800, 0x00, 0x00, CSIPHY_DNP_PARAMS}, + {0x025C, 0xC0, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0260, 0x0D, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0800, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0000, 0x00, 0x00, CSIPHY_DNP_PARAMS}, + {0x0000, 0x00, 0x00, CSIPHY_DNP_PARAMS}, }, { {0x0430, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0B04, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0B10, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0B00, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0B08, 0x1D, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0B00, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0B08, 0x06, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0B04, 0x07, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x04C4, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x042C, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0434, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0410, 0x50, 0x00, CSIPHY_DEFAULT_PARAMS}, @@ -276,19 +282,20 @@ struct csiphy_reg_t {0x0404, 0x0C, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0420, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0408, 0x04, 0x00, CSIPHY_SETTLE_CNT_LOWER_BYTE}, - {0x040c, 0x00, 0x00, CSIPHY_DNP_PARAMS}, {0x0410, 0x52, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0438, 0xFE, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0800, 0x00, 0x00, CSIPHY_DNP_PARAMS}, + {0x045C, 0xC0, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0460, 0x0D, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0800, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0000, 0x00, 0x00, CSIPHY_DNP_PARAMS}, }, { {0x0630, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0C04, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0C10, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0C00, 0x0E, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0C08, 0x14, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0C00, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0C08, 0x06, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0C04, 0x07, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x06C4, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x062C, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0634, 0x0F, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0610, 0x50, 0x00, CSIPHY_DEFAULT_PARAMS}, @@ -296,14 +303,16 @@ struct csiphy_reg_t {0x0614, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0628, 0x0E, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x063C, 0xB8, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0600, 0x91, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0600, 0x80, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0604, 0x0C, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0620, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0608, 0x04, 0x00, CSIPHY_SETTLE_CNT_LOWER_BYTE}, {0x060c, 0xFF, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0610, 0x52, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0638, 0xFE, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0800, 0x00, 0x00, CSIPHY_DNP_PARAMS}, + {0x065C, 0xC0, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0660, 0x0D, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0800, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, }, }; @@ -311,9 +320,6 @@ struct csiphy_reg_t csiphy_3ph_v1_2_2_reg[MAX_LANES][MAX_SETTINGS_PER_LANE] = { { {0x015C, 0x46, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0990, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0994, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0998, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0990, 0x08, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0994, 0x08, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0998, 0x1A, 0x00, CSIPHY_DEFAULT_PARAMS}, @@ -339,25 +345,17 @@ csiphy_reg_t csiphy_3ph_v1_2_2_reg[MAX_LANES][MAX_SETTINGS_PER_LANE] = { {0x01CC, 0x41, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0164, 0x33, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x01DC, 0x50, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x09C0, 0x80, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x09C4, 0x7D, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x09C8, 0x7F, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0984, 0xA0, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0988, 0x05, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0980, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x09B0, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x09B4, 0x02, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0800, 0x0E, 0x00, CSIPHY_DEFAULT_PARAMS}, }, { {0x035C, 0x46, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A90, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A94, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A98, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0A90, 0x08, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0A94, 0x08, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A98, 0x1F, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A8C, 0xBF, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0A98, 0x1A, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0A8C, 0xAF, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0368, 0xA0, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x036C, 0x25, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0304, 0x06, 0x00, CSIPHY_DEFAULT_PARAMS}, @@ -379,21 +377,13 @@ csiphy_reg_t csiphy_3ph_v1_2_2_reg[MAX_LANES][MAX_SETTINGS_PER_LANE] = { {0x03CC, 0x41, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0364, 0x33, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x03DC, 0x50, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0AC0, 0x80, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0AC4, 0x7D, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0AC8, 0x7F, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0A84, 0xA0, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A88, 0x05, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A80, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0AB0, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0AB4, 0x02, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0800, 0x0E, 0x00, CSIPHY_DEFAULT_PARAMS}, }, { {0x055C, 0x46, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0B90, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0B94, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0B98, 0x00, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0B90, 0x08, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0B94, 0x08, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0B98, 0x1A, 0x00, CSIPHY_DEFAULT_PARAMS}, @@ -419,12 +409,7 @@ csiphy_reg_t csiphy_3ph_v1_2_2_reg[MAX_LANES][MAX_SETTINGS_PER_LANE] = { {0x05CC, 0x41, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0564, 0x33, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x05DC, 0x50, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0BC0, 0x80, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0BC4, 0x7D, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0BC8, 0x7F, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0B84, 0xA0, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0B88, 0x05, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0B80, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0BB0, 0x01, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0BB4, 0x02, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x0800, 0x0E, 0x00, CSIPHY_DEFAULT_PARAMS}, @@ -437,7 +422,7 @@ struct data_rate_settings_t data_rate_delta_table_1_2_2 = { { /* (2.5 * 10**3 * 2.28) rounded value*/ .bandwidth = 5700000000, - .data_rate_reg_array_size = 8, + .data_rate_reg_array_size = 6, .csiphy_data_rate_regs = { {0x144, 0x22, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x344, 0x22, 0x00, CSIPHY_DEFAULT_PARAMS}, @@ -445,14 +430,12 @@ struct data_rate_settings_t data_rate_delta_table_1_2_2 = { {0x984, 0xA0, 0x00, CSIPHY_DEFAULT_PARAMS}, {0xA84, 0xA0, 0x00, CSIPHY_DEFAULT_PARAMS}, {0xB84, 0xA0, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A98, 0x1F, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A8C, 0xBF, 0x00, CSIPHY_DEFAULT_PARAMS}, } }, { /* (3.5 * 10**3 * 2.28) rounded value */ .bandwidth = 7980000000, - .data_rate_reg_array_size = 8, + .data_rate_reg_array_size = 12, .csiphy_data_rate_regs = { {0x144, 0xA2, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x344, 0xA2, 0x00, CSIPHY_DEFAULT_PARAMS}, @@ -460,14 +443,18 @@ struct data_rate_settings_t data_rate_delta_table_1_2_2 = { {0x984, 0x20, 0x00, CSIPHY_DEFAULT_PARAMS}, {0xA84, 0x20, 0x00, CSIPHY_DEFAULT_PARAMS}, {0xB84, 0x20, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A98, 0x1A, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A8C, 0xAF, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0988, 0x05, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0980, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0A88, 0x05, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0A80, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0B88, 0x05, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0B80, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, }, }, { /* (4.5 * 10**3 * 2.28) rounded value */ .bandwidth = 10260000000, - .data_rate_reg_array_size = 8, + .data_rate_reg_array_size = 12, .csiphy_data_rate_regs = { {0x144, 0xA2, 0x00, CSIPHY_DEFAULT_PARAMS}, {0x344, 0xA2, 0x00, CSIPHY_DEFAULT_PARAMS}, @@ -475,8 +462,13 @@ struct data_rate_settings_t data_rate_delta_table_1_2_2 = { {0x984, 0x20, 0x00, CSIPHY_DEFAULT_PARAMS}, {0xA84, 0x20, 0x00, CSIPHY_DEFAULT_PARAMS}, {0xB84, 0x20, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A98, 0x1A, 0x00, CSIPHY_DEFAULT_PARAMS}, - {0x0A8C, 0xAF, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0988, 0x05, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0980, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0A88, 0x05, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0A80, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0B88, 0x05, 0x00, CSIPHY_DEFAULT_PARAMS}, + {0x0B80, 0x60, 0x00, CSIPHY_DEFAULT_PARAMS}, + }, } } From 91b6a9669df15021c15841cb0f39db8aae183085 Mon Sep 17 00:00:00 2001 From: Rahul Shahare Date: Tue, 4 Aug 2020 13:51:57 +0530 Subject: [PATCH 103/386] ARM: dts: msm: Keep a DDR proxy vote for modem pil for sdmmagpie Keep a proxy DDR vote for modem pil, to meet the bandwidth requirements during modem SSR. Change-Id: I7a502e9cfd65e9c9062870e2bf0cbafc5937c71a Signed-off-by: Rahul Shahare --- arch/arm64/boot/dts/qcom/sdmmagpie.dtsi | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/sdmmagpie.dtsi b/arch/arm64/boot/dts/qcom/sdmmagpie.dtsi index 86098aa8ccba..2e2abfe4b014 100644 --- a/arch/arm64/boot/dts/qcom/sdmmagpie.dtsi +++ b/arch/arm64/boot/dts/qcom/sdmmagpie.dtsi @@ -2633,6 +2633,13 @@ qcom,minidump-id = <3>; qcom,complete-ramdump; + qcom,msm-bus,name = "pil-modem"; + qcom,msm-bus,num-cases = <2>; + qcom,msm-bus,num-paths = <1>; + qcom,msm-bus,vectors-KBps = + <129 512 0 0>, + <129 512 0 7000000>; + /* Inputs from mss */ interrupts-extended = <&pdc GIC_SPI 266 IRQ_TYPE_EDGE_RISING>, <&modem_smp2p_in 0 IRQ_TYPE_NONE>, From 2bfaebd429fc41663e1f265313fa480285a35974 Mon Sep 17 00:00:00 2001 From: Ganesh Keethol Date: Fri, 1 May 2020 17:49:17 +0530 Subject: [PATCH 104/386] ARM: dts: msm: Remove TWM Haptics entry for SDM429w + BG BG controls haptics in TWM mode via command mode.By default haptics is in command mode. So removing configuration of haptics in ext-pin pwm mode from HLOS while entering TWM mode. Change-Id: I9825fa916e57278e8e08bee5ac0ddceaa603f31b Signed-off-by: Ganesh Keethol --- arch/arm64/boot/dts/qcom/sdm429w-bg-pm660.dtsi | 4 ---- 1 file changed, 4 deletions(-) diff --git a/arch/arm64/boot/dts/qcom/sdm429w-bg-pm660.dtsi b/arch/arm64/boot/dts/qcom/sdm429w-bg-pm660.dtsi index 5ceebb2c9b30..21004c2dbc1d 100644 --- a/arch/arm64/boot/dts/qcom/sdm429w-bg-pm660.dtsi +++ b/arch/arm64/boot/dts/qcom/sdm429w-bg-pm660.dtsi @@ -29,7 +29,3 @@ &pm660_fg { qcom,fg-disable-in-twm; }; - -&pm660_haptics { - qcom,haptics-ext-pin-twm; -}; From 3e0c01f48d956c742b41660d6566c84040806d65 Mon Sep 17 00:00:00 2001 From: Michael Adisumarta Date: Thu, 6 Aug 2020 21:09:39 -0700 Subject: [PATCH 105/386] msm: ipa: Fix deleting the routing entries Make changes to delete the route entry even when the hdr/proc_ctx handles are already freed. Otherwise the entry will be dangling. Change-Id: Icbab6b96fa137c5214b37ea33c6203c5a54273ac Signed-off-by: Michael Adisumarta --- drivers/platform/msm/ipa/ipa_v3/ipa_rt.c | 48 ++++++++++-------------- 1 file changed, 20 insertions(+), 28 deletions(-) diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c b/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c index 1f6d6eb070dd..2027f303a037 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c @@ -86,14 +86,16 @@ static int ipa_generate_rt_hw_rule(enum ipa_ip_type ip, if (entry->hdr) { hdr_entry = ipa3_id_find(entry->rule.hdr_hdl); - if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) { + if (!hdr_entry || (hdr_entry->cookie != IPA_HDR_COOKIE) || + ipa3_check_idr_if_freed(entry->hdr)) { IPAERR_RL("Header entry already deleted\n"); return -EPERM; } } else if (entry->proc_ctx) { hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl); if (!hdr_proc_entry || - hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) { + (hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) || + ipa3_check_idr_if_freed(entry->proc_ctx)) { IPAERR_RL("Proc header entry already deleted\n"); return -EPERM; } @@ -1768,18 +1770,19 @@ int __ipa3_del_rt_rule(u32 rule_hdl) hdr_entry = ipa3_id_find(entry->rule.hdr_hdl); if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) { IPAERR_RL("Header entry already deleted\n"); - return -EINVAL; + entry->hdr = NULL; } } else if (entry->proc_ctx) { hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl); if (!hdr_proc_entry || hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) { IPAERR_RL("Proc header entry already deleted\n"); - return -EINVAL; + entry->proc_ctx = NULL; } } - if (entry->hdr) + if (entry->hdr && + (!ipa3_check_idr_if_freed(entry->hdr))) __ipa3_release_hdr(entry->hdr->id); else if (entry->proc_ctx && (!ipa3_check_idr_if_freed(entry->proc_ctx))) @@ -1956,7 +1959,6 @@ int ipa3_reset_rt(enum ipa_ip_type ip, bool user_only) if (!user_only || rule->ipacm_installed) { - list_del(&rule->link); if (rule->hdr) { hdr_entry = ipa3_id_find( rule->rule.hdr_hdl); @@ -1964,8 +1966,7 @@ int ipa3_reset_rt(enum ipa_ip_type ip, bool user_only) hdr_entry->cookie != IPA_HDR_COOKIE) { IPAERR_RL( "Header already deleted\n"); - mutex_unlock(&ipa3_ctx->lock); - return -EINVAL; + rule->hdr = NULL; } } else if (rule->proc_ctx) { hdr_proc_entry = @@ -1976,12 +1977,13 @@ int ipa3_reset_rt(enum ipa_ip_type ip, bool user_only) IPA_PROC_HDR_COOKIE) { IPAERR_RL( "Proc entry already deleted\n"); - mutex_unlock(&ipa3_ctx->lock); - return -EINVAL; + rule->proc_ctx = NULL; } } tbl->rule_cnt--; - if (rule->hdr) + list_del(&rule->link); + if (rule->hdr && + (!ipa3_check_idr_if_freed(rule->hdr))) __ipa3_release_hdr(rule->hdr->id); else if (rule->proc_ctx && (!ipa3_check_idr_if_freed( @@ -2158,20 +2160,8 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy_i *rtrule) struct ipa3_hdr_entry *hdr_entry; struct ipa3_hdr_proc_ctx_entry *hdr_proc_entry; - if (rtrule->rule.hdr_hdl) { - hdr = ipa3_id_find(rtrule->rule.hdr_hdl); - if ((hdr == NULL) || (hdr->cookie != IPA_HDR_COOKIE)) { - IPAERR_RL("rt rule does not point to valid hdr\n"); - goto error; - } - } else if (rtrule->rule.hdr_proc_ctx_hdl) { - proc_ctx = ipa3_id_find(rtrule->rule.hdr_proc_ctx_hdl); - if ((proc_ctx == NULL) || - (proc_ctx->cookie != IPA_PROC_HDR_COOKIE)) { - IPAERR_RL("rt rule does not point to valid proc ctx\n"); - goto error; - } - } + if (__ipa_rt_validate_hndls(&rtrule->rule, &hdr, &proc_ctx)) + goto error; entry = ipa3_id_find(rtrule->rt_rule_hdl); if (entry == NULL) { @@ -2194,14 +2184,16 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy_i *rtrule) if (entry->hdr) { hdr_entry = ipa3_id_find(entry->rule.hdr_hdl); - if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) { + if (!hdr_entry || (hdr_entry->cookie != IPA_HDR_COOKIE) || + ipa3_check_idr_if_freed(entry->hdr)) { IPAERR_RL("Header entry already deleted\n"); return -EPERM; } } else if (entry->proc_ctx) { hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl); if (!hdr_proc_entry || - hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) { + (hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) || + ipa3_check_idr_if_freed(entry->proc_ctx)) { IPAERR_RL("Proc header entry already deleted\n"); return -EPERM; } @@ -2209,7 +2201,7 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy_i *rtrule) if (entry->hdr) entry->hdr->ref_cnt--; - if (entry->proc_ctx) + else if (entry->proc_ctx) entry->proc_ctx->ref_cnt--; entry->rule = rtrule->rule; From 352e4bdb20b2ad133ea588e5eac0c78376ba28b5 Mon Sep 17 00:00:00 2001 From: Vipin Deep Kaur Date: Thu, 11 Jun 2020 13:12:33 +0530 Subject: [PATCH 106/386] platform: qcom-geni-se: Disable CMD_DONE in DMA mode for I2C and SPI For I2C and SPI, CMD_DONE should be enabled only in fifo mode for transfer completion. Disable CMD_DONE for DMA mode and cancel cmd to avoid race condition between cmd_done, dma_done and cmd_done, cancel_irq. Change-Id: I89e227d4b43cd93c27c3d536c3615dddc693ddb7 Signed-off-by: Vipin Deep Kaur Signed-off-by: Ashish Kori --- drivers/platform/msm/qcom-geni-se.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/platform/msm/qcom-geni-se.c b/drivers/platform/msm/qcom-geni-se.c index 1c6615a76b69..6c1d04cfe079 100644 --- a/drivers/platform/msm/qcom-geni-se.c +++ b/drivers/platform/msm/qcom-geni-se.c @@ -501,9 +501,12 @@ static int geni_se_select_dma_mode(void __iomem *base) geni_write_reg(0xFFFFFFFF, base, SE_IRQ_EN); common_geni_m_irq_en = geni_read_reg(base, SE_GENI_M_IRQ_EN); - if (proto != UART) + if (proto != UART) { common_geni_m_irq_en &= ~(M_TX_FIFO_WATERMARK_EN | M_RX_FIFO_WATERMARK_EN); + if (proto != I3C) + common_geni_m_irq_en &= ~M_CMD_DONE_EN; + } geni_write_reg(common_geni_m_irq_en, base, SE_GENI_M_IRQ_EN); geni_dma_mode = geni_read_reg(base, SE_GENI_DMA_MODE_EN); @@ -622,6 +625,14 @@ EXPORT_SYMBOL(geni_setup_s_cmd); */ void geni_cancel_m_cmd(void __iomem *base) { + unsigned int common_geni_m_irq_en; + int proto = get_se_proto(base); + + if (proto != UART && proto != I3C) { + common_geni_m_irq_en = geni_read_reg(base, SE_GENI_M_IRQ_EN); + common_geni_m_irq_en &= ~M_CMD_DONE_EN; + geni_write_reg(common_geni_m_irq_en, base, SE_GENI_M_IRQ_EN); + } geni_write_reg(M_GENI_CMD_CANCEL, base, SE_GENI_M_CMD_CTRL_REG); } EXPORT_SYMBOL(geni_cancel_m_cmd); From 9310a7df6e0649b04670ed59a12e65f95a86b9e9 Mon Sep 17 00:00:00 2001 From: Manoj Prabhu B Date: Thu, 6 Aug 2020 08:32:42 +0530 Subject: [PATCH 107/386] diag: Prevent possible integer overflow while processing cntl pkt Possible integer overflow while processing control packets received from peripherals prevented by typecasting the lengths during buffer boundary check. Change-Id: Ic29553a8c3422c9e11051d78a6b57a4f921586b9 Signed-off-by: Manoj Prabhu B --- drivers/char/diag/diagfwd_cntl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/char/diag/diagfwd_cntl.c b/drivers/char/diag/diagfwd_cntl.c index ed892195fc2b..15801eb2d8aa 100644 --- a/drivers/char/diag/diagfwd_cntl.c +++ b/drivers/char/diag/diagfwd_cntl.c @@ -886,7 +886,8 @@ void diag_cntl_process_read_data(struct diagfwd_info *p_info, void *buf, while (read_len + header_len < len) { ctrl_pkt = (struct diag_ctrl_pkt_header_t *)ptr; - if ((read_len + header_len + ctrl_pkt->len) > len) + if (((size_t)read_len + (size_t)ctrl_pkt->len + + header_len) > len) return; switch (ctrl_pkt->pkt_id) { case DIAG_CTRL_MSG_REG: From c4c783d96ea4ccd11d05d166d8e011103ae19781 Mon Sep 17 00:00:00 2001 From: Meghana Reddy Mula Date: Fri, 7 Aug 2020 13:54:32 +0530 Subject: [PATCH 108/386] dts: sdx: add support for tdm for sa515m TTP adding configuration for PRI or SEC TDM. Change-Id: I571ba8a93667b0cae61069d09e35e68997fa78fe Signed-off-by: Meghana Reddy Mula --- arch/arm64/boot/dts/qcom/sdxprairie-audio.dtsi | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/sdxprairie-audio.dtsi b/arch/arm64/boot/dts/qcom/sdxprairie-audio.dtsi index 26204b4f6814..589e790f9e78 100644 --- a/arch/arm64/boot/dts/qcom/sdxprairie-audio.dtsi +++ b/arch/arm64/boot/dts/qcom/sdxprairie-audio.dtsi @@ -38,7 +38,9 @@ <&afe_proxy_tx>, <&incall_record_rx>, <&incall_record_tx>, <&incall_music_rx>, <&dai_pri_tdm_rx_0>, <&dai_pri_tdm_tx_0>, + <&dai_pri_tdm_rx_1>, <&dai_pri_tdm_tx_1>, <&dai_sec_tdm_rx_0>, <&dai_sec_tdm_tx_0>, + <&dai_sec_tdm_rx_1>, <&dai_sec_tdm_tx_1>, <&dai_sec_auxpcm>, <&incall2_record_rx>, <&incall_music_2_rx>, <&incall_music_dl_rx>; asoc-cpu-names = "msm-dai-q6-auxpcm.1", @@ -50,7 +52,9 @@ "msm-dai-q6-dev.240", "msm-dai-q6-dev.32771", "msm-dai-q6-dev.32772", "msm-dai-q6-dev.32773", "msm-dai-q6-tdm.36864", "msm-dai-q6-tdm.36865", + "msm-dai-q6-tdm.36866", "msm-dai-q6-tdm.36867", "msm-dai-q6-tdm.36880", "msm-dai-q6-tdm.36881", + "msm-dai-q6-tdm.36882", "msm-dai-q6-tdm.36883", "msm-dai-q6-auxpcm.2", "msm-dai-q6-dev.32769", "msm-dai-q6-dev.32770", "msm-dai-q6-dev.32774"; }; From fff2e8067fdb47c612d54edb9d1d0515aa43e357 Mon Sep 17 00:00:00 2001 From: Cong Zhang Date: Thu, 9 Apr 2020 21:26:25 +0800 Subject: [PATCH 109/386] ARM: align the start and end of v7_setup_stack to cache line The v7_setup_stack is used when D-cache disabled. When CPU is reading something nearby with D-cache enabled. It is possible to read v7_setup_stack to cache line. There is a risk that when cache line write back the data, v7_setup_stack may already been modified by other CPU with D-cache disabled. The change make v7_setup_stack align cache line size and use the whole cache line to prevent corrupting v7_setup_stack. Change-Id: I13be3c49beafd69d6e86ffd28d5f3ba998aaa8c3 Signed-off-by: Cong Zhang --- arch/arm/mm/proc-v7.S | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/arm/mm/proc-v7.S b/arch/arm/mm/proc-v7.S index d8d90cf65b39..b397cf1e486d 100644 --- a/arch/arm/mm/proc-v7.S +++ b/arch/arm/mm/proc-v7.S @@ -18,6 +18,7 @@ #include #include #include +#include #include "proc-macros.S" @@ -547,10 +548,10 @@ __v7_setup_stack_ptr: ENDPROC(__v7_setup) .bss - .align 2 + .align L1_CACHE_SHIFT __v7_setup_stack: .space 4 * 7 @ 7 registers - + .align L1_CACHE_SHIFT __INITDATA .weak cpu_v7_bugs_init From b10f5607563aa27e3b05348d12eefdc9e47a3cbb Mon Sep 17 00:00:00 2001 From: Chandana Kishori Chiluveru Date: Fri, 3 Jul 2020 15:44:48 +0530 Subject: [PATCH 110/386] serail: msm_geni_serial: Stop TX Engine during port close This change is added to stop_tx during port shutdown. Leaving TX sequencer active after port shutdown resulting in unexpected behaviour because we expect TX sequencer and DMA engine to go IDLE after port close. In some cases TX remains active and trying to send invalid TX zero bytes over TX line. Hence stop TX during port close. Change-Id: I5ac15726bee16d2cc4de96dcd64e5c1d2b743908 Signed-off-by: Chandana Kishori Chiluveru --- drivers/tty/serial/msm_geni_serial.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/tty/serial/msm_geni_serial.c b/drivers/tty/serial/msm_geni_serial.c index 374ecc888e2b..bcdcdc194866 100644 --- a/drivers/tty/serial/msm_geni_serial.c +++ b/drivers/tty/serial/msm_geni_serial.c @@ -2209,6 +2209,7 @@ static void msm_geni_serial_shutdown(struct uart_port *uport) } else { msm_geni_serial_power_on(uport); wait_for_transfers_inflight(uport); + msm_geni_serial_stop_tx(uport); } if (!uart_console(uport)) { From e951ef176443f240496f284491e301d49a09fc0f Mon Sep 17 00:00:00 2001 From: Rishi Gupta Date: Fri, 7 Aug 2020 15:31:36 +0530 Subject: [PATCH 111/386] ARM: dts: sa2150p: use gpio 77 for wakeup on sa2150p side The GPIO 77 is connected to remote processor on the other end. This commit populates correct GPIO number on the sa2150p side. Change-Id: Ibe8c2702d186fe07a669102b97f74e01d8075438 Signed-off-by: Rishi Gupta --- .../boot/dts/qcom/sa2145p-ccard-nand-dc.dts | 19 +++++++++++++++++++ .../boot/dts/qcom/sa2150p-ccard-nand-dc.dts | 19 +++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/sa2145p-ccard-nand-dc.dts b/arch/arm64/boot/dts/qcom/sa2145p-ccard-nand-dc.dts index 3a5c5aef5c77..2aa4f8d7047c 100644 --- a/arch/arm64/boot/dts/qcom/sa2145p-ccard-nand-dc.dts +++ b/arch/arm64/boot/dts/qcom/sa2145p-ccard-nand-dc.dts @@ -54,3 +54,22 @@ /delete-node/ wlan_msa_region@88E0000; /delete-node/ wlan_fw_mem@86400000; }; + +&tlmm { + wakeup_gpio_default: wakeup_gpio_default { + mux { + pins = "gpio77"; + function = "gpio"; + }; + + config { + pins = "gpio77"; + drive-strength = <2>; + bias-pull-down; + }; + }; +}; + +&sdx_ext_ipc { + qcom,wakeup-gpio-out = <&tlmm 77 0x00>; +}; diff --git a/arch/arm64/boot/dts/qcom/sa2150p-ccard-nand-dc.dts b/arch/arm64/boot/dts/qcom/sa2150p-ccard-nand-dc.dts index fb3ae4f7843d..e7f9dcb42061 100644 --- a/arch/arm64/boot/dts/qcom/sa2150p-ccard-nand-dc.dts +++ b/arch/arm64/boot/dts/qcom/sa2150p-ccard-nand-dc.dts @@ -128,3 +128,22 @@ /delete-node/ wlan_msa_region@88E0000; /delete-node/ wlan_fw_mem@86400000; }; + +&tlmm { + wakeup_gpio_default: wakeup_gpio_default { + mux { + pins = "gpio77"; + function = "gpio"; + }; + + config { + pins = "gpio77"; + drive-strength = <2>; + bias-pull-down; + }; + }; +}; + +&sdx_ext_ipc { + qcom,wakeup-gpio-out = <&tlmm 77 0x00>; +}; From 8f5b5402672133f15df5e44577b5c752cd82b00b Mon Sep 17 00:00:00 2001 From: Jishnu Prakash Date: Thu, 27 Sep 2018 16:52:15 +0530 Subject: [PATCH 112/386] iio: qcom-rradc: Force conversion for die_temp channel on RRADC Force conversion for die_temp channel instead of keeping die_temp reading dependent on presence of USB for trigger. Change-Id: I7f31ddc701102fb1e5e52ec3c073c90d4fee6adb Signed-off-by: Jishnu Prakash --- drivers/iio/adc/qcom-rradc.c | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/qcom-rradc.c b/drivers/iio/adc/qcom-rradc.c index 02dfbf86d6c2..485d7cc03402 100644 --- a/drivers/iio/adc/qcom-rradc.c +++ b/drivers/iio/adc/qcom-rradc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016-2017, The Linux Foundation. All rights reserved. + * Copyright (c) 2016-2017, 2019-2020, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -767,8 +767,7 @@ static int rradc_check_status_ready_with_retry(struct rradc_chip *chip, if (((prop->channel == RR_ADC_CHG_TEMP) || (prop->channel == RR_ADC_SKIN_TEMP) || - (prop->channel == RR_ADC_USBIN_I) || - (prop->channel == RR_ADC_DIE_TEMP)) && + (prop->channel == RR_ADC_USBIN_I)) && ((!rradc_is_usb_present(chip)))) { pr_debug("USB not present for %d\n", prop->channel); rc = -ENODATA; @@ -938,6 +937,30 @@ static int rradc_do_conversion(struct rradc_chip *chip, goto fail; } break; + case RR_ADC_DIE_TEMP: + /* Force conversion every cycle */ + rc = rradc_masked_write(chip, FG_ADC_RR_PMI_DIE_TEMP_TRIGGER, + FG_ADC_RR_USB_IN_V_EVERY_CYCLE_MASK, + FG_ADC_RR_USB_IN_V_EVERY_CYCLE); + if (rc < 0) { + pr_err("Force every cycle update failed:%d\n", rc); + goto fail; + } + + rc = rradc_read_channel_with_continuous_mode(chip, prop, buf); + if (rc < 0) { + pr_err("Error reading in continuous mode:%d\n", rc); + goto fail; + } + + /* Restore aux_therm trigger */ + rc = rradc_masked_write(chip, FG_ADC_RR_PMI_DIE_TEMP_TRIGGER, + FG_ADC_RR_USB_IN_V_EVERY_CYCLE_MASK, 0); + if (rc < 0) { + pr_err("Restore every cycle update failed:%d\n", rc); + goto fail; + } + break; case RR_ADC_CHG_HOT_TEMP: case RR_ADC_CHG_TOO_HOT_TEMP: case RR_ADC_SKIN_HOT_TEMP: From 50764c92064c9f916626f68ea8a6e69086994f44 Mon Sep 17 00:00:00 2001 From: Jishnu Prakash Date: Fri, 26 Jul 2019 16:09:32 +0530 Subject: [PATCH 113/386] iio: qcom-rradc: Add batt_id delay property for RRADC Add DT property to set batt_id hardware settling delay time. Change-Id: I3ca6078d45efdfcec38027586fc5a740aa03f698 Signed-off-by: Jishnu Prakash --- .../bindings/iio/adc/qcom-rradc.txt | 4 +++ drivers/iio/adc/qcom-rradc.c | 31 ++++++++++++++++++- 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/Documentation/devicetree/bindings/iio/adc/qcom-rradc.txt b/Documentation/devicetree/bindings/iio/adc/qcom-rradc.txt index 1ab49edfe30c..240c6d82deb0 100644 --- a/Documentation/devicetree/bindings/iio/adc/qcom-rradc.txt +++ b/Documentation/devicetree/bindings/iio/adc/qcom-rradc.txt @@ -45,6 +45,10 @@ Optional property: - qcom,pmic-revid : Phandle pointing to the revision peripheral node. Use it to query the PMIC fabrication ID for applying the appropriate temperature compensation parameters. +- qcom,batt-id-delay-ms : + Value type: + Definition: Used to specify HW settling time in MS for measuring BATT_ID. + Possible values are: 0, 1, 4, 12, 20, 40, 60, 80. Example: /* RRADC node */ diff --git a/drivers/iio/adc/qcom-rradc.c b/drivers/iio/adc/qcom-rradc.c index 485d7cc03402..20136383c66b 100644 --- a/drivers/iio/adc/qcom-rradc.c +++ b/drivers/iio/adc/qcom-rradc.c @@ -199,6 +199,9 @@ #define FG_RR_TP_REV_VERSION2 29 #define FG_RR_TP_REV_VERSION3 32 +#define BATT_ID_SETTLE_SHIFT 5 +#define RRADC_BATT_ID_DELAY_MAX 8 + /* * The channel number is not a physical index in hardware, * rather it's a list of supported channels and an index to @@ -229,6 +232,7 @@ struct rradc_chip { struct mutex lock; struct regmap *regmap; u16 base; + int batt_id_delay; struct iio_chan_spec *iio_chans; unsigned int nchannels; struct rradc_chan_prop *chan_props; @@ -256,6 +260,8 @@ struct rradc_chan_prop { u16 adc_code, int *result); }; +static const int batt_id_delays[] = {0, 1, 4, 12, 20, 40, 60, 80}; + static int rradc_masked_write(struct rradc_chip *rr_adc, u16 offset, u8 mask, u8 val) { @@ -853,7 +859,7 @@ static int rradc_enable_batt_id_channel(struct rradc_chip *chip, bool enable) static int rradc_do_batt_id_conversion(struct rradc_chip *chip, struct rradc_chan_prop *prop, u16 *data, u8 *buf) { - int rc = 0, ret = 0; + int rc = 0, ret = 0, batt_id_delay; rc = rradc_enable_batt_id_channel(chip, true); if (rc < 0) { @@ -861,6 +867,14 @@ static int rradc_do_batt_id_conversion(struct rradc_chip *chip, return rc; } + if (chip->batt_id_delay != -EINVAL) { + batt_id_delay = chip->batt_id_delay << BATT_ID_SETTLE_SHIFT; + rc = rradc_masked_write(chip, FG_ADC_RR_BATT_ID_CFG, + batt_id_delay, batt_id_delay); + if (rc < 0) + pr_err("BATT_ID settling time config failed:%d\n", rc); + } + rc = rradc_masked_write(chip, FG_ADC_RR_BATT_ID_TRIGGER, FG_ADC_RR_BATT_ID_TRIGGER_CTL, FG_ADC_RR_BATT_ID_TRIGGER_CTL); @@ -1129,6 +1143,21 @@ static int rradc_get_dt_data(struct rradc_chip *chip, struct device_node *node) return rc; } + chip->batt_id_delay = -EINVAL; + + rc = of_property_read_u32(node, "qcom,batt-id-delay-ms", + &chip->batt_id_delay); + if (!rc) { + for (i = 0; i < RRADC_BATT_ID_DELAY_MAX; i++) { + if (chip->batt_id_delay == batt_id_delays[i]) + break; + } + if (i == RRADC_BATT_ID_DELAY_MAX) + pr_err("Invalid batt_id_delay, rc=%d\n", rc); + else + chip->batt_id_delay = i; + } + chip->base = base; chip->revid_dev_node = of_parse_phandle(node, "qcom,pmic-revid", 0); if (chip->revid_dev_node) { From 618f67a880c30ec9ae267bb90a2d6a80d9ce26eb Mon Sep 17 00:00:00 2001 From: Ashay Jaiswal Date: Wed, 15 Nov 2017 18:09:19 +0530 Subject: [PATCH 114/386] power: smb-lib: fix OTG enable error handling Fix OTG enable error path and drop stale votes on USB_ICL votable. Change-Id: Ia0fce0ef75bb83ece72cc6a5a8f294b2500a0166 Signed-off-by: Ashay Jaiswal --- drivers/power/supply/qcom/smb-lib.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/power/supply/qcom/smb-lib.c b/drivers/power/supply/qcom/smb-lib.c index ffec1bf46b0d..d3c378a2b708 100644 --- a/drivers/power/supply/qcom/smb-lib.c +++ b/drivers/power/supply/qcom/smb-lib.c @@ -725,6 +725,7 @@ static void smblib_uusb_removal(struct smb_charger *chg) vote(chg->pl_enable_votable_indirect, USBIN_V_VOTER, false, 0); vote(chg->usb_icl_votable, SW_QC3_VOTER, false, 0); vote(chg->hvdcp_hw_inov_dis_votable, OV_VOTER, false, 0); + vote(chg->usb_icl_votable, USBIN_USBIN_BOOST_VOTER, false, 0); cancel_delayed_work_sync(&chg->hvdcp_detect_work); @@ -1716,6 +1717,8 @@ int smblib_vbus_regulator_enable(struct regulator_dev *rdev) rc = _smblib_vbus_regulator_enable(rdev); if (rc >= 0) chg->otg_en = true; + else + vote(chg->usb_icl_votable, USBIN_USBIN_BOOST_VOTER, false, 0); unlock: mutex_unlock(&chg->otg_oc_lock); @@ -4388,6 +4391,7 @@ static void smblib_handle_typec_removal(struct smb_charger *chg) vote(chg->pl_enable_votable_indirect, USBIN_V_VOTER, false, 0); vote(chg->awake_votable, PL_DELAY_VOTER, false, 0); + vote(chg->usb_icl_votable, USBIN_USBIN_BOOST_VOTER, false, 0); chg->vconn_attempts = 0; chg->otg_attempts = 0; chg->pulse_cnt = 0; From e4c309197bf4108665c2d4cd547f3369aa2957c4 Mon Sep 17 00:00:00 2001 From: Kiran Gunda Date: Fri, 7 Aug 2020 17:39:25 +0530 Subject: [PATCH 115/386] ARM: dts: msm: Remove "qcom,ilim-ma" property for SDM429W "qcom,ilim-ma" property is unused in the "qti-haptics" driver. Hence, remove the this property from the device tree node. Change-Id: Ifc335deaf139338aeb63b8f84dcf2eaa11f17130 Signed-off-by: Kiran Gunda --- arch/arm64/boot/dts/qcom/sdm429w-pm660.dtsi | 1 - 1 file changed, 1 deletion(-) diff --git a/arch/arm64/boot/dts/qcom/sdm429w-pm660.dtsi b/arch/arm64/boot/dts/qcom/sdm429w-pm660.dtsi index 1cf4c8ad62a0..024ec2d91792 100644 --- a/arch/arm64/boot/dts/qcom/sdm429w-pm660.dtsi +++ b/arch/arm64/boot/dts/qcom/sdm429w-pm660.dtsi @@ -131,7 +131,6 @@ /delete-property/ qcom,lra-allow-variable-play; /delete-property/ qcom,lra-allow-variable-play-rate; qcom,actuator-type = "erm"; - qcom,ilim-ma = <400>; qcom,play-rate-us = <10000>; wf_0 { From 1e87face21552949b6390360ecb5559cc883480a Mon Sep 17 00:00:00 2001 From: Sachin Prakash Gejji Date: Fri, 7 Aug 2020 20:00:42 +0530 Subject: [PATCH 116/386] defconfig: msm: Enable switchdev for SA515m Enable switchdev config for ethernet switch driver. Change-Id: If43784c8cfe941748ce788091b6d880cdff56d83 Signed-off-by: Sachin Prakash Gejji --- arch/arm/configs/vendor/sa515m-perf_defconfig | 1 + arch/arm/configs/vendor/sa515m_defconfig | 1 + 2 files changed, 2 insertions(+) diff --git a/arch/arm/configs/vendor/sa515m-perf_defconfig b/arch/arm/configs/vendor/sa515m-perf_defconfig index 9b01e9f0a689..ba1f7b8d3bca 100644 --- a/arch/arm/configs/vendor/sa515m-perf_defconfig +++ b/arch/arm/configs/vendor/sa515m-perf_defconfig @@ -166,6 +166,7 @@ CONFIG_BRIDGE=y CONFIG_VLAN_8021Q=y CONFIG_NET_SCHED=y CONFIG_NET_SCH_PRIO=y +CONFIG_NET_SWITCHDEV=y CONFIG_QRTR=y CONFIG_QRTR_NODE_ID=2 CONFIG_QRTR_SMD=y diff --git a/arch/arm/configs/vendor/sa515m_defconfig b/arch/arm/configs/vendor/sa515m_defconfig index bc64df02ed11..90b571160d95 100644 --- a/arch/arm/configs/vendor/sa515m_defconfig +++ b/arch/arm/configs/vendor/sa515m_defconfig @@ -166,6 +166,7 @@ CONFIG_BRIDGE=y CONFIG_VLAN_8021Q=y CONFIG_NET_SCHED=y CONFIG_NET_SCH_PRIO=y +CONFIG_NET_SWITCHDEV=y CONFIG_QRTR=y CONFIG_QRTR_NODE_ID=2 CONFIG_QRTR_SMD=y From 112cc4cbe31cd0663bd724085085ad248986e720 Mon Sep 17 00:00:00 2001 From: Pradeep P V K Date: Thu, 9 Jul 2020 19:35:17 +0530 Subject: [PATCH 117/386] mtd: msm_qpic_nand: Skip erased page check upon error Skip erased page check upon error. Change-Id: I08ea01fdccd6896f83a42758652e19949e3d1b0e Signed-off-by: Pradeep P V K --- drivers/mtd/devices/msm_qpic_nand.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/devices/msm_qpic_nand.c b/drivers/mtd/devices/msm_qpic_nand.c index 8cb1feb3dcd1..f5aa60df49a7 100644 --- a/drivers/mtd/devices/msm_qpic_nand.c +++ b/drivers/mtd/devices/msm_qpic_nand.c @@ -1984,7 +1984,7 @@ free_dma: total_ecc_byte_cnt, DMA_FROM_DEVICE); /* check for bit flips in ecc data */ ecc_temp = ecc; - for (n = rw_params->start_sector; n < cwperpage; n++) { + for (n = rw_params->start_sector; !err && n < cwperpage; n++) { int last_pos = 0, next_pos = 0; int ecc_bytes_percw_in_bits = (chip->ecc_parity_bytes * 8); @@ -2651,7 +2651,7 @@ free_dma: total_ecc_byte_cnt, DMA_FROM_DEVICE); /* check for bit flips in ecc data */ ecc_temp = ecc; - for (n = rw_params->start_sector; n < cwperpage; n++) { + for (n = rw_params->start_sector; !err && n < cwperpage; n++) { int last_pos = 0, next_pos = 0; int ecc_bytes_percw_in_bits = (chip->ecc_parity_bytes * 8); From ede5bcc51f9697696fcf1d63b862eed50b7d3ae0 Mon Sep 17 00:00:00 2001 From: Swetha Chikkaboraiah Date: Wed, 29 Jul 2020 22:47:07 +0530 Subject: [PATCH 118/386] AndroidKernel: Disable debugfs for user builds Debugfs is not needed on user builds, so disabling same at compile time for ARM 64. Change-Id: If6708c9de060584ebcba4cac9bad8e85d6a5ab7f Signed-off-by: Swetha Chikkaboraiah --- AndroidKernel.mk | 20 +++++++++++++++++--- disable_dbgfs.sh | 29 +++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 3 deletions(-) create mode 100755 disable_dbgfs.sh diff --git a/AndroidKernel.mk b/AndroidKernel.mk index f7e26617f635..73a2232be4a2 100644 --- a/AndroidKernel.mk +++ b/AndroidKernel.mk @@ -10,6 +10,8 @@ ifneq ($(TARGET_KERNEL_APPEND_DTB), true) $(info Using DTB Image) INSTALLED_DTBIMAGE_TARGET := $(PRODUCT_OUT)/dtb.img endif +MAKE_ARGS := $(strip $(TARGET_KERNEL_MAKE_ARGS)) +KERNEL_DISABLE_DEBUGFS := $(TARGET_KERNEL_DISABLE_DEBUGFS) TARGET_KERNEL_MAKE_ENV := $(strip $(TARGET_KERNEL_MAKE_ENV)) ifeq ($(TARGET_KERNEL_MAKE_ENV),) @@ -138,6 +140,7 @@ $(info Using appended DTB) TARGET_PREBUILT_INT_KERNEL := $(TARGET_PREBUILT_INT_KERNEL)-dtb endif +KERNEL_DEBUGFS := $(KERNEL_OUT)/tmp KERNEL_HEADERS_INSTALL := $(KERNEL_OUT)/usr KERNEL_MODULES_INSTALL ?= system KERNEL_MODULES_OUT ?= $(PRODUCT_OUT)/$(KERNEL_MODULES_INSTALL)/lib/modules @@ -162,6 +165,9 @@ mpath=`dirname $$mdpath`; rm -rf $$mpath;\ fi endef +$(KERNEL_OUT): $(KERNEL_DEBUGFS) + mkdir -p $(KERNEL_OUT) + ifneq ($(KERNEL_LEGACY_DIR),true) $(KERNEL_USR): $(KERNEL_HEADERS_INSTALL) rm -rf $(KERNEL_SYMLINK) @@ -170,9 +176,6 @@ $(KERNEL_USR): $(KERNEL_HEADERS_INSTALL) $(TARGET_PREBUILT_INT_KERNEL): $(KERNEL_USR) endif -$(KERNEL_OUT): - mkdir -p $(KERNEL_OUT) - $(KERNEL_CONFIG): $(KERNEL_OUT) $(MAKE) -C $(TARGET_KERNEL_SOURCE) O=$(BUILD_ROOT_LOC)$(KERNEL_OUT) $(KERNEL_MAKE_ENV) ARCH=$(KERNEL_ARCH) CROSS_COMPILE=$(KERNEL_CROSS_COMPILE) $(real_cc) $(KERNEL_DEFCONFIG) $(hide) if [ ! -z "$(KERNEL_CONFIG_OVERRIDE)" ]; then \ @@ -206,6 +209,17 @@ $(TARGET_PREBUILT_INT_KERNEL): $(KERNEL_OUT) $(KERNEL_HEADERS_INSTALL) $(clean-module-folder) endif +$(KERNEL_DEBUGFS): + KERNEL_DIR=$(TARGET_KERNEL_SOURCE) \ + DEFCONFIG=$(KERNEL_DEFCONFIG) \ + OUT_DIR=$(KERNEL_OUT) \ + ARCH=$(KERNEL_ARCH) \ + CROSS_COMPILE=$(KERNEL_CROSS_COMPILE) \ + DISABLE_DEBUGFS=$(KERNEL_DISABLE_DEBUGFS) \ + $(TARGET_KERNEL_SOURCE)/disable_dbgfs.sh \ + $(real_cc) \ + $(TARGET_KERNEL_MAKE_ARGS) + $(KERNEL_HEADERS_INSTALL): $(KERNEL_OUT) $(hide) if [ ! -z "$(KERNEL_HEADER_DEFCONFIG)" ]; then \ rm -f $(BUILD_ROOT_LOC)$(KERNEL_CONFIG) && \ diff --git a/disable_dbgfs.sh b/disable_dbgfs.sh new file mode 100755 index 000000000000..fe23680972a5 --- /dev/null +++ b/disable_dbgfs.sh @@ -0,0 +1,29 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 + +# disable debugfs for user builds +export MAKE_ARGS=$@ + +if [ ${DISABLE_DEBUGFS} == "true" ]; then + echo "build variant ${TARGET_BUILD_VARIANT}" + if [ ${TARGET_BUILD_VARIANT} == "user" ] && \ + [ ${ARCH} == "arm64" ]; then + echo "combining fragments for user build" + (cd $KERNEL_DIR && \ + ARCH=${ARCH} CROSS_COMPILE=${CROSS_COMPILE}\ + ./scripts/kconfig/merge_config.sh \ + ./arch/${ARCH}/configs/$DEFCONFIG \ + ./arch/${ARCH}/configs/vendor/debugfs.config + make ${MAKE_ARGS} ARCH=${ARCH} \ + CROSS_COMPILE=${CROSS_COMPILE} savedefconfig + mv defconfig ./arch/${ARCH}/configs/$DEFCONFIG + rm .config) + else + if [[ ${DEFCONFIG} == *"perf_defconfig" ]] && \ + [ ${ARCH} == "arm64" ]; then + echo "resetting perf defconfig" + (cd ${KERNEL_DIR} && \ + git checkout arch/$ARCH/configs/$DEFCONFIG) + fi + fi +fi From 36ba69d9b40a307dcc171c67d9299edea69586c1 Mon Sep 17 00:00:00 2001 From: Avaneesh Kumar Dwivedi Date: Mon, 3 Aug 2020 20:30:59 +0530 Subject: [PATCH 119/386] ARM: dts: msm: Include qcs610 changes for qcs410 also QCS410 is derivative of QCS610 hence include the same changes that are needed for QCS610 for QCS410 also. Change-Id: I586463a89d3180a0afbbc12968a07489a433f10b Signed-off-by: Avaneesh Kumar Dwivedi --- arch/arm64/boot/dts/qcom/qcs410-iot.dts | 4 - arch/arm64/boot/dts/qcom/qcs410-iot.dtsi | 227 +---------------------- arch/arm64/boot/dts/qcom/qcs610-iot.dts | 1 - arch/arm64/boot/dts/qcom/qcs610-iot.dtsi | 1 + arch/arm64/boot/dts/qcom/qcs610-ipc.dts | 5 - arch/arm64/boot/dts/qcom/qcs610-ipc.dtsi | 23 +-- 6 files changed, 4 insertions(+), 257 deletions(-) diff --git a/arch/arm64/boot/dts/qcom/qcs410-iot.dts b/arch/arm64/boot/dts/qcom/qcs410-iot.dts index 2fe709638dbc..3c640e55c721 100644 --- a/arch/arm64/boot/dts/qcom/qcs410-iot.dts +++ b/arch/arm64/boot/dts/qcom/qcs410-iot.dts @@ -14,7 +14,6 @@ #include "qcs410.dtsi" #include "qcs410-iot.dtsi" -#include "sm6150-audio-overlay.dtsi" / { model = "Qualcomm Technologies, Inc. QCS410 IOT"; @@ -22,6 +21,3 @@ qcom,board-id = <32 0>; }; -&sm6150_snd { - /delete-property/ fsa4480-i2c-handle; -}; diff --git a/arch/arm64/boot/dts/qcom/qcs410-iot.dtsi b/arch/arm64/boot/dts/qcom/qcs410-iot.dtsi index 374d1f73eff9..3dc3f2141b17 100644 --- a/arch/arm64/boot/dts/qcom/qcs410-iot.dtsi +++ b/arch/arm64/boot/dts/qcom/qcs410-iot.dtsi @@ -10,235 +10,10 @@ * GNU General Public License for more details. */ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "qcs610-camera-sensor-idp.dtsi" +#include "qcs610-iot.dtsi" / { model = "Qualcomm Technologies, Inc. QCS410 IOT"; compatible = "qcom,qcs410-iot", "qcom,qcs410", "qcom,iot"; }; -&qupv3_se3_i2c { - status = "ok"; - #include "smb1390.dtsi" -}; - -&qupv3_se0_2uart { - status = "ok"; -}; - -&qupv3_se7_4uart { - status = "ok"; -}; - -&pm6150l_gpios { - key_vol_up { - key_vol_up_default: key_vol_up_default { - pins = "gpio2"; - function = "normal"; - input-enable; - bias-pull-up; - power-source = <0>; - }; - }; - - irled { - irled_pwm: irled_pwm_default { - pins = "gpio6"; - function = "func1"; - qcom,drive-strength = <2>; - power-source = <0>; - bias-disable; - output-low; - }; - }; -}; - -&soc { - gpio_keys { - compatible = "gpio-keys"; - label = "gpio-keys"; - - pinctrl-names = "default"; - pinctrl-0 = <&key_vol_up_default>; - - vol_up { - label = "volume_up"; - gpios = <&pm6150l_gpios 2 GPIO_ACTIVE_LOW>; - linux,input-type = <1>; - linux,code = ; - linux,can-disable; - debounce-interval = <15>; - gpio-key,wakeup; - }; - }; - - mtp_batterydata: qcom,battery-data { - qcom,batt-id-range-pct = <15>; - #include "qg-batterydata-alium-3600mah.dtsi" - #include "qg-batterydata-mlp356477-2800mah.dtsi" - }; -}; - -&pm6150l_wled { - qcom,string-cfg= <3>; - qcom,leds-per-string = <7>; - status = "ok"; -}; - -&pm6150l_lcdb { - status = "ok"; -}; - -&pm6150l_pwm_1 { - status = "okay"; -}; - -&pm6150_qg { - qcom,battery-data = <&mtp_batterydata>; - qcom,qg-iterm-ma = <100>; - qcom,hold-soc-while-full; - qcom,linearize-soc; - qcom,cl-feedback-on; -}; - -&pm6150_charger { - io-channels = <&pm6150_vadc ADC_USB_IN_V_16>, - <&pm6150_vadc ADC_USB_IN_I>, - <&pm6150_vadc ADC_CHG_TEMP>, - <&pm6150_vadc ADC_DIE_TEMP>, - <&pm6150_vadc ADC_AMUX_THM4_PU2>, - <&pm6150_vadc ADC_SBUx>, - <&pm6150_vadc ADC_VPH_PWR>; - io-channel-names = "usb_in_voltage", - "usb_in_current", - "chg_temp", - "die_temp", - "conn_temp", - "sbux_res", - "vph_voltage"; - qcom,battery-data = <&mtp_batterydata>; - qcom,auto-recharge-soc = <98>; - qcom,step-charging-enable; - qcom,sw-jeita-enable; - qcom,fcc-stepping-enable; - qcom,suspend-input-on-debug-batt; - qcom,sec-charger-config = <3>; - qcom,thermal-mitigation = <4200000 3500000 3000000 - 2500000 2000000 1500000 1000000 500000>; - dpdm-supply = <&qusb_phy0>; - qcom,charger-temp-max = <800>; - qcom,smb-temp-max = <800>; -}; - -&smb1390 { - /delete-property/ interrupts; - interrupts = <0x0 0xc2 0x0 IRQ_TYPE_LEVEL_LOW>; - pinctrl-names = "default"; - pinctrl-0 = <&smb_stat_default>; - status = "ok"; -}; - -&smb1390_charger { - /delete-property/ compatible; - compatible = "qcom,smb1390-charger-psy"; - io-channels = <&pm6150_vadc ADC_AMUX_THM3>; - io-channel-names = "cp_die_temp"; - status = "ok"; -}; - -&sdhc_1 { - vdd-supply = <&pm6150l_l11>; - qcom,vdd-voltage-level = <2950000 2950000>; - qcom,vdd-current-level = <0 570000>; - - vdd-io-supply = <&pm6150_l12>; - qcom,vdd-io-always-on; - qcom,vdd-io-lpm-sup; - qcom,vdd-io-voltage-level = <1800000 1800000>; - qcom,vdd-io-current-level = <0 325000>; - - pinctrl-names = "active", "sleep"; - pinctrl-0 = <&sdc1_clk_on &sdc1_cmd_on &sdc1_data_on &sdc1_rclk_on>; - pinctrl-1 = <&sdc1_clk_off &sdc1_cmd_off &sdc1_data_off &sdc1_rclk_off>; - - status = "ok"; -}; - -&sdhc_2 { - vdd-supply = <&pm6150l_l9>; - qcom,vdd-voltage-level = <2950000 2950000>; - qcom,vdd-current-level = <0 800000>; - - vdd-io-supply = <&pm6150l_l6>; - qcom,vdd-io-voltage-level = <1800000 3100000>; - qcom,vdd-io-current-level = <0 22000>; - - pinctrl-names = "active", "sleep"; - pinctrl-0 = <&sdc2_clk_on &sdc2_cmd_on &sdc2_data_on &sdc2_cd_on>; - pinctrl-1 = <&sdc2_clk_off &sdc2_cmd_off &sdc2_data_off &sdc2_cd_off>; - - cd-gpios = <&tlmm 99 GPIO_ACTIVE_LOW>; - - status = "ok"; -}; - -&pil_camera_mem { - reg = <0 0x8f800000 0 0x500000>; -}; - -&pil_modem_mem { - reg = <0 0x8fd00000 0 0x3100000>; -}; - -&pil_video_mem { - reg = <0 0x92e00000 0 0x500000>; -}; - -&wlan_msa_mem { - reg = <0 0x93300000 0 0x200000>; -}; - -&pil_cdsp_mem { - reg = <0 0x93500000 0 0x1e00000>; -}; - -&pil_adsp_mem { - reg = <0 0x95300000 0 0x1e00000>; -}; - -&pil_ipa_fw_mem { - reg = <0 0x97100000 0 0x10000>; -}; - -&pil_ipa_gsi_mem { - reg = <0 0x97110000 0 0x5000>; -}; - -&pil_gpu_mem { - reg = <0 0x97115000 0 0x2000>; -}; - -&L16A { - regulator-max-microvolt = <3304000>; -}; - -&L19A { - regulator-max-microvolt = <3304000>; -}; - -&L4C { - regulator-max-microvolt = <2912000>; -}; - -&L5C { - regulator-max-microvolt = <2912000>; -}; diff --git a/arch/arm64/boot/dts/qcom/qcs610-iot.dts b/arch/arm64/boot/dts/qcom/qcs610-iot.dts index a0a6c723d172..9d79b8ceea0a 100644 --- a/arch/arm64/boot/dts/qcom/qcs610-iot.dts +++ b/arch/arm64/boot/dts/qcom/qcs610-iot.dts @@ -13,7 +13,6 @@ /dts-v1/; #include "qcs610.dtsi" #include "qcs610-iot.dtsi" -#include "sm6150-audio-overlay.dtsi" / { model = "Qualcomm Technologies, Inc. QCS610 IOT"; diff --git a/arch/arm64/boot/dts/qcom/qcs610-iot.dtsi b/arch/arm64/boot/dts/qcom/qcs610-iot.dtsi index c65dae42e904..6bf996060d60 100644 --- a/arch/arm64/boot/dts/qcom/qcs610-iot.dtsi +++ b/arch/arm64/boot/dts/qcom/qcs610-iot.dtsi @@ -25,6 +25,7 @@ #include "sm6150-sde-pll.dtsi" #include "sm6150-sde-display.dtsi" #include "qcs610-camera-sensor-idp.dtsi" +#include "sm6150-audio-overlay.dtsi" / { model = "Qualcomm Technologies, Inc. QCS610 IOT"; diff --git a/arch/arm64/boot/dts/qcom/qcs610-ipc.dts b/arch/arm64/boot/dts/qcom/qcs610-ipc.dts index aa9b6439e0b3..cb0b1a23bfa6 100644 --- a/arch/arm64/boot/dts/qcom/qcs610-ipc.dts +++ b/arch/arm64/boot/dts/qcom/qcs610-ipc.dts @@ -13,7 +13,6 @@ /dts-v1/; #include "qcs610.dtsi" -#include "qcs610-iot.dtsi" #include "qcs610-ipc.dtsi" / { @@ -21,7 +20,3 @@ compatible = "qcom,qcs610-iot", "qcom,qcs610", "qcom,iot"; qcom,board-id = <32 1>; }; - -&sm6150_snd { - /delete-property/ fsa4480-i2c-handle; -}; diff --git a/arch/arm64/boot/dts/qcom/qcs610-ipc.dtsi b/arch/arm64/boot/dts/qcom/qcs610-ipc.dtsi index 87c198d211ec..9340e5cb4d18 100644 --- a/arch/arm64/boot/dts/qcom/qcs610-ipc.dtsi +++ b/arch/arm64/boot/dts/qcom/qcs610-ipc.dtsi @@ -10,8 +10,8 @@ * GNU General Public License for more details. */ -#include "sm6150-audio-overlay.dtsi" -#include "sm6150-camera-sensor-idp.dtsi" +#include "qcs610-iot.dtsi" + / { model = "Qualcomm Technologies, Inc. QCS610 IPC"; compatible = "qcom,qcs610-iot", "qcom,qcs610", "qcom,iot"; @@ -73,25 +73,6 @@ qcom,batteryless-platform; }; -&eeprom_rear { - cam_vana-supply = <&pm6150l_l4>; - rgltr-min-voltage = <1800000 2900000 1200000 0 2800000>; - rgltr-max-voltage = <1800000 2900000 1200000 0 2800000>; -}; - -&cam_cci { - qcom,cam-sensor@0 { - cam_vana-supply = <&pm6150l_l4>; - rgltr-min-voltage = <1800000 2900000 1200000 0>; - rgltr-max-voltage = <1800000 2900000 1200000 0>; - }; -}; - - -&led_flash_front { - status = "disabled"; -}; - &tlmm { led_red_default: led_red_default { mux { From 8aded3de2b6f1631e30573660c7ce0e7ef159741 Mon Sep 17 00:00:00 2001 From: Michael Adisumarta Date: Sun, 9 Aug 2020 18:26:12 -0700 Subject: [PATCH 120/386] msm: ipa: Add IPv6 NAT uc activation interface Add IOCTLs for adding and deleting uc activation entries. Amend Socksv5 add\delete entry algorithm to allow IPv6 NAT and Socksv5 entries to co-exist in activation table. Add debugfs entry to dump uc activation table. Change-Id: I5382a393cb2890cd6c6ee4dc73eadf16c603294a Signed-off-by: Amir Levy Signed-off-by: Michael Adisumarta --- drivers/platform/msm/ipa/ipa_v3/ipa.c | 34 ++ drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c | 131 ++++- drivers/platform/msm/ipa/ipa_v3/ipa_i.h | 11 + drivers/platform/msm/ipa/ipa_v3/ipa_utils.c | 464 ++++++++++++++++-- include/linux/ipa.h | 28 +- include/uapi/linux/msm_ipa.h | 112 +++++ 6 files changed, 721 insertions(+), 59 deletions(-) diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa.c b/drivers/platform/msm/ipa/ipa_v3/ipa.c index d46d50b82387..ebfe2c0cdb66 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa.c @@ -1003,6 +1003,7 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) struct ipa_ioc_get_vlan_mode vlan_mode; struct ipa_ioc_wigig_fst_switch fst_switch; struct ipa_nat_in_sram_info nat_in_sram_info; + union ipa_ioc_uc_activation_entry uc_act; size_t sz; int pre_entry; int hdl; @@ -3052,6 +3053,39 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) } break; + case IPA_IOC_ADD_UC_ACT_ENTRY: + if (copy_from_user(&uc_act, (const void __user *)arg, + sizeof(union ipa_ioc_uc_activation_entry))) { + IPAERR_RL("copy_from_user fails\n"); + retval = -EFAULT; + break; + } + + /* first field in both structs is cmd id */ + if (uc_act.socks.cmd_id == IPA_SOCKSV5_ADD_COM_ID) { + retval = ipa3_add_socksv5_conn_usr(&uc_act.socks); + } else { + retval = ipa3_add_ipv6_nat_uc_activation_entry( + &uc_act.ipv6_nat); + } + if (retval) { + retval = -EFAULT; + break; + } + if (copy_to_user((void __user *)arg, &uc_act, + sizeof(union ipa_ioc_uc_activation_entry))) { + IPAERR_RL("copy_to_user fails\n"); + retval = -EFAULT; + break; + } + break; + case IPA_IOC_DEL_UC_ACT_ENTRY: + if (ipa3_del_uc_act_entry((uint16_t)arg)) { + retval = -EFAULT; + break; + } + break; + default: IPA_ACTIVE_CLIENTS_DEC_SIMPLE(); return -ENOTTY; diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c b/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c index 4e87ede63057..bfcaae8c6fad 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c @@ -324,7 +324,7 @@ static ssize_t ipa3_read_ep_reg(struct file *file, char __user *ubuf, *ppos = pos; ret = simple_read_from_buffer(ubuf, count, ppos, dbg_buff, - nbytes); + nbytes); if (ret < 0) { IPA_ACTIVE_CLIENTS_DEC_SIMPLE(); return ret; @@ -503,12 +503,12 @@ static int ipa3_attrib_dump(struct ipa_rule_attrib *attrib, if (attrib->attrib_mask & IPA_FLT_SRC_PORT_RANGE) { pr_err("src_port_range:%u %u ", attrib->src_port_lo, - attrib->src_port_hi); + attrib->src_port_hi); } if (attrib->attrib_mask & IPA_FLT_DST_PORT_RANGE) { pr_err("dst_port_range:%u %u ", attrib->dst_port_lo, - attrib->dst_port_hi); + attrib->dst_port_hi); } if (attrib->attrib_mask & IPA_FLT_TYPE) pr_err("type:%d ", attrib->type); @@ -2646,6 +2646,125 @@ static ssize_t ipa3_enable_ipc_low(struct file *file, return count; } +static ssize_t ipa3_read_uc_act_tbl(struct file *file, + char __user *ubuf, size_t count, loff_t *ppos) +{ + int nbytes; + int cnt = 0; + int i; + struct ipa_ipv6_nat_uc_tmpl *uc_entry_nat; + struct ipa_socksv5_uc_tmpl *uc_entry_socks; + struct iphdr_rsv *socks_iphdr; + struct ipv6hdr *socks_ipv6hdr; + + /* IPA version check */ + if (ipa3_ctx->ipa_hw_type < IPA_HW_v4_5) { + nbytes = scnprintf(dbg_buff, IPA_MAX_MSG_LEN, + "This feature only support on IPA4.5+\n"); + cnt += nbytes; + goto done; + } + + if (!ipa3_ctx->uc_act_tbl_valid) { + IPAERR("uC act tbl wasn't allocated\n"); + return -ENOENT; + } + + if (sizeof(dbg_buff) < count + 1) + return -EFAULT; + + dbg_buff[count] = '\0'; + + mutex_lock(&ipa3_ctx->act_tbl_lock); + + uc_entry_nat = (struct ipa_ipv6_nat_uc_tmpl *) + (ipa3_ctx->uc_act_tbl.base); + nbytes = scnprintf(dbg_buff, IPA_MAX_MSG_LEN, + "uc_act_tbl_total %d, uc_act_tbl_ipv6_nat_total %d uc_act_tbl_socksv5_total %d, uc_act_tbl_next_index %d\n" + "uC activation entries:" + , ipa3_ctx->uc_act_tbl_total, + ipa3_ctx->uc_act_tbl_ipv6_nat_total, + ipa3_ctx->uc_act_tbl_socksv5_total, + ipa3_ctx->uc_act_tbl_next_index); + cnt += nbytes; + for (i = 0; i < IPA_UC_ACT_TBL_SIZE; i++) { + if (uc_entry_nat[i].cmd_id == IPA_IPv6_NAT_COM_ID) { + nbytes = scnprintf(dbg_buff + cnt, IPA_MAX_MSG_LEN, + "\nentry %d:\n" + "cmd_id = IPV6_NAT\n" + "private_address_msb 0x%llX\n" + "private_address_lsb 0x%llX\n" + "private_port %u\n" + "public_address_msb 0x%llX\n" + "public_address_lsb 0x%llX\n" + "public_port %u\n", + i, + uc_entry_nat[i].private_address_msb, + uc_entry_nat[i].private_address_lsb, + uc_entry_nat[i].private_port, + uc_entry_nat[i].public_address_msb, + uc_entry_nat[i].public_address_lsb, + uc_entry_nat[i].public_port); + cnt += nbytes; + } else if (uc_entry_nat[i].cmd_id == IPA_SOCKSV5_ADD_COM_ID) { + uc_entry_socks = (struct ipa_socksv5_uc_tmpl *) + (uc_entry_nat); + nbytes = scnprintf(dbg_buff + cnt, IPA_MAX_MSG_LEN, + "\nentry %d:\n" + "cmd_id = SOCKSv5\n" + "cmd_param: %u\n" + "source_port: %u\n" + "dest_port: %u\n" + "ipa_socksv5_mask: %x\n", + i, + uc_entry_socks[i].cmd_param, + uc_entry_socks[i].src_port, + uc_entry_socks[i].dst_port, + uc_entry_socks[i].ipa_sockv5_mask); + cnt += nbytes; + + if (uc_entry_socks[i].cmd_param == + IPA_SOCKsv5_ADD_V6_V4_COM_PM) { + socks_iphdr = + &uc_entry_socks[i].ip_hdr.ipv4_rsv; + nbytes = scnprintf(dbg_buff + cnt, + IPA_MAX_MSG_LEN, + "ipv4_src_addr: 0x%X\n" + "ipv4_dst_addr: 0x%X\n", + socks_iphdr->ipv4_temp.saddr, + socks_iphdr->ipv4_temp.daddr); + cnt += nbytes; + } else { + socks_ipv6hdr = + &uc_entry_socks[i].ip_hdr.ipv6_temp; + nbytes = scnprintf(dbg_buff + cnt, + IPA_MAX_MSG_LEN, + "ipv6_src_addr[0]: 0x%X\n" + "ipv6_src_addr[1]: 0x%X\n" + "ipv6_src_addr[2]: 0x%X\n" + "ipv6_src_addr[3]: 0x%X\n" + "ipv6_dts_addr[0]: 0x%X\n" + "ipv6_dts_addr[1]: 0x%X\n" + "ipv6_dts_addr[2]: 0x%X\n" + "ipv6_dts_addr[3]: 0x%X\n", + socks_ipv6hdr->saddr.s6_addr32[0], + socks_ipv6hdr->saddr.s6_addr32[1], + socks_ipv6hdr->saddr.s6_addr32[2], + socks_ipv6hdr->saddr.s6_addr32[3], + socks_ipv6hdr->daddr.s6_addr32[0], + socks_ipv6hdr->daddr.s6_addr32[1], + socks_ipv6hdr->daddr.s6_addr32[2], + socks_ipv6hdr->daddr.s6_addr32[3]); + cnt += nbytes; + } + } + } + mutex_unlock(&ipa3_ctx->act_tbl_lock); +done: + return simple_read_from_buffer(ubuf, count, ppos, dbg_buff, cnt); + +} + static const struct ipa3_debugfs_file debugfs_files[] = { { "gen_reg", IPA_READ_ONLY_MODE, NULL, { @@ -2811,7 +2930,11 @@ static const struct ipa3_debugfs_file debugfs_files[] = { "app_clk_vote_cnt", IPA_READ_ONLY_MODE, NULL, { .read = ipa3_read_app_clk_vote, } - }, + }, { + "uc_act_table", IPA_READ_ONLY_MODE, NULL, { + .read = ipa3_read_uc_act_tbl, + } + } }; void ipa3_debugfs_pre_init(void) diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_i.h b/drivers/platform/msm/ipa/ipa_v3/ipa_i.h index f0c2d575969b..54d6bf0a7a3e 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_i.h +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_i.h @@ -2022,6 +2022,8 @@ struct ipa3_context { bool uc_act_tbl_valid; struct mutex act_tbl_lock; int uc_act_tbl_total; + int uc_act_tbl_socksv5_total; + int uc_act_tbl_ipv6_nat_total; int uc_act_tbl_next_index; bool manual_fw_load; }; @@ -2419,6 +2421,15 @@ int ipa3_add_socksv5_conn(struct ipa_socksv5_info *info); int ipa3_del_socksv5_conn(uint32_t handle); +int ipa3_add_socksv5_conn_usr(struct ipa_kernel_tests_socksv5_uc_tmpl *tmpl); + +int ipa3_add_ipv6_nat_uc_activation_entry( + struct ipa_ioc_ipv6_nat_uc_act_entry *entry); + +int ipa3_del_ipv6_nat_uc_activation_entry(uint16_t index); + +int ipa3_del_uc_act_entry(uint16_t index); + /* * Header removal / addition */ diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_utils.c b/drivers/platform/msm/ipa/ipa_v3/ipa_utils.c index 970f9510b56d..7d9f7d4631ff 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_utils.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_utils.c @@ -9150,6 +9150,213 @@ int ipa3_setup_uc_act_tbl(void) return res; } +static inline bool is_free_socksv5(struct ipa_socksv5_uc_tmpl *socksv5_entry) +{ + if ((!socksv5_entry->cmd_id) || + (socksv5_entry->cmd_id == IPA_SOCKsv5_ADD_COM_ID && + !(socksv5_entry->ipa_sockv5_mask & IPA_SOCKSv5_ENTRY_VALID))) + return true; + return false; +} + +static int ipa3_get_free_uc_act_entry(void) +{ + struct ipa_socksv5_uc_tmpl *entry; + int orig_index = ipa3_ctx->uc_act_tbl_next_index; + int free_index = -1; + + IPADBG("\n"); + /* find a free spot*/ + do { + entry = ipa3_ctx->uc_act_tbl.base + + ipa3_ctx->uc_act_tbl_next_index + * sizeof(struct ipa_socksv5_uc_tmpl); + + /* check if entry is free */ + if (is_free_socksv5(entry)) { + free_index = ipa3_ctx->uc_act_tbl_next_index; + IPADBG("found free index at %d\n", free_index); + break; + } + + ipa3_ctx->uc_act_tbl_next_index++; + ipa3_ctx->uc_act_tbl_next_index %= + IPA_UC_ACT_TBL_SIZE; + } while (orig_index != ipa3_ctx->uc_act_tbl_next_index); + IPADBG("exit free_index %d\n", free_index); + return free_index; +} + +int ipa3_add_ipv6_nat_uc_activation_entry( + struct ipa_ioc_ipv6_nat_uc_act_entry *entry) +{ + int res = 0; + int index; + struct ipa_ipv6_nat_uc_tmpl *uc_entry; + + /* IPA version check */ + if (ipa3_ctx->ipa_hw_type < IPA_HW_v4_5) { + IPAERR("Not support !\n"); + return -EPERM; + } + + if (!ipa3_ctx->uc_act_tbl_valid) { + IPAERR("uC act tbl wasn't allocated\n"); + return -ENOENT; + } + + if (!entry) { + IPAERR("Null entry\n"); + return -EIO; + } + if (!entry->private_address_lsb || !entry->private_address_msb + || !entry->public_address_lsb || !entry->public_address_msb + || !entry->private_port || !entry->public_port) { + IPAERR("0 param 0x%llX 0x%llX 0x%llX 0x%llX %d %d\n", + entry->private_address_lsb, entry->private_address_msb, + entry->public_address_lsb, entry->public_address_msb, + entry->private_port, entry->public_port); + return -EFAULT; + } + + mutex_lock(&ipa3_ctx->act_tbl_lock); + /* check the left # of entries */ + if (ipa3_ctx->uc_act_tbl_total + >= IPA_UC_ACT_TBL_SIZE) { + IPAERR("uc act tbl is full!\n"); + res = -EFAULT; + goto error; + } + + index = ipa3_get_free_uc_act_entry(); + + uc_entry = (struct ipa_ipv6_nat_uc_tmpl *)(ipa3_ctx->uc_act_tbl.base + + index * sizeof(struct ipa_ipv6_nat_uc_tmpl)); + + uc_entry->private_address_lsb = entry->private_address_lsb; + uc_entry->private_address_msb = entry->private_address_msb; + uc_entry->public_address_lsb = entry->public_address_lsb; + uc_entry->public_address_msb = entry->public_address_msb; + uc_entry->private_port = entry->private_port; + uc_entry->public_port = entry->public_port; + uc_entry->cmd_id = IPA_IPv6_NAT_COM_ID; + + /* set output index */ + entry->index = (uint16_t)index; + + ipa3_ctx->uc_act_tbl_total++; + ipa3_ctx->uc_act_tbl_ipv6_nat_total++; + + if (ipa3_ctx->uc_act_tbl_total < IPA_UC_ACT_TBL_SIZE) { + /* + * find next free spot, this function shall update + * uc_act_tbl_next_index + */ + index = ipa3_get_free_uc_act_entry(); + + if (index < 0) { + /* set to max tbl size to debug */ + IPAERR("can't find available spot!\n"); + ipa3_ctx->uc_act_tbl_total = IPA_UC_ACT_TBL_SIZE; + res = -EFAULT; + } + } +error: + mutex_unlock(&ipa3_ctx->act_tbl_lock); + return res; +} + +int ipa3_del_uc_act_entry(uint16_t index) +{ + struct ipa_ipv6_nat_uc_tmpl *uc_entry; + uint16_t cmd_id; + + /* IPA version check */ + if (ipa3_ctx->ipa_hw_type < IPA_HW_v4_5) { + IPAERR_RL("Not support !\n"); + return -EPERM; + } + + if (!ipa3_ctx->uc_act_tbl_valid) { + IPAERR_RL("uC act tbl haven't allocated\n"); + return -ENOENT; + } + + if (index > IPA_UC_ACT_TBL_SIZE || index < 0) { + IPAERR_RL("invalid index!\n"); + return -EINVAL; + } + + if (!ipa3_ctx->uc_act_tbl_total) { + IPAERR_RL( + "invalid handle, no uc activation entries in table (total %d)\n" + , ipa3_ctx->uc_act_tbl_total); + return -EINVAL; + } + + uc_entry = (struct ipa_ipv6_nat_uc_tmpl *)(ipa3_ctx->uc_act_tbl.base + + index * sizeof(struct ipa_ipv6_nat_uc_tmpl)); + + mutex_lock(&ipa3_ctx->act_tbl_lock); + cmd_id = uc_entry->cmd_id; + mutex_unlock(&ipa3_ctx->act_tbl_lock); + + if (cmd_id == IPA_IPv6_NAT_COM_ID) + return ipa3_del_ipv6_nat_uc_activation_entry(index); + else + return ipa3_del_socksv5_conn(index); +} + +int ipa3_del_ipv6_nat_uc_activation_entry(uint16_t index) +{ + struct ipa_ipv6_nat_uc_tmpl *uc_entry; + int res = 0; + + /* IPA version check */ + if (ipa3_ctx->ipa_hw_type < IPA_HW_v4_5) { + IPAERR_RL("Not support !\n"); + return -EPERM; + } + + if (!ipa3_ctx->uc_act_tbl_valid) { + IPAERR_RL("uC act tbl haven't allocated\n"); + return -ENOENT; + } + + if (index > IPA_UC_ACT_TBL_SIZE || index < 0) { + IPAERR_RL("invalid index!\n"); + return -EINVAL; + } + + if (!ipa3_ctx->uc_act_tbl_ipv6_nat_total) { + IPAERR_RL( + "invalid handle, no IPv6 NAT entries in table (total %d)\n" + , ipa3_ctx->uc_act_tbl_total); + return -EINVAL; + } + + uc_entry = (struct ipa_ipv6_nat_uc_tmpl *)(ipa3_ctx->uc_act_tbl.base + + index * sizeof(struct ipa_ipv6_nat_uc_tmpl)); + + mutex_lock(&ipa3_ctx->act_tbl_lock); + if (uc_entry->cmd_id != IPA_IPv6_NAT_COM_ID) { + IPAERR_RL("entry %d wrong cmd id %d\n", uc_entry->cmd_id); + res = -EFAULT; + goto error; + } + uc_entry->cmd_id = 0; + ipa3_ctx->uc_act_tbl_total--; + ipa3_ctx->uc_act_tbl_ipv6_nat_total--; + + IPADBG("free entry %d, nat total %d, left total %d\n", + index, + ipa3_ctx->uc_act_tbl_ipv6_nat_total, + ipa3_ctx->uc_act_tbl_total); +error: + mutex_unlock(&ipa3_ctx->act_tbl_lock); + return res; +} + static void ipa3_socksv5_msg_free_cb(void *buff, u32 len, u32 type) { if (!buff) { @@ -9167,6 +9374,39 @@ static void ipa3_socksv5_msg_free_cb(void *buff, u32 len, u32 type) kfree(buff); } +static int ipa3_get_free_socksv5_entry(void) +{ + struct ipa_socksv5_uc_tmpl *first; + struct ipa_socksv5_uc_tmpl *next; + int orig_index = ipa3_ctx->uc_act_tbl_next_index; + int free_index = -1; + + IPADBG("\n"); + /* find a free spot with two contiguous entries*/ + do { + first = ipa3_ctx->uc_act_tbl.base + + ipa3_ctx->uc_act_tbl_next_index + * sizeof(struct ipa_socksv5_uc_tmpl); + next = ipa3_ctx->uc_act_tbl.base + + (ipa3_ctx->uc_act_tbl_next_index + 1) + * sizeof(struct ipa_socksv5_uc_tmpl); + + /* check if first entry and next entry are free */ + if (is_free_socksv5(first) && is_free_socksv5(next)) { + free_index = ipa3_ctx->uc_act_tbl_next_index; + IPADBG("found free index at %d\n", free_index); + break; + } + + ipa3_ctx->uc_act_tbl_next_index += 2; + ipa3_ctx->uc_act_tbl_next_index %= + IPA_UC_ACT_TBL_SIZE; + } while (orig_index != ipa3_ctx->uc_act_tbl_next_index); + + IPADBG("exit free_index %d\n", free_index); + return free_index; +} + /** * ipa3_add_socksv5_conn() - IPA add socksv5_conn * @@ -9176,8 +9416,8 @@ static void ipa3_socksv5_msg_free_cb(void *buff, u32 len, u32 type) */ int ipa3_add_socksv5_conn(struct ipa_socksv5_info *info) { - int res = 0; - void *rp_va, *wp_va; + int res = 0, index; + void *wp_va; struct ipa_socksv5_msg *socksv5_msg; struct ipa_msg_meta msg_meta; @@ -9198,18 +9438,24 @@ int ipa3_add_socksv5_conn(struct ipa_socksv5_info *info) } mutex_lock(&ipa3_ctx->act_tbl_lock); - /* check the left # of entries */ + /* check the left # of entries (need at least 2)*/ if (ipa3_ctx->uc_act_tbl_total - >= IPA_UC_ACT_TBL_SIZE) { + >= IPA_UC_ACT_TBL_SIZE - 1) { IPAERR("uc act tbl is full!\n"); res = -EFAULT; goto error; } + index = ipa3_get_free_socksv5_entry(); + if (index < 0) { + IPAERR("couldn't find free socksv5 entry\n"); + res = -EFAULT; + goto error; + } + /* Copied the act-info to tbl */ wp_va = ipa3_ctx->uc_act_tbl.base + - ipa3_ctx->uc_act_tbl_next_index - * sizeof(struct ipa_socksv5_uc_tmpl); + index * sizeof(struct ipa_socksv5_uc_tmpl); /* check entry valid */ if ((info->ul_out.cmd_id != IPA_SOCKsv5_ADD_COM_ID) @@ -9246,9 +9492,10 @@ int ipa3_add_socksv5_conn(struct ipa_socksv5_info *info) &(info->dl_out), sizeof(info->dl_out)); /* set output handle */ - info->handle = (uint16_t) ipa3_ctx->uc_act_tbl_next_index; + info->handle = (uint16_t) index; ipa3_ctx->uc_act_tbl_total += 2; + ipa3_ctx->uc_act_tbl_socksv5_total += 2; /* send msg to ipacm */ socksv5_msg = kzalloc(sizeof(*socksv5_msg), GFP_KERNEL); @@ -9261,9 +9508,9 @@ int ipa3_add_socksv5_conn(struct ipa_socksv5_info *info) memcpy(&(socksv5_msg->dl_in), &(info->dl_in), sizeof(info->dl_in)); socksv5_msg->handle = info->handle; socksv5_msg->ul_in.index = - (uint16_t) ipa3_ctx->uc_act_tbl_next_index; + (uint16_t) index; socksv5_msg->dl_in.index = - (uint16_t) ipa3_ctx->uc_act_tbl_next_index + 1; + (uint16_t) index + 1; memset(&msg_meta, 0, sizeof(struct ipa_msg_meta)); msg_meta.msg_type = IPA_SOCKV5_ADD; @@ -9276,27 +9523,14 @@ int ipa3_add_socksv5_conn(struct ipa_socksv5_info *info) goto error; } - if (ipa3_ctx->uc_act_tbl_total < IPA_UC_ACT_TBL_SIZE) { - /* find next free spot */ - do { - ipa3_ctx->uc_act_tbl_next_index += 2; - ipa3_ctx->uc_act_tbl_next_index %= - IPA_UC_ACT_TBL_SIZE; + if (ipa3_ctx->uc_act_tbl_total < IPA_UC_ACT_TBL_SIZE - 1) { + /* + * find next free spot, this function shall update + * uc_act_tbl_next_index + */ + index = ipa3_get_free_socksv5_entry(); - rp_va = ipa3_ctx->uc_act_tbl.base + - ipa3_ctx->uc_act_tbl_next_index - * sizeof(struct ipa_socksv5_uc_tmpl); - - if (!((((struct ipa_socksv5_uc_tmpl *) rp_va)-> - ipa_sockv5_mask) & IPA_SOCKSv5_ENTRY_VALID)) { - IPADBG("next available entry %d, total %d\n", - ipa3_ctx->uc_act_tbl_next_index, - ipa3_ctx->uc_act_tbl_total); - break; - } - } while (rp_va != wp_va); - - if (rp_va == wp_va) { + if (index < 0) { /* set to max tbl size to debug */ IPAERR("can't find available spot!\n"); ipa3_ctx->uc_act_tbl_total = IPA_UC_ACT_TBL_SIZE; @@ -9308,6 +9542,127 @@ error: mutex_unlock(&ipa3_ctx->act_tbl_lock); return res; } +/* + * ipa3_add_socksv5_conn_usr() - IPA copy and add socksv5 conn + * + * Returns: 0 on success, negative on failure + * + * Note : Should not be called from atomic context + */ +int ipa3_add_socksv5_conn_usr(struct ipa_kernel_tests_socksv5_uc_tmpl *tmpl) +{ + struct ipa_socksv5_info info; + int retval = 0; + + memset(&info, 0, sizeof(struct ipa_socksv5_info)); + + if (tmpl->direction == 0) { /* DL */ + info.dl_out.cmd_id = tmpl->cmd_id; + info.dl_out.cmd_param = tmpl->cmd_param; + info.dl_out.ip_hdr.ipv6_temp.version = 6; + info.dl_out.ip_hdr.ipv6_temp.nexthdr = 6; + info.dl_out.ip_hdr.ipv6_temp.saddr.s6_addr32[0] = + tmpl->ipv6_src_addr[0]; + info.dl_out.ip_hdr.ipv6_temp.saddr.s6_addr32[1] = + tmpl->ipv6_src_addr[1]; + info.dl_out.ip_hdr.ipv6_temp.saddr.s6_addr32[2] = + tmpl->ipv6_src_addr[2]; + info.dl_out.ip_hdr.ipv6_temp.saddr.s6_addr32[3] = + tmpl->ipv6_src_addr[3]; + info.dl_out.ip_hdr.ipv6_temp.daddr.s6_addr32[0] = + tmpl->ipv6_dst_addr[0]; + info.dl_out.ip_hdr.ipv6_temp.daddr.s6_addr32[1] = + tmpl->ipv6_dst_addr[1]; + info.dl_out.ip_hdr.ipv6_temp.daddr.s6_addr32[2] = + tmpl->ipv6_dst_addr[2]; + info.dl_out.ip_hdr.ipv6_temp.daddr.s6_addr32[3] = + tmpl->ipv6_dst_addr[3]; + info.dl_out.src_port = tmpl->src_port; + info.dl_out.dst_port = tmpl->dst_port; + info.dl_out.ipa_sockv5_mask = tmpl->ipa_sockv5_mask; + info.dl_out.out_irs = tmpl->out_irs; + info.dl_out.out_iss = tmpl->out_iss; + info.dl_out.in_irs = tmpl->in_irs; + info.dl_out.in_iss = tmpl->in_iss; + info.dl_out.out_ircv_tsval = tmpl->out_ircv_tsval; + info.dl_out.in_ircv_tsecr = tmpl->in_ircv_tsecr; + info.dl_out.out_ircv_tsecr = tmpl->out_ircv_tsecr; + info.dl_out.in_ircv_tsval = tmpl->in_ircv_tsval; + info.dl_out.in_isnd_wscale = tmpl->in_isnd_wscale; + info.dl_out.out_isnd_wscale = tmpl->out_isnd_wscale; + info.dl_out.in_ircv_wscale = tmpl->in_ircv_wscale; + info.dl_out.out_ircv_wscale = tmpl->out_ircv_wscale; + + /* for UL set default values to pass pair validity check */ + info.ul_out.cmd_id = IPA_SOCKsv5_ADD_COM_ID; + info.ul_out.cmd_param = IPA_SOCKsv5_ADD_V6_V4_COM_PM; + } else if (tmpl->direction == 1) { /* UL */ + info.ul_out.cmd_id = tmpl->cmd_id; + info.ul_out.cmd_param = tmpl->cmd_param; + if (info.ul_out.cmd_param == IPA_SOCKsv5_ADD_V6_V4_COM_PM) { + info.ul_out.ip_hdr.ipv4_rsv.ipv4_temp.version = 4; + info.ul_out.ip_hdr.ipv4_rsv.ipv4_temp.ihl = 5; + info.ul_out.ip_hdr.ipv4_rsv.ipv4_temp.saddr = + tmpl->ip_src_addr; + info.ul_out.ip_hdr.ipv4_rsv.ipv4_temp.daddr = + tmpl->ip_dst_addr; + info.ul_out.ip_hdr.ipv4_rsv.ipv4_temp.protocol = 6; + } + if (info.ul_out.cmd_param == IPA_SOCKsv5_ADD_V6_V6_COM_PM) { + info.ul_out.ip_hdr.ipv6_temp.version = 6; + info.ul_out.ip_hdr.ipv6_temp.nexthdr = 6; + info.ul_out.ip_hdr.ipv6_temp.saddr.s6_addr32[0] = + tmpl->ipv6_src_addr[0]; + info.ul_out.ip_hdr.ipv6_temp.saddr.s6_addr32[1] = + tmpl->ipv6_src_addr[1]; + info.ul_out.ip_hdr.ipv6_temp.saddr.s6_addr32[2] = + tmpl->ipv6_src_addr[2]; + info.ul_out.ip_hdr.ipv6_temp.saddr.s6_addr32[3] = + tmpl->ipv6_src_addr[3]; + info.ul_out.ip_hdr.ipv6_temp.daddr.s6_addr32[0] = + tmpl->ipv6_dst_addr[0]; + info.ul_out.ip_hdr.ipv6_temp.daddr.s6_addr32[1] = + tmpl->ipv6_dst_addr[1]; + info.ul_out.ip_hdr.ipv6_temp.daddr.s6_addr32[2] = + tmpl->ipv6_dst_addr[2]; + info.ul_out.ip_hdr.ipv6_temp.daddr.s6_addr32[3] = + tmpl->ipv6_dst_addr[3]; + } + info.ul_out.src_port = tmpl->src_port; + info.ul_out.dst_port = tmpl->dst_port; + info.ul_out.ipa_sockv5_mask = tmpl->ipa_sockv5_mask; + info.ul_out.out_irs = tmpl->out_irs; + info.ul_out.out_iss = tmpl->out_iss; + info.ul_out.in_irs = tmpl->in_irs; + info.ul_out.in_iss = tmpl->in_iss; + info.ul_out.out_ircv_tsval = tmpl->out_ircv_tsval; + info.ul_out.in_ircv_tsecr = tmpl->in_ircv_tsecr; + info.ul_out.out_ircv_tsecr = tmpl->out_ircv_tsecr; + info.ul_out.in_ircv_tsval = tmpl->in_ircv_tsval; + info.ul_out.in_isnd_wscale = tmpl->in_isnd_wscale; + info.ul_out.out_isnd_wscale = tmpl->out_isnd_wscale; + info.ul_out.in_ircv_wscale = tmpl->in_ircv_wscale; + info.ul_out.out_ircv_wscale = tmpl->out_ircv_wscale; + + /* for DL set default values to pass pair validity check */ + info.dl_out.cmd_param = IPA_SOCKsv5_ADD_V4_V6_COM_PM; + info.dl_out.cmd_id = IPA_SOCKsv5_ADD_COM_ID; + } else { + IPAERR("invalid socksv5 direction: %d\n", tmpl->direction); + return -EINVAL; + } + + retval = ipa3_add_socksv5_conn(&info); + if (retval) { + IPAERR("ipa3_add_socksv5_conn failed retval: %d\n", retval); + return retval; + } + + /* save uc handle */ + tmpl->handle = info.handle; + + return retval; +} /** * ipa3_del_socksv5_conn() - IPA add socksv5_conn @@ -9319,9 +9674,9 @@ error: int ipa3_del_socksv5_conn(uint32_t handle) { int res = 0; - void *rp_va; uint32_t *socksv5_handle; struct ipa_msg_meta msg_meta; + struct ipa_socksv5_uc_tmpl *entry, *next; /* IPA version check */ if (ipa3_ctx->ipa_hw_type < IPA_HW_v4_5) { @@ -9339,43 +9694,44 @@ int ipa3_del_socksv5_conn(uint32_t handle) return -EINVAL; } - if ((handle % 2) != 0) { - IPAERR("invalid handle!\n"); + if (ipa3_ctx->uc_act_tbl_socksv5_total < 2) { + IPAERR("invalid handle, tbl doesn't have socksv5 entries!\n"); return -EINVAL; } - if (ipa3_ctx->uc_act_tbl_total < 2) { - IPAERR("invalid handle, all tbl is empty!\n"); - return -EINVAL; - } - - rp_va = ipa3_ctx->uc_act_tbl.base + - handle * sizeof(struct ipa_socksv5_uc_tmpl); + entry = (struct ipa_socksv5_uc_tmpl *)(ipa3_ctx->uc_act_tbl.base + + handle * sizeof(struct ipa_socksv5_uc_tmpl)); + next = (struct ipa_socksv5_uc_tmpl *)(ipa3_ctx->uc_act_tbl.base + + (handle + 1) * sizeof(struct ipa_socksv5_uc_tmpl)); /* check entry is valid or not */ mutex_lock(&ipa3_ctx->act_tbl_lock); - if (!((((struct ipa_socksv5_uc_tmpl *) rp_va)-> - ipa_sockv5_mask) & IPA_SOCKSv5_ENTRY_VALID)) { - IPADBG(" entry %d already free\n", handle); + if (entry->cmd_id != IPA_SOCKsv5_ADD_COM_ID) { + IPAERR(" entry %d not socksv5\n", handle); + res = -EINVAL; + goto error; } - - if (!((((struct ipa_socksv5_uc_tmpl *) (rp_va + - sizeof(struct ipa_socksv5_uc_tmpl)))-> - ipa_sockv5_mask) & IPA_SOCKSv5_ENTRY_VALID)) { - IPADBG(" entry %d already free\n", handle); + if (next->cmd_id != IPA_SOCKsv5_ADD_COM_ID) { + IPAERR(" entry %d not socksv5\n", handle + 1); + res = -EINVAL; + goto error; } + if (!(entry->ipa_sockv5_mask & IPA_SOCKSv5_ENTRY_VALID)) + IPADBG(" entry %d already free\n", handle); - ((struct ipa_socksv5_uc_tmpl *) rp_va)->ipa_sockv5_mask - &= ~IPA_SOCKSv5_ENTRY_VALID; - ((struct ipa_socksv5_uc_tmpl *) (rp_va + - sizeof(struct ipa_socksv5_uc_tmpl)))->ipa_sockv5_mask - &= ~IPA_SOCKSv5_ENTRY_VALID; + if (!(next->ipa_sockv5_mask & IPA_SOCKSv5_ENTRY_VALID)) + IPADBG(" entry %d already free\n", handle); + + entry->ipa_sockv5_mask &= ~IPA_SOCKSv5_ENTRY_VALID; + next->ipa_sockv5_mask &= ~IPA_SOCKSv5_ENTRY_VALID; ipa3_ctx->uc_act_tbl_total -= 2; + ipa3_ctx->uc_act_tbl_socksv5_total -= 2; - IPADBG("free entry %d and %d, left total %d\n", + IPADBG("free entry %d and %d, left total %d, socksv5 total %d\n", handle, handle + 1, - ipa3_ctx->uc_act_tbl_total); + ipa3_ctx->uc_act_tbl_total, + ipa3_ctx->uc_act_tbl_socksv5_total); /* send msg to ipacm */ socksv5_handle = kzalloc(sizeof(*socksv5_handle), GFP_KERNEL); diff --git a/include/linux/ipa.h b/include/linux/ipa.h index 654f68600adf..f2f4a6bd3d5f 100644 --- a/include/linux/ipa.h +++ b/include/linux/ipa.h @@ -1423,9 +1423,35 @@ struct ipa_socksv5_info { struct ipacm_socksv5_info dl_in; /* output: handle (index) */ - uint32_t handle; + uint16_t handle; }; +struct ipa_ipv6_nat_uc_tmpl { + uint16_t cmd_id; + uint16_t rsv; + uint32_t cmd_param; + uint16_t pkt_count; + uint16_t rsv2; + uint32_t byte_count; + uint64_t private_address_lsb; + uint64_t private_address_msb; + uint64_t public_address_lsb; + uint64_t public_address_msb; + uint16_t private_port; + uint16_t public_port; + uint32_t rsv3; + uint64_t rsv4; + uint64_t rsv5; + uint64_t rsv6; + uint64_t rsv7; + uint64_t rsv8; + uint64_t rsv9; + uint64_t rsv10; + uint64_t rsv11; + uint64_t rsv12; +} __packed; + + #if defined CONFIG_IPA || defined CONFIG_IPA3 diff --git a/include/uapi/linux/msm_ipa.h b/include/uapi/linux/msm_ipa.h index 00b293065977..6d86d7357807 100644 --- a/include/uapi/linux/msm_ipa.h +++ b/include/uapi/linux/msm_ipa.h @@ -127,6 +127,8 @@ #define IPA_IOCTL_APP_CLOCK_VOTE 79 #define IPA_IOCTL_PDN_CONFIG 80 #define IPA_IOCTL_SET_MAC_FLT 81 +#define IPA_IOCTL_ADD_UC_ACT_ENTRY 82 +#define IPA_IOCTL_DEL_UC_ACT_ENTRY 83 /** * max size of the header to be inserted @@ -2515,6 +2517,73 @@ struct ipa_wan_msg { uint32_t ipv6_addr_gw[IPA_WAN_MSG_IPv6_ADDR_GW_LEN]; }; +/* uc activation command Ids */ +#define IPA_SOCKSV5_ADD_COM_ID 15 +#define IPA_IPv6_NAT_COM_ID 16 + +/** + * ipa_kernel_tests_socksv5_uc_tmpl - uc activation entry info + * @cmd_id: uc command id + * @cmd_param: uC command param + * @ipa_kernel_tests_ip_hdr_temp: ip header + * @src_port: source port + * @dst_port: destination port + * @ipa_sockv5_mask: uc attribute mask for options/etc + * @out_irs: 4B/4B Seq/Ack/SACK + * @out_iss + * @in_irs + * @in_iss + * @out_ircv_tsval: timestamp attributes + * @in_ircv_tsecr + * @out_ircv_tsecr + * @in_ircv_tsval + * @in_isnd_wscale: window scale attributes + * @out_isnd_wscale + * @in_ircv_wscale + * @out_ircv_wscale + * @direction: 1 for UL 0 for DL + * @handle: uc activation table index + */ +struct ipa_kernel_tests_socksv5_uc_tmpl { + uint16_t cmd_id; + uint32_t cmd_param; + __be32 ip_src_addr; + __be32 ip_dst_addr; + __be32 ipv6_src_addr[4]; + __be32 ipv6_dst_addr[4]; + + /* 2B src/dst port */ + uint16_t src_port; + uint16_t dst_port; + + /* attribute mask */ + uint32_t ipa_sockv5_mask; + + /* required update 4B/4B Seq/Ack/SACK */ + uint32_t out_irs; + uint32_t out_iss; + uint32_t in_irs; + uint32_t in_iss; + + /* option 10B: time-stamp */ + uint32_t out_ircv_tsval; + uint32_t in_ircv_tsecr; + uint32_t out_ircv_tsecr; + uint32_t in_ircv_tsval; + + /* option 2B: window-scaling/dynamic */ + uint16_t in_isnd_wscale : 4; + uint16_t out_isnd_wscale : 4; + uint16_t in_ircv_wscale : 4; + uint16_t out_ircv_wscale : 4; + + /* direction 1 = UL, 0 = DL */ + uint8_t direction; + + /* output: handle (index) */ + uint16_t handle; +}; + /** * struct ipacm_socksv5_info - To hold information about socksv5 connections * @ip_type: ip type @@ -2565,6 +2634,41 @@ struct ipa_socksv5_msg { uint16_t handle; }; +/** + * struct ipa_ioc_ipv6_nat_uc_act_entry - To hold information about IPv6 NAT + * uC entry + * @cmd_id[in]: IPv6 NAT uC CMD ID - used for identifying uc activation type + * @private_address_lsb[in]: client private address lsb + * @private_address_msb[in]: client private address msb + * @public_address_lsb[in]: client public address lsb + * @public_address_msb[in]: client public address msb + * @private_port[in]: client private port + * @public_port[in]: client public port + * @index[out]: uC activation entry index + */ +struct ipa_ioc_ipv6_nat_uc_act_entry { + uint16_t cmd_id; + uint64_t private_address_lsb; + uint64_t private_address_msb; + uint64_t public_address_lsb; + uint64_t public_address_msb; + uint32_t private_port; + uint32_t public_port; + uint16_t index; +}; + +/** + * union ipa_ioc_uc_activation_entry - To hold information about uC activation + * entry + * @socks[in]: fill here if entry is Socksv5 entry + * @ipv6_nat[in]: fill here if entry is IPv6 NAT entry + */ +union ipa_ioc_uc_activation_entry { + struct ipa_kernel_tests_socksv5_uc_tmpl socks; + struct ipa_ioc_ipv6_nat_uc_act_entry ipv6_nat; +}; + + /** * struct ipa_ioc_rm_dependency - parameters for add/delete dependency * @resource_name: name of dependent resource @@ -3084,6 +3188,14 @@ struct ipa_ioc_mac_client_list_type { IPA_IOCTL_SET_MAC_FLT, \ struct ipa_ioc_mac_client_list_type) +#define IPA_IOC_ADD_UC_ACT_ENTRY _IOWR(IPA_IOC_MAGIC, \ + IPA_IOCTL_ADD_UC_ACT_ENTRY, \ + union ipa_ioc_uc_activation_entry) + +#define IPA_IOC_DEL_UC_ACT_ENTRY _IOWR(IPA_IOC_MAGIC, \ + IPA_IOCTL_DEL_UC_ACT_ENTRY, \ + uint16_t) + /* * unique magic number of the Tethering bridge ioctls */ From 0b168c7f2da50d29bd95d473671ea60711431b09 Mon Sep 17 00:00:00 2001 From: Lei wang Date: Mon, 3 Aug 2020 17:33:14 +0800 Subject: [PATCH 121/386] Revert "security: selinux: allow per-file labelling for binderfs" Current androidQ build still does not support binderfs selinux policy, this will cause binderfs mount failed. Revert it for this release. Change-Id: Ice22179cade43a8929d8bfdbea710bb0e176a1a7 Signed-off-by: Lei wang --- security/selinux/hooks.c | 1 - 1 file changed, 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 84f89ab1f2b5..3a16b388d6d0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -870,7 +870,6 @@ static int selinux_set_mnt_opts(struct super_block *sb, !strcmp(sb->s_type->name, "tracefs") || !strcmp(sb->s_type->name, "sysfs") || !strcmp(sb->s_type->name, "pstore") || - !strcmp(sb->s_type->name, "binder") || !strcmp(sb->s_type->name, "cgroup") || !strcmp(sb->s_type->name, "cgroup2")) sbsec->flags |= SE_SBGENFS; From 52fdeb09ae38088065243da368f4acc169358b68 Mon Sep 17 00:00:00 2001 From: Rajeswari Konda Date: Fri, 7 Aug 2020 00:32:07 +0530 Subject: [PATCH 122/386] ARM: dts: add audio device tree for sda429 Add audio device tree for sda429. Change-Id: Ieeb964eba308407bd18c2977e1029703e6be049c Signed-off-by: Rajeswari Konda --- arch/arm64/boot/dts/qcom/sda429-bg-dvt2-wtp-overlay.dts | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/qcom/sda429-bg-dvt2-wtp-overlay.dts b/arch/arm64/boot/dts/qcom/sda429-bg-dvt2-wtp-overlay.dts index 04d3b38f2d42..449691b4c68d 100644 --- a/arch/arm64/boot/dts/qcom/sda429-bg-dvt2-wtp-overlay.dts +++ b/arch/arm64/boot/dts/qcom/sda429-bg-dvt2-wtp-overlay.dts @@ -17,6 +17,7 @@ #include #include "sda429-bg-dvt2-wtp.dtsi" #include "sdm429-mdss-panels.dtsi" +#include "sdm429-spyro-qrd-evt-audio.dtsi" / { model = "Qualcomm Technologies, Inc. SDA429 QRD BG WTP Overlay"; From f56dfbc04ec6f9de3e3067138d6b16c4c31c8c2f Mon Sep 17 00:00:00 2001 From: Prudhvi Yarlagadda Date: Mon, 10 Aug 2020 13:09:44 +0530 Subject: [PATCH 123/386] ARM: dts: msm: Enable BAM mode for spi dtsi node Enabling the BAM mode for spi driver in sdm429 target. It was earlier disabled due to time outs observed when spi transfers are in BAM mode. This is due to build issues and on the latest builds issue is not seen anymore. This reverts commit b6a650c99971e1ae80c27393b806af87d15a9fb4. Change-Id: I1ae83f28f24e56b93dac8dcaabe8055b1e05db8a Signed-off-by: Prudhvi Yarlagadda --- arch/arm64/boot/dts/qcom/sdm429-blsp.dtsi | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/qcom/sdm429-blsp.dtsi b/arch/arm64/boot/dts/qcom/sdm429-blsp.dtsi index e661a4f1db0b..06f9e76d7983 100644 --- a/arch/arm64/boot/dts/qcom/sdm429-blsp.dtsi +++ b/arch/arm64/boot/dts/qcom/sdm429-blsp.dtsi @@ -198,6 +198,7 @@ interrupts = <0 97 IRQ_TYPE_LEVEL_HIGH>, <0 238 IRQ_TYPE_LEVEL_HIGH>; spi-max-frequency = <50000000>; + qcom,use-bam; qcom,ver-reg-exists; qcom,bam-consumer-pipe-index = <8>; qcom,bam-producer-pipe-index = <9>; From e599aa241673bd0fc5f0058ef0641d1ace0406e8 Mon Sep 17 00:00:00 2001 From: Subramanian Ananthanarayanan Date: Tue, 28 Jul 2020 13:43:33 +0530 Subject: [PATCH 124/386] msm: ep_pcie: Prevent apps suspend in active state PCIE global interrupt and MHI interrupts are not wakeup-capable. Acquire wakelock after PERST de-assertion to avoid delayed processing of these interrupts if apps enters suspend before they fire. Wakelock is released when entering D3 cold. This change also involves a check for PERST de-assertion to bail out before we shut down the link. Change-Id: I53e9c58584f92b91bb17e0a20d3666339bd878b4 Signed-off-by: Subramanian Ananthanarayanan --- drivers/platform/msm/ep_pcie/ep_pcie_com.h | 3 +- drivers/platform/msm/ep_pcie/ep_pcie_core.c | 72 ++++++++++++++++++--- 2 files changed, 66 insertions(+), 9 deletions(-) diff --git a/drivers/platform/msm/ep_pcie/ep_pcie_com.h b/drivers/platform/msm/ep_pcie/ep_pcie_com.h index e77734e1b476..cd4effbea361 100644 --- a/drivers/platform/msm/ep_pcie/ep_pcie_com.h +++ b/drivers/platform/msm/ep_pcie/ep_pcie_com.h @@ -406,7 +406,6 @@ struct ep_pcie_dev_t { bool config_mmio_init; bool enumerated; enum ep_pcie_link_status link_status; - bool perst_deast; bool power_on; bool suspending; bool l23_ready; @@ -414,6 +413,8 @@ struct ep_pcie_dev_t { struct ep_pcie_msi_config msi_cfg; bool no_notify; bool client_ready; + atomic_t ep_pcie_dev_wake; + atomic_t perst_deast; struct ep_pcie_register_event *event_reg; struct work_struct handle_perst_work; diff --git a/drivers/platform/msm/ep_pcie/ep_pcie_core.c b/drivers/platform/msm/ep_pcie/ep_pcie_core.c index adae05919994..62d40d9fe81f 100644 --- a/drivers/platform/msm/ep_pcie/ep_pcie_core.c +++ b/drivers/platform/msm/ep_pcie/ep_pcie_core.c @@ -1805,7 +1805,7 @@ int ep_pcie_core_enable_endpoint(enum ep_pcie_options opt) ret = EP_PCIE_ERROR; goto link_fail; } else { - dev->perst_deast = true; + atomic_set(&dev->perst_deast, 1); if (opt & EP_PCIE_OPT_AST_WAKE) { /* deassert PCIe WAKE# */ EP_PCIE_DBG(dev, @@ -1971,11 +1971,19 @@ out: int ep_pcie_core_disable_endpoint(void) { int rc = 0; + u32 val = 0; + unsigned long irqsave_flags; struct ep_pcie_dev_t *dev = &ep_pcie_dev; EP_PCIE_DBG(dev, "PCIe V%d\n", dev->rev); mutex_lock(&dev->setup_mtx); + if (atomic_read(&dev->perst_deast)) { + EP_PCIE_DBG(dev, + "PCIe V%d: PERST is de-asserted, exiting disable\n", + dev->rev); + goto out; + } if (!dev->power_on) { EP_PCIE_DBG(dev, @@ -1992,9 +2000,25 @@ int ep_pcie_core_disable_endpoint(void) dev->rev); } + val = readl_relaxed(dev->elbi + PCIE20_ELBI_SYS_STTS); + EP_PCIE_DBG(dev, "PCIe V%d: LTSSM_STATE during disable:0x%x\n", + dev->rev, (val >> 0xC) & 0x3f); ep_pcie_pipe_clk_deinit(dev); ep_pcie_clk_deinit(dev); ep_pcie_vreg_deinit(dev); + + spin_lock_irqsave(&dev->isr_lock, irqsave_flags); + if (atomic_read(&dev->ep_pcie_dev_wake) && + !atomic_read(&dev->perst_deast)) { + EP_PCIE_DBG(dev, "PCIe V%d: Released wakelock\n", dev->rev); + atomic_set(&dev->ep_pcie_dev_wake, 0); + pm_relax(&dev->pdev->dev); + } else { + EP_PCIE_DBG(dev, "PCIe V%d: Bail, Perst-assert:%d wake:%d\n", + dev->rev, atomic_read(&dev->perst_deast), + atomic_read(&dev->ep_pcie_dev_wake)); + } + spin_unlock_irqrestore(&dev->isr_lock, irqsave_flags); out: mutex_unlock(&dev->setup_mtx); return rc; @@ -2251,12 +2275,25 @@ static void handle_d3cold_func(struct work_struct *work) { struct ep_pcie_dev_t *dev = container_of(work, struct ep_pcie_dev_t, handle_d3cold_work); + unsigned long irqsave_flags; EP_PCIE_DBG(dev, "PCIe V%d: shutdown PCIe link due to PERST assertion before BME is set\n", dev->rev); ep_pcie_core_disable_endpoint(); dev->no_notify = false; + spin_lock_irqsave(&dev->isr_lock, irqsave_flags); + if (atomic_read(&dev->ep_pcie_dev_wake) && + !atomic_read(&dev->perst_deast)) { + atomic_set(&dev->ep_pcie_dev_wake, 0); + pm_relax(&dev->pdev->dev); + EP_PCIE_DBG(dev, "PCIe V%d: Released wakelock\n", dev->rev); + } else { + EP_PCIE_DBG(dev, "PCIe V%d: Bail, Perst-assert:%d wake:%d\n", + dev->rev, atomic_read(&dev->perst_deast), + atomic_read(&dev->ep_pcie_dev_wake)); + } + spin_unlock_irqrestore(&dev->isr_lock, irqsave_flags); } static void handle_bme_func(struct work_struct *work) @@ -2294,14 +2331,24 @@ static irqreturn_t ep_pcie_handle_perst_irq(int irq, void *data) } if (perst) { - dev->perst_deast = true; + atomic_set(&dev->perst_deast, 1); dev->perst_deast_counter++; + /* + * Hold a wakelock to avoid missing BME and other + * interrupts if apps goes into suspend before BME is set. + */ + if (!atomic_read(&dev->ep_pcie_dev_wake)) { + pm_stay_awake(&dev->pdev->dev); + atomic_set(&dev->ep_pcie_dev_wake, 1); + EP_PCIE_DBG(dev, "PCIe V%d: Acquired wakelock\n", + dev->rev); + } EP_PCIE_DBG(dev, "PCIe V%d: No. %ld PERST deassertion\n", dev->rev, dev->perst_deast_counter); ep_pcie_notify_event(dev, EP_PCIE_EVENT_PM_RST_DEAST); } else { - dev->perst_deast = false; + atomic_set(&dev->perst_deast, 0); dev->perst_ast_counter++; EP_PCIE_DBG(dev, "PCIe V%d: No. %ld PERST assertion\n", @@ -2552,14 +2599,15 @@ perst_irq: * based on the next expected level of the gpio */ if (gpio_get_value(dev->gpio[EP_PCIE_GPIO_PERST].num) == 1) - dev->perst_deast = true; + atomic_set(&dev->perst_deast, 1); /* register handler for PERST interrupt */ perst_irq = gpio_to_irq(dev->gpio[EP_PCIE_GPIO_PERST].num); ret = devm_request_irq(pdev, perst_irq, ep_pcie_handle_perst_irq, - ((dev->perst_deast ? IRQF_TRIGGER_LOW : IRQF_TRIGGER_HIGH) - | IRQF_EARLY_RESUME), + ((atomic_read(&dev->perst_deast) ? + IRQF_TRIGGER_LOW : IRQF_TRIGGER_HIGH) + | IRQF_EARLY_RESUME), "ep_pcie_perst", dev); if (ret) { EP_PCIE_ERR(dev, @@ -2953,7 +3001,7 @@ static int ep_pcie_core_wakeup_host(enum ep_pcie_event event) if (event == EP_PCIE_EVENT_PM_D3_HOT) ep_pcie_core_issue_inband_pme(); - if (dev->perst_deast && !dev->l23_ready) { + if (atomic_read(&dev->perst_deast) && !dev->l23_ready) { EP_PCIE_ERR(dev, "PCIe V%d: request to assert WAKE# when PERST is de-asserted and D3hot is not received\n", dev->rev); @@ -2964,7 +3012,7 @@ static int ep_pcie_core_wakeup_host(enum ep_pcie_event event) EP_PCIE_DBG(dev, "PCIe V%d: No. %ld to assert PCIe WAKE#; perst is %s de-asserted; D3hot is %s received\n", dev->rev, dev->wake_counter, - dev->perst_deast ? "" : "not", + atomic_read(&dev->perst_deast) ? "" : "not", dev->l23_ready ? "" : "not"); /* * Assert WAKE# GPIO until link is back to L0. @@ -3219,6 +3267,14 @@ static int ep_pcie_probe(struct platform_device *pdev) goto irq_failure; } + /* + * Wakelock is needed to avoid missing BME and other + * interrupts if apps goes into suspend before host + * sets them. + */ + device_init_wakeup(&ep_pcie_dev.pdev->dev, true); + atomic_set(&ep_pcie_dev.ep_pcie_dev_wake, 0); + if (ep_pcie_dev.perst_enum && !gpio_get_value(ep_pcie_dev.gpio[EP_PCIE_GPIO_PERST].num)) { EP_PCIE_DBG2(&ep_pcie_dev, From d659af34f76a69edb76b2aeb1979e1847da32b90 Mon Sep 17 00:00:00 2001 From: Aditya Mathur Date: Mon, 3 Aug 2020 13:59:52 -0700 Subject: [PATCH 125/386] ARM: dts: sa2150p: Enable EMAC settings for SA2150P Reverse EMAC RX clock polarity for 10/100M and keep DLL in bypass mode for 1000M on SA2150P NAND platform. Change-Id: I29dc8b7427c0e8c113d8e0a58848fed8486db928 Signed-off-by: Aditya Mathur --- arch/arm64/boot/dts/qcom/sa2145p-ccard-nand-dc.dts | 8 ++++++++ arch/arm64/boot/dts/qcom/sa2150p-ccard-nand-dc.dts | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/sa2145p-ccard-nand-dc.dts b/arch/arm64/boot/dts/qcom/sa2145p-ccard-nand-dc.dts index 2aa4f8d7047c..19b33f9f06ba 100644 --- a/arch/arm64/boot/dts/qcom/sa2145p-ccard-nand-dc.dts +++ b/arch/arm64/boot/dts/qcom/sa2145p-ccard-nand-dc.dts @@ -73,3 +73,11 @@ &sdx_ext_ipc { qcom,wakeup-gpio-out = <&tlmm 77 0x00>; }; + +ðqos_hw { + rxc-skew-ps = <720>; + io-macro-info { + rx-prog-swap; + rx-dll-bypass; + }; +}; diff --git a/arch/arm64/boot/dts/qcom/sa2150p-ccard-nand-dc.dts b/arch/arm64/boot/dts/qcom/sa2150p-ccard-nand-dc.dts index e7f9dcb42061..418d9bb685a5 100644 --- a/arch/arm64/boot/dts/qcom/sa2150p-ccard-nand-dc.dts +++ b/arch/arm64/boot/dts/qcom/sa2150p-ccard-nand-dc.dts @@ -147,3 +147,11 @@ &sdx_ext_ipc { qcom,wakeup-gpio-out = <&tlmm 77 0x00>; }; + +ðqos_hw { + rxc-skew-ps = <720>; + io-macro-info { + rx-prog-swap; + rx-dll-bypass; + }; +}; From bc05e27b03fda693713ca85f0bf325b1e1be5a39 Mon Sep 17 00:00:00 2001 From: Jianmin Zhu Date: Tue, 11 Aug 2020 10:15:44 +0800 Subject: [PATCH 126/386] qcacld-3.0: Increase unsafe channel max num for 6G 2G+5G+6G, total channel num is 157 until now, increase unsafe channel max num to avoid out of buffer. Change-Id: I1e433c0bd88290bb5493b2c4b0bda86e17b04a01 CRs-Fixed: 2752689 Signed-off-by: Jianmin Zhu --- drivers/net/wireless/cnss_utils/cnss_utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/cnss_utils/cnss_utils.c b/drivers/net/wireless/cnss_utils/cnss_utils.c index 713b6a938207..7c1023905e3f 100644 --- a/drivers/net/wireless/cnss_utils/cnss_utils.c +++ b/drivers/net/wireless/cnss_utils/cnss_utils.c @@ -31,7 +31,7 @@ #define LPASS_PMU_INT_EN0 0xC060084 #define LPASS_PMU_INT_CLR 0xC060034 #endif -#define CNSS_MAX_CH_NUM 45 +#define CNSS_MAX_CH_NUM 157 struct cnss_unsafe_channel_list { u16 unsafe_ch_count; u16 unsafe_ch_list[CNSS_MAX_CH_NUM]; From a3da1921edb55431072dc715b0a9ceb0d2335255 Mon Sep 17 00:00:00 2001 From: Jeya R Date: Tue, 11 Aug 2020 12:26:06 +0530 Subject: [PATCH 127/386] msm: adsprpc: Avoid race condition during map find and free Protect remote heap buffer list with spin lock while freeing to avoid UAF in fastrpc_mmap_find() on a buffer that is freed in fastrpc_mmap_free(). Change-Id: I524abf80087a5a53dfdf81c81ef34cd13f6a43cb Acked-by: Maitreyi Gupta Signed-off-by: jeyr --- drivers/char/adsprpc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c index 752c243218ce..d846f2cd1a6a 100644 --- a/drivers/char/adsprpc.c +++ b/drivers/char/adsprpc.c @@ -733,9 +733,11 @@ static void fastrpc_mmap_free(struct fastrpc_mmap *map, uint32_t flags) } if (map->flags == ADSP_MMAP_HEAP_ADDR || map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR) { + spin_lock(&me->hlock); map->refs--; if (!map->refs) hlist_del_init(&map->hn); + spin_unlock(&me->hlock); if (map->refs > 0) return; } else { From 093c7d808fd93bb2567b1dc90f023854eef6d8b4 Mon Sep 17 00:00:00 2001 From: Jaegeuk Kim Date: Tue, 11 Aug 2020 15:10:04 -0700 Subject: [PATCH 128/386] f2fs: avoid to wait writeback on evicted inode If the inode is still in the list, vfs will wait forever on dangling inode object. Signed-off-by: Jaegeuk Kim --- fs/f2fs/inode.c | 8 ++++++++ fs/fs-writeback.c | 1 + include/linux/writeback.h | 1 + 3 files changed, 10 insertions(+) diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c index 1a44b43518c8..596e618909b1 100644 --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -776,6 +776,14 @@ no_delete: else f2fs_inode_synced(inode); + /* + * Make sure evicted inode should not wait for writeback again. + */ + if (!list_empty_careful(&inode->i_io_list)) { + WARN_ON(1); + inode_io_list_del(inode); + } + /* for the case f2fs_new_inode() was failed, .i_ino is zero, skip it */ if (inode->i_ino) invalidate_mapping_pages(NODE_MAPPING(sbi), inode->i_ino, diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c index b44e7444e7ec..3245c99d856b 100644 --- a/fs/fs-writeback.c +++ b/fs/fs-writeback.c @@ -996,6 +996,7 @@ void inode_io_list_del(struct inode *inode) spin_unlock(&inode->i_lock); spin_unlock(&wb->list_lock); } +EXPORT_SYMBOL(inode_io_list_del); /* * mark an inode as under writeback on the sb diff --git a/include/linux/writeback.h b/include/linux/writeback.h index e12d92808e98..43c702e22e04 100644 --- a/include/linux/writeback.h +++ b/include/linux/writeback.h @@ -192,6 +192,7 @@ bool try_to_writeback_inodes_sb_nr(struct super_block *, unsigned long nr, void sync_inodes_sb(struct super_block *); void wakeup_flusher_threads(long nr_pages, enum wb_reason reason); void inode_wait_for_writeback(struct inode *inode); +void inode_io_list_del(struct inode *inode); /* writeback.h requires fs.h; it, too, is not included from here. */ static inline void wait_on_inode(struct inode *inode) From b5e99bad898fc55e88014a6fc11107ca7d05be14 Mon Sep 17 00:00:00 2001 From: Charan Teja Reddy Date: Thu, 13 Feb 2020 13:51:41 +0530 Subject: [PATCH 129/386] ion: don't call free_buffer_page on failure of ion_hyp_unassign_sg As we don't know the state of pages after failure from ion_hyp_unassign_sg, don't try to free them to buddy or pool. Change-Id: I54113ef13e25818301bdbe033468070b15cefa55 Signed-off-by: Charan Teja Reddy --- drivers/staging/android/ion/ion_system_heap.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/staging/android/ion/ion_system_heap.c b/drivers/staging/android/ion/ion_system_heap.c index 723d49bbc5bb..af1ea09141ab 100644 --- a/drivers/staging/android/ion/ion_system_heap.c +++ b/drivers/staging/android/ion/ion_system_heap.c @@ -2,7 +2,7 @@ * drivers/staging/android/ion/ion_system_heap.c * * Copyright (C) 2011 Google, Inc. - * Copyright (c) 2011-2019, The Linux Foundation. All rights reserved. + * Copyright (c) 2011-2020, The Linux Foundation. All rights reserved. * * This software is licensed under the terms of the GNU General Public * License version 2, as published by the Free Software Foundation, and @@ -409,11 +409,13 @@ err_free_sg2: buffer->private_flags |= ION_PRIV_FLAG_SHRINKER_FREE; if (vmid > 0) - ion_hyp_unassign_sg(table, &vmid, 1, true, false); + if (ion_hyp_unassign_sg(table, &vmid, 1, true, false)) + goto err_free_table_sync; for_each_sg(table->sgl, sg, table->nents, i) free_buffer_page(sys_heap, buffer, sg_page(sg), get_order(sg->length)); +err_free_table_sync: if (nents_sync) sg_free_table(&table_sync); err_free_sg: From 2169dec40495f7d28184f5570790ea5cca86d807 Mon Sep 17 00:00:00 2001 From: Suresh Kumar Allam Date: Mon, 29 Jun 2020 23:40:26 +0530 Subject: [PATCH 130/386] arm: dts: qcom: Enable msm ion heap for qseecom Enable msm ion heap memory for qseecom. Change-Id: I57e564359e58a5ee2963ef62e854c6f9e6841393 Signed-off-by: Haribabu Gattem Signed-off-by: Sivasri Kumar Vanka --- arch/arm64/boot/dts/qcom/mdm9607-ion.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/qcom/mdm9607-ion.dtsi b/arch/arm64/boot/dts/qcom/mdm9607-ion.dtsi index b828b3ccf78b..5b8d3bcc2ea1 100644 --- a/arch/arm64/boot/dts/qcom/mdm9607-ion.dtsi +++ b/arch/arm64/boot/dts/qcom/mdm9607-ion.dtsi @@ -32,7 +32,7 @@ reg = <27>; memory-region = <&qseecom_mem>; qcom,ion-heap-type = "DMA"; - status = "disabled"; + status = "ok"; }; }; }; From a26476f5417aa02476c38c5b449675705250f0a4 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Tue, 18 Aug 2020 11:39:49 +0800 Subject: [PATCH 131/386] binderfs: use refcount for binder control devices too Binderfs binder-control devices are cleaned up via binderfs_evict_inode too() which will use refcount_dec_and_test(). However, we missed to set the refcount for binderfs binder-control devices and so we underflowed when the binderfs instance got unmounted. Pretty obvious oversight and should have been part of the more general UAF fix. The good news is that having test cases (suprisingly) helps. Technically, we could detect that we're about to cleanup the binder-control dentry in binderfs_evict_inode() and then simply clean it up. But that makes the assumption that the binder driver itself will never make use of a binderfs binder-control device after the binderfs instance it belongs to has been unmounted and the superblock for it been destroyed. While it is unlikely to ever come to this let's be on the safe side. Performance-wise this also really doesn't matter since the binder-control device is only every really when creating the binderfs filesystem or creating additional binder devices. Both operations are pretty rare. Change-Id: Ia2eedd8b11621c9358c372b024ffb776055600f6 Fixes: f0fe2c0f050d ("binder: prevent UAF for binderfs devices II") Link: https://lore.kernel.org/r/CA+G9fYusdfg7PMfC9Xce-xLT7NiyKSbgojpK35GOm=Pf9jXXrA@mail.gmail.com Reported-by: Naresh Kamboju Cc: stable@vger.kernel.org Signed-off-by: Christian Brauner Acked-by: Todd Kjos Link: https://lore.kernel.org/r/20200311105309.1742827-1-christian.brauner@ubuntu.com Signed-off-by: Greg Kroah-Hartman Git-repo: git://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git Git-commit: 211b64e4b5b6bd5fdc19cd525c2cc9a90e6b0ec9 Signed-off-by: Lei wang --- drivers/android/binderfs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c index c25ab8bc8b4b..bfdbc9c640ff 100644 --- a/drivers/android/binderfs.c +++ b/drivers/android/binderfs.c @@ -448,6 +448,7 @@ static int binderfs_binder_ctl_create(struct super_block *sb) inode->i_uid = info->root_uid; inode->i_gid = info->root_gid; + refcount_set(&device->ref, 1); device->binderfs_inode = inode; device->miscdev.minor = minor; From 5d9d56dec3a3c69826dc5f79452f3685302accd6 Mon Sep 17 00:00:00 2001 From: Venkata Rao Kakani Date: Tue, 18 Aug 2020 10:07:07 +0530 Subject: [PATCH 132/386] ARM: dts: msm: disable avb for lv container disable avb for lv lxc container as avb is not supported for lv gvm. Change-Id: Ie76cde5a8f8c5736f3df5313f9ca82baaa49d27e Signed-off-by: Venkata Rao Kakani --- arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dtsi | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dtsi b/arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dtsi index d2eceb74af93..98522181a703 100644 --- a/arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dtsi +++ b/arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dtsi @@ -19,6 +19,7 @@ }; }; + /delete-node/ rename_blk; }; &hab { From bffd75e0953d4be3514277070199bc4763a36bc4 Mon Sep 17 00:00:00 2001 From: Wanteng Zhang Date: Thu, 13 Aug 2020 12:34:11 +0800 Subject: [PATCH 133/386] ARM: dts: msm: Add multiple dri device nodes for sa8195 lxc gvm Multiple device nodes of dri card will be created for sa8195 lxc gvm Change-Id: I07e45c04867fa1c8ae371247b56cefdfd9694c09 Signed-off-by: Wanteng Zhang --- arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dts | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dts b/arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dts index 99342867dcbb..fc7e93ba2874 100644 --- a/arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dts +++ b/arch/arm64/boot/dts/qcom/sa8195-vm-lv-lxc.dts @@ -21,3 +21,20 @@ qcom,pmic-name = "PM8195"; qcom,board-id = <0x1000002 0>; }; + +&soc { + sde_kms_hyp1: qcom,sde_kms_hyp@ae10000 { + compatible = "qcom,sde-kms-hyp"; + qcom,client-id = "7815"; + }; + + sde_kms_hyp2: qcom,sde_kms_hyp@ae20000 { + compatible = "qcom,sde-kms-hyp"; + qcom,client-id = "7818"; + }; + + sde_kms_hyp3: qcom,sde_kms_hyp@ae30000 { + compatible = "qcom,sde-kms-hyp"; + qcom,client-id = "7819"; + }; +}; From 8e78e6d11e5e846ad78dcd38c2e75bfd2662f7aa Mon Sep 17 00:00:00 2001 From: UtsavBalar1231 Date: Tue, 18 Aug 2020 18:10:53 +0530 Subject: [PATCH 134/386] Revert "sde: interrupts: optimize interrupt dispatching routines" This reverts commit fe708336d43275363c8ecd64a9a8016e0dd63725. --- drivers/gpu/drm/msm/sde/sde_core_irq.c | 37 +++++++++-- drivers/gpu/drm/msm/sde/sde_hw_interrupts.c | 71 ++++++++++++++++----- drivers/gpu/drm/msm/sde/sde_hw_interrupts.h | 10 +++ drivers/gpu/drm/msm/sde/sde_kms.h | 1 + 4 files changed, 99 insertions(+), 20 deletions(-) diff --git a/drivers/gpu/drm/msm/sde/sde_core_irq.c b/drivers/gpu/drm/msm/sde/sde_core_irq.c index 2fe931e12c32..b082778a4590 100644 --- a/drivers/gpu/drm/msm/sde/sde_core_irq.c +++ b/drivers/gpu/drm/msm/sde/sde_core_irq.c @@ -44,6 +44,8 @@ static void sde_core_irq_callback_handler(void *arg, int irq_idx) &sde_kms->irq_obj.enable_counts[irq_idx]); } + atomic_inc(&irq_obj->irq_counts[irq_idx]); + /* * Perform registered function callback */ @@ -70,6 +72,15 @@ static void sde_core_irq_callback_handler(void *arg, int irq_idx) SDE_EVT32_IRQ(irq_idx, enable_counts, SDE_EVTLOG_ERROR); } } + + /* + * Clear pending interrupt status in HW. + * NOTE: sde_core_irq_callback_handler is protected by top-level + * spinlock, so it is safe to clear any interrupt status here. + */ + sde_kms->hw_intr->ops.clear_intr_status_nolock( + sde_kms->hw_intr, + irq_idx); } int sde_core_irq_idx_lookup(struct sde_kms *sde_kms, @@ -94,7 +105,8 @@ static int _sde_core_irq_enable(struct sde_kms *sde_kms, int irq_idx) int ret = 0; if (!sde_kms || !sde_kms->hw_intr || - !sde_kms->irq_obj.enable_counts) { + !sde_kms->irq_obj.enable_counts || + !sde_kms->irq_obj.irq_counts) { SDE_ERROR("invalid params\n"); return -EINVAL; } @@ -400,14 +412,15 @@ static int sde_debugfs_core_irq_show(struct seq_file *s, void *v) for (i = 0; i < irq_obj->total_irqs; i++) { spin_lock_irqsave(&irq_obj->cb_lock, irq_flags); cb_count = 0; + irq_count = atomic_read(&irq_obj->irq_counts[i]); enable_count = atomic_read(&irq_obj->enable_counts[i]); list_for_each_entry(cb, &irq_obj->irq_cb_tbl[i], list) cb_count++; spin_unlock_irqrestore(&irq_obj->cb_lock, irq_flags); if (irq_count || enable_count || cb_count) - seq_printf(s, "idx:%d enable:%d cb:%d\n", - i, enable_count, cb_count); + seq_printf(s, "idx:%d irq:%d enable:%d cb:%d\n", + i, irq_count, enable_count, cb_count); } return 0; @@ -481,7 +494,10 @@ void sde_core_irq_preinstall(struct sde_kms *sde_kms) sizeof(struct list_head), GFP_KERNEL); sde_kms->irq_obj.enable_counts = kcalloc(sde_kms->irq_obj.total_irqs, sizeof(atomic_t), GFP_KERNEL); - if (!sde_kms->irq_obj.irq_cb_tbl || !sde_kms->irq_obj.enable_counts) + sde_kms->irq_obj.irq_counts = kcalloc(sde_kms->irq_obj.total_irqs, + sizeof(atomic_t), GFP_KERNEL); + if (!sde_kms->irq_obj.irq_cb_tbl || !sde_kms->irq_obj.enable_counts + || !sde_kms->irq_obj.irq_counts) return; for (i = 0; i < sde_kms->irq_obj.total_irqs; i++) { @@ -489,6 +505,8 @@ void sde_core_irq_preinstall(struct sde_kms *sde_kms) INIT_LIST_HEAD(&sde_kms->irq_obj.irq_cb_tbl[i]); if (sde_kms->irq_obj.enable_counts) atomic_set(&sde_kms->irq_obj.enable_counts[i], 0); + if (sde_kms->irq_obj.irq_counts) + atomic_set(&sde_kms->irq_obj.irq_counts[i], 0); } } @@ -536,8 +554,10 @@ void sde_core_irq_uninstall(struct sde_kms *sde_kms) spin_lock_irqsave(&sde_kms->irq_obj.cb_lock, irq_flags); kfree(sde_kms->irq_obj.irq_cb_tbl); kfree(sde_kms->irq_obj.enable_counts); + kfree(sde_kms->irq_obj.irq_counts); sde_kms->irq_obj.irq_cb_tbl = NULL; sde_kms->irq_obj.enable_counts = NULL; + sde_kms->irq_obj.irq_counts = NULL; sde_kms->irq_obj.total_irqs = 0; spin_unlock_irqrestore(&sde_kms->irq_obj.cb_lock, irq_flags); } @@ -641,6 +661,15 @@ int sde_core_irq_domain_fini(struct sde_kms *sde_kms) irqreturn_t sde_core_irq(struct sde_kms *sde_kms) { + /* + * Read interrupt status from all sources. Interrupt status are + * stored within hw_intr. + * Function will also clear the interrupt status after reading. + * Individual interrupt status bit will only get stored if it + * is enabled. + */ + sde_kms->hw_intr->ops.get_interrupt_statuses(sde_kms->hw_intr); + /* * Dispatch to HW driver to handle interrupt lookup that is being * fired. When matching interrupt is located, HW driver will call to diff --git a/drivers/gpu/drm/msm/sde/sde_hw_interrupts.c b/drivers/gpu/drm/msm/sde/sde_hw_interrupts.c index d6b4f8a462fc..c34aed434dca 100644 --- a/drivers/gpu/drm/msm/sde/sde_hw_interrupts.c +++ b/drivers/gpu/drm/msm/sde/sde_hw_interrupts.c @@ -880,17 +880,13 @@ static void sde_hw_intr_dispatch_irq(struct sde_hw_intr *intr, return; /* + * The dispatcher will save the IRQ status before calling here. * Now need to go through each IRQ status and find matching * irq lookup index. */ spin_lock_irqsave(&intr->irq_lock, irq_flags); for (reg_idx = 0; reg_idx < intr->sde_irq_size; reg_idx++) { - /* Read interrupt status */ - irq_status = SDE_REG_READ(&intr->hw, - intr->sde_irq_tbl[reg_idx].status_off); - - if (!irq_status) - continue; + irq_status = intr->save_irq_status[reg_idx]; /* get the global offset in 'sde_irq_map' */ sde_irq_idx = intr->sde_irq_tbl[reg_idx].sde_irq_idx; @@ -916,13 +912,20 @@ static void sde_hw_intr_dispatch_irq(struct sde_hw_intr *intr, for (irq_idx = start_idx; (irq_idx < end_idx) && irq_status; irq_idx++) - if (irq_status & sde_irq_map[irq_idx].irq_mask) { + if ((irq_status & sde_irq_map[irq_idx].irq_mask) && + (sde_irq_map[irq_idx].reg_idx == reg_idx)) { /* * Once a match on irq mask, perform a callback - * to the given cbfunc. + * to the given cbfunc. cbfunc will take care + * the interrupt status clearing. If cbfunc is + * not provided, then the interrupt clearing + * is here. */ if (cbfunc) cbfunc(arg, irq_idx); + else + intr->ops.clear_intr_status_nolock( + intr, irq_idx); /* * When callback finish, clear the irq_status @@ -931,15 +934,7 @@ static void sde_hw_intr_dispatch_irq(struct sde_hw_intr *intr, */ irq_status &= ~sde_irq_map[irq_idx].irq_mask; } - - /* Clear the interrupt */ - SDE_REG_WRITE(&intr->hw, intr->sde_irq_tbl[reg_idx].clr_off, - 0xffffffff); } - - /* ensure register writes go through */ - wmb(); - spin_unlock_irqrestore(&intr->irq_lock, irq_flags); } @@ -1120,6 +1115,40 @@ static int sde_hw_intr_get_interrupt_sources(struct sde_hw_intr *intr, return 0; } +static void sde_hw_intr_get_interrupt_statuses(struct sde_hw_intr *intr) +{ + int i; + u32 enable_mask; + unsigned long irq_flags; + + if (!intr) + return; + + spin_lock_irqsave(&intr->irq_lock, irq_flags); + for (i = 0; i < intr->sde_irq_size; i++) { + /* Read interrupt status */ + intr->save_irq_status[i] = SDE_REG_READ(&intr->hw, + intr->sde_irq_tbl[i].status_off); + + /* Read enable mask */ + enable_mask = SDE_REG_READ(&intr->hw, + intr->sde_irq_tbl[i].en_off); + + /* and clear the interrupt */ + if (intr->save_irq_status[i]) + SDE_REG_WRITE(&intr->hw, intr->sde_irq_tbl[i].clr_off, + intr->save_irq_status[i]); + + /* Finally update IRQ status based on enable mask */ + intr->save_irq_status[i] &= enable_mask; + } + + /* ensure register writes go through */ + wmb(); + + spin_unlock_irqrestore(&intr->irq_lock, irq_flags); +} + static void sde_hw_intr_clear_intr_status_force_mask(struct sde_hw_intr *intr, int irq_idx, u32 irq_mask) { @@ -1292,6 +1321,7 @@ static void __setup_intr_ops(struct sde_hw_intr_ops *ops) ops->disable_all_irqs = sde_hw_intr_disable_irqs; ops->get_valid_interrupts = sde_hw_intr_get_valid_interrupts; ops->get_interrupt_sources = sde_hw_intr_get_interrupt_sources; + ops->get_interrupt_statuses = sde_hw_intr_get_interrupt_statuses; ops->clear_interrupt_status = sde_hw_intr_clear_interrupt_status; ops->clear_intr_status_nolock = sde_hw_intr_clear_intr_status_nolock; ops->clear_intr_status_force_mask = @@ -1439,6 +1469,7 @@ void sde_hw_intr_destroy(struct sde_hw_intr *intr) if (intr) { kfree(intr->sde_irq_tbl); kfree(intr->cache_irq_mask); + kfree(intr->save_irq_status); kfree(intr); } } @@ -1547,6 +1578,13 @@ struct sde_hw_intr *sde_hw_intr_init(void __iomem *addr, goto exit; } + intr->save_irq_status = kcalloc(intr->sde_irq_size, sizeof(u32), + GFP_KERNEL); + if (intr->save_irq_status == NULL) { + ret = -ENOMEM; + goto exit; + } + spin_lock_init(&intr->irq_lock); return intr; @@ -1554,6 +1592,7 @@ struct sde_hw_intr *sde_hw_intr_init(void __iomem *addr, exit: kfree(intr->sde_irq_tbl); kfree(intr->cache_irq_mask); + kfree(intr->save_irq_status); kfree(intr); return ERR_PTR(ret); } diff --git a/drivers/gpu/drm/msm/sde/sde_hw_interrupts.h b/drivers/gpu/drm/msm/sde/sde_hw_interrupts.h index e2de0e33bd59..1d5a8427d0aa 100644 --- a/drivers/gpu/drm/msm/sde/sde_hw_interrupts.h +++ b/drivers/gpu/drm/msm/sde/sde_hw_interrupts.h @@ -188,6 +188,14 @@ struct sde_hw_intr_ops { void (*cbfunc)(void *arg, int irq_idx), void *arg); + /** + * get_interrupt_statuses - Gets and store value from all interrupt + * status registers that are currently fired. + * @intr: HW interrupt handle + */ + void (*get_interrupt_statuses)( + struct sde_hw_intr *intr); + /** * clear_interrupt_status - Clears HW interrupt status based on given * lookup IRQ index. @@ -284,6 +292,7 @@ struct sde_hw_intr_ops { * @hw: virtual address mapping * @ops: function pointer mapping for IRQ handling * @cache_irq_mask: array of IRQ enable masks reg storage created during init + * @save_irq_status: array of IRQ status reg storage created during init * @irq_idx_tbl_size: total number of irq_idx mapped in the hw_interrupts * @irq_lock: spinlock for accessing IRQ resources * @sde_irq_size: total number of elements of the sde_irq_tbl @@ -294,6 +303,7 @@ struct sde_hw_intr { struct sde_hw_blk_reg_map hw; struct sde_hw_intr_ops ops; u32 *cache_irq_mask; + u32 *save_irq_status; u32 irq_idx_tbl_size; u32 sde_irq_size; struct sde_intr_reg *sde_irq_tbl; diff --git a/drivers/gpu/drm/msm/sde/sde_kms.h b/drivers/gpu/drm/msm/sde/sde_kms.h index 38a1f3cfb1c9..f01624a1c9a1 100644 --- a/drivers/gpu/drm/msm/sde/sde_kms.h +++ b/drivers/gpu/drm/msm/sde/sde_kms.h @@ -204,6 +204,7 @@ struct sde_irq { u32 total_irqs; struct list_head *irq_cb_tbl; atomic_t *enable_counts; + atomic_t *irq_counts; spinlock_t cb_lock; struct dentry *debugfs_file; }; From 0cf9e0d0fe0a8467c116061bb7a4e46cb05877b5 Mon Sep 17 00:00:00 2001 From: UtsavBalar1231 Date: Tue, 18 Aug 2020 13:14:46 +0530 Subject: [PATCH 135/386] Revert "drm: msm: modify doze backlight sysfs" This reverts commit ae5d796ef65d13e6f3b03da6c7ae17ec196726ff. Signed-off-by: UtsavBalar1231 --- drivers/gpu/drm/drm_sysfs.c | 64 ++------ drivers/gpu/drm/msm/dsi-staging/dsi_display.c | 25 +-- drivers/gpu/drm/msm/dsi-staging/dsi_display.h | 9 +- drivers/gpu/drm/msm/dsi-staging/dsi_drm.c | 63 +------- drivers/gpu/drm/msm/dsi-staging/dsi_panel.c | 146 ++++++++++-------- drivers/gpu/drm/msm/dsi-staging/dsi_panel.h | 2 + drivers/gpu/drm/msm/sde/sde_connector.c | 10 +- include/drm/drm_device.h | 2 +- 8 files changed, 126 insertions(+), 195 deletions(-) diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c index ec54cf967e85..4799d8c13445 100644 --- a/drivers/gpu/drm/drm_sysfs.c +++ b/drivers/gpu/drm/drm_sysfs.c @@ -260,6 +260,17 @@ static ssize_t panel_info_show(struct device *device, return written; } +static ssize_t doze_brightness_show(struct device *device, + struct device_attribute *attr, + char *buf) +{ + struct drm_connector *connector = to_drm_connector(device); + struct drm_device *dev = connector->dev; + + return snprintf(buf, PAGE_SIZE, "%d\n", + dev->doze_brightness); +} + void drm_bridge_disp_param_set(struct drm_bridge *bridge, int cmd); static ssize_t disp_param_store(struct device *device, struct device_attribute *attr, @@ -291,57 +302,6 @@ static ssize_t disp_param_store(struct device *device, return count; } -int dsi_bridge_disp_set_doze_backlight(struct drm_connector *connector, - int doze_backlight); -ssize_t dsi_bridge_disp_get_doze_backlight(struct drm_connector *connector, - char *buf); -static ssize_t doze_brightness_show(struct device *device, - struct device_attribute *attr, - char *buf) -{ - int writen = 0; - struct drm_connector *connector = NULL; - struct drm_device *dev = NULL; - - if (!device) - return writen; - - connector = to_drm_connector(device); - if (!connector) - return writen; - - dev = connector->dev; - if (!dev) - return writen; - - return snprintf(buf, PAGE_SIZE, "%d\n", - dev->doze_brightness); -} - -static ssize_t doze_backlight_store(struct device *device, - struct device_attribute *attr, - const char *buf, size_t count) -{ - struct drm_connector *connector = to_drm_connector(device); - int doze_backlight; - int ret; - - ret = kstrtoint(buf, 0, &doze_backlight); - if (ret) - return ret; - - ret = dsi_bridge_disp_set_doze_backlight(connector, doze_backlight); - - return ret ? ret : count; -} - -static ssize_t doze_backlight_show(struct device *dev, - struct device_attribute *attr, char *buf) -{ - struct drm_connector *connector = to_drm_connector(dev); - return dsi_bridge_disp_get_doze_backlight(connector, buf); -} - extern ssize_t mipi_reg_write(char *buf, size_t count); extern ssize_t mipi_reg_read(char *buf); @@ -498,7 +458,6 @@ static DEVICE_ATTR_RO(modes); static DEVICE_ATTR_RO(panel_info); static DEVICE_ATTR_WO(disp_param); static DEVICE_ATTR_RO(doze_brightness); -static DEVICE_ATTR_RW(doze_backlight); static DEVICE_ATTR_RW(mipi_reg); static DEVICE_ATTR_RW(disp_count); static DEVICE_ATTR_RW(dim_layer_enable); @@ -514,7 +473,6 @@ static struct attribute *connector_dev_attrs[] = { &dev_attr_panel_info.attr, &dev_attr_disp_param.attr, &dev_attr_doze_brightness.attr, - &dev_attr_doze_backlight.attr, &dev_attr_mipi_reg.attr, &dev_attr_disp_count.attr, &dev_attr_dim_layer_enable.attr, diff --git a/drivers/gpu/drm/msm/dsi-staging/dsi_display.c b/drivers/gpu/drm/msm/dsi-staging/dsi_display.c index cf82d664d4a5..91198970d344 100644 --- a/drivers/gpu/drm/msm/dsi-staging/dsi_display.c +++ b/drivers/gpu/drm/msm/dsi-staging/dsi_display.c @@ -236,10 +236,19 @@ int dsi_display_set_backlight(struct drm_connector *connector, goto error; } - rc = dsi_panel_set_backlight(panel, (u32)bl_temp); - if (rc) - pr_err("unable to set backlight\n"); - + if (drm_dev && (drm_dev->doze_state == MSM_DRM_BLANK_LP1 || drm_dev->doze_state == MSM_DRM_BLANK_LP2)) { + rc = dsi_panel_set_doze_backlight(display, (u32)bl_temp); + if (rc) + pr_err("unable to set doze backlight\n"); + rc = dsi_panel_enable_doze_backlight(panel, (u32)bl_temp); + if (rc) + pr_err("unable to enable doze backlight\n"); + } else { + drm_dev->doze_brightness = DOZE_BRIGHTNESS_INVALID; + rc = dsi_panel_set_backlight(panel, (u32)bl_temp); + if (rc) + pr_err("unable to set backlight\n"); + } rc = dsi_display_clk_ctrl(dsi_display->dsi_clk_handle, DSI_CORE_CLK, DSI_CLK_OFF); if (rc) { @@ -1259,7 +1268,7 @@ int dsi_display_set_power(struct drm_connector *connector, return -EINVAL; } else { dev = connector->dev; - event = dev->state; + event = dev->doze_state; } g_notify_data.data = &event; @@ -1268,15 +1277,11 @@ int dsi_display_set_power(struct drm_connector *connector, case SDE_MODE_DPMS_LP1: msm_drm_notifier_call_chain(MSM_DRM_EARLY_EVENT_BLANK, &g_notify_data); rc = dsi_panel_set_lp1(display->panel); - if (!rc) - dsi_panel_set_doze_backlight(display); msm_drm_notifier_call_chain(MSM_DRM_EVENT_BLANK, &g_notify_data); break; case SDE_MODE_DPMS_LP2: msm_drm_notifier_call_chain(MSM_DRM_EARLY_EVENT_BLANK, &g_notify_data); rc = dsi_panel_set_lp2(display->panel); - if (!rc) - dsi_panel_set_doze_backlight(display); msm_drm_notifier_call_chain(MSM_DRM_EVENT_BLANK, &g_notify_data); break; case SDE_MODE_DPMS_ON: @@ -1284,8 +1289,6 @@ int dsi_display_set_power(struct drm_connector *connector, display->panel->power_mode == SDE_MODE_DPMS_LP2) { msm_drm_notifier_call_chain(MSM_DRM_EARLY_EVENT_BLANK, &g_notify_data); rc = dsi_panel_set_nolp(display->panel); - if (!rc) - dsi_panel_set_doze_backlight(display); msm_drm_notifier_call_chain(MSM_DRM_EVENT_BLANK, &g_notify_data); } break; diff --git a/drivers/gpu/drm/msm/dsi-staging/dsi_display.h b/drivers/gpu/drm/msm/dsi-staging/dsi_display.h index 04be58725e22..bbc3b41c3bc0 100644 --- a/drivers/gpu/drm/msm/dsi-staging/dsi_display.h +++ b/drivers/gpu/drm/msm/dsi-staging/dsi_display.h @@ -653,14 +653,7 @@ void dsi_display_enable_event(struct drm_connector *connector, int dsi_display_set_backlight(struct drm_connector *connector, void *display, u32 bl_lvl); -/** - * dsi_display_set_doze_backlight() - set doze backlight - * @display: Handle to display. - */ - -int dsi_panel_set_doze_backlight(struct dsi_display *display); - -ssize_t dsi_panel_get_doze_backlight(struct dsi_display *display, char *buf); +int dsi_panel_set_doze_backlight(struct dsi_display *display, u32 bl_lvl); /** * dsi_display_check_status() - check if panel is dead or alive diff --git a/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c b/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c index bce05dd3be4e..39e4bed9756f 100644 --- a/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c +++ b/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c @@ -198,12 +198,12 @@ static void dsi_bridge_pre_enable(struct drm_bridge *bridge) struct drm_device *dev = bridge->dev; int event = 0; - if (dev->state == MSM_DRM_BLANK_POWERDOWN) { - dev->state = MSM_DRM_BLANK_UNBLANK; + if (dev->doze_state == MSM_DRM_BLANK_POWERDOWN) { + dev->doze_state = MSM_DRM_BLANK_UNBLANK; pr_info("%s power on from power off\n", __func__); } - event = dev->state; + event = dev->doze_state; g_notify_data.data = &event; @@ -223,7 +223,7 @@ static void dsi_bridge_pre_enable(struct drm_bridge *bridge) cancel_delayed_work_sync(&prim_panel_work); __pm_relax(&prim_panel_wakelock); if (dev->fp_quickon && - (dev->state == MSM_DRM_BLANK_LP1 || dev->state == MSM_DRM_BLANK_LP2)) { + (dev->doze_state == MSM_DRM_BLANK_LP1 || dev->doze_state == MSM_DRM_BLANK_LP2)) { event = MSM_DRM_BLANK_POWERDOWN; msm_drm_notifier_call_chain(MSM_DRM_EARLY_EVENT_BLANK, &g_notify_data); msm_drm_notifier_call_chain(MSM_DRM_EVENT_BLANK, &g_notify_data); @@ -364,53 +364,6 @@ static int dsi_bridge_get_panel_info(struct drm_bridge *bridge, char *buf) return rc; } -int dsi_panel_set_doze_backlight(struct dsi_display *display); - -ssize_t dsi_panel_get_doze_backlight(struct dsi_display *display, char *buf); - -int dsi_bridge_disp_set_doze_backlight(struct drm_connector *connector, - int doze_backlight) -{ - struct dsi_display *display = NULL; - struct dsi_bridge *c_bridge = NULL; - - if (!connector || !connector->encoder || !connector->encoder->bridge) { - pr_err("Invalid connector/encoder/bridge ptr\n"); - return -EINVAL; - } - - c_bridge = to_dsi_bridge(connector->encoder->bridge); - display = c_bridge->display; - if (!display || !display->panel || !display->drm_dev) { - pr_err("Invalid display/panel/drm_dev ptr\n"); - return -EINVAL; - } else - display->drm_dev->doze_brightness = doze_backlight; - - return dsi_panel_set_doze_backlight(display); -} - -ssize_t dsi_bridge_disp_get_doze_backlight(struct drm_connector *connector, - char *buf) -{ - struct dsi_display *display = NULL; - struct dsi_bridge *c_bridge = NULL; - - if (!connector || !connector->encoder || !connector->encoder->bridge) { - pr_err("Invalid connector/encoder/bridge ptr\n"); - return -EINVAL; - } - - c_bridge = to_dsi_bridge(connector->encoder->bridge); - display = c_bridge->display; - if (!display || !display->panel) { - pr_err("Invalid display/panel ptr\n"); - return -EINVAL; - } - - return dsi_panel_get_doze_backlight(display, buf); -} - static void dsi_bridge_enable(struct drm_bridge *bridge) { int rc = 0; @@ -468,12 +421,12 @@ static void dsi_bridge_post_disable(struct drm_bridge *bridge) struct drm_device *dev = bridge->dev; int event = 0; - if (dev->state == MSM_DRM_BLANK_UNBLANK) { - dev->state = MSM_DRM_BLANK_POWERDOWN; + if (dev->doze_state == MSM_DRM_BLANK_UNBLANK) { + dev->doze_state = MSM_DRM_BLANK_POWERDOWN; pr_info("%s wrong doze state\n", __func__); } - event = dev->state; + event = dev->doze_state; g_notify_data.data = &event; @@ -487,7 +440,7 @@ static void dsi_bridge_post_disable(struct drm_bridge *bridge) return; } - if (dev->state == MSM_DRM_BLANK_LP1 || dev->state == MSM_DRM_BLANK_LP2) { + if (dev->doze_state == MSM_DRM_BLANK_LP1 || dev->doze_state == MSM_DRM_BLANK_LP2) { pr_err("%s doze state can't power off panel\n", __func__); event = MSM_DRM_BLANK_POWERDOWN; msm_drm_notifier_call_chain(MSM_DRM_EARLY_EVENT_BLANK, &g_notify_data); diff --git a/drivers/gpu/drm/msm/dsi-staging/dsi_panel.c b/drivers/gpu/drm/msm/dsi-staging/dsi_panel.c index 461c33d25cf6..5c1fbe70c2ed 100644 --- a/drivers/gpu/drm/msm/dsi-staging/dsi_panel.c +++ b/drivers/gpu/drm/msm/dsi-staging/dsi_panel.c @@ -740,79 +740,62 @@ error: return rc; } -int dsi_panel_set_doze_backlight(struct dsi_display *display) +int dsi_panel_set_doze_backlight(struct dsi_display *display, u32 bl_lvl) { int rc = 0; - struct dsi_display *dsi_display = display; struct dsi_panel *panel = NULL; struct drm_device *drm_dev = NULL; - if (!dsi_display || !dsi_display->panel || !dsi_display->drm_dev) { + if (!display || !display->panel || !display->drm_dev) { pr_err("invalid display/panel/drm_dev\n"); return -EINVAL; } - panel = dsi_display->panel; - drm_dev = dsi_display->drm_dev; - mutex_lock(&panel->panel_lock); - if (!dsi_panel_initialized(panel)) { - pr_info("[%s] set doze backlight before panel initialized!\n", dsi_display->name); - goto error; + panel = display->panel; + drm_dev = display->drm_dev; + + if (panel->fod_hbm_enabled || panel->fod_backlight_flag || panel->fod_dimlayer_hbm_enabled) { + pr_debug("%s FOD HBM open, skip value:%u [hbm=%d][fod_bl=%d][dimlayer_fod=%d]\n", __func__, + bl_lvl, panel->fod_hbm_enabled, panel->fod_backlight_flag, panel->fod_dimlayer_hbm_enabled); + return rc; } - if (drm_dev && (drm_dev->state == MSM_DRM_BLANK_LP1 || drm_dev->state == MSM_DRM_BLANK_LP2)) { - if (panel->fod_hbm_enabled || panel->fod_backlight_flag) { - pr_info("%s FOD HBM open, skip set doze backlight at: [hbm=%d][fod_bl=%d]\n", __func__, - panel->fod_hbm_enabled, panel->fod_backlight_flag); - goto error; - } - if (drm_dev->doze_brightness == DOZE_BRIGHTNESS_HBM) { - rc = dsi_panel_tx_cmd_set(panel, DSI_CMD_SET_DOZE_HBM); - if (rc) - pr_err("[%s] failed to send DSI_CMD_SET_DOZE_HBM cmd, rc=%d\n", panel->name, rc); - else - pr_info("In %s the doze_brightness value:%u\n", __func__, drm_dev->doze_brightness); - panel->in_aod = true; - panel->skip_dimmingon = STATE_DIM_BLOCK; - } else if (drm_dev->doze_brightness == DOZE_BRIGHTNESS_LBM) { - rc = dsi_panel_tx_cmd_set(panel, DSI_CMD_SET_DOZE_LBM); - if (rc) - pr_err("[%s] failed to send DSI_CMD_SET_DOZE_LBM cmd, rc=%d\n", - panel->name, rc); - else - pr_info("In %s the doze_brightness value:%u\n", __func__, drm_dev->doze_brightness); - panel->in_aod = true; - panel->skip_dimmingon = STATE_DIM_BLOCK; - } else { - drm_dev->doze_brightness = DOZE_BRIGHTNESS_INVALID; - pr_info("In %s the doze_brightness value:%u\n", __func__, drm_dev->doze_brightness); - } + if (bl_lvl > panel->doze_backlight_threshold) { + rc = dsi_panel_tx_cmd_set(panel, DSI_CMD_SET_DOZE_HBM); + if (rc) + pr_err("[%s] failed to send DSI_CMD_SET_DOZE_HBM cmd, rc=%d\n", + panel->name, rc); + drm_dev->doze_brightness = DOZE_BRIGHTNESS_HBM; + panel->in_aod = true; + panel->skip_dimmingon = STATE_DIM_BLOCK; + } else if (bl_lvl <= panel->doze_backlight_threshold && bl_lvl > 0) { + rc = dsi_panel_tx_cmd_set(panel, DSI_CMD_SET_DOZE_LBM); + if (rc) + pr_err("[%s] failed to send DSI_CMD_SET_DOZE_LBM cmd, rc=%d\n", + panel->name, rc); + drm_dev->doze_brightness = DOZE_BRIGHTNESS_LBM; + panel->in_aod = true; + panel->skip_dimmingon = STATE_DIM_BLOCK; + } else { + drm_dev->doze_brightness = DOZE_BRIGHTNESS_INVALID; } -error: - mutex_unlock(&panel->panel_lock); + + pr_debug("%s value:%u\n", __func__, drm_dev->doze_brightness); return rc; } -ssize_t dsi_panel_get_doze_backlight(struct dsi_display *display, char *buf) +int dsi_panel_enable_doze_backlight(struct dsi_panel *panel, u32 bl_lvl) { - int rc = 0; - struct dsi_display *dsi_display = display; - struct dsi_panel *panel = NULL; - struct drm_device *drm_dev = NULL; + struct dsi_backlight_config *bl = &panel->bl_config; - if (!dsi_display || !dsi_display->panel || !dsi_display->drm_dev) { - pr_err("invalid display/panel/drm_dev\n"); - return -EINVAL; + if (panel->fod_backlight_flag) { + pr_debug("fod_backlight_flag set\n"); + } else { + pr_debug("enable doze backlight type:%d lvl:%d\n", bl->type, bl_lvl); + rc = dsi_panel_update_backlight(panel, bl_lvl); } - panel = dsi_display->panel; - drm_dev = dsi_display->drm_dev; - mutex_lock(&panel->panel_lock); - - rc = snprintf(buf, PAGE_SIZE, "%d\n", drm_dev->doze_brightness); - pr_info("In %s the doze_brightness value:%u\n", __func__, drm_dev->doze_brightness); - - mutex_unlock(&panel->panel_lock); + panel->last_bl_lvl = bl_lvl; return rc; } @@ -4534,6 +4517,45 @@ int dsi_panel_set_lp1(struct dsi_panel *panel) pr_err("[%s] failed to send DSI_CMD_SET_LP1 cmd, rc=%d\n", panel->name, rc); + if (panel->fod_hbm_enabled || panel->fod_backlight_flag || panel->fod_dimlayer_hbm_enabled) { + pr_debug("%s skip [hbm=%d][fod_bl=%d][dimlayer_hbm=%d]\n", __func__, + panel->fod_hbm_enabled, panel->fod_backlight_flag, panel->fod_dimlayer_hbm_enabled); + } else { + struct dsi_display *display = NULL; + struct mipi_dsi_host *host = panel->host; + if (host) + display = container_of(host, struct dsi_display, host); + + if (panel->last_bl_lvl > panel->doze_backlight_threshold) { + pr_debug("dsi_panel_set_lp1 DSI_CMD_SET_DOZE_HBM"); + rc = dsi_panel_tx_cmd_set(panel, DSI_CMD_SET_DOZE_HBM); + if (rc) + pr_err("[%s] failed to send DSI_CMD_SET_DOZE_HBM cmd, rc=%d\n", + panel->name, rc); + if (display) + display->drm_dev->doze_brightness = DOZE_BRIGHTNESS_HBM; + + panel->in_aod = true; + panel->skip_dimmingon = STATE_DIM_BLOCK; + } else if (panel->last_bl_lvl <= panel->doze_backlight_threshold && panel->last_bl_lvl > 0) { + pr_debug("dsi_panel_set_lp1 DSI_CMD_SET_DOZE_LBM"); + rc = dsi_panel_tx_cmd_set(panel, DSI_CMD_SET_DOZE_LBM); + if (rc) + pr_err("[%s] failed to send DSI_CMD_SET_DOZE_LBM cmd, rc=%d\n", + panel->name, rc); + + if (display) + display->drm_dev->doze_brightness = DOZE_BRIGHTNESS_LBM; + + panel->in_aod = true; + panel->skip_dimmingon = STATE_DIM_BLOCK; + } else { + pr_debug("dsi_panel_set_lp1 DOZE_BRIGHTNESS_INVALID"); + if (display) + display->drm_dev->doze_brightness = DOZE_BRIGHTNESS_INVALID; + } + } + mutex_unlock(&panel->panel_lock); return rc; } @@ -5042,8 +5064,8 @@ static int panel_disp_param_send_lock(struct dsi_panel *panel, int param) if (host) display = container_of(host, struct dsi_display, host); - if ((display->drm_dev && display->drm_dev->state == MSM_DRM_BLANK_LP1) || - (display->drm_dev && display->drm_dev->state == MSM_DRM_BLANK_LP2)) { + if ((display->drm_dev && display->drm_dev->doze_state == MSM_DRM_BLANK_LP1) || + (display->drm_dev && display->drm_dev->doze_state == MSM_DRM_BLANK_LP2)) { #if 0 if (panel->last_bl_lvl > panel->doze_backlight_threshold) { pr_info("hbm fod off DSI_CMD_SET_DOZE_HBM"); @@ -5162,21 +5184,21 @@ static int panel_disp_param_send_lock(struct dsi_panel *panel, int param) if (host) display = container_of(host, struct dsi_display, host); - pr_info("FOD backlight restore last_bl_lvl=%d, state=%d", - panel->last_bl_lvl, display->drm_dev->state); + pr_debug("FOD backlight restore last_bl_lvl=%d, doze_state=%d", + panel->last_bl_lvl, display->drm_dev->doze_state); rc = dsi_panel_tx_cmd_set(panel, DSI_CMD_SET_DISP_DIMMINGOFF); if (panel->dc_enable) { pr_info("FOD backlight restore dc_threshold=%d, doze_state=%d", - panel->dc_threshold, display->drm_dev->state); + panel->dc_threshold, display->drm_dev->doze_state); rc = dsi_panel_update_backlight(panel, panel->dc_threshold); } else { pr_info("FOD backlight restore last_bl_lvl=%d, doze_state=%d", - panel->last_bl_lvl, display->drm_dev->state); + panel->last_bl_lvl, display->drm_dev->doze_state); rc = dsi_panel_update_backlight(panel, panel->last_bl_lvl); } - if ((display->drm_dev && display->drm_dev->state == MSM_DRM_BLANK_LP1) || - (display->drm_dev && display->drm_dev->state == MSM_DRM_BLANK_LP2)) { + if ((display->drm_dev && display->drm_dev->doze_state == MSM_DRM_BLANK_LP1) || + (display->drm_dev && display->drm_dev->doze_state == MSM_DRM_BLANK_LP2)) { #if 0 if (panel->last_bl_lvl > panel->doze_backlight_threshold) { pr_info("FOD backlight restore DSI_CMD_SET_DOZE_HBM"); diff --git a/drivers/gpu/drm/msm/dsi-staging/dsi_panel.h b/drivers/gpu/drm/msm/dsi-staging/dsi_panel.h index 38ca0b7554f3..16d8f6db26f7 100644 --- a/drivers/gpu/drm/msm/dsi-staging/dsi_panel.h +++ b/drivers/gpu/drm/msm/dsi-staging/dsi_panel.h @@ -358,6 +358,8 @@ int dsi_panel_post_unprepare(struct dsi_panel *panel); int dsi_panel_set_backlight(struct dsi_panel *panel, u32 bl_lvl); +int dsi_panel_enable_doze_backlight(struct dsi_panel *panel, u32 bl_lvl); + int dsi_panel_update_pps(struct dsi_panel *panel); int dsi_panel_send_qsync_on_dcs(struct dsi_panel *panel, diff --git a/drivers/gpu/drm/msm/sde/sde_connector.c b/drivers/gpu/drm/msm/sde/sde_connector.c index 7c86d38cb60d..dfe3e3fc668c 100644 --- a/drivers/gpu/drm/msm/sde/sde_connector.c +++ b/drivers/gpu/drm/msm/sde/sde_connector.c @@ -713,8 +713,8 @@ int sde_connector_update_hbm(struct sde_connector *c_conn) if (dsi_display->panel->fod_dimlayer_hbm_enabled) { mutex_lock(&dsi_display->panel->panel_lock); sde_encoder_wait_for_event(c_conn->encoder, MSM_ENC_VBLANK); - if ((dsi_display->drm_dev && dsi_display->drm_dev->state == MSM_DRM_BLANK_LP1) || - (dsi_display->drm_dev && dsi_display->drm_dev->state == MSM_DRM_BLANK_LP2)) { + if ((dsi_display->drm_dev && dsi_display->drm_dev->doze_state == MSM_DRM_BLANK_LP1) || + (dsi_display->drm_dev && dsi_display->drm_dev->doze_state == MSM_DRM_BLANK_LP2)) { if (dsi_display->panel->last_bl_lvl > dsi_display->panel->doze_backlight_threshold) { dsi_display->panel->hbm_enabled = false; dsi_display->panel->fod_dimlayer_hbm_enabled = false; @@ -765,8 +765,8 @@ int sde_connector_update_hbm(struct sde_connector *c_conn) mutex_lock(&dsi_display->panel->panel_lock); sde_encoder_wait_for_event(c_conn->encoder, MSM_ENC_VBLANK); pr_debug("wait one frame for hbm on\n"); - if (dsi_display->panel->last_bl_lvl || dsi_display->drm_dev->state == MSM_DRM_BLANK_LP1 - || dsi_display->drm_dev->state == MSM_DRM_BLANK_LP2) { + if (dsi_display->panel->last_bl_lvl || dsi_display->drm_dev->doze_state == MSM_DRM_BLANK_LP1 + || dsi_display->drm_dev->doze_state == MSM_DRM_BLANK_LP2) { dsi_display->panel->fod_dimlayer_hbm_enabled = true; dsi_display->panel->skip_dimmingon = STATE_DIM_BLOCK; dsi_display->panel->hbm_enabled = true; @@ -1359,7 +1359,7 @@ static int sde_connector_atomic_set_property(struct drm_connector *connector, switch (idx) { case CONNECTOR_PROP_LP: if(connector->dev) - connector->dev->state = val; + connector->dev->doze_state = val; break; case CONNECTOR_PROP_OUT_FB: /* clear old fb, if present */ diff --git a/include/drm/drm_device.h b/include/drm/drm_device.h index 26a243d4c9e6..3e8e2d02fcbb 100644 --- a/include/drm/drm_device.h +++ b/include/drm/drm_device.h @@ -195,7 +195,7 @@ struct drm_device { struct drm_vma_offset_manager *vma_offset_manager; /*@} */ int switch_power_state; - int state; + int doze_state; int doze_brightness; bool fp_quickon; }; From 362bcd6bb4965c01aa797e7f1059e5db1fb3d713 Mon Sep 17 00:00:00 2001 From: UtsavBalar1231 Date: Tue, 18 Aug 2020 18:21:36 +0530 Subject: [PATCH 136/386] drm: msm: Import minimal doze backlight changes - Properly extracted for raphael should fix the remaning AOD issues Signed-off-by: UtsavBalar1231 --- drivers/gpu/drm/drm_sysfs.c | 31 +++++++ drivers/gpu/drm/msm/dsi-staging/dsi_display.c | 19 ++-- drivers/gpu/drm/msm/dsi-staging/dsi_display.h | 8 +- drivers/gpu/drm/msm/dsi-staging/dsi_drm.c | 47 ++++++++++ drivers/gpu/drm/msm/dsi-staging/dsi_panel.c | 88 +++++++++++-------- drivers/gpu/drm/msm/dsi-staging/dsi_panel.h | 2 - 6 files changed, 144 insertions(+), 51 deletions(-) diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c index 4799d8c13445..b67531e02011 100644 --- a/drivers/gpu/drm/drm_sysfs.c +++ b/drivers/gpu/drm/drm_sysfs.c @@ -260,6 +260,11 @@ static ssize_t panel_info_show(struct device *device, return written; } +int dsi_bridge_disp_set_doze_backlight(struct drm_connector *connector, + int doze_backlight); +ssize_t dsi_bridge_disp_get_doze_backlight(struct drm_connector *connector, + char *buf); + static ssize_t doze_brightness_show(struct device *device, struct device_attribute *attr, char *buf) @@ -271,6 +276,30 @@ static ssize_t doze_brightness_show(struct device *device, dev->doze_brightness); } +static ssize_t doze_backlight_store(struct device *device, + struct device_attribute *attr, + const char *buf, size_t count) +{ + struct drm_connector *connector = to_drm_connector(device); + int doze_backlight; + int ret; + + ret = kstrtoint(buf, 0, &doze_backlight); + if (ret) + return ret; + + ret = dsi_bridge_disp_set_doze_backlight(connector, doze_backlight); + + return ret ? ret : count; +} + +static ssize_t doze_backlight_show(struct device *dev, + struct device_attribute *attr, char *buf) +{ + struct drm_connector *connector = to_drm_connector(dev); + return dsi_bridge_disp_get_doze_backlight(connector, buf); +} + void drm_bridge_disp_param_set(struct drm_bridge *bridge, int cmd); static ssize_t disp_param_store(struct device *device, struct device_attribute *attr, @@ -458,6 +487,7 @@ static DEVICE_ATTR_RO(modes); static DEVICE_ATTR_RO(panel_info); static DEVICE_ATTR_WO(disp_param); static DEVICE_ATTR_RO(doze_brightness); +static DEVICE_ATTR_RW(doze_backlight); static DEVICE_ATTR_RW(mipi_reg); static DEVICE_ATTR_RW(disp_count); static DEVICE_ATTR_RW(dim_layer_enable); @@ -473,6 +503,7 @@ static struct attribute *connector_dev_attrs[] = { &dev_attr_panel_info.attr, &dev_attr_disp_param.attr, &dev_attr_doze_brightness.attr, + &dev_attr_doze_backlight.attr, &dev_attr_mipi_reg.attr, &dev_attr_disp_count.attr, &dev_attr_dim_layer_enable.attr, diff --git a/drivers/gpu/drm/msm/dsi-staging/dsi_display.c b/drivers/gpu/drm/msm/dsi-staging/dsi_display.c index 91198970d344..79b4230db8f3 100644 --- a/drivers/gpu/drm/msm/dsi-staging/dsi_display.c +++ b/drivers/gpu/drm/msm/dsi-staging/dsi_display.c @@ -236,19 +236,10 @@ int dsi_display_set_backlight(struct drm_connector *connector, goto error; } - if (drm_dev && (drm_dev->doze_state == MSM_DRM_BLANK_LP1 || drm_dev->doze_state == MSM_DRM_BLANK_LP2)) { - rc = dsi_panel_set_doze_backlight(display, (u32)bl_temp); - if (rc) - pr_err("unable to set doze backlight\n"); - rc = dsi_panel_enable_doze_backlight(panel, (u32)bl_temp); - if (rc) - pr_err("unable to enable doze backlight\n"); - } else { - drm_dev->doze_brightness = DOZE_BRIGHTNESS_INVALID; - rc = dsi_panel_set_backlight(panel, (u32)bl_temp); - if (rc) - pr_err("unable to set backlight\n"); - } + rc = dsi_panel_set_backlight(panel, (u32)bl_temp); + if (rc) + pr_err("unable to set backlight\n"); + rc = dsi_display_clk_ctrl(dsi_display->dsi_clk_handle, DSI_CORE_CLK, DSI_CLK_OFF); if (rc) { @@ -1277,6 +1268,8 @@ int dsi_display_set_power(struct drm_connector *connector, case SDE_MODE_DPMS_LP1: msm_drm_notifier_call_chain(MSM_DRM_EARLY_EVENT_BLANK, &g_notify_data); rc = dsi_panel_set_lp1(display->panel); + if (!rc) + dsi_panel_set_doze_backlight(display); msm_drm_notifier_call_chain(MSM_DRM_EVENT_BLANK, &g_notify_data); break; case SDE_MODE_DPMS_LP2: diff --git a/drivers/gpu/drm/msm/dsi-staging/dsi_display.h b/drivers/gpu/drm/msm/dsi-staging/dsi_display.h index bbc3b41c3bc0..5918445b3a6d 100644 --- a/drivers/gpu/drm/msm/dsi-staging/dsi_display.h +++ b/drivers/gpu/drm/msm/dsi-staging/dsi_display.h @@ -653,7 +653,13 @@ void dsi_display_enable_event(struct drm_connector *connector, int dsi_display_set_backlight(struct drm_connector *connector, void *display, u32 bl_lvl); -int dsi_panel_set_doze_backlight(struct dsi_display *display, u32 bl_lvl); +/** + * dsi_display_set_doze_backlight() - set doze backlight + * @display: Handle to display. + */ +int dsi_panel_set_doze_backlight(struct dsi_display *display); + +ssize_t dsi_panel_get_doze_backlight(struct dsi_display *display, char *buf); /** * dsi_display_check_status() - check if panel is dead or alive diff --git a/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c b/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c index 39e4bed9756f..f6772b4f226e 100644 --- a/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c +++ b/drivers/gpu/drm/msm/dsi-staging/dsi_drm.c @@ -364,6 +364,53 @@ static int dsi_bridge_get_panel_info(struct drm_bridge *bridge, char *buf) return rc; } +int dsi_panel_set_doze_backlight(struct dsi_display *display); + +ssize_t dsi_panel_get_doze_backlight(struct dsi_display *display, char *buf); + +int dsi_bridge_disp_set_doze_backlight(struct drm_connector *connector, + int doze_backlight) +{ + struct dsi_display *display = NULL; + struct dsi_bridge *c_bridge = NULL; + + if (!connector || !connector->encoder || !connector->encoder->bridge) { + pr_err("Invalid connector/encoder/bridge ptr\n"); + return -EINVAL; + } + + c_bridge = to_dsi_bridge(connector->encoder->bridge); + display = c_bridge->display; + if (!display || !display->panel || !display->drm_dev) { + pr_err("Invalid display/panel/drm_dev ptr\n"); + return -EINVAL; + } else + display->drm_dev->doze_brightness = doze_backlight; + + return dsi_panel_set_doze_backlight(display); +} + +ssize_t dsi_bridge_disp_get_doze_backlight(struct drm_connector *connector, + char *buf) +{ + struct dsi_display *display = NULL; + struct dsi_bridge *c_bridge = NULL; + + if (!connector || !connector->encoder || !connector->encoder->bridge) { + pr_err("Invalid connector/encoder/bridge ptr\n"); + return -EINVAL; + } + + c_bridge = to_dsi_bridge(connector->encoder->bridge); + display = c_bridge->display; + if (!display || !display->panel) { + pr_err("Invalid display/panel ptr\n"); + return -EINVAL; + } + + return dsi_panel_get_doze_backlight(display, buf); +} + static void dsi_bridge_enable(struct drm_bridge *bridge) { int rc = 0; diff --git a/drivers/gpu/drm/msm/dsi-staging/dsi_panel.c b/drivers/gpu/drm/msm/dsi-staging/dsi_panel.c index 5c1fbe70c2ed..4c516fe328a6 100644 --- a/drivers/gpu/drm/msm/dsi-staging/dsi_panel.c +++ b/drivers/gpu/drm/msm/dsi-staging/dsi_panel.c @@ -740,62 +740,80 @@ error: return rc; } -int dsi_panel_set_doze_backlight(struct dsi_display *display, u32 bl_lvl) +int dsi_panel_set_doze_backlight(struct dsi_display *display) { int rc = 0; + struct dsi_display *dsi_display = display; struct dsi_panel *panel = NULL; struct drm_device *drm_dev = NULL; - if (!display || !display->panel || !display->drm_dev) { + if (!dsi_display || !dsi_display->panel || !dsi_display->drm_dev) { pr_err("invalid display/panel/drm_dev\n"); return -EINVAL; } - panel = display->panel; - drm_dev = display->drm_dev; + panel = dsi_display->panel; + drm_dev = dsi_display->drm_dev; + mutex_lock(&panel->panel_lock); - if (panel->fod_hbm_enabled || panel->fod_backlight_flag || panel->fod_dimlayer_hbm_enabled) { - pr_debug("%s FOD HBM open, skip value:%u [hbm=%d][fod_bl=%d][dimlayer_fod=%d]\n", __func__, - bl_lvl, panel->fod_hbm_enabled, panel->fod_backlight_flag, panel->fod_dimlayer_hbm_enabled); - return rc; + if (!dsi_panel_initialized(panel)) { + pr_info("[%s] set doze backlight before panel initialized!\n", dsi_display->name); + goto error; } - if (bl_lvl > panel->doze_backlight_threshold) { - rc = dsi_panel_tx_cmd_set(panel, DSI_CMD_SET_DOZE_HBM); - if (rc) - pr_err("[%s] failed to send DSI_CMD_SET_DOZE_HBM cmd, rc=%d\n", - panel->name, rc); - drm_dev->doze_brightness = DOZE_BRIGHTNESS_HBM; - panel->in_aod = true; - panel->skip_dimmingon = STATE_DIM_BLOCK; - } else if (bl_lvl <= panel->doze_backlight_threshold && bl_lvl > 0) { - rc = dsi_panel_tx_cmd_set(panel, DSI_CMD_SET_DOZE_LBM); - if (rc) - pr_err("[%s] failed to send DSI_CMD_SET_DOZE_LBM cmd, rc=%d\n", - panel->name, rc); - drm_dev->doze_brightness = DOZE_BRIGHTNESS_LBM; - panel->in_aod = true; - panel->skip_dimmingon = STATE_DIM_BLOCK; - } else { - drm_dev->doze_brightness = DOZE_BRIGHTNESS_INVALID; + if (drm_dev && (drm_dev->doze_state == MSM_DRM_BLANK_LP1 || drm_dev->doze_state == MSM_DRM_BLANK_LP2)) { + if (panel->fod_hbm_enabled || panel->fod_dimlayer_hbm_enabled || panel->fod_backlight_flag) { + pr_debug("%s FOD HBM open, skip set doze backlight at: [hbm=%d][dimlayer_fod=%d][fod_bl=%d]\n", + __func__, panel->fod_hbm_enabled, + panel->fod_dimlayer_hbm_enabled, panel->fod_backlight_flag); + goto error; + } + + if (drm_dev->doze_brightness == DOZE_BRIGHTNESS_HBM) { + rc = dsi_panel_tx_cmd_set(panel, DSI_CMD_SET_DOZE_HBM); + if (rc) + pr_err("[%s] failed to send DSI_CMD_SET_DOZE_HBM cmd, rc=%d\n", panel->name, rc); + panel->in_aod = true; + panel->skip_dimmingon = STATE_DIM_BLOCK; + } else if (drm_dev->doze_brightness == DOZE_BRIGHTNESS_LBM) { + rc = dsi_panel_tx_cmd_set(panel, DSI_CMD_SET_DOZE_LBM); + if (rc) + pr_err("[%s] failed to send DSI_CMD_SET_DOZE_LBM cmd, rc=%d\n", + panel->name, rc); + panel->in_aod = true; + panel->skip_dimmingon = STATE_DIM_BLOCK; + } else { + drm_dev->doze_brightness = DOZE_BRIGHTNESS_INVALID; + pr_debug("In %s the doze_brightness value:%u\n", __func__, drm_dev->doze_brightness); + } } - pr_debug("%s value:%u\n", __func__, drm_dev->doze_brightness); +error: + mutex_unlock(&panel->panel_lock); return rc; } -int dsi_panel_enable_doze_backlight(struct dsi_panel *panel, u32 bl_lvl) +ssize_t dsi_panel_get_doze_backlight(struct dsi_display *display, char *buf) { + int rc = 0; - struct dsi_backlight_config *bl = &panel->bl_config; + struct dsi_display *dsi_display = display; + struct dsi_panel *panel = NULL; + struct drm_device *drm_dev = NULL; - if (panel->fod_backlight_flag) { - pr_debug("fod_backlight_flag set\n"); - } else { - pr_debug("enable doze backlight type:%d lvl:%d\n", bl->type, bl_lvl); - rc = dsi_panel_update_backlight(panel, bl_lvl); + if (!dsi_display || !dsi_display->panel || !dsi_display->drm_dev) { + pr_err("invalid display/panel/drm_dev\n"); + return -EINVAL; } + panel = dsi_display->panel; + drm_dev = dsi_display->drm_dev; + + mutex_lock(&panel->panel_lock); + + rc = snprintf(buf, PAGE_SIZE, "%d\n", drm_dev->doze_brightness); + pr_info("In %s the doze_brightness value:%u\n", __func__, drm_dev->doze_brightness); + + mutex_unlock(&panel->panel_lock); - panel->last_bl_lvl = bl_lvl; return rc; } diff --git a/drivers/gpu/drm/msm/dsi-staging/dsi_panel.h b/drivers/gpu/drm/msm/dsi-staging/dsi_panel.h index 16d8f6db26f7..38ca0b7554f3 100644 --- a/drivers/gpu/drm/msm/dsi-staging/dsi_panel.h +++ b/drivers/gpu/drm/msm/dsi-staging/dsi_panel.h @@ -358,8 +358,6 @@ int dsi_panel_post_unprepare(struct dsi_panel *panel); int dsi_panel_set_backlight(struct dsi_panel *panel, u32 bl_lvl); -int dsi_panel_enable_doze_backlight(struct dsi_panel *panel, u32 bl_lvl); - int dsi_panel_update_pps(struct dsi_panel *panel); int dsi_panel_send_qsync_on_dcs(struct dsi_panel *panel, From 0a31bae6d83daa6726b6f23bdc4bdb88c35fbadf Mon Sep 17 00:00:00 2001 From: Lei wang Date: Wed, 19 Aug 2020 16:23:03 +0800 Subject: [PATCH 137/386] defconfig: disable QCOM_SECURE_BUFFER for lxc container lxc android container will failed on secure_buffer and this buffer is no longer usable and can not used by system anymore. Change-Id: I65e535d8bc58a7284ad2acd11a6e0d7b843961d5 Signed-off-by: Lei wang --- arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig | 1 - arch/arm64/configs/vendor/qti-quin-gvm_defconfig | 1 - 2 files changed, 2 deletions(-) diff --git a/arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig b/arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig index c1281e9efb76..1aeade82c3bc 100644 --- a/arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig +++ b/arch/arm64/configs/vendor/qti-quin-gvm-perf_defconfig @@ -457,7 +457,6 @@ CONFIG_MSM_PIL=y CONFIG_MSM_PIL_SSR_GENERIC=y CONFIG_MSM_BOOT_STATS=y CONFIG_MSM_BOOT_TIME_MARKER=y -CONFIG_QCOM_SECURE_BUFFER=y CONFIG_QCOM_GLINK=y CONFIG_MEM_SHARE_QMI_SERVICE=y CONFIG_MSM_HAB=y diff --git a/arch/arm64/configs/vendor/qti-quin-gvm_defconfig b/arch/arm64/configs/vendor/qti-quin-gvm_defconfig index 22a036e1a74e..050f57e87abc 100644 --- a/arch/arm64/configs/vendor/qti-quin-gvm_defconfig +++ b/arch/arm64/configs/vendor/qti-quin-gvm_defconfig @@ -468,7 +468,6 @@ CONFIG_MSM_PIL=y CONFIG_MSM_PIL_SSR_GENERIC=y CONFIG_MSM_BOOT_STATS=y CONFIG_MSM_BOOT_TIME_MARKER=y -CONFIG_QCOM_SECURE_BUFFER=y CONFIG_QCOM_GLINK=y CONFIG_MEM_SHARE_QMI_SERVICE=y CONFIG_MSM_HAB=y From fb4e037e1d84b8fce1db8941fd9f6288d2c08b04 Mon Sep 17 00:00:00 2001 From: UtsavBalar1231 Date: Thu, 20 Aug 2020 18:37:09 +0530 Subject: [PATCH 138/386] Revert "msm: kgsl: Mark the scratch buffer as privileged" plaease make my device boot into system This reverts commit c027388297dc07cdefbc68eacfd57fd72a76726c. Signed-off-by: UtsavBalar1231 --- drivers/gpu/msm/adreno.c | 13 -------- drivers/gpu/msm/adreno.h | 7 ++--- drivers/gpu/msm/adreno_a5xx.c | 13 +++----- drivers/gpu/msm/adreno_a5xx.h | 4 +-- drivers/gpu/msm/adreno_a5xx_preempt.c | 8 ++--- drivers/gpu/msm/adreno_a6xx.c | 4 +-- drivers/gpu/msm/adreno_a6xx.h | 4 +-- drivers/gpu/msm/adreno_a6xx_preempt.c | 33 ++++++++++---------- drivers/gpu/msm/adreno_ioctl.c | 4 +-- drivers/gpu/msm/adreno_pm4types.h | 4 +-- drivers/gpu/msm/adreno_ringbuffer.c | 44 ++------------------------- drivers/gpu/msm/adreno_ringbuffer.h | 5 +-- drivers/gpu/msm/kgsl.h | 11 ++++++- 13 files changed, 50 insertions(+), 104 deletions(-) diff --git a/drivers/gpu/msm/adreno.c b/drivers/gpu/msm/adreno.c index f6f1d399ca31..d5ee10482a5f 100644 --- a/drivers/gpu/msm/adreno.c +++ b/drivers/gpu/msm/adreno.c @@ -4178,19 +4178,6 @@ static int adreno_resume_device(struct kgsl_device *device, return 0; } -u32 adreno_get_ucode_version(const u32 *data) -{ - u32 version; - - version = data[1]; - - if ((version & 0xf) != 0xa) - return version; - - version &= ~0xfff; - return version | ((data[3] & 0xfff000) >> 12); -} - static const struct kgsl_functable adreno_functable = { /* Mandatory functions */ .regread = adreno_regread, diff --git a/drivers/gpu/msm/adreno.h b/drivers/gpu/msm/adreno.h index 1cc4fc05fac5..905dd4009a7e 100644 --- a/drivers/gpu/msm/adreno.h +++ b/drivers/gpu/msm/adreno.h @@ -289,8 +289,8 @@ enum adreno_preempt_states { /** * struct adreno_preemption * @state: The current state of preemption - * @scratch: Memory descriptor for the memory where the GPU writes the - * current ctxt record address and preemption counters on switch + * @counters: Memory descriptor for the memory where the GPU writes the + * preemption counters on switch * @timer: A timer to make sure preemption doesn't stall * @work: A work struct for the preemption worker (for 5XX) * @token_submit: Indicates if a preempt token has been submitted in @@ -302,7 +302,7 @@ enum adreno_preempt_states { */ struct adreno_preemption { atomic_t state; - struct kgsl_memdesc scratch; + struct kgsl_memdesc counters; struct timer_list timer; struct work_struct work; bool token_submit; @@ -1209,7 +1209,6 @@ void adreno_cx_misc_regwrite(struct adreno_device *adreno_dev, void adreno_cx_misc_regrmw(struct adreno_device *adreno_dev, unsigned int offsetwords, unsigned int mask, unsigned int bits); -u32 adreno_get_ucode_version(const u32 *data); #define ADRENO_TARGET(_name, _id) \ diff --git a/drivers/gpu/msm/adreno_a5xx.c b/drivers/gpu/msm/adreno_a5xx.c index 925a288efd8c..ba46bd46d450 100644 --- a/drivers/gpu/msm/adreno_a5xx.c +++ b/drivers/gpu/msm/adreno_a5xx.c @@ -2154,15 +2154,12 @@ static int a5xx_post_start(struct adreno_device *adreno_dev) *cmds++ = 0xF; } - if (adreno_is_preemption_enabled(adreno_dev)) { + if (adreno_is_preemption_enabled(adreno_dev)) cmds += _preemption_init(adreno_dev, rb, cmds, NULL); - rb->_wptr = rb->_wptr - (42 - (cmds - start)); - ret = adreno_ringbuffer_submit_spin_nosync(rb, NULL, 2000); - } else { - rb->_wptr = rb->_wptr - (42 - (cmds - start)); - ret = adreno_ringbuffer_submit_spin(rb, NULL, 2000); - } + rb->_wptr = rb->_wptr - (42 - (cmds - start)); + + ret = adreno_ringbuffer_submit_spin(rb, NULL, 2000); if (ret) adreno_spin_idle_debug(adreno_dev, "hw initialization failed to idle\n"); @@ -2500,7 +2497,7 @@ static int _load_firmware(struct kgsl_device *device, const char *fwfile, memcpy(firmware->memdesc.hostptr, &fw->data[4], fw->size - 4); firmware->size = (fw->size - 4) / sizeof(uint32_t); - firmware->version = adreno_get_ucode_version((u32 *)fw->data); + firmware->version = *(unsigned int *)&fw->data[4]; done: release_firmware(fw); diff --git a/drivers/gpu/msm/adreno_a5xx.h b/drivers/gpu/msm/adreno_a5xx.h index 71e9e69895f0..08f56d6701f2 100644 --- a/drivers/gpu/msm/adreno_a5xx.h +++ b/drivers/gpu/msm/adreno_a5xx.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2015-2017,2019-2020, The Linux Foundation. All rights reserved. +/* Copyright (c) 2015-2017,2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -112,7 +112,7 @@ void a5xx_crashdump_init(struct adreno_device *adreno_dev); void a5xx_hwcg_set(struct adreno_device *adreno_dev, bool on); -#define A5XX_CP_RB_CNTL_DEFAULT ((1 << 27) | ((ilog2(4) << 8) & 0x1F00) | \ +#define A5XX_CP_RB_CNTL_DEFAULT (((ilog2(4) << 8) & 0x1F00) | \ (ilog2(KGSL_RB_DWORDS >> 1) & 0x3F)) /* GPMU interrupt multiplexor */ #define FW_INTR_INFO (0) diff --git a/drivers/gpu/msm/adreno_a5xx_preempt.c b/drivers/gpu/msm/adreno_a5xx_preempt.c index 39283db8f100..cb7a65f92135 100644 --- a/drivers/gpu/msm/adreno_a5xx_preempt.c +++ b/drivers/gpu/msm/adreno_a5xx_preempt.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2014-2017,2019-2020 The Linux Foundation. All rights reserved. +/* Copyright (c) 2014-2017,2019 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -575,7 +575,7 @@ static void _preemption_close(struct adreno_device *adreno_dev) unsigned int i; del_timer(&preempt->timer); - kgsl_free_global(device, &preempt->scratch); + kgsl_free_global(device, &preempt->counters); a5xx_preemption_iommu_close(adreno_dev); FOR_EACH_RINGBUFFER(adreno_dev, rb, i) { @@ -611,14 +611,14 @@ int a5xx_preemption_init(struct adreno_device *adreno_dev) (unsigned long) adreno_dev); /* Allocate mem for storing preemption counters */ - ret = kgsl_allocate_global(device, &preempt->scratch, + ret = kgsl_allocate_global(device, &preempt->counters, adreno_dev->num_ringbuffers * A5XX_CP_CTXRECORD_PREEMPTION_COUNTER_SIZE, 0, 0, "preemption_counters"); if (ret) goto err; - addr = preempt->scratch.gpuaddr; + addr = preempt->counters.gpuaddr; /* Allocate mem for storing preemption switch record */ FOR_EACH_RINGBUFFER(adreno_dev, rb, i) { diff --git a/drivers/gpu/msm/adreno_a6xx.c b/drivers/gpu/msm/adreno_a6xx.c index cbd3d39305d2..a780c1bb1600 100644 --- a/drivers/gpu/msm/adreno_a6xx.c +++ b/drivers/gpu/msm/adreno_a6xx.c @@ -1211,7 +1211,7 @@ static int a6xx_post_start(struct adreno_device *adreno_dev) rb->_wptr = rb->_wptr - (42 - (cmds - start)); - ret = adreno_ringbuffer_submit_spin_nosync(rb, NULL, 2000); + ret = adreno_ringbuffer_submit_spin(rb, NULL, 2000); if (ret) adreno_spin_idle_debug(adreno_dev, "hw preemption initialization failed to idle\n"); @@ -1357,7 +1357,7 @@ static int _load_firmware(struct kgsl_device *device, const char *fwfile, if (!ret) { memcpy(firmware->memdesc.hostptr, &fw->data[4], fw->size - 4); firmware->size = (fw->size - 4) / sizeof(uint32_t); - firmware->version = adreno_get_ucode_version((u32 *)fw->data); + firmware->version = *(unsigned int *)&fw->data[4]; } release_firmware(fw); diff --git a/drivers/gpu/msm/adreno_a6xx.h b/drivers/gpu/msm/adreno_a6xx.h index 5127f18d2c54..49085651f208 100644 --- a/drivers/gpu/msm/adreno_a6xx.h +++ b/drivers/gpu/msm/adreno_a6xx.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2017-2020, The Linux Foundation. All rights reserved. +/* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -101,7 +101,7 @@ struct cpu_gpu_lock { /* Size of the performance counter save/restore block (in bytes) */ #define A6XX_CP_PERFCOUNTER_SAVE_RESTORE_SIZE (4 * 1024) -#define A6XX_CP_RB_CNTL_DEFAULT ((1 << 27) | ((ilog2(4) << 8) & 0x1F00) | \ +#define A6XX_CP_RB_CNTL_DEFAULT (((ilog2(4) << 8) & 0x1F00) | \ (ilog2(KGSL_RB_DWORDS >> 1) & 0x3F)) /* diff --git a/drivers/gpu/msm/adreno_a6xx_preempt.c b/drivers/gpu/msm/adreno_a6xx_preempt.c index ac928a65514d..760cef5891af 100644 --- a/drivers/gpu/msm/adreno_a6xx_preempt.c +++ b/drivers/gpu/msm/adreno_a6xx_preempt.c @@ -324,8 +324,8 @@ void a6xx_preemption_trigger(struct adreno_device *adreno_dev) kgsl_sharedmem_writel(device, &iommu->smmu_info, PREEMPT_SMMU_RECORD(context_idr), contextidr); - kgsl_sharedmem_readq(&preempt->scratch, &gpuaddr, - next->id * sizeof(u64)); + kgsl_sharedmem_readq(&device->scratch, &gpuaddr, + SCRATCH_PREEMPTION_CTXT_RESTORE_ADDR_OFFSET(next->id)); /* * Set a keepalive bit before the first preemption register write. @@ -546,10 +546,12 @@ unsigned int a6xx_preemption_pre_ibsubmit( rb->perfcounter_save_restore_desc.gpuaddr); if (context) { + struct kgsl_device *device = KGSL_DEVICE(adreno_dev); struct adreno_context *drawctxt = ADRENO_CONTEXT(context); struct adreno_ringbuffer *rb = drawctxt->rb; - uint64_t dest = adreno_dev->preempt.scratch.gpuaddr + - sizeof(u64) * rb->id; + uint64_t dest = + SCRATCH_PREEMPTION_CTXT_RESTORE_GPU_ADDR(device, + rb->id); *cmds++ = cp_mem_packet(adreno_dev, CP_MEM_WRITE, 2, 2); cmds += cp_gpuaddr(adreno_dev, cmds, dest); @@ -567,8 +569,9 @@ unsigned int a6xx_preemption_post_ibsubmit(struct adreno_device *adreno_dev, struct adreno_ringbuffer *rb = adreno_dev->cur_rb; if (rb) { - uint64_t dest = adreno_dev->preempt.scratch.gpuaddr + - sizeof(u64) * rb->id; + struct kgsl_device *device = KGSL_DEVICE(adreno_dev); + uint64_t dest = SCRATCH_PREEMPTION_CTXT_RESTORE_GPU_ADDR(device, + rb->id); *cmds++ = cp_mem_packet(adreno_dev, CP_MEM_WRITE, 2, 2); cmds += cp_gpuaddr(adreno_dev, cmds, dest); @@ -729,7 +732,7 @@ static void _preemption_close(struct adreno_device *adreno_dev) unsigned int i; del_timer(&preempt->timer); - kgsl_free_global(device, &preempt->scratch); + kgsl_free_global(device, &preempt->counters); a6xx_preemption_iommu_close(adreno_dev); FOR_EACH_RINGBUFFER(adreno_dev, rb, i) { @@ -768,19 +771,15 @@ int a6xx_preemption_init(struct adreno_device *adreno_dev) setup_timer(&preempt->timer, _a6xx_preemption_timer, (unsigned long) adreno_dev); - /* - * Allocate a scratch buffer to keep the below table: - * Offset: What - * 0x0: Context Record address - * 0x10: Preemption Counters - */ - ret = kgsl_allocate_global(device, &preempt->scratch, PAGE_SIZE, 0, 0, - "preemption_scratch"); + /* Allocate mem for storing preemption counters */ + ret = kgsl_allocate_global(device, &preempt->counters, + adreno_dev->num_ringbuffers * + A6XX_CP_CTXRECORD_PREEMPTION_COUNTER_SIZE, 0, 0, + "preemption_counters"); if (ret) goto err; - addr = preempt->scratch.gpuaddr + - KGSL_PRIORITY_MAX_RB_LEVELS * sizeof(u64); + addr = preempt->counters.gpuaddr; /* Allocate mem for storing preemption switch record */ FOR_EACH_RINGBUFFER(adreno_dev, rb, i) { diff --git a/drivers/gpu/msm/adreno_ioctl.c b/drivers/gpu/msm/adreno_ioctl.c index d18aa19ad563..82629c6fcf23 100644 --- a/drivers/gpu/msm/adreno_ioctl.c +++ b/drivers/gpu/msm/adreno_ioctl.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2002,2007-2018,2020 The Linux Foundation. All rights reserved. +/* Copyright (c) 2002,2007-2018, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -168,7 +168,7 @@ static long adreno_ioctl_preemption_counters_query( levels_to_copy = gpudev->num_prio_levels; if (copy_to_user((void __user *) (uintptr_t) read->counters, - adreno_dev->preempt.scratch.hostptr, + adreno_dev->preempt.counters.hostptr, levels_to_copy * size_level)) return -EFAULT; diff --git a/drivers/gpu/msm/adreno_pm4types.h b/drivers/gpu/msm/adreno_pm4types.h index 543496399044..2a330b4474aa 100644 --- a/drivers/gpu/msm/adreno_pm4types.h +++ b/drivers/gpu/msm/adreno_pm4types.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2002,2007-2017,2020 The Linux Foundation. All rights reserved. +/* Copyright (c) 2002,2007-2017, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -103,8 +103,6 @@ /* A5XX Enable yield in RB only */ #define CP_YIELD_ENABLE 0x1C -#define CP_WHERE_AM_I 0x62 - /* Enable/Disable/Defer A5x global preemption model */ #define CP_PREEMPT_ENABLE_GLOBAL 0x69 diff --git a/drivers/gpu/msm/adreno_ringbuffer.c b/drivers/gpu/msm/adreno_ringbuffer.c index e32562296809..2ee57e9a5ce6 100644 --- a/drivers/gpu/msm/adreno_ringbuffer.c +++ b/drivers/gpu/msm/adreno_ringbuffer.c @@ -204,7 +204,7 @@ void adreno_ringbuffer_submit(struct adreno_ringbuffer *rb, adreno_ringbuffer_wptr(adreno_dev, rb); } -int adreno_ringbuffer_submit_spin_nosync(struct adreno_ringbuffer *rb, +int adreno_ringbuffer_submit_spin(struct adreno_ringbuffer *rb, struct adreno_submit_time *time, unsigned int timeout) { struct adreno_device *adreno_dev = ADRENO_RB_DEVICE(rb); @@ -213,38 +213,6 @@ int adreno_ringbuffer_submit_spin_nosync(struct adreno_ringbuffer *rb, return adreno_spin_idle(adreno_dev, timeout); } -/* - * adreno_ringbuffer_submit_spin() - Submit the cmds and wait until GPU is idle - * @rb: Pointer to ringbuffer - * @time: Pointer to adreno_submit_time - * @timeout: timeout value in ms - * - * Add commands to the ringbuffer and wait until GPU goes to idle. This routine - * inserts a WHERE_AM_I packet to trigger a shadow rptr update. So, use - * adreno_ringbuffer_submit_spin_nosync() if the previous cmd in the RB is a - * CSY packet because CSY followed by WHERE_AM_I is not legal. - */ -int adreno_ringbuffer_submit_spin(struct adreno_ringbuffer *rb, - struct adreno_submit_time *time, unsigned int timeout) -{ - struct adreno_device *adreno_dev = ADRENO_RB_DEVICE(rb); - struct kgsl_device *device = KGSL_DEVICE(adreno_dev); - unsigned int *cmds; - - if (adreno_is_a3xx(adreno_dev)) - return adreno_ringbuffer_submit_spin_nosync(rb, time, timeout); - - cmds = adreno_ringbuffer_allocspace(rb, 3); - if (IS_ERR(cmds)) - return PTR_ERR(cmds); - - *cmds++ = cp_packet(adreno_dev, CP_WHERE_AM_I, 2); - cmds += cp_gpuaddr(adreno_dev, cmds, - SCRATCH_RPTR_GPU_ADDR(device, rb->id)); - - return adreno_ringbuffer_submit_spin_nosync(rb, time, timeout); -} - unsigned int *adreno_ringbuffer_allocspace(struct adreno_ringbuffer *rb, unsigned int dwords) { @@ -369,13 +337,12 @@ int adreno_ringbuffer_probe(struct adreno_device *adreno_dev, bool nopreempt) { struct kgsl_device *device = KGSL_DEVICE(adreno_dev); struct adreno_gpudev *gpudev = ADRENO_GPU_DEVICE(adreno_dev); - unsigned int priv = KGSL_MEMDESC_RANDOM | KGSL_MEMDESC_PRIVILEGED; int i, r = 0; int status = -ENOMEM; if (!adreno_is_a3xx(adreno_dev)) { status = kgsl_allocate_global(device, &device->scratch, - PAGE_SIZE, 0, priv, "scratch"); + PAGE_SIZE, 0, KGSL_MEMDESC_RANDOM, "scratch"); if (status != 0) return status; } @@ -597,8 +564,6 @@ adreno_ringbuffer_addcmds(struct adreno_ringbuffer *rb, if (gpudev->preemption_post_ibsubmit && adreno_is_preemption_enabled(adreno_dev)) total_sizedwords += 10; - else if (!adreno_is_a3xx(adreno_dev)) - total_sizedwords += 3; /* * a5xx uses 64 bit memory address. pm4 commands that involve read/write @@ -810,11 +775,6 @@ adreno_ringbuffer_addcmds(struct adreno_ringbuffer *rb, adreno_is_preemption_enabled(adreno_dev)) ringcmds += gpudev->preemption_post_ibsubmit(adreno_dev, ringcmds); - else if (!adreno_is_a3xx(adreno_dev)) { - *ringcmds++ = cp_packet(adreno_dev, CP_WHERE_AM_I, 2); - ringcmds += cp_gpuaddr(adreno_dev, ringcmds, - SCRATCH_RPTR_GPU_ADDR(device, rb->id)); - } /* * If we have more ringbuffer commands than space reserved diff --git a/drivers/gpu/msm/adreno_ringbuffer.h b/drivers/gpu/msm/adreno_ringbuffer.h index 14b4ecc2e192..9eb0c92213f3 100644 --- a/drivers/gpu/msm/adreno_ringbuffer.h +++ b/drivers/gpu/msm/adreno_ringbuffer.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2002,2007-2020, The Linux Foundation. All rights reserved. +/* Copyright (c) 2002,2007-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -178,9 +178,6 @@ int adreno_ringbuffer_issue_internal_cmds(struct adreno_ringbuffer *rb, void adreno_ringbuffer_submit(struct adreno_ringbuffer *rb, struct adreno_submit_time *time); -int adreno_ringbuffer_submit_spin_nosync(struct adreno_ringbuffer *rb, - struct adreno_submit_time *time, unsigned int timeout); - int adreno_ringbuffer_submit_spin(struct adreno_ringbuffer *rb, struct adreno_submit_time *time, unsigned int timeout); diff --git a/drivers/gpu/msm/kgsl.h b/drivers/gpu/msm/kgsl.h index 1091205e6aa3..06736130e13c 100644 --- a/drivers/gpu/msm/kgsl.h +++ b/drivers/gpu/msm/kgsl.h @@ -71,11 +71,13 @@ /* * SCRATCH MEMORY: The scratch memory is one page worth of data that * is mapped into the GPU. This allows for some 'shared' data between - * the GPU and CPU. + * the GPU and CPU. For example, it will be used by the GPU to write + * each updated RPTR for each RB. * * Used Data: * Offset: Length(bytes): What * 0x0: 4 * KGSL_PRIORITY_MAX_RB_LEVELS: RB0 RPTR + * 0x10: 8 * KGSL_PRIORITY_MAX_RB_LEVELS: RB0 CTXT RESTORE ADDR */ /* Shadow global helpers */ @@ -83,6 +85,13 @@ #define SCRATCH_RPTR_GPU_ADDR(dev, id) \ ((dev)->scratch.gpuaddr + SCRATCH_RPTR_OFFSET(id)) +#define SCRATCH_PREEMPTION_CTXT_RESTORE_ADDR_OFFSET(id) \ + (SCRATCH_RPTR_OFFSET(KGSL_PRIORITY_MAX_RB_LEVELS) + \ + ((id) * sizeof(uint64_t))) +#define SCRATCH_PREEMPTION_CTXT_RESTORE_GPU_ADDR(dev, id) \ + ((dev)->scratch.gpuaddr + \ + SCRATCH_PREEMPTION_CTXT_RESTORE_ADDR_OFFSET(id)) + /* Timestamp window used to detect rollovers (half of integer range) */ #define KGSL_TIMESTAMP_WINDOW 0x80000000 From b816232bdf7982dcb7978f8f70178cf0439d3fd9 Mon Sep 17 00:00:00 2001 From: UtsavBalar1231 Date: Thu, 20 Aug 2020 10:08:52 +0530 Subject: [PATCH 139/386] goodix_driver_gt9886: Remove touch_suspend_notify sysfs node Signed-off-by: UtsavBalar1231 --- .../goodix_driver_gt9886/goodix_ts_core.c | 22 ------------------- 1 file changed, 22 deletions(-) diff --git a/drivers/input/touchscreen/goodix_driver_gt9886/goodix_ts_core.c b/drivers/input/touchscreen/goodix_driver_gt9886/goodix_ts_core.c index 75816175d121..af8a0b316dda 100644 --- a/drivers/input/touchscreen/goodix_driver_gt9886/goodix_ts_core.c +++ b/drivers/input/touchscreen/goodix_driver_gt9886/goodix_ts_core.c @@ -1141,13 +1141,6 @@ static int goodix_ts_gpio_setup(struct goodix_ts_core *core_data) return 0; } -static ssize_t gtp_touch_suspend_notify_show(struct device *dev, - struct device_attribute *attr, - char *buf) -{ - return snprintf(buf, PAGE_SIZE, "%d\n", !!atomic_read(&goodix_core_data->suspend_stat)); -} - static ssize_t gtp_fod_test_store(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) @@ -1212,9 +1205,6 @@ static DEVICE_ATTR(fod_status, (S_IRUGO | S_IWUSR | S_IWGRP), static DEVICE_ATTR(fod_test, (S_IRUGO | S_IWUSR | S_IWGRP), NULL, gtp_fod_test_store); -static DEVICE_ATTR(touch_suspend_notify, (S_IRUGO | S_IRGRP), - gtp_touch_suspend_notify_show, NULL); - static void goodix_switch_mode_work(struct work_struct *work) { struct goodix_mode_switch *ms = @@ -1628,9 +1618,6 @@ out: release_all_touches(core_data); core_data->ts_event.event_data.touch_data.touch_num = 0; - sysfs_notify(&core_data->gtp_touch_dev->kobj, NULL, - "touch_suspend_notify"); - mutex_unlock(&core_data->work_stat); ts_info("Suspend end"); @@ -1718,9 +1705,6 @@ out: } core_data->sleep_finger = 0; - sysfs_notify(&core_data->gtp_touch_dev->kobj, NULL, - "touch_suspend_notify"); - mutex_unlock(&core_data->work_stat); ts_info("Resume end"); @@ -2161,12 +2145,6 @@ static int goodix_ts_probe(struct platform_device *pdev) } dev_set_drvdata(core_data->gtp_touch_dev, core_data); - if (sysfs_create_file(&core_data->gtp_touch_dev->kobj, - &dev_attr_touch_suspend_notify.attr)) { - ts_err("Failed to create sysfs group!\n"); - goto out; - } - if (sysfs_create_file(&core_data->gtp_touch_dev->kobj, &dev_attr_fod_status.attr)) { ts_err("Failed to create fod_status sysfs group!\n"); From dffb2a3778c83742c010dba3950cf71ebe2c9149 Mon Sep 17 00:00:00 2001 From: UtsavBalar1231 Date: Thu, 20 Aug 2020 10:11:46 +0530 Subject: [PATCH 140/386] goodix_driver_gt9886: fix bad indentation in gsx_gesture_ist Signed-off-by: UtsavBalar1231 --- .../goodix_driver_gt9886/goodix_ts_gesture.c | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/input/touchscreen/goodix_driver_gt9886/goodix_ts_gesture.c b/drivers/input/touchscreen/goodix_driver_gt9886/goodix_ts_gesture.c index c4dd45d76775..be0b8dca8124 100644 --- a/drivers/input/touchscreen/goodix_driver_gt9886/goodix_ts_gesture.c +++ b/drivers/input/touchscreen/goodix_driver_gt9886/goodix_ts_gesture.c @@ -479,16 +479,16 @@ static int gsx_gesture_ist(struct goodix_ts_core *core_data, if ((FP_Event_Gesture == 1) && (temp_data[2] == 0xff)) { if (core_data->fod_pressed) { ts_debug("Gesture report up"); - input_mt_slot(core_data->input_dev, 0); - input_mt_report_slot_state(core_data->input_dev, MT_TOOL_FINGER, false); - input_report_abs(core_data->input_dev, ABS_MT_WIDTH_MINOR, 0); - input_report_key(core_data->input_dev, BTN_INFO, 0); - /*input_report_key(core_data->input_dev, KEY_INFO, 0);*/ - input_report_key(core_data->input_dev, BTN_TOUCH, 0); - input_report_key(core_data->input_dev, BTN_TOOL_FINGER, 0); - input_sync(core_data->input_dev); - __clear_bit(0, &core_data->touch_id); - core_data->fod_pressed = false; + input_mt_slot(core_data->input_dev, 0); + input_mt_report_slot_state(core_data->input_dev, MT_TOOL_FINGER, false); + input_report_abs(core_data->input_dev, ABS_MT_WIDTH_MINOR, 0); + input_report_key(core_data->input_dev, BTN_INFO, 0); + /*input_report_key(core_data->input_dev, KEY_INFO, 0);*/ + input_report_key(core_data->input_dev, BTN_TOUCH, 0); + input_report_key(core_data->input_dev, BTN_TOOL_FINGER, 0); + input_sync(core_data->input_dev); + __clear_bit(0, &core_data->touch_id); + core_data->fod_pressed = false; } core_data->sleep_finger = 0; } From 27468e4557ec42bb7377b2b33dcc8240315af958 Mon Sep 17 00:00:00 2001 From: UtsavBalar1231 Date: Thu, 20 Aug 2020 10:15:35 +0530 Subject: [PATCH 141/386] goodix_driver_gt9886: check aod_status while updating suspend_stat Signed-off-by: UtsavBalar1231 --- .../touchscreen/goodix_driver_gt9886/goodix_ts_gesture.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/input/touchscreen/goodix_driver_gt9886/goodix_ts_gesture.c b/drivers/input/touchscreen/goodix_driver_gt9886/goodix_ts_gesture.c index be0b8dca8124..266d6c07f72d 100644 --- a/drivers/input/touchscreen/goodix_driver_gt9886/goodix_ts_gesture.c +++ b/drivers/input/touchscreen/goodix_driver_gt9886/goodix_ts_gesture.c @@ -619,11 +619,11 @@ static int goodix_wakeup_and_set_suspend_func(struct goodix_ts_core *core_data) } } while (r < 0 && ++retry < 3); - if (core_data->double_wakeup && core_data->fod_status) { + if (core_data->double_wakeup && (core_data->fod_status || core_data->aod_status)) { atomic_set(&core_data->suspend_stat, TP_GESTURE_DBCLK_FOD); } else if (core_data->double_wakeup) { atomic_set(&core_data->suspend_stat, TP_GESTURE_DBCLK); - } else if (core_data->fod_status) { + } else if (core_data->fod_status || core_data->aod_status) { atomic_set(&core_data->suspend_stat, TP_GESTURE_FOD); } ts_info("suspend_stat[%d]", atomic_read(&core_data->suspend_stat)); From a4a28afb218b8897d704e0bed6905b3be2a9ccc0 Mon Sep 17 00:00:00 2001 From: UtsavBalar1231 Date: Thu, 20 Aug 2020 10:29:19 +0530 Subject: [PATCH 142/386] msm_vidc: Remove pm_qos usage Signed-off-by: UtsavBalar1231 --- .../platform/msm/vidc/msm_vidc_res_parse.c | 3 --- .../platform/msm/vidc/msm_vidc_resources.h | 1 - drivers/media/platform/msm/vidc/venus_hfi.c | 26 ------------------- 3 files changed, 30 deletions(-) diff --git a/drivers/media/platform/msm/vidc/msm_vidc_res_parse.c b/drivers/media/platform/msm/vidc/msm_vidc_res_parse.c index 8ca1edfdc27b..3de0232873a1 100644 --- a/drivers/media/platform/msm/vidc/msm_vidc_res_parse.c +++ b/drivers/media/platform/msm/vidc/msm_vidc_res_parse.c @@ -813,9 +813,6 @@ int read_platform_resources_from_drv_data( res->debug_timeout = find_key_value(platform_data, "qcom,debug-timeout"); - res->pm_qos_latency_us = find_key_value(platform_data, - "qcom,pm-qos-latency-us"); - res->max_secure_inst_count = find_key_value(platform_data, "qcom,max-secure-instances"); diff --git a/drivers/media/platform/msm/vidc/msm_vidc_resources.h b/drivers/media/platform/msm/vidc/msm_vidc_resources.h index 53d62fb91c45..a5ebba093383 100644 --- a/drivers/media/platform/msm/vidc/msm_vidc_resources.h +++ b/drivers/media/platform/msm/vidc/msm_vidc_resources.h @@ -193,7 +193,6 @@ struct msm_vidc_platform_resources { const char *hfi_version; bool never_unload_fw; bool debug_timeout; - uint32_t pm_qos_latency_us; uint32_t max_inst_count; uint32_t max_secure_inst_count; int msm_vidc_hw_rsp_timeout; diff --git a/drivers/media/platform/msm/vidc/venus_hfi.c b/drivers/media/platform/msm/vidc/venus_hfi.c index 4deed7f6b8ed..ad6197425045 100644 --- a/drivers/media/platform/msm/vidc/venus_hfi.c +++ b/drivers/media/platform/msm/vidc/venus_hfi.c @@ -23,7 +23,6 @@ #include #include #include -#include #include #include #include @@ -2224,14 +2223,6 @@ static int venus_hfi_core_init(void *device) __set_subcaches(device); __dsp_send_hfi_queue(device); - if (dev->res->pm_qos_latency_us) { -#ifdef CONFIG_SMP - dev->qos.type = PM_QOS_REQ_AFFINE_IRQ; - dev->qos.irq = dev->hal_data->irq; -#endif - pm_qos_add_request(&dev->qos, PM_QOS_CPU_DMA_LATENCY, - dev->res->pm_qos_latency_us); - } dprintk(VIDC_DBG, "Core inited successfully\n"); mutex_unlock(&dev->lock); return rc; @@ -2258,10 +2249,6 @@ static int venus_hfi_core_release(void *dev) mutex_lock(&device->lock); dprintk(VIDC_DBG, "Core releasing\n"); - if (device->res->pm_qos_latency_us && - pm_qos_request_active(&device->qos)) - pm_qos_remove_request(&device->qos); - __resume(device); __set_state(device, VENUS_STATE_DEINIT); __dsp_shutdown(device, 0); @@ -4801,10 +4788,6 @@ static inline int __suspend(struct venus_hfi_device *device) dprintk(VIDC_PROF, "Entering suspend\n"); - if (device->res->pm_qos_latency_us && - pm_qos_request_active(&device->qos)) - pm_qos_remove_request(&device->qos); - rc = __tzbsp_set_video_state(TZBSP_VIDEO_STATE_SUSPEND); if (rc) { dprintk(VIDC_WARN, "Failed to suspend video core %d\n", rc); @@ -4864,15 +4847,6 @@ static inline int __resume(struct venus_hfi_device *device) */ __set_threshold_registers(device); - if (device->res->pm_qos_latency_us) { -#ifdef CONFIG_SMP - device->qos.type = PM_QOS_REQ_AFFINE_IRQ; - device->qos.irq = device->hal_data->irq; -#endif - pm_qos_add_request(&device->qos, PM_QOS_CPU_DMA_LATENCY, - device->res->pm_qos_latency_us); - } - __sys_set_debug(device, msm_vidc_fw_debug); __enable_subcaches(device); From d1dc1c03a982fc6dc37d8bc731f5e72e7877ce8d Mon Sep 17 00:00:00 2001 From: celtare21 Date: Sat, 1 Aug 2020 18:10:57 +0200 Subject: [PATCH 143/386] drm/msm/sde: Remove pm_qos usage Signed-off-by: celtare21 Signed-off-by: UtsavBalar1231 --- drivers/gpu/drm/msm/sde/sde_encoder.c | 46 +-------------------------- 1 file changed, 1 insertion(+), 45 deletions(-) diff --git a/drivers/gpu/drm/msm/sde/sde_encoder.c b/drivers/gpu/drm/msm/sde/sde_encoder.c index 5f193c496494..72007a282191 100644 --- a/drivers/gpu/drm/msm/sde/sde_encoder.c +++ b/drivers/gpu/drm/msm/sde/sde_encoder.c @@ -228,7 +228,6 @@ enum sde_enc_rc_states { * @recovery_events_enabled: status of hw recovery feature enable by client * @elevated_ahb_vote: increase AHB bus speed for the first frame * after power collapse - * @pm_qos_cpu_req: pm_qos request for cpu frequency */ struct sde_encoder_virt { struct drm_encoder base; @@ -289,44 +288,10 @@ struct sde_encoder_virt { bool recovery_events_enabled; bool elevated_ahb_vote; - struct pm_qos_request pm_qos_cpu_req; }; #define to_sde_encoder_virt(x) container_of(x, struct sde_encoder_virt, base) -static void _sde_encoder_pm_qos_add_request(struct drm_encoder *drm_enc, - struct sde_kms *sde_kms) -{ - struct sde_encoder_virt *sde_enc = to_sde_encoder_virt(drm_enc); - struct pm_qos_request *req; - u32 cpu_mask; - u32 cpu_dma_latency; - - if (!sde_kms->catalog || !sde_kms->catalog->perf.cpu_mask) - return; - - cpu_mask = sde_kms->catalog->perf.cpu_mask; - cpu_dma_latency = sde_kms->catalog->perf.cpu_dma_latency; - - req = &sde_enc->pm_qos_cpu_req; - req->type = PM_QOS_REQ_AFFINE_CORES; - atomic_set(&req->cpus_affine, cpu_mask); - pm_qos_add_request(req, PM_QOS_CPU_DMA_LATENCY, cpu_dma_latency); - - SDE_EVT32_VERBOSE(DRMID(drm_enc), cpu_mask, cpu_dma_latency); -} - -static void _sde_encoder_pm_qos_remove_request(struct drm_encoder *drm_enc, - struct sde_kms *sde_kms) -{ - struct sde_encoder_virt *sde_enc = to_sde_encoder_virt(drm_enc); - - if (!sde_kms->catalog || !sde_kms->catalog->perf.cpu_mask) - return; - - pm_qos_remove_request(&sde_enc->pm_qos_cpu_req); -} - static struct drm_connector_state *_sde_encoder_get_conn_state( struct drm_encoder *drm_enc) { @@ -2200,14 +2165,12 @@ static int _sde_encoder_resource_control_helper(struct drm_encoder *drm_enc, struct sde_kms *sde_kms; struct sde_encoder_virt *sde_enc; int rc; - bool is_cmd_mode, is_primary; + bool is_primary; sde_enc = to_sde_encoder_virt(drm_enc); priv = drm_enc->dev->dev_private; sde_kms = to_sde_kms(priv->kms); - is_cmd_mode = sde_enc->disp_info.capabilities & - MSM_DISPLAY_CAP_CMD_MODE; is_primary = sde_enc->disp_info.is_primary; SDE_DEBUG_ENC(sde_enc, "enable:%d\n", enable); @@ -2241,14 +2204,7 @@ static int _sde_encoder_resource_control_helper(struct drm_encoder *drm_enc, /* enable all the irq */ _sde_encoder_irq_control(drm_enc, true); - - if (is_cmd_mode) - _sde_encoder_pm_qos_add_request(drm_enc, sde_kms); - } else { - if (is_cmd_mode) - _sde_encoder_pm_qos_remove_request(drm_enc, sde_kms); - /* disable all the irq */ _sde_encoder_irq_control(drm_enc, false); From 1bf4404790620833b889e0d894a5a988e6a659a5 Mon Sep 17 00:00:00 2001 From: celtare21 Date: Sat, 1 Aug 2020 18:12:52 +0200 Subject: [PATCH 144/386] ARM: dts: msm: Remove pm-qos values Signed-off-by: celtare21 --- arch/arm64/boot/dts/qcom/sm8150-sde.dtsi | 3 --- 1 file changed, 3 deletions(-) diff --git a/arch/arm64/boot/dts/qcom/sm8150-sde.dtsi b/arch/arm64/boot/dts/qcom/sm8150-sde.dtsi index 2b0974243132..aee5d7896abe 100644 --- a/arch/arm64/boot/dts/qcom/sm8150-sde.dtsi +++ b/arch/arm64/boot/dts/qcom/sm8150-sde.dtsi @@ -200,9 +200,6 @@ qcom,sde-cdp-setting = <1 1>, <1 0>; - qcom,sde-qos-cpu-mask = <0x3>; - qcom,sde-qos-cpu-dma-latency = <44>; - /* offsets are relative to "mdp_phys + qcom,sde-off */ qcom,sde-reg-dma-off = <0>; From 3e8970aa4940f614ae0de8b7c2f634a58930351f Mon Sep 17 00:00:00 2001 From: Sivakanth vaka Date: Fri, 10 Jul 2020 14:30:44 +0530 Subject: [PATCH 145/386] MDM:IPA3: Fixes issue with RNDIS and ECM suspend path PM resources are released even when there are outstanding packets leading to data stall hence resources are released only when there are no outstanding packets. Change-Id: I630737edfc9cadea1d8a99bdb6bb6fcbe76615d8 Signed-off-by: sivakanth vaka Signed-off-by: UtsavBalar1231 --- drivers/platform/msm/ipa/ipa_clients/ecm_ipa.c | 8 ++++++-- drivers/platform/msm/ipa/ipa_clients/rndis_ipa.c | 9 +++++++-- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/drivers/platform/msm/ipa/ipa_clients/ecm_ipa.c b/drivers/platform/msm/ipa/ipa_clients/ecm_ipa.c index 0199f038ebcb..2bf6185b5964 100644 --- a/drivers/platform/msm/ipa/ipa_clients/ecm_ipa.c +++ b/drivers/platform/msm/ipa/ipa_clients/ecm_ipa.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved. +/* Copyright (c) 2013-2020, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -650,7 +650,8 @@ static netdev_tx_t ecm_ipa_start_xmit fail_tx_packet: out: - resource_release(ecm_ipa_ctx); + if (atomic_read(&ecm_ipa_ctx->outstanding_pkts) == 0) + resource_release(ecm_ipa_ctx); resource_busy: return status; } @@ -1322,6 +1323,9 @@ static void ecm_ipa_tx_complete_notify netif_wake_queue(ecm_ipa_ctx->net); } + if (atomic_read(&ecm_ipa_ctx->outstanding_pkts) == 0) + resource_release(ecm_ipa_ctx); + out: dev_kfree_skb_any(skb); } diff --git a/drivers/platform/msm/ipa/ipa_clients/rndis_ipa.c b/drivers/platform/msm/ipa/ipa_clients/rndis_ipa.c index 9c0187f254df..e5df5e0c6bab 100644 --- a/drivers/platform/msm/ipa/ipa_clients/rndis_ipa.c +++ b/drivers/platform/msm/ipa/ipa_clients/rndis_ipa.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2013-2018,2020 The Linux Foundation. All rights reserved. +/* Copyright (c) 2013-2020, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -984,7 +984,8 @@ static netdev_tx_t rndis_ipa_start_xmit(struct sk_buff *skb, fail_tx_packet: rndis_ipa_xmit_error(skb); out: - resource_release(rndis_ipa_ctx); + if (atomic_read(&rndis_ipa_ctx->outstanding_pkts) == 0) + resource_release(rndis_ipa_ctx); resource_busy: RNDIS_IPA_DEBUG ("packet Tx done - %s\n", @@ -1057,6 +1058,10 @@ static void rndis_ipa_tx_complete_notify( RNDIS_IPA_DEBUG("send queue was awaken\n"); } + /*Release resource only when outstanding packets are zero*/ + if (atomic_read(&rndis_ipa_ctx->outstanding_pkts) == 0) + resource_release(rndis_ipa_ctx); + out: dev_kfree_skb_any(skb); } From bb3ceab6e57d3429abe1ca539c967a39a427ddc3 Mon Sep 17 00:00:00 2001 From: Sivakanth vaka Date: Thu, 16 Jul 2020 19:19:16 +0530 Subject: [PATCH 146/386] msm: ipa3: Enable holb as part of usb suspend When USB is suspended there are DL packets on consumer channel leading to stall. to avoid the stall enabling the holb as part of suspend and removing it in resume. Change-Id: I08e2fe248ee675698da16b6df6aec8f109c73608 Signed-off-by: sivakanth vaka Signed-off-by: UtsavBalar1231 --- drivers/platform/msm/ipa/ipa_v3/ipa_client.c | 28 ++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_client.c b/drivers/platform/msm/ipa/ipa_v3/ipa_client.c index 20911f34fd33..fa27d5263ea7 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_client.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_client.c @@ -1543,6 +1543,7 @@ int ipa3_xdci_suspend(u32 ul_clnt_hdl, u32 dl_clnt_hdl, struct gsi_chan_info ul_gsi_chan_info, dl_gsi_chan_info; int aggr_active_bitmap = 0; struct ipa_ep_cfg_ctrl ep_cfg_ctrl; + struct ipa_ep_cfg_holb holb_cfg; /* In case of DPL, dl is the DPL channel/client */ @@ -1628,6 +1629,15 @@ int ipa3_xdci_suspend(u32 ul_clnt_hdl, u32 dl_clnt_hdl, goto unsuspend_dl_and_exit; } + /*enable holb to discard the packets*/ + if (ipa3_ctx->ipa_hw_type == IPA_HW_v4_5 && + IPA_CLIENT_IS_CONS(dl_ep->client) && !is_dpl) { + memset(&holb_cfg, 0, sizeof(holb_cfg)); + holb_cfg.en = IPA_HOLB_TMR_EN; + holb_cfg.tmr_val = IPA_HOLB_TMR_VAL_4_5; + result = ipa3_cfg_ep_holb(dl_clnt_hdl, &holb_cfg); + } + /* Stop DL channel */ result = ipa3_stop_gsi_channel(dl_clnt_hdl); if (result) { @@ -1657,6 +1667,14 @@ int ipa3_xdci_suspend(u32 ul_clnt_hdl, u32 dl_clnt_hdl, start_dl_and_exit: gsi_start_channel(dl_ep->gsi_chan_hdl); ipa3_start_gsi_debug_monitor(dl_clnt_hdl); + /*disable holb to allow packets*/ + if (ipa3_ctx->ipa_hw_type == IPA_HW_v4_5 && + IPA_CLIENT_IS_CONS(dl_ep->client) && !is_dpl) { + memset(&holb_cfg, 0, sizeof(holb_cfg)); + holb_cfg.en = IPA_HOLB_TMR_DIS; + holb_cfg.tmr_val = 0; + ipa3_cfg_ep_holb(dl_clnt_hdl, &holb_cfg); + } unsuspend_dl_and_exit: if (ipa3_ctx->ipa_hw_type < IPA_HW_v4_0) { /* Unsuspend the DL EP */ @@ -1713,6 +1731,7 @@ int ipa3_xdci_resume(u32 ul_clnt_hdl, u32 dl_clnt_hdl, bool is_dpl) struct ipa3_ep_context *dl_ep = NULL; enum gsi_status gsi_res; struct ipa_ep_cfg_ctrl ep_cfg_ctrl; + struct ipa_ep_cfg_holb holb_cfg; /* In case of DPL, dl is the DPL channel/client */ @@ -1743,6 +1762,15 @@ int ipa3_xdci_resume(u32 ul_clnt_hdl, u32 dl_clnt_hdl, bool is_dpl) IPAERR("Error starting DL channel: %d\n", gsi_res); ipa3_start_gsi_debug_monitor(dl_clnt_hdl); + /*disable holb to allow packets*/ + if (ipa3_ctx->ipa_hw_type == IPA_HW_v4_5 && + IPA_CLIENT_IS_CONS(dl_ep->client) && !is_dpl) { + memset(&holb_cfg, 0, sizeof(holb_cfg)); + holb_cfg.en = IPA_HOLB_TMR_DIS; + holb_cfg.tmr_val = 0; + ipa3_cfg_ep_holb(dl_clnt_hdl, &holb_cfg); + } + /* Start UL channel */ if (!is_dpl) { gsi_res = gsi_start_channel(ul_ep->gsi_chan_hdl); From 3c8cfe1453cb4dc0ca11790cc12c19829baad08c Mon Sep 17 00:00:00 2001 From: Michael Adisumarta Date: Thu, 6 Aug 2020 16:07:33 -0700 Subject: [PATCH 147/386] msm: ipa: header file to support wdi 2.4G new pipe Header file changes that includes new 2.4G wdi tx pipe info and it's interface. Change-Id: I0bc77f8359152f8209ec4ef132dc6497d0875c2a Signed-off-by: Michael Adisumarta Signed-off-by: UtsavBalar1231 --- include/linux/ipa_wdi3.h | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/include/linux/ipa_wdi3.h b/include/linux/ipa_wdi3.h index 4036becd4fcf..8d87ac4e3f0b 100644 --- a/include/linux/ipa_wdi3.h +++ b/include/linux/ipa_wdi3.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2018-2019, The Linux Foundation. All rights reserved. +/* Copyright (c) 2018-2020, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -89,6 +89,7 @@ struct ipa_wdi_hdr_info { * @is_meta_data_valid: if meta data is valid * @meta_data: meta data if any * @meta_data_mask: meta data mask + * @is_tx1_used: to indicate whether 2.4g or 5g iface */ struct ipa_wdi_reg_intf_in_params { const char *netdev_name; @@ -97,6 +98,7 @@ struct ipa_wdi_reg_intf_in_params { u8 is_meta_data_valid; u32 meta_data; u32 meta_data_mask; + u8 is_tx1_used; }; /** @@ -189,6 +191,9 @@ struct ipa_wdi_pipe_setup_info_smmu { * @tx_smmu: smmu parameters to connect TX pipe(from IPA to WLAN) * @rx: parameters to connect RX pipe(from WLAN to IPA) * @rx_smmu: smmu parameters to connect RX pipe(from WLAN to IPA) + * @is_tx1_used: to notify extra pipe required/not + * @tx1: parameters to connect TX1 pipe(from IPA to WLAN second pipe) + * @tx1_smmu: smmu parameters to connect TX1 pipe(from IPA to WLAN second pipe) */ struct ipa_wdi_conn_in_params { ipa_notify_cb notify; @@ -204,6 +209,11 @@ struct ipa_wdi_conn_in_params { struct ipa_wdi_pipe_setup_info rx; struct ipa_wdi_pipe_setup_info_smmu rx_smmu; } u_rx; + bool is_tx1_used; + union { + struct ipa_wdi_pipe_setup_info tx; + struct ipa_wdi_pipe_setup_info_smmu tx_smmu; + } u_tx1; }; /** @@ -211,10 +221,12 @@ struct ipa_wdi_conn_in_params { * to WLAN driver * @tx_uc_db_pa: physical address of IPA uC doorbell for TX * @rx_uc_db_pa: physical address of IPA uC doorbell for RX + * @tx1_uc_db_pa: physical address of IPA uC doorbell for TX1 */ struct ipa_wdi_conn_out_params { phys_addr_t tx_uc_db_pa; phys_addr_t rx_uc_db_pa; + phys_addr_t tx1_uc_db_pa; }; /** From ca932fbb48dc9f749a7ead45a704b414ff15c12a Mon Sep 17 00:00:00 2001 From: Akshay Pandit Date: Thu, 6 Aug 2020 22:29:16 +0530 Subject: [PATCH 148/386] msm: ipa3: Define ODL DPL cons for sdx55 CPE config Define IPA_CLIENT_ODL_DPL_CONS for sdx55 in CPE config where it boots up with mhi config. Change-Id: Ib42716568193d866662f9074c08aaaa322684f9b Signed-off-by: Akshay Pandit Signed-off-by: UtsavBalar1231 --- drivers/platform/msm/ipa/ipa_v3/ipa_utils.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_utils.c b/drivers/platform/msm/ipa/ipa_v3/ipa_utils.c index 8c3b92e19f85..529c9e3ac1a6 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_utils.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_utils.c @@ -2712,6 +2712,12 @@ static const struct ipa_ep_configuration ipa3_ep_mapping IPA_DPS_HPS_SEQ_TYPE_INVALID, QMB_MASTER_SELECT_PCIE, { 22, 2, 5, 5, IPA_EE_AP, GSI_ESCAPE_BUF_ONLY, 0 } }, + [IPA_4_5_MHI][IPA_CLIENT_ODL_DPL_CONS] = { + true, IPA_v4_5_MHI_GROUP_DDR, + false, + IPA_DPS_HPS_SEQ_TYPE_INVALID, + QMB_MASTER_SELECT_DDR, + { 22, 2, 5, 5, IPA_EE_AP, GSI_ESCAPE_BUF_ONLY, 0 } }, [IPA_4_5_MHI][IPA_CLIENT_MHI_LOW_LAT_CONS] = { true, IPA_v4_5_MHI_GROUP_PCIE, false, From 1b7ce45d0a096283d29b252580314ea296a44a8c Mon Sep 17 00:00:00 2001 From: Siva Kumar Akkireddi Date: Tue, 5 May 2020 14:15:15 +0530 Subject: [PATCH 149/386] msm: mhi_dev: Redesign UCI transfer request structure management Invalid memory access can happen if a client closes its channels with transfers pending because the mhi transfer request structure gets freed in UCI when channel is closed, but MHI driver accesses the request structure in the transfer completion callback. To avoid the invalid memory access, following changes are done: * Allocate mhi transfer request structures for a client in the first UCI client open call * Do not free mhi transfer request structs when client calls release, to allow for subsequent re-use * Maintain an in-use list to track active transfers * If a client exits with transfers pending, move the request structs corresponding to pending transfers to free list and mark them as stale. * Stale transfers, if completed later, are ignored. Change-Id: I170e06321de9c67b0a1d107b775d75b2ed97febb Signed-off-by: Siva Kumar Akkireddi Signed-off-by: UtsavBalar1231 --- drivers/platform/msm/mhi_dev/mhi.c | 26 ++- drivers/platform/msm/mhi_dev/mhi_uci.c | 284 +++++++++++++++++-------- include/linux/msm_mhi_dev.h | 1 + 3 files changed, 210 insertions(+), 101 deletions(-) diff --git a/drivers/platform/msm/mhi_dev/mhi.c b/drivers/platform/msm/mhi_dev/mhi.c index 484fc1ec3b53..9a3e8bc04dc9 100644 --- a/drivers/platform/msm/mhi_dev/mhi.c +++ b/drivers/platform/msm/mhi_dev/mhi.c @@ -2143,25 +2143,34 @@ static void mhi_dev_transfer_completion_cb(void *mreq) { int rc = 0; struct mhi_req *req = mreq; - struct mhi_dev_channel *ch = req->client->channel; + struct mhi_dev_channel *ch; u32 snd_cmpl = req->snd_cmpl; + bool inbound = false; - if (mhi_ctx->ch_ctx_cache[ch->ch_id].ch_type == - MHI_DEV_CH_TYPE_INBOUND_CHANNEL) - ch->pend_wr_count--; + ch = &mhi_ctx->ch[req->chan]; dma_unmap_single(&mhi_ctx->pdev->dev, req->dma, - req->len, DMA_FROM_DEVICE); + req->len, DMA_FROM_DEVICE); + + if (mhi_ctx->ch_ctx_cache[ch->ch_id].ch_type == + MHI_DEV_CH_TYPE_INBOUND_CHANNEL) { + inbound = true; + ch->pend_wr_count--; + } /* - * Channel got stopped or closed with transfers pending + * Channel got closed with transfers pending * Do not trigger callback or send cmpl to host */ if (ch->state == MHI_DEV_CH_CLOSED || ch->state == MHI_DEV_CH_STOPPED) { - mhi_log(MHI_MSG_DBG, - "Ch %d not in started state, %d writes pending\n", + if (inbound) + mhi_log(MHI_MSG_DBG, + "Ch %d closed with %d writes pending\n", ch->ch_id, ch->pend_wr_count + 1); + else + mhi_log(MHI_MSG_DBG, + "Ch %d closed with read pending\n", ch->ch_id); return; } @@ -2749,6 +2758,7 @@ int mhi_dev_open_channel(uint32_t chan_id, ch->active_client = (*handle_client); (*handle_client)->channel = ch; (*handle_client)->event_trigger = mhi_dev_client_cb_reason; + ch->pend_wr_count = 0; if (ch->state == MHI_DEV_CH_UNINT) { ch->ring = &mhi_ctx->ring[chan_id + mhi_ctx->ch_ring_start]; diff --git a/drivers/platform/msm/mhi_dev/mhi_uci.c b/drivers/platform/msm/mhi_dev/mhi_uci.c index 73ac3bc1e527..5384dc66c85a 100644 --- a/drivers/platform/msm/mhi_dev/mhi_uci.c +++ b/drivers/platform/msm/mhi_dev/mhi_uci.c @@ -33,8 +33,8 @@ #define MHI_SOFTWARE_CLIENT_LIMIT (MHI_MAX_SOFTWARE_CHANNELS/2) #define MHI_UCI_IPC_LOG_PAGES (100) -/* Max number of MHI write request structures (used in async writes) */ -#define MHI_UCI_NUM_WR_REQ_DEFAULT 10 +/* Max number of MHI read/write request structs (used in async transfers) */ +#define MHI_UCI_NUM_REQ_DEFAULT 10 #define MAX_NR_TRBS_PER_CHAN 9 #define MHI_QTI_IFACE_ID 4 #define MHI_ADPL_IFACE_ID 5 @@ -51,6 +51,8 @@ #define MHI_UCI_RELEASE_TIMEOUT_MAX 5100 #define MHI_UCI_RELEASE_TIMEOUT_COUNT 30 +#define MHI_UCI_IS_CHAN_DIR_IN(n) ((n % 2) ? true : false) + enum uci_dbg_level { UCI_DBG_VERBOSE = 0x0, UCI_DBG_INFO = 0x1, @@ -95,8 +97,7 @@ struct chan_attr { /* Skip node creation if not needed */ bool skip_node; /* Number of write request structs to allocate */ - u32 num_wr_reqs; - + u32 num_reqs; }; static void mhi_uci_generic_client_cb(struct mhi_dev_client_cb_data *cb_data); @@ -357,15 +358,19 @@ struct uci_client { struct mhi_uci_ctxt_t *uci_ctxt; struct mutex in_chan_lock; struct mutex out_chan_lock; - spinlock_t wr_req_lock; + spinlock_t req_lock; unsigned int f_flags; - struct mhi_req *wreqs; - struct list_head wr_req_list; + /* Pointer to dynamically allocated mhi_req structs */ + struct mhi_req *reqs; + /* Pointer to available (free) reqs */ + struct list_head req_list; + /* Pointer to in-use reqs */ + struct list_head in_use_list; struct completion read_done; struct completion at_ctrl_read_done; struct completion *write_done; int (*send)(struct uci_client*, void*, u32); - int (*read)(struct uci_client*, struct mhi_req*, int*); + int (*read)(struct uci_client*, int*); unsigned int tiocm; unsigned int at_ctrl_mask; }; @@ -501,23 +506,75 @@ free_memory: return rc; } +static struct mhi_req *mhi_uci_get_req(struct uci_client *uci_handle) +{ + struct mhi_req *req; + unsigned long flags; + + spin_lock_irqsave(&uci_handle->req_lock, flags); + if (list_empty(&uci_handle->req_list)) { + uci_log(UCI_DBG_ERROR, "Request pool empty for chans %d, %d\n", + uci_handle->in_chan, uci_handle->out_chan); + spin_unlock_irqrestore(&uci_handle->req_lock, flags); + return NULL; + } + /* Remove from free list and add to in-use list */ + req = container_of(uci_handle->req_list.next, + struct mhi_req, list); + list_del_init(&req->list); + /* + * If req is marked stale and if it was used for the write channel + * to host, free the previously allocated input buffer before the + * req is re-used + */ + if (req->is_stale && req->buf && MHI_UCI_IS_CHAN_DIR_IN(req->chan)) { + uci_log(UCI_DBG_VERBOSE, "Freeing write buf for chan %d\n", + req->chan); + kfree(req->buf); + } + req->is_stale = false; + uci_log(UCI_DBG_VERBOSE, "Adding req to in-use list\n"); + list_add_tail(&req->list, &uci_handle->in_use_list); + spin_unlock_irqrestore(&uci_handle->req_lock, flags); + + return req; +} + +static void mhi_uci_put_req(struct uci_client *uci_handle, struct mhi_req *req) +{ + unsigned long flags; + + spin_lock_irqsave(&uci_handle->req_lock, flags); + /* Remove from in-use list and add back to free list */ + list_del_init(&req->list); + list_add_tail(&req->list, &uci_handle->req_list); + spin_unlock_irqrestore(&uci_handle->req_lock, flags); +} + static void mhi_uci_write_completion_cb(void *req) { struct mhi_req *ureq = req; - struct uci_client *uci_handle; - unsigned long flags; + struct uci_client *uci_handle = (struct uci_client *)ureq->context; - uci_handle = (struct uci_client *)ureq->context; kfree(ureq->buf); ureq->buf = NULL; - spin_lock_irqsave(&uci_handle->wr_req_lock, flags); - list_add_tail(&ureq->list, &uci_handle->wr_req_list); - spin_unlock_irqrestore(&uci_handle->wr_req_lock, flags); + /* + * If this is a delayed write completion, just clear + * the stale flag and return. The ureq was added to + * the free list when client called release function. + */ + if (ureq->is_stale) { + uci_log(UCI_DBG_VERBOSE, + "Got stale completion for ch %d\n", ureq->chan); + ureq->is_stale = false; + return; + } if (uci_handle->write_done) complete(uci_handle->write_done); + mhi_uci_put_req(uci_handle, ureq); /* Write queue may be waiting for write request structs */ wake_up(&uci_handle->write_wq); } @@ -527,7 +584,19 @@ static void mhi_uci_read_completion_cb(void *req) struct mhi_req *ureq = req; struct uci_client *uci_handle; + if (ureq->is_stale) { + uci_log(UCI_DBG_VERBOSE, + "Got stale completion for ch %d, ignoring\n", + ureq->chan); + return; + } + uci_handle = (struct uci_client *)ureq->context; + + uci_handle->pkt_loc = (void *)ureq->buf; + uci_handle->pkt_size = ureq->transfer_len; + + mhi_uci_put_req(uci_handle, ureq); complete(&uci_handle->read_done); } @@ -537,6 +606,9 @@ static int mhi_uci_send_sync(struct uci_client *uci_handle, struct mhi_req ureq; int ret_val; + uci_log(UCI_DBG_VERBOSE, + "Sync write for ch %d size %d\n", uci_handle->out_chan, size); + ureq.client = uci_handle->out_handle; ureq.buf = data_loc; ureq.len = size; @@ -557,19 +629,12 @@ static int mhi_uci_send_async(struct uci_client *uci_handle, struct mhi_req *ureq; uci_log(UCI_DBG_VERBOSE, - "Got async write for ch %d of size %d\n", + "Async write for ch %d size %d\n", uci_handle->out_chan, size); - spin_lock_irq(&uci_handle->wr_req_lock); - if (list_empty(&uci_handle->wr_req_list)) { - uci_log(UCI_DBG_ERROR, "Write request pool empty\n"); - spin_unlock_irq(&uci_handle->wr_req_lock); + ureq = mhi_uci_get_req(uci_handle); + if (!ureq) return -EBUSY; - } - ureq = container_of(uci_handle->wr_req_list.next, - struct mhi_req, list); - list_del_init(&ureq->list); - spin_unlock_irq(&uci_handle->wr_req_lock); ureq->client = uci_handle->out_handle; ureq->context = uci_handle; @@ -588,9 +653,7 @@ static int mhi_uci_send_async(struct uci_client *uci_handle, error_async_transfer: ureq->buf = NULL; - spin_lock_irq(&uci_handle->wr_req_lock); - list_add_tail(&ureq->list, &uci_handle->wr_req_list); - spin_unlock_irq(&uci_handle->wr_req_lock); + mhi_uci_put_req(uci_handle, ureq); return bytes_to_write; } @@ -632,7 +695,7 @@ static int mhi_uci_send_packet(struct uci_client *uci_handle, void *data_loc, return -EAGAIN; ret_val = wait_event_interruptible_timeout( uci_handle->write_wq, - !list_empty(&uci_handle->wr_req_list), + !list_empty(&uci_handle->req_list), MHI_UCI_WRITE_REQ_AVAIL_TIMEOUT); if (ret_val > 0) { /* @@ -733,42 +796,62 @@ static unsigned int mhi_uci_client_poll(struct file *file, poll_table *wait) return mask; } -static int mhi_uci_alloc_write_reqs(struct uci_client *client) +static int mhi_uci_alloc_reqs(struct uci_client *client) { int i; - u32 num_wr_reqs; + u32 num_reqs; - num_wr_reqs = client->in_chan_attr->num_wr_reqs; - if (!num_wr_reqs) - num_wr_reqs = MHI_UCI_NUM_WR_REQ_DEFAULT; + if (client->reqs) { + uci_log(UCI_DBG_VERBOSE, "Reqs already allocated\n"); + return 0; + } - client->wreqs = kcalloc(num_wr_reqs, + num_reqs = client->in_chan_attr->num_reqs; + if (!num_reqs) + num_reqs = MHI_UCI_NUM_REQ_DEFAULT; + + client->reqs = kcalloc(num_reqs, sizeof(struct mhi_req), GFP_KERNEL); - if (!client->wreqs) { - uci_log(UCI_DBG_ERROR, "Write reqs alloc failed\n"); + if (!client->reqs) { + uci_log(UCI_DBG_ERROR, "Reqs alloc failed\n"); return -ENOMEM; } - INIT_LIST_HEAD(&client->wr_req_list); - for (i = 0; i < num_wr_reqs; ++i) - list_add_tail(&client->wreqs[i].list, &client->wr_req_list); + INIT_LIST_HEAD(&client->req_list); + INIT_LIST_HEAD(&client->in_use_list); + for (i = 0; i < num_reqs; ++i) + list_add_tail(&client->reqs[i].list, &client->req_list); uci_log(UCI_DBG_INFO, "Allocated %d write reqs for chan %d\n", - num_wr_reqs, client->out_chan); + num_reqs, client->out_chan); return 0; } -static int mhi_uci_read_async(struct uci_client *uci_handle, - struct mhi_req *ureq, int *bytes_avail) +static int mhi_uci_read_async(struct uci_client *uci_handle, int *bytes_avail) { int ret_val = 0; unsigned long compl_ret; + struct mhi_req *ureq; + struct mhi_dev_client *client_handle; uci_log(UCI_DBG_ERROR, "Async read for ch %d\n", uci_handle->in_chan); + ureq = mhi_uci_get_req(uci_handle); + if (!ureq) { + uci_log(UCI_DBG_ERROR, + "Out of reqs for chan %d\n", uci_handle->in_chan); + return -EBUSY; + } + + client_handle = uci_handle->in_handle; + ureq->chan = uci_handle->in_chan; + ureq->client = client_handle; + ureq->buf = uci_handle->in_buf_list[0].addr; + ureq->len = uci_handle->in_buf_list[0].buf_size; + ureq->mode = DMA_ASYNC; ureq->client_cb = mhi_uci_read_completion_cb; ureq->snd_cmpl = 1; @@ -777,14 +860,14 @@ static int mhi_uci_read_async(struct uci_client *uci_handle, reinit_completion(&uci_handle->read_done); *bytes_avail = mhi_dev_read_channel(ureq); - uci_log(UCI_DBG_VERBOSE, "buf_size = 0x%lx bytes_read = 0x%x\n", - ureq->len, *bytes_avail); if (*bytes_avail < 0) { uci_log(UCI_DBG_ERROR, "Failed to read channel ret %dlu\n", *bytes_avail); + mhi_uci_put_req(uci_handle, ureq); return -EIO; } - + uci_log(UCI_DBG_VERBOSE, "buf_size = 0x%lx bytes_read = 0x%x\n", + ureq->len, *bytes_avail); if (*bytes_avail > 0) { uci_log(UCI_DBG_VERBOSE, "Waiting for async read completion!\n"); @@ -792,7 +875,6 @@ static int mhi_uci_read_async(struct uci_client *uci_handle, wait_for_completion_interruptible_timeout( &uci_handle->read_done, MHI_UCI_ASYNC_READ_TIMEOUT); - if (compl_ret == -ERESTARTSYS) { uci_log(UCI_DBG_ERROR, "Exit signal caught\n"); return compl_ret; @@ -802,33 +884,41 @@ static int mhi_uci_read_async(struct uci_client *uci_handle, return -EIO; } uci_log(UCI_DBG_VERBOSE, - "wk up Read completed on ch %d\n", ureq->chan); - - uci_handle->pkt_loc = (void *)ureq->buf; - uci_handle->pkt_size = ureq->transfer_len; - + "wk up Read completed on ch %d\n", uci_handle->in_chan); uci_log(UCI_DBG_VERBOSE, "Got pkt of sz 0x%lx at adr %pK, ch %d\n", uci_handle->pkt_size, - ureq->buf, ureq->chan); + uci_handle->pkt_loc, uci_handle->in_chan); } else { uci_handle->pkt_loc = NULL; uci_handle->pkt_size = 0; + uci_log(UCI_DBG_VERBOSE, + "No read data available, return req to free liat\n"); + mhi_uci_put_req(uci_handle, ureq); } return ret_val; } -static int mhi_uci_read_sync(struct uci_client *uci_handle, - struct mhi_req *ureq, int *bytes_avail) +static int mhi_uci_read_sync(struct uci_client *uci_handle, int *bytes_avail) { int ret_val = 0; + struct mhi_req ureq; + struct mhi_dev_client *client_handle; - ureq->mode = DMA_SYNC; - *bytes_avail = mhi_dev_read_channel(ureq); + uci_log(UCI_DBG_ERROR, + "Sync read for ch %d\n", uci_handle->in_chan); + client_handle = uci_handle->in_handle; + ureq.chan = uci_handle->in_chan; + ureq.client = client_handle; + ureq.buf = uci_handle->in_buf_list[0].addr; + ureq.len = uci_handle->in_buf_list[0].buf_size; + ureq.mode = DMA_SYNC; + + *bytes_avail = mhi_dev_read_channel(&ureq); uci_log(UCI_DBG_VERBOSE, "buf_size = 0x%lx bytes_read = 0x%x\n", - ureq->len, *bytes_avail); + ureq.len, *bytes_avail); if (*bytes_avail < 0) { uci_log(UCI_DBG_ERROR, "Failed to read channel ret %d\n", @@ -837,13 +927,13 @@ static int mhi_uci_read_sync(struct uci_client *uci_handle, } if (*bytes_avail > 0) { - uci_handle->pkt_loc = (void *)ureq->buf; - uci_handle->pkt_size = ureq->transfer_len; + uci_handle->pkt_loc = (void *)ureq.buf; + uci_handle->pkt_size = ureq.transfer_len; uci_log(UCI_DBG_VERBOSE, "Got pkt of sz 0x%lx at adr %pK, ch %d\n", uci_handle->pkt_size, - ureq->buf, ureq->chan); + ureq.buf, ureq.chan); } else { uci_handle->pkt_loc = NULL; uci_handle->pkt_size = 0; @@ -868,7 +958,7 @@ static int open_client_mhi_channels(struct uci_client *uci_client) /* Allocate write requests for async operations */ if (!(uci_client->f_flags & O_SYNC)) { - rc = mhi_uci_alloc_write_reqs(uci_client); + rc = mhi_uci_alloc_reqs(uci_client); if (rc) goto handle_not_rdy_err; uci_client->send = mhi_uci_send_async; @@ -988,6 +1078,7 @@ static int mhi_uci_client_release(struct inode *mhi_inode, { struct uci_client *uci_handle = file_handle->private_data; int count = 0; + struct mhi_req *ureq; if (!uci_handle) return -EINVAL; @@ -1018,9 +1109,6 @@ static int mhi_uci_client_release(struct inode *mhi_inode, if (atomic_read(&uci_handle->mhi_chans_open)) { atomic_set(&uci_handle->mhi_chans_open, 0); - - if (!(uci_handle->f_flags & O_SYNC)) - kfree(uci_handle->wreqs); mutex_lock(&uci_handle->out_chan_lock); mhi_dev_close_channel(uci_handle->out_handle); wake_up(&uci_handle->write_wq); @@ -1030,6 +1118,27 @@ static int mhi_uci_client_release(struct inode *mhi_inode, mhi_dev_close_channel(uci_handle->in_handle); wake_up(&uci_handle->read_wq); mutex_unlock(&uci_handle->in_chan_lock); + /* + * Add back reqs in in-use list, if any, to free list. + * Mark the ureq stale to avoid returning stale data + * to client if the transfer completes later. + */ + count = 0; + while (!(list_empty(&uci_handle->in_use_list))) { + ureq = container_of(uci_handle->in_use_list.next, + struct mhi_req, list); + list_del_init(&ureq->list); + ureq->is_stale = true; + uci_log(UCI_DBG_VERBOSE, + "Adding back req for chan %d to free list\n", + ureq->chan); + list_add_tail(&ureq->list, &uci_handle->req_list); + count++; + } + if (count) + uci_log(UCI_DBG_DBG, + "Client %d closed with %d transfers pending\n", + iminor(mhi_inode), count); } atomic_set(&uci_handle->read_data_ready, 0); @@ -1146,20 +1255,11 @@ static int __mhi_uci_client_read(struct uci_client *uci_handle, int *bytes_avail) { int ret_val = 0; - struct mhi_dev_client *client_handle; - struct mhi_req ureq; - - client_handle = uci_handle->in_handle; - ureq.chan = uci_handle->in_chan; - ureq.client = client_handle; - ureq.buf = uci_handle->in_buf_list[0].addr; - ureq.len = uci_handle->in_buf_list[0].buf_size; do { if (!uci_handle->pkt_loc && !atomic_read(&uci_ctxt.mhi_disabled)) { - ret_val = uci_handle->read(uci_handle, &ureq, - bytes_avail); + ret_val = uci_handle->read(uci_handle, bytes_avail); if (ret_val) return ret_val; } @@ -1169,12 +1269,13 @@ static int __mhi_uci_client_read(struct uci_client *uci_handle, uci_log(UCI_DBG_VERBOSE, "No data read_data_ready %d, chan %d\n", atomic_read(&uci_handle->read_data_ready), - ureq.chan); + uci_handle->in_chan); if (uci_handle->f_flags & (O_NONBLOCK | O_NDELAY)) return -EAGAIN; ret_val = wait_event_interruptible(uci_handle->read_wq, - (!mhi_dev_channel_isempty(client_handle))); + (!mhi_dev_channel_isempty( + uci_handle->in_handle))); if (ret_val == -ERESTARTSYS) { uci_log(UCI_DBG_ERROR, "Exit signal caught\n"); @@ -1183,27 +1284,16 @@ static int __mhi_uci_client_read(struct uci_client *uci_handle, uci_log(UCI_DBG_VERBOSE, "wk up Got data on ch %d read_data_ready %d\n", - ureq.chan, + uci_handle->in_chan, atomic_read(&uci_handle->read_data_ready)); } else if (*bytes_avail > 0) { /* A valid packet was returned from MHI */ uci_log(UCI_DBG_VERBOSE, "Got packet: avail pkts %d phy_adr %pK, ch %d\n", atomic_read(&uci_handle->read_data_ready), - ureq.buf, - ureq.chan); + uci_handle->pkt_loc, + uci_handle->in_chan); break; - } else { - /* - * MHI did not return a valid packet, but we have one - * which we did not finish returning to user - */ - uci_log(UCI_DBG_CRITICAL, - "chan %d err: avail pkts %d phy_adr %pK", - ureq.chan, - atomic_read(&uci_handle->read_data_ready), - ureq.buf); - return -EIO; } } while (!uci_handle->pkt_loc); @@ -1465,7 +1555,7 @@ static int mhi_register_client(struct uci_client *mhi_client, int index) mutex_init(&mhi_client->in_chan_lock); mutex_init(&mhi_client->out_chan_lock); - spin_lock_init(&mhi_client->wr_req_lock); + spin_lock_init(&mhi_client->req_lock); /* Init the completion event for AT ctrl read */ init_completion(&mhi_client->at_ctrl_read_done); @@ -1833,6 +1923,7 @@ static void mhi_uci_at_ctrl_client_cb(struct mhi_dev_client_cb_data *cb_data) { struct uci_client *client = cb_data->user_data; int rc; + struct mhi_req *ureq; uci_log(UCI_DBG_VERBOSE, " Rcvd MHI cb for channel %d, state %d\n", cb_data->channel, cb_data->ctrl_info); @@ -1859,10 +1950,17 @@ static void mhi_uci_at_ctrl_client_cb(struct mhi_dev_client_cb_data *cb_data) } destroy_workqueue(uci_ctxt.at_ctrl_wq); uci_ctxt.at_ctrl_wq = NULL; - if (!(client->f_flags & O_SYNC)) - kfree(client->wreqs); mhi_dev_close_channel(client->out_handle); mhi_dev_close_channel(client->in_handle); + + /* Add back reqs in in-use list, if any, to free list */ + while (!(list_empty(&client->in_use_list))) { + ureq = container_of(client->in_use_list.next, + struct mhi_req, list); + list_del_init(&ureq->list); + /* Add to in-use list */ + list_add_tail(&ureq->list, &client->req_list); + } } } diff --git a/include/linux/msm_mhi_dev.h b/include/linux/msm_mhi_dev.h index f086e848327f..42eb9fa05405 100644 --- a/include/linux/msm_mhi_dev.h +++ b/include/linux/msm_mhi_dev.h @@ -73,6 +73,7 @@ struct mhi_req { struct list_head list; union mhi_dev_ring_element_type *el; void (*client_cb)(void *req); + bool is_stale; }; /* SW channel client list */ From 99ccd4b46f2509e2cb637f8ef1d74ba5b4657f43 Mon Sep 17 00:00:00 2001 From: Subramanian Ananthanarayanan Date: Tue, 7 Jul 2020 12:42:04 +0530 Subject: [PATCH 150/386] msm: mhi_dev: Fix interrupt storm during Enable/disable mhi_dev_backup_mmio() and mhi_dev_restore_mmio() does backup/restore of INTR registers of MHI device, causing it to restore interrupts that are not valid during PCIE PM_RST_DEAST event. The fix is to skip the INTR register space. Change-Id: I2a8cde174cf4c6acd7acce13ad0195ed6a9a6f0b Signed-off-by: Subramanian Ananthanarayanan Signed-off-by: UtsavBalar1231 --- drivers/platform/msm/mhi_dev/mhi.h | 3 ++- drivers/platform/msm/mhi_dev/mhi_mmio.c | 12 ++++++++---- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/platform/msm/mhi_dev/mhi.h b/drivers/platform/msm/mhi_dev/mhi.h index fe398cbc8c0f..5b8a7f5affc8 100644 --- a/drivers/platform/msm/mhi_dev/mhi.h +++ b/drivers/platform/msm/mhi_dev/mhi.h @@ -421,7 +421,8 @@ static inline void mhi_dev_ring_inc_index(struct mhi_dev_ring *ring, #define TRACE_DATA_MAX 128 #define MHI_DEV_DATA_MAX 512 -#define MHI_DEV_MMIO_RANGE 0xc80 +#define MHI_DEV_MMIO_RANGE 0xb80 +#define MHI_DEV_MMIO_OFFSET 0x100 struct ring_cache_req { struct completion *done; diff --git a/drivers/platform/msm/mhi_dev/mhi_mmio.c b/drivers/platform/msm/mhi_dev/mhi_mmio.c index 7770ea694330..a9c724c51db6 100644 --- a/drivers/platform/msm/mhi_dev/mhi_mmio.c +++ b/drivers/platform/msm/mhi_dev/mhi_mmio.c @@ -607,7 +607,8 @@ int mhi_dev_restore_mmio(struct mhi_dev *dev) mhi_dev_mmio_mask_interrupts(dev); for (i = 0; i < (MHI_DEV_MMIO_RANGE/4); i++) { - reg_cntl_addr = dev->mmio_base_addr + (i * 4); + reg_cntl_addr = dev->mmio_base_addr + + MHI_DEV_MMIO_OFFSET + (i * 4); reg_cntl_value = dev->mmio_backup[i]; writel_relaxed(reg_cntl_value, reg_cntl_addr); } @@ -628,13 +629,16 @@ EXPORT_SYMBOL(mhi_dev_restore_mmio); int mhi_dev_backup_mmio(struct mhi_dev *dev) { uint32_t i = 0; + void __iomem *reg_cntl_addr; if (WARN_ON(!dev)) return -EINVAL; - for (i = 0; i < MHI_DEV_MMIO_RANGE/4; i++) - dev->mmio_backup[i] = - readl_relaxed(dev->mmio_base_addr + (i * 4)); + for (i = 0; i < MHI_DEV_MMIO_RANGE/4; i++) { + reg_cntl_addr = (void __iomem *) (dev->mmio_base_addr + + MHI_DEV_MMIO_OFFSET + (i * 4)); + dev->mmio_backup[i] = readl_relaxed(reg_cntl_addr); + } return 0; } From f8ebc3712ef11ae1e1ea024fa9a562367ec4c855 Mon Sep 17 00:00:00 2001 From: Subramanian Ananthanarayanan Date: Fri, 7 Aug 2020 10:55:31 +0530 Subject: [PATCH 151/386] mhi: netdev: Avoid free of netdev client,ipc handles Change involves to avoid free of mhi netdev client, ipc handles as part of mhi_dev_net_state_cb(). These are not re-allocated in mhi_dev_net_interface_init() as mhi_net_ctxt.client_handle is already valid which is called during device reset scenario. Change-Id: I6f660c8dccd47a93c115c39d2898f450c5d61635 Signed-off-by: Subramanian Ananthanarayanan Signed-off-by: UtsavBalar1231 --- drivers/platform/msm/mhi_dev/mhi_dev_net.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/platform/msm/mhi_dev/mhi_dev_net.c b/drivers/platform/msm/mhi_dev/mhi_dev_net.c index a9ad33a9aa83..49b67640a3e1 100644 --- a/drivers/platform/msm/mhi_dev/mhi_dev_net.c +++ b/drivers/platform/msm/mhi_dev/mhi_dev_net.c @@ -700,8 +700,6 @@ static void mhi_dev_net_state_cb(struct mhi_dev_client_cb_data *cb_data) mhi_dev_net_free_reqs(&mhi_client->wr_req_buffers); free_netdev(mhi_client->dev); mhi_client->dev = NULL; - kfree(mhi_client); - kfree(mhi_net_ipc_log); } } } From cedd35b569ca7f10ded2b66b19c01511f41fe470 Mon Sep 17 00:00:00 2001 From: Subramanian Ananthanarayanan Date: Thu, 6 Aug 2020 13:19:56 +0530 Subject: [PATCH 152/386] msm: mhi_dev: UCI memory leak fix mhi_init_read_chan() allocates max_packet_size*nr_trbs for async client for inbound channel. Multiple open/close of channels can cause memory leak. Adding free operation during channel release to resolve this. Change-Id: I7be4d47d28140a4d04b5070cb7db776a7f909238 Signed-off-by: Subramanian Ananthanarayanan Signed-off-by: UtsavBalar1231 --- drivers/platform/msm/mhi_dev/mhi_uci.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/drivers/platform/msm/mhi_dev/mhi_uci.c b/drivers/platform/msm/mhi_dev/mhi_uci.c index 5384dc66c85a..a95df104d38c 100644 --- a/drivers/platform/msm/mhi_dev/mhi_uci.c +++ b/drivers/platform/msm/mhi_dev/mhi_uci.c @@ -1077,12 +1077,20 @@ static int mhi_uci_client_release(struct inode *mhi_inode, struct file *file_handle) { struct uci_client *uci_handle = file_handle->private_data; - int count = 0; + const struct chan_attr *in_chan_attr; + int count = 0, i; struct mhi_req *ureq; if (!uci_handle) return -EINVAL; + in_chan_attr = uci_handle->in_chan_attr; + if (!in_chan_attr) { + uci_log(UCI_DBG_ERROR, "Null channel attributes for chan %d\n", + uci_handle->in_chan); + return -EINVAL; + } + if (atomic_sub_return(1, &uci_handle->ref_count)) { uci_log(UCI_DBG_DBG, "Client close chan %d, ref count 0x%x\n", iminor(mhi_inode), @@ -1141,6 +1149,12 @@ static int mhi_uci_client_release(struct inode *mhi_inode, iminor(mhi_inode), count); } + for (i = 0; i < (in_chan_attr->nr_trbs); i++) { + kfree(uci_handle->in_buf_list[i].addr); + uci_handle->in_buf_list[i].addr = NULL; + uci_handle->in_buf_list[i].buf_size = 0; + } + atomic_set(&uci_handle->read_data_ready, 0); atomic_set(&uci_handle->write_data_ready, 0); file_handle->private_data = NULL; From 0faa773adaa22e6f9bd99290de2a1f273334b28a Mon Sep 17 00:00:00 2001 From: Sultan Alsawaf Date: Fri, 3 May 2019 00:34:19 -0700 Subject: [PATCH 153/386] qos: Don't allow userspace to impose restrictions on CPU idle levels Giving userspace intimate control over CPU latency requirements is nonsense. Userspace can't even stop itself from being preempted, so there's no reason for it to have access to a mechanism primarily used to eliminate CPU delays on the order of microseconds. Remove userspace's ability to send pm_qos requests so that it can't hurt power consumption. Signed-off-by: Sultan Alsawaf Signed-off-by: UtsavBalar1231 --- kernel/power/qos.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/power/qos.c b/kernel/power/qos.c index 95c48e007413..70d591dde70d 100644 --- a/kernel/power/qos.c +++ b/kernel/power/qos.c @@ -881,6 +881,9 @@ static ssize_t pm_qos_power_write(struct file *filp, const char __user *buf, s32 value; struct pm_qos_request *req; + /* Don't let userspace impose restrictions on CPU idle levels */ + return count; + if (count == sizeof(s32)) { if (copy_from_user(&value, buf, sizeof(s32))) return -EFAULT; From e2b05cc697e9ab6d2d1e6a9359aede59b74b6855 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Tue, 16 Jun 2020 13:23:05 -0700 Subject: [PATCH 154/386] ARM64: configs: raphael: enable CONFIG_VETH=y MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Useful for testing, debugging, when combined with network namespaces in particular. Test: treehugger Bug: 158835517 Signed-off-by: Maciej Żenczykowski Change-Id: I85eb281fe3c93b748d7b26585e63a125c5b849c2 Signed-off-by: UtsavBalar1231 --- arch/arm64/configs/raphael_defconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/configs/raphael_defconfig b/arch/arm64/configs/raphael_defconfig index ab290b2f27c9..21c693fd70c8 100644 --- a/arch/arm64/configs/raphael_defconfig +++ b/arch/arm64/configs/raphael_defconfig @@ -1620,7 +1620,7 @@ CONFIG_DUMMY=y # CONFIG_RMNET_IPLO is not set CONFIG_TUN=y # CONFIG_TUN_VNET_CROSS_LE is not set -# CONFIG_VETH is not set +CONFIG_VETH=y # CONFIG_NLMON is not set # From 36b47d53846aa5f73356cb4c2bf5afdcd0b3a71b Mon Sep 17 00:00:00 2001 From: Jeff Vander Stoep Date: Tue, 16 Jun 2020 22:09:29 +0200 Subject: [PATCH 155/386] ARM64: configs: raphael: CONFIG_STATIC_USERMODEHELPER=y Without this, we get the following error: android.security.cts.KernelConfigTest#testConfigDisableUsermodehelper fail: junit.framework.AssertionFailedError: Linux kernel must enable static usermodehelper: CONFIG_STATIC_USERMODEHELPER=y Test: testConfigDisableUsermodehelper Bug: 158049874 Bug: 145742407 Change-Id: Iebea5cfc2d986082f8fce76025735b72e4950168 Signed-off-by: UtsavBalar1231 --- arch/arm64/configs/raphael_defconfig | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/arm64/configs/raphael_defconfig b/arch/arm64/configs/raphael_defconfig index 21c693fd70c8..412585623b0d 100644 --- a/arch/arm64/configs/raphael_defconfig +++ b/arch/arm64/configs/raphael_defconfig @@ -5086,7 +5086,8 @@ CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set CONFIG_FORTIFY_SOURCE=y -# CONFIG_STATIC_USERMODEHELPER is not set +CONFIG_STATIC_USERMODEHELPER=y +CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper" CONFIG_SECURITY_SELINUX=y # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_DISABLE is not set From c263690273a43ff0359330c1b15af6583d652e93 Mon Sep 17 00:00:00 2001 From: Rahul Shahare Date: Fri, 21 Aug 2020 11:22:56 +0530 Subject: [PATCH 156/386] ARM64: configs: raphael: Enable dm-snapshot To support virtual A/B feature, set CONFIG_DM_SNAPSHOT to enable dm-snapshot. Change-Id: I8659b75f2687d7404dcf6c95d732b78bf77c6dd2 Signed-off-by: Rahul Shahare Signed-off-by: UtsavBalar1231 --- arch/arm64/configs/raphael_defconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/configs/raphael_defconfig b/arch/arm64/configs/raphael_defconfig index 412585623b0d..3bf61c39a044 100644 --- a/arch/arm64/configs/raphael_defconfig +++ b/arch/arm64/configs/raphael_defconfig @@ -1581,7 +1581,7 @@ CONFIG_DM_BUFIO=y # CONFIG_DM_DEBUG_BLOCK_MANAGER_LOCKING is not set CONFIG_DM_CRYPT=y CONFIG_DM_DEFAULT_KEY=y -# CONFIG_DM_SNAPSHOT is not set +CONFIG_DM_SNAPSHOT=y # CONFIG_DM_THIN_PROVISIONING is not set # CONFIG_DM_CACHE is not set # CONFIG_DM_ERA is not set From 26b183d6cd29c060dc51577f0be993bdf797986b Mon Sep 17 00:00:00 2001 From: UtsavBalar1231 Date: Fri, 21 Aug 2020 11:24:34 +0530 Subject: [PATCH 157/386] ARM64: configs: raphael: Enable Profiling support Signed-off-by: UtsavBalar1231 --- arch/arm64/configs/raphael_defconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/configs/raphael_defconfig b/arch/arm64/configs/raphael_defconfig index 3bf61c39a044..bb089491bf42 100644 --- a/arch/arm64/configs/raphael_defconfig +++ b/arch/arm64/configs/raphael_defconfig @@ -239,7 +239,7 @@ CONFIG_SLAB_MERGE_DEFAULT=y # CONFIG_SLAB_FREELIST_HARDENED is not set CONFIG_SLUB_CPU_PARTIAL=y # CONFIG_SYSTEM_DATA_VERIFICATION is not set -# CONFIG_PROFILING is not set +CONFIG_PROFILING=y CONFIG_JUMP_LABEL=y # CONFIG_STATIC_KEYS_SELFTEST is not set # CONFIG_UPROBES is not set From 1bad105bad58122fbb7bf7a67ae7730c3fd9443e Mon Sep 17 00:00:00 2001 From: Erik Ekman Date: Fri, 17 Jul 2020 20:51:18 +0200 Subject: [PATCH 158/386] USB: serial: qcserial: add EM7305 QDL product ID commit d2a4309c1ab6df424b2239fe2920d6f26f808d17 upstream. When running qmi-firmware-update on the Sierra Wireless EM7305 in a Toshiba laptop, it changed product ID to 0x9062 when entering QDL mode: usb 2-4: new high-speed USB device number 78 using xhci_hcd usb 2-4: New USB device found, idVendor=1199, idProduct=9062, bcdDevice= 0.00 usb 2-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0 usb 2-4: Product: EM7305 usb 2-4: Manufacturer: Sierra Wireless, Incorporated The upgrade could complete after running # echo 1199 9062 > /sys/bus/usb-serial/drivers/qcserial/new_id qcserial 2-4:1.0: Qualcomm USB modem converter detected usb 2-4: Qualcomm USB modem converter now attached to ttyUSB0 Signed-off-by: Erik Ekman Link: https://lore.kernel.org/r/20200717185118.3640219-1-erik@kryo.se Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/usb/serial/qcserial.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c index 27b4082f4d19..7662b2eb50d8 100644 --- a/drivers/usb/serial/qcserial.c +++ b/drivers/usb/serial/qcserial.c @@ -159,6 +159,7 @@ static const struct usb_device_id id_table[] = { {DEVICE_SWI(0x1199, 0x9056)}, /* Sierra Wireless Modem */ {DEVICE_SWI(0x1199, 0x9060)}, /* Sierra Wireless Modem */ {DEVICE_SWI(0x1199, 0x9061)}, /* Sierra Wireless Modem */ + {DEVICE_SWI(0x1199, 0x9062)}, /* Sierra Wireless EM7305 QDL */ {DEVICE_SWI(0x1199, 0x9063)}, /* Sierra Wireless EM7305 */ {DEVICE_SWI(0x1199, 0x9070)}, /* Sierra Wireless MC74xx */ {DEVICE_SWI(0x1199, 0x9071)}, /* Sierra Wireless MC74xx */ From ec2cbe4b8abf949a16574ba81d8255e52980186c Mon Sep 17 00:00:00 2001 From: Roi Dayan Date: Thu, 6 Aug 2020 19:05:42 -0700 Subject: [PATCH 159/386] net/mlx5e: Don't support phys switch id if not in switchdev mode Support for phys switch id ndo added for representors and if we do not have representors there is no need to support it. Since each port return different switch id supporting this block support for creating bond over PFs and attaching to bridge in legacy mode. This bug doesn't exist upstream as the code got refactored and the netdev api is totally different. Fixes: cb67b832921c ("net/mlx5e: Introduce SRIOV VF representors") Signed-off-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c index e69674d38f16..a3107d133b40 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c @@ -180,7 +180,7 @@ int mlx5e_attr_get(struct net_device *dev, struct switchdev_attr *attr) struct mlx5_eswitch_rep *rep = rpriv->rep; struct mlx5_eswitch *esw = priv->mdev->priv.eswitch; - if (esw->mode == SRIOV_NONE) + if (esw->mode != SRIOV_OFFLOADS) return -EOPNOTSUPP; switch (attr->id) { From ad9db0326bc4516980b0f6fd85724561bca5e474 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 26 Jul 2020 11:49:39 +0200 Subject: [PATCH 160/386] USB: iowarrior: fix up report size handling for some devices commit 17a82716587e9d7c3b246a789add490b2b5dcab6 upstream. In previous patches that added support for new iowarrior devices, the handling of the report size was not done correct. Fix that up and update the copyright date for the driver Reworked from an original patch written by Christoph Jung. Fixes: bab5417f5f01 ("USB: misc: iowarrior: add support for the 100 device") Fixes: 5f6f8da2d7b5 ("USB: misc: iowarrior: add support for the 28 and 28L devices") Fixes: 461d8deb26a7 ("USB: misc: iowarrior: add support for 2 OEMed devices") Cc: stable Reported-by: Christoph Jung Link: https://lore.kernel.org/r/20200726094939.1268978-1-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/iowarrior.c | 35 +++++++++++++++++++++++++---------- 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c index 1ec32e5aa004..27e1ab9e1b07 100644 --- a/drivers/usb/misc/iowarrior.c +++ b/drivers/usb/misc/iowarrior.c @@ -1,8 +1,9 @@ /* * Native support for the I/O-Warrior USB devices * - * Copyright (c) 2003-2005 Code Mercenaries GmbH - * written by Christian Lucht + * Copyright (c) 2003-2005, 2020 Code Mercenaries GmbH + * written by Christian Lucht and + * Christoph Jung * * based on @@ -821,14 +822,28 @@ static int iowarrior_probe(struct usb_interface *interface, /* we have to check the report_size often, so remember it in the endianness suitable for our machine */ dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint); - if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) && - ((dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56) || - (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56AM) || - (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW28) || - (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW28L) || - (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW100))) - /* IOWarrior56 has wMaxPacketSize different from report size */ - dev->report_size = 7; + + /* + * Some devices need the report size to be different than the + * endpoint size. + */ + if (dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) { + switch (dev->product_id) { + case USB_DEVICE_ID_CODEMERCS_IOW56: + case USB_DEVICE_ID_CODEMERCS_IOW56AM: + dev->report_size = 7; + break; + + case USB_DEVICE_ID_CODEMERCS_IOW28: + case USB_DEVICE_ID_CODEMERCS_IOW28L: + dev->report_size = 4; + break; + + case USB_DEVICE_ID_CODEMERCS_IOW100: + dev->report_size = 13; + break; + } + } /* create the urb and buffer for reading */ dev->int_in_urb = usb_alloc_urb(0, GFP_KERNEL); From 5eed80ea8f60cc3935f46ec848fa1677b5e1a31a Mon Sep 17 00:00:00 2001 From: Forest Crossman Date: Mon, 27 Jul 2020 23:24:07 -0500 Subject: [PATCH 161/386] usb: xhci: define IDs for various ASMedia host controllers commit 1841cb255da41e87bed9573915891d056f80e2e7 upstream. Not all ASMedia host controllers have a device ID that matches its part number. #define some of these IDs to make it clearer at a glance which chips require what quirks. Acked-by: Mathias Nyman Signed-off-by: Forest Crossman Link: https://lore.kernel.org/r/20200728042408.180529-2-cyrozap@gmail.com Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/usb/host/xhci-pci.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c index d4e29039305b..ab1a1c4a43e6 100644 --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -59,7 +59,9 @@ #define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba #define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb #define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc +#define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042 #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142 +#define PCI_DEVICE_ID_ASMEDIA_2142_XHCI 0x2142 static const char hcd_name[] = "xhci_hcd"; @@ -230,13 +232,13 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) xhci->quirks |= XHCI_BROKEN_STREAMS; if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && - pdev->device == 0x1042) + pdev->device == PCI_DEVICE_ID_ASMEDIA_1042_XHCI) xhci->quirks |= XHCI_BROKEN_STREAMS; if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && - pdev->device == 0x1142) + pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI) xhci->quirks |= XHCI_TRUST_TX_LENGTH; if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && - pdev->device == 0x2142) + pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI) xhci->quirks |= XHCI_NO_64BIT_SUPPORT; if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && From c5021d4fa888ad248b4168947eb1e569de75fdb1 Mon Sep 17 00:00:00 2001 From: Forest Crossman Date: Mon, 27 Jul 2020 23:24:08 -0500 Subject: [PATCH 162/386] usb: xhci: Fix ASMedia ASM1142 DMA addressing commit ec37198acca7b4c17b96247697406e47aafe0605 upstream. I've confirmed that the ASMedia ASM1142 has the same problem as the ASM2142/ASM3142, in that it too reports that it supports 64-bit DMA addresses when in fact it does not. As with the ASM2142/ASM3142, this can cause problems on systems where the upper bits matter, and adding the XHCI_NO_64BIT_SUPPORT quirk completely fixes the issue. Acked-by: Mathias Nyman Signed-off-by: Forest Crossman Cc: stable Link: https://lore.kernel.org/r/20200728042408.180529-3-cyrozap@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/usb/host/xhci-pci.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c index ab1a1c4a43e6..72c3ba0824f7 100644 --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -61,6 +61,7 @@ #define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc #define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042 #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142 +#define PCI_DEVICE_ID_ASMEDIA_1142_XHCI 0x1242 #define PCI_DEVICE_ID_ASMEDIA_2142_XHCI 0x2142 static const char hcd_name[] = "xhci_hcd"; @@ -238,7 +239,8 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI) xhci->quirks |= XHCI_TRUST_TX_LENGTH; if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && - pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI) + (pdev->device == PCI_DEVICE_ID_ASMEDIA_1142_XHCI || + pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI)) xhci->quirks |= XHCI_NO_64BIT_SUPPORT; if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && From ccafbed8b2f6a9d9298534b39e76da9cb40ff717 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Tue, 4 Aug 2020 20:58:15 +0200 Subject: [PATCH 163/386] ALSA: seq: oss: Serialize ioctls commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream. Some ioctls via OSS sequencer API may race and lead to UAF when the port create and delete are performed concurrently, as spotted by a couple of syzkaller cases. This patch is an attempt to address it by serializing the ioctls with the existing register_mutex. Basically OSS sequencer API is an obsoleted interface and was designed without much consideration of the concurrency. There are very few applications with it, and the concurrent performance isn't asked, hence this "big hammer" approach should be good enough. Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com Suggested-by: Hillf Danton Cc: Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/core/seq/oss/seq_oss.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c index 8cdf489df80e..4b7897959913 100644 --- a/sound/core/seq/oss/seq_oss.c +++ b/sound/core/seq/oss/seq_oss.c @@ -181,10 +181,16 @@ static long odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct seq_oss_devinfo *dp; + long rc; + dp = file->private_data; if (snd_BUG_ON(!dp)) return -ENXIO; - return snd_seq_oss_ioctl(dp, cmd, arg); + + mutex_lock(®ister_mutex); + rc = snd_seq_oss_ioctl(dp, cmd, arg); + mutex_unlock(®ister_mutex); + return rc; } #ifdef CONFIG_COMPAT From 79c70607e5403d31d267e31a1a34e5334318326d Mon Sep 17 00:00:00 2001 From: Suren Baghdasaryan Date: Thu, 30 Jul 2020 12:26:32 -0700 Subject: [PATCH 164/386] staging: android: ashmem: Fix lockdep warning for write operation commit 3e338d3c95c735dc3265a86016bb4c022ec7cadc upstream. syzbot report [1] describes a deadlock when write operation against an ashmem fd executed at the time when ashmem is shrinking its cache results in the following lock sequence: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(fs_reclaim); lock(&sb->s_type->i_mutex_key#13); lock(fs_reclaim); lock(&sb->s_type->i_mutex_key#13); kswapd takes fs_reclaim and then inode_lock while generic_perform_write takes inode_lock and then fs_reclaim. However ashmem does not support writing into backing shmem with a write syscall. The only way to change its content is to mmap it and operate on mapped memory. Therefore the race that lockdep is warning about is not valid. Resolve this by introducing a separate lockdep class for the backing shmem inodes. [1]: https://lkml.kernel.org/lkml/0000000000000b5f9d059aa2037f@google.com/ Reported-by: syzbot+7a0d9d0b26efefe61780@syzkaller.appspotmail.com Signed-off-by: Suren Baghdasaryan Cc: stable Reviewed-by: Joel Fernandes (Google) Link: https://lore.kernel.org/r/20200730192632.3088194-1-surenb@google.com Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/ashmem.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c index 9481c0b23386..22cae548df49 100644 --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -100,6 +100,15 @@ static DEFINE_MUTEX(ashmem_mutex); static struct kmem_cache *ashmem_area_cachep __read_mostly; static struct kmem_cache *ashmem_range_cachep __read_mostly; +/* + * A separate lockdep class for the backing shmem inodes to resolve the lockdep + * warning about the race between kswapd taking fs_reclaim before inode_lock + * and write syscall taking inode_lock and then fs_reclaim. + * Note that such race is impossible because ashmem does not support write + * syscalls operating on the backing shmem. + */ +static struct lock_class_key backing_shmem_inode_class; + static inline unsigned long range_size(struct ashmem_range *range) { return range->pgend - range->pgstart + 1; @@ -406,6 +415,7 @@ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma) if (!asma->file) { char *name = ASHMEM_NAME_DEF; struct file *vmfile; + struct inode *inode; if (asma->name[ASHMEM_NAME_PREFIX_LEN] != '\0') name = asma->name; @@ -417,6 +427,8 @@ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma) goto out; } vmfile->f_mode |= FMODE_LSEEK; + inode = file_inode(vmfile); + lockdep_set_class(&inode->i_rwsem, &backing_shmem_inode_class); asma->file = vmfile; /* * override mmap operation of the vmfile so that it can't be From d91299b8382b129156708708d69876e753b9ade6 Mon Sep 17 00:00:00 2001 From: Peilin Ye Date: Fri, 10 Jul 2020 12:09:15 -0400 Subject: [PATCH 165/386] Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt() commit 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 upstream. Check upon `num_rsp` is insufficient. A malformed event packet with a large `num_rsp` number makes hci_extended_inquiry_result_evt() go out of bounds. Fix it. This patch fixes the following syzbot bug: https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2 Reported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Peilin Ye Acked-by: Greg Kroah-Hartman Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/hci_event.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 56e4ae7d7f63..b398272bc729 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -3826,7 +3826,7 @@ static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, BT_DBG("%s num_rsp %d", hdev->name, num_rsp); - if (!num_rsp) + if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) return; if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) From 8b0861f956f65f063662f9553a4dcad574a95b37 Mon Sep 17 00:00:00 2001 From: Peilin Ye Date: Fri, 10 Jul 2020 17:39:18 -0400 Subject: [PATCH 166/386] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt() commit 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a upstream. Check `num_rsp` before using it as for-loop counter. Cc: stable@vger.kernel.org Signed-off-by: Peilin Ye Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/hci_event.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index b398272bc729..975f73b58330 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -2094,7 +2094,7 @@ static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb) BT_DBG("%s num_rsp %d", hdev->name, num_rsp); - if (!num_rsp) + if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) return; if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) From 68bb9eddbf5da767131079325b2097341ab05dca Mon Sep 17 00:00:00 2001 From: Peilin Ye Date: Fri, 10 Jul 2020 17:45:26 -0400 Subject: [PATCH 167/386] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt() commit 629b49c848ee71244203934347bd7730b0ddee8d upstream. Check `num_rsp` before using it as for-loop counter. Add `unlock` label. Cc: stable@vger.kernel.org Signed-off-by: Peilin Ye Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/hci_event.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 975f73b58330..70b8e2de40cf 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -3623,6 +3623,9 @@ static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct inquiry_info_with_rssi_and_pscan_mode *info; info = (void *) (skb->data + 1); + if (skb->len < num_rsp * sizeof(*info) + 1) + goto unlock; + for (; num_rsp; num_rsp--, info++) { u32 flags; @@ -3644,6 +3647,9 @@ static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, } else { struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); + if (skb->len < num_rsp * sizeof(*info) + 1) + goto unlock; + for (; num_rsp; num_rsp--, info++) { u32 flags; @@ -3664,6 +3670,7 @@ static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, } } +unlock: hci_dev_unlock(hdev); } From 9a0cb0a6bc88bc4684d7b1e8e8fc3892bb921ed1 Mon Sep 17 00:00:00 2001 From: Adam Ford Date: Tue, 30 Jun 2020 13:26:36 -0500 Subject: [PATCH 168/386] omapfb: dss: Fix max fclk divider for omap36xx commit 254503a2b186caa668a188dbbd7ab0d25149c0a5 upstream. The drm/omap driver was fixed to correct an issue where using a divider of 32 breaks the DSS despite the TRM stating 32 is a valid number. Through experimentation, it appears that 31 works, and it is consistent with the value used by the drm/omap driver. This patch fixes the divider for fbdev driver instead of the drm. Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb") Cc: #4.5+ Signed-off-by: Adam Ford Reviewed-by: Tomi Valkeinen Cc: Dave Airlie Cc: Rob Clark [b.zolnierkie: mark patch as applicable to stable 4.5+ (was 4.9+)] Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20200630182636.439015-1-aford173@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/video/fbdev/omap2/omapfb/dss/dss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dss.c b/drivers/video/fbdev/omap2/omapfb/dss/dss.c index 48c6500c24e1..4429ad37b64c 100644 --- a/drivers/video/fbdev/omap2/omapfb/dss/dss.c +++ b/drivers/video/fbdev/omap2/omapfb/dss/dss.c @@ -843,7 +843,7 @@ static const struct dss_features omap34xx_dss_feats = { }; static const struct dss_features omap3630_dss_feats = { - .fck_div_max = 32, + .fck_div_max = 31, .dss_fck_multiplier = 1, .parent_clk_name = "dpll4_ck", .dpi_select_source = &dss_dpi_select_source_omap2_omap3, From f40f289b96bf856e1613f17bf9426140e8b89393 Mon Sep 17 00:00:00 2001 From: Jann Horn Date: Mon, 27 Jul 2020 14:04:24 +0200 Subject: [PATCH 169/386] binder: Prevent context manager from incrementing ref 0 commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc upstream. Binder is designed such that a binder_proc never has references to itself. If this rule is violated, memory corruption can occur when a process sends a transaction to itself; see e.g. . There is a remaining edgecase through which such a transaction-to-self can still occur from the context of a task with BINDER_SET_CONTEXT_MGR access: - task A opens /dev/binder twice, creating binder_proc instances P1 and P2 - P1 becomes context manager - P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its handle table - P1 dies (by closing the /dev/binder fd and waiting a bit) - P2 becomes context manager - P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its handle table [this triggers a warning: "binder: 1974:1974 tried to acquire reference to desc 0, got 1 instead"] - task B opens /dev/binder once, creating binder_proc instance P3 - P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way transaction) - P2 receives the handle and uses it to call P3 (two-way transaction) - P3 calls P2 (via magic handle 0) (two-way transaction) - P2 calls P2 (via handle 1) (two-way transaction) And then, if P2 does *NOT* accept the incoming transaction work, but instead closes the binder fd, we get a crash. Solve it by preventing the context manager from using ACQUIRE on ref 0. There shouldn't be any legitimate reason for the context manager to do that. Additionally, print a warning if someone manages to find another way to trigger a transaction-to-self bug in the future. Cc: stable@vger.kernel.org Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") Acked-by: Todd Kjos Signed-off-by: Jann Horn Reviewed-by: Martijn Coenen Link: https://lore.kernel.org/r/20200727120424.1627555-1-jannh@google.com Signed-off-by: Greg Kroah-Hartman --- drivers/android/binder.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 05e75d18b4d9..bd74a29cf86c 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2813,6 +2813,12 @@ static void binder_transaction(struct binder_proc *proc, goto err_dead_binder; } e->to_node = target_node->debug_id; + if (WARN_ON(proc == target_proc)) { + return_error = BR_FAILED_REPLY; + return_error_param = -EINVAL; + return_error_line = __LINE__; + goto err_invalid_target_handle; + } if (security_binder_transaction(proc->tsk, target_proc->tsk) < 0) { return_error = BR_FAILED_REPLY; @@ -3288,10 +3294,17 @@ static int binder_thread_write(struct binder_proc *proc, struct binder_node *ctx_mgr_node; mutex_lock(&context->context_mgr_node_lock); ctx_mgr_node = context->binder_context_mgr_node; - if (ctx_mgr_node) + if (ctx_mgr_node) { + if (ctx_mgr_node->proc == proc) { + binder_user_error("%d:%d context manager tried to acquire desc 0\n", + proc->pid, thread->pid); + mutex_unlock(&context->context_mgr_node_lock); + return -EINVAL; + } ret = binder_inc_ref_for_node( proc, ctx_mgr_node, strong, NULL, &rdata); + } mutex_unlock(&context->context_mgr_node_lock); } if (ret) From 041a5a238a1e31992b5f22ef4f9792729d3b46ca Mon Sep 17 00:00:00 2001 From: Yunhai Zhang Date: Tue, 28 Jul 2020 09:58:03 +0800 Subject: [PATCH 170/386] vgacon: Fix for missing check in scrollback handling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d upstream. vgacon_scrollback_update() always leaves enbough room in the scrollback buffer for the next call, but if the console size changed that room might not actually be enough, and so we need to re-check. The check should be in the loop since vgacon_scrollback_cur->tail is updated in the loop and count may be more than 1 when triggered by CSI M, as Jiri's PoC: #include #include #include #include #include #include #include int main(int argc, char** argv) { int fd = open("/dev/tty1", O_RDWR); unsigned short size[3] = {25, 200, 0}; ioctl(fd, 0x5609, size); // VT_RESIZE write(fd, "\e[1;1H", 6); for (int i = 0; i < 30; i++) write(fd, "\e[10M", 5); } It leads to various crashes as vgacon_scrollback_update writes out of the buffer: BUG: unable to handle page fault for address: ffffc900001752a0 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page RIP: 0010:mutex_unlock+0x13/0x30 ... Call Trace: n_tty_write+0x1a0/0x4d0 tty_write+0x1a0/0x2e0 Or to KASAN reports: BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed This fixes CVE-2020-14331. Reported-by: 张云海 Reported-by: Yang Yingliang Reported-by: Kyungtae Kim Fixes: 15bdab959c9b ([PATCH] vgacon: Add support for soft scrollback) Cc: stable@vger.kernel.org Cc: linux-fbdev@vger.kernel.org Cc: Linus Torvalds Cc: Solar Designer Cc: "Srivatsa S. Bhat" Cc: Anthony Liguori Cc: Yang Yingliang Cc: Bartlomiej Zolnierkiewicz Cc: Jiri Slaby Signed-off-by: Yunhai Zhang Link: https://lore.kernel.org/r/9fb43895-ca91-9b07-ebfd-808cf854ca95@nsfocus.com Signed-off-by: Greg Kroah-Hartman --- drivers/video/console/vgacon.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c index ff6612a3ddc8..8f061c18e115 100644 --- a/drivers/video/console/vgacon.c +++ b/drivers/video/console/vgacon.c @@ -246,6 +246,10 @@ static void vgacon_scrollback_update(struct vc_data *c, int t, int count) p = (void *) (c->vc_origin + t * c->vc_size_row); while (count--) { + if ((vgacon_scrollback_cur->tail + c->vc_size_row) > + vgacon_scrollback_cur->size) + vgacon_scrollback_cur->tail = 0; + scr_memcpyw(vgacon_scrollback_cur->data + vgacon_scrollback_cur->tail, p, c->vc_size_row); From 389c74c218d3b182e9cd767e98cee0e0fd0dabaa Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 16 Jul 2020 13:53:46 +0200 Subject: [PATCH 171/386] mtd: properly check all write ioctls for permissions commit f7e6b19bc76471ba03725fe58e0c218a3d6266c3 upstream. When doing a "write" ioctl call, properly check that we have permissions to do so before copying anything from userspace or anything else so we can "fail fast". This includes also covering the MEMWRITE ioctl which previously missed checking for this. Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: stable Signed-off-by: Greg Kroah-Hartman [rw: Fixed locking issue] Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman --- drivers/mtd/mtdchar.c | 56 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 47 insertions(+), 9 deletions(-) diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index fa4d12217652..18dd333f2d40 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -372,9 +372,6 @@ static int mtdchar_writeoob(struct file *file, struct mtd_info *mtd, uint32_t retlen; int ret = 0; - if (!(file->f_mode & FMODE_WRITE)) - return -EPERM; - if (length > 4096) return -EINVAL; @@ -681,6 +678,48 @@ static int mtdchar_ioctl(struct file *file, u_int cmd, u_long arg) return -EFAULT; } + /* + * Check the file mode to require "dangerous" commands to have write + * permissions. + */ + switch (cmd) { + /* "safe" commands */ + case MEMGETREGIONCOUNT: + case MEMGETREGIONINFO: + case MEMGETINFO: + case MEMREADOOB: + case MEMREADOOB64: + case MEMLOCK: + case MEMUNLOCK: + case MEMISLOCKED: + case MEMGETOOBSEL: + case MEMGETBADBLOCK: + case MEMSETBADBLOCK: + case OTPSELECT: + case OTPGETREGIONCOUNT: + case OTPGETREGIONINFO: + case OTPLOCK: + case ECCGETLAYOUT: + case ECCGETSTATS: + case MTDFILEMODE: + case BLKPG: + case BLKRRPART: + break; + + /* "dangerous" commands */ + case MEMERASE: + case MEMERASE64: + case MEMWRITEOOB: + case MEMWRITEOOB64: + case MEMWRITE: + if (!(file->f_mode & FMODE_WRITE)) + return -EPERM; + break; + + default: + return -ENOTTY; + } + switch (cmd) { case MEMGETREGIONCOUNT: if (copy_to_user(argp, &(mtd->numeraseregions), sizeof(int))) @@ -728,9 +767,6 @@ static int mtdchar_ioctl(struct file *file, u_int cmd, u_long arg) { struct erase_info *erase; - if(!(file->f_mode & FMODE_WRITE)) - return -EPERM; - erase=kzalloc(sizeof(struct erase_info),GFP_KERNEL); if (!erase) ret = -ENOMEM; @@ -1051,9 +1087,6 @@ static int mtdchar_ioctl(struct file *file, u_int cmd, u_long arg) ret = 0; break; } - - default: - ret = -ENOTTY; } return ret; @@ -1097,6 +1130,11 @@ static long mtdchar_compat_ioctl(struct file *file, unsigned int cmd, struct mtd_oob_buf32 buf; struct mtd_oob_buf32 __user *buf_user = argp; + if (!(file->f_mode & FMODE_WRITE)) { + ret = -EPERM; + break; + } + if (copy_from_user(&buf, argp, sizeof(buf))) ret = -EFAULT; else From dbe4aa36c940dc309133e5d10a5771f3d0bf2d28 Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Mon, 1 Jun 2020 15:39:49 +0200 Subject: [PATCH 172/386] leds: wm831x-status: fix use-after-free on unbind commit 47a459ecc800a17109d0c496a4e21e478806ee40 upstream. Several MFD child drivers register their class devices directly under the parent device. This means you cannot blindly do devres conversions so that deregistration ends up being tied to the parent device, something which leads to use-after-free on driver unbind when the class device is released while still being registered. Fixes: 8d3b6a4001ce ("leds: wm831x-status: Use devm_led_classdev_register") Cc: stable # 4.6 Cc: Amitoj Kaur Chawla Signed-off-by: Johan Hovold Signed-off-by: Pavel Machek Signed-off-by: Greg Kroah-Hartman --- drivers/leds/leds-wm831x-status.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/leds/leds-wm831x-status.c b/drivers/leds/leds-wm831x-status.c index be93b20e792a..4f0ba19c3577 100644 --- a/drivers/leds/leds-wm831x-status.c +++ b/drivers/leds/leds-wm831x-status.c @@ -283,12 +283,23 @@ static int wm831x_status_probe(struct platform_device *pdev) drvdata->cdev.blink_set = wm831x_status_blink_set; drvdata->cdev.groups = wm831x_status_groups; - ret = devm_led_classdev_register(wm831x->dev, &drvdata->cdev); + ret = led_classdev_register(wm831x->dev, &drvdata->cdev); if (ret < 0) { dev_err(&pdev->dev, "Failed to register LED: %d\n", ret); return ret; } + platform_set_drvdata(pdev, drvdata); + + return 0; +} + +static int wm831x_status_remove(struct platform_device *pdev) +{ + struct wm831x_status *drvdata = platform_get_drvdata(pdev); + + led_classdev_unregister(&drvdata->cdev); + return 0; } @@ -297,6 +308,7 @@ static struct platform_driver wm831x_status_driver = { .name = "wm831x-status", }, .probe = wm831x_status_probe, + .remove = wm831x_status_remove, }; module_platform_driver(wm831x_status_driver); From 1452c5ffe79f34ded327310a84a67d653a00e68e Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Mon, 1 Jun 2020 15:39:46 +0200 Subject: [PATCH 173/386] leds: da903x: fix use-after-free on unbind commit 6f4aa35744f69ed9b0bf5a736c9ca9b44bc1dcea upstream. Several MFD child drivers register their class devices directly under the parent device. This means you cannot blindly do devres conversions so that deregistration ends up being tied to the parent device, something which leads to use-after-free on driver unbind when the class device is released while still being registered. Fixes: eed16255d66b ("leds: da903x: Use devm_led_classdev_register") Cc: stable # 4.6 Cc: Amitoj Kaur Chawla Signed-off-by: Johan Hovold Signed-off-by: Pavel Machek Signed-off-by: Greg Kroah-Hartman --- drivers/leds/leds-da903x.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/leds/leds-da903x.c b/drivers/leds/leds-da903x.c index 5ff7d72f73aa..ecc265bb69a0 100644 --- a/drivers/leds/leds-da903x.c +++ b/drivers/leds/leds-da903x.c @@ -113,12 +113,23 @@ static int da903x_led_probe(struct platform_device *pdev) led->flags = pdata->flags; led->master = pdev->dev.parent; - ret = devm_led_classdev_register(led->master, &led->cdev); + ret = led_classdev_register(led->master, &led->cdev); if (ret) { dev_err(&pdev->dev, "failed to register LED %d\n", id); return ret; } + platform_set_drvdata(pdev, led); + + return 0; +} + +static int da903x_led_remove(struct platform_device *pdev) +{ + struct da903x_led *led = platform_get_drvdata(pdev); + + led_classdev_unregister(&led->cdev); + return 0; } @@ -127,6 +138,7 @@ static struct platform_driver da903x_led_driver = { .name = "da903x-led", }, .probe = da903x_led_probe, + .remove = da903x_led_remove, }; module_platform_driver(da903x_led_driver); From 661926601c318c4cf30272ac93ed2bf1c80ff778 Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Mon, 1 Jun 2020 15:39:47 +0200 Subject: [PATCH 174/386] leds: lm3533: fix use-after-free on unbind commit d584221e683bbd173738603b83a315f27d27d043 upstream. Several MFD child drivers register their class devices directly under the parent device. This means you cannot blindly do devres conversions so that deregistration ends up being tied to the parent device, something which leads to use-after-free on driver unbind when the class device is released while still being registered. Fixes: 50154e29e5cc ("leds: lm3533: Use devm_led_classdev_register") Cc: stable # 4.6 Cc: Amitoj Kaur Chawla Signed-off-by: Johan Hovold Signed-off-by: Pavel Machek Signed-off-by: Greg Kroah-Hartman --- drivers/leds/leds-lm3533.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/leds/leds-lm3533.c b/drivers/leds/leds-lm3533.c index 72224b599ffc..c1e562a4d6ad 100644 --- a/drivers/leds/leds-lm3533.c +++ b/drivers/leds/leds-lm3533.c @@ -698,7 +698,7 @@ static int lm3533_led_probe(struct platform_device *pdev) platform_set_drvdata(pdev, led); - ret = devm_led_classdev_register(pdev->dev.parent, &led->cdev); + ret = led_classdev_register(pdev->dev.parent, &led->cdev); if (ret) { dev_err(&pdev->dev, "failed to register LED %d\n", pdev->id); return ret; @@ -708,13 +708,18 @@ static int lm3533_led_probe(struct platform_device *pdev) ret = lm3533_led_setup(led, pdata); if (ret) - return ret; + goto err_deregister; ret = lm3533_ctrlbank_enable(&led->cb); if (ret) - return ret; + goto err_deregister; return 0; + +err_deregister: + led_classdev_unregister(&led->cdev); + + return ret; } static int lm3533_led_remove(struct platform_device *pdev) @@ -724,6 +729,7 @@ static int lm3533_led_remove(struct platform_device *pdev) dev_dbg(&pdev->dev, "%s\n", __func__); lm3533_ctrlbank_disable(&led->cb); + led_classdev_unregister(&led->cdev); return 0; } From efe1c042fa521dcce374ca23560480ff6927a58e Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Mon, 1 Jun 2020 15:39:45 +0200 Subject: [PATCH 175/386] leds: 88pm860x: fix use-after-free on unbind commit eca21c2d8655387823d695b26e6fe78cf3975c05 upstream. Several MFD child drivers register their class devices directly under the parent device. This means you cannot blindly do devres conversions so that deregistration ends up being tied to the parent device, something which leads to use-after-free on driver unbind when the class device is released while still being registered. Fixes: 375446df95ee ("leds: 88pm860x: Use devm_led_classdev_register") Cc: stable # 4.6 Cc: Amitoj Kaur Chawla Signed-off-by: Johan Hovold Signed-off-by: Pavel Machek Signed-off-by: Greg Kroah-Hartman --- drivers/leds/leds-88pm860x.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/leds/leds-88pm860x.c b/drivers/leds/leds-88pm860x.c index 77a104d2b124..13f414ff6fd0 100644 --- a/drivers/leds/leds-88pm860x.c +++ b/drivers/leds/leds-88pm860x.c @@ -207,21 +207,33 @@ static int pm860x_led_probe(struct platform_device *pdev) data->cdev.brightness_set_blocking = pm860x_led_set; mutex_init(&data->lock); - ret = devm_led_classdev_register(chip->dev, &data->cdev); + ret = led_classdev_register(chip->dev, &data->cdev); if (ret < 0) { dev_err(&pdev->dev, "Failed to register LED: %d\n", ret); return ret; } pm860x_led_set(&data->cdev, 0); + + platform_set_drvdata(pdev, data); + return 0; } +static int pm860x_led_remove(struct platform_device *pdev) +{ + struct pm860x_led *data = platform_get_drvdata(pdev); + + led_classdev_unregister(&data->cdev); + + return 0; +} static struct platform_driver pm860x_led_driver = { .driver = { .name = "88pm860x-led", }, .probe = pm860x_led_probe, + .remove = pm860x_led_remove, }; module_platform_driver(pm860x_led_driver); From e48afaff38159b7ca000bb9f00dcf1d0b277264d Mon Sep 17 00:00:00 2001 From: Christoph Hellwig Date: Fri, 10 Jul 2020 10:57:22 +0200 Subject: [PATCH 176/386] net/9p: validate fds in p9_fd_open [ Upstream commit a39c46067c845a8a2d7144836e9468b7f072343e ] p9_fd_open just fgets file descriptors passed in from userspace, but doesn't verify that they are valid for read or writing. This gets cought down in the VFS when actually attempting a read or write, but a new warning added in linux-next upsets syzcaller. Fix this by just verifying the fds early on. Link: http://lkml.kernel.org/r/20200710085722.435850-1-hch@lst.de Reported-by: syzbot+e6f77e16ff68b2434a2c@syzkaller.appspotmail.com Signed-off-by: Christoph Hellwig [Dominique: amend goto as per Doug Nazar's review] Signed-off-by: Dominique Martinet Signed-off-by: Sasha Levin --- net/9p/trans_fd.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index 32de8afbfbf8..9f020559c192 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -829,20 +829,28 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd) return -ENOMEM; ts->rd = fget(rfd); + if (!ts->rd) + goto out_free_ts; + if (!(ts->rd->f_mode & FMODE_READ)) + goto out_put_rd; ts->wr = fget(wfd); - if (!ts->rd || !ts->wr) { - if (ts->rd) - fput(ts->rd); - if (ts->wr) - fput(ts->wr); - kfree(ts); - return -EIO; - } + if (!ts->wr) + goto out_put_rd; + if (!(ts->wr->f_mode & FMODE_WRITE)) + goto out_put_wr; client->trans = ts; client->status = Connected; return 0; + +out_put_wr: + fput(ts->wr); +out_put_rd: + fput(ts->rd); +out_free_ts: + kfree(ts); + return -EIO; } static int p9_socket_open(struct p9_client *client, struct socket *csocket) From 3793c4c127e34d1fded7e64158c1795b7f7d1983 Mon Sep 17 00:00:00 2001 From: Ben Skeggs Date: Fri, 24 Jul 2020 17:01:39 +1000 Subject: [PATCH 177/386] drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason [ Upstream commit 498595abf5bd51f0ae074cec565d888778ea558f ] Stale pointer was tripping up the unload path. Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin --- drivers/gpu/drm/nouveau/nouveau_fbcon.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c index 2b12d82aac15..ee8f744dc488 100644 --- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c +++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c @@ -543,6 +543,7 @@ fini: drm_fb_helper_fini(&fbcon->helper); free: kfree(fbcon); + drm->fbcon = NULL; return ret; } From 1a284881b0e66537a185973d72a54c5e7b4df47f Mon Sep 17 00:00:00 2001 From: Ben Skeggs Date: Fri, 24 Jul 2020 17:02:48 +1000 Subject: [PATCH 178/386] drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure [ Upstream commit 15fbc3b938534cc8eaac584a7b0c1183fc968b86 ] This is tripping up the format modifier patches. Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin --- drivers/gpu/drm/nouveau/nouveau_fbcon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c index ee8f744dc488..9ffb09679cc4 100644 --- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c +++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c @@ -310,7 +310,7 @@ nouveau_fbcon_create(struct drm_fb_helper *helper, struct nouveau_framebuffer *fb; struct nouveau_channel *chan; struct nouveau_bo *nvbo; - struct drm_mode_fb_cmd2 mode_cmd; + struct drm_mode_fb_cmd2 mode_cmd = {}; int ret; mode_cmd.width = sizes->surface_width; From fb49251695b1e735860b5fd953d691f6cf817873 Mon Sep 17 00:00:00 2001 From: Wolfram Sang Date: Sat, 25 Jul 2020 21:50:52 +0200 Subject: [PATCH 179/386] i2c: slave: improve sanity check when registering [ Upstream commit 1b1be3bf27b62f5abcf85c6f3214bdb9c7526685 ] Add check for ERR_PTR and simplify code while here. Signed-off-by: Wolfram Sang Reviewed-by: Alain Volmat Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin --- drivers/i2c/i2c-core-slave.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/i2c/i2c-core-slave.c b/drivers/i2c/i2c-core-slave.c index 4a78c65e9971..21051aba39e3 100644 --- a/drivers/i2c/i2c-core-slave.c +++ b/drivers/i2c/i2c-core-slave.c @@ -22,10 +22,8 @@ int i2c_slave_register(struct i2c_client *client, i2c_slave_cb_t slave_cb) { int ret; - if (!client || !slave_cb) { - WARN(1, "insufficient data\n"); + if (WARN(IS_ERR_OR_NULL(client) || !slave_cb, "insufficient data\n")) return -EINVAL; - } if (!(client->flags & I2C_CLIENT_SLAVE)) dev_warn(&client->dev, "%s: client slave flag not set. You might see address collisions\n", From 59822dace1c9258c22ebf16adb1b49a6eff0bdf2 Mon Sep 17 00:00:00 2001 From: Wolfram Sang Date: Sat, 25 Jul 2020 21:50:53 +0200 Subject: [PATCH 180/386] i2c: slave: add sanity check when unregistering [ Upstream commit 8808981baf96e1b3dea1f08461e4d958aa0dbde1 ] Signed-off-by: Wolfram Sang Reviewed-by: Alain Volmat Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin --- drivers/i2c/i2c-core-slave.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/i2c/i2c-core-slave.c b/drivers/i2c/i2c-core-slave.c index 21051aba39e3..d89bc31e0622 100644 --- a/drivers/i2c/i2c-core-slave.c +++ b/drivers/i2c/i2c-core-slave.c @@ -62,6 +62,9 @@ int i2c_slave_unregister(struct i2c_client *client) { int ret; + if (IS_ERR_OR_NULL(client)) + return -EINVAL; + if (!client->adapter->algo->unreg_slave) { dev_err(&client->dev, "%s: not supported by adapter\n", __func__); return -EOPNOTSUPP; From df1a89577ebbb6165f3f1d9e1da84fda80dd7e01 Mon Sep 17 00:00:00 2001 From: Julian Squires Date: Mon, 6 Jul 2020 17:13:53 -0400 Subject: [PATCH 181/386] cfg80211: check vendor command doit pointer before use [ Upstream commit 4052d3d2e8f47a15053320bbcbe365d15610437d ] In the case where a vendor command does not implement doit, and has no flags set, doit would not be validated and a NULL pointer dereference would occur, for example when invoking the vendor command via iw. I encountered this while developing new vendor commands. Perhaps in practice it is advisable to always implement doit along with dumpit, but it seems reasonable to me to always check doit anyway, not just when NEED_WDEV. Signed-off-by: Julian Squires Link: https://lore.kernel.org/r/20200706211353.2366470-1-julian@cipht.net Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin --- net/wireless/nl80211.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index d0b75781e6f7..9be7ee322093 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -11859,13 +11859,13 @@ static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info) if (!wdev_running(wdev)) return -ENETDOWN; } - - if (!vcmd->doit) - return -EOPNOTSUPP; } else { wdev = NULL; } + if (!vcmd->doit) + return -EOPNOTSUPP; + if (info->attrs[NL80211_ATTR_VENDOR_DATA]) { data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]); len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]); From ccc98c7861e20035025b5db05a9bb302c8e385eb Mon Sep 17 00:00:00 2001 From: Francesco Ruggeri Date: Thu, 2 Jul 2020 15:39:06 -0700 Subject: [PATCH 182/386] igb: reinit_locked() should be called with rtnl_lock [ Upstream commit 024a8168b749db7a4aa40a5fbdfa04bf7e77c1c0 ] We observed two panics involving races with igb_reset_task. The first panic is caused by this race condition: kworker reboot -f igb_reset_task igb_reinit_locked igb_down napi_synchronize __igb_shutdown igb_clear_interrupt_scheme igb_free_q_vectors igb_free_q_vector adapter->q_vector[v_idx] = NULL; napi_disable Panics trying to access adapter->q_vector[v_idx].napi_state The second panic (a divide error) is caused by this race: kworker reboot -f tx packet igb_reset_task __igb_shutdown rtnl_lock() ... igb_clear_interrupt_scheme igb_free_q_vectors adapter->num_tx_queues = 0 ... rtnl_unlock() rtnl_lock() igb_reinit_locked igb_down igb_up netif_tx_start_all_queues dev_hard_start_xmit igb_xmit_frame igb_tx_queue_mapping Panics on r_idx % adapter->num_tx_queues This commit applies to igb_reset_task the same changes that were applied to ixgbe in commit 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver"), commit 8f4c5c9fb87a ("ixgbe: reinit_locked() should be called with rtnl_lock") and commit 88adce4ea8f9 ("ixgbe: fix possible race in reset subtask"). Signed-off-by: Francesco Ruggeri Tested-by: Aaron Brown Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin --- drivers/net/ethernet/intel/igb/igb_main.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c index 9c7e75b3b6c7..50fa0401c701 100644 --- a/drivers/net/ethernet/intel/igb/igb_main.c +++ b/drivers/net/ethernet/intel/igb/igb_main.c @@ -5487,9 +5487,18 @@ static void igb_reset_task(struct work_struct *work) struct igb_adapter *adapter; adapter = container_of(work, struct igb_adapter, reset_task); + rtnl_lock(); + /* If we're already down or resetting, just bail */ + if (test_bit(__IGB_DOWN, &adapter->state) || + test_bit(__IGB_RESETTING, &adapter->state)) { + rtnl_unlock(); + return; + } + igb_dump(adapter); netdev_err(adapter->netdev, "Reset adapter\n"); igb_reinit_locked(adapter); + rtnl_unlock(); } /** From 55939b710b1e35869af18983039559d04af3e0aa Mon Sep 17 00:00:00 2001 From: Xin Xiong Date: Wed, 29 Jul 2020 21:06:59 +0800 Subject: [PATCH 183/386] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent [ Upstream commit 51875dad43b44241b46a569493f1e4bfa0386d86 ] atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a reference of atm_dev with increased refcount or NULL if fails. The refcount leaks issues occur in two error handling paths. If dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function returns 0 without decreasing the refcount kept by a local variable, resulting in refcount leaks. Fix the issue by adding atm_dev_put() before returning 0 both when dev_data->persist is zero or PRIV(dev)->vcc isn't NULL. Signed-off-by: Xin Xiong Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/atm/atmtcp.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c index afebeb1c3e1e..723bad1201cc 100644 --- a/drivers/atm/atmtcp.c +++ b/drivers/atm/atmtcp.c @@ -432,9 +432,15 @@ static int atmtcp_remove_persistent(int itf) return -EMEDIUMTYPE; } dev_data = PRIV(dev); - if (!dev_data->persist) return 0; + if (!dev_data->persist) { + atm_dev_put(dev); + return 0; + } dev_data->persist = 0; - if (PRIV(dev)->vcc) return 0; + if (PRIV(dev)->vcc) { + atm_dev_put(dev); + return 0; + } kfree(dev_data); atm_dev_put(dev); atm_dev_deregister(dev); From bbeab31912b7118e2238c2dd5eab7d10cdcd7d98 Mon Sep 17 00:00:00 2001 From: Philippe Duplessis-Guindon Date: Thu, 30 Jul 2020 11:02:36 -0400 Subject: [PATCH 184/386] tools lib traceevent: Fix memory leak in process_dynamic_array_len [ Upstream commit e24c6447ccb7b1a01f9bf0aec94939e6450c0b4d ] I compiled with AddressSanitizer and I had these memory leaks while I was using the tep_parse_format function: Direct leak of 28 byte(s) in 4 object(s) allocated from: #0 0x7fb07db49ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe) #1 0x7fb07a724228 in extend_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:985 #2 0x7fb07a724c21 in __read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1140 #3 0x7fb07a724f78 in read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1206 #4 0x7fb07a725191 in __read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1291 #5 0x7fb07a7251df in read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1299 #6 0x7fb07a72e6c8 in process_dynamic_array_len /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:2849 #7 0x7fb07a7304b8 in process_function /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3161 #8 0x7fb07a730900 in process_arg_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3207 #9 0x7fb07a727c0b in process_arg /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1786 #10 0x7fb07a731080 in event_read_print_args /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3285 #11 0x7fb07a731722 in event_read_print /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3369 #12 0x7fb07a740054 in __tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6335 #13 0x7fb07a74047a in __parse_event /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6389 #14 0x7fb07a740536 in tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6431 #15 0x7fb07a785acf in parse_event ../../../src/fs-src/fs.c:251 #16 0x7fb07a785ccd in parse_systems ../../../src/fs-src/fs.c:284 #17 0x7fb07a786fb3 in read_metadata ../../../src/fs-src/fs.c:593 #18 0x7fb07a78760e in ftrace_fs_source_init ../../../src/fs-src/fs.c:727 #19 0x7fb07d90c19c in add_component_with_init_method_data ../../../../src/lib/graph/graph.c:1048 #20 0x7fb07d90c87b in add_source_component_with_initialize_method_data ../../../../src/lib/graph/graph.c:1127 #21 0x7fb07d90c92a in bt_graph_add_source_component ../../../../src/lib/graph/graph.c:1152 #22 0x55db11aa632e in cmd_run_ctx_create_components_from_config_components ../../../src/cli/babeltrace2.c:2252 #23 0x55db11aa6fda in cmd_run_ctx_create_components ../../../src/cli/babeltrace2.c:2347 #24 0x55db11aa780c in cmd_run ../../../src/cli/babeltrace2.c:2461 #25 0x55db11aa8a7d in main ../../../src/cli/babeltrace2.c:2673 #26 0x7fb07d5460b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) The token variable in the process_dynamic_array_len function is allocated in the read_expect_type function, but is not freed before calling the read_token function. Free the token variable before calling read_token in order to plug the leak. Signed-off-by: Philippe Duplessis-Guindon Reviewed-by: Steven Rostedt (VMware) Link: https://lore.kernel.org/linux-trace-devel/20200730150236.5392-1-pduplessis@efficios.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin --- tools/lib/traceevent/event-parse.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c index 8211e8010e09..d260ca680f07 100644 --- a/tools/lib/traceevent/event-parse.c +++ b/tools/lib/traceevent/event-parse.c @@ -2780,6 +2780,7 @@ process_dynamic_array_len(struct event_format *event, struct print_arg *arg, if (read_expected(EVENT_DELIM, ")") < 0) goto out_err; + free_token(token); type = read_token(&token); *tok = token; From 152983b40ccd8a3b6acb1948c87b7fba2edf8707 Mon Sep 17 00:00:00 2001 From: Dexuan Cui Date: Sun, 19 Jan 2020 15:29:22 -0800 Subject: [PATCH 185/386] Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23) [ Upstream commit ddc9d357b991838c2d975e8d7e4e9db26f37a7ff ] When a Linux hv_sock app tries to connect to a Service GUID on which no host app is listening, a recent host (RS3+) sends a CHANNELMSG_TL_CONNECT_RESULT (23) message to Linux and this triggers such a warning: unknown msgtype=23 WARNING: CPU: 2 PID: 0 at drivers/hv/vmbus_drv.c:1031 vmbus_on_msg_dpc Actually Linux can safely ignore the message because the Linux app's connect() will time out in 2 seconds: see VSOCK_DEFAULT_CONNECT_TIMEOUT and vsock_stream_connect(). We don't bother to make use of the message because: 1) it's only supported on recent hosts; 2) a non-trivial effort is required to use the message in Linux, but the benefit is small. So, let's not see the warning by silently ignoring the message. Signed-off-by: Dexuan Cui Reviewed-by: Michael Kelley Signed-off-by: Sasha Levin --- drivers/hv/channel_mgmt.c | 21 +++++++-------------- drivers/hv/vmbus_drv.c | 4 ++++ include/linux/hyperv.h | 2 ++ 3 files changed, 13 insertions(+), 14 deletions(-) diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c index 43eaf54736f4..462f7f363faa 100644 --- a/drivers/hv/channel_mgmt.c +++ b/drivers/hv/channel_mgmt.c @@ -1228,6 +1228,8 @@ channel_message_table[CHANNELMSG_COUNT] = { { CHANNELMSG_19, 0, NULL }, { CHANNELMSG_20, 0, NULL }, { CHANNELMSG_TL_CONNECT_REQUEST, 0, NULL }, + { CHANNELMSG_22, 0, NULL }, + { CHANNELMSG_TL_CONNECT_RESULT, 0, NULL }, }; /* @@ -1239,23 +1241,14 @@ void vmbus_onmessage(void *context) { struct hv_message *msg = context; struct vmbus_channel_message_header *hdr; - int size; hdr = (struct vmbus_channel_message_header *)msg->u.payload; - size = msg->header.payload_size; - if (hdr->msgtype >= CHANNELMSG_COUNT) { - pr_err("Received invalid channel message type %d size %d\n", - hdr->msgtype, size); - print_hex_dump_bytes("", DUMP_PREFIX_NONE, - (unsigned char *)msg->u.payload, size); - return; - } - - if (channel_message_table[hdr->msgtype].message_handler) - channel_message_table[hdr->msgtype].message_handler(hdr); - else - pr_err("Unhandled channel message type %d\n", hdr->msgtype); + /* + * vmbus_on_msg_dpc() makes sure the hdr->msgtype here can not go + * out of bound and the message_handler pointer can not be NULL. + */ + channel_message_table[hdr->msgtype].message_handler(hdr); } /* diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c index 1fd812ed679b..45b8ccdfb085 100644 --- a/drivers/hv/vmbus_drv.c +++ b/drivers/hv/vmbus_drv.c @@ -890,6 +890,10 @@ void vmbus_on_msg_dpc(unsigned long data) } entry = &channel_message_table[hdr->msgtype]; + + if (!entry->message_handler) + goto msg_handled; + if (entry->handler_type == VMHT_BLOCKING) { ctx = kmalloc(sizeof(*ctx), GFP_ATOMIC); if (ctx == NULL) diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h index 8d3ca6da3342..63cd81e5610d 100644 --- a/include/linux/hyperv.h +++ b/include/linux/hyperv.h @@ -422,6 +422,8 @@ enum vmbus_channel_message_type { CHANNELMSG_19 = 19, CHANNELMSG_20 = 20, CHANNELMSG_TL_CONNECT_REQUEST = 21, + CHANNELMSG_22 = 22, + CHANNELMSG_TL_CONNECT_RESULT = 23, CHANNELMSG_COUNT }; From 89f95b8cff15cbf1ef71602da0f6c0465c6d9e73 Mon Sep 17 00:00:00 2001 From: Frank van der Linden Date: Tue, 23 Jun 2020 22:39:18 +0000 Subject: [PATCH 186/386] xattr: break delegations in {set,remove}xattr commit 08b5d5014a27e717826999ad20e394a8811aae92 upstream. set/removexattr on an exported filesystem should break NFS delegations. This is true in general, but also for the upcoming support for RFC 8726 (NFSv4 extended attribute support). Make sure that they do. Additionally, they need to grow a _locked variant, since callers might call this with i_rwsem held (like the NFS server code). Cc: stable@vger.kernel.org # v4.9+ Cc: linux-fsdevel@vger.kernel.org Cc: Al Viro Signed-off-by: Frank van der Linden Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman --- fs/xattr.c | 84 +++++++++++++++++++++++++++++++++++++++---- include/linux/xattr.h | 2 ++ 2 files changed, 79 insertions(+), 7 deletions(-) diff --git a/fs/xattr.c b/fs/xattr.c index 50029811fbe3..94f9559ba0f8 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -204,10 +204,22 @@ int __vfs_setxattr_noperm(struct dentry *dentry, const char *name, return error; } - +/** + * __vfs_setxattr_locked: set an extended attribute while holding the inode + * lock + * + * @dentry - object to perform setxattr on + * @name - xattr name to set + * @value - value to set @name to + * @size - size of @value + * @flags - flags to pass into filesystem operations + * @delegated_inode - on return, will contain an inode pointer that + * a delegation was broken on, NULL if none. + */ int -vfs_setxattr(struct dentry *dentry, const char *name, const void *value, - size_t size, int flags) +__vfs_setxattr_locked(struct dentry *dentry, const char *name, + const void *value, size_t size, int flags, + struct inode **delegated_inode) { struct inode *inode = dentry->d_inode; int error; @@ -216,15 +228,40 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value, if (error) return error; - inode_lock(inode); error = security_inode_setxattr(dentry, name, value, size, flags); if (error) goto out; + error = try_break_deleg(inode, delegated_inode); + if (error) + goto out; + error = __vfs_setxattr_noperm(dentry, name, value, size, flags); out: + return error; +} +EXPORT_SYMBOL_GPL(__vfs_setxattr_locked); + +int +vfs_setxattr(struct dentry *dentry, const char *name, const void *value, + size_t size, int flags) +{ + struct inode *inode = dentry->d_inode; + struct inode *delegated_inode = NULL; + int error; + +retry_deleg: + inode_lock(inode); + error = __vfs_setxattr_locked(dentry, name, value, size, flags, + &delegated_inode); inode_unlock(inode); + + if (delegated_inode) { + error = break_deleg_wait(&delegated_inode); + if (!error) + goto retry_deleg; + } return error; } EXPORT_SYMBOL_GPL(vfs_setxattr); @@ -380,8 +417,18 @@ __vfs_removexattr(struct dentry *dentry, const char *name) } EXPORT_SYMBOL(__vfs_removexattr); +/** + * __vfs_removexattr_locked: set an extended attribute while holding the inode + * lock + * + * @dentry - object to perform setxattr on + * @name - name of xattr to remove + * @delegated_inode - on return, will contain an inode pointer that + * a delegation was broken on, NULL if none. + */ int -vfs_removexattr(struct dentry *dentry, const char *name) +__vfs_removexattr_locked(struct dentry *dentry, const char *name, + struct inode **delegated_inode) { struct inode *inode = dentry->d_inode; int error; @@ -390,11 +437,14 @@ vfs_removexattr(struct dentry *dentry, const char *name) if (error) return error; - inode_lock(inode); error = security_inode_removexattr(dentry, name); if (error) goto out; + error = try_break_deleg(inode, delegated_inode); + if (error) + goto out; + error = __vfs_removexattr(dentry, name); if (!error) { @@ -403,12 +453,32 @@ vfs_removexattr(struct dentry *dentry, const char *name) } out: + return error; +} +EXPORT_SYMBOL_GPL(__vfs_removexattr_locked); + +int +vfs_removexattr(struct dentry *dentry, const char *name) +{ + struct inode *inode = dentry->d_inode; + struct inode *delegated_inode = NULL; + int error; + +retry_deleg: + inode_lock(inode); + error = __vfs_removexattr_locked(dentry, name, &delegated_inode); inode_unlock(inode); + + if (delegated_inode) { + error = break_deleg_wait(&delegated_inode); + if (!error) + goto retry_deleg; + } + return error; } EXPORT_SYMBOL_GPL(vfs_removexattr); - /* * Extended attribute SET operations */ diff --git a/include/linux/xattr.h b/include/linux/xattr.h index d70f77a4b62a..b0945fb7242f 100644 --- a/include/linux/xattr.h +++ b/include/linux/xattr.h @@ -52,8 +52,10 @@ ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t); ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size); int __vfs_setxattr(struct dentry *, struct inode *, const char *, const void *, size_t, int); int __vfs_setxattr_noperm(struct dentry *, const char *, const void *, size_t, int); +int __vfs_setxattr_locked(struct dentry *, const char *, const void *, size_t, int, struct inode **); int vfs_setxattr(struct dentry *, const char *, const void *, size_t, int); int __vfs_removexattr(struct dentry *, const char *); +int __vfs_removexattr_locked(struct dentry *, const char *, struct inode **); int vfs_removexattr(struct dentry *, const char *); ssize_t generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size); From cc6af908962ad436604d510e4812aabcbc218a48 Mon Sep 17 00:00:00 2001 From: Ido Schimmel Date: Wed, 29 Jul 2020 11:37:13 +0300 Subject: [PATCH 187/386] ipv4: Silence suspicious RCU usage warning [ Upstream commit 83f3522860f702748143e022f1a546547314c715 ] fib_trie_unmerge() is called with RTNL held, but not from an RCU read-side critical section. This leads to the following warning [1] when the FIB alias list in a leaf is traversed with hlist_for_each_entry_rcu(). Since the function is always called with RTNL held and since modification of the list is protected by RTNL, simply use hlist_for_each_entry() and silence the warning. [1] WARNING: suspicious RCU usage 5.8.0-rc4-custom-01520-gc1f937f3f83b #30 Not tainted ----------------------------- net/ipv4/fib_trie.c:1867 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by ip/164: #0: ffffffff85a27850 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x49a/0xbd0 stack backtrace: CPU: 0 PID: 164 Comm: ip Not tainted 5.8.0-rc4-custom-01520-gc1f937f3f83b #30 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.fc32 04/01/2014 Call Trace: dump_stack+0x100/0x184 lockdep_rcu_suspicious+0x153/0x15d fib_trie_unmerge+0x608/0xdb0 fib_unmerge+0x44/0x360 fib4_rule_configure+0xc8/0xad0 fib_nl_newrule+0x37a/0x1dd0 rtnetlink_rcv_msg+0x4f7/0xbd0 netlink_rcv_skb+0x17a/0x480 rtnetlink_rcv+0x22/0x30 netlink_unicast+0x5ae/0x890 netlink_sendmsg+0x98a/0xf40 ____sys_sendmsg+0x879/0xa00 ___sys_sendmsg+0x122/0x190 __sys_sendmsg+0x103/0x1d0 __x64_sys_sendmsg+0x7d/0xb0 do_syscall_64+0x54/0xa0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7fc80a234e97 Code: Bad RIP value. RSP: 002b:00007ffef8b66798 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc80a234e97 RDX: 0000000000000000 RSI: 00007ffef8b66800 RDI: 0000000000000003 RBP: 000000005f141b1c R08: 0000000000000001 R09: 0000000000000000 R10: 00007fc80a2a8ac0 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000000 R14: 00007ffef8b67008 R15: 0000556fccb10020 Fixes: 0ddcf43d5d4a ("ipv4: FIB Local/MAIN table collapse") Signed-off-by: Ido Schimmel Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/fib_trie.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c index 3f9509679f0e..0c8fcc050ad2 100644 --- a/net/ipv4/fib_trie.c +++ b/net/ipv4/fib_trie.c @@ -1729,7 +1729,7 @@ struct fib_table *fib_trie_unmerge(struct fib_table *oldtb) while ((l = leaf_walk_rcu(&tp, key)) != NULL) { struct key_vector *local_l = NULL, *local_tp; - hlist_for_each_entry_rcu(fa, &l->leaf, fa_list) { + hlist_for_each_entry(fa, &l->leaf, fa_list) { struct fib_alias *new_fa; if (local_tb->tb_id != fa->tb_id) From da34873e8fb08a306de0c95457de1f63690114ce Mon Sep 17 00:00:00 2001 From: Cong Wang Date: Sat, 25 Jul 2020 15:40:53 -0700 Subject: [PATCH 188/386] ipv6: fix memory leaks on IPV6_ADDRFORM path [ Upstream commit 8c0de6e96c9794cb523a516c465991a70245da1c ] IPV6_ADDRFORM causes resource leaks when converting an IPv6 socket to IPv4, particularly struct ipv6_ac_socklist. Similar to struct ipv6_mc_socklist, we should just close it on this path. This bug can be easily reproduced with the following C program: #include #include #include #include #include int main() { int s, value; struct sockaddr_in6 addr; struct ipv6_mreq m6; s = socket(AF_INET6, SOCK_DGRAM, 0); addr.sin6_family = AF_INET6; addr.sin6_port = htons(5000); inet_pton(AF_INET6, "::ffff:192.168.122.194", &addr.sin6_addr); connect(s, (struct sockaddr *)&addr, sizeof(addr)); inet_pton(AF_INET6, "fe80::AAAA", &m6.ipv6mr_multiaddr); m6.ipv6mr_interface = 5; setsockopt(s, SOL_IPV6, IPV6_JOIN_ANYCAST, &m6, sizeof(m6)); value = AF_INET; setsockopt(s, SOL_IPV6, IPV6_ADDRFORM, &value, sizeof(value)); close(s); return 0; } Reported-by: ch3332xr@gmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- include/net/addrconf.h | 1 + net/ipv6/anycast.c | 17 ++++++++++++----- net/ipv6/ipv6_sockglue.c | 1 + 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/include/net/addrconf.h b/include/net/addrconf.h index f30ee99a1d72..a4cda4768210 100644 --- a/include/net/addrconf.h +++ b/include/net/addrconf.h @@ -270,6 +270,7 @@ int ipv6_sock_ac_join(struct sock *sk, int ifindex, const struct in6_addr *addr); int ipv6_sock_ac_drop(struct sock *sk, int ifindex, const struct in6_addr *addr); +void __ipv6_sock_ac_close(struct sock *sk); void ipv6_sock_ac_close(struct sock *sk); int __ipv6_dev_ac_inc(struct inet6_dev *idev, const struct in6_addr *addr); diff --git a/net/ipv6/anycast.c b/net/ipv6/anycast.c index 0bbab8a4b5d8..4d8b3d1d530b 100644 --- a/net/ipv6/anycast.c +++ b/net/ipv6/anycast.c @@ -170,7 +170,7 @@ int ipv6_sock_ac_drop(struct sock *sk, int ifindex, const struct in6_addr *addr) return 0; } -void ipv6_sock_ac_close(struct sock *sk) +void __ipv6_sock_ac_close(struct sock *sk) { struct ipv6_pinfo *np = inet6_sk(sk); struct net_device *dev = NULL; @@ -178,10 +178,7 @@ void ipv6_sock_ac_close(struct sock *sk) struct net *net = sock_net(sk); int prev_index; - if (!np->ipv6_ac_list) - return; - - rtnl_lock(); + ASSERT_RTNL(); pac = np->ipv6_ac_list; np->ipv6_ac_list = NULL; @@ -198,6 +195,16 @@ void ipv6_sock_ac_close(struct sock *sk) sock_kfree_s(sk, pac, sizeof(*pac)); pac = next; } +} + +void ipv6_sock_ac_close(struct sock *sk) +{ + struct ipv6_pinfo *np = inet6_sk(sk); + + if (!np->ipv6_ac_list) + return; + rtnl_lock(); + __ipv6_sock_ac_close(sk); rtnl_unlock(); } diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index c183222967d0..3f44316db51b 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -207,6 +207,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, fl6_free_socklist(sk); __ipv6_sock_mc_close(sk); + __ipv6_sock_ac_close(sk); /* * Sock is moving from IPv6 to IPv4 (sk_prot), so From 64ce1286449faf7a3ce066d46e81de1d03ad200b Mon Sep 17 00:00:00 2001 From: Landen Chao Date: Wed, 29 Jul 2020 10:15:17 +0200 Subject: [PATCH 189/386] net: ethernet: mtk_eth_soc: fix MTU warnings [ Upstream commit 555a893303872e044fb86f0a5834ce78d41ad2e2 ] in recent kernel versions there are warnings about incorrect MTU size like these: eth0: mtu greater than device maximum mtk_soc_eth 1b100000.ethernet eth0: error -22 setting MTU to include DSA overhead Fixes: bfcb813203e6 ("net: dsa: configure the MTU for switch ports") Fixes: 72579e14a1d3 ("net: dsa: don't fail to probe if we couldn't set the MTU") Fixes: 7a4c53bee332 ("net: report invalid mtu value via netlink extack") Signed-off-by: Landen Chao Signed-off-by: Frank Wunderlich Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c index 9ba699cbdbc5..a52909db67f6 100644 --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c @@ -2452,6 +2452,8 @@ static int mtk_add_mac(struct mtk_eth *eth, struct device_node *np) eth->netdev[id]->irq = eth->irq[0]; eth->netdev[id]->dev.of_node = np; + eth->netdev[id]->max_mtu = MTK_MAX_RX_LENGTH - MTK_RX_ETH_HLEN; + return 0; free_netdev: From 49a3f519e22690d902c7a161eeff1fbb391efd4e Mon Sep 17 00:00:00 2001 From: Ido Schimmel Date: Wed, 29 Jul 2020 11:34:36 +0300 Subject: [PATCH 190/386] vxlan: Ensure FDB dump is performed under RCU [ Upstream commit b5141915b5aec3b29a63db869229e3741ebce258 ] The commit cited below removed the RCU read-side critical section from rtnl_fdb_dump() which means that the ndo_fdb_dump() callback is invoked without RCU protection. This results in the following warning [1] in the VXLAN driver, which relied on the callback being invoked from an RCU read-side critical section. Fix this by calling rcu_read_lock() in the VXLAN driver, as already done in the bridge driver. [1] WARNING: suspicious RCU usage 5.8.0-rc4-custom-01521-g481007553ce6 #29 Not tainted ----------------------------- drivers/net/vxlan.c:1379 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by bridge/166: #0: ffffffff85a27850 (rtnl_mutex){+.+.}-{3:3}, at: netlink_dump+0xea/0x1090 stack backtrace: CPU: 1 PID: 166 Comm: bridge Not tainted 5.8.0-rc4-custom-01521-g481007553ce6 #29 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.fc32 04/01/2014 Call Trace: dump_stack+0x100/0x184 lockdep_rcu_suspicious+0x153/0x15d vxlan_fdb_dump+0x51e/0x6d0 rtnl_fdb_dump+0x4dc/0xad0 netlink_dump+0x540/0x1090 __netlink_dump_start+0x695/0x950 rtnetlink_rcv_msg+0x802/0xbd0 netlink_rcv_skb+0x17a/0x480 rtnetlink_rcv+0x22/0x30 netlink_unicast+0x5ae/0x890 netlink_sendmsg+0x98a/0xf40 __sys_sendto+0x279/0x3b0 __x64_sys_sendto+0xe6/0x1a0 do_syscall_64+0x54/0xa0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7fe14fa2ade0 Code: Bad RIP value. RSP: 002b:00007fff75bb5b88 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00005614b1ba0020 RCX: 00007fe14fa2ade0 RDX: 000000000000011c RSI: 00007fff75bb5b90 RDI: 0000000000000003 RBP: 00007fff75bb5b90 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00005614b1b89160 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Fixes: 5e6d24358799 ("bridge: netlink dump interface at par with brctl") Signed-off-by: Ido Schimmel Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/vxlan.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c index afdc2c290fd0..5d642e39db11 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c @@ -974,6 +974,7 @@ static int vxlan_fdb_dump(struct sk_buff *skb, struct netlink_callback *cb, for (h = 0; h < FDB_HASH_SIZE; ++h) { struct vxlan_fdb *f; + rcu_read_lock(); hlist_for_each_entry_rcu(f, &vxlan->fdb_head[h], hlist) { struct vxlan_rdst *rd; @@ -986,12 +987,15 @@ static int vxlan_fdb_dump(struct sk_buff *skb, struct netlink_callback *cb, cb->nlh->nlmsg_seq, RTM_NEWNEIGH, NLM_F_MULTI, rd); - if (err < 0) + if (err < 0) { + rcu_read_unlock(); goto out; + } skip: *idx += 1; } } + rcu_read_unlock(); } out: return err; From 7105bb40072f3f7de6e06e0a52f804b0f20aa634 Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Tue, 28 Jul 2020 14:10:31 +0200 Subject: [PATCH 191/386] net: lan78xx: replace bogus endpoint lookup [ Upstream commit ea060b352654a8de1e070140d25fe1b7e4d50310 ] Drop the bogus endpoint-lookup helper which could end up accepting interfaces based on endpoints belonging to unrelated altsettings. Note that the returned bulk pipes and interrupt endpoint descriptor were never actually used. Instead the bulk-endpoint numbers are hardcoded to 1 and 2 (matching the specification), while the interrupt- endpoint descriptor was assumed to be the third descriptor created by USB core. Try to bring some order to this by dropping the bogus lookup helper and adding the missing endpoint sanity checks while keeping the interrupt- descriptor assumption for now. Signed-off-by: Johan Hovold Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/usb/lan78xx.c | 117 ++++++++++---------------------------- 1 file changed, 30 insertions(+), 87 deletions(-) diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c index 895f307979c8..120e99914fd6 100644 --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -363,10 +363,6 @@ struct lan78xx_net { struct tasklet_struct bh; struct delayed_work wq; - struct usb_host_endpoint *ep_blkin; - struct usb_host_endpoint *ep_blkout; - struct usb_host_endpoint *ep_intr; - int msg_enable; struct urb *urb_intr; @@ -2751,78 +2747,12 @@ lan78xx_start_xmit(struct sk_buff *skb, struct net_device *net) return NETDEV_TX_OK; } -static int -lan78xx_get_endpoints(struct lan78xx_net *dev, struct usb_interface *intf) -{ - int tmp; - struct usb_host_interface *alt = NULL; - struct usb_host_endpoint *in = NULL, *out = NULL; - struct usb_host_endpoint *status = NULL; - - for (tmp = 0; tmp < intf->num_altsetting; tmp++) { - unsigned ep; - - in = NULL; - out = NULL; - status = NULL; - alt = intf->altsetting + tmp; - - for (ep = 0; ep < alt->desc.bNumEndpoints; ep++) { - struct usb_host_endpoint *e; - int intr = 0; - - e = alt->endpoint + ep; - switch (e->desc.bmAttributes) { - case USB_ENDPOINT_XFER_INT: - if (!usb_endpoint_dir_in(&e->desc)) - continue; - intr = 1; - /* FALLTHROUGH */ - case USB_ENDPOINT_XFER_BULK: - break; - default: - continue; - } - if (usb_endpoint_dir_in(&e->desc)) { - if (!intr && !in) - in = e; - else if (intr && !status) - status = e; - } else { - if (!out) - out = e; - } - } - if (in && out) - break; - } - if (!alt || !in || !out) - return -EINVAL; - - dev->pipe_in = usb_rcvbulkpipe(dev->udev, - in->desc.bEndpointAddress & - USB_ENDPOINT_NUMBER_MASK); - dev->pipe_out = usb_sndbulkpipe(dev->udev, - out->desc.bEndpointAddress & - USB_ENDPOINT_NUMBER_MASK); - dev->ep_intr = status; - - return 0; -} - static int lan78xx_bind(struct lan78xx_net *dev, struct usb_interface *intf) { struct lan78xx_priv *pdata = NULL; int ret; int i; - ret = lan78xx_get_endpoints(dev, intf); - if (ret) { - netdev_warn(dev->net, "lan78xx_get_endpoints failed: %d\n", - ret); - return ret; - } - dev->data[0] = (unsigned long)kzalloc(sizeof(*pdata), GFP_KERNEL); pdata = (struct lan78xx_priv *)(dev->data[0]); @@ -3567,6 +3497,7 @@ static void lan78xx_stat_monitor(unsigned long param) static int lan78xx_probe(struct usb_interface *intf, const struct usb_device_id *id) { + struct usb_host_endpoint *ep_blkin, *ep_blkout, *ep_intr; struct lan78xx_net *dev; struct net_device *netdev; struct usb_device *udev; @@ -3617,6 +3548,34 @@ static int lan78xx_probe(struct usb_interface *intf, mutex_init(&dev->stats.access_lock); + if (intf->cur_altsetting->desc.bNumEndpoints < 3) { + ret = -ENODEV; + goto out2; + } + + dev->pipe_in = usb_rcvbulkpipe(udev, BULK_IN_PIPE); + ep_blkin = usb_pipe_endpoint(udev, dev->pipe_in); + if (!ep_blkin || !usb_endpoint_is_bulk_in(&ep_blkin->desc)) { + ret = -ENODEV; + goto out2; + } + + dev->pipe_out = usb_sndbulkpipe(udev, BULK_OUT_PIPE); + ep_blkout = usb_pipe_endpoint(udev, dev->pipe_out); + if (!ep_blkout || !usb_endpoint_is_bulk_out(&ep_blkout->desc)) { + ret = -ENODEV; + goto out2; + } + + ep_intr = &intf->cur_altsetting->endpoint[2]; + if (!usb_endpoint_is_int_in(&ep_intr->desc)) { + ret = -ENODEV; + goto out2; + } + + dev->pipe_intr = usb_rcvintpipe(dev->udev, + usb_endpoint_num(&ep_intr->desc)); + ret = lan78xx_bind(dev, intf); if (ret < 0) goto out2; @@ -3629,23 +3588,7 @@ static int lan78xx_probe(struct usb_interface *intf, netdev->max_mtu = MAX_SINGLE_PACKET_SIZE; netif_set_gso_max_size(netdev, MAX_SINGLE_PACKET_SIZE - MAX_HEADER); - if (intf->cur_altsetting->desc.bNumEndpoints < 3) { - ret = -ENODEV; - goto out3; - } - - dev->ep_blkin = (intf->cur_altsetting)->endpoint + 0; - dev->ep_blkout = (intf->cur_altsetting)->endpoint + 1; - dev->ep_intr = (intf->cur_altsetting)->endpoint + 2; - - dev->pipe_in = usb_rcvbulkpipe(udev, BULK_IN_PIPE); - dev->pipe_out = usb_sndbulkpipe(udev, BULK_OUT_PIPE); - - dev->pipe_intr = usb_rcvintpipe(dev->udev, - dev->ep_intr->desc.bEndpointAddress & - USB_ENDPOINT_NUMBER_MASK); - period = dev->ep_intr->desc.bInterval; - + period = ep_intr->desc.bInterval; maxp = usb_maxpacket(dev->udev, dev->pipe_intr, 0); buf = kmalloc(maxp, GFP_KERNEL); if (buf) { From 236a93cb8a0beae688ccc1146247d81bb2f1114a Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 4 Aug 2020 09:54:15 -0700 Subject: [PATCH 192/386] hv_netvsc: do not use VF device if link is down [ Upstream commit 7c9864bbccc23e1812ac82966555d68c13ea4006 ] If the accelerated networking SRIOV VF device has lost carrier use the synthetic network device which is available as backup path. This is a rare case since if VF link goes down, normally the VMBus device will also loose external connectivity as well. But if the communication is between two VM's on the same host the VMBus device will still work. Reported-by: "Shah, Ashish N" Fixes: 0c195567a8f6 ("netvsc: transparent VF management") Signed-off-by: Stephen Hemminger Reviewed-by: Haiyang Zhang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/hyperv/netvsc_drv.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index 14451e14d99d..10c3480c2da8 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -532,12 +532,13 @@ static int netvsc_start_xmit(struct sk_buff *skb, struct net_device *net) u32 hash; struct hv_page_buffer pb[MAX_PAGE_BUFFER_COUNT]; - /* if VF is present and up then redirect packets - * already called with rcu_read_lock_bh + /* If VF is present and up then redirect packets to it. + * Skip the VF if it is marked down or has no carrier. + * If netpoll is in uses, then VF can not be used either. */ vf_netdev = rcu_dereference_bh(net_device_ctx->vf_netdev); if (vf_netdev && netif_running(vf_netdev) && - !netpoll_tx_running(net)) + netif_carrier_ok(vf_netdev) && !netpoll_tx_running(net)) return netvsc_vf_xmit(net, vf_netdev, skb); /* We will atmost need two pages to describe the rndis From b3e3feb569e0c3628b8a0d68459a9318ce5d891e Mon Sep 17 00:00:00 2001 From: Lorenzo Bianconi Date: Fri, 31 Jul 2020 20:12:05 +0200 Subject: [PATCH 193/386] net: gre: recompute gre csum for sctp over gre tunnels [ Upstream commit 622e32b7d4a6492cf5c1f759ef833f817418f7b3 ] The GRE tunnel can be used to transport traffic that does not rely on a Internet checksum (e.g. SCTP). The issue can be triggered creating a GRE or GRETAP tunnel and transmitting SCTP traffic ontop of it where CRC offload has been disabled. In order to fix the issue we need to recompute the GRE csum in gre_gso_segment() not relying on the inner checksum. The issue is still present when we have the CRC offload enabled. In this case we need to disable the CRC offload if we require GRE checksum since otherwise skb_checksum() will report a wrong value. Fixes: 90017accff61 ("sctp: Add GSO support") Signed-off-by: Lorenzo Bianconi Reviewed-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/gre_offload.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c index 6a7d980105f6..095c30863745 100644 --- a/net/ipv4/gre_offload.c +++ b/net/ipv4/gre_offload.c @@ -19,12 +19,12 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb, netdev_features_t features) { int tnl_hlen = skb_inner_mac_header(skb) - skb_transport_header(skb); + bool need_csum, need_recompute_csum, gso_partial; struct sk_buff *segs = ERR_PTR(-EINVAL); u16 mac_offset = skb->mac_header; __be16 protocol = skb->protocol; u16 mac_len = skb->mac_len; int gre_offset, outer_hlen; - bool need_csum, gso_partial; if (!skb->encapsulation) goto out; @@ -45,6 +45,7 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb, skb->protocol = skb->inner_protocol; need_csum = !!(skb_shinfo(skb)->gso_type & SKB_GSO_GRE_CSUM); + need_recompute_csum = skb->csum_not_inet; skb->encap_hdr_csum = need_csum; features &= skb->dev->hw_enc_features; @@ -102,7 +103,15 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb, } *(pcsum + 1) = 0; - *pcsum = gso_make_checksum(skb, 0); + if (need_recompute_csum && !skb_is_gso(skb)) { + __wsum csum; + + csum = skb_checksum(skb, gre_offset, + skb->len - gre_offset, 0); + *pcsum = csum_fold(csum); + } else { + *pcsum = gso_make_checksum(skb, 0); + } } while ((skb = skb->next)); out: return segs; From bf4c61248445f08fc0e778c1b14f396b1c689b2e Mon Sep 17 00:00:00 2001 From: Peilin Ye Date: Fri, 31 Jul 2020 00:48:38 -0400 Subject: [PATCH 194/386] openvswitch: Prevent kernel-infoleak in ovs_ct_put_key() [ Upstream commit 9aba6c5b49254d5bee927d81593ed4429e91d4ae ] ovs_ct_put_key() is potentially copying uninitialized kernel stack memory into socket buffers, since the compiler may leave a 3-byte hole at the end of `struct ovs_key_ct_tuple_ipv4` and `struct ovs_key_ct_tuple_ipv6`. Fix it by initializing `orig` with memset(). Fixes: 9dd7f8907c37 ("openvswitch: Add original direction conntrack tuple to sw_flow_key.") Suggested-by: Dan Carpenter Signed-off-by: Peilin Ye Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/openvswitch/conntrack.c | 38 +++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 737e37b28d93..a39ef1a048fd 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -255,10 +255,6 @@ void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key) ovs_ct_update_key(skb, NULL, key, false, false); } -#define IN6_ADDR_INITIALIZER(ADDR) \ - { (ADDR).s6_addr32[0], (ADDR).s6_addr32[1], \ - (ADDR).s6_addr32[2], (ADDR).s6_addr32[3] } - int ovs_ct_put_key(const struct sw_flow_key *swkey, const struct sw_flow_key *output, struct sk_buff *skb) { @@ -280,24 +276,30 @@ int ovs_ct_put_key(const struct sw_flow_key *swkey, if (swkey->ct_orig_proto) { if (swkey->eth.type == htons(ETH_P_IP)) { - struct ovs_key_ct_tuple_ipv4 orig = { - output->ipv4.ct_orig.src, - output->ipv4.ct_orig.dst, - output->ct.orig_tp.src, - output->ct.orig_tp.dst, - output->ct_orig_proto, - }; + struct ovs_key_ct_tuple_ipv4 orig; + + memset(&orig, 0, sizeof(orig)); + orig.ipv4_src = output->ipv4.ct_orig.src; + orig.ipv4_dst = output->ipv4.ct_orig.dst; + orig.src_port = output->ct.orig_tp.src; + orig.dst_port = output->ct.orig_tp.dst; + orig.ipv4_proto = output->ct_orig_proto; + if (nla_put(skb, OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4, sizeof(orig), &orig)) return -EMSGSIZE; } else if (swkey->eth.type == htons(ETH_P_IPV6)) { - struct ovs_key_ct_tuple_ipv6 orig = { - IN6_ADDR_INITIALIZER(output->ipv6.ct_orig.src), - IN6_ADDR_INITIALIZER(output->ipv6.ct_orig.dst), - output->ct.orig_tp.src, - output->ct.orig_tp.dst, - output->ct_orig_proto, - }; + struct ovs_key_ct_tuple_ipv6 orig; + + memset(&orig, 0, sizeof(orig)); + memcpy(orig.ipv6_src, output->ipv6.ct_orig.src.s6_addr32, + sizeof(orig.ipv6_src)); + memcpy(orig.ipv6_dst, output->ipv6.ct_orig.dst.s6_addr32, + sizeof(orig.ipv6_dst)); + orig.src_port = output->ct.orig_tp.src; + orig.dst_port = output->ct.orig_tp.dst; + orig.ipv6_proto = output->ct_orig_proto; + if (nla_put(skb, OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6, sizeof(orig), &orig)) return -EMSGSIZE; From 4cbdf39a899a8028b9cedc13f65c0570ce44479c Mon Sep 17 00:00:00 2001 From: Hangbin Liu Date: Wed, 5 Aug 2020 10:41:31 +0800 Subject: [PATCH 195/386] Revert "vxlan: fix tos value before xmit" [ Upstream commit a0dced17ad9dc08b1b25e0065b54c97a318e6e8b ] This reverts commit 71130f29979c7c7956b040673e6b9d5643003176. In commit 71130f29979c ("vxlan: fix tos value before xmit") we want to make sure the tos value are filtered by RT_TOS() based on RFC1349. 0 1 2 3 4 5 6 7 +-----+-----+-----+-----+-----+-----+-----+-----+ | PRECEDENCE | TOS | MBZ | +-----+-----+-----+-----+-----+-----+-----+-----+ But RFC1349 has been obsoleted by RFC2474. The new DSCP field defined like 0 1 2 3 4 5 6 7 +-----+-----+-----+-----+-----+-----+-----+-----+ | DS FIELD, DSCP | ECN FIELD | +-----+-----+-----+-----+-----+-----+-----+-----+ So with IPTOS_TOS_MASK 0x1E RT_TOS(tos) ((tos)&IPTOS_TOS_MASK) the first 3 bits DSCP info will get lost. To take all the DSCP info in xmit, we should revert the patch and just push all tos bits to ip_tunnel_ecn_encap(), which will handling ECN field later. Fixes: 71130f29979c ("vxlan: fix tos value before xmit") Signed-off-by: Hangbin Liu Acked-by: Guillaume Nault Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/vxlan.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c index 5d642e39db11..82efa5bbf568 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c @@ -2222,7 +2222,7 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, skb_dst_update_pmtu(skb, mtu); } - tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb); + tos = ip_tunnel_ecn_encap(tos, old_iph, skb); ttl = ttl ? : ip4_dst_hoplimit(&rt->dst); err = vxlan_build_skb(skb, ndst, sizeof(struct iphdr), vni, md, flags, udp_sum); @@ -2263,7 +2263,7 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, skb_dst_update_pmtu(skb, mtu); } - tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb); + tos = ip_tunnel_ecn_encap(tos, old_iph, skb); ttl = ttl ? : ip6_dst_hoplimit(ndst); skb_scrub_packet(skb, xnet); err = vxlan_build_skb(skb, ndst, sizeof(struct ipv6hdr), From 5200f946ca1fe164bde8cadd1a170a728e9ae190 Mon Sep 17 00:00:00 2001 From: Willem de Bruijn Date: Wed, 5 Aug 2020 04:40:45 -0400 Subject: [PATCH 196/386] selftests/net: relax cpu affinity requirement in msg_zerocopy test [ Upstream commit 16f6458f2478b55e2b628797bc81a4455045c74e ] The msg_zerocopy test pins the sender and receiver threads to separate cores to reduce variance between runs. But it hardcodes the cores and skips core 0, so it fails on machines with the selected cores offline, or simply fewer cores. The test mainly gives code coverage in automated runs. The throughput of zerocopy ('-z') and non-zerocopy runs is logged for manual inspection. Continue even when sched_setaffinity fails. Just log to warn anyone interpreting the data. Fixes: 07b65c5b31ce ("test: add msg_zerocopy test") Reported-by: Colin Ian King Signed-off-by: Willem de Bruijn Acked-by: Colin Ian King Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- tools/testing/selftests/net/msg_zerocopy.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c index e11fe84de0fd..6184d2a4c4a6 100644 --- a/tools/testing/selftests/net/msg_zerocopy.c +++ b/tools/testing/selftests/net/msg_zerocopy.c @@ -121,9 +121,8 @@ static int do_setcpu(int cpu) CPU_ZERO(&mask); CPU_SET(cpu, &mask); if (sched_setaffinity(0, sizeof(mask), &mask)) - error(1, 0, "setaffinity %d", cpu); - - if (cfg_verbose) + fprintf(stderr, "cpu: unable to pin, may increase variance.\n"); + else if (cfg_verbose) fprintf(stderr, "cpu: %u\n", cpu); return 0; From 226422a2bfff136455297792bea62470a4f0855c Mon Sep 17 00:00:00 2001 From: Rustam Kovhaev Date: Mon, 27 Jul 2020 23:42:17 -0700 Subject: [PATCH 197/386] usb: hso: check for return value in hso_serial_common_create() [ Upstream commit e911e99a0770f760377c263bc7bac1b1593c6147 ] in case of an error tty_register_device_attr() returns ERR_PTR(), add IS_ERR() check Reported-and-tested-by: syzbot+67b2bd0e34f952d0321e@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e Signed-off-by: Rustam Kovhaev Reviewed-by: Greg Kroah-Hartman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/usb/hso.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c index 7988c41bff1d..0e3d13e192e3 100644 --- a/drivers/net/usb/hso.c +++ b/drivers/net/usb/hso.c @@ -2272,12 +2272,14 @@ static int hso_serial_common_create(struct hso_serial *serial, int num_urbs, minor = get_free_serial_index(); if (minor < 0) - goto exit; + goto exit2; /* register our minor number */ serial->parent->dev = tty_port_register_device_attr(&serial->port, tty_drv, minor, &serial->parent->interface->dev, serial->parent, hso_serial_dev_groups); + if (IS_ERR(serial->parent->dev)) + goto exit2; dev = serial->parent->dev; /* fill in specific data for later use */ @@ -2323,6 +2325,7 @@ static int hso_serial_common_create(struct hso_serial *serial, int num_urbs, return 0; exit: hso_serial_tty_unregister(serial); +exit2: hso_serial_common_free(serial); return -1; } From 6aa01b947c3ac40fc62c97a7f53b45a503a6d91b Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 29 Jul 2020 00:03:56 +0100 Subject: [PATCH 198/386] rxrpc: Fix race between recvmsg and sendmsg on immediate call failure [ Upstream commit 65550098c1c4db528400c73acf3e46bfa78d9264 ] There's a race between rxrpc_sendmsg setting up a call, but then failing to send anything on it due to an error, and recvmsg() seeing the call completion occur and trying to return the state to the user. An assertion fails in rxrpc_recvmsg() because the call has already been released from the socket and is about to be released again as recvmsg deals with it. (The recvmsg_q queue on the socket holds a ref, so there's no problem with use-after-free.) We also have to be careful not to end up reporting an error twice, in such a way that both returns indicate to userspace that the user ID supplied with the call is no longer in use - which could cause the client to malfunction if it recycles the user ID fast enough. Fix this by the following means: (1) When sendmsg() creates a call after the point that the call has been successfully added to the socket, don't return any errors through sendmsg(), but rather complete the call and let recvmsg() retrieve them. Make sendmsg() return 0 at this point. Further calls to sendmsg() for that call will fail with ESHUTDOWN. Note that at this point, we haven't send any packets yet, so the server doesn't yet know about the call. (2) If sendmsg() returns an error when it was expected to create a new call, it means that the user ID wasn't used. (3) Mark the call disconnected before marking it completed to prevent an oops in rxrpc_release_call(). (4) recvmsg() will then retrieve the error and set MSG_EOR to indicate that the user ID is no longer known by the kernel. An oops like the following is produced: kernel BUG at net/rxrpc/recvmsg.c:605! ... RIP: 0010:rxrpc_recvmsg+0x256/0x5ae ... Call Trace: ? __init_waitqueue_head+0x2f/0x2f ____sys_recvmsg+0x8a/0x148 ? import_iovec+0x69/0x9c ? copy_msghdr_from_user+0x5c/0x86 ___sys_recvmsg+0x72/0xaa ? __fget_files+0x22/0x57 ? __fget_light+0x46/0x51 ? fdget+0x9/0x1b do_recvmmsg+0x15e/0x232 ? _raw_spin_unlock+0xa/0xb ? vtime_delta+0xf/0x25 __x64_sys_recvmmsg+0x2c/0x2f do_syscall_64+0x4c/0x78 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 357f5ef64628 ("rxrpc: Call rxrpc_release_call() on error in rxrpc_new_client_call()") Reported-by: syzbot+b54969381df354936d96@syzkaller.appspotmail.com Signed-off-by: David Howells Reviewed-by: Marc Dionne Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/rxrpc/call_object.c | 27 +++++++++++++++++++-------- net/rxrpc/conn_object.c | 8 +++++--- net/rxrpc/recvmsg.c | 2 +- net/rxrpc/sendmsg.c | 3 +++ 4 files changed, 28 insertions(+), 12 deletions(-) diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c index 7021725fa38a..1c98a026b41a 100644 --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c @@ -275,7 +275,7 @@ struct rxrpc_call *rxrpc_new_client_call(struct rxrpc_sock *rx, */ ret = rxrpc_connect_call(call, cp, srx, gfp); if (ret < 0) - goto error; + goto error_attached_to_socket; trace_rxrpc_call(call, rxrpc_call_connected, atomic_read(&call->usage), here, NULL); @@ -295,18 +295,29 @@ struct rxrpc_call *rxrpc_new_client_call(struct rxrpc_sock *rx, error_dup_user_ID: write_unlock(&rx->call_lock); release_sock(&rx->sk); - ret = -EEXIST; - -error: __rxrpc_set_call_completion(call, RXRPC_CALL_LOCAL_ERROR, - RX_CALL_DEAD, ret); + RX_CALL_DEAD, -EEXIST); trace_rxrpc_call(call, rxrpc_call_error, atomic_read(&call->usage), - here, ERR_PTR(ret)); + here, ERR_PTR(-EEXIST)); rxrpc_release_call(rx, call); mutex_unlock(&call->user_mutex); rxrpc_put_call(call, rxrpc_call_put); - _leave(" = %d", ret); - return ERR_PTR(ret); + _leave(" = -EEXIST"); + return ERR_PTR(-EEXIST); + + /* We got an error, but the call is attached to the socket and is in + * need of release. However, we might now race with recvmsg() when + * completing the call queues it. Return 0 from sys_sendmsg() and + * leave the error to recvmsg() to deal with. + */ +error_attached_to_socket: + trace_rxrpc_call(call, rxrpc_call_error, atomic_read(&call->usage), + here, ERR_PTR(ret)); + set_bit(RXRPC_CALL_DISCONNECTED, &call->flags); + __rxrpc_set_call_completion(call, RXRPC_CALL_LOCAL_ERROR, + RX_CALL_DEAD, ret); + _leave(" = c=%08x [err]", call->debug_id); + return call; } /* diff --git a/net/rxrpc/conn_object.c b/net/rxrpc/conn_object.c index af0232820597..0e5087b9e07c 100644 --- a/net/rxrpc/conn_object.c +++ b/net/rxrpc/conn_object.c @@ -196,9 +196,11 @@ void rxrpc_disconnect_call(struct rxrpc_call *call) call->peer->cong_cwnd = call->cong_cwnd; - spin_lock_bh(&conn->params.peer->lock); - hlist_del_init(&call->error_link); - spin_unlock_bh(&conn->params.peer->lock); + if (!hlist_unhashed(&call->error_link)) { + spin_lock_bh(&conn->params.peer->lock); + hlist_del_init(&call->error_link); + spin_unlock_bh(&conn->params.peer->lock); + } if (rxrpc_is_client_call(call)) return rxrpc_disconnect_client_call(call); diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c index e82e91fe6178..1cdd8b380d47 100644 --- a/net/rxrpc/recvmsg.c +++ b/net/rxrpc/recvmsg.c @@ -522,7 +522,7 @@ try_again: goto error_unlock_call; } - if (msg->msg_name) { + if (msg->msg_name && call->peer) { struct sockaddr_rxrpc *srx = msg->msg_name; size_t len = sizeof(call->peer->srx); diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c index f4386ad975cf..8f9a2a7eeb7c 100644 --- a/net/rxrpc/sendmsg.c +++ b/net/rxrpc/sendmsg.c @@ -579,6 +579,9 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len) if (IS_ERR(call)) return PTR_ERR(call); /* ... and we have the call lock. */ + ret = 0; + if (READ_ONCE(call->state) == RXRPC_CALL_COMPLETE) + goto out_put_unlock; } else { switch (READ_ONCE(call->state)) { case RXRPC_CALL_UNINITIALISED: From a963ddc8fffada154a87ca407fdfc850618ba49b Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Wed, 8 Jul 2020 13:15:20 -0700 Subject: [PATCH 199/386] Smack: fix use-after-free in smk_write_relabel_self() commit beb4ee6770a89646659e6a2178538d2b13e2654e upstream. smk_write_relabel_self() frees memory from the task's credentials with no locking, which can easily cause a use-after-free because multiple tasks can share the same credentials structure. Fix this by using prepare_creds() and commit_creds() to correctly modify the task's credentials. Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self": #include #include #include static void *thrproc(void *arg) { int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY); for (;;) write(fd, "foo", 3); } int main() { pthread_t t; pthread_create(&t, NULL, thrproc, NULL); thrproc(NULL); } Reported-by: syzbot+e6416dabb497a650da40@syzkaller.appspotmail.com Fixes: 38416e53936e ("Smack: limited capability for changing process label") Cc: # v4.4+ Signed-off-by: Eric Biggers Signed-off-by: Casey Schaufler Signed-off-by: Greg Kroah-Hartman --- security/smack/smackfs.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 371ae368da35..10ee51d04492 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -2746,7 +2746,6 @@ static int smk_open_relabel_self(struct inode *inode, struct file *file) static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - struct task_smack *tsp = current_security(); char *data; int rc; LIST_HEAD(list_tmp); @@ -2771,11 +2770,21 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, kfree(data); if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) { + struct cred *new; + struct task_smack *tsp; + + new = prepare_creds(); + if (!new) { + rc = -ENOMEM; + goto out; + } + tsp = new->security; smk_destroy_label_list(&tsp->smk_relabel); list_splice(&list_tmp, &tsp->smk_relabel); + commit_creds(new); return count; } - +out: smk_destroy_label_list(&list_tmp); return rc; } From 25dfa86fe24396cc4b198228735b4a0e13f9a769 Mon Sep 17 00:00:00 2001 From: Nick Desaulniers Date: Thu, 30 Jul 2020 15:45:54 -0700 Subject: [PATCH 200/386] tracepoint: Mark __tracepoint_string's __used commit f3751ad0116fb6881f2c3c957d66a9327f69cefb upstream. __tracepoint_string's have their string data stored in .rodata, and an address to that data stored in the "__tracepoint_str" section. Functions that refer to those strings refer to the symbol of the address. Compiler optimization can replace those address references with references directly to the string data. If the address doesn't appear to have other uses, then it appears dead to the compiler and is removed. This can break the /tracing/printk_formats sysfs node which iterates the addresses stored in the "__tracepoint_str" section. Like other strings stored in custom sections in this header, mark these __used to inform the compiler that there are other non-obvious users of the address, so they should still be emitted. Link: https://lkml.kernel.org/r/20200730224555.2142154-2-ndesaulniers@google.com Cc: Ingo Molnar Cc: Miguel Ojeda Cc: stable@vger.kernel.org Fixes: 102c9323c35a8 ("tracing: Add __tracepoint_string() to export string pointers") Reported-by: Tim Murray Reported-by: Simon MacMullen Suggested-by: Greg Hackmann Signed-off-by: Nick Desaulniers Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman --- include/linux/tracepoint.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/tracepoint.h b/include/linux/tracepoint.h index a26ffbe09e71..06cb9184a42a 100644 --- a/include/linux/tracepoint.h +++ b/include/linux/tracepoint.h @@ -318,7 +318,7 @@ extern void syscall_unregfunc(void); static const char *___tp_str __tracepoint_string = str; \ ___tp_str; \ }) -#define __tracepoint_string __attribute__((section("__tracepoint_str"))) +#define __tracepoint_string __attribute__((section("__tracepoint_str"), used)) #else /* * tracepoint_string() is used to save the string address for userspace From 2d5fdf1588074054c4a50213148cbcd35946a1c9 Mon Sep 17 00:00:00 2001 From: Grant Likely Date: Fri, 10 Jul 2020 16:19:39 +0100 Subject: [PATCH 201/386] HID: input: Fix devices that return multiple bytes in battery report commit 4f57cace81438cc873a96f9f13f08298815c9b51 upstream. Some devices, particularly the 3DConnexion Spacemouse wireless 3D controllers, return more than just the battery capacity in the battery report. The Spacemouse devices return an additional byte with a device specific field. However, hidinput_query_battery_capacity() only requests a 2 byte transfer. When a spacemouse is connected via USB (direct wire, no wireless dongle) and it returns a 3 byte report instead of the assumed 2 byte battery report the larger transfer confuses and frightens the USB subsystem which chooses to ignore the transfer. Then after 2 seconds assume the device has stopped responding and reset it. This can be reproduced easily by using a wired connection with a wireless spacemouse. The Spacemouse will enter a loop of resetting every 2 seconds which can be observed in dmesg. This patch solves the problem by increasing the transfer request to 4 bytes instead of 2. The fix isn't particularly elegant, but it is simple and safe to backport to stable kernels. A further patch will follow to more elegantly handle battery reports that contain additional data. Signed-off-by: Grant Likely Cc: Darren Hart Cc: Jiri Kosina Cc: Benjamin Tissoires Cc: stable@vger.kernel.org Tested-by: Darren Hart Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman --- drivers/hid/hid-input.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c index 14e4003fde4d..204ccf674533 100644 --- a/drivers/hid/hid-input.c +++ b/drivers/hid/hid-input.c @@ -362,13 +362,13 @@ static int hidinput_query_battery_capacity(struct hid_device *dev) u8 *buf; int ret; - buf = kmalloc(2, GFP_KERNEL); + buf = kmalloc(4, GFP_KERNEL); if (!buf) return -ENOMEM; - ret = hid_hw_raw_request(dev, dev->battery_report_id, buf, 2, + ret = hid_hw_raw_request(dev, dev->battery_report_id, buf, 4, dev->battery_report_type, HID_REQ_GET_REPORT); - if (ret != 2) { + if (ret < 2) { kfree(buf); return -ENODATA; } From 1bfba2f4270c64c912756fc76621bbce959ddf2e Mon Sep 17 00:00:00 2001 From: Yang Yingliang Date: Thu, 13 Aug 2020 20:29:16 +0000 Subject: [PATCH 202/386] cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone() Add skcd->no_refcnt check which is missed when backporting ad0f75e5f57c ("cgroup: fix cgroup_sk_alloc() for sk_clone_lock()"). This patch is needed in stable-4.9, stable-4.14 and stable-4.19. Signed-off-by: Yang Yingliang Signed-off-by: Sasha Levin --- kernel/cgroup/cgroup.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c index a2fed8fbd2bd..ada060e628ce 100644 --- a/kernel/cgroup/cgroup.c +++ b/kernel/cgroup/cgroup.c @@ -5827,6 +5827,8 @@ void cgroup_sk_clone(struct sock_cgroup_data *skcd) { /* Socket clone path */ if (skcd->val) { + if (skcd->no_refcnt) + return; /* * We might be cloning a socket which is left in an empty * cgroup and the cgroup might have already been rmdir'd. From d7fcad6aebb04a013270e9d2b34e1ad2cd99e8f9 Mon Sep 17 00:00:00 2001 From: Zhenzhong Duan Date: Thu, 11 Jun 2020 10:32:38 +0800 Subject: [PATCH 203/386] x86/mce/inject: Fix a wrong assignment of i_mce.status [ Upstream commit 5d7f7d1d5e01c22894dee7c9c9266500478dca99 ] The original code is a nop as i_mce.status is or'ed with part of itself, fix it. Fixes: a1300e505297 ("x86/ras/mce_amd_inj: Trigger deferred and thresholding errors interrupts") Signed-off-by: Zhenzhong Duan Signed-off-by: Borislav Petkov Acked-by: Yazen Ghannam Link: https://lkml.kernel.org/r/20200611023238.3830-1-zhenzhong.duan@gmail.com Signed-off-by: Sasha Levin --- arch/x86/kernel/cpu/mcheck/mce-inject.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/mcheck/mce-inject.c b/arch/x86/kernel/cpu/mcheck/mce-inject.c index e57b59762f9f..94aa91b09c28 100644 --- a/arch/x86/kernel/cpu/mcheck/mce-inject.c +++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c @@ -518,7 +518,7 @@ static void do_inject(void) */ if (inj_type == DFR_INT_INJ) { i_mce.status |= MCI_STATUS_DEFERRED; - i_mce.status |= (i_mce.status & ~MCI_STATUS_UC); + i_mce.status &= ~MCI_STATUS_UC; } /* From a51095df01d344ea85c7eb7d10a2f8f660542e80 Mon Sep 17 00:00:00 2001 From: Peng Liu Date: Tue, 9 Jun 2020 23:09:36 +0800 Subject: [PATCH 204/386] sched: correct SD_flags returned by tl->sd_flags() [ Upstream commit 9b1b234bb86bcdcdb142e900d39b599185465dbb ] During sched domain init, we check whether non-topological SD_flags are returned by tl->sd_flags(), if found, fire a waning and correct the violation, but the code failed to correct the violation. Correct this. Fixes: 143e1e28cb40 ("sched: Rework sched_domain topology definition") Signed-off-by: Peng Liu Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Vincent Guittot Reviewed-by: Valentin Schneider Link: https://lkml.kernel.org/r/20200609150936.GA13060@iZj6chx1xj0e0buvshuecpZ Signed-off-by: Sasha Levin --- kernel/sched/topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c index 867d173dab48..152ffe0c2433 100644 --- a/kernel/sched/topology.c +++ b/kernel/sched/topology.c @@ -1117,7 +1117,7 @@ sd_init(struct sched_domain_topology_level *tl, sd_flags = (*tl->sd_flags)(); if (WARN_ONCE(sd_flags & ~TOPOLOGY_SD_FLAGS, "wrong sd_flags in topology description\n")) - sd_flags &= ~TOPOLOGY_SD_FLAGS; + sd_flags &= TOPOLOGY_SD_FLAGS; *sd = (struct sched_domain){ .min_interval = sd_weight, From e97bf96656e126a60451613e0b44474ad7e08327 Mon Sep 17 00:00:00 2001 From: Heiko Stuebner Date: Thu, 4 Jun 2020 11:12:39 +0200 Subject: [PATCH 205/386] arm64: dts: rockchip: fix rk3399-puma vcc5v0-host gpio [ Upstream commit 7a7184f6cfa9279f1a1c10a1845d247d7fad54ff ] The puma vcc5v0_host regulator node currently uses opposite active-values for the enable pin. The gpio-declaration uses active-high while the separate enable-active-low property marks the pin as active low. While on the kernel side this works ok, other DT users may get confused - as seen with uboot right now. So bring this in line and make both properties match, similar to the gmac fix. Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") Signed-off-by: Heiko Stuebner Link: https://lore.kernel.org/r/20200604091239.424318-1-heiko@sntech.de Signed-off-by: Sasha Levin --- arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi index 1fc5060d7027..b08a998ca102 100644 --- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi @@ -138,7 +138,7 @@ vcc5v0_host: vcc5v0-host-regulator { compatible = "regulator-fixed"; - gpio = <&gpio4 RK_PA3 GPIO_ACTIVE_HIGH>; + gpio = <&gpio4 RK_PA3 GPIO_ACTIVE_LOW>; enable-active-low; pinctrl-names = "default"; pinctrl-0 = <&vcc5v0_host_en>; From 59b5331268406b08016e6b58d89bae30042d844e Mon Sep 17 00:00:00 2001 From: Heiko Stuebner Date: Wed, 3 Jun 2020 15:28:36 +0200 Subject: [PATCH 206/386] arm64: dts: rockchip: fix rk3399-puma gmac reset gpio [ Upstream commit 8a445086f8af0b7b9bd8d1901d6f306bb154f70d ] The puma gmac node currently uses opposite active-values for the gmac phy reset pin. The gpio-declaration uses active-high while the separate snps,reset-active-low property marks the pin as active low. While on the kernel side this works ok, other DT users may get confused - as seen with uboot right now. So bring this in line and make both properties match, similar to the other Rockchip board. Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") Signed-off-by: Heiko Stuebner Link: https://lore.kernel.org/r/20200603132836.362519-1-heiko@sntech.de Signed-off-by: Sasha Levin --- arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi index b08a998ca102..0d5679380b2a 100644 --- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi @@ -193,7 +193,7 @@ phy-mode = "rgmii"; pinctrl-names = "default"; pinctrl-0 = <&rgmii_pins>; - snps,reset-gpio = <&gpio3 RK_PC0 GPIO_ACTIVE_HIGH>; + snps,reset-gpio = <&gpio3 RK_PC0 GPIO_ACTIVE_LOW>; snps,reset-active-low; snps,reset-delays-us = <0 10000 50000>; tx_delay = <0x10>; From 46f7ec5fe967f8cb8e5ce479fa23e5476bbee2c1 Mon Sep 17 00:00:00 2001 From: Qiushi Wu Date: Thu, 28 May 2020 15:22:37 -0500 Subject: [PATCH 207/386] EDAC: Fix reference count leaks [ Upstream commit 17ed808ad243192fb923e4e653c1338d3ba06207 ] When kobject_init_and_add() returns an error, it should be handled because kobject_init_and_add() takes a reference even when it fails. If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object. Therefore, replace calling kfree() and call kobject_put() and add a missing kobject_put() in the edac_device_register_sysfs_main_kobj() error path. [ bp: Massage and merge into a single patch. ] Fixes: b2ed215a3338 ("Kobject: change drivers/edac to use kobject_init_and_add") Signed-off-by: Qiushi Wu Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20200528202238.18078-1-wu000273@umn.edu Link: https://lkml.kernel.org/r/20200528203526.20908-1-wu000273@umn.edu Signed-off-by: Sasha Levin --- drivers/edac/edac_device_sysfs.c | 1 + drivers/edac/edac_pci_sysfs.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/edac/edac_device_sysfs.c b/drivers/edac/edac_device_sysfs.c index 0e7ea3591b78..5e7593753799 100644 --- a/drivers/edac/edac_device_sysfs.c +++ b/drivers/edac/edac_device_sysfs.c @@ -275,6 +275,7 @@ int edac_device_register_sysfs_main_kobj(struct edac_device_ctl_info *edac_dev) /* Error exit stack */ err_kobj_reg: + kobject_put(&edac_dev->kobj); module_put(edac_dev->owner); err_out: diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c index 72c9eb9fdffb..53042af7262e 100644 --- a/drivers/edac/edac_pci_sysfs.c +++ b/drivers/edac/edac_pci_sysfs.c @@ -386,7 +386,7 @@ static int edac_pci_main_kobj_setup(void) /* Error unwind statck */ kobject_init_and_add_fail: - kfree(edac_pci_top_main_kobj); + kobject_put(edac_pci_top_main_kobj); kzalloc_fail: module_put(THIS_MODULE); From 7e672bd32482130379ce34dbc4c2af41924762d0 Mon Sep 17 00:00:00 2001 From: Stephan Gerhold Date: Fri, 5 Jun 2020 20:59:14 +0200 Subject: [PATCH 208/386] arm64: dts: qcom: msm8916: Replace invalid bias-pull-none property [ Upstream commit 1b6a1a162defe649c5599d661b58ac64bb6f31b6 ] msm8916-pins.dtsi specifies "bias-pull-none" for most of the audio pin configurations. This was likely copied from the qcom kernel fork where the same property was used for these audio pins. However, "bias-pull-none" actually does not exist at all - not in mainline and not in downstream. I can only guess that the original intention was to configure "no pull", i.e. bias-disable. Change it to that instead. Fixes: 143bb9ad85b7 ("arm64: dts: qcom: add audio pinctrls") Cc: Srinivas Kandagatla Signed-off-by: Stephan Gerhold Link: https://lore.kernel.org/r/20200605185916.318494-2-stephan@gerhold.net Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin --- arch/arm64/boot/dts/qcom/msm8916-pins.dtsi | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi index 4cb0b5834143..69ba1d79bcd5 100644 --- a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +++ b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi @@ -542,7 +542,7 @@ pins = "gpio63", "gpio64", "gpio65", "gpio66", "gpio67", "gpio68"; drive-strength = <8>; - bias-pull-none; + bias-disable; }; }; cdc_pdm_lines_sus: pdm_lines_off { @@ -571,7 +571,7 @@ pins = "gpio113", "gpio114", "gpio115", "gpio116"; drive-strength = <8>; - bias-pull-none; + bias-disable; }; }; @@ -599,7 +599,7 @@ pinconf { pins = "gpio110"; drive-strength = <8>; - bias-pull-none; + bias-disable; }; }; @@ -625,7 +625,7 @@ pinconf { pins = "gpio116"; drive-strength = <8>; - bias-pull-none; + bias-disable; }; }; ext_mclk_tlmm_lines_sus: mclk_lines_off { @@ -653,7 +653,7 @@ pins = "gpio112", "gpio117", "gpio118", "gpio119"; drive-strength = <8>; - bias-pull-none; + bias-disable; }; }; ext_sec_tlmm_lines_sus: tlmm_lines_off { From ed03eb0021b73fc7f4067da3cb71d625bbd75967 Mon Sep 17 00:00:00 2001 From: Alim Akhtar Date: Sun, 5 Jul 2020 12:39:17 +0530 Subject: [PATCH 209/386] arm64: dts: exynos: Fix silent hang after boot on Espresso [ Upstream commit b072714bfc0e42c984b8fd6e069f3ca17de8137a ] Once regulators are disabled after kernel boot, on Espresso board silent hang observed because of LDO7 being disabled. LDO7 actually provide power to CPU cores and non-cpu blocks circuitries. Keep this regulator always-on to fix this hang. Fixes: 9589f7721e16 ("arm64: dts: Add S2MPS15 PMIC node on exynos7-espresso") Signed-off-by: Alim Akhtar Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin --- arch/arm64/boot/dts/exynos/exynos7-espresso.dts | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts index 4a8b1fb51243..c8824b918693 100644 --- a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts +++ b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts @@ -155,6 +155,7 @@ regulator-min-microvolt = <700000>; regulator-max-microvolt = <1150000>; regulator-enable-ramp-delay = <125>; + regulator-always-on; }; ldo8_reg: LDO8 { From 275ae397e4ef7474d45075813b4383a736443d7e Mon Sep 17 00:00:00 2001 From: Finn Thain Date: Sun, 31 May 2020 09:12:13 +1000 Subject: [PATCH 210/386] m68k: mac: Don't send IOP message until channel is idle [ Upstream commit aeb445bf2194d83e12e85bf5c65baaf1f093bd8f ] In the following sequence of calls, iop_do_send() gets called when the "send" channel is not in the IOP_MSG_IDLE state: iop_ism_irq() iop_handle_send() (msg->handler)() iop_send_message() iop_do_send() Avoid this by testing the channel state before calling iop_do_send(). When sending, and iop_send_queue is empty, call iop_do_send() because the channel is idle. If iop_send_queue is not empty, iop_do_send() will get called later by iop_handle_send(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Finn Thain Tested-by: Stan Johnson Cc: Joshua Thompson Link: https://lore.kernel.org/r/6d667c39e53865661fa5a48f16829d18ed8abe54.1590880333.git.fthain@telegraphics.com.au Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin --- arch/m68k/mac/iop.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c index 4c1e606e7d03..fb61af5ac4ab 100644 --- a/arch/m68k/mac/iop.c +++ b/arch/m68k/mac/iop.c @@ -416,7 +416,8 @@ static void iop_handle_send(uint iop_num, uint chan) msg->status = IOP_MSGSTATUS_UNUSED; msg = msg->next; iop_send_queue[iop_num][chan] = msg; - if (msg) iop_do_send(msg); + if (msg && iop_readb(iop, IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) + iop_do_send(msg); } /* @@ -490,16 +491,12 @@ int iop_send_message(uint iop_num, uint chan, void *privdata, if (!(q = iop_send_queue[iop_num][chan])) { iop_send_queue[iop_num][chan] = msg; + iop_do_send(msg); } else { while (q->next) q = q->next; q->next = msg; } - if (iop_readb(iop_base[iop_num], - IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) { - iop_do_send(msg); - } - return 0; } From 06681b8e26c6f03bc7869ac1aedda08ac525f6e3 Mon Sep 17 00:00:00 2001 From: Finn Thain Date: Sun, 31 May 2020 09:12:13 +1000 Subject: [PATCH 211/386] m68k: mac: Fix IOP status/control register writes [ Upstream commit 931fc82a6aaf4e2e4a5490addaa6a090d78c24a7 ] When writing values to the IOP status/control register make sure those values do not have any extraneous bits that will clear interrupt flags. To place the SCC IOP into bypass mode would be desirable but this is not achieved by writing IOP_DMAINACTIVE | IOP_RUN | IOP_AUTOINC | IOP_BYPASS to the control register. Drop this ineffective register write. Remove the flawed and unused iop_bypass() function. Make use of the unused iop_stop() function. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Finn Thain Tested-by: Stan Johnson Cc: Joshua Thompson Link: https://lore.kernel.org/r/09bcb7359a1719a18b551ee515da3c4c3cf709e6.1590880333.git.fthain@telegraphics.com.au Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin --- arch/m68k/mac/iop.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c index fb61af5ac4ab..0b94f6672c5f 100644 --- a/arch/m68k/mac/iop.c +++ b/arch/m68k/mac/iop.c @@ -183,7 +183,7 @@ static __inline__ void iop_writeb(volatile struct mac_iop *iop, __u16 addr, __u8 static __inline__ void iop_stop(volatile struct mac_iop *iop) { - iop->status_ctrl &= ~IOP_RUN; + iop->status_ctrl = IOP_AUTOINC; } static __inline__ void iop_start(volatile struct mac_iop *iop) @@ -191,14 +191,9 @@ static __inline__ void iop_start(volatile struct mac_iop *iop) iop->status_ctrl = IOP_RUN | IOP_AUTOINC; } -static __inline__ void iop_bypass(volatile struct mac_iop *iop) -{ - iop->status_ctrl |= IOP_BYPASS; -} - static __inline__ void iop_interrupt(volatile struct mac_iop *iop) { - iop->status_ctrl |= IOP_IRQ; + iop->status_ctrl = IOP_IRQ | IOP_RUN | IOP_AUTOINC; } static int iop_alive(volatile struct mac_iop *iop) @@ -244,7 +239,6 @@ void __init iop_preinit(void) } else { iop_base[IOP_NUM_SCC] = (struct mac_iop *) SCC_IOP_BASE_QUADRA; } - iop_base[IOP_NUM_SCC]->status_ctrl = 0x87; iop_scc_present = 1; } else { iop_base[IOP_NUM_SCC] = NULL; @@ -256,7 +250,7 @@ void __init iop_preinit(void) } else { iop_base[IOP_NUM_ISM] = (struct mac_iop *) ISM_IOP_BASE_QUADRA; } - iop_base[IOP_NUM_ISM]->status_ctrl = 0; + iop_stop(iop_base[IOP_NUM_ISM]); iop_ism_present = 1; } else { iop_base[IOP_NUM_ISM] = NULL; From 1593a21976f59d832618517b64fe68bdb65eedb6 Mon Sep 17 00:00:00 2001 From: Lu Wei Date: Fri, 10 Jul 2020 17:30:17 +0800 Subject: [PATCH 212/386] platform/x86: intel-hid: Fix return value check in check_acpi_dev() [ Upstream commit 71fbe886ce6dd0be17f20aded9c63fe58edd2806 ] In the function check_acpi_dev(), if it fails to create platform device, the return value is ERR_PTR() or NULL. Thus it must use IS_ERR_OR_NULL() to check return value. Fixes: ecc83e52b28c ("intel-hid: new hid event driver for hotkeys") Reported-by: Hulk Robot Signed-off-by: Lu Wei Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin --- drivers/platform/x86/intel-hid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/platform/x86/intel-hid.c b/drivers/platform/x86/intel-hid.c index e34fd70b67af..3add7b3f9658 100644 --- a/drivers/platform/x86/intel-hid.c +++ b/drivers/platform/x86/intel-hid.c @@ -366,7 +366,7 @@ check_acpi_dev(acpi_handle handle, u32 lvl, void *context, void **rv) return AE_OK; if (acpi_match_device_ids(dev, ids) == 0) - if (acpi_create_platform_device(dev, NULL)) + if (!IS_ERR_OR_NULL(acpi_create_platform_device(dev, NULL))) dev_info(&dev->dev, "intel-hid: created platform device\n"); From 93753a2ccedd2a5191e22eddccab56b04255f0a1 Mon Sep 17 00:00:00 2001 From: Lu Wei Date: Fri, 10 Jul 2020 17:30:18 +0800 Subject: [PATCH 213/386] platform/x86: intel-vbtn: Fix return value check in check_acpi_dev() [ Upstream commit 64dd4a5a7d214a07e3d9f40227ec30ac8ba8796e ] In the function check_acpi_dev(), if it fails to create platform device, the return value is ERR_PTR() or NULL. Thus it must use IS_ERR_OR_NULL() to check return value. Fixes: 332e081225fc ("intel-vbtn: new driver for Intel Virtual Button") Reported-by: Hulk Robot Signed-off-by: Lu Wei Signed-off-by: Andy Shevchenko Signed-off-by: Sasha Levin --- drivers/platform/x86/intel-vbtn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c index 58c5ff36523a..d7fa2b88d27a 100644 --- a/drivers/platform/x86/intel-vbtn.c +++ b/drivers/platform/x86/intel-vbtn.c @@ -178,7 +178,7 @@ check_acpi_dev(acpi_handle handle, u32 lvl, void *context, void **rv) return AE_OK; if (acpi_match_device_ids(dev, ids) == 0) - if (acpi_create_platform_device(dev, NULL)) + if (!IS_ERR_OR_NULL(acpi_create_platform_device(dev, NULL))) dev_info(&dev->dev, "intel-vbtn: created platform device\n"); From ce5a8ad3ad9ecab4544f8352d5a7953321a6ec7e Mon Sep 17 00:00:00 2001 From: yu kuai Date: Thu, 4 Jun 2020 20:33:01 +0800 Subject: [PATCH 214/386] ARM: at91: pm: add missing put_device() call in at91_pm_sram_init() [ Upstream commit f87a4f022c44e5b87e842a9f3e644fba87e8385f ] if of_find_device_by_node() succeed, at91_pm_sram_init() doesn't have a corresponding put_device(). Thus add a jump target to fix the exception handling for this function implementation. Fixes: d2e467905596 ("ARM: at91: pm: use the mmio-sram pool to access SRAM") Signed-off-by: yu kuai Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20200604123301.3905837-1-yukuai3@huawei.com Signed-off-by: Sasha Levin --- arch/arm/mach-at91/pm.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c index 849014c01cf4..bebaa0b0aef4 100644 --- a/arch/arm/mach-at91/pm.c +++ b/arch/arm/mach-at91/pm.c @@ -456,13 +456,13 @@ static void __init at91_pm_sram_init(void) sram_pool = gen_pool_get(&pdev->dev, NULL); if (!sram_pool) { pr_warn("%s: sram pool unavailable!\n", __func__); - return; + goto out_put_device; } sram_base = gen_pool_alloc(sram_pool, at91_pm_suspend_in_sram_sz); if (!sram_base) { pr_warn("%s: unable to alloc sram!\n", __func__); - return; + goto out_put_device; } sram_pbase = gen_pool_virt_to_phys(sram_pool, sram_base); @@ -470,12 +470,17 @@ static void __init at91_pm_sram_init(void) at91_pm_suspend_in_sram_sz, false); if (!at91_suspend_sram_fn) { pr_warn("SRAM: Could not map\n"); - return; + goto out_put_device; } /* Copy the pm suspend handler to SRAM */ at91_suspend_sram_fn = fncpy(at91_suspend_sram_fn, &at91_pm_suspend_in_sram, at91_pm_suspend_in_sram_sz); + return; + +out_put_device: + put_device(&pdev->dev); + return; } static void __init at91_pm_backup_init(void) From f6f0a1ae40359e01a756065fe3046d3e5fff4e92 Mon Sep 17 00:00:00 2001 From: Dilip Kota Date: Fri, 17 Jul 2020 14:27:50 +0800 Subject: [PATCH 215/386] spi: lantiq: fix: Rx overflow error in full duplex mode [ Upstream commit 661ccf2b3f1360be50242726f7c26ced6a9e7d52 ] In full duplex mode, rx overflow error is observed. To overcome the error, wait until the complete data got received and proceed further. Fixes: 17f84b793c01 ("spi: lantiq-ssc: add support for Lantiq SSC SPI controller") Signed-off-by: Dilip Kota Link: https://lore.kernel.org/r/efb650b0faa49a00788c4e0ca8ef7196bdba851d.1594957019.git.eswara.kota@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin --- drivers/spi/spi-lantiq-ssc.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/spi/spi-lantiq-ssc.c b/drivers/spi/spi-lantiq-ssc.c index d5976615d924..dc740b5f720b 100644 --- a/drivers/spi/spi-lantiq-ssc.c +++ b/drivers/spi/spi-lantiq-ssc.c @@ -187,6 +187,7 @@ struct lantiq_ssc_spi { unsigned int tx_fifo_size; unsigned int rx_fifo_size; unsigned int base_cs; + unsigned int fdx_tx_level; }; static u32 lantiq_ssc_readl(const struct lantiq_ssc_spi *spi, u32 reg) @@ -484,6 +485,7 @@ static void tx_fifo_write(struct lantiq_ssc_spi *spi) u32 data; unsigned int tx_free = tx_fifo_free(spi); + spi->fdx_tx_level = 0; while (spi->tx_todo && tx_free) { switch (spi->bits_per_word) { case 2 ... 8: @@ -512,6 +514,7 @@ static void tx_fifo_write(struct lantiq_ssc_spi *spi) lantiq_ssc_writel(spi, data, LTQ_SPI_TB); tx_free--; + spi->fdx_tx_level++; } } @@ -523,6 +526,13 @@ static void rx_fifo_read_full_duplex(struct lantiq_ssc_spi *spi) u32 data; unsigned int rx_fill = rx_fifo_level(spi); + /* + * Wait until all expected data to be shifted in. + * Otherwise, rx overrun may occur. + */ + while (rx_fill != spi->fdx_tx_level) + rx_fill = rx_fifo_level(spi); + while (rx_fill) { data = lantiq_ssc_readl(spi, LTQ_SPI_RB); From 02f10f560590a8140df0a0a572afff3c9766e8fd Mon Sep 17 00:00:00 2001 From: Yu Kuai Date: Tue, 21 Jul 2020 21:45:51 +0800 Subject: [PATCH 216/386] ARM: socfpga: PM: add missing put_device() call in socfpga_setup_ocram_self_refresh() [ Upstream commit 3ad7b4e8f89d6bcc9887ca701cf2745a6aedb1a0 ] if of_find_device_by_node() succeed, socfpga_setup_ocram_self_refresh doesn't have a corresponding put_device(). Thus add a jump target to fix the exception handling for this function implementation. Fixes: 44fd8c7d4005 ("ARM: socfpga: support suspend to ram") Signed-off-by: Yu Kuai Signed-off-by: Dinh Nguyen Signed-off-by: Sasha Levin --- arch/arm/mach-socfpga/pm.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/arch/arm/mach-socfpga/pm.c b/arch/arm/mach-socfpga/pm.c index c378ab0c2431..93f2245c9775 100644 --- a/arch/arm/mach-socfpga/pm.c +++ b/arch/arm/mach-socfpga/pm.c @@ -60,14 +60,14 @@ static int socfpga_setup_ocram_self_refresh(void) if (!ocram_pool) { pr_warn("%s: ocram pool unavailable!\n", __func__); ret = -ENODEV; - goto put_node; + goto put_device; } ocram_base = gen_pool_alloc(ocram_pool, socfpga_sdram_self_refresh_sz); if (!ocram_base) { pr_warn("%s: unable to alloc ocram!\n", __func__); ret = -ENOMEM; - goto put_node; + goto put_device; } ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base); @@ -78,7 +78,7 @@ static int socfpga_setup_ocram_self_refresh(void) if (!suspend_ocram_base) { pr_warn("%s: __arm_ioremap_exec failed!\n", __func__); ret = -ENOMEM; - goto put_node; + goto put_device; } /* Copy the code that puts DDR in self refresh to ocram */ @@ -92,6 +92,8 @@ static int socfpga_setup_ocram_self_refresh(void) if (!socfpga_sdram_self_refresh_in_ocram) ret = -EFAULT; +put_device: + put_device(&pdev->dev); put_node: of_node_put(np); From 6fa182ef2356ebc0f331d724bf5b84a0a22bbb9a Mon Sep 17 00:00:00 2001 From: Tomi Valkeinen Date: Wed, 29 Apr 2020 13:42:32 +0300 Subject: [PATCH 217/386] drm/tilcdc: fix leak & null ref in panel_connector_get_modes [ Upstream commit 3f9c1c872cc97875ddc8d63bc9fe6ee13652b933 ] If videomode_from_timings() returns true, the mode allocated with drm_mode_create will be leaked. Also, the return value of drm_mode_create() is never checked, and thus could cause NULL deref. Fix these two issues. Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20200429104234.18910-1-tomi.valkeinen@ti.com Reviewed-by: Jyri Sarha Acked-by: Sam Ravnborg Signed-off-by: Sasha Levin --- drivers/gpu/drm/tilcdc/tilcdc_panel.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/tilcdc/tilcdc_panel.c b/drivers/gpu/drm/tilcdc/tilcdc_panel.c index 1813a3623ce6..0484b2cf0e2b 100644 --- a/drivers/gpu/drm/tilcdc/tilcdc_panel.c +++ b/drivers/gpu/drm/tilcdc/tilcdc_panel.c @@ -152,12 +152,16 @@ static int panel_connector_get_modes(struct drm_connector *connector) int i; for (i = 0; i < timings->num_timings; i++) { - struct drm_display_mode *mode = drm_mode_create(dev); + struct drm_display_mode *mode; struct videomode vm; if (videomode_from_timings(timings, &vm, i)) break; + mode = drm_mode_create(dev); + if (!mode) + break; + drm_display_mode_from_videomode(&vm, mode); mode->type = DRM_MODE_TYPE_DRIVER; From af7122cfbaeef4a854a242b43fa2fa5bb9e4eac9 Mon Sep 17 00:00:00 2001 From: Lihong Kou Date: Tue, 23 Jun 2020 20:28:41 +0800 Subject: [PATCH 218/386] Bluetooth: add a mutex lock to avoid UAF in do_enale_set [ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ] In the case we set or free the global value listen_chan in different threads, we can encounter the UAF problems because the method is not protected by any lock, add one to avoid this bug. BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730 Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868 CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events do_enable_set Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fb/0x318 lib/dump_stack.c:118 print_address_description+0x74/0x5c0 mm/kasan/report.c:374 __kasan_report+0x149/0x1c0 mm/kasan/report.c:506 kasan_report+0x26/0x50 mm/kasan/common.c:641 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730 do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 kthread+0x332/0x350 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 2870: save_stack mm/kasan/common.c:72 [inline] set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551 kmalloc include/linux/slab.h:555 [inline] kzalloc include/linux/slab.h:669 [inline] l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446 chan_create net/bluetooth/6lowpan.c:640 [inline] bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline] do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 kthread+0x332/0x350 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Freed by task 2870: save_stack mm/kasan/common.c:72 [inline] set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:337 [inline] __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 __cache_free mm/slab.c:3426 [inline] kfree+0x10d/0x220 mm/slab.c:3757 l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline] kref_put include/linux/kref.h:65 [inline] l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498 do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075 process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 kthread+0x332/0x350 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff888096950000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 0 bytes inside of 2048-byte region [ffff888096950000, ffff888096950800) The buggy address belongs to the page: page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00 raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com Signed-off-by: Lihong Kou Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin --- net/bluetooth/6lowpan.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c index 357475cceec6..9a75f9b00b51 100644 --- a/net/bluetooth/6lowpan.c +++ b/net/bluetooth/6lowpan.c @@ -57,6 +57,7 @@ static bool enable_6lowpan; /* We are listening incoming connections via this channel */ static struct l2cap_chan *listen_chan; +static DEFINE_MUTEX(set_lock); struct lowpan_peer { struct list_head list; @@ -1082,12 +1083,14 @@ static void do_enable_set(struct work_struct *work) enable_6lowpan = set_enable->flag; + mutex_lock(&set_lock); if (listen_chan) { l2cap_chan_close(listen_chan, 0); l2cap_chan_put(listen_chan); } listen_chan = bt_6lowpan_listen(); + mutex_unlock(&set_lock); kfree(set_enable); } @@ -1139,11 +1142,13 @@ static ssize_t lowpan_control_write(struct file *fp, if (ret == -EINVAL) return ret; + mutex_lock(&set_lock); if (listen_chan) { l2cap_chan_close(listen_chan, 0); l2cap_chan_put(listen_chan); listen_chan = NULL; } + mutex_unlock(&set_lock); if (conn) { struct lowpan_peer *peer; From ad372ce97bf08929af5b174d0329450de0021c32 Mon Sep 17 00:00:00 2001 From: "Paul E. McKenney" Date: Fri, 8 May 2020 14:15:37 -0700 Subject: [PATCH 219/386] fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls [ Upstream commit 9f47eb5461aaeb6cb8696f9d11503ae90e4d5cb0 ] Very large I/Os can cause the following RCU CPU stall warning: RIP: 0010:rb_prev+0x8/0x50 Code: 49 89 c0 49 89 d1 48 89 c2 48 89 f8 e9 e5 fd ff ff 4c 89 48 10 c3 4c = 89 06 c3 4c 89 40 10 c3 0f 1f 00 48 8b 0f 48 39 cf 74 38 <48> 8b 47 10 48 85 c0 74 22 48 8b 50 08 48 85 d2 74 0c 48 89 d0 48 RSP: 0018:ffffc9002212bab0 EFLAGS: 00000287 ORIG_RAX: ffffffffffffff13 RAX: ffff888821f93630 RBX: ffff888821f93630 RCX: ffff888821f937e0 RDX: 0000000000000000 RSI: 0000000000102000 RDI: ffff888821f93630 RBP: 0000000000103000 R08: 000000000006c000 R09: 0000000000000238 R10: 0000000000102fff R11: ffffc9002212bac8 R12: 0000000000000001 R13: ffffffffffffffff R14: 0000000000102000 R15: ffff888821f937e0 __lookup_extent_mapping+0xa0/0x110 try_release_extent_mapping+0xdc/0x220 btrfs_releasepage+0x45/0x70 shrink_page_list+0xa39/0xb30 shrink_inactive_list+0x18f/0x3b0 shrink_lruvec+0x38e/0x6b0 shrink_node+0x14d/0x690 do_try_to_free_pages+0xc6/0x3e0 try_to_free_mem_cgroup_pages+0xe6/0x1e0 reclaim_high.constprop.73+0x87/0xc0 mem_cgroup_handle_over_high+0x66/0x150 exit_to_usermode_loop+0x82/0xd0 do_syscall_64+0xd4/0x100 entry_SYSCALL_64_after_hwframe+0x44/0xa9 On a PREEMPT=n kernel, the try_release_extent_mapping() function's "while" loop might run for a very long time on a large I/O. This commit therefore adds a cond_resched() to this loop, providing RCU any needed quiescent states. Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin --- fs/btrfs/extent_io.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 6d2bfbb63d9b..ef1fd6a09d8e 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -4323,6 +4323,8 @@ int try_release_extent_mapping(struct extent_map_tree *map, /* once for us */ free_extent_map(em); + + cond_resched(); /* Allow large-extent preemption. */ } } return try_release_extent_state(map, tree, page, mask); From dec0847921c5c9b1ad8fe9bd3fa4ef93f95860e2 Mon Sep 17 00:00:00 2001 From: Aditya Pakki Date: Sat, 13 Jun 2020 21:21:22 -0500 Subject: [PATCH 220/386] drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync [ Upstream commit 9fb10671011143d15b6b40d6d5fa9c52c57e9d63 ] On calling pm_runtime_get_sync() the reference count of the device is incremented. In case of failure, decrement the reference count before returning the error. Acked-by: Evan Quan Signed-off-by: Aditya Pakki Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin --- drivers/gpu/drm/radeon/radeon_display.c | 4 +++- drivers/gpu/drm/radeon/radeon_drv.c | 4 +++- drivers/gpu/drm/radeon/radeon_kms.c | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c index d86110cdf085..b2334349799d 100644 --- a/drivers/gpu/drm/radeon/radeon_display.c +++ b/drivers/gpu/drm/radeon/radeon_display.c @@ -627,8 +627,10 @@ radeon_crtc_set_config(struct drm_mode_set *set, dev = set->crtc->dev; ret = pm_runtime_get_sync(dev->dev); - if (ret < 0) + if (ret < 0) { + pm_runtime_put_autosuspend(dev->dev); return ret; + } ret = drm_crtc_helper_set_config(set, ctx); diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c index f6908e2f9e55..41e8abd09978 100644 --- a/drivers/gpu/drm/radeon/radeon_drv.c +++ b/drivers/gpu/drm/radeon/radeon_drv.c @@ -496,8 +496,10 @@ long radeon_drm_ioctl(struct file *filp, long ret; dev = file_priv->minor->dev; ret = pm_runtime_get_sync(dev->dev); - if (ret < 0) + if (ret < 0) { + pm_runtime_put_autosuspend(dev->dev); return ret; + } ret = drm_ioctl(filp, cmd, arg); diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c index dfee8f7d94ae..2e28cf811840 100644 --- a/drivers/gpu/drm/radeon/radeon_kms.c +++ b/drivers/gpu/drm/radeon/radeon_kms.c @@ -659,8 +659,10 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) file_priv->driver_priv = NULL; r = pm_runtime_get_sync(dev->dev); - if (r < 0) + if (r < 0) { + pm_runtime_put_autosuspend(dev->dev); return r; + } /* new gpu have virtual address space support */ if (rdev->family >= CHIP_CAYMAN) { From 471005a0e1df13e3aea6d58c7c405eb28cc0daff Mon Sep 17 00:00:00 2001 From: Evgeny Novikov Date: Tue, 30 Jun 2020 22:54:51 +0300 Subject: [PATCH 221/386] video: fbdev: neofb: fix memory leak in neo_scan_monitor() [ Upstream commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 ] neofb_probe() calls neo_scan_monitor() that can successfully allocate a memory for info->monspecs.modedb and proceed to case 0x03. There it does not free the memory and returns -1. neofb_probe() goes to label err_scan_monitor, thus, it does not free this memory through calling fb_destroy_modedb() as well. We can not go to label err_init_hw since neo_scan_monitor() can fail during memory allocation. So, the patch frees the memory directly for case 0x03. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Evgeny Novikov Cc: Jani Nikula Cc: Mike Rapoport Cc: Daniel Vetter Cc: Andrew Morton Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20200630195451.18675-1-novikov@ispras.ru Signed-off-by: Sasha Levin --- drivers/video/fbdev/neofb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/video/fbdev/neofb.c b/drivers/video/fbdev/neofb.c index 5d3a444083f7..2018e1ca33eb 100644 --- a/drivers/video/fbdev/neofb.c +++ b/drivers/video/fbdev/neofb.c @@ -1820,6 +1820,7 @@ static int neo_scan_monitor(struct fb_info *info) #else printk(KERN_ERR "neofb: Only 640x480, 800x600/480 and 1024x768 panels are currently supported\n"); + kfree(info->monspecs.modedb); return -1; #endif default: From b9b1fa1e361c29e386a02f4be0af46303fca1b60 Mon Sep 17 00:00:00 2001 From: Zhao Heming Date: Thu, 9 Jul 2020 11:29:29 +0800 Subject: [PATCH 222/386] md-cluster: fix wild pointer of unlock_all_bitmaps() [ Upstream commit 60f80d6f2d07a6d8aee485a1d1252327eeee0c81 ] reproduction steps: ``` node1 # mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda /dev/sdb node2 # mdadm -A /dev/md0 /dev/sda /dev/sdb node1 # mdadm -G /dev/md0 -b none mdadm: failed to remove clustered bitmap. node1 # mdadm -S --scan ^C <==== mdadm hung & kernel crash ``` kernel stack: ``` [ 335.230657] general protection fault: 0000 [#1] SMP NOPTI [...] [ 335.230848] Call Trace: [ 335.230873] ? unlock_all_bitmaps+0x5/0x70 [md_cluster] [ 335.230886] unlock_all_bitmaps+0x3d/0x70 [md_cluster] [ 335.230899] leave+0x10f/0x190 [md_cluster] [ 335.230932] ? md_super_wait+0x93/0xa0 [md_mod] [ 335.230947] ? leave+0x5/0x190 [md_cluster] [ 335.230973] md_cluster_stop+0x1a/0x30 [md_mod] [ 335.230999] md_bitmap_free+0x142/0x150 [md_mod] [ 335.231013] ? _cond_resched+0x15/0x40 [ 335.231025] ? mutex_lock+0xe/0x30 [ 335.231056] __md_stop+0x1c/0xa0 [md_mod] [ 335.231083] do_md_stop+0x160/0x580 [md_mod] [ 335.231119] ? 0xffffffffc05fb078 [ 335.231148] md_ioctl+0xa04/0x1930 [md_mod] [ 335.231165] ? filename_lookup+0xf2/0x190 [ 335.231179] blkdev_ioctl+0x93c/0xa10 [ 335.231205] ? _cond_resched+0x15/0x40 [ 335.231214] ? __check_object_size+0xd4/0x1a0 [ 335.231224] block_ioctl+0x39/0x40 [ 335.231243] do_vfs_ioctl+0xa0/0x680 [ 335.231253] ksys_ioctl+0x70/0x80 [ 335.231261] __x64_sys_ioctl+0x16/0x20 [ 335.231271] do_syscall_64+0x65/0x1f0 [ 335.231278] entry_SYSCALL_64_after_hwframe+0x44/0xa9 ``` Signed-off-by: Zhao Heming Signed-off-by: Song Liu Signed-off-by: Sasha Levin --- drivers/md/md-cluster.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/md/md-cluster.c b/drivers/md/md-cluster.c index 10057ac85476..035d5ec8e677 100644 --- a/drivers/md/md-cluster.c +++ b/drivers/md/md-cluster.c @@ -1423,6 +1423,7 @@ static void unlock_all_bitmaps(struct mddev *mddev) } } kfree(cinfo->other_bitmap_lockres); + cinfo->other_bitmap_lockres = NULL; } } From 970673cb2e0aaae710528babd1d2783175f4b884 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo?= Date: Mon, 1 Jun 2020 08:33:06 +0200 Subject: [PATCH 223/386] arm64: dts: hisilicon: hikey: fixes to comply with adi, adv7533 DT binding MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit bbe28fc3cbabbef781bcdf847615d52ce2e26e42 ] hi3660-hikey960.dts: Define a 'ports' node for 'adv7533: adv7533@39' and the 'adi,dsi-lanes' property to make it compliant with the adi,adv7533 DT binding. This fills the requirements to meet the binding requirements, remote endpoints are not defined. hi6220-hikey.dts: Change property name s/pd-gpio/pd-gpios, gpio properties should be plural. This is just a cosmetic change. Signed-off-by: Ricardo Cañuelo Acked-by: Laurent Pinchart Signed-off-by: Wei Xu Signed-off-by: Sasha Levin --- arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts | 11 +++++++++++ arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts b/arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts index e9f87cb61ade..8587912e1eb0 100644 --- a/arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts +++ b/arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts @@ -210,6 +210,17 @@ status = "ok"; compatible = "adi,adv7533"; reg = <0x39>; + adi,dsi-lanes = <4>; + ports { + #address-cells = <1>; + #size-cells = <0>; + port@0 { + reg = <0>; + }; + port@1 { + reg = <1>; + }; + }; }; }; diff --git a/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts b/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts index 6887cc1a743d..f78e6468b02f 100644 --- a/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts +++ b/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts @@ -513,7 +513,7 @@ reg = <0x39>; interrupt-parent = <&gpio1>; interrupts = <1 2>; - pd-gpio = <&gpio0 4 0>; + pd-gpios = <&gpio0 4 0>; adi,dsi-lanes = <4>; #sound-dai-cells = <0>; From 42479de3daeae1728b3b2d2baef218f109e37361 Mon Sep 17 00:00:00 2001 From: Aditya Pakki Date: Sat, 13 Jun 2020 20:41:56 -0500 Subject: [PATCH 224/386] drm/nouveau: fix multiple instances of reference count leaks [ Upstream commit 659fb5f154c3434c90a34586f3b7aa1c39cf6062 ] On calling pm_runtime_get_sync() the reference count of the device is incremented. In case of failure, decrement the ref count before returning the error. Signed-off-by: Aditya Pakki Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin --- drivers/gpu/drm/nouveau/nouveau_drm.c | 8 ++++++-- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +++- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c index d00524a5d7f0..fb6b1d0f7fef 100644 --- a/drivers/gpu/drm/nouveau/nouveau_drm.c +++ b/drivers/gpu/drm/nouveau/nouveau_drm.c @@ -840,8 +840,10 @@ nouveau_drm_open(struct drm_device *dev, struct drm_file *fpriv) /* need to bring up power immediately if opening device */ ret = pm_runtime_get_sync(dev->dev); - if (ret < 0 && ret != -EACCES) + if (ret < 0 && ret != -EACCES) { + pm_runtime_put_autosuspend(dev->dev); return ret; + } get_task_comm(tmpname, current); snprintf(name, sizeof(name), "%s[%d]", tmpname, pid_nr(fpriv->pid)); @@ -930,8 +932,10 @@ nouveau_drm_ioctl(struct file *file, unsigned int cmd, unsigned long arg) long ret; ret = pm_runtime_get_sync(dev->dev); - if (ret < 0 && ret != -EACCES) + if (ret < 0 && ret != -EACCES) { + pm_runtime_put_autosuspend(dev->dev); return ret; + } switch (_IOC_NR(cmd) - DRM_COMMAND_BASE) { case DRM_NOUVEAU_NVIF: diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c index 60ffb70bb908..c6149b5be073 100644 --- a/drivers/gpu/drm/nouveau/nouveau_gem.c +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c @@ -42,8 +42,10 @@ nouveau_gem_object_del(struct drm_gem_object *gem) int ret; ret = pm_runtime_get_sync(dev); - if (WARN_ON(ret < 0 && ret != -EACCES)) + if (WARN_ON(ret < 0 && ret != -EACCES)) { + pm_runtime_put_autosuspend(dev); return; + } if (gem->import_attach) drm_prime_gem_destroy(gem, nvbo->bo.sg); From cf8d94475a83bf5727aeaeae3b7338462c400ed5 Mon Sep 17 00:00:00 2001 From: Michael Tretter Date: Thu, 17 Aug 2017 12:43:07 +0200 Subject: [PATCH 225/386] drm/debugfs: fix plain echo to connector "force" attribute [ Upstream commit c704b17071c4dc571dca3af4e4151dac51de081a ] Using plain echo to set the "force" connector attribute fails with -EINVAL, because echo appends a newline to the output. Replace strcmp with sysfs_streq to also accept strings that end with a newline. v2: use sysfs_streq instead of stripping trailing whitespace Signed-off-by: Michael Tretter Reviewed-by: Jani Nikula Signed-off-by: Emil Velikov Link: https://patchwork.freedesktop.org/patch/msgid/20170817104307.17124-1-m.tretter@pengutronix.de Signed-off-by: Sasha Levin --- drivers/gpu/drm/drm_debugfs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/drm_debugfs.c b/drivers/gpu/drm/drm_debugfs.c index c1807d5754b2..454deba13ee5 100644 --- a/drivers/gpu/drm/drm_debugfs.c +++ b/drivers/gpu/drm/drm_debugfs.c @@ -250,13 +250,13 @@ static ssize_t connector_write(struct file *file, const char __user *ubuf, buf[len] = '\0'; - if (!strcmp(buf, "on")) + if (sysfs_streq(buf, "on")) connector->force = DRM_FORCE_ON; - else if (!strcmp(buf, "digital")) + else if (sysfs_streq(buf, "digital")) connector->force = DRM_FORCE_ON_DIGITAL; - else if (!strcmp(buf, "off")) + else if (sysfs_streq(buf, "off")) connector->force = DRM_FORCE_OFF; - else if (!strcmp(buf, "unspecified")) + else if (sysfs_streq(buf, "unspecified")) connector->force = DRM_FORCE_UNSPECIFIED; else return -EINVAL; From f7987153ab716d2e87dd694926c486c55313c8b3 Mon Sep 17 00:00:00 2001 From: Bartosz Golaszewski Date: Mon, 15 Jun 2020 09:44:45 +0200 Subject: [PATCH 226/386] irqchip/irq-mtk-sysirq: Replace spinlock with raw_spinlock [ Upstream commit 6eeb997ab5075e770a002c51351fa4ec2c6b5c39 ] This driver may take a regular spinlock when a raw spinlock (irq_desc->lock) is already taken which results in the following lockdep splat: ============================= [ BUG: Invalid wait context ] 5.7.0-rc7 #1 Not tainted ----------------------------- swapper/0/0 is trying to lock: ffffff800303b798 (&chip_data->lock){....}-{3:3}, at: mtk_sysirq_set_type+0x48/0xc0 other info that might help us debug this: context-{5:5} 2 locks held by swapper/0/0: #0: ffffff800302ee68 (&desc->request_mutex){....}-{4:4}, at: __setup_irq+0xc4/0x8a0 #1: ffffff800302ecf0 (&irq_desc_lock_class){....}-{2:2}, at: __setup_irq+0xe4/0x8a0 stack backtrace: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-rc7 #1 Hardware name: Pumpkin MT8516 (DT) Call trace: dump_backtrace+0x0/0x180 show_stack+0x14/0x20 dump_stack+0xd0/0x118 __lock_acquire+0x8c8/0x2270 lock_acquire+0xf8/0x470 _raw_spin_lock_irqsave+0x50/0x78 mtk_sysirq_set_type+0x48/0xc0 __irq_set_trigger+0x58/0x170 __setup_irq+0x420/0x8a0 request_threaded_irq+0xd8/0x190 timer_of_init+0x1e8/0x2c4 mtk_gpt_init+0x5c/0x1dc timer_probe+0x74/0xf4 time_init+0x14/0x44 start_kernel+0x394/0x4f0 Replace the spinlock_t with raw_spinlock_t to avoid this warning. Signed-off-by: Bartosz Golaszewski Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20200615074445.3579-1-brgl@bgdev.pl Signed-off-by: Sasha Levin --- drivers/irqchip/irq-mtk-sysirq.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/irqchip/irq-mtk-sysirq.c b/drivers/irqchip/irq-mtk-sysirq.c index 90aaf190157f..42455f31b061 100644 --- a/drivers/irqchip/irq-mtk-sysirq.c +++ b/drivers/irqchip/irq-mtk-sysirq.c @@ -23,7 +23,7 @@ #include struct mtk_sysirq_chip_data { - spinlock_t lock; + raw_spinlock_t lock; u32 nr_intpol_bases; void __iomem **intpol_bases; u32 *intpol_words; @@ -45,7 +45,7 @@ static int mtk_sysirq_set_type(struct irq_data *data, unsigned int type) reg_index = chip_data->which_word[hwirq]; offset = hwirq & 0x1f; - spin_lock_irqsave(&chip_data->lock, flags); + raw_spin_lock_irqsave(&chip_data->lock, flags); value = readl_relaxed(base + reg_index * 4); if (type == IRQ_TYPE_LEVEL_LOW || type == IRQ_TYPE_EDGE_FALLING) { if (type == IRQ_TYPE_LEVEL_LOW) @@ -61,7 +61,7 @@ static int mtk_sysirq_set_type(struct irq_data *data, unsigned int type) data = data->parent_data; ret = data->chip->irq_set_type(data, type); - spin_unlock_irqrestore(&chip_data->lock, flags); + raw_spin_unlock_irqrestore(&chip_data->lock, flags); return ret; } @@ -220,7 +220,7 @@ static int __init mtk_sysirq_of_init(struct device_node *node, ret = -ENOMEM; goto out_free_which_word; } - spin_lock_init(&chip_data->lock); + raw_spin_lock_init(&chip_data->lock); return 0; From c93552d3a243f755306683c89eae404f5ae3e210 Mon Sep 17 00:00:00 2001 From: "Paul E. McKenney" Date: Thu, 16 Apr 2020 16:46:10 -0700 Subject: [PATCH 227/386] mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls [ Upstream commit 0a3b3c253a1eb2c7fe7f34086d46660c909abeb3 ] A large process running on a heavily loaded system can encounter the following RCU CPU stall warning: rcu: INFO: rcu_sched self-detected stall on CPU rcu: 3-....: (20998 ticks this GP) idle=4ea/1/0x4000000000000002 softirq=556558/556558 fqs=5190 (t=21013 jiffies g=1005461 q=132576) NMI backtrace for cpu 3 CPU: 3 PID: 501900 Comm: aio-free-ring-w Kdump: loaded Not tainted 5.2.9-108_fbk12_rc3_3858_gb83b75af7909 #1 Hardware name: Wiwynn HoneyBadger/PantherPlus, BIOS HBM6.71 02/03/2016 Call Trace: dump_stack+0x46/0x60 nmi_cpu_backtrace.cold.3+0x13/0x50 ? lapic_can_unplug_cpu.cold.27+0x34/0x34 nmi_trigger_cpumask_backtrace+0xba/0xca rcu_dump_cpu_stacks+0x99/0xc7 rcu_sched_clock_irq.cold.87+0x1aa/0x397 ? tick_sched_do_timer+0x60/0x60 update_process_times+0x28/0x60 tick_sched_timer+0x37/0x70 __hrtimer_run_queues+0xfe/0x270 hrtimer_interrupt+0xf4/0x210 smp_apic_timer_interrupt+0x5e/0x120 apic_timer_interrupt+0xf/0x20 RIP: 0010:kmem_cache_free+0x223/0x300 Code: 88 00 00 00 0f 85 ca 00 00 00 41 8b 55 18 31 f6 f7 da 41 f6 45 0a 02 40 0f 94 c6 83 c6 05 9c 41 5e fa e8 a0 a7 01 00 41 56 9d <49> 8b 47 08 a8 03 0f 85 87 00 00 00 65 48 ff 08 e9 3d fe ff ff 65 RSP: 0018:ffffc9000e8e3da8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13 RAX: 0000000000020000 RBX: ffff88861b9de960 RCX: 0000000000000030 RDX: fffffffffffe41e8 RSI: 000060777fe3a100 RDI: 000000000001be18 RBP: ffffea00186e7780 R08: ffffffffffffffff R09: ffffffffffffffff R10: ffff88861b9dea28 R11: ffff88887ffde000 R12: ffffffff81230a1f R13: ffff888854684dc0 R14: 0000000000000206 R15: ffff8888547dbc00 ? remove_vma+0x4f/0x60 remove_vma+0x4f/0x60 exit_mmap+0xd6/0x160 mmput+0x4a/0x110 do_exit+0x278/0xae0 ? syscall_trace_enter+0x1d3/0x2b0 ? handle_mm_fault+0xaa/0x1c0 do_group_exit+0x3a/0xa0 __x64_sys_exit_group+0x14/0x20 do_syscall_64+0x42/0x100 entry_SYSCALL_64_after_hwframe+0x44/0xa9 And on a PREEMPT=n kernel, the "while (vma)" loop in exit_mmap() can run for a very long time given a large process. This commit therefore adds a cond_resched() to this loop, providing RCU any needed quiescent states. Cc: Andrew Morton Cc: Reviewed-by: Shakeel Butt Reviewed-by: Joel Fernandes (Google) Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin --- mm/mmap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mm/mmap.c b/mm/mmap.c index 8c6ed06983f9..724b7c4f1a5b 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -3065,6 +3065,7 @@ void exit_mmap(struct mm_struct *mm) if (vma->vm_flags & VM_ACCOUNT) nr_accounted += vma_pages(vma); vma = remove_vma(vma); + cond_resched(); } vm_unacct_memory(nr_accounted); } From 688c077b341e953df008ce7105df2172bcd661c4 Mon Sep 17 00:00:00 2001 From: Prasanna Kerekoppa Date: Thu, 4 Jun 2020 02:18:35 -0500 Subject: [PATCH 228/386] brcmfmac: To fix Bss Info flag definition Bug [ Upstream commit fa3266541b13f390eb35bdbc38ff4a03368be004 ] Bss info flag definition need to be fixed from 0x2 to 0x4 This flag is for rssi info received on channel. All Firmware branches defined as 0x4 and this is bug in brcmfmac. Signed-off-by: Prasanna Kerekoppa Signed-off-by: Chi-hsien Lin Signed-off-by: Wright Feng Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200604071835.3842-6-wright.feng@cypress.com Signed-off-by: Sasha Levin --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h index e0d22fedb2b4..05bd636011ec 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h @@ -30,7 +30,7 @@ #define BRCMF_ARP_OL_PEER_AUTO_REPLY 0x00000008 #define BRCMF_BSS_INFO_VERSION 109 /* curr ver of brcmf_bss_info_le struct */ -#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0002 +#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0004 #define BRCMF_STA_WME 0x00000002 /* WMM association */ #define BRCMF_STA_AUTHE 0x00000008 /* Authenticated */ From ccf28790086cd6b27e33d02f1f185572fa89c07b Mon Sep 17 00:00:00 2001 From: Wright Feng Date: Wed, 24 Jun 2020 04:16:07 -0500 Subject: [PATCH 229/386] brcmfmac: set state of hanger slot to FREE when flushing PSQ [ Upstream commit fcdd7a875def793c38d7369633af3eba6c7cf089 ] When USB or SDIO device got abnormal bus disconnection, host driver tried to clean up the skbs in PSQ and TXQ (The skb's pointer in hanger slot linked to PSQ and TSQ), so we should set the state of skb hanger slot to BRCMF_FWS_HANGER_ITEM_STATE_FREE before freeing skb. In brcmf_fws_bus_txq_cleanup it already sets BRCMF_FWS_HANGER_ITEM_STATE_FREE before freeing skb, therefore we add the same thing in brcmf_fws_psq_flush to avoid following warning message. [ 1580.012880] ------------ [ cut here ]------------ [ 1580.017550] WARNING: CPU: 3 PID: 3065 at drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49 brcmu_pkt_buf_free_skb+0x21/0x30 [brcmutil] [ 1580.184017] Call Trace: [ 1580.186514] brcmf_fws_cleanup+0x14e/0x190 [brcmfmac] [ 1580.191594] brcmf_fws_del_interface+0x70/0x90 [brcmfmac] [ 1580.197029] brcmf_proto_bcdc_del_if+0xe/0x10 [brcmfmac] [ 1580.202418] brcmf_remove_interface+0x69/0x190 [brcmfmac] [ 1580.207888] brcmf_detach+0x90/0xe0 [brcmfmac] [ 1580.212385] brcmf_usb_disconnect+0x76/0xb0 [brcmfmac] [ 1580.217557] usb_unbind_interface+0x72/0x260 [ 1580.221857] device_release_driver_internal+0x141/0x200 [ 1580.227152] device_release_driver+0x12/0x20 [ 1580.231460] bus_remove_device+0xfd/0x170 [ 1580.235504] device_del+0x1d9/0x300 [ 1580.239041] usb_disable_device+0x9e/0x270 [ 1580.243160] usb_disconnect+0x94/0x270 [ 1580.246980] hub_event+0x76d/0x13b0 [ 1580.250499] process_one_work+0x144/0x360 [ 1580.254564] worker_thread+0x4d/0x3c0 [ 1580.258247] kthread+0x109/0x140 [ 1580.261515] ? rescuer_thread+0x340/0x340 [ 1580.265543] ? kthread_park+0x60/0x60 [ 1580.269237] ? SyS_exit_group+0x14/0x20 [ 1580.273118] ret_from_fork+0x25/0x30 [ 1580.300446] ------------ [ cut here ]------------ Acked-by: Arend van Spriel Signed-off-by: Wright Feng Signed-off-by: Chi-hsien Lin Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200624091608.25154-2-wright.feng@cypress.com Signed-off-by: Sasha Levin --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c index 2370060ef980..080733128489 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c @@ -653,6 +653,7 @@ static inline int brcmf_fws_hanger_poppkt(struct brcmf_fws_hanger *h, static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q, int ifidx) { + struct brcmf_fws_hanger_item *hi; bool (*matchfn)(struct sk_buff *, void *) = NULL; struct sk_buff *skb; int prec; @@ -664,6 +665,9 @@ static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q, skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx); while (skb) { hslot = brcmf_skb_htod_tag_get_field(skb, HSLOT); + hi = &fws->hanger.items[hslot]; + WARN_ON(skb != hi->pkt); + hi->state = BRCMF_FWS_HANGER_ITEM_STATE_FREE; brcmf_fws_hanger_poppkt(&fws->hanger, hslot, &skb, true); brcmu_pkt_buf_free_skb(skb); From eaa75754757e352a5121f5dfca5fa5be5376b3cb Mon Sep 17 00:00:00 2001 From: Bolarinwa Olayemi Saheed Date: Mon, 13 Jul 2020 19:55:27 +0200 Subject: [PATCH 230/386] iwlegacy: Check the return value of pcie_capability_read_*() [ Upstream commit 9018fd7f2a73e9b290f48a56b421558fa31e8b75 ] On failure pcie_capability_read_dword() sets it's last parameter, val to 0. However, with Patch 14/14, it is possible that val is set to ~0 on failure. This would introduce a bug because (x & x) == (~0 & x). This bug can be avoided without changing the function's behaviour if the return value of pcie_capability_read_dword is checked to confirm success. Check the return value of pcie_capability_read_dword() to ensure success. Suggested-by: Bjorn Helgaas Signed-off-by: Bolarinwa Olayemi Saheed Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200713175529.29715-3-refactormyself@gmail.com Signed-off-by: Sasha Levin --- drivers/net/wireless/intel/iwlegacy/common.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c index 6e6b124f0d5e..3ca84577803c 100644 --- a/drivers/net/wireless/intel/iwlegacy/common.c +++ b/drivers/net/wireless/intel/iwlegacy/common.c @@ -4302,8 +4302,8 @@ il_apm_init(struct il_priv *il) * power savings, even without L1. */ if (il->cfg->set_l0s) { - pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl); - if (lctl & PCI_EXP_LNKCTL_ASPM_L1) { + ret = pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl); + if (!ret && (lctl & PCI_EXP_LNKCTL_ASPM_L1)) { /* L1-ASPM enabled; disable(!) L0S */ il_set_bit(il, CSR_GIO_REG, CSR_GIO_REG_VAL_L0S_ENABLED); From 47298eebd502c9b6651a23d72c80384b4de9e99f Mon Sep 17 00:00:00 2001 From: Dmitry Osipenko Date: Mon, 29 Jun 2020 06:18:41 +0300 Subject: [PATCH 231/386] gpu: host1x: debug: Fix multiple channels emitting messages simultaneously [ Upstream commit 35681862808472a0a4b9a8817ae2789c0b5b3edc ] Once channel's job is hung, it dumps the channel's state into KMSG before tearing down the offending job. If multiple channels hang at once, then they dump messages simultaneously, making the debug info unreadable, and thus, useless. This patch adds mutex which allows only one channel to emit debug messages at a time. Signed-off-by: Dmitry Osipenko Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin --- drivers/gpu/host1x/debug.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/host1x/debug.c b/drivers/gpu/host1x/debug.c index 2aae0e63214c..0b8c23c399c2 100644 --- a/drivers/gpu/host1x/debug.c +++ b/drivers/gpu/host1x/debug.c @@ -25,6 +25,8 @@ #include "debug.h" #include "channel.h" +static DEFINE_MUTEX(debug_lock); + unsigned int host1x_debug_trace_cmdbuf; static pid_t host1x_debug_force_timeout_pid; @@ -49,12 +51,14 @@ static int show_channel(struct host1x_channel *ch, void *data, bool show_fifo) struct output *o = data; mutex_lock(&ch->cdma.lock); + mutex_lock(&debug_lock); if (show_fifo) host1x_hw_show_channel_fifo(m, ch, o); host1x_hw_show_channel_cdma(m, ch, o); + mutex_unlock(&debug_lock); mutex_unlock(&ch->cdma.lock); return 0; From 7f15121bd7ef35c57558d317123aabffc501d434 Mon Sep 17 00:00:00 2001 From: Evgeny Novikov Date: Tue, 21 Jul 2020 23:15:58 +0300 Subject: [PATCH 232/386] usb: gadget: net2280: fix memory leak on probe error handling paths [ Upstream commit 2468c877da428ebfd701142c4cdfefcfb7d4c00e ] Driver does not release memory for device on error handling paths in net2280_probe() when gadget_release() is not registered yet. The patch fixes the bug like in other similar drivers. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Evgeny Novikov Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin --- drivers/usb/gadget/udc/net2280.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c index 170327f84ea1..f1ac9a49e2bf 100644 --- a/drivers/usb/gadget/udc/net2280.c +++ b/drivers/usb/gadget/udc/net2280.c @@ -3786,8 +3786,10 @@ static int net2280_probe(struct pci_dev *pdev, const struct pci_device_id *id) return 0; done: - if (dev) + if (dev) { net2280_remove(pdev); + kfree(dev); + } return retval; } From 6f4c9d91c1aa088dd73d330e752e8a121ac0c52d Mon Sep 17 00:00:00 2001 From: Sasi Kumar Date: Wed, 22 Jul 2020 13:07:42 -0400 Subject: [PATCH 233/386] bdc: Fix bug causing crash after multiple disconnects [ Upstream commit a95bdfd22076497288868c028619bc5995f5cc7f ] Multiple connects/disconnects can cause a crash on the second disconnect. The driver had a problem where it would try to send endpoint commands after it was disconnected which is not allowed by the hardware. The fix is to only allow the endpoint commands when the endpoint is connected. This will also fix issues that showed up when using configfs to create gadgets. Signed-off-by: Sasi Kumar Signed-off-by: Al Cooper Acked-by: Florian Fainelli Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin --- drivers/usb/gadget/udc/bdc/bdc_core.c | 4 ++++ drivers/usb/gadget/udc/bdc/bdc_ep.c | 16 ++++++++++------ 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c index 7a8af4b916cf..2660cc2e42a0 100644 --- a/drivers/usb/gadget/udc/bdc/bdc_core.c +++ b/drivers/usb/gadget/udc/bdc/bdc_core.c @@ -288,6 +288,7 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit) * in that case reinit is passed as 1 */ if (reinit) { + int i; /* Enable interrupts */ temp = bdc_readl(bdc->regs, BDC_BDCSC); temp |= BDC_GIE; @@ -297,6 +298,9 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit) /* Initialize SRR to 0 */ memset(bdc->srr.sr_bds, 0, NUM_SR_ENTRIES * sizeof(struct bdc_bd)); + /* clear ep flags to avoid post disconnect stops/deconfigs */ + for (i = 1; i < bdc->num_eps; ++i) + bdc->bdc_ep_array[i]->flags = 0; } else { /* One time initiaization only */ /* Enable status report function pointers */ diff --git a/drivers/usb/gadget/udc/bdc/bdc_ep.c b/drivers/usb/gadget/udc/bdc/bdc_ep.c index be9f40bc9c12..bb2d5ebd97b5 100644 --- a/drivers/usb/gadget/udc/bdc/bdc_ep.c +++ b/drivers/usb/gadget/udc/bdc/bdc_ep.c @@ -621,7 +621,6 @@ int bdc_ep_enable(struct bdc_ep *ep) } bdc_dbg_bd_list(bdc, ep); /* only for ep0: config ep is called for ep0 from connect event */ - ep->flags |= BDC_EP_ENABLED; if (ep->ep_num == 1) return ret; @@ -765,10 +764,13 @@ static int ep_dequeue(struct bdc_ep *ep, struct bdc_req *req) __func__, ep->name, start_bdi, end_bdi); dev_dbg(bdc->dev, "ep_dequeue ep=%p ep->desc=%p\n", ep, (void *)ep->usb_ep.desc); - /* Stop the ep to see where the HW is ? */ - ret = bdc_stop_ep(bdc, ep->ep_num); - /* if there is an issue with stopping ep, then no need to go further */ - if (ret) + /* if still connected, stop the ep to see where the HW is ? */ + if (!(bdc_readl(bdc->regs, BDC_USPC) & BDC_PST_MASK)) { + ret = bdc_stop_ep(bdc, ep->ep_num); + /* if there is an issue, then no need to go further */ + if (ret) + return 0; + } else return 0; /* @@ -1917,7 +1919,9 @@ static int bdc_gadget_ep_disable(struct usb_ep *_ep) __func__, ep->name, ep->flags); if (!(ep->flags & BDC_EP_ENABLED)) { - dev_warn(bdc->dev, "%s is already disabled\n", ep->name); + if (bdc->gadget.speed != USB_SPEED_UNKNOWN) + dev_warn(bdc->dev, "%s is already disabled\n", + ep->name); return 0; } spin_lock_irqsave(&bdc->lock, flags); From fd0b60b0524920c29a57df1240a62b3a208360ec Mon Sep 17 00:00:00 2001 From: Danesh Petigara Date: Wed, 22 Jul 2020 13:07:45 -0400 Subject: [PATCH 234/386] usb: bdc: Halt controller on suspend [ Upstream commit 5fc453d7de3d0c345812453823a3a56783c5f82c ] GISB bus error kernel panics have been observed during S2 transition tests on the 7271t platform. The errors are a result of the BDC interrupt handler trying to access BDC register space after the system's suspend callbacks have completed. Adding a suspend hook to the BDC driver that halts the controller before S2 entry thus preventing unwanted access to the BDC register space during this transition. Signed-off-by: Danesh Petigara Signed-off-by: Al Cooper Acked-by: Florian Fainelli Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin --- drivers/usb/gadget/udc/bdc/bdc_core.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c index 2660cc2e42a0..58ba04d858ba 100644 --- a/drivers/usb/gadget/udc/bdc/bdc_core.c +++ b/drivers/usb/gadget/udc/bdc/bdc_core.c @@ -613,9 +613,14 @@ static int bdc_remove(struct platform_device *pdev) static int bdc_suspend(struct device *dev) { struct bdc *bdc = dev_get_drvdata(dev); + int ret; - clk_disable_unprepare(bdc->clk); - return 0; + /* Halt the controller */ + ret = bdc_stop(bdc); + if (!ret) + clk_disable_unprepare(bdc->clk); + + return ret; } static int bdc_resume(struct device *dev) From 001499d15b0a8929393821d7e9ecc4a8fad8c190 Mon Sep 17 00:00:00 2001 From: Jim Cromie Date: Sun, 19 Jul 2020 17:10:47 -0600 Subject: [PATCH 235/386] dyndbg: fix a BUG_ON in ddebug_describe_flags [ Upstream commit f678ce8cc3cb2ad29df75d8824c74f36398ba871 ] ddebug_describe_flags() currently fills a caller provided string buffer, after testing its size (also passed) in a BUG_ON. Fix this by replacing them with a known-big-enough string buffer wrapped in a struct, and passing that instead. Also simplify ddebug_describe_flags() flags parameter from a struct to a member in that struct, and hoist the member deref up to the caller. This makes the function reusable (soon) where flags are unpacked. Acked-by: Signed-off-by: Jim Cromie Link: https://lore.kernel.org/r/20200719231058.1586423-8-jim.cromie@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- lib/dynamic_debug.c | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c index c7c96bc7654a..91c451e0f474 100644 --- a/lib/dynamic_debug.c +++ b/lib/dynamic_debug.c @@ -85,22 +85,22 @@ static struct { unsigned flag:8; char opt_char; } opt_array[] = { { _DPRINTK_FLAGS_NONE, '_' }, }; +struct flagsbuf { char buf[ARRAY_SIZE(opt_array)+1]; }; + /* format a string into buf[] which describes the _ddebug's flags */ -static char *ddebug_describe_flags(struct _ddebug *dp, char *buf, - size_t maxlen) +static char *ddebug_describe_flags(unsigned int flags, struct flagsbuf *fb) { - char *p = buf; + char *p = fb->buf; int i; - BUG_ON(maxlen < 6); for (i = 0; i < ARRAY_SIZE(opt_array); ++i) - if (dp->flags & opt_array[i].flag) + if (flags & opt_array[i].flag) *p++ = opt_array[i].opt_char; - if (p == buf) + if (p == fb->buf) *p++ = '_'; *p = '\0'; - return buf; + return fb->buf; } #define vpr_info(fmt, ...) \ @@ -142,7 +142,7 @@ static int ddebug_change(const struct ddebug_query *query, struct ddebug_table *dt; unsigned int newflags; unsigned int nfound = 0; - char flagbuf[10]; + struct flagsbuf fbuf; /* search for matching ddebugs */ mutex_lock(&ddebug_lock); @@ -199,8 +199,7 @@ static int ddebug_change(const struct ddebug_query *query, vpr_info("changed %s:%d [%s]%s =%s\n", trim_prefix(dp->filename), dp->lineno, dt->mod_name, dp->function, - ddebug_describe_flags(dp, flagbuf, - sizeof(flagbuf))); + ddebug_describe_flags(dp->flags, &fbuf)); } } mutex_unlock(&ddebug_lock); @@ -779,7 +778,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p) { struct ddebug_iter *iter = m->private; struct _ddebug *dp = p; - char flagsbuf[10]; + struct flagsbuf flags; vpr_info("called m=%p p=%p\n", m, p); @@ -792,7 +791,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p) seq_printf(m, "%s:%u [%s]%s =%s \"", trim_prefix(dp->filename), dp->lineno, iter->table->mod_name, dp->function, - ddebug_describe_flags(dp, flagsbuf, sizeof(flagsbuf))); + ddebug_describe_flags(dp->flags, &flags)); seq_escape(m, dp->format, "\t\r\n\""); seq_puts(m, "\"\n"); From a4b718cf04a1f8a70e0ad9f0024087cdd4722d9a Mon Sep 17 00:00:00 2001 From: Coly Li Date: Sat, 25 Jul 2020 20:00:26 +0800 Subject: [PATCH 236/386] bcache: fix super block seq numbers comparision in register_cache_set() [ Upstream commit 117f636ea695270fe492d0c0c9dfadc7a662af47 ] In register_cache_set(), c is pointer to struct cache_set, and ca is pointer to struct cache, if ca->sb.seq > c->sb.seq, it means this registering cache has up to date version and other members, the in- memory version and other members should be updated to the newer value. But current implementation makes a cache set only has a single cache device, so the above assumption works well except for a special case. The execption is when a cache device new created and both ca->sb.seq and c->sb.seq are 0, because the super block is never flushed out yet. In the location for the following if() check, 2156 if (ca->sb.seq > c->sb.seq) { 2157 c->sb.version = ca->sb.version; 2158 memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16); 2159 c->sb.flags = ca->sb.flags; 2160 c->sb.seq = ca->sb.seq; 2161 pr_debug("set version = %llu\n", c->sb.version); 2162 } c->sb.version is not initialized yet and valued 0. When ca->sb.seq is 0, the if() check will fail (because both values are 0), and the cache set version, set_uuid, flags and seq won't be updated. The above problem is hiden for current code, because the bucket size is compatible among different super block version. And the next time when running cache set again, ca->sb.seq will be larger than 0 and cache set super block version will be updated properly. But if the large bucket feature is enabled, sb->bucket_size is the low 16bits of the bucket size. For a power of 2 value, when the actual bucket size exceeds 16bit width, sb->bucket_size will always be 0. Then read_super_common() will fail because the if() check to is_power_of_2(sb->bucket_size) is false. This is how the long time hidden bug is triggered. This patch modifies the if() check to the following way, 2156 if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) { Then cache set's version, set_uuid, flags and seq will always be updated corectly including for a new created cache device. Signed-off-by: Coly Li Reviewed-by: Hannes Reinecke Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- drivers/md/bcache/super.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c index 690aeb09bbf5..32498b912ce7 100644 --- a/drivers/md/bcache/super.c +++ b/drivers/md/bcache/super.c @@ -1780,7 +1780,14 @@ found: sysfs_create_link(&c->kobj, &ca->kobj, buf)) goto err; - if (ca->sb.seq > c->sb.seq) { + /* + * A special case is both ca->sb.seq and c->sb.seq are 0, + * such condition happens on a new created cache device whose + * super block is never flushed yet. In this case c->sb.version + * and other members should be updated too, otherwise we will + * have a mistaken super block version in cache set. + */ + if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) { c->sb.version = ca->sb.version; memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16); c->sb.flags = ca->sb.flags; From 57645ea316d0c43b82ea82664f1685e072fd396e Mon Sep 17 00:00:00 2001 From: Erik Kaneda Date: Mon, 20 Jul 2020 10:31:20 -0700 Subject: [PATCH 237/386] ACPICA: Do not increment operation_region reference counts for field units [ Upstream commit 6a54ebae6d047c988a31f5ac5a64ab5cf83797a2 ] ACPICA commit e17b28cfcc31918d0db9547b6b274b09c413eb70 Object reference counts are used as a part of ACPICA's garbage collection mechanism. This mechanism keeps track of references to heap-allocated structures such as the ACPI operand objects. Recent server firmware has revealed that this reference count can overflow on large servers that declare many field units under the same operation_region. This occurs because each field unit declaration will add a reference count to the source operation_region. This change solves the reference count overflow for operation_regions objects by preventing fieldunits from incrementing their operation_region's reference count. Each operation_region's reference count will not be changed by named objects declared under the Field operator. During namespace deletion, the operation_region namespace node will be deleted and each fieldunit will be deleted without touching the deleted operation_region object. Link: https://github.com/acpica/acpica/commit/e17b28cf Signed-off-by: Erik Kaneda Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin --- drivers/acpi/acpica/exprep.c | 4 ---- drivers/acpi/acpica/utdelete.c | 6 +----- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/drivers/acpi/acpica/exprep.c b/drivers/acpi/acpica/exprep.c index 8de060664204..e23f3d54bb31 100644 --- a/drivers/acpi/acpica/exprep.c +++ b/drivers/acpi/acpica/exprep.c @@ -507,10 +507,6 @@ acpi_status acpi_ex_prep_field_value(struct acpi_create_field_info *info) (u8)access_byte_width; } } - /* An additional reference for the container */ - - acpi_ut_add_reference(obj_desc->field.region_obj); - ACPI_DEBUG_PRINT((ACPI_DB_BFIELD, "RegionField: BitOff %X, Off %X, Gran %X, Region %p\n", obj_desc->field.start_field_bit_offset, diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c index c6eb9fae70f9..61a979d0fbc5 100644 --- a/drivers/acpi/acpica/utdelete.c +++ b/drivers/acpi/acpica/utdelete.c @@ -593,11 +593,6 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) next_object = object->buffer_field.buffer_obj; break; - case ACPI_TYPE_LOCAL_REGION_FIELD: - - next_object = object->field.region_obj; - break; - case ACPI_TYPE_LOCAL_BANK_FIELD: next_object = object->bank_field.bank_obj; @@ -638,6 +633,7 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) } break; + case ACPI_TYPE_LOCAL_REGION_FIELD: case ACPI_TYPE_REGION: default: From b3ad6a3db008e4565d97da15c00ef25ee4b5b59a Mon Sep 17 00:00:00 2001 From: Qiushi Wu Date: Fri, 22 May 2020 09:34:51 +0100 Subject: [PATCH 238/386] agp/intel: Fix a memory leak on module initialisation failure [ Upstream commit b975abbd382fe442713a4c233549abb90e57c22b ] In intel_gtt_setup_scratch_page(), pointer "page" is not released if pci_dma_mapping_error() return an error, leading to a memory leak on module initialisation failure. Simply fix this issue by freeing "page" before return. Fixes: 0e87d2b06cb46 ("intel-gtt: initialize our own scratch page") Signed-off-by: Qiushi Wu Reviewed-by: Chris Wilson Signed-off-by: Chris Wilson Link: https://patchwork.freedesktop.org/patch/msgid/20200522083451.7448-1-chris@chris-wilson.co.uk Signed-off-by: Sasha Levin --- drivers/char/agp/intel-gtt.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c index 7516ba981b63..34cc853772bc 100644 --- a/drivers/char/agp/intel-gtt.c +++ b/drivers/char/agp/intel-gtt.c @@ -304,8 +304,10 @@ static int intel_gtt_setup_scratch_page(void) if (intel_private.needs_dmar) { dma_addr = pci_map_page(intel_private.pcidev, page, 0, PAGE_SIZE, PCI_DMA_BIDIRECTIONAL); - if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) + if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) { + __free_page(page); return -EINVAL; + } intel_private.scratch_page_dma = dma_addr; } else From fc894cda6fe36838008c4c3dce26fb80698391a8 Mon Sep 17 00:00:00 2001 From: Dejin Zheng Date: Thu, 23 Apr 2020 00:07:19 +0800 Subject: [PATCH 239/386] video: fbdev: sm712fb: fix an issue about iounmap for a wrong address [ Upstream commit 98bd4f72988646c35569e1e838c0ab80d06c77f6 ] the sfb->fb->screen_base is not save the value get by iounmap() when the chip id is 0x720. so iounmap() for address sfb->fb->screen_base is not right. Fixes: 1461d6672864854 ("staging: sm7xxfb: merge sm712fb with fbdev") Cc: Andy Shevchenko Cc: Sudip Mukherjee Cc: Teddy Wang Cc: Greg Kroah-Hartman Signed-off-by: Dejin Zheng Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20200422160719.27763-1-zhengdejin5@gmail.com Signed-off-by: Sasha Levin --- drivers/video/fbdev/sm712fb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c index f1dcc6766d1e..1781ca697f66 100644 --- a/drivers/video/fbdev/sm712fb.c +++ b/drivers/video/fbdev/sm712fb.c @@ -1429,6 +1429,8 @@ static int smtc_map_smem(struct smtcfb_info *sfb, static void smtc_unmap_smem(struct smtcfb_info *sfb) { if (sfb && sfb->fb->screen_base) { + if (sfb->chip_id == 0x720) + sfb->fb->screen_base -= 0x00200000; iounmap(sfb->fb->screen_base); sfb->fb->screen_base = NULL; } From 93a7e1d1fc4ba3e76ec82bc905a9fc152d73d033 Mon Sep 17 00:00:00 2001 From: Dejin Zheng Date: Fri, 24 Apr 2020 00:42:51 +0800 Subject: [PATCH 240/386] console: newport_con: fix an issue about leak related system resources [ Upstream commit fd4b8243877250c05bb24af7fea5567110c9720b ] A call of the function do_take_over_console() can fail here. The corresponding system resources were not released then. Thus add a call of iounmap() and release_mem_region() together with the check of a failure predicate. and also add release_mem_region() on device removal. Fixes: e86bb8acc0fdc ("[PATCH] VT binding: Make newport_con support binding") Suggested-by: Bartlomiej Zolnierkiewicz Signed-off-by: Dejin Zheng Reviewed-by: Andy Shevchenko Cc: Greg Kroah-Hartman cc: Thomas Gleixner Cc: Andrew Morton Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20200423164251.3349-1-zhengdejin5@gmail.com Signed-off-by: Sasha Levin --- drivers/video/console/newport_con.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/drivers/video/console/newport_con.c b/drivers/video/console/newport_con.c index 42d02a206059..d3b0850391e0 100644 --- a/drivers/video/console/newport_con.c +++ b/drivers/video/console/newport_con.c @@ -31,6 +31,8 @@ #include #include +#define NEWPORT_LEN 0x10000 + #define FONT_DATA ((unsigned char *)font_vga_8x16.data) /* borrowed from fbcon.c */ @@ -42,6 +44,7 @@ static unsigned char *font_data[MAX_NR_CONSOLES]; static struct newport_regs *npregs; +static unsigned long newport_addr; static int logo_active; static int topscan; @@ -701,7 +704,6 @@ const struct consw newport_con = { static int newport_probe(struct gio_device *dev, const struct gio_device_id *id) { - unsigned long newport_addr; int err; if (!dev->resource.start) @@ -711,7 +713,7 @@ static int newport_probe(struct gio_device *dev, return -EBUSY; /* we only support one Newport as console */ newport_addr = dev->resource.start + 0xF0000; - if (!request_mem_region(newport_addr, 0x10000, "Newport")) + if (!request_mem_region(newport_addr, NEWPORT_LEN, "Newport")) return -ENODEV; npregs = (struct newport_regs *)/* ioremap cannot fail */ @@ -719,6 +721,11 @@ static int newport_probe(struct gio_device *dev, console_lock(); err = do_take_over_console(&newport_con, 0, MAX_NR_CONSOLES - 1, 1); console_unlock(); + + if (err) { + iounmap((void *)npregs); + release_mem_region(newport_addr, NEWPORT_LEN); + } return err; } @@ -726,6 +733,7 @@ static void newport_remove(struct gio_device *dev) { give_up_console(&newport_con); iounmap((void *)npregs); + release_mem_region(newport_addr, NEWPORT_LEN); } static struct gio_device_id newport_ids[] = { From 613da0efb4aa7168ce54f0e990c068b7bc2fae28 Mon Sep 17 00:00:00 2001 From: Christophe JAILLET Date: Wed, 29 Apr 2020 10:45:05 +0200 Subject: [PATCH 241/386] video: pxafb: Fix the function used to balance a 'dma_alloc_coherent()' call [ Upstream commit 499a2c41b954518c372873202d5e7714e22010c4 ] 'dma_alloc_coherent()' must be balanced by a call to 'dma_free_coherent()' not 'dma_free_wc()'. The correct dma_free_ function is already used in the error handling path of the probe function. Fixes: 77e196752bdd ("[ARM] pxafb: allow video memory size to be configurable") Signed-off-by: Christophe JAILLET Cc: Sumit Semwal Cc: Rafael J. Wysocki Cc: Jonathan Corbet Cc: Viresh Kumar Cc: Jani Nikula cc: Mauro Carvalho Chehab Cc: Eric Miao Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20200429084505.108897-1-christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin --- drivers/video/fbdev/pxafb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/video/fbdev/pxafb.c b/drivers/video/fbdev/pxafb.c index 29f00eccdd01..08ee77d5df8b 100644 --- a/drivers/video/fbdev/pxafb.c +++ b/drivers/video/fbdev/pxafb.c @@ -2449,8 +2449,8 @@ static int pxafb_remove(struct platform_device *dev) free_pages_exact(fbi->video_mem, fbi->video_mem_size); - dma_free_wc(&dev->dev, fbi->dma_buff_size, fbi->dma_buff, - fbi->dma_buff_phys); + dma_free_coherent(&dev->dev, fbi->dma_buff_size, fbi->dma_buff, + fbi->dma_buff_phys); iounmap(fbi->mmio_base); From ce2f02ca2995159910dba37aa2eab822fde80690 Mon Sep 17 00:00:00 2001 From: Tomasz Duszynski Date: Mon, 1 Jun 2020 18:15:52 +0200 Subject: [PATCH 242/386] iio: improve IIO_CONCENTRATION channel type description [ Upstream commit df16c33a4028159d1ba8a7061c9fa950b58d1a61 ] IIO_CONCENTRATION together with INFO_RAW specifier is used for reporting raw concentrations of pollutants. Raw value should be meaningless before being properly scaled. Because of that description shouldn't mention raw value unit whatsoever. Fix this by rephrasing existing description so it follows conventions used throughout IIO ABI docs. Fixes: 8ff6b3bc94930 ("iio: chemical: Add IIO_CONCENTRATION channel type") Signed-off-by: Tomasz Duszynski Acked-by: Matt Ranostay Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin --- Documentation/ABI/testing/sysfs-bus-iio | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Documentation/ABI/testing/sysfs-bus-iio b/Documentation/ABI/testing/sysfs-bus-iio index 64e65450f483..e21e2ca3e4f9 100644 --- a/Documentation/ABI/testing/sysfs-bus-iio +++ b/Documentation/ABI/testing/sysfs-bus-iio @@ -1524,7 +1524,8 @@ What: /sys/bus/iio/devices/iio:deviceX/in_concentrationX_voc_raw KernelVersion: 4.3 Contact: linux-iio@vger.kernel.org Description: - Raw (unscaled no offset etc.) percentage reading of a substance. + Raw (unscaled no offset etc.) reading of a substance. Units + after application of scale and offset are percents. What: /sys/bus/iio/devices/iio:deviceX/in_resistance_raw What: /sys/bus/iio/devices/iio:deviceX/in_resistanceX_raw From 325dbbbefbe9cab6842cf67baf23e6521e39f6f2 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Thu, 18 Jun 2020 11:04:00 +0100 Subject: [PATCH 243/386] drm/arm: fix unintentional integer overflow on left shift [ Upstream commit 5f368ddea6fec519bdb93b5368f6a844b6ea27a6 ] Shifting the integer value 1 is evaluated using 32-bit arithmetic and then used in an expression that expects a long value leads to a potential integer overflow. Fix this by using the BIT macro to perform the shift to avoid the overflow. Addresses-Coverity: ("Unintentional integer overflow") Fixes: ad49f8602fe8 ("drm/arm: Add support for Mali Display Processors") Signed-off-by: Colin Ian King Acked-by: Liviu Dudau Signed-off-by: Liviu Dudau Link: https://patchwork.freedesktop.org/patch/msgid/20200618100400.11464-1-colin.king@canonical.com Signed-off-by: Sasha Levin --- drivers/gpu/drm/arm/malidp_planes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/arm/malidp_planes.c b/drivers/gpu/drm/arm/malidp_planes.c index 16b8b310ae5c..7072d738b072 100644 --- a/drivers/gpu/drm/arm/malidp_planes.c +++ b/drivers/gpu/drm/arm/malidp_planes.c @@ -369,7 +369,7 @@ int malidp_de_planes_init(struct drm_device *drm) const struct malidp_hw_regmap *map = &malidp->dev->map; struct malidp_plane *plane = NULL; enum drm_plane_type plane_type; - unsigned long crtcs = 1 << drm->mode_config.num_crtc; + unsigned long crtcs = BIT(drm->mode_config.num_crtc); unsigned long flags = DRM_MODE_ROTATE_0 | DRM_MODE_ROTATE_90 | DRM_MODE_ROTATE_180 | DRM_MODE_ROTATE_270 | DRM_MODE_REFLECT_X | DRM_MODE_REFLECT_Y; u32 *formats; From e361b9c851ad749dc4f5dae18c00a6070e946b38 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Tue, 5 May 2020 16:19:17 +0200 Subject: [PATCH 244/386] leds: lm355x: avoid enum conversion warning [ Upstream commit 985b1f596f9ed56f42b8c2280005f943e1434c06 ] clang points out that doing arithmetic between diffent enums is usually a mistake: drivers/leds/leds-lm355x.c:167:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion] reg_val = pdata->pin_tx2 | pdata->ntc_pin; ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~ drivers/leds/leds-lm355x.c:178:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion] reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode; ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~ In this driver, it is intentional, so add a cast to hide the false-positive warning. It appears to be the only instance of this warning at the moment. Fixes: b98d13c72592 ("leds: Add new LED driver for lm355x chips") Signed-off-by: Arnd Bergmann Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin --- drivers/leds/leds-lm355x.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/leds/leds-lm355x.c b/drivers/leds/leds-lm355x.c index 6cb94f9a2f3f..b9c60dd2b132 100644 --- a/drivers/leds/leds-lm355x.c +++ b/drivers/leds/leds-lm355x.c @@ -168,18 +168,19 @@ static int lm355x_chip_init(struct lm355x_chip_data *chip) /* input and output pins configuration */ switch (chip->type) { case CHIP_LM3554: - reg_val = pdata->pin_tx2 | pdata->ntc_pin; + reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin; ret = regmap_update_bits(chip->regmap, 0xE0, 0x28, reg_val); if (ret < 0) goto out; - reg_val = pdata->pass_mode; + reg_val = (u32)pdata->pass_mode; ret = regmap_update_bits(chip->regmap, 0xA0, 0x04, reg_val); if (ret < 0) goto out; break; case CHIP_LM3556: - reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode; + reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin | + (u32)pdata->pass_mode; ret = regmap_update_bits(chip->regmap, 0x0A, 0xC4, reg_val); if (ret < 0) goto out; From 6059d5a8c6217e843f69a38117800b9f26e0c08b Mon Sep 17 00:00:00 2001 From: Chuhong Yuan Date: Wed, 3 Jun 2020 18:41:22 +0200 Subject: [PATCH 245/386] media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities() [ Upstream commit dc7690a73017e1236202022e26a6aa133f239c8c ] preview_init_entities() does not call v4l2_ctrl_handler_free() when it fails. Add the missed function to fix it. Fixes: de1135d44f4f ("[media] omap3isp: CCDC, preview engine and resizer") Signed-off-by: Chuhong Yuan Reviewed-by: Laurent Pinchart Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/platform/omap3isp/isppreview.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/media/platform/omap3isp/isppreview.c b/drivers/media/platform/omap3isp/isppreview.c index e981eb2330f1..ac005ae4d21b 100644 --- a/drivers/media/platform/omap3isp/isppreview.c +++ b/drivers/media/platform/omap3isp/isppreview.c @@ -2290,7 +2290,7 @@ static int preview_init_entities(struct isp_prev_device *prev) me->ops = &preview_media_ops; ret = media_entity_pads_init(me, PREV_PADS_NUM, pads); if (ret < 0) - return ret; + goto error_handler_free; preview_init_formats(sd, NULL); @@ -2323,6 +2323,8 @@ error_video_out: omap3isp_video_cleanup(&prev->video_in); error_video_in: media_entity_cleanup(&prev->subdev.entity); +error_handler_free: + v4l2_ctrl_handler_free(&prev->ctrls); return ret; } From 95a6447b0a346b65bfd0e6566b69d7371afd6040 Mon Sep 17 00:00:00 2001 From: Pierre-Louis Bossart Date: Thu, 25 Jun 2020 14:12:55 -0500 Subject: [PATCH 246/386] ASoC: Intel: bxt_rt298: add missing .owner field [ Upstream commit 88cee34b776f80d2da04afb990c2a28c36799c43 ] This field is required for ASoC cards. Not setting it will result in a module->name pointer being NULL and generate problems such as cat /proc/asound/modules 0 (efault) Fixes: 76016322ec56 ('ASoC: Intel: Add Broxton-P machine driver') Reported-by: Jaroslav Kysela Suggested-by: Takashi Iwai Signed-off-by: Pierre-Louis Bossart Reviewed-by: Kai Vehmanen Link: https://lore.kernel.org/r/20200625191308.3322-5-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin --- sound/soc/intel/boards/bxt_rt298.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/soc/intel/boards/bxt_rt298.c b/sound/soc/intel/boards/bxt_rt298.c index 7843104fadcb..1b01bc318fd2 100644 --- a/sound/soc/intel/boards/bxt_rt298.c +++ b/sound/soc/intel/boards/bxt_rt298.c @@ -529,6 +529,7 @@ static int bxt_card_late_probe(struct snd_soc_card *card) /* broxton audio machine driver for SPT + RT298S */ static struct snd_soc_card broxton_rt298 = { .name = "broxton-rt298", + .owner = THIS_MODULE, .dai_link = broxton_rt298_dais, .num_links = ARRAY_SIZE(broxton_rt298_dais), .controls = broxton_controls, @@ -544,6 +545,7 @@ static struct snd_soc_card broxton_rt298 = { static struct snd_soc_card geminilake_rt298 = { .name = "geminilake-rt298", + .owner = THIS_MODULE, .dai_link = broxton_rt298_dais, .num_links = ARRAY_SIZE(broxton_rt298_dais), .controls = broxton_controls, From 7c58f4ad2e57893f9dfbf254426ded22d4226f4a Mon Sep 17 00:00:00 2001 From: Christophe JAILLET Date: Thu, 25 Jun 2020 22:47:30 +0200 Subject: [PATCH 247/386] scsi: cumana_2: Fix different dev_id between request_irq() and free_irq() [ Upstream commit 040ab9c4fd0070cd5fa71ba3a7b95b8470db9b4d ] The dev_id used in request_irq() and free_irq() should match. Use 'info' in both cases. Link: https://lore.kernel.org/r/20200625204730.943520-1-christophe.jaillet@wanadoo.fr Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Acked-by: Russell King Signed-off-by: Christophe JAILLET Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin --- drivers/scsi/arm/cumana_2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/arm/cumana_2.c b/drivers/scsi/arm/cumana_2.c index edce5f3cfdba..93ba83e3148e 100644 --- a/drivers/scsi/arm/cumana_2.c +++ b/drivers/scsi/arm/cumana_2.c @@ -454,7 +454,7 @@ static int cumanascsi2_probe(struct expansion_card *ec, if (info->info.scsi.dma != NO_DMA) free_dma(info->info.scsi.dma); - free_irq(ec->irq, host); + free_irq(ec->irq, info); out_release: fas216_release(host); From 7e5271637d74f5d0981a101e59e959d736449e28 Mon Sep 17 00:00:00 2001 From: Emil Velikov Date: Tue, 5 May 2020 17:03:29 +0100 Subject: [PATCH 248/386] drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline [ Upstream commit 7a05c3b6d24b8460b3cec436cf1d33fac43c8450 ] The helper uses the MIPI_DCS_SET_TEAR_SCANLINE, although it's currently using the generic write. This does not look right. Perhaps some platforms don't distinguish between the two writers? Cc: Robert Chiras Cc: Vinay Simha BN Cc: Jani Nikula Cc: Thierry Reding Fixes: e83950816367 ("drm/dsi: Implement set tear scanline") Signed-off-by: Emil Velikov Reviewed-by: Thierry Reding Signed-off-by: Sam Ravnborg Link: https://patchwork.freedesktop.org/patch/msgid/20200505160329.2976059-3-emil.l.velikov@gmail.com Signed-off-by: Sasha Levin --- drivers/gpu/drm/drm_mipi_dsi.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c index 4b47226b90d4..6f0de951b75d 100644 --- a/drivers/gpu/drm/drm_mipi_dsi.c +++ b/drivers/gpu/drm/drm_mipi_dsi.c @@ -1029,11 +1029,11 @@ EXPORT_SYMBOL(mipi_dsi_dcs_set_pixel_format); */ int mipi_dsi_dcs_set_tear_scanline(struct mipi_dsi_device *dsi, u16 scanline) { - u8 payload[3] = { MIPI_DCS_SET_TEAR_SCANLINE, scanline >> 8, - scanline & 0xff }; + u8 payload[2] = { scanline >> 8, scanline & 0xff }; ssize_t err; - err = mipi_dsi_generic_write(dsi, payload, sizeof(payload)); + err = mipi_dsi_dcs_write(dsi, MIPI_DCS_SET_TEAR_SCANLINE, payload, + sizeof(payload)); if (err < 0) return err; From 4d36d0a898b4d13ba36f66c897dd7e871b3cdef3 Mon Sep 17 00:00:00 2001 From: Wang Hai Date: Tue, 2 Jun 2020 20:07:33 +0800 Subject: [PATCH 249/386] cxl: Fix kobject memleak [ Upstream commit 85c5cbeba8f4fb28e6b9bfb3e467718385f78f76 ] Currently the error return path from kobject_init_and_add() is not followed by a call to kobject_put() - which means we are leaking the kobject. Fix it by adding a call to kobject_put() in the error path of kobject_init_and_add(). Fixes: b087e6190ddc ("cxl: Export optional AFU configuration record in sysfs") Reported-by: Hulk Robot Signed-off-by: Wang Hai Acked-by: Andrew Donnellan Acked-by: Frederic Barrat Link: https://lore.kernel.org/r/20200602120733.5943-1-wanghai38@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/misc/cxl/sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/cxl/sysfs.c b/drivers/misc/cxl/sysfs.c index 393a80bdb846..b0285c5d8d38 100644 --- a/drivers/misc/cxl/sysfs.c +++ b/drivers/misc/cxl/sysfs.c @@ -606,7 +606,7 @@ static struct afu_config_record *cxl_sysfs_afu_new_cr(struct cxl_afu *afu, int c rc = kobject_init_and_add(&cr->kobj, &afu_config_record_type, &afu->dev.kobj, "cr%i", cr->cr); if (rc) - goto err; + goto err1; rc = sysfs_create_bin_file(&cr->kobj, &cr->config_attr); if (rc) From da89c73f12f6c7cff0581d6a7d260d5ee6cefba8 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Wed, 24 Jun 2020 13:07:10 +0100 Subject: [PATCH 250/386] drm/radeon: fix array out-of-bounds read and write issues [ Upstream commit 7ee78aff9de13d5dccba133f4a0de5367194b243 ] There is an off-by-one bounds check on the index into arrays table->mc_reg_address and table->mc_reg_table_entry[k].mc_data[j] that can lead to reads and writes outside of arrays. Fix the bound checking off-by-one error. Addresses-Coverity: ("Out-of-bounds read/write") Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") Signed-off-by: Colin Ian King Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin --- drivers/gpu/drm/radeon/ci_dpm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c index 6e607cc7b6e5..81bc2b89222f 100644 --- a/drivers/gpu/drm/radeon/ci_dpm.c +++ b/drivers/gpu/drm/radeon/ci_dpm.c @@ -4342,7 +4342,7 @@ static int ci_set_mc_special_registers(struct radeon_device *rdev, table->mc_reg_table_entry[k].mc_data[j] |= 0x100; } j++; - if (j > SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE) + if (j >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE) return -EINVAL; if (!pi->mem_gddr5) { From e050ad8f5316c961033276b4b76c31dc4cd90183 Mon Sep 17 00:00:00 2001 From: Christophe JAILLET Date: Fri, 26 Jun 2020 05:59:48 +0200 Subject: [PATCH 251/386] scsi: powertec: Fix different dev_id between request_irq() and free_irq() [ Upstream commit d179f7c763241c1dc5077fca88ddc3c47d21b763 ] The dev_id used in request_irq() and free_irq() should match. Use 'info' in both cases. Link: https://lore.kernel.org/r/20200626035948.944148-1-christophe.jaillet@wanadoo.fr Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Christophe JAILLET Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin --- drivers/scsi/arm/powertec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/arm/powertec.c b/drivers/scsi/arm/powertec.c index 79aa88911b7f..b5e4a25ea1ef 100644 --- a/drivers/scsi/arm/powertec.c +++ b/drivers/scsi/arm/powertec.c @@ -382,7 +382,7 @@ static int powertecscsi_probe(struct expansion_card *ec, if (info->info.scsi.dma != NO_DMA) free_dma(info->info.scsi.dma); - free_irq(ec->irq, host); + free_irq(ec->irq, info); out_release: fas216_release(host); From c0658ced3cec83be3c4d745ddc2e4d38d450573f Mon Sep 17 00:00:00 2001 From: Christophe JAILLET Date: Fri, 26 Jun 2020 06:05:53 +0200 Subject: [PATCH 252/386] scsi: eesox: Fix different dev_id between request_irq() and free_irq() [ Upstream commit 86f2da1112ccf744ad9068b1d5d9843faf8ddee6 ] The dev_id used in request_irq() and free_irq() should match. Use 'info' in both cases. Link: https://lore.kernel.org/r/20200626040553.944352-1-christophe.jaillet@wanadoo.fr Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Christophe JAILLET Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin --- drivers/scsi/arm/eesox.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/arm/eesox.c b/drivers/scsi/arm/eesox.c index e93e047f4316..65bb34ce93b9 100644 --- a/drivers/scsi/arm/eesox.c +++ b/drivers/scsi/arm/eesox.c @@ -575,7 +575,7 @@ static int eesoxscsi_probe(struct expansion_card *ec, const struct ecard_id *id) if (info->info.scsi.dma != NO_DMA) free_dma(info->info.scsi.dma); - free_irq(ec->irq, host); + free_irq(ec->irq, info); out_remove: fas216_remove(host); From ff9e162946e1b8051ffe357994d382077d909b2e Mon Sep 17 00:00:00 2001 From: Julian Anastasov Date: Wed, 1 Jul 2020 18:17:19 +0300 Subject: [PATCH 253/386] ipvs: allow connection reuse for unconfirmed conntrack MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit f0a5e4d7a594e0fe237d3dfafb069bb82f80f42f ] YangYuxi is reporting that connection reuse is causing one-second delay when SYN hits existing connection in TIME_WAIT state. Such delay was added to give time to expire both the IPVS connection and the corresponding conntrack. This was considered a rare case at that time but it is causing problem for some environments such as Kubernetes. As nf_conntrack_tcp_packet() can decide to release the conntrack in TIME_WAIT state and to replace it with a fresh NEW conntrack, we can use this to allow rescheduling just by tuning our check: if the conntrack is confirmed we can not schedule it to different real server and the one-second delay still applies but if new conntrack was created, we are free to select new real server without any delays. YangYuxi lists some of the problem reports: - One second connection delay in masquerading mode: https://marc.info/?t=151683118100004&r=1&w=2 - IPVS low throughput #70747 https://github.com/kubernetes/kubernetes/issues/70747 - Apache Bench can fill up ipvs service proxy in seconds #544 https://github.com/cloudnativelabs/kube-router/issues/544 - Additional 1s latency in `host -> service IP -> pod` https://github.com/kubernetes/kubernetes/issues/90854 Fixes: f719e3754ee2 ("ipvs: drop first packet to redirect conntrack") Co-developed-by: YangYuxi Signed-off-by: YangYuxi Signed-off-by: Julian Anastasov Reviewed-by: Simon Horman Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- include/net/ip_vs.h | 10 ++++------ net/netfilter/ipvs/ip_vs_core.c | 12 +++++++----- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h index f4e5ac8aa366..1fb79c78e200 100644 --- a/include/net/ip_vs.h +++ b/include/net/ip_vs.h @@ -1607,18 +1607,16 @@ static inline void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp) } #endif /* CONFIG_IP_VS_NFCT */ -/* Really using conntrack? */ -static inline bool ip_vs_conn_uses_conntrack(struct ip_vs_conn *cp, - struct sk_buff *skb) +/* Using old conntrack that can not be redirected to another real server? */ +static inline bool ip_vs_conn_uses_old_conntrack(struct ip_vs_conn *cp, + struct sk_buff *skb) { #ifdef CONFIG_IP_VS_NFCT enum ip_conntrack_info ctinfo; struct nf_conn *ct; - if (!(cp->flags & IP_VS_CONN_F_NFCT)) - return false; ct = nf_ct_get(skb, &ctinfo); - if (ct) + if (ct && nf_ct_is_confirmed(ct)) return true; #endif return false; diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index 2156571455db..a95fe5fe9f04 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -1916,14 +1916,14 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int conn_reuse_mode = sysctl_conn_reuse_mode(ipvs); if (conn_reuse_mode && !iph.fragoffs && is_new_conn(skb, &iph) && cp) { - bool uses_ct = false, resched = false; + bool old_ct = false, resched = false; if (unlikely(sysctl_expire_nodest_conn(ipvs)) && cp->dest && unlikely(!atomic_read(&cp->dest->weight))) { resched = true; - uses_ct = ip_vs_conn_uses_conntrack(cp, skb); + old_ct = ip_vs_conn_uses_old_conntrack(cp, skb); } else if (is_new_conn_expected(cp, conn_reuse_mode)) { - uses_ct = ip_vs_conn_uses_conntrack(cp, skb); + old_ct = ip_vs_conn_uses_old_conntrack(cp, skb); if (!atomic_read(&cp->n_control)) { resched = true; } else { @@ -1931,15 +1931,17 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int * that uses conntrack while it is still * referenced by controlled connection(s). */ - resched = !uses_ct; + resched = !old_ct; } } if (resched) { + if (!old_ct) + cp->flags &= ~IP_VS_CONN_F_NFCT; if (!atomic_read(&cp->n_control)) ip_vs_conn_expire_now(cp); __ip_vs_conn_put(cp); - if (uses_ct) + if (old_ct) return NF_DROP; cp = NULL; } From faff4562a4f6b1ded4fee75abeb52c6a23d8cfc8 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 8 May 2020 16:40:22 +0200 Subject: [PATCH 254/386] media: firewire: Using uninitialized values in node_probe() [ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ] If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So then the "strlen(model_names[i]) <= name_len" is true because strlen() is unsigned and -ENOENT is type promoted to a very high positive value. Then the "strncmp(name, model_names[i], name_len)" uses uninitialized data because "name" is uninitialized. Fixes: 92374e886c75 ("[media] firedtv: drop obsolete backend abstraction") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/firewire/firedtv-fw.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c index 247f0e7cb5f7..5d634706a7ea 100644 --- a/drivers/media/firewire/firedtv-fw.c +++ b/drivers/media/firewire/firedtv-fw.c @@ -271,6 +271,8 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id) name_len = fw_csr_string(unit->directory, CSR_MODEL, name, sizeof(name)); + if (name_len < 0) + return name_len; for (i = ARRAY_SIZE(model_names); --i; ) if (strlen(model_names[i]) <= name_len && strncmp(name, model_names[i], name_len) == 0) From 2d74cda0cdbc4f75e10a084643bcb31b02ea583b Mon Sep 17 00:00:00 2001 From: Chuhong Yuan Date: Thu, 28 May 2020 08:41:47 +0200 Subject: [PATCH 255/386] media: exynos4-is: Add missed check for pinctrl_lookup_state() [ Upstream commit 18ffec750578f7447c288647d7282c7d12b1d969 ] fimc_md_get_pinctrl() misses a check for pinctrl_lookup_state(). Add the missed check to fix it. Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration]") Signed-off-by: Chuhong Yuan Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/platform/exynos4-is/media-dev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c index b2eb830c0360..f772c9b92d9b 100644 --- a/drivers/media/platform/exynos4-is/media-dev.c +++ b/drivers/media/platform/exynos4-is/media-dev.c @@ -1258,6 +1258,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd) pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl, PINCTRL_STATE_IDLE); + if (IS_ERR(pctl->state_idle)) + return PTR_ERR(pctl->state_idle); + return 0; } From c37f37c5b1b6c6fb6d4ac59b97f7316e3cd04c94 Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" Date: Mon, 29 Jun 2020 14:47:18 -0700 Subject: [PATCH 256/386] xfs: fix reflink quota reservation accounting error [ Upstream commit 83895227aba1ade33e81f586aa7b6b1e143096a5 ] Quota reservations are supposed to account for the blocks that might be allocated due to a bmap btree split. Reflink doesn't do this, so fix this to make the quota accounting more accurate before we start rearranging things. Fixes: 862bb360ef56 ("xfs: reflink extents from one file to another") Signed-off-by: Darrick J. Wong Reviewed-by: Brian Foster Signed-off-by: Sasha Levin --- fs/xfs/xfs_reflink.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c index db7f9fdd20a3..4d37f1b59436 100644 --- a/fs/xfs/xfs_reflink.c +++ b/fs/xfs/xfs_reflink.c @@ -1076,6 +1076,7 @@ xfs_reflink_remap_extent( xfs_filblks_t rlen; xfs_filblks_t unmap_len; xfs_off_t newlen; + int64_t qres; int error; unmap_len = irec->br_startoff + irec->br_blockcount - destoff; @@ -1098,13 +1099,19 @@ xfs_reflink_remap_extent( xfs_ilock(ip, XFS_ILOCK_EXCL); xfs_trans_ijoin(tp, ip, 0); - /* If we're not just clearing space, then do we have enough quota? */ - if (real_extent) { - error = xfs_trans_reserve_quota_nblks(tp, ip, - irec->br_blockcount, 0, XFS_QMOPT_RES_REGBLKS); - if (error) - goto out_cancel; - } + /* + * Reserve quota for this operation. We don't know if the first unmap + * in the dest file will cause a bmap btree split, so we always reserve + * at least enough blocks for that split. If the extent being mapped + * in is written, we need to reserve quota for that too. + */ + qres = XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK); + if (real_extent) + qres += irec->br_blockcount; + error = xfs_trans_reserve_quota_nblks(tp, ip, qres, 0, + XFS_QMOPT_RES_REGBLKS); + if (error) + goto out_cancel; trace_xfs_reflink_remap(ip, irec->br_startoff, irec->br_blockcount, irec->br_startblock); From 7751804f04f3784b59b4812a06458efddd730659 Mon Sep 17 00:00:00 2001 From: Bjorn Helgaas Date: Thu, 25 Jun 2020 18:14:55 -0500 Subject: [PATCH 257/386] PCI: Fix pci_cfg_wait queue locking problem [ Upstream commit 2a7e32d0547f41c5ce244f84cf5d6ca7fccee7eb ] The pci_cfg_wait queue is used to prevent user-space config accesses to devices while they are recovering from reset. Previously we used these operations on pci_cfg_wait: __add_wait_queue(&pci_cfg_wait, ...) __remove_wait_queue(&pci_cfg_wait, ...) wake_up_all(&pci_cfg_wait) The wake_up acquires the wait queue lock, but the add and remove do not. Originally these were all protected by the pci_lock, but cdcb33f98244 ("PCI: Avoid possible deadlock on pci_lock and p->pi_lock"), moved wake_up_all() outside pci_lock, so it could race with add/remove operations, which caused occasional kernel panics, e.g., during vfio-pci hotplug/unplug testing: Unable to handle kernel read from unreadable memory at virtual address ffff802dac469000 Resolve this by using wait_event() instead of __add_wait_queue() and __remove_wait_queue(). The wait queue lock is held by both wait_event() and wake_up_all(), so it provides mutual exclusion. Fixes: cdcb33f98244 ("PCI: Avoid possible deadlock on pci_lock and p->pi_lock") Link: https://lore.kernel.org/linux-pci/79827f2f-9b43-4411-1376-b9063b67aee3@huawei.com/T/#u Based-on: https://lore.kernel.org/linux-pci/20191210031527.40136-1-zhengxiang9@huawei.com/ Based-on-patch-by: Xiang Zheng Signed-off-by: Bjorn Helgaas Tested-by: Xiang Zheng Cc: Heyi Guo Cc: Biaoxiang Ye Signed-off-by: Sasha Levin --- drivers/pci/access.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/pci/access.c b/drivers/pci/access.c index 913d6722ece9..8c585e7ca520 100644 --- a/drivers/pci/access.c +++ b/drivers/pci/access.c @@ -205,17 +205,13 @@ EXPORT_SYMBOL(pci_bus_set_ops); static DECLARE_WAIT_QUEUE_HEAD(pci_cfg_wait); static noinline void pci_wait_cfg(struct pci_dev *dev) + __must_hold(&pci_lock) { - DECLARE_WAITQUEUE(wait, current); - - __add_wait_queue(&pci_cfg_wait, &wait); do { - set_current_state(TASK_UNINTERRUPTIBLE); raw_spin_unlock_irq(&pci_lock); - schedule(); + wait_event(pci_cfg_wait, !dev->block_cfg_access); raw_spin_lock_irq(&pci_lock); } while (dev->block_cfg_access); - __remove_wait_queue(&pci_cfg_wait, &wait); } /* Returns 0 on success, negative values indicate error. */ From a14ab85a26751b93d9b0597600e0895488a75730 Mon Sep 17 00:00:00 2001 From: Kai-Heng Feng Date: Thu, 2 Jul 2020 13:45:00 +0800 Subject: [PATCH 258/386] leds: core: Flush scheduled work for system suspend [ Upstream commit 302a085c20194bfa7df52e0fe684ee0c41da02e6 ] Sometimes LED won't be turned off by LED_CORE_SUSPENDRESUME flag upon system suspend. led_set_brightness_nopm() uses schedule_work() to set LED brightness. However, there's no guarantee that the scheduled work gets executed because no one flushes the work. So flush the scheduled work to make sure LED gets turned off. Signed-off-by: Kai-Heng Feng Acked-by: Jacek Anaszewski Fixes: 81fe8e5b73e3 ("leds: core: Add led_set_brightness_nosleep{nopm} functions") Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin --- drivers/leds/led-class.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/leds/led-class.c b/drivers/leds/led-class.c index b0e2d55acbd6..6c7269fcfa77 100644 --- a/drivers/leds/led-class.c +++ b/drivers/leds/led-class.c @@ -173,6 +173,7 @@ void led_classdev_suspend(struct led_classdev *led_cdev) { led_cdev->flags |= LED_SUSPENDED; led_set_brightness_nopm(led_cdev, 0); + flush_work(&led_cdev->set_brightness_work); } EXPORT_SYMBOL_GPL(led_classdev_suspend); From 9b0d455389e53f264a601423b6fbc92b11a41a84 Mon Sep 17 00:00:00 2001 From: Laurent Pinchart Date: Sun, 12 Jul 2020 01:53:17 +0300 Subject: [PATCH 259/386] drm: panel: simple: Fix bpc for LG LB070WV8 panel [ Upstream commit a6ae2fe5c9f9fd355a48fb7d21c863e5b20d6c9c ] The LG LB070WV8 panel incorrectly reports a 16 bits per component value, while the panel uses 8 bits per component. Fix it. Fixes: dd0150026901 ("drm/panel: simple: Add support for LG LB070WV8 800x480 7" panel") Signed-off-by: Laurent Pinchart Signed-off-by: Sam Ravnborg Link: https://patchwork.freedesktop.org/patch/msgid/20200711225317.28476-1-laurent.pinchart+renesas@ideasonboard.com Signed-off-by: Sasha Levin --- drivers/gpu/drm/panel/panel-simple.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c index c1daed3fe842..6df312ba1826 100644 --- a/drivers/gpu/drm/panel/panel-simple.c +++ b/drivers/gpu/drm/panel/panel-simple.c @@ -1253,7 +1253,7 @@ static const struct drm_display_mode lg_lb070wv8_mode = { static const struct panel_desc lg_lb070wv8 = { .modes = &lg_lb070wv8_mode, .num_modes = 1, - .bpc = 16, + .bpc = 8, .size = { .width = 151, .height = 91, From 9bd86777b4b0700ce6ce678d893382813ee09c2f Mon Sep 17 00:00:00 2001 From: Tom Rix Date: Sun, 12 Jul 2020 08:24:53 -0700 Subject: [PATCH 260/386] drm/bridge: sil_sii8620: initialize return of sii8620_readb [ Upstream commit 02cd2d3144653e6e2a0c7ccaa73311e48e2dc686 ] clang static analysis flags this error sil-sii8620.c:184:2: warning: Undefined or garbage value returned to caller [core.uninitialized.UndefReturn] return ret; ^~~~~~~~~~ sii8620_readb calls sii8620_read_buf. sii8620_read_buf can return without setting its output pararmeter 'ret'. So initialize ret. Fixes: ce6e153f414a ("drm/bridge: add Silicon Image SiI8620 driver") Signed-off-by: Tom Rix Reviewed-by: Laurent Pinchart Reviewed-by: Andrzej Hajda Signed-off-by: Sam Ravnborg Link: https://patchwork.freedesktop.org/patch/msgid/20200712152453.27510-1-trix@redhat.com Signed-off-by: Sasha Levin --- drivers/gpu/drm/bridge/sil-sii8620.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c index 0cb69ee94ac1..b93486892f4a 100644 --- a/drivers/gpu/drm/bridge/sil-sii8620.c +++ b/drivers/gpu/drm/bridge/sil-sii8620.c @@ -167,7 +167,7 @@ static void sii8620_read_buf(struct sii8620 *ctx, u16 addr, u8 *buf, int len) static u8 sii8620_readb(struct sii8620 *ctx, u16 addr) { - u8 ret; + u8 ret = 0; sii8620_read_buf(ctx, addr, &ret, 1); return ret; From 4665a815ffe8295d687d4b3ffec0bbdd98b1731a Mon Sep 17 00:00:00 2001 From: John Garry Date: Thu, 9 Jul 2020 20:23:19 +0800 Subject: [PATCH 261/386] scsi: scsi_debug: Add check for sdebug_max_queue during module init [ Upstream commit c87bf24cfb60bce27b4d2c7e56ebfd86fb9d16bb ] sdebug_max_queue should not exceed SDEBUG_CANQUEUE, otherwise crashes like this can be triggered by passing an out-of-range value: Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019 pstate: 20400009 (nzCv daif +PAN -UAO BTYPE=--) pc : schedule_resp+0x2a4/0xa70 [scsi_debug] lr : schedule_resp+0x52c/0xa70 [scsi_debug] sp : ffff800022ab36f0 x29: ffff800022ab36f0 x28: ffff0023a935a610 x27: ffff800008e0a648 x26: 0000000000000003 x25: ffff0023e84f3200 x24: 00000000003d0900 x23: 0000000000000000 x22: 0000000000000000 x21: ffff0023be60a320 x20: ffff0023be60b538 x19: ffff800008e13000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000001 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 00000000000000c1 x5 : 0000020000200000 x4 : dead0000000000ff x3 : 0000000000000200 x2 : 0000000000000200 x1 : ffff800008e13d88 x0 : 0000000000000000 Call trace: schedule_resp+0x2a4/0xa70 [scsi_debug] scsi_debug_queuecommand+0x2c4/0x9e0 [scsi_debug] scsi_queue_rq+0x698/0x840 __blk_mq_try_issue_directly+0x108/0x228 blk_mq_request_issue_directly+0x58/0x98 blk_mq_try_issue_list_directly+0x5c/0xf0 blk_mq_sched_insert_requests+0x18c/0x200 blk_mq_flush_plug_list+0x11c/0x190 blk_flush_plug_list+0xdc/0x110 blk_finish_plug+0x38/0x210 blkdev_direct_IO+0x450/0x4d8 generic_file_read_iter+0x84/0x180 blkdev_read_iter+0x3c/0x50 aio_read+0xc0/0x170 io_submit_one+0x5c8/0xc98 __arm64_sys_io_submit+0x1b0/0x258 el0_svc_common.constprop.3+0x68/0x170 do_el0_svc+0x24/0x90 el0_sync_handler+0x13c/0x1a8 el0_sync+0x158/0x180 Code: 528847e0 72a001e0 6b00003f 540018cd (3941c340) In addition, it should not be less than 1. So add checks for these, and fail the module init for those cases. [mkp: changed if condition to match error message] Link: https://lore.kernel.org/r/1594297400-24756-2-git-send-email-john.garry@huawei.com Fixes: c483739430f1 ("scsi_debug: add multiple queue support") Reviewed-by: Ming Lei Acked-by: Douglas Gilbert Signed-off-by: John Garry Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin --- drivers/scsi/scsi_debug.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index ac936b5ca74e..aba1a3396890 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c @@ -4993,6 +4993,12 @@ static int __init scsi_debug_init(void) pr_err("submit_queues must be 1 or more\n"); return -EINVAL; } + + if ((sdebug_max_queue > SDEBUG_CANQUEUE) || (sdebug_max_queue < 1)) { + pr_err("max_queue must be in range [1, %d]\n", SDEBUG_CANQUEUE); + return -EINVAL; + } + sdebug_q_arr = kcalloc(submit_queues, sizeof(struct sdebug_queue), GFP_KERNEL); if (sdebug_q_arr == NULL) From 164d80107670adadf8a5de9ffa8e31cee5979e7f Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Wed, 8 Jul 2020 14:58:57 +0300 Subject: [PATCH 262/386] mwifiex: Prevent memory corruption handling keys [ Upstream commit e18696786548244914f36ec3c46ac99c53df99c3 ] The length of the key comes from the network and it's a 16 bit number. It needs to be capped to prevent a buffer overflow. Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") Signed-off-by: Dan Carpenter Acked-by: Ganapathi Bhat Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200708115857.GA13729@mwanda Signed-off-by: Sasha Levin --- .../wireless/marvell/mwifiex/sta_cmdresp.c | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c index 0fba5b10ef2d..19ce279df24d 100644 --- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c @@ -585,6 +585,11 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv, { struct host_cmd_ds_802_11_key_material *key = &resp->params.key_material; + int len; + + len = le16_to_cpu(key->key_param_set.key_len); + if (len > sizeof(key->key_param_set.key)) + return -EINVAL; if (le16_to_cpu(key->action) == HostCmd_ACT_GEN_SET) { if ((le16_to_cpu(key->key_param_set.key_info) & KEY_MCAST)) { @@ -598,9 +603,8 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv, memset(priv->aes_key.key_param_set.key, 0, sizeof(key->key_param_set.key)); - priv->aes_key.key_param_set.key_len = key->key_param_set.key_len; - memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, - le16_to_cpu(priv->aes_key.key_param_set.key_len)); + priv->aes_key.key_param_set.key_len = cpu_to_le16(len); + memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, len); return 0; } @@ -615,9 +619,14 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, struct host_cmd_ds_command *resp) { struct host_cmd_ds_802_11_key_material_v2 *key_v2; - __le16 len; + int len; key_v2 = &resp->params.key_material_v2; + + len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len); + if (len > WLAN_KEY_LEN_CCMP) + return -EINVAL; + if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) { if ((le16_to_cpu(key_v2->key_param_set.key_info) & KEY_MCAST)) { mwifiex_dbg(priv->adapter, INFO, "info: key: GTK is set\n"); @@ -633,10 +642,9 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0, WLAN_KEY_LEN_CCMP); priv->aes_key_v2.key_param_set.key_params.aes.key_len = - key_v2->key_param_set.key_params.aes.key_len; - len = priv->aes_key_v2.key_param_set.key_params.aes.key_len; + cpu_to_le16(len); memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key, - key_v2->key_param_set.key_params.aes.key, le16_to_cpu(len)); + key_v2->key_param_set.key_params.aes.key, len); return 0; } From 172f9611b745fbda27a46a23af4d381b96eb148f Mon Sep 17 00:00:00 2001 From: Milton Miller Date: Thu, 16 Jul 2020 09:37:04 +1000 Subject: [PATCH 263/386] powerpc/vdso: Fix vdso cpu truncation [ Upstream commit a9f675f950a07d5c1dbcbb97aabac56f5ed085e3 ] The code in vdso_cpu_init that exposes the cpu and numa node to userspace via SPRG_VDSO incorrctly masks the cpu to 12 bits. This means that any kernel running on a box with more than 4096 threads (NR_CPUS advertises a limit of of 8192 cpus) would expose userspace to two cpu contexts running at the same time with the same cpu number. Note: I'm not aware of any distro shipping a kernel with support for more than 4096 threads today, nor of any system image that currently exceeds 4096 threads. Found via code browsing. Fixes: 18ad51dd342a7eb09dbcd059d0b451b616d4dafc ("powerpc: Add VDSO version of getcpu") Signed-off-by: Milton Miller Signed-off-by: Anton Blanchard Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200715233704.1352257-1-anton@ozlabs.org Signed-off-by: Sasha Levin --- arch/powerpc/kernel/vdso.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c index 22b01a3962f0..3edaee28b638 100644 --- a/arch/powerpc/kernel/vdso.c +++ b/arch/powerpc/kernel/vdso.c @@ -704,7 +704,7 @@ int vdso_getcpu_init(void) node = cpu_to_node(cpu); WARN_ON_ONCE(node > 0xffff); - val = (cpu & 0xfff) | ((node & 0xffff) << 16); + val = (cpu & 0xffff) | ((node & 0xffff) << 16); mtspr(SPRN_SPRG_VDSO_WRITE, val); get_paca()->sprg_vdso = val; From d548f0f566fc1a3bd8efb58df66d7749476d0b3e Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Thu, 16 Jul 2020 16:47:20 +0100 Subject: [PATCH 264/386] staging: rtl8192u: fix a dubious looking mask before a shift [ Upstream commit c4283950a9a4d3bf4a3f362e406c80ab14f10714 ] Currently the masking of ret with 0xff and followed by a right shift of 8 bits always leaves a zero result. It appears the mask of 0xff is incorrect and should be 0xff00, but I don't have the hardware to test this. Fix this to mask the upper 8 bits before shifting. [ Not tested ] Addresses-Coverity: ("Operands don't affect result") Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20200716154720.1710252-1-colin.king@canonical.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/staging/rtl8192u/r8192U_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c index fbbd1b59dc11..b5941ae410d9 100644 --- a/drivers/staging/rtl8192u/r8192U_core.c +++ b/drivers/staging/rtl8192u/r8192U_core.c @@ -2519,7 +2519,7 @@ static int rtl8192_read_eeprom_info(struct net_device *dev) ret = eprom_read(dev, (EEPROM_TxPwIndex_CCK >> 1)); if (ret < 0) return ret; - priv->EEPROMTxPowerLevelCCK = ((u16)ret & 0xff) >> 8; + priv->EEPROMTxPowerLevelCCK = ((u16)ret & 0xff00) >> 8; } else priv->EEPROMTxPowerLevelCCK = 0x10; RT_TRACE(COMP_EPROM, "CCK Tx Power Levl: 0x%02x\n", priv->EEPROMTxPowerLevelCCK); From 910e33e2f62376b3cd2a1cd25e5d08d3298cc90c Mon Sep 17 00:00:00 2001 From: Xiongfeng Wang Date: Fri, 17 Jul 2020 15:59:25 +0800 Subject: [PATCH 265/386] PCI/ASPM: Add missing newline in sysfs 'policy' [ Upstream commit 3167e3d340c092fd47924bc4d23117a3074ef9a9 ] When I cat ASPM parameter 'policy' by sysfs, it displays as follows. Add a newline for easy reading. Other sysfs attributes already include a newline. [root@localhost ~]# cat /sys/module/pcie_aspm/parameters/policy [default] performance powersave powersupersave [root@localhost ~]# Fixes: 7d715a6c1ae5 ("PCI: add PCI Express ASPM support") Link: https://lore.kernel.org/r/1594972765-10404-1-git-send-email-wangxiongfeng2@huawei.com Signed-off-by: Xiongfeng Wang Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin --- drivers/pci/pcie/aspm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c index 04d5c62588b7..f41c105adfbd 100644 --- a/drivers/pci/pcie/aspm.c +++ b/drivers/pci/pcie/aspm.c @@ -1111,6 +1111,7 @@ static int pcie_aspm_get_policy(char *buffer, struct kernel_param *kp) cnt += sprintf(buffer + cnt, "[%s] ", policy_str[i]); else cnt += sprintf(buffer + cnt, "%s ", policy_str[i]); + cnt += sprintf(buffer + cnt, "\n"); return cnt; } From 7491a5bff0b9e4f1c8f24dfcab024a4dc0313c24 Mon Sep 17 00:00:00 2001 From: Marco Felsch Date: Thu, 11 Jun 2020 14:43:32 +0200 Subject: [PATCH 266/386] drm/imx: tve: fix regulator_disable error path [ Upstream commit 7bb58b987fee26da2a1665c01033022624986b7c ] Add missing regulator_disable() as devm_action to avoid dedicated unbind() callback and fix the missing error handling. Fixes: fcbc51e54d2a ("staging: drm/imx: Add support for Television Encoder (TVEv2)") Signed-off-by: Marco Felsch Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin --- drivers/gpu/drm/imx/imx-tve.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/gpu/drm/imx/imx-tve.c b/drivers/gpu/drm/imx/imx-tve.c index bc27c2699464..c22c3e6e9b7a 100644 --- a/drivers/gpu/drm/imx/imx-tve.c +++ b/drivers/gpu/drm/imx/imx-tve.c @@ -498,6 +498,13 @@ static int imx_tve_register(struct drm_device *drm, struct imx_tve *tve) return 0; } +static void imx_tve_disable_regulator(void *data) +{ + struct imx_tve *tve = data; + + regulator_disable(tve->dac_reg); +} + static bool imx_tve_readable_reg(struct device *dev, unsigned int reg) { return (reg % 4 == 0) && (reg <= 0xdc); @@ -622,6 +629,9 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data) ret = regulator_enable(tve->dac_reg); if (ret) return ret; + ret = devm_add_action_or_reset(dev, imx_tve_disable_regulator, tve); + if (ret) + return ret; } tve->clk = devm_clk_get(dev, "tve"); @@ -668,18 +678,8 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data) return 0; } -static void imx_tve_unbind(struct device *dev, struct device *master, - void *data) -{ - struct imx_tve *tve = dev_get_drvdata(dev); - - if (!IS_ERR(tve->dac_reg)) - regulator_disable(tve->dac_reg); -} - static const struct component_ops imx_tve_ops = { .bind = imx_tve_bind, - .unbind = imx_tve_unbind, }; static int imx_tve_probe(struct platform_device *pdev) From 84e7557dc2217ab10b12b0ac09fd1f95ccc395d5 Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Thu, 16 Jul 2020 10:50:55 +0200 Subject: [PATCH 267/386] USB: serial: iuu_phoenix: fix led-activity helpers [ Upstream commit de37458f8c2bfc465500a1dd0d15dbe96d2a698c ] The set-led command is eight bytes long and starts with a command byte followed by six bytes of RGB data and ends with a byte encoding a frequency (see iuu_led() and iuu_rgbf_fill_buffer()). The led activity helpers had a few long-standing bugs which corrupted the command packets by inserting a second command byte and thereby offsetting the RGB data and dropping the frequency in non-xmas mode. In xmas mode, a related off-by-one error left the frequency field uninitialised. Fixes: 60a8fc017103 ("USB: add iuu_phoenix driver") Reported-by: George Spelvin Link: https://lore.kernel.org/r/20200716085056.31471-1-johan@kernel.org Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin --- drivers/usb/serial/iuu_phoenix.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c index a1a11f8bb2a3..0c9e24b217f7 100644 --- a/drivers/usb/serial/iuu_phoenix.c +++ b/drivers/usb/serial/iuu_phoenix.c @@ -359,10 +359,11 @@ static void iuu_led_activity_on(struct urb *urb) struct usb_serial_port *port = urb->context; int result; char *buf_ptr = port->write_urb->transfer_buffer; - *buf_ptr++ = IUU_SET_LED; + if (xmas) { - get_random_bytes(buf_ptr, 6); - *(buf_ptr+7) = 1; + buf_ptr[0] = IUU_SET_LED; + get_random_bytes(buf_ptr + 1, 6); + buf_ptr[7] = 1; } else { iuu_rgbf_fill_buffer(buf_ptr, 255, 255, 0, 0, 0, 0, 255); } @@ -380,13 +381,14 @@ static void iuu_led_activity_off(struct urb *urb) struct usb_serial_port *port = urb->context; int result; char *buf_ptr = port->write_urb->transfer_buffer; + if (xmas) { iuu_rxcmd(urb); return; - } else { - *buf_ptr++ = IUU_SET_LED; - iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255); } + + iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255); + usb_fill_bulk_urb(port->write_urb, port->serial->dev, usb_sndbulkpipe(port->serial->dev, port->bulk_out_endpointAddress), From de3661a5687b209fdd2803c5c1769aca0f5d2ac6 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Tue, 16 Jun 2020 12:19:49 +0300 Subject: [PATCH 268/386] thermal: ti-soc-thermal: Fix reversed condition in ti_thermal_expose_sensor() [ Upstream commit 0f348db01fdf128813fdd659fcc339038fb421a4 ] This condition is reversed and will cause breakage. Fixes: 7440f518dad9 ("thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR") Signed-off-by: Dan Carpenter Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20200616091949.GA11940@mwanda Signed-off-by: Sasha Levin --- drivers/thermal/ti-soc-thermal/ti-thermal-common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/thermal/ti-soc-thermal/ti-thermal-common.c b/drivers/thermal/ti-soc-thermal/ti-thermal-common.c index fa98c398d70f..d43fbe4ad767 100644 --- a/drivers/thermal/ti-soc-thermal/ti-thermal-common.c +++ b/drivers/thermal/ti-soc-thermal/ti-thermal-common.c @@ -183,7 +183,7 @@ int ti_thermal_expose_sensor(struct ti_bandgap *bgp, int id, data = ti_bandgap_get_sensor_data(bgp, id); - if (!IS_ERR_OR_NULL(data)) + if (IS_ERR_OR_NULL(data)) data = ti_thermal_build_data(bgp, id); if (!data) From 93934e5d463b31e9d118c4b52aa8d1266c7f503e Mon Sep 17 00:00:00 2001 From: Sai Prakash Ranjan Date: Thu, 16 Jul 2020 11:57:42 -0600 Subject: [PATCH 269/386] coresight: tmc: Fix TMC mode read in tmc_read_unprepare_etb() [ Upstream commit d021f5c5ff679432c5e9faee0fd7350db2efb97c ] Reading TMC mode register without proper coresight power management can lead to exceptions like the one in the call trace below in tmc_read_unprepare_etb() when the trace data is read after the sink is disabled. So fix this by having a check for coresight sysfs mode before reading TMC mode management register in tmc_read_unprepare_etb() similar to tmc_read_prepare_etb(). SError Interrupt on CPU6, code 0xbe000411 -- SError pstate: 80400089 (Nzcv daIf +PAN -UAO) pc : tmc_read_unprepare_etb+0x74/0x108 lr : tmc_read_unprepare_etb+0x54/0x108 sp : ffffff80d9507c30 x29: ffffff80d9507c30 x28: ffffff80b3569a0c x27: 0000000000000000 x26: 00000000000a0001 x25: ffffff80cbae9550 x24: 0000000000000010 x23: ffffffd07296b0f0 x22: ffffffd0109ee028 x21: 0000000000000000 x20: ffffff80d19e70e0 x19: ffffff80d19e7080 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: dfffffd000000001 x9 : 0000000000000000 x8 : 0000000000000002 x7 : ffffffd071d0fe78 x6 : 0000000000000000 x5 : 0000000000000080 x4 : 0000000000000001 x3 : ffffffd071d0fe98 x2 : 0000000000000000 x1 : 0000000000000004 x0 : 0000000000000001 Kernel panic - not syncing: Asynchronous SError Interrupt Fixes: 4525412a5046 ("coresight: tmc: making prepare/unprepare functions generic") Reported-by: Mike Leach Signed-off-by: Sai Prakash Ranjan Tested-by: Mike Leach Signed-off-by: Mathieu Poirier Link: https://lore.kernel.org/r/20200716175746.3338735-14-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/hwtracing/coresight/coresight-tmc-etf.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/drivers/hwtracing/coresight/coresight-tmc-etf.c b/drivers/hwtracing/coresight/coresight-tmc-etf.c index 0a00f4e941fb..9bddbfbfbe03 100644 --- a/drivers/hwtracing/coresight/coresight-tmc-etf.c +++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c @@ -587,15 +587,14 @@ int tmc_read_unprepare_etb(struct tmc_drvdata *drvdata) spin_lock_irqsave(&drvdata->spinlock, flags); - /* There is no point in reading a TMC in HW FIFO mode */ - mode = readl_relaxed(drvdata->base + TMC_MODE); - if (mode != TMC_MODE_CIRCULAR_BUFFER) { - spin_unlock_irqrestore(&drvdata->spinlock, flags); - return -EINVAL; - } - /* Re-enable the TMC if need be */ if (drvdata->mode == CS_MODE_SYSFS) { + /* There is no point in reading a TMC in HW FIFO mode */ + mode = readl_relaxed(drvdata->base + TMC_MODE); + if (mode != TMC_MODE_CIRCULAR_BUFFER) { + spin_unlock_irqrestore(&drvdata->spinlock, flags); + return -EINVAL; + } /* * The trace run will continue with the same allocated trace * buffer. As such zero-out the buffer so that we don't end From ee5f968a2df9c3880434a8240407355278e40d4f Mon Sep 17 00:00:00 2001 From: Yu Kuai Date: Tue, 21 Jul 2020 21:47:18 +0800 Subject: [PATCH 270/386] MIPS: OCTEON: add missing put_device() call in dwc3_octeon_device_init() [ Upstream commit e8b9fc10f2615b9a525fce56981e40b489528355 ] if of_find_device_by_node() succeed, dwc3_octeon_device_init() doesn't have a corresponding put_device(). Thus add put_device() to fix the exception handling for this function implementation. Fixes: 93e502b3c2d4 ("MIPS: OCTEON: Platform support for OCTEON III USB controller") Signed-off-by: Yu Kuai Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin --- arch/mips/cavium-octeon/octeon-usb.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/arch/mips/cavium-octeon/octeon-usb.c b/arch/mips/cavium-octeon/octeon-usb.c index bfdfaf32d2c4..75189ff2f3c7 100644 --- a/arch/mips/cavium-octeon/octeon-usb.c +++ b/arch/mips/cavium-octeon/octeon-usb.c @@ -517,6 +517,7 @@ static int __init dwc3_octeon_device_init(void) res = platform_get_resource(pdev, IORESOURCE_MEM, 0); if (res == NULL) { + put_device(&pdev->dev); dev_err(&pdev->dev, "No memory resources\n"); return -ENXIO; } @@ -528,8 +529,10 @@ static int __init dwc3_octeon_device_init(void) * know the difference. */ base = devm_ioremap_resource(&pdev->dev, res); - if (IS_ERR(base)) + if (IS_ERR(base)) { + put_device(&pdev->dev); return PTR_ERR(base); + } mutex_lock(&dwc3_octeon_clocks_mutex); dwc3_octeon_clocks_start(&pdev->dev, (u64)base); From 8a8841b9f3eb1f46e3fc6d56a9b9299c53f4f86f Mon Sep 17 00:00:00 2001 From: Marek Szyprowski Date: Thu, 16 Jul 2020 14:09:48 +0200 Subject: [PATCH 271/386] usb: dwc2: Fix error path in gadget registration [ Upstream commit 33a06f1300a79cfd461cea0268f05e969d4f34ec ] When gadget registration fails, one should not call usb_del_gadget_udc(). Ensure this by setting gadget->udc to NULL. Also in case of a failure there is no need to disable low-level hardware, so return immiedetly instead of jumping to error_init label. This fixes the following kernel NULL ptr dereference on gadget failure (can be easily triggered with g_mass_storage without any module parameters): dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter besl=1 dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter g_np_tx_fifo_size=1024 dwc2 12480000.hsotg: EPs: 16, dedicated fifos, 7808 entries in SPRAM Mass Storage Function, version: 2009/09/11 LUN: removable file: (no medium) no file given for LUN0 g_mass_storage 12480000.hsotg: failed to start g_mass_storage: -22 8<--- cut here --- Unable to handle kernel NULL pointer dereference at virtual address 00000104 pgd = (ptrval) [00000104] *pgd=00000000 Internal error: Oops: 805 [#1] PREEMPT SMP ARM Modules linked in: CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.8.0-rc5 #3133 Hardware name: Samsung Exynos (Flattened Device Tree) Workqueue: events deferred_probe_work_func PC is at usb_del_gadget_udc+0x38/0xc4 LR is at __mutex_lock+0x31c/0xb18 ... Process kworker/0:1 (pid: 12, stack limit = 0x(ptrval)) Stack: (0xef121db0 to 0xef122000) ... [] (usb_del_gadget_udc) from [] (dwc2_hsotg_remove+0x10/0x20) [] (dwc2_hsotg_remove) from [] (dwc2_driver_probe+0x57c/0x69c) [] (dwc2_driver_probe) from [] (platform_drv_probe+0x6c/0xa4) [] (platform_drv_probe) from [] (really_probe+0x200/0x48c) [] (really_probe) from [] (driver_probe_device+0x78/0x1fc) [] (driver_probe_device) from [] (bus_for_each_drv+0x74/0xb8) [] (bus_for_each_drv) from [] (__device_attach+0xd4/0x16c) [] (__device_attach) from [] (bus_probe_device+0x88/0x90) [] (bus_probe_device) from [] (deferred_probe_work_func+0x3c/0xd0) [] (deferred_probe_work_func) from [] (process_one_work+0x234/0x7dc) [] (process_one_work) from [] (worker_thread+0x44/0x51c) [] (worker_thread) from [] (kthread+0x158/0x1a0) [] (kthread) from [] (ret_from_fork+0x14/0x20) Exception stack(0xef121fb0 to 0xef121ff8) ... ---[ end trace 9724c2fc7cc9c982 ]--- While fixing this also fix the double call to dwc2_lowlevel_hw_disable() if dr_mode is set to USB_DR_MODE_PERIPHERAL. In such case low-level hardware is already disabled before calling usb_add_gadget_udc(). That function correctly preserves low-level hardware state, there is no need for the second unconditional dwc2_lowlevel_hw_disable() call. Fixes: 207324a321a8 ("usb: dwc2: Postponed gadget registration to the udc class driver") Acked-by: Minas Harutyunyan Signed-off-by: Marek Szyprowski Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin --- drivers/usb/dwc2/platform.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c index 442cb93935dd..405dccf92a31 100644 --- a/drivers/usb/dwc2/platform.c +++ b/drivers/usb/dwc2/platform.c @@ -459,6 +459,7 @@ static int dwc2_driver_probe(struct platform_device *dev) if (hsotg->gadget_enabled) { retval = usb_add_gadget_udc(hsotg->dev, &hsotg->gadget); if (retval) { + hsotg->gadget.udc = NULL; dwc2_hsotg_remove(hsotg); goto error; } @@ -467,7 +468,8 @@ static int dwc2_driver_probe(struct platform_device *dev) return 0; error: - dwc2_lowlevel_hw_disable(hsotg); + if (hsotg->dr_mode != USB_DR_MODE_PERIPHERAL) + dwc2_lowlevel_hw_disable(hsotg); return retval; } From 74d1e724b115abb7ed40498c9cd75b1ff2c69f1e Mon Sep 17 00:00:00 2001 From: Finn Thain Date: Thu, 23 Jul 2020 09:25:51 +1000 Subject: [PATCH 272/386] scsi: mesh: Fix panic after host or bus reset [ Upstream commit edd7dd2292ab9c3628b65c4d04514c3068ad54f6 ] Booting Linux with a Conner CP3200 drive attached to the MESH SCSI bus results in EH measures and a panic: [ 25.499838] mesh: configured for synchronous 5 MB/s [ 25.787154] mesh: performing initial bus reset... [ 29.867115] scsi host0: MESH [ 29.929527] mesh: target 0 synchronous at 3.6 MB/s [ 29.998763] scsi 0:0:0:0: Direct-Access CONNER CP3200-200mb-3.5 4040 PQ: 0 ANSI: 1 CCS [ 31.989975] sd 0:0:0:0: [sda] 415872 512-byte logical blocks: (213 MB/203 MiB) [ 32.070975] sd 0:0:0:0: [sda] Write Protect is off [ 32.137197] sd 0:0:0:0: [sda] Mode Sense: 5b 00 00 08 [ 32.209661] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA [ 32.332708] sda: [mac] sda1 sda2 sda3 [ 32.417733] sd 0:0:0:0: [sda] Attached SCSI disk ... snip ... [ 76.687067] mesh_abort((ptrval)) [ 76.743606] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval) [ 76.810798] ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85 [ 76.880720] dma stat=84e0 cmdptr=1f73d000 [ 76.941387] phase=4 msgphase=0 conn_tgt=0 data_ptr=24576 [ 77.005567] dma_st=1 dma_ct=0 n_msgout=0 [ 77.065456] target 0: req=(ptrval) goes_out=0 saved_ptr=0 [ 77.130512] mesh_abort((ptrval)) [ 77.187670] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval) [ 77.255594] ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85 [ 77.325778] dma stat=84e0 cmdptr=1f73d000 [ 77.387239] phase=4 msgphase=0 conn_tgt=0 data_ptr=24576 [ 77.453665] dma_st=1 dma_ct=0 n_msgout=0 [ 77.515900] target 0: req=(ptrval) goes_out=0 saved_ptr=0 [ 77.582902] mesh_host_reset [ 88.187083] Kernel panic - not syncing: mesh: double DMA start ! [ 88.254510] CPU: 0 PID: 358 Comm: scsi_eh_0 Not tainted 5.6.13-pmac #1 [ 88.323302] Call Trace: [ 88.378854] [e16ddc58] [c0027080] panic+0x13c/0x308 (unreliable) [ 88.446221] [e16ddcb8] [c02b2478] mesh_start.part.12+0x130/0x414 [ 88.513298] [e16ddcf8] [c02b2fc8] mesh_queue+0x54/0x70 [ 88.577097] [e16ddd18] [c02a1848] scsi_send_eh_cmnd+0x374/0x384 [ 88.643476] [e16dddc8] [c02a1938] scsi_eh_tur+0x5c/0xb8 [ 88.707878] [e16dddf8] [c02a1ab8] scsi_eh_test_devices+0x124/0x178 [ 88.775663] [e16dde28] [c02a2094] scsi_eh_ready_devs+0x588/0x8a8 [ 88.843124] [e16dde98] [c02a31d8] scsi_error_handler+0x344/0x520 [ 88.910697] [e16ddf08] [c00409c8] kthread+0xe4/0xe8 [ 88.975166] [e16ddf38] [c000f234] ret_from_kernel_thread+0x14/0x1c [ 89.044112] Rebooting in 180 seconds.. In theory, a panic can happen after a bus or host reset with dma_started flag set. Fix this by halting the DMA before reinitializing the host. Don't assume that ms->current_req is set when halt_dma() is invoked as it may not hold for bus or host reset. BTW, this particular Conner drive can be made to work by inhibiting disconnect/reselect with 'mesh.resel_targets=0'. Link: https://lore.kernel.org/r/3952bc691e150a7128b29120999b6092071b039a.1595460351.git.fthain@telegraphics.com.au Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: Paul Mackerras Reported-and-tested-by: Stan Johnson Signed-off-by: Finn Thain Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin --- drivers/scsi/mesh.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/mesh.c b/drivers/scsi/mesh.c index 1753e42826dd..a880abf5abaa 100644 --- a/drivers/scsi/mesh.c +++ b/drivers/scsi/mesh.c @@ -1044,6 +1044,8 @@ static void handle_error(struct mesh_state *ms) while ((in_8(&mr->bus_status1) & BS1_RST) != 0) udelay(1); printk("done\n"); + if (ms->dma_started) + halt_dma(ms); handle_reset(ms); /* request_q is empty, no point in mesh_start() */ return; @@ -1356,7 +1358,8 @@ static void halt_dma(struct mesh_state *ms) ms->conn_tgt, ms->data_ptr, scsi_bufflen(cmd), ms->tgts[ms->conn_tgt].data_goes_out); } - scsi_dma_unmap(cmd); + if (cmd) + scsi_dma_unmap(cmd); ms->dma_started = 0; } @@ -1711,6 +1714,9 @@ static int mesh_host_reset(struct scsi_cmnd *cmd) spin_lock_irqsave(ms->host->host_lock, flags); + if (ms->dma_started) + halt_dma(ms); + /* Reset the controller & dbdma channel */ out_le32(&md->control, (RUN|PAUSE|FLUSH|WAKE) << 16); /* stop dma */ out_8(&mr->exception, 0xff); /* clear all exception bits */ From 5af2995953ec553ee190a5ba8d544d2f942efd76 Mon Sep 17 00:00:00 2001 From: Chris Packham Date: Fri, 24 Jul 2020 11:21:20 +1200 Subject: [PATCH 273/386] net: dsa: mv88e6xxx: MV88E6097 does not support jumbo configuration [ Upstream commit 0f3c66a3c7b4e8b9f654b3c998e9674376a51b0f ] The MV88E6097 chip does not support configuring jumbo frames. Prior to commit 5f4366660d65 only the 6352, 6351, 6165 and 6320 chips configured jumbo mode. The refactor accidentally added the function for the 6097. Remove the erroneous function pointer assignment. Fixes: 5f4366660d65 ("net: dsa: mv88e6xxx: Refactor setting of jumbo frames") Signed-off-by: Chris Packham Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/dsa/mv88e6xxx/chip.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c index 10ea01459a36..f4268f032266 100644 --- a/drivers/net/dsa/mv88e6xxx/chip.c +++ b/drivers/net/dsa/mv88e6xxx/chip.c @@ -2450,7 +2450,6 @@ static const struct mv88e6xxx_ops mv88e6097_ops = { .port_set_frame_mode = mv88e6351_port_set_frame_mode, .port_set_egress_floods = mv88e6352_port_set_egress_floods, .port_set_ether_type = mv88e6351_port_set_ether_type, - .port_set_jumbo_size = mv88e6165_port_set_jumbo_size, .port_egress_rate_limiting = mv88e6095_port_egress_rate_limiting, .port_pause_limit = mv88e6097_port_pause_limit, .port_disable_learn_limit = mv88e6xxx_port_disable_learn_limit, From 12917b448aa665cfa032f37925a10ae5f43bee35 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Thu, 23 Jul 2020 18:22:19 +0300 Subject: [PATCH 274/386] Smack: fix another vsscanf out of bounds [ Upstream commit a6bd4f6d9b07452b0b19842044a6c3ea384b0b88 ] This is similar to commit 84e99e58e8d1 ("Smack: slab-out-of-bounds in vsscanf") where we added a bounds check on "rule". Reported-by: syzbot+a22c6092d003d6fe1122@syzkaller.appspotmail.com Fixes: f7112e6c9abf ("Smack: allow for significantly longer Smack labels v4") Signed-off-by: Dan Carpenter Signed-off-by: Casey Schaufler Signed-off-by: Sasha Levin --- security/smack/smackfs.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 10ee51d04492..981f582539ac 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -933,6 +933,10 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, for (i = 0; i < catlen; i++) { rule += SMK_DIGITLEN; + if (rule > data + count) { + rc = -EOVERFLOW; + goto out; + } ret = sscanf(rule, "%u", &cat); if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM) goto out; From 75f8b5a67b62b40d6308f3f2998de2cfa264f212 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Thu, 23 Jul 2020 18:23:05 +0300 Subject: [PATCH 275/386] Smack: prevent underflow in smk_set_cipso() [ Upstream commit 42a2df3e829f3c5562090391b33714b2e2e5ad4a ] We have an upper bound on "maplevel" but forgot to check for negative values. Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel") Signed-off-by: Dan Carpenter Signed-off-by: Casey Schaufler Signed-off-by: Sasha Levin --- security/smack/smackfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 981f582539ac..accd3846f1e3 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -912,7 +912,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, } ret = sscanf(rule, "%d", &maplevel); - if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL) + if (ret != 1 || maplevel < 0 || maplevel > SMACK_CIPSO_MAXLEVEL) goto out; rule += SMK_DIGITLEN; From ca869971a904aa67813a1b04624df4cd83e06196 Mon Sep 17 00:00:00 2001 From: Tom Rix Date: Sun, 12 Jul 2020 12:23:51 -0700 Subject: [PATCH 276/386] power: supply: check if calc_soc succeeded in pm860x_init_battery [ Upstream commit ccf193dee1f0fff55b556928591f7818bac1b3b1 ] clang static analysis flags this error 88pm860x_battery.c:522:19: warning: Assigned value is garbage or undefined [core.uninitialized.Assign] info->start_soc = soc; ^ ~~~ soc is set by calling calc_soc. But calc_soc can return without setting soc. So check the return status and bail similarly to other checks in pm860x_init_battery and initialize soc to silence the warning. Fixes: a830d28b48bf ("power_supply: Enable battery-charger for 88pm860x") Signed-off-by: Tom Rix Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin --- drivers/power/supply/88pm860x_battery.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/power/supply/88pm860x_battery.c b/drivers/power/supply/88pm860x_battery.c index 63c57dc82ac1..4eda5065b5bb 100644 --- a/drivers/power/supply/88pm860x_battery.c +++ b/drivers/power/supply/88pm860x_battery.c @@ -436,7 +436,7 @@ static void pm860x_init_battery(struct pm860x_battery_info *info) int ret; int data; int bat_remove; - int soc; + int soc = 0; /* measure enable on GPADC1 */ data = MEAS1_GP1; @@ -499,7 +499,9 @@ static void pm860x_init_battery(struct pm860x_battery_info *info) } mutex_unlock(&info->lock); - calc_soc(info, OCV_MODE_ACTIVE, &soc); + ret = calc_soc(info, OCV_MODE_ACTIVE, &soc); + if (ret < 0) + goto out; data = pm860x_reg_read(info->i2c, PM8607_POWER_UP_LOG); bat_remove = data & BAT_WU_LOG; From 36bac0f1d441fc6603017dd5881a3641f011fbd5 Mon Sep 17 00:00:00 2001 From: Nicolas Boichat Date: Tue, 21 Jul 2020 10:37:16 +0800 Subject: [PATCH 277/386] Bluetooth: hci_serdev: Only unregister device if it was registered [ Upstream commit 202798db9570104728dce8bb57dfeed47ce764bc ] We should not call hci_unregister_dev if the device was not successfully registered. Fixes: c34dc3bfa7642fd ("Bluetooth: hci_serdev: Introduce hci_uart_unregister_device()") Signed-off-by: Nicolas Boichat Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin --- drivers/bluetooth/hci_serdev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/bluetooth/hci_serdev.c b/drivers/bluetooth/hci_serdev.c index 69c00a3db538..72cf2d97b682 100644 --- a/drivers/bluetooth/hci_serdev.c +++ b/drivers/bluetooth/hci_serdev.c @@ -361,7 +361,8 @@ void hci_uart_unregister_device(struct hci_uart *hu) struct hci_dev *hdev = hu->hdev; clear_bit(HCI_UART_PROTO_READY, &hu->flags); - hci_unregister_dev(hdev); + if (test_bit(HCI_UART_REGISTERED, &hu->flags)) + hci_unregister_dev(hdev); hci_free_dev(hdev); cancel_work_sync(&hu->write_work); From 1700e567440ccadb5b5a1ddaebc700f0f8c4fdcf Mon Sep 17 00:00:00 2001 From: Harish Date: Tue, 9 Jun 2020 13:44:23 +0530 Subject: [PATCH 278/386] selftests/powerpc: Fix CPU affinity for child process [ Upstream commit 854eb5022be04f81e318765f089f41a57c8e5d83 ] On systems with large number of cpus, test fails trying to set affinity by calling sched_setaffinity() with smaller size for affinity mask. This patch fixes it by making sure that the size of allocated affinity mask is dependent on the number of CPUs as reported by get_nprocs(). Fixes: 00b7ec5c9cf3 ("selftests/powerpc: Import Anton's context_switch2 benchmark") Reported-by: Shirisha Ganta Signed-off-by: Sandipan Das Signed-off-by: Harish Reviewed-by: Kamalesh Babulal Reviewed-by: Satheesh Rajendran Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200609081423.529664-1-harish@linux.ibm.com Signed-off-by: Sasha Levin --- .../powerpc/benchmarks/context_switch.c | 21 ++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/tools/testing/selftests/powerpc/benchmarks/context_switch.c b/tools/testing/selftests/powerpc/benchmarks/context_switch.c index f4241339edd2..7136eae2170b 100644 --- a/tools/testing/selftests/powerpc/benchmarks/context_switch.c +++ b/tools/testing/selftests/powerpc/benchmarks/context_switch.c @@ -22,6 +22,7 @@ #include #include #include +#include #include #include #include @@ -97,8 +98,9 @@ static void start_thread_on(void *(*fn)(void *), void *arg, unsigned long cpu) static void start_process_on(void *(*fn)(void *), void *arg, unsigned long cpu) { - int pid; - cpu_set_t cpuset; + int pid, ncpus; + cpu_set_t *cpuset; + size_t size; pid = fork(); if (pid == -1) { @@ -109,14 +111,23 @@ static void start_process_on(void *(*fn)(void *), void *arg, unsigned long cpu) if (pid) return; - CPU_ZERO(&cpuset); - CPU_SET(cpu, &cpuset); + ncpus = get_nprocs(); + size = CPU_ALLOC_SIZE(ncpus); + cpuset = CPU_ALLOC(ncpus); + if (!cpuset) { + perror("malloc"); + exit(1); + } + CPU_ZERO_S(size, cpuset); + CPU_SET_S(cpu, size, cpuset); - if (sched_setaffinity(0, sizeof(cpuset), &cpuset)) { + if (sched_setaffinity(0, size, cpuset)) { perror("sched_setaffinity"); + CPU_FREE(cpuset); exit(1); } + CPU_FREE(cpuset); fn(arg); exit(0); From 581752c3f34936dbf0f2491a45d9cb57b89f688d Mon Sep 17 00:00:00 2001 From: Hanjun Guo Date: Wed, 22 Jul 2020 17:44:28 +0800 Subject: [PATCH 279/386] PCI: Release IVRS table in AMD ACS quirk [ Upstream commit 090688fa4e448284aaa16136372397d7d10814db ] The acpi_get_table() should be coupled with acpi_put_table() if the mapped table is not used at runtime to release the table mapping. In pci_quirk_amd_sb_acs(), IVRS table is just used for checking AMD IOMMU is supported, not used at runtime, so put the table after using it. Fixes: 15b100dfd1c9 ("PCI: Claim ACS support for AMD southbridge devices") Link: https://lore.kernel.org/r/1595411068-15440-1-git-send-email-guohanjun@huawei.com Signed-off-by: Hanjun Guo Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin --- drivers/pci/quirks.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c index 243b16ce0c8e..da790f26d295 100644 --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c @@ -4307,6 +4307,8 @@ static int pci_quirk_amd_sb_acs(struct pci_dev *dev, u16 acs_flags) if (ACPI_FAILURE(status)) return -ENODEV; + acpi_put_table(header); + /* Filter out flags not applicable to multifunction */ acs_flags &= (PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_EC | PCI_ACS_DT); From 0f85a744df434cfe37ce8eea24b84bdb444b7a2e Mon Sep 17 00:00:00 2001 From: Sandipan Das Date: Thu, 30 Jul 2020 10:38:46 +0530 Subject: [PATCH 280/386] selftests/powerpc: Fix online CPU selection [ Upstream commit dfa03fff86027e58c8dba5c03ae68150d4e513ad ] The size of the CPU affinity mask must be large enough for systems with a very large number of CPUs. Otherwise, tests which try to determine the first online CPU by calling sched_getaffinity() will fail. This makes sure that the size of the allocated affinity mask is dependent on the number of CPUs as reported by get_nprocs_conf(). Fixes: 3752e453f6ba ("selftests/powerpc: Add tests of PMU EBBs") Reported-by: Shirisha Ganta Signed-off-by: Sandipan Das Reviewed-by: Kamalesh Babulal Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/a408c4b8e9a23bb39b539417a21eb0ff47bb5127.1596084858.git.sandipan@linux.ibm.com Signed-off-by: Sasha Levin --- tools/testing/selftests/powerpc/utils.c | 39 ++++++++++++++++--------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/tools/testing/selftests/powerpc/utils.c b/tools/testing/selftests/powerpc/utils.c index d46916867a6f..77db4f6ecf2f 100644 --- a/tools/testing/selftests/powerpc/utils.c +++ b/tools/testing/selftests/powerpc/utils.c @@ -12,6 +12,7 @@ #include #include #include +#include #include #include @@ -81,26 +82,38 @@ void *get_auxv_entry(int type) int pick_online_cpu(void) { - cpu_set_t mask; - int cpu; + int ncpus, cpu = -1; + cpu_set_t *mask; + size_t size; - CPU_ZERO(&mask); - - if (sched_getaffinity(0, sizeof(mask), &mask)) { - perror("sched_getaffinity"); + ncpus = get_nprocs_conf(); + size = CPU_ALLOC_SIZE(ncpus); + mask = CPU_ALLOC(ncpus); + if (!mask) { + perror("malloc"); return -1; } + CPU_ZERO_S(size, mask); + + if (sched_getaffinity(0, size, mask)) { + perror("sched_getaffinity"); + goto done; + } + /* We prefer a primary thread, but skip 0 */ - for (cpu = 8; cpu < CPU_SETSIZE; cpu += 8) - if (CPU_ISSET(cpu, &mask)) - return cpu; + for (cpu = 8; cpu < ncpus; cpu += 8) + if (CPU_ISSET_S(cpu, size, mask)) + goto done; /* Search for anything, but in reverse */ - for (cpu = CPU_SETSIZE - 1; cpu >= 0; cpu--) - if (CPU_ISSET(cpu, &mask)) - return cpu; + for (cpu = ncpus - 1; cpu >= 0; cpu--) + if (CPU_ISSET_S(cpu, size, mask)) + goto done; printf("No cpus in affinity mask?!\n"); - return -1; + +done: + CPU_FREE(mask); + return cpu; } From 75d838fab1538eb4906d02efbb7eb8779937e795 Mon Sep 17 00:00:00 2001 From: Julian Wiedmann Date: Thu, 30 Jul 2020 17:01:20 +0200 Subject: [PATCH 281/386] s390/qeth: don't process empty bridge port events [ Upstream commit 02472e28b9a45471c6d8729ff2c7422baa9be46a ] Discard events that don't contain any entries. This shouldn't happen, but subsequent code relies on being able to use entry 0. So better be safe than accessing garbage. Fixes: b4d72c08b358 ("qeth: bridgeport support - basic control") Signed-off-by: Julian Wiedmann Reviewed-by: Alexandra Winter Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/s390/net/qeth_l2_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c index 6fa07c246915..ae310d5ced10 100644 --- a/drivers/s390/net/qeth_l2_main.c +++ b/drivers/s390/net/qeth_l2_main.c @@ -1559,6 +1559,10 @@ static void qeth_bridge_state_change(struct qeth_card *card, int extrasize; QETH_CARD_TEXT(card, 2, "brstchng"); + if (qports->num_entries == 0) { + QETH_CARD_TEXT(card, 2, "BPempty"); + return; + } if (qports->entry_length != sizeof(struct qeth_sbp_port_entry)) { QETH_CARD_TEXT_(card, 2, "BPsz%04x", qports->entry_length); return; From 96f448206b4b6679b93a25dc30feb0ce1f996278 Mon Sep 17 00:00:00 2001 From: Wang Hai Date: Thu, 30 Jul 2020 15:39:39 +0800 Subject: [PATCH 282/386] wl1251: fix always return 0 error [ Upstream commit 20e6421344b5bc2f97b8e2db47b6994368417904 ] wl1251_event_ps_report() should not always return 0 because wl1251_ps_set_mode() may fail. Change it to return 'ret'. Fixes: f7ad1eed4d4b ("wl1251: retry power save entry") Reported-by: Hulk Robot Signed-off-by: Wang Hai Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200730073939.33704-1-wanghai38@huawei.com Signed-off-by: Sasha Levin --- drivers/net/wireless/ti/wl1251/event.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ti/wl1251/event.c b/drivers/net/wireless/ti/wl1251/event.c index f5acd24d0e2b..988abb49771f 100644 --- a/drivers/net/wireless/ti/wl1251/event.c +++ b/drivers/net/wireless/ti/wl1251/event.c @@ -84,7 +84,7 @@ static int wl1251_event_ps_report(struct wl1251 *wl, break; } - return 0; + return ret; } static void wl1251_event_mbox_dump(struct event_mailbox *mbox) From 431a1b512ee33f7b765e2cd6737ae802b292ea58 Mon Sep 17 00:00:00 2001 From: Andrii Nakryiko Date: Thu, 30 Jul 2020 19:42:44 -0700 Subject: [PATCH 283/386] tools, build: Propagate build failures from tools/build/Makefile.build [ Upstream commit a278f3d8191228212c553a5d4303fa603214b717 ] The '&&' command seems to have a bad effect when $(cmd_$(1)) exits with non-zero effect: the command failure is masked (despite `set -e`) and all but the first command of $(dep-cmd) is executed (successfully, as they are mostly printfs), thus overall returning 0 in the end. This means in practice that despite compilation errors, tools's build Makefile will return success. We see this very reliably with libbpf's Makefile, which doesn't get compilation error propagated properly. This in turns causes issues with selftests build, as well as bpftool and other projects that rely on building libbpf. The fix is simple: don't use &&. Given `set -e`, we don't need to chain commands with &&. The shell will exit on first failure, giving desired behavior and propagating error properly. Fixes: 275e2d95591e ("tools build: Move dependency copy into function") Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Acked-by: Jiri Olsa Link: https://lore.kernel.org/bpf/20200731024244.872574-1-andriin@fb.com Signed-off-by: Sasha Levin --- tools/build/Build.include | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/build/Build.include b/tools/build/Build.include index d9048f145f97..63bb9752612a 100644 --- a/tools/build/Build.include +++ b/tools/build/Build.include @@ -74,7 +74,8 @@ dep-cmd = $(if $(wildcard $(fixdep)), # dependencies in the cmd file if_changed_dep = $(if $(strip $(any-prereq) $(arg-check)), \ @set -e; \ - $(echo-cmd) $(cmd_$(1)) && $(dep-cmd)) + $(echo-cmd) $(cmd_$(1)); \ + $(dep-cmd)) # if_changed - execute command if any prerequisite is newer than # target, or command line has changed From f5cf824da9a4300d7cd8ce5457e2562c091d583c Mon Sep 17 00:00:00 2001 From: Tianjia Zhang Date: Sun, 2 Aug 2020 19:15:37 +0800 Subject: [PATCH 284/386] net: ethernet: aquantia: Fix wrong return value [ Upstream commit 0470a48880f8bc42ce26962b79c7b802c5a695ec ] In function hw_atl_a0_hw_multicast_list_set(), when an invalid request is encountered, a negative error code should be returned. Fixes: bab6de8fd180b ("net: ethernet: aquantia: Atlantic A0 and B0 specific functions") Cc: David VomLehn Signed-off-by: Tianjia Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c index b83ee74d2839..77e5c6926814 100644 --- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c +++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c @@ -746,7 +746,7 @@ static int hw_atl_a0_hw_multicast_list_set(struct aq_hw_s *self, int err = 0; if (count > (HW_ATL_A0_MAC_MAX - HW_ATL_A0_MAC_MIN)) { - err = EBADRQC; + err = -EBADRQC; goto err_exit; } for (self->aq_nic_cfg->mc_list_count = 0U; From 927b8e3acb5858d975a93b47708f61c8fbf675c5 Mon Sep 17 00:00:00 2001 From: Tianjia Zhang Date: Sun, 2 Aug 2020 19:15:44 +0800 Subject: [PATCH 285/386] liquidio: Fix wrong return value in cn23xx_get_pf_num() [ Upstream commit aa027850a292ea65524b8fab83eb91a124ad362c ] On an error exit path, a negative error code should be returned instead of a positive return value. Fixes: 0c45d7fe12c7e ("liquidio: fix use of pf in pass-through mode in a virtual machine") Cc: Rick Farrington Signed-off-by: Tianjia Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c index 2e089b5ff8f3..30f0e54f658e 100644 --- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c +++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c @@ -1167,7 +1167,7 @@ static int cn23xx_get_pf_num(struct octeon_device *oct) oct->pf_num = ((fdl_bit >> CN23XX_PCIE_SRIOV_FDL_BIT_POS) & CN23XX_PCIE_SRIOV_FDL_MASK); } else { - ret = EINVAL; + ret = -EINVAL; /* Under some virtual environments, extended PCI regs are * inaccessible, in which case the above read will have failed. From 5184569002c4296c8bb94dc012b11b6ede9d9ea4 Mon Sep 17 00:00:00 2001 From: Christophe JAILLET Date: Sun, 2 Aug 2020 15:53:33 +0200 Subject: [PATCH 286/386] net: spider_net: Fix the size used in a 'dma_free_coherent()' call [ Upstream commit 36f28f7687a9ce665479cce5d64ce7afaa9e77ae ] Update the size used in 'dma_free_coherent()' in order to match the one used in the corresponding 'dma_alloc_coherent()', in 'spider_net_init_chain()'. Fixes: d4ed8f8d1fb7 ("Spidernet DMA coalescing") Signed-off-by: Christophe JAILLET Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/toshiba/spider_net.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/toshiba/spider_net.c b/drivers/net/ethernet/toshiba/spider_net.c index da136b8843dd..a0fed9035f53 100644 --- a/drivers/net/ethernet/toshiba/spider_net.c +++ b/drivers/net/ethernet/toshiba/spider_net.c @@ -296,8 +296,8 @@ spider_net_free_chain(struct spider_net_card *card, descr = descr->next; } while (descr != chain->ring); - dma_free_coherent(&card->pdev->dev, chain->num_desc, - chain->hwring, chain->dma_addr); + dma_free_coherent(&card->pdev->dev, chain->num_desc * sizeof(struct spider_net_hw_descr), + chain->hwring, chain->dma_addr); } /** From 178c6c8d0c47e4bd97ee65474979ef695ffbc0e7 Mon Sep 17 00:00:00 2001 From: Florinel Iordache Date: Mon, 3 Aug 2020 10:07:30 +0300 Subject: [PATCH 287/386] fsl/fman: use 32-bit unsigned integer [ Upstream commit 99f47abd9f7bf6e365820d355dc98f6955a562df ] Potentially overflowing expression (ts_freq << 16 and intgr << 16) declared as type u32 (32-bit unsigned) is evaluated using 32-bit arithmetic and then used in a context that expects an expression of type u64 (64-bit unsigned) which ultimately is used as 16-bit unsigned by typecasting to u16. Fixed by using an unsigned 32-bit integer since the value is truncated anyway in the end. Fixes: 414fd46e7762 ("fsl/fman: Add FMan support") Signed-off-by: Florinel Iordache Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/freescale/fman/fman.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c index 9080d2332d03..cdd48b1cc84a 100644 --- a/drivers/net/ethernet/freescale/fman/fman.c +++ b/drivers/net/ethernet/freescale/fman/fman.c @@ -1396,8 +1396,7 @@ static void enable_time_stamp(struct fman *fman) { struct fman_fpm_regs __iomem *fpm_rg = fman->fpm_regs; u16 fm_clk_freq = fman->state->fm_clk_freq; - u32 tmp, intgr, ts_freq; - u64 frac; + u32 tmp, intgr, ts_freq, frac; ts_freq = (u32)(1 << fman->state->count1_micro_bit); /* configure timestamp so that bit 8 will count 1 microsecond From b13f68bc6480bd8db6bcb10cd570221b9e453a5b Mon Sep 17 00:00:00 2001 From: Florinel Iordache Date: Mon, 3 Aug 2020 10:07:31 +0300 Subject: [PATCH 288/386] fsl/fman: fix dereference null return value [ Upstream commit 0572054617f32670abab4b4e89a876954d54b704 ] Check before using returned value to avoid dereferencing null pointer. Fixes: 18a6c85fcc78 ("fsl/fman: Add FMan Port Support") Signed-off-by: Florinel Iordache Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/freescale/fman/fman_port.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/freescale/fman/fman_port.c b/drivers/net/ethernet/freescale/fman/fman_port.c index 495190764155..ac3d791f5282 100644 --- a/drivers/net/ethernet/freescale/fman/fman_port.c +++ b/drivers/net/ethernet/freescale/fman/fman_port.c @@ -1744,6 +1744,7 @@ static int fman_port_probe(struct platform_device *of_dev) struct fman_port *port; struct fman *fman; struct device_node *fm_node, *port_node; + struct platform_device *fm_pdev; struct resource res; struct resource *dev_res; u32 val; @@ -1768,8 +1769,14 @@ static int fman_port_probe(struct platform_device *of_dev) goto return_err; } - fman = dev_get_drvdata(&of_find_device_by_node(fm_node)->dev); + fm_pdev = of_find_device_by_node(fm_node); of_node_put(fm_node); + if (!fm_pdev) { + err = -EINVAL; + goto return_err; + } + + fman = dev_get_drvdata(&fm_pdev->dev); if (!fman) { err = -EINVAL; goto return_err; From 80c8e386044c422894b49410acf64c729cf84947 Mon Sep 17 00:00:00 2001 From: Florinel Iordache Date: Mon, 3 Aug 2020 10:07:32 +0300 Subject: [PATCH 289/386] fsl/fman: fix unreachable code [ Upstream commit cc79fd8f557767de90ff199d3b6fb911df43160a ] The parameter 'priority' is incorrectly forced to zero which ultimately induces logically dead code in the subsequent lines. Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") Signed-off-by: Florinel Iordache Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/freescale/fman/fman_memac.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c index b33650a897f1..1fbeb991bcdf 100644 --- a/drivers/net/ethernet/freescale/fman/fman_memac.c +++ b/drivers/net/ethernet/freescale/fman/fman_memac.c @@ -855,7 +855,6 @@ int memac_set_tx_pause_frames(struct fman_mac *memac, u8 priority, tmp = ioread32be(®s->command_config); tmp &= ~CMD_CFG_PFC_MODE; - priority = 0; iowrite32be(tmp, ®s->command_config); From ee11e170e8205d1918e1f2f9b9b9868de96eb9a1 Mon Sep 17 00:00:00 2001 From: Florinel Iordache Date: Mon, 3 Aug 2020 10:07:33 +0300 Subject: [PATCH 290/386] fsl/fman: check dereferencing null pointer [ Upstream commit cc5d229a122106733a85c279d89d7703f21e4d4f ] Add a safe check to avoid dereferencing null pointer Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") Signed-off-by: Florinel Iordache Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/freescale/fman/fman_dtsec.c | 4 ++-- drivers/net/ethernet/freescale/fman/fman_memac.c | 2 +- drivers/net/ethernet/freescale/fman/fman_tgec.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/freescale/fman/fman_dtsec.c b/drivers/net/ethernet/freescale/fman/fman_dtsec.c index 7af31ddd093f..61238b3af204 100644 --- a/drivers/net/ethernet/freescale/fman/fman_dtsec.c +++ b/drivers/net/ethernet/freescale/fman/fman_dtsec.c @@ -1159,7 +1159,7 @@ int dtsec_del_hash_mac_address(struct fman_mac *dtsec, enet_addr_t *eth_addr) list_for_each(pos, &dtsec->multicast_addr_hash->lsts[bucket]) { hash_entry = ETH_HASH_ENTRY_OBJ(pos); - if (hash_entry->addr == addr) { + if (hash_entry && hash_entry->addr == addr) { list_del_init(&hash_entry->node); kfree(hash_entry); break; @@ -1172,7 +1172,7 @@ int dtsec_del_hash_mac_address(struct fman_mac *dtsec, enet_addr_t *eth_addr) list_for_each(pos, &dtsec->unicast_addr_hash->lsts[bucket]) { hash_entry = ETH_HASH_ENTRY_OBJ(pos); - if (hash_entry->addr == addr) { + if (hash_entry && hash_entry->addr == addr) { list_del_init(&hash_entry->node); kfree(hash_entry); break; diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c index 1fbeb991bcdf..460f9e58e987 100644 --- a/drivers/net/ethernet/freescale/fman/fman_memac.c +++ b/drivers/net/ethernet/freescale/fman/fman_memac.c @@ -956,7 +956,7 @@ int memac_del_hash_mac_address(struct fman_mac *memac, enet_addr_t *eth_addr) list_for_each(pos, &memac->multicast_addr_hash->lsts[hash]) { hash_entry = ETH_HASH_ENTRY_OBJ(pos); - if (hash_entry->addr == addr) { + if (hash_entry && hash_entry->addr == addr) { list_del_init(&hash_entry->node); kfree(hash_entry); break; diff --git a/drivers/net/ethernet/freescale/fman/fman_tgec.c b/drivers/net/ethernet/freescale/fman/fman_tgec.c index e575259d20f4..c8ad9b8a75f8 100644 --- a/drivers/net/ethernet/freescale/fman/fman_tgec.c +++ b/drivers/net/ethernet/freescale/fman/fman_tgec.c @@ -585,7 +585,7 @@ int tgec_del_hash_mac_address(struct fman_mac *tgec, enet_addr_t *eth_addr) list_for_each(pos, &tgec->multicast_addr_hash->lsts[hash]) { hash_entry = ETH_HASH_ENTRY_OBJ(pos); - if (hash_entry->addr == addr) { + if (hash_entry && hash_entry->addr == addr) { list_del_init(&hash_entry->node); kfree(hash_entry); break; From 4ac2e3425382667ceb957d0837c81e81dc02a2dc Mon Sep 17 00:00:00 2001 From: Florinel Iordache Date: Mon, 3 Aug 2020 10:07:34 +0300 Subject: [PATCH 291/386] fsl/fman: fix eth hash table allocation [ Upstream commit 3207f715c34317d08e798e11a10ce816feb53c0f ] Fix memory allocation for ethernet address hash table. The code was wrongly allocating an array for eth hash table which is incorrect because this is the main structure for eth hash table (struct eth_hash_t) that contains inside a number of elements. Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") Signed-off-by: Florinel Iordache Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/freescale/fman/fman_mac.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/freescale/fman/fman_mac.h b/drivers/net/ethernet/freescale/fman/fman_mac.h index dd6d0526f6c1..19f327efdaff 100644 --- a/drivers/net/ethernet/freescale/fman/fman_mac.h +++ b/drivers/net/ethernet/freescale/fman/fman_mac.h @@ -252,7 +252,7 @@ static inline struct eth_hash_t *alloc_hash_table(u16 size) struct eth_hash_t *hash; /* Allocate address hash table */ - hash = kmalloc_array(size, sizeof(struct eth_hash_t *), GFP_KERNEL); + hash = kmalloc(sizeof(*hash), GFP_KERNEL); if (!hash) return NULL; From 2f0bd77337c2810271c04ab09a9b5154e9fa2188 Mon Sep 17 00:00:00 2001 From: Wang Hai Date: Mon, 15 Jun 2020 11:25:33 +0800 Subject: [PATCH 292/386] dlm: Fix kobject memleak [ Upstream commit 0ffddafc3a3970ef7013696e7f36b3d378bc4c16 ] Currently the error return path from kobject_init_and_add() is not followed by a call to kobject_put() - which means we are leaking the kobject. Set do_unreg = 1 before kobject_init_and_add() to ensure that kobject_put() can be called in its error patch. Fixes: 901195ed7f4b ("Kobject: change GFS2 to use kobject_init_and_add") Reported-by: Hulk Robot Signed-off-by: Wang Hai Signed-off-by: David Teigland Signed-off-by: Sasha Levin --- fs/dlm/lockspace.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c index 9c8c9a09b4a6..7a6b0327ceb0 100644 --- a/fs/dlm/lockspace.c +++ b/fs/dlm/lockspace.c @@ -633,6 +633,9 @@ static int new_lockspace(const char *name, const char *cluster, wait_event(ls->ls_recover_lock_wait, test_bit(LSFL_RECOVER_LOCK, &ls->ls_flags)); + /* let kobject handle freeing of ls if there's an error */ + do_unreg = 1; + ls->ls_kobj.kset = dlm_kset; error = kobject_init_and_add(&ls->ls_kobj, &dlm_ktype, NULL, "%s", ls->ls_name); @@ -640,9 +643,6 @@ static int new_lockspace(const char *name, const char *cluster, goto out_recoverd; kobject_uevent(&ls->ls_kobj, KOBJ_ADD); - /* let kobject handle freeing of ls if there's an error */ - do_unreg = 1; - /* This uevent triggers dlm_controld in userspace to add us to the group of nodes that are members of this lockspace (managed by the cluster infrastructure.) Once it's done that, it tells us who the From ac67d2b38a800387f108899e5ae57e1dd9a758b6 Mon Sep 17 00:00:00 2001 From: Drew Fustini Date: Mon, 8 Jun 2020 14:51:43 +0200 Subject: [PATCH 293/386] pinctrl-single: fix pcs_parse_pinconf() return value [ Upstream commit f46fe79ff1b65692a65266a5bec6dbe2bf7fc70f ] This patch causes pcs_parse_pinconf() to return -ENOTSUPP when no pinctrl_map is added. The current behavior is to return 0 when !PCS_HAS_PINCONF or !nconfs. Thus pcs_parse_one_pinctrl_entry() incorrectly assumes that a map was added and sets num_maps = 2. Analysis: ========= The function pcs_parse_one_pinctrl_entry() calls pcs_parse_pinconf() if PCS_HAS_PINCONF is enabled. The function pcs_parse_pinconf() returns 0 to indicate there was no error and num_maps is then set to 2: 980 static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs, 981 struct device_node *np, 982 struct pinctrl_map **map, 983 unsigned *num_maps, 984 const char **pgnames) 985 { 1053 (*map)->type = PIN_MAP_TYPE_MUX_GROUP; 1054 (*map)->data.mux.group = np->name; 1055 (*map)->data.mux.function = np->name; 1056 1057 if (PCS_HAS_PINCONF && function) { 1058 res = pcs_parse_pinconf(pcs, np, function, map); 1059 if (res) 1060 goto free_pingroups; 1061 *num_maps = 2; 1062 } else { 1063 *num_maps = 1; 1064 } However, pcs_parse_pinconf() will also return 0 if !PCS_HAS_PINCONF or !nconfs. I believe these conditions should indicate that no map was added by returning -ENOTSUPP. Otherwise pcs_parse_one_pinctrl_entry() will set num_maps = 2 even though no maps were successfully added, as it does not reach "m++" on line 940: 895 static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, 896 struct pcs_function *func, 897 struct pinctrl_map **map) 898 899 { 900 struct pinctrl_map *m = *map; 917 /* If pinconf isn't supported, don't parse properties in below. */ 918 if (!PCS_HAS_PINCONF) 919 return 0; 920 921 /* cacluate how much properties are supported in current node */ 922 for (i = 0; i < ARRAY_SIZE(prop2); i++) { 923 if (of_find_property(np, prop2[i].name, NULL)) 924 nconfs++; 925 } 926 for (i = 0; i < ARRAY_SIZE(prop4); i++) { 927 if (of_find_property(np, prop4[i].name, NULL)) 928 nconfs++; 929 } 930 if (!nconfs) 919 return 0; 932 933 func->conf = devm_kcalloc(pcs->dev, 934 nconfs, sizeof(struct pcs_conf_vals), 935 GFP_KERNEL); 936 if (!func->conf) 937 return -ENOMEM; 938 func->nconfs = nconfs; 939 conf = &(func->conf[0]); 940 m++; This situtation will cause a boot failure [0] on the BeagleBone Black (AM3358) when am33xx_pinmux node in arch/arm/boot/dts/am33xx-l4.dtsi has compatible = "pinconf-single" instead of "pinctrl-single". The patch fixes this issue by returning -ENOSUPP when !PCS_HAS_PINCONF or !nconfs, so that pcs_parse_one_pinctrl_entry() will know that no map was added. Logic is also added to pcs_parse_one_pinctrl_entry() to distinguish between -ENOSUPP and other errors. In the case of -ENOSUPP, num_maps is set to 1 as it is valid for pinconf to be enabled and a given pin group to not any pinconf properties. [0] https://lore.kernel.org/linux-omap/20200529175544.GA3766151@x1/ Fixes: 9dddb4df90d1 ("pinctrl: single: support generic pinconf") Signed-off-by: Drew Fustini Acked-by: Tony Lindgren Link: https://lore.kernel.org/r/20200608125143.GA2789203@x1 Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin --- drivers/pinctrl/pinctrl-single.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c index b8b3d932cd73..f751b5c3bf7e 100644 --- a/drivers/pinctrl/pinctrl-single.c +++ b/drivers/pinctrl/pinctrl-single.c @@ -888,7 +888,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, /* If pinconf isn't supported, don't parse properties in below. */ if (!PCS_HAS_PINCONF) - return 0; + return -ENOTSUPP; /* cacluate how much properties are supported in current node */ for (i = 0; i < ARRAY_SIZE(prop2); i++) { @@ -900,7 +900,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, nconfs++; } if (!nconfs) - return 0; + return -ENOTSUPP; func->conf = devm_kzalloc(pcs->dev, sizeof(struct pcs_conf_vals) * nconfs, @@ -1024,9 +1024,12 @@ static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs, if (PCS_HAS_PINCONF) { res = pcs_parse_pinconf(pcs, np, function, map); - if (res) + if (res == 0) + *num_maps = 2; + else if (res == -ENOTSUPP) + *num_maps = 1; + else goto free_pingroups; - *num_maps = 2; } else { *num_maps = 1; } From 7ee1fff8cd878bd961a2c9aeded72dc0c7700d13 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Fri, 14 Aug 2020 11:16:17 -0700 Subject: [PATCH 294/386] x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task [ Upstream commit 8ab49526b53d3172d1d8dd03a75c7d1f5bd21239 ] syzbot found its way in 86_fsgsbase_read_task() and triggered this oops: KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 6866 Comm: syz-executor262 Not tainted 5.8.0-syzkaller #0 RIP: 0010:x86_fsgsbase_read_task+0x16d/0x310 arch/x86/kernel/process_64.c:393 Call Trace: putreg32+0x3ab/0x530 arch/x86/kernel/ptrace.c:876 genregs32_set arch/x86/kernel/ptrace.c:1026 [inline] genregs32_set+0xa4/0x100 arch/x86/kernel/ptrace.c:1006 copy_regset_from_user include/linux/regset.h:326 [inline] ia32_arch_ptrace arch/x86/kernel/ptrace.c:1061 [inline] compat_arch_ptrace+0x36c/0xd90 arch/x86/kernel/ptrace.c:1198 __do_compat_sys_ptrace kernel/ptrace.c:1420 [inline] __se_compat_sys_ptrace kernel/ptrace.c:1389 [inline] __ia32_compat_sys_ptrace+0x220/0x2f0 kernel/ptrace.c:1389 do_syscall_32_irqs_on arch/x86/entry/common.c:84 [inline] __do_fast_syscall_32+0x57/0x80 arch/x86/entry/common.c:126 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c This can happen if ptrace() or sigreturn() pokes an LDT selector into FS or GS for a task with no LDT and something tries to read the base before a return to usermode notices the bad selector and fixes it. The fix is to make sure ldt pointer is not NULL. Fixes: 07e1d88adaae ("x86/fsgsbase/64: Fix ptrace() to read the FS/GS base accurately") Co-developed-by: Jann Horn Signed-off-by: Eric Dumazet Reported-by: syzbot Acked-by: Andy Lutomirski Cc: Chang S. Bae Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Dave Hansen Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Markus T Metzger Cc: Peter Zijlstra Cc: Ravi Shankar Cc: Rik van Riel Cc: Thomas Gleixner Cc: Ingo Molnar Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin --- arch/x86/kernel/ptrace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c index 734549492a18..dc4d27000aa3 100644 --- a/arch/x86/kernel/ptrace.c +++ b/arch/x86/kernel/ptrace.c @@ -374,7 +374,7 @@ static unsigned long task_seg_base(struct task_struct *task, */ mutex_lock(&task->mm->context.lock); ldt = task->mm->context.ldt; - if (unlikely(idx >= ldt->nr_entries)) + if (unlikely(!ldt || idx >= ldt->nr_entries)) base = 0; else base = get_desc_base(ldt->entries + idx); From ffe484d867918a019b55a16b7e1821d2504b89d8 Mon Sep 17 00:00:00 2001 From: Jian Cai Date: Mon, 22 Jun 2020 16:24:33 -0700 Subject: [PATCH 295/386] crypto: aesni - add compatibility with IAS [ Upstream commit 44069737ac9625a0f02f0f7f5ab96aae4cd819bc ] Clang's integrated assembler complains "invalid reassignment of non-absolute variable 'var_ddq_add'" while assembling arch/x86/crypto/aes_ctrby8_avx-x86_64.S. It was because var_ddq_add was reassigned with non-absolute values several times, which IAS did not support. We can avoid the reassignment by replacing the uses of var_ddq_add with its definitions accordingly to have compatilibility with IAS. Link: https://github.com/ClangBuiltLinux/linux/issues/1008 Reported-by: Sedat Dilek Reported-by: Fangrui Song Tested-by: Sedat Dilek # build+boot Linux v5.7.5; clang v11.0.0-git Signed-off-by: Jian Cai Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin --- arch/x86/crypto/aes_ctrby8_avx-x86_64.S | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/arch/x86/crypto/aes_ctrby8_avx-x86_64.S b/arch/x86/crypto/aes_ctrby8_avx-x86_64.S index 5f6a5af9c489..77043a82da51 100644 --- a/arch/x86/crypto/aes_ctrby8_avx-x86_64.S +++ b/arch/x86/crypto/aes_ctrby8_avx-x86_64.S @@ -127,10 +127,6 @@ ddq_add_8: /* generate a unique variable for ddq_add_x */ -.macro setddq n - var_ddq_add = ddq_add_\n -.endm - /* generate a unique variable for xmm register */ .macro setxdata n var_xdata = %xmm\n @@ -140,9 +136,7 @@ ddq_add_8: .macro club name, id .altmacro - .if \name == DDQ_DATA - setddq %\id - .elseif \name == XDATA + .if \name == XDATA setxdata %\id .endif .noaltmacro @@ -165,9 +159,8 @@ ddq_add_8: .set i, 1 .rept (by - 1) - club DDQ_DATA, i club XDATA, i - vpaddq var_ddq_add(%rip), xcounter, var_xdata + vpaddq (ddq_add_1 + 16 * (i - 1))(%rip), xcounter, var_xdata vptest ddq_low_msk(%rip), var_xdata jnz 1f vpaddq ddq_high_add_1(%rip), var_xdata, var_xdata @@ -180,8 +173,7 @@ ddq_add_8: vmovdqa 1*16(p_keys), xkeyA vpxor xkey0, xdata0, xdata0 - club DDQ_DATA, by - vpaddq var_ddq_add(%rip), xcounter, xcounter + vpaddq (ddq_add_1 + 16 * (by - 1))(%rip), xcounter, xcounter vptest ddq_low_msk(%rip), xcounter jnz 1f vpaddq ddq_high_add_1(%rip), xcounter, xcounter From a1b1a3d2dff2ac034682eb8610eec83e0efd33b0 Mon Sep 17 00:00:00 2001 From: John Ogness Date: Thu, 13 Aug 2020 21:45:25 +0206 Subject: [PATCH 296/386] af_packet: TPACKET_V3: fix fill status rwlock imbalance [ Upstream commit 88fd1cb80daa20af063bce81e1fad14e945a8dc4 ] After @blk_fill_in_prog_lock is acquired there is an early out vnet situation that can occur. In that case, the rwlock needs to be released. Also, since @blk_fill_in_prog_lock is only acquired when @tp_version is exactly TPACKET_V3, only release it on that exact condition as well. And finally, add sparse annotation so that it is clearer that prb_fill_curr_block() and prb_clear_blk_fill_status() are acquiring and releasing @blk_fill_in_prog_lock, respectively. sparse is still unable to understand the balance, but the warnings are now on a higher level that make more sense. Fixes: 632ca50f2cbd ("af_packet: TPACKET_V3: replace busy-wait loop") Signed-off-by: John Ogness Reported-by: kernel test robot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/packet/af_packet.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 102750bd751c..c2356611b3cb 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -989,6 +989,7 @@ static int prb_queue_frozen(struct tpacket_kbdq_core *pkc) } static void prb_clear_blk_fill_status(struct packet_ring_buffer *rb) + __releases(&pkc->blk_fill_in_prog_lock) { struct tpacket_kbdq_core *pkc = GET_PBDQC_FROM_RB(rb); atomic_dec(&pkc->blk_fill_in_prog); @@ -1036,6 +1037,7 @@ static void prb_fill_curr_block(char *curr, struct tpacket_kbdq_core *pkc, struct tpacket_block_desc *pbd, unsigned int len) + __acquires(&pkc->blk_fill_in_prog_lock) { struct tpacket3_hdr *ppd; @@ -2311,8 +2313,11 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, if (do_vnet && virtio_net_hdr_from_skb(skb, h.raw + macoff - sizeof(struct virtio_net_hdr), - vio_le(), true, 0)) + vio_le(), true, 0)) { + if (po->tp_version == TPACKET_V3) + prb_clear_blk_fill_status(&po->rx_ring); goto drop_n_account; + } if (po->tp_version <= TPACKET_V2) { packet_increment_rx_head(po, &po->rx_ring); @@ -2418,7 +2423,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, __clear_bit(slot_id, po->rx_ring.rx_owner_map); spin_unlock(&sk->sk_receive_queue.lock); sk->sk_data_ready(sk); - } else { + } else if (po->tp_version == TPACKET_V3) { prb_clear_blk_fill_status(&po->rx_ring); } From beafe1d05798982ae21db383884611bb389a1639 Mon Sep 17 00:00:00 2001 From: Xie He Date: Wed, 5 Aug 2020 18:50:40 -0700 Subject: [PATCH 297/386] drivers/net/wan/lapbether: Added needed_headroom and a skb->len check [ Upstream commit c7ca03c216acb14466a713fedf1b9f2c24994ef2 ] 1. Added a skb->len check This driver expects upper layers to include a pseudo header of 1 byte when passing down a skb for transmission. This driver will read this 1-byte header. This patch added a skb->len check before reading the header to make sure the header exists. 2. Changed to use needed_headroom instead of hard_header_len to request necessary headroom to be allocated In net/packet/af_packet.c, the function packet_snd first reserves a headroom of length (dev->hard_header_len + dev->needed_headroom). Then if the socket is a SOCK_DGRAM socket, it calls dev_hard_header, which calls dev->header_ops->create, to create the link layer header. If the socket is a SOCK_RAW socket, it "un-reserves" a headroom of length (dev->hard_header_len), and assumes the user to provide the appropriate link layer header. So according to the logic of af_packet.c, dev->hard_header_len should be the length of the header that would be created by dev->header_ops->create. However, this driver doesn't provide dev->header_ops, so logically dev->hard_header_len should be 0. So we should use dev->needed_headroom instead of dev->hard_header_len to request necessary headroom to be allocated. This change fixes kernel panic when this driver is used with AF_PACKET SOCK_RAW sockets. Call stack when panic: [ 168.399197] skbuff: skb_under_panic: text:ffffffff819d95fb len:20 put:14 head:ffff8882704c0a00 data:ffff8882704c09fd tail:0x11 end:0xc0 dev:veth0 ... [ 168.399255] Call Trace: [ 168.399259] skb_push.cold+0x14/0x24 [ 168.399262] eth_header+0x2b/0xc0 [ 168.399267] lapbeth_data_transmit+0x9a/0xb0 [lapbether] [ 168.399275] lapb_data_transmit+0x22/0x2c [lapb] [ 168.399277] lapb_transmit_buffer+0x71/0xb0 [lapb] [ 168.399279] lapb_kick+0xe3/0x1c0 [lapb] [ 168.399281] lapb_data_request+0x76/0xc0 [lapb] [ 168.399283] lapbeth_xmit+0x56/0x90 [lapbether] [ 168.399286] dev_hard_start_xmit+0x91/0x1f0 [ 168.399289] ? irq_init_percpu_irqstack+0xc0/0x100 [ 168.399291] __dev_queue_xmit+0x721/0x8e0 [ 168.399295] ? packet_parse_headers.isra.0+0xd2/0x110 [ 168.399297] dev_queue_xmit+0x10/0x20 [ 168.399298] packet_sendmsg+0xbf0/0x19b0 ...... Cc: Willem de Bruijn Cc: Martin Schiller Cc: Brian Norris Signed-off-by: Xie He Acked-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/wan/lapbether.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c index ac34257e9f20..c94dfa70f2a3 100644 --- a/drivers/net/wan/lapbether.c +++ b/drivers/net/wan/lapbether.c @@ -160,6 +160,12 @@ static netdev_tx_t lapbeth_xmit(struct sk_buff *skb, if (!netif_running(dev)) goto drop; + /* There should be a pseudo header of 1 byte added by upper layers. + * Check to make sure it is there before reading it. + */ + if (skb->len < 1) + goto drop; + switch (skb->data[0]) { case X25_IFACE_DATA: break; @@ -308,6 +314,7 @@ static void lapbeth_setup(struct net_device *dev) dev->netdev_ops = &lapbeth_netdev_ops; dev->needs_free_netdev = true; dev->type = ARPHRD_X25; + dev->hard_header_len = 0; dev->mtu = 1000; dev->addr_len = 0; } @@ -334,7 +341,8 @@ static int lapbeth_new_device(struct net_device *dev) * then this driver prepends a length field of 2 bytes, * then the underlying Ethernet device prepends its own header. */ - ndev->hard_header_len = -1 + 3 + 2 + dev->hard_header_len; + ndev->needed_headroom = -1 + 3 + 2 + dev->hard_header_len + + dev->needed_headroom; lapbeth = netdev_priv(ndev); lapbeth->axdev = ndev; From 980415fffec6952602edac586eb8c3a7d3f50b43 Mon Sep 17 00:00:00 2001 From: Qingyu Li Date: Mon, 10 Aug 2020 09:51:00 +0800 Subject: [PATCH 298/386] net/nfc/rawsock.c: add CAP_NET_RAW check. [ Upstream commit 26896f01467a28651f7a536143fe5ac8449d4041 ] When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first. Signed-off-by: Qingyu Li Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/nfc/rawsock.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c index e2188deb08dc..b927730d9ab0 100644 --- a/net/nfc/rawsock.c +++ b/net/nfc/rawsock.c @@ -344,10 +344,13 @@ static int rawsock_create(struct net *net, struct socket *sock, if ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW)) return -ESOCKTNOSUPPORT; - if (sock->type == SOCK_RAW) + if (sock->type == SOCK_RAW) { + if (!capable(CAP_NET_RAW)) + return -EPERM; sock->ops = &rawsock_raw_ops; - else + } else { sock->ops = &rawsock_ops; + } sk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern); if (!sk) From 6de6d1ca5f3e8383cb175777f0e9aba7a3c397f5 Mon Sep 17 00:00:00 2001 From: Tim Froidcoeur Date: Tue, 11 Aug 2020 20:33:23 +0200 Subject: [PATCH 299/386] net: refactor bind_bucket fastreuse into helper [ Upstream commit 62ffc589abb176821662efc4525ee4ac0b9c3894 ] Refactor the fastreuse update code in inet_csk_get_port into a small helper function that can be called from other places. Acked-by: Matthieu Baerts Signed-off-by: Tim Froidcoeur Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- include/net/inet_connection_sock.h | 4 ++ net/ipv4/inet_connection_sock.c | 93 ++++++++++++++++-------------- 2 files changed, 55 insertions(+), 42 deletions(-) diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h index 13e4c89a8231..ceab3a5dd530 100644 --- a/include/net/inet_connection_sock.h +++ b/include/net/inet_connection_sock.h @@ -321,5 +321,9 @@ int inet_csk_compat_getsockopt(struct sock *sk, int level, int optname, int inet_csk_compat_setsockopt(struct sock *sk, int level, int optname, char __user *optval, unsigned int optlen); +/* update the fast reuse flag when adding a socket */ +void inet_csk_update_fastreuse(struct inet_bind_bucket *tb, + struct sock *sk); + struct dst_entry *inet_csk_update_pmtu(struct sock *sk, u32 mtu); #endif /* _INET_CONNECTION_SOCK_H */ diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c index 7826fba34b14..08ba0f91f2ab 100644 --- a/net/ipv4/inet_connection_sock.c +++ b/net/ipv4/inet_connection_sock.c @@ -276,51 +276,12 @@ static inline int sk_reuseport_match(struct inet_bind_bucket *tb, ipv6_only_sock(sk), true); } -/* Obtain a reference to a local port for the given sock, - * if snum is zero it means select any available local port. - * We try to allocate an odd port (and leave even ports for connect()) - */ -int inet_csk_get_port(struct sock *sk, unsigned short snum) +void inet_csk_update_fastreuse(struct inet_bind_bucket *tb, + struct sock *sk) { - bool reuse = sk->sk_reuse && sk->sk_state != TCP_LISTEN; - struct inet_hashinfo *hinfo = sk->sk_prot->h.hashinfo; - int ret = 1, port = snum; - struct inet_bind_hashbucket *head; - struct net *net = sock_net(sk); - struct inet_bind_bucket *tb = NULL; kuid_t uid = sock_i_uid(sk); + bool reuse = sk->sk_reuse && sk->sk_state != TCP_LISTEN; - if (!port) { - head = inet_csk_find_open_port(sk, &tb, &port); - if (!head) - return ret; - if (!tb) - goto tb_not_found; - goto success; - } - head = &hinfo->bhash[inet_bhashfn(net, port, - hinfo->bhash_size)]; - spin_lock_bh(&head->lock); - inet_bind_bucket_for_each(tb, &head->chain) - if (net_eq(ib_net(tb), net) && tb->port == port) - goto tb_found; -tb_not_found: - tb = inet_bind_bucket_create(hinfo->bind_bucket_cachep, - net, head, port); - if (!tb) - goto fail_unlock; -tb_found: - if (!hlist_empty(&tb->owners)) { - if (sk->sk_reuse == SK_FORCE_REUSE) - goto success; - - if ((tb->fastreuse > 0 && reuse) || - sk_reuseport_match(tb, sk)) - goto success; - if (inet_csk_bind_conflict(sk, tb, true, true)) - goto fail_unlock; - } -success: if (hlist_empty(&tb->owners)) { tb->fastreuse = reuse; if (sk->sk_reuseport) { @@ -364,6 +325,54 @@ success: tb->fastreuseport = 0; } } +} + +/* Obtain a reference to a local port for the given sock, + * if snum is zero it means select any available local port. + * We try to allocate an odd port (and leave even ports for connect()) + */ +int inet_csk_get_port(struct sock *sk, unsigned short snum) +{ + bool reuse = sk->sk_reuse && sk->sk_state != TCP_LISTEN; + struct inet_hashinfo *hinfo = sk->sk_prot->h.hashinfo; + int ret = 1, port = snum; + struct inet_bind_hashbucket *head; + struct net *net = sock_net(sk); + struct inet_bind_bucket *tb = NULL; + + if (!port) { + head = inet_csk_find_open_port(sk, &tb, &port); + if (!head) + return ret; + if (!tb) + goto tb_not_found; + goto success; + } + head = &hinfo->bhash[inet_bhashfn(net, port, + hinfo->bhash_size)]; + spin_lock_bh(&head->lock); + inet_bind_bucket_for_each(tb, &head->chain) + if (net_eq(ib_net(tb), net) && tb->port == port) + goto tb_found; +tb_not_found: + tb = inet_bind_bucket_create(hinfo->bind_bucket_cachep, + net, head, port); + if (!tb) + goto fail_unlock; +tb_found: + if (!hlist_empty(&tb->owners)) { + if (sk->sk_reuse == SK_FORCE_REUSE) + goto success; + + if ((tb->fastreuse > 0 && reuse) || + sk_reuseport_match(tb, sk)) + goto success; + if (inet_csk_bind_conflict(sk, tb, true, true)) + goto fail_unlock; + } +success: + inet_csk_update_fastreuse(tb, sk); + if (!inet_csk(sk)->icsk_bind_hash) inet_bind_hash(sk, tb, port); WARN_ON(inet_csk(sk)->icsk_bind_hash != tb); From bb70a1cbe5e470cf740f33091190b144c8a99461 Mon Sep 17 00:00:00 2001 From: Miaohe Lin Date: Thu, 6 Aug 2020 19:53:16 +0800 Subject: [PATCH 300/386] net: Set fput_needed iff FDPUT_FPUT is set [ Upstream commit ce787a5a074a86f76f5d3fd804fa78e01bfb9e89 ] We should fput() file iff FDPUT_FPUT is set. So we should set fput_needed accordingly. Fixes: 00e188ef6a7e ("sockfd_lookup_light(): switch to fdget^W^Waway from fget_light") Signed-off-by: Miaohe Lin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/socket.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/socket.c b/net/socket.c index 6a5ec658fcd8..c74cfe1ee169 100644 --- a/net/socket.c +++ b/net/socket.c @@ -496,7 +496,7 @@ static struct socket *sockfd_lookup_light(int fd, int *err, int *fput_needed) if (f.file) { sock = sock_from_file(f.file, err); if (likely(sock)) { - *fput_needed = f.flags; + *fput_needed = f.flags & FDPUT_FPUT; return sock; } fdput(f); From b00b89e16ecf186153a5c62b15a940b991a6a3ef Mon Sep 17 00:00:00 2001 From: Brant Merryman Date: Fri, 26 Jun 2020 04:24:20 +0000 Subject: [PATCH 301/386] USB: serial: cp210x: re-enable auto-RTS on open commit c7614ff9b73a1e6fb2b1b51396da132ed22fecdb upstream. CP210x hardware disables auto-RTS but leaves auto-CTS when in hardware flow control mode and UART on cp210x hardware is disabled. When re-opening the port, if auto-CTS is enabled on the cp210x, then auto-RTS must be re-enabled in the driver. Signed-off-by: Brant Merryman Co-developed-by: Phu Luu Signed-off-by: Phu Luu Link: https://lore.kernel.org/r/ECCF8E73-91F3-4080-BE17-1714BC8818FB@silabs.com [ johan: fix up tags and problem description ] Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control") Cc: stable # 2.6.12 Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/usb/serial/cp210x.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c index 8dd9852f399d..9ed3e0cc717e 100644 --- a/drivers/usb/serial/cp210x.c +++ b/drivers/usb/serial/cp210x.c @@ -925,6 +925,7 @@ static void cp210x_get_termios_port(struct usb_serial_port *port, u32 baud; u16 bits; u32 ctl_hs; + u32 flow_repl; cp210x_read_u32_reg(port, CP210X_GET_BAUDRATE, &baud); @@ -1025,6 +1026,22 @@ static void cp210x_get_termios_port(struct usb_serial_port *port, ctl_hs = le32_to_cpu(flow_ctl.ulControlHandshake); if (ctl_hs & CP210X_SERIAL_CTS_HANDSHAKE) { dev_dbg(dev, "%s - flow control = CRTSCTS\n", __func__); + /* + * When the port is closed, the CP210x hardware disables + * auto-RTS and RTS is deasserted but it leaves auto-CTS when + * in hardware flow control mode. When re-opening the port, if + * auto-CTS is enabled on the cp210x, then auto-RTS must be + * re-enabled in the driver. + */ + flow_repl = le32_to_cpu(flow_ctl.ulFlowReplace); + flow_repl &= ~CP210X_SERIAL_RTS_MASK; + flow_repl |= CP210X_SERIAL_RTS_SHIFT(CP210X_SERIAL_RTS_FLOW_CTL); + flow_ctl.ulFlowReplace = cpu_to_le32(flow_repl); + cp210x_write_reg_block(port, + CP210X_SET_FLOW, + &flow_ctl, + sizeof(flow_ctl)); + cflag |= CRTSCTS; } else { dev_dbg(dev, "%s - flow control = NONE\n", __func__); From 11a800116d76d3466739c9de6d1056d248f6dc05 Mon Sep 17 00:00:00 2001 From: Brant Merryman Date: Fri, 26 Jun 2020 04:22:58 +0000 Subject: [PATCH 302/386] USB: serial: cp210x: enable usb generic throttle/unthrottle commit 4387b3dbb079d482d3c2b43a703ceed4dd27ed28 upstream. Assign the .throttle and .unthrottle functions to be generic function in the driver structure to prevent data loss that can otherwise occur if the host does not enable USB throttling. Signed-off-by: Brant Merryman Co-developed-by: Phu Luu Signed-off-by: Phu Luu Link: https://lore.kernel.org/r/57401AF3-9961-461F-95E1-F8AFC2105F5E@silabs.com [ johan: fix up tags ] Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control") Cc: stable # 2.6.12 Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/usb/serial/cp210x.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c index 9ed3e0cc717e..630c8338d791 100644 --- a/drivers/usb/serial/cp210x.c +++ b/drivers/usb/serial/cp210x.c @@ -271,6 +271,8 @@ static struct usb_serial_driver cp210x_device = { .break_ctl = cp210x_break_ctl, .set_termios = cp210x_set_termios, .tx_empty = cp210x_tx_empty, + .throttle = usb_serial_generic_throttle, + .unthrottle = usb_serial_generic_unthrottle, .tiocmget = cp210x_tiocmget, .tiocmset = cp210x_tiocmset, .attach = cp210x_attach, From b10bafd333b75f9f85f99d2d96f5e33c50664679 Mon Sep 17 00:00:00 2001 From: Mirko Dietrich Date: Thu, 6 Aug 2020 14:48:50 +0200 Subject: [PATCH 303/386] ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support commit fec9008828cde0076aae595ac031bfcf49d335a4 upstream. Adds an entry for Creative USB X-Fi to the rc_config array in mixer_quirks.c to allow use of volume knob on the device. Adds support for newer X-Fi Pro card, known as "Model No. SB1095" with USB ID "041e:3263" Signed-off-by: Mirko Dietrich Cc: Link: https://lore.kernel.org/r/20200806124850.20334-1-buzz@l4m1.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/usb/mixer_quirks.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c index 5604cce30a58..d7878ed5ecc0 100644 --- a/sound/usb/mixer_quirks.c +++ b/sound/usb/mixer_quirks.c @@ -196,6 +196,7 @@ static const struct rc_config { { USB_ID(0x041e, 0x3042), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 */ { USB_ID(0x041e, 0x30df), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */ { USB_ID(0x041e, 0x3237), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */ + { USB_ID(0x041e, 0x3263), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */ { USB_ID(0x041e, 0x3048), 2, 2, 6, 6, 2, 0x6e91 }, /* Toshiba SB0500 */ }; From 6fa2227bb563179772163d02697703493e2e1606 Mon Sep 17 00:00:00 2001 From: Hector Martin Date: Mon, 10 Aug 2020 13:53:19 +0900 Subject: [PATCH 304/386] ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109 commit 14a720dc1f5332f3bdf30a23a3bc549e81be974c upstream. Matching by device matches all interfaces, which breaks the video/HID portions of the device depending on module load order. Fixes: e337bf19f6af ("ALSA: usb-audio: add quirk for MacroSilicon MS2109") Cc: stable@vger.kernel.org Signed-off-by: Hector Martin Link: https://lore.kernel.org/r/20200810045319.128745-1-marcan@marcan.st Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/usb/quirks-table.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h index ec56ce382061..69df7862dc26 100644 --- a/sound/usb/quirks-table.h +++ b/sound/usb/quirks-table.h @@ -3335,7 +3335,13 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"), * with. */ { - USB_DEVICE(0x534d, 0x2109), + .match_flags = USB_DEVICE_ID_MATCH_DEVICE | + USB_DEVICE_ID_MATCH_INT_CLASS | + USB_DEVICE_ID_MATCH_INT_SUBCLASS, + .idVendor = 0x534d, + .idProduct = 0x2109, + .bInterfaceClass = USB_CLASS_AUDIO, + .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL, .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { .vendor_name = "MacroSilicon", .product_name = "MS2109", From 17b84284d2a2b49f5fe625d063cd0a0ac58e10e1 Mon Sep 17 00:00:00 2001 From: Hector Martin Date: Mon, 10 Aug 2020 17:25:02 +0900 Subject: [PATCH 305/386] ALSA: usb-audio: add quirk for Pioneer DDJ-RB commit 6e8596172ee1cd46ec0bfd5adcf4ff86371478b6 upstream. This is just another Pioneer device with fixed endpoints. Input is dummy but used as feedback (it always returns silence). Cc: stable@vger.kernel.org Signed-off-by: Hector Martin Link: https://lore.kernel.org/r/20200810082502.225979-1-marcan@marcan.st Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/usb/quirks-table.h | 56 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h index 69df7862dc26..689fd3103e5b 100644 --- a/sound/usb/quirks-table.h +++ b/sound/usb/quirks-table.h @@ -3380,5 +3380,61 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"), } } }, +{ + /* + * PIONEER DJ DDJ-RB + * PCM is 4 channels out, 2 dummy channels in @ 44.1 fixed + * The feedback for the output is the dummy input. + */ + USB_DEVICE_VENDOR_SPEC(0x2b73, 0x000e), + .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { + .ifnum = QUIRK_ANY_INTERFACE, + .type = QUIRK_COMPOSITE, + .data = (const struct snd_usb_audio_quirk[]) { + { + .ifnum = 0, + .type = QUIRK_AUDIO_FIXED_ENDPOINT, + .data = &(const struct audioformat) { + .formats = SNDRV_PCM_FMTBIT_S24_3LE, + .channels = 4, + .iface = 0, + .altsetting = 1, + .altset_idx = 1, + .endpoint = 0x01, + .ep_attr = USB_ENDPOINT_XFER_ISOC| + USB_ENDPOINT_SYNC_ASYNC, + .rates = SNDRV_PCM_RATE_44100, + .rate_min = 44100, + .rate_max = 44100, + .nr_rates = 1, + .rate_table = (unsigned int[]) { 44100 } + } + }, + { + .ifnum = 0, + .type = QUIRK_AUDIO_FIXED_ENDPOINT, + .data = &(const struct audioformat) { + .formats = SNDRV_PCM_FMTBIT_S24_3LE, + .channels = 2, + .iface = 0, + .altsetting = 1, + .altset_idx = 1, + .endpoint = 0x82, + .ep_attr = USB_ENDPOINT_XFER_ISOC| + USB_ENDPOINT_SYNC_ASYNC| + USB_ENDPOINT_USAGE_IMPLICIT_FB, + .rates = SNDRV_PCM_RATE_44100, + .rate_min = 44100, + .rate_max = 44100, + .nr_rates = 1, + .rate_table = (unsigned int[]) { 44100 } + } + }, + { + .ifnum = -1 + } + } + } +}, #undef USB_DEVICE_VENDOR_SPEC From 454b00bb81679c95f763d3ecdb706d985d053f7a Mon Sep 17 00:00:00 2001 From: Tom Rix Date: Mon, 13 Jul 2020 07:06:34 -0700 Subject: [PATCH 306/386] crypto: qat - fix double free in qat_uclo_create_batch_init_list commit c06c76602e03bde24ee69a2022a829127e504202 upstream. clang static analysis flags this error qat_uclo.c:297:3: warning: Attempt to free released memory [unix.Malloc] kfree(*init_tab_base); ^~~~~~~~~~~~~~~~~~~~~ When input *init_tab_base is null, the function allocates memory for the head of the list. When there is problem allocating other list elements the list is unwound and freed. Then a check is made if the list head was allocated and is also freed. Keeping track of the what may need to be freed is the variable 'tail_old'. The unwinding/freeing block is while (tail_old) { mem_init = tail_old->next; kfree(tail_old); tail_old = mem_init; } The problem is that the first element of tail_old is also what was allocated for the list head init_header = kzalloc(sizeof(*init_header), GFP_KERNEL); ... *init_tab_base = init_header; flag = 1; } tail_old = init_header; So *init_tab_base/init_header are freed twice. There is another problem. When the input *init_tab_base is non null the tail_old is calculated by traveling down the list to first non null entry. tail_old = init_header; while (tail_old->next) tail_old = tail_old->next; When the unwinding free happens, the last entry of the input list will be freed. So the freeing needs a general changed. If locally allocated the first element of tail_old is freed, else it is skipped. As a bit of cleanup, reset *init_tab_base if it came in as null. Fixes: b4b7e67c917f ("crypto: qat - Intel(R) QAT ucode part of fw loader") Cc: Signed-off-by: Tom Rix Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- drivers/crypto/qat/qat_common/qat_uclo.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/qat/qat_common/qat_uclo.c b/drivers/crypto/qat/qat_common/qat_uclo.c index e2454d90d949..4f1cd83bf56f 100644 --- a/drivers/crypto/qat/qat_common/qat_uclo.c +++ b/drivers/crypto/qat/qat_common/qat_uclo.c @@ -332,13 +332,18 @@ static int qat_uclo_create_batch_init_list(struct icp_qat_fw_loader_handle } return 0; out_err: + /* Do not free the list head unless we allocated it. */ + tail_old = tail_old->next; + if (flag) { + kfree(*init_tab_base); + *init_tab_base = NULL; + } + while (tail_old) { mem_init = tail_old->next; kfree(tail_old); tail_old = mem_init; } - if (flag) - kfree(*init_tab_base); return -ENOMEM; } From 99e69b921dae3ebe63d2c424ce00f91b4cab2826 Mon Sep 17 00:00:00 2001 From: John Allen Date: Mon, 22 Jun 2020 15:24:02 -0500 Subject: [PATCH 307/386] crypto: ccp - Fix use of merged scatterlists commit 8a302808c60d441d9884cb00ea7f2b534f2e3ca5 upstream. Running the crypto manager self tests with CONFIG_CRYPTO_MANAGER_EXTRA_TESTS may result in several types of errors when using the ccp-crypto driver: alg: skcipher: cbc-des3-ccp encryption failed on test vector 0; expected_error=0, actual_error=-5 ... alg: skcipher: ctr-aes-ccp decryption overran dst buffer on test vector 0 ... alg: ahash: sha224-ccp test failed (wrong result) on test vector ... These errors are the result of improper processing of scatterlists mapped for DMA. Given a scatterlist in which entries are merged as part of mapping the scatterlist for DMA, the DMA length of a merged entry will reflect the combined length of the entries that were merged. The subsequent scatterlist entry will contain DMA information for the scatterlist entry after the last merged entry, but the non-DMA information will be that of the first merged entry. The ccp driver does not take this scatterlist merging into account. To address this, add a second scatterlist pointer to track the current position in the DMA mapped representation of the scatterlist. Both the DMA representation and the original representation of the scatterlist must be tracked as while most of the driver can use just the DMA representation, scatterlist_map_and_copy() must use the original representation and expects the scatterlist pointer to be accurate to the original representation. In order to properly walk the original scatterlist, the scatterlist must be walked until the combined lengths of the entries seen is equal to the DMA length of the current entry being processed in the DMA mapped representation. Fixes: 63b945091a070 ("crypto: ccp - CCP device driver and interface support") Signed-off-by: John Allen Cc: stable@vger.kernel.org Acked-by: Tom Lendacky Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- drivers/crypto/ccp/ccp-dev.h | 1 + drivers/crypto/ccp/ccp-ops.c | 37 +++++++++++++++++++++++++----------- 2 files changed, 27 insertions(+), 11 deletions(-) diff --git a/drivers/crypto/ccp/ccp-dev.h b/drivers/crypto/ccp/ccp-dev.h index 7442b0422f8a..bd43b5c1450c 100644 --- a/drivers/crypto/ccp/ccp-dev.h +++ b/drivers/crypto/ccp/ccp-dev.h @@ -471,6 +471,7 @@ struct ccp_sg_workarea { unsigned int sg_used; struct scatterlist *dma_sg; + struct scatterlist *dma_sg_head; struct device *dma_dev; unsigned int dma_count; enum dma_data_direction dma_dir; diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c index 43b74cf0787e..626b643d610e 100644 --- a/drivers/crypto/ccp/ccp-ops.c +++ b/drivers/crypto/ccp/ccp-ops.c @@ -67,7 +67,7 @@ static u32 ccp_gen_jobid(struct ccp_device *ccp) static void ccp_sg_free(struct ccp_sg_workarea *wa) { if (wa->dma_count) - dma_unmap_sg(wa->dma_dev, wa->dma_sg, wa->nents, wa->dma_dir); + dma_unmap_sg(wa->dma_dev, wa->dma_sg_head, wa->nents, wa->dma_dir); wa->dma_count = 0; } @@ -96,6 +96,7 @@ static int ccp_init_sg_workarea(struct ccp_sg_workarea *wa, struct device *dev, return 0; wa->dma_sg = sg; + wa->dma_sg_head = sg; wa->dma_dev = dev; wa->dma_dir = dma_dir; wa->dma_count = dma_map_sg(dev, sg, wa->nents, dma_dir); @@ -108,14 +109,28 @@ static int ccp_init_sg_workarea(struct ccp_sg_workarea *wa, struct device *dev, static void ccp_update_sg_workarea(struct ccp_sg_workarea *wa, unsigned int len) { unsigned int nbytes = min_t(u64, len, wa->bytes_left); + unsigned int sg_combined_len = 0; if (!wa->sg) return; wa->sg_used += nbytes; wa->bytes_left -= nbytes; - if (wa->sg_used == wa->sg->length) { - wa->sg = sg_next(wa->sg); + if (wa->sg_used == sg_dma_len(wa->dma_sg)) { + /* Advance to the next DMA scatterlist entry */ + wa->dma_sg = sg_next(wa->dma_sg); + + /* In the case that the DMA mapped scatterlist has entries + * that have been merged, the non-DMA mapped scatterlist + * must be advanced multiple times for each merged entry. + * This ensures that the current non-DMA mapped entry + * corresponds to the current DMA mapped entry. + */ + do { + sg_combined_len += wa->sg->length; + wa->sg = sg_next(wa->sg); + } while (wa->sg_used > sg_combined_len); + wa->sg_used = 0; } } @@ -304,7 +319,7 @@ static unsigned int ccp_queue_buf(struct ccp_data *data, unsigned int from) /* Update the structures and generate the count */ buf_count = 0; while (sg_wa->bytes_left && (buf_count < dm_wa->length)) { - nbytes = min(sg_wa->sg->length - sg_wa->sg_used, + nbytes = min(sg_dma_len(sg_wa->dma_sg) - sg_wa->sg_used, dm_wa->length - buf_count); nbytes = min_t(u64, sg_wa->bytes_left, nbytes); @@ -336,11 +351,11 @@ static void ccp_prepare_data(struct ccp_data *src, struct ccp_data *dst, * and destination. The resulting len values will always be <= UINT_MAX * because the dma length is an unsigned int. */ - sg_src_len = sg_dma_len(src->sg_wa.sg) - src->sg_wa.sg_used; + sg_src_len = sg_dma_len(src->sg_wa.dma_sg) - src->sg_wa.sg_used; sg_src_len = min_t(u64, src->sg_wa.bytes_left, sg_src_len); if (dst) { - sg_dst_len = sg_dma_len(dst->sg_wa.sg) - dst->sg_wa.sg_used; + sg_dst_len = sg_dma_len(dst->sg_wa.dma_sg) - dst->sg_wa.sg_used; sg_dst_len = min_t(u64, src->sg_wa.bytes_left, sg_dst_len); op_len = min(sg_src_len, sg_dst_len); } else { @@ -370,7 +385,7 @@ static void ccp_prepare_data(struct ccp_data *src, struct ccp_data *dst, /* Enough data in the sg element, but we need to * adjust for any previously copied data */ - op->src.u.dma.address = sg_dma_address(src->sg_wa.sg); + op->src.u.dma.address = sg_dma_address(src->sg_wa.dma_sg); op->src.u.dma.offset = src->sg_wa.sg_used; op->src.u.dma.length = op_len & ~(block_size - 1); @@ -391,7 +406,7 @@ static void ccp_prepare_data(struct ccp_data *src, struct ccp_data *dst, /* Enough room in the sg element, but we need to * adjust for any previously used area */ - op->dst.u.dma.address = sg_dma_address(dst->sg_wa.sg); + op->dst.u.dma.address = sg_dma_address(dst->sg_wa.dma_sg); op->dst.u.dma.offset = dst->sg_wa.sg_used; op->dst.u.dma.length = op->src.u.dma.length; } @@ -2034,7 +2049,7 @@ ccp_run_passthru_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) dst.sg_wa.sg_used = 0; for (i = 1; i <= src.sg_wa.dma_count; i++) { if (!dst.sg_wa.sg || - (dst.sg_wa.sg->length < src.sg_wa.sg->length)) { + (sg_dma_len(dst.sg_wa.sg) < sg_dma_len(src.sg_wa.sg))) { ret = -EINVAL; goto e_dst; } @@ -2060,8 +2075,8 @@ ccp_run_passthru_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) goto e_dst; } - dst.sg_wa.sg_used += src.sg_wa.sg->length; - if (dst.sg_wa.sg_used == dst.sg_wa.sg->length) { + dst.sg_wa.sg_used += sg_dma_len(src.sg_wa.sg); + if (dst.sg_wa.sg_used == sg_dma_len(dst.sg_wa.sg)) { dst.sg_wa.sg = sg_next(dst.sg_wa.sg); dst.sg_wa.sg_used = 0; } From a2c4136587cf19066758091eb60694a8f5120897 Mon Sep 17 00:00:00 2001 From: Mikulas Patocka Date: Wed, 17 Jun 2020 09:48:56 -0400 Subject: [PATCH 308/386] crypto: cpt - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not specified commit 9e27c99104707f083dccd3b4d79762859b5a0614 upstream. There is this call chain: cvm_encrypt -> cvm_enc_dec -> cptvf_do_request -> process_request -> kzalloc where we call sleeping allocator function even if CRYPTO_TFM_REQ_MAY_SLEEP was not specified. Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org # v4.11+ Fixes: c694b233295b ("crypto: cavium - Add the Virtual Function driver for CPT") Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- drivers/crypto/cavium/cpt/cptvf_algs.c | 1 + drivers/crypto/cavium/cpt/cptvf_reqmanager.c | 12 ++++++------ drivers/crypto/cavium/cpt/request_manager.h | 2 ++ 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/crypto/cavium/cpt/cptvf_algs.c b/drivers/crypto/cavium/cpt/cptvf_algs.c index df21d996db7e..2d1b28c29a8e 100644 --- a/drivers/crypto/cavium/cpt/cptvf_algs.c +++ b/drivers/crypto/cavium/cpt/cptvf_algs.c @@ -205,6 +205,7 @@ static inline int cvm_enc_dec(struct ablkcipher_request *req, u32 enc) int status; memset(req_info, 0, sizeof(struct cpt_request_info)); + req_info->may_sleep = (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) != 0; memset(fctx, 0, sizeof(struct fc_context)); create_input_list(req, enc, enc_iv_len); create_output_list(req, enc_iv_len); diff --git a/drivers/crypto/cavium/cpt/cptvf_reqmanager.c b/drivers/crypto/cavium/cpt/cptvf_reqmanager.c index b0ba4331944b..43fe69d0981a 100644 --- a/drivers/crypto/cavium/cpt/cptvf_reqmanager.c +++ b/drivers/crypto/cavium/cpt/cptvf_reqmanager.c @@ -136,7 +136,7 @@ static inline int setup_sgio_list(struct cpt_vf *cptvf, /* Setup gather (input) components */ g_sz_bytes = ((req->incnt + 3) / 4) * sizeof(struct sglist_component); - info->gather_components = kzalloc(g_sz_bytes, GFP_KERNEL); + info->gather_components = kzalloc(g_sz_bytes, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); if (!info->gather_components) { ret = -ENOMEM; goto scatter_gather_clean; @@ -153,7 +153,7 @@ static inline int setup_sgio_list(struct cpt_vf *cptvf, /* Setup scatter (output) components */ s_sz_bytes = ((req->outcnt + 3) / 4) * sizeof(struct sglist_component); - info->scatter_components = kzalloc(s_sz_bytes, GFP_KERNEL); + info->scatter_components = kzalloc(s_sz_bytes, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); if (!info->scatter_components) { ret = -ENOMEM; goto scatter_gather_clean; @@ -170,7 +170,7 @@ static inline int setup_sgio_list(struct cpt_vf *cptvf, /* Create and initialize DPTR */ info->dlen = g_sz_bytes + s_sz_bytes + SG_LIST_HDR_SIZE; - info->in_buffer = kzalloc(info->dlen, GFP_KERNEL); + info->in_buffer = kzalloc(info->dlen, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); if (!info->in_buffer) { ret = -ENOMEM; goto scatter_gather_clean; @@ -198,7 +198,7 @@ static inline int setup_sgio_list(struct cpt_vf *cptvf, } /* Create and initialize RPTR */ - info->out_buffer = kzalloc(COMPLETION_CODE_SIZE, GFP_KERNEL); + info->out_buffer = kzalloc(COMPLETION_CODE_SIZE, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); if (!info->out_buffer) { ret = -ENOMEM; goto scatter_gather_clean; @@ -434,7 +434,7 @@ int process_request(struct cpt_vf *cptvf, struct cpt_request_info *req) struct cpt_vq_command vq_cmd; union cpt_inst_s cptinst; - info = kzalloc(sizeof(*info), GFP_KERNEL); + info = kzalloc(sizeof(*info), req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); if (unlikely(!info)) { dev_err(&pdev->dev, "Unable to allocate memory for info_buffer\n"); return -ENOMEM; @@ -456,7 +456,7 @@ int process_request(struct cpt_vf *cptvf, struct cpt_request_info *req) * Get buffer for union cpt_res_s response * structure and its physical address */ - info->completion_addr = kzalloc(sizeof(union cpt_res_s), GFP_KERNEL); + info->completion_addr = kzalloc(sizeof(union cpt_res_s), req->may_sleep ? GFP_KERNEL : GFP_ATOMIC); if (unlikely(!info->completion_addr)) { dev_err(&pdev->dev, "Unable to allocate memory for completion_addr\n"); ret = -ENOMEM; diff --git a/drivers/crypto/cavium/cpt/request_manager.h b/drivers/crypto/cavium/cpt/request_manager.h index 80ee074c6e0c..09930d95ad24 100644 --- a/drivers/crypto/cavium/cpt/request_manager.h +++ b/drivers/crypto/cavium/cpt/request_manager.h @@ -65,6 +65,8 @@ struct cpt_request_info { union ctrl_info ctrl; /* User control information */ struct cptvf_request req; /* Request Information (Core specific) */ + bool may_sleep; + struct buf_ptr in[MAX_BUF_CNT]; struct buf_ptr out[MAX_BUF_CNT]; From b4840e848efa4648a551e3d833bfe7cebde344d2 Mon Sep 17 00:00:00 2001 From: Jakub Kicinski Date: Mon, 10 Aug 2020 11:21:11 -0700 Subject: [PATCH 309/386] bitfield.h: don't compile-time validate _val in FIELD_FIT commit 444da3f52407d74c9aa12187ac6b01f76ee47d62 upstream. When ur_load_imm_any() is inlined into jeq_imm(), it's possible for the compiler to deduce a case where _val can only have the value of -1 at compile time. Specifically, /* struct bpf_insn: _s32 imm */ u64 imm = insn->imm; /* sign extend */ if (imm >> 32) { /* non-zero only if insn->imm is negative */ /* inlined from ur_load_imm_any */ u32 __imm = imm >> 32; /* therefore, always 0xffffffff */ if (__builtin_constant_p(__imm) && __imm > 255) compiletime_assert_XXX() This can result in tripping a BUILD_BUG_ON() in __BF_FIELD_CHECK() that checks that a given value is representable in one byte (interpreted as unsigned). FIELD_FIT() should return true or false at runtime for whether a value can fit for not. Don't break the build over a value that's too large for the mask. We'd prefer to keep the inlining and compiler optimizations though we know this case will always return false. Cc: stable@vger.kernel.org Fixes: 1697599ee301a ("bitfield.h: add FIELD_FIT() helper") Link: https://lore.kernel.org/kernel-hardening/CAK7LNASvb0UDJ0U5wkYYRzTAdnEs64HjXpEUL7d=V0CXiAXcNw@mail.gmail.com/ Reported-by: Masahiro Yamada Debugged-by: Sami Tolvanen Signed-off-by: Jakub Kicinski Signed-off-by: Nick Desaulniers Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- include/linux/bitfield.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/bitfield.h b/include/linux/bitfield.h index f2deb71958b2..a0675db325e0 100644 --- a/include/linux/bitfield.h +++ b/include/linux/bitfield.h @@ -71,7 +71,7 @@ */ #define FIELD_FIT(_mask, _val) \ ({ \ - __BF_FIELD_CHECK(_mask, 0ULL, _val, "FIELD_FIT: "); \ + __BF_FIELD_CHECK(_mask, 0ULL, 0ULL, "FIELD_FIT: "); \ !((((typeof(_mask))_val) << __bf_shf(_mask)) & ~(_mask)); \ }) From 3c775629a5ffe3f6305f9a4f53d8167f629435ad Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Tue, 11 Aug 2020 18:35:24 -0700 Subject: [PATCH 310/386] fs/minix: check return value of sb_getblk() commit da27e0a0e5f655f0d58d4e153c3182bb2b290f64 upstream. Patch series "fs/minix: fix syzbot bugs and set s_maxbytes". This series fixes all syzbot bugs in the minix filesystem: KASAN: null-ptr-deref Write in get_block KASAN: use-after-free Write in get_block KASAN: use-after-free Read in get_block WARNING in inc_nlink KMSAN: uninit-value in get_block WARNING in drop_nlink It also fixes the minix filesystem to set s_maxbytes correctly, so that userspace sees the correct behavior when exceeding the max file size. This patch (of 6): sb_getblk() can fail, so check its return value. This fixes a NULL pointer dereference. Originally from Qiujun Huang. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+4a88b2b9dc280f47baf4@syzkaller.appspotmail.com Signed-off-by: Eric Biggers Signed-off-by: Andrew Morton Cc: Qiujun Huang Cc: Alexander Viro Cc: Link: http://lkml.kernel.org/r/20200628060846.682158-1-ebiggers@kernel.org Link: http://lkml.kernel.org/r/20200628060846.682158-2-ebiggers@kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/minix/itree_common.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/minix/itree_common.c b/fs/minix/itree_common.c index 043c3fdbc8e7..446148792f41 100644 --- a/fs/minix/itree_common.c +++ b/fs/minix/itree_common.c @@ -75,6 +75,7 @@ static int alloc_branch(struct inode *inode, int n = 0; int i; int parent = minix_new_block(inode); + int err = -ENOSPC; branch[0].key = cpu_to_block(parent); if (parent) for (n = 1; n < num; n++) { @@ -85,6 +86,11 @@ static int alloc_branch(struct inode *inode, break; branch[n].key = cpu_to_block(nr); bh = sb_getblk(inode->i_sb, parent); + if (!bh) { + minix_free_block(inode, nr); + err = -ENOMEM; + break; + } lock_buffer(bh); memset(bh->b_data, 0, bh->b_size); branch[n].bh = bh; @@ -103,7 +109,7 @@ static int alloc_branch(struct inode *inode, bforget(branch[i].bh); for (i = 0; i < n; i++) minix_free_block(inode, block_to_cpu(branch[i].key)); - return -ENOSPC; + return err; } static inline int splice_branch(struct inode *inode, From 12490f06ef084bc34f5e5dbda104aa034e376f2e Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Tue, 11 Aug 2020 18:35:27 -0700 Subject: [PATCH 311/386] fs/minix: don't allow getting deleted inodes commit facb03dddec04e4aac1bb2139accdceb04deb1f3 upstream. If an inode has no links, we need to mark it bad rather than allowing it to be accessed. This avoids WARNINGs in inc_nlink() and drop_nlink() when doing directory operations on a fuzzed filesystem. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+a9ac3de1b5de5fb10efc@syzkaller.appspotmail.com Reported-by: syzbot+df958cf5688a96ad3287@syzkaller.appspotmail.com Signed-off-by: Eric Biggers Signed-off-by: Andrew Morton Cc: Alexander Viro Cc: Qiujun Huang Cc: Link: http://lkml.kernel.org/r/20200628060846.682158-3-ebiggers@kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/minix/inode.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/fs/minix/inode.c b/fs/minix/inode.c index b6829d679643..97a6ec14431f 100644 --- a/fs/minix/inode.c +++ b/fs/minix/inode.c @@ -471,6 +471,13 @@ static struct inode *V1_minix_iget(struct inode *inode) iget_failed(inode); return ERR_PTR(-EIO); } + if (raw_inode->i_nlinks == 0) { + printk("MINIX-fs: deleted inode referenced: %lu\n", + inode->i_ino); + brelse(bh); + iget_failed(inode); + return ERR_PTR(-ESTALE); + } inode->i_mode = raw_inode->i_mode; i_uid_write(inode, raw_inode->i_uid); i_gid_write(inode, raw_inode->i_gid); @@ -504,6 +511,13 @@ static struct inode *V2_minix_iget(struct inode *inode) iget_failed(inode); return ERR_PTR(-EIO); } + if (raw_inode->i_nlinks == 0) { + printk("MINIX-fs: deleted inode referenced: %lu\n", + inode->i_ino); + brelse(bh); + iget_failed(inode); + return ERR_PTR(-ESTALE); + } inode->i_mode = raw_inode->i_mode; i_uid_write(inode, raw_inode->i_uid); i_gid_write(inode, raw_inode->i_gid); From 0900097ef667097b0a4afb0155a4f5add77ece19 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Tue, 11 Aug 2020 18:35:30 -0700 Subject: [PATCH 312/386] fs/minix: reject too-large maximum file size commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream. If the minix filesystem tries to map a very large logical block number to its on-disk location, block_to_path() can return offsets that are too large, causing out-of-bounds memory accesses when accessing indirect index blocks. This should be prevented by the check against the maximum file size, but this doesn't work because the maximum file size is read directly from the on-disk superblock and isn't validated itself. Fix this by validating the maximum file size at mount time. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com Signed-off-by: Eric Biggers Signed-off-by: Andrew Morton Cc: Alexander Viro Cc: Qiujun Huang Cc: Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/minix/inode.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/fs/minix/inode.c b/fs/minix/inode.c index 97a6ec14431f..d49337b5abfa 100644 --- a/fs/minix/inode.c +++ b/fs/minix/inode.c @@ -155,6 +155,23 @@ static int minix_remount (struct super_block * sb, int * flags, char * data) return 0; } +static bool minix_check_superblock(struct minix_sb_info *sbi) +{ + if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) + return false; + + /* + * s_max_size must not exceed the block mapping limitation. This check + * is only needed for V1 filesystems, since V2/V3 support an extra level + * of indirect blocks which places the limit well above U32_MAX. + */ + if (sbi->s_version == MINIX_V1 && + sbi->s_max_size > (7 + 512 + 512*512) * BLOCK_SIZE) + return false; + + return true; +} + static int minix_fill_super(struct super_block *s, void *data, int silent) { struct buffer_head *bh; @@ -233,11 +250,12 @@ static int minix_fill_super(struct super_block *s, void *data, int silent) } else goto out_no_fs; + if (!minix_check_superblock(sbi)) + goto out_illegal_sb; + /* * Allocate the buffer map to keep the superblock small. */ - if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) - goto out_illegal_sb; i = (sbi->s_imap_blocks + sbi->s_zmap_blocks) * sizeof(bh); map = kzalloc(i, GFP_KERNEL); if (!map) From ff114bcd7635211d051c6031fac800fd45424ece Mon Sep 17 00:00:00 2001 From: Hector Martin Date: Mon, 10 Aug 2020 17:24:00 +0900 Subject: [PATCH 313/386] ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109 commit 1b7ecc241a67ad6b584e071bd791a54e0cd5f097 upstream. Further investigation of the L-R swap problem on the MS2109 reveals that the problem isn't that the channels are swapped, but rather that they are swapped and also out of phase by one sample. In other words, the issue is actually that the very first frame that comes from the hardware is a half-frame containing only the right channel, and after that everything becomes offset. So introduce a new quirk field to drop the very first 2 bytes that come in after the format is configured and a capture stream starts. This puts the channels in phase and in the correct order. Cc: stable@vger.kernel.org Signed-off-by: Hector Martin Link: https://lore.kernel.org/r/20200810082400.225858-1-marcan@marcan.st Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/usb/card.h | 1 + sound/usb/pcm.c | 6 ++++++ sound/usb/quirks.c | 3 +++ sound/usb/stream.c | 1 + 4 files changed, 11 insertions(+) diff --git a/sound/usb/card.h b/sound/usb/card.h index ed87cc83eb47..0cde519bfa42 100644 --- a/sound/usb/card.h +++ b/sound/usb/card.h @@ -126,6 +126,7 @@ struct snd_usb_substream { unsigned int tx_length_quirk:1; /* add length specifier to transfers */ unsigned int fmt_type; /* USB audio format type (1-3) */ unsigned int pkt_offset_adj; /* Bytes to drop from beginning of packets (for non-compliant devices) */ + unsigned int stream_offset_adj; /* Bytes to drop from beginning of stream (for non-compliant devices) */ unsigned int running: 1; /* running status */ diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c index ff38fca1781b..f27213b846e6 100644 --- a/sound/usb/pcm.c +++ b/sound/usb/pcm.c @@ -1313,6 +1313,12 @@ static void retire_capture_urb(struct snd_usb_substream *subs, // continue; } bytes = urb->iso_frame_desc[i].actual_length; + if (subs->stream_offset_adj > 0) { + unsigned int adj = min(subs->stream_offset_adj, bytes); + cp += adj; + bytes -= adj; + subs->stream_offset_adj -= adj; + } frames = bytes / stride; if (!subs->txfr_quirk) bytes = frames * stride; diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c index cd36394e27ae..4f4dc43e56a7 100644 --- a/sound/usb/quirks.c +++ b/sound/usb/quirks.c @@ -1120,6 +1120,9 @@ void snd_usb_set_format_quirk(struct snd_usb_substream *subs, case USB_ID(0x041e, 0x3f19): /* E-Mu 0204 USB */ set_format_emu_quirk(subs, fmt); break; + case USB_ID(0x534d, 0x2109): /* MacroSilicon MS2109 */ + subs->stream_offset_adj = 2; + break; } } diff --git a/sound/usb/stream.c b/sound/usb/stream.c index d1776e5517ff..452646959586 100644 --- a/sound/usb/stream.c +++ b/sound/usb/stream.c @@ -95,6 +95,7 @@ static void snd_usb_init_substream(struct snd_usb_stream *as, subs->tx_length_quirk = as->chip->tx_length_quirk; subs->speed = snd_usb_get_speed(subs->dev); subs->pkt_offset_adj = 0; + subs->stream_offset_adj = 0; snd_usb_set_pcm_ops(as->pcm, stream); From f337f8a302f715ba280477ecf2cdaeae0d86b45e Mon Sep 17 00:00:00 2001 From: Zheng Bin Date: Mon, 15 Jun 2020 09:21:53 +0800 Subject: [PATCH 314/386] 9p: Fix memory leak in v9fs_mount commit cb0aae0e31c632c407a2cab4307be85a001d4d98 upstream. v9fs_mount v9fs_session_init v9fs_cache_session_get_cookie v9fs_random_cachetag -->alloc cachetag v9ses->fscache = fscache_acquire_cookie -->maybe NULL sb = sget -->fail, goto clunk clunk_fid: v9fs_session_close if (v9ses->fscache) -->NULL kfree(v9ses->cachetag) Thus memleak happens. Link: http://lkml.kernel.org/r/20200615012153.89538-1-zhengbin13@huawei.com Fixes: 60e78d2c993e ("9p: Add fscache support to 9p") Cc: # v2.6.32+ Signed-off-by: Zheng Bin Signed-off-by: Dominique Martinet Signed-off-by: Greg Kroah-Hartman --- fs/9p/v9fs.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c index c52f10efdc9c..b4dbe7b71151 100644 --- a/fs/9p/v9fs.c +++ b/fs/9p/v9fs.c @@ -513,10 +513,9 @@ void v9fs_session_close(struct v9fs_session_info *v9ses) } #ifdef CONFIG_9P_FSCACHE - if (v9ses->fscache) { + if (v9ses->fscache) v9fs_cache_session_put_cookie(v9ses); - kfree(v9ses->cachetag); - } + kfree(v9ses->cachetag); #endif kfree(v9ses->uname); kfree(v9ses->aname); From 2fd8f313a9fdeb06986bd2bb8caa7c87602b9729 Mon Sep 17 00:00:00 2001 From: Christian Eggers Date: Tue, 28 Jul 2020 12:08:32 +0200 Subject: [PATCH 315/386] spi: spidev: Align buffers for DMA commit aa9e862d7d5bcecd4dca9f39e8b684b93dd84ee7 upstream. Simply copying all xfers from userspace into one bounce buffer causes alignment problems if the SPI controller uses DMA. Ensure that all transfer data blocks within the rx and tx bounce buffers are aligned for DMA (according to ARCH_KMALLOC_MINALIGN). Alignment may increase the usage of the bounce buffers. In some cases, the buffers may need to be increased using the "bufsiz" module parameter. Signed-off-by: Christian Eggers Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200728100832.24788-1-ceggers@arri.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman --- drivers/spi/spidev.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c index 167047760d79..e444e7cc6968 100644 --- a/drivers/spi/spidev.c +++ b/drivers/spi/spidev.c @@ -232,6 +232,11 @@ static int spidev_message(struct spidev_data *spidev, for (n = n_xfers, k_tmp = k_xfers, u_tmp = u_xfers; n; n--, k_tmp++, u_tmp++) { + /* Ensure that also following allocations from rx_buf/tx_buf will meet + * DMA alignment requirements. + */ + unsigned int len_aligned = ALIGN(u_tmp->len, ARCH_KMALLOC_MINALIGN); + k_tmp->len = u_tmp->len; total += k_tmp->len; @@ -247,17 +252,17 @@ static int spidev_message(struct spidev_data *spidev, if (u_tmp->rx_buf) { /* this transfer needs space in RX bounce buffer */ - rx_total += k_tmp->len; + rx_total += len_aligned; if (rx_total > bufsiz) { status = -EMSGSIZE; goto done; } k_tmp->rx_buf = rx_buf; - rx_buf += k_tmp->len; + rx_buf += len_aligned; } if (u_tmp->tx_buf) { /* this transfer needs space in TX bounce buffer */ - tx_total += k_tmp->len; + tx_total += len_aligned; if (tx_total > bufsiz) { status = -EMSGSIZE; goto done; @@ -267,7 +272,7 @@ static int spidev_message(struct spidev_data *spidev, (uintptr_t) u_tmp->tx_buf, u_tmp->len)) goto done; - tx_buf += k_tmp->len; + tx_buf += len_aligned; } k_tmp->cs_change = !!u_tmp->cs_change; @@ -297,16 +302,16 @@ static int spidev_message(struct spidev_data *spidev, goto done; /* copy any rx data out of bounce buffer */ - rx_buf = spidev->rx_buffer; - for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) { + for (n = n_xfers, k_tmp = k_xfers, u_tmp = u_xfers; + n; + n--, k_tmp++, u_tmp++) { if (u_tmp->rx_buf) { if (copy_to_user((u8 __user *) - (uintptr_t) u_tmp->rx_buf, rx_buf, + (uintptr_t) u_tmp->rx_buf, k_tmp->rx_buf, u_tmp->len)) { status = -EFAULT; goto done; } - rx_buf += u_tmp->len; } } status = total; From 337be2b46991cf3d5afe3dbb114440946b84fe42 Mon Sep 17 00:00:00 2001 From: Sivaprakash Murugesan Date: Fri, 12 Jun 2020 13:28:15 +0530 Subject: [PATCH 316/386] mtd: rawnand: qcom: avoid write to unavailable register commit 443440cc4a901af462239d286cd10721aa1c7dfc upstream. SFLASHC_BURST_CFG is only available on older ipq NAND platforms, this register has been removed when the NAND controller got implemented in the qpic controller. Avoid writing this register on devices which are based on qpic NAND controller. Fixes: dce84760b09f ("mtd: nand: qcom: Support for IPQ8074 QPIC NAND controller") Cc: stable@vger.kernel.org Signed-off-by: Sivaprakash Murugesan Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/1591948696-16015-2-git-send-email-sivaprak@codeaurora.org Signed-off-by: Greg Kroah-Hartman --- drivers/mtd/nand/qcom_nandc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/nand/qcom_nandc.c b/drivers/mtd/nand/qcom_nandc.c index 65d1be2c3049..b57678970033 100644 --- a/drivers/mtd/nand/qcom_nandc.c +++ b/drivers/mtd/nand/qcom_nandc.c @@ -435,11 +435,13 @@ struct qcom_nand_host { * among different NAND controllers. * @ecc_modes - ecc mode for NAND * @is_bam - whether NAND controller is using BAM + * @is_qpic - whether NAND CTRL is part of qpic IP * @dev_cmd_reg_start - NAND_DEV_CMD_* registers starting offset */ struct qcom_nandc_props { u32 ecc_modes; bool is_bam; + bool is_qpic; u32 dev_cmd_reg_start; }; @@ -2508,7 +2510,8 @@ static int qcom_nandc_setup(struct qcom_nand_controller *nandc) u32 nand_ctrl; /* kill onenand */ - nandc_write(nandc, SFLASHC_BURST_CFG, 0); + if (!nandc->props->is_qpic) + nandc_write(nandc, SFLASHC_BURST_CFG, 0); nandc_write(nandc, dev_cmd_reg_addr(nandc, NAND_DEV_CMD_VLD), NAND_DEV_CMD_VLD_VAL); @@ -2779,12 +2782,14 @@ static const struct qcom_nandc_props ipq806x_nandc_props = { static const struct qcom_nandc_props ipq4019_nandc_props = { .ecc_modes = (ECC_BCH_4BIT | ECC_BCH_8BIT), .is_bam = true, + .is_qpic = true, .dev_cmd_reg_start = 0x0, }; static const struct qcom_nandc_props ipq8074_nandc_props = { .ecc_modes = (ECC_BCH_4BIT | ECC_BCH_8BIT), .is_bam = true, + .is_qpic = true, .dev_cmd_reg_start = 0x7000, }; From 0ca974e9e527afb1e9941f5f13c0cecac8d2b7b6 Mon Sep 17 00:00:00 2001 From: John David Anglin Date: Thu, 30 Jul 2020 08:59:12 -0400 Subject: [PATCH 317/386] parisc: Implement __smp_store_release and __smp_load_acquire barriers commit e96ebd589debd9a6a793608c4ec7019c38785dea upstream. This patch implements the __smp_store_release and __smp_load_acquire barriers using ordered stores and loads. This avoids the sync instruction present in the generic implementation. Cc: # 4.14+ Signed-off-by: Dave Anglin Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman --- arch/parisc/include/asm/barrier.h | 61 +++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/arch/parisc/include/asm/barrier.h b/arch/parisc/include/asm/barrier.h index dbaaca84f27f..640d46edf32e 100644 --- a/arch/parisc/include/asm/barrier.h +++ b/arch/parisc/include/asm/barrier.h @@ -26,6 +26,67 @@ #define __smp_rmb() mb() #define __smp_wmb() mb() +#define __smp_store_release(p, v) \ +do { \ + typeof(p) __p = (p); \ + union { typeof(*p) __val; char __c[1]; } __u = \ + { .__val = (__force typeof(*p)) (v) }; \ + compiletime_assert_atomic_type(*p); \ + switch (sizeof(*p)) { \ + case 1: \ + asm volatile("stb,ma %0,0(%1)" \ + : : "r"(*(__u8 *)__u.__c), "r"(__p) \ + : "memory"); \ + break; \ + case 2: \ + asm volatile("sth,ma %0,0(%1)" \ + : : "r"(*(__u16 *)__u.__c), "r"(__p) \ + : "memory"); \ + break; \ + case 4: \ + asm volatile("stw,ma %0,0(%1)" \ + : : "r"(*(__u32 *)__u.__c), "r"(__p) \ + : "memory"); \ + break; \ + case 8: \ + if (IS_ENABLED(CONFIG_64BIT)) \ + asm volatile("std,ma %0,0(%1)" \ + : : "r"(*(__u64 *)__u.__c), "r"(__p) \ + : "memory"); \ + break; \ + } \ +} while (0) + +#define __smp_load_acquire(p) \ +({ \ + union { typeof(*p) __val; char __c[1]; } __u; \ + typeof(p) __p = (p); \ + compiletime_assert_atomic_type(*p); \ + switch (sizeof(*p)) { \ + case 1: \ + asm volatile("ldb,ma 0(%1),%0" \ + : "=r"(*(__u8 *)__u.__c) : "r"(__p) \ + : "memory"); \ + break; \ + case 2: \ + asm volatile("ldh,ma 0(%1),%0" \ + : "=r"(*(__u16 *)__u.__c) : "r"(__p) \ + : "memory"); \ + break; \ + case 4: \ + asm volatile("ldw,ma 0(%1),%0" \ + : "=r"(*(__u32 *)__u.__c) : "r"(__p) \ + : "memory"); \ + break; \ + case 8: \ + if (IS_ENABLED(CONFIG_64BIT)) \ + asm volatile("ldd,ma 0(%1),%0" \ + : "=r"(*(__u64 *)__u.__c) : "r"(__p) \ + : "memory"); \ + break; \ + } \ + __u.__val; \ +}) #include #endif /* !__ASSEMBLY__ */ From b1dd9a06bcc8e724ee8e5acbc83b29f05f598211 Mon Sep 17 00:00:00 2001 From: Sven Schnelle Date: Tue, 11 Aug 2020 18:19:19 +0200 Subject: [PATCH 318/386] parisc: mask out enable and reserved bits from sba imask commit 5b24993c21cbf2de11aff077a48c5cb0505a0450 upstream. When using kexec the SBA IOMMU IBASE might still have the RE bit set. This triggers a WARN_ON when trying to write back the IBASE register later, and it also makes some mask calculations fail. Cc: Signed-off-by: Sven Schnelle Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman --- drivers/parisc/sba_iommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/parisc/sba_iommu.c b/drivers/parisc/sba_iommu.c index 5468490d2298..55b3274328eb 100644 --- a/drivers/parisc/sba_iommu.c +++ b/drivers/parisc/sba_iommu.c @@ -1291,7 +1291,7 @@ sba_ioc_init_pluto(struct parisc_device *sba, struct ioc *ioc, int ioc_num) ** (one that doesn't overlap memory or LMMIO space) in the ** IBASE and IMASK registers. */ - ioc->ibase = READ_REG(ioc->ioc_hpa + IOC_IBASE); + ioc->ibase = READ_REG(ioc->ioc_hpa + IOC_IBASE) & ~0x1fffffULL; iova_space_size = ~(READ_REG(ioc->ioc_hpa + IOC_IMASK) & 0xFFFFFFFFUL) + 1; if ((ioc->ibase < 0xfed00000UL) && ((ioc->ibase + iova_space_size) > 0xfee00000UL)) { From 86a92de7833342f34e1cb98429ac100797605f73 Mon Sep 17 00:00:00 2001 From: Nathan Huckleberry Date: Fri, 10 Jul 2020 20:23:37 +0100 Subject: [PATCH 319/386] ARM: 8992/1: Fix unwind_frame for clang-built kernels commit b4d5ec9b39f8b31d98f65bc5577b5d15d93795d7 upstream. Since clang does not push pc and sp in function prologues, the current implementation of unwind_frame does not work. By using the previous frame's lr/fp instead of saved pc/sp we get valid unwinds on clang-built kernels. The bounds check on next frame pointer must be changed as well since there are 8 less bytes between frames. This fixes /proc//stack. Link: https://github.com/ClangBuiltLinux/linux/issues/912 Reported-by: Miles Chen Tested-by: Miles Chen Cc: stable@vger.kernel.org Reviewed-by: Nick Desaulniers Signed-off-by: Nathan Huckleberry Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman --- arch/arm/kernel/stacktrace.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c index 65228bf4c6df..ba9b9a77bcd2 100644 --- a/arch/arm/kernel/stacktrace.c +++ b/arch/arm/kernel/stacktrace.c @@ -20,6 +20,19 @@ * A simple function epilogue looks like this: * ldm sp, {fp, sp, pc} * + * When compiled with clang, pc and sp are not pushed. A simple function + * prologue looks like this when built with clang: + * + * stmdb {..., fp, lr} + * add fp, sp, #x + * sub sp, sp, #y + * + * A simple function epilogue looks like this when built with clang: + * + * sub sp, fp, #x + * ldm {..., fp, pc} + * + * * Note that with framepointer enabled, even the leaf functions have the same * prologue and epilogue, therefore we can ignore the LR value in this case. */ @@ -32,6 +45,16 @@ int notrace unwind_frame(struct stackframe *frame) low = frame->sp; high = ALIGN(low, THREAD_SIZE); +#ifdef CONFIG_CC_IS_CLANG + /* check current frame pointer is within bounds */ + if (fp < low + 4 || fp > high - 4) + return -EINVAL; + + frame->sp = frame->fp; + frame->fp = *(unsigned long *)(fp); + frame->pc = frame->lr; + frame->lr = *(unsigned long *)(fp + 4); +#else /* check current frame pointer is within bounds */ if (fp < low + 12 || fp > high - 4) return -EINVAL; @@ -40,6 +63,7 @@ int notrace unwind_frame(struct stackframe *frame) frame->fp = *(unsigned long *)(fp - 12); frame->sp = *(unsigned long *)(fp - 8); frame->pc = *(unsigned long *)(fp - 4); +#endif return 0; } From 0673b5b73c6ed8c2a6e08770d0b3d6ec0078cbf3 Mon Sep 17 00:00:00 2001 From: Jon Derrick Date: Tue, 21 Jul 2020 14:26:09 -0600 Subject: [PATCH 320/386] irqdomain/treewide: Free firmware node after domain removal commit ec0160891e387f4771f953b888b1fe951398e5d9 upstream. Commit 711419e504eb ("irqdomain: Add the missing assignment of domain->fwnode for named fwnode") unintentionally caused a dangling pointer page fault issue on firmware nodes that were freed after IRQ domain allocation. Commit e3beca48a45b fixed that dangling pointer issue by only freeing the firmware node after an IRQ domain allocation failure. That fix no longer frees the firmware node immediately, but leaves the firmware node allocated after the domain is removed. The firmware node must be kept around through irq_domain_remove, but should be freed it afterwards. Add the missing free operations after domain removal where where appropriate. Fixes: e3beca48a45b ("irqdomain/treewide: Keep firmware node unconditionally allocated") Signed-off-by: Jon Derrick Signed-off-by: Thomas Gleixner Reviewed-by: Andy Shevchenko Acked-by: Bjorn Helgaas # drivers/pci Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1595363169-7157-1-git-send-email-jonathan.derrick@intel.com Signed-off-by: Greg Kroah-Hartman --- arch/x86/kernel/apic/io_apic.c | 5 +++++ drivers/iommu/intel_irq_remapping.c | 8 ++++++++ drivers/pci/host/vmd.c | 3 +++ 3 files changed, 16 insertions(+) diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c index b5652233e674..a1c4a13782da 100644 --- a/arch/x86/kernel/apic/io_apic.c +++ b/arch/x86/kernel/apic/io_apic.c @@ -2252,8 +2252,13 @@ static int mp_irqdomain_create(int ioapic) static void ioapic_destroy_irqdomain(int idx) { + struct ioapic_domain_cfg *cfg = &ioapics[idx].irqdomain_cfg; + struct fwnode_handle *fn = ioapics[idx].irqdomain->fwnode; + if (ioapics[idx].irqdomain) { irq_domain_remove(ioapics[idx].irqdomain); + if (!cfg->dev) + irq_domain_free_fwnode(fn); ioapics[idx].irqdomain = NULL; } } diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c index 154949a499c2..7cc5b04e30b7 100644 --- a/drivers/iommu/intel_irq_remapping.c +++ b/drivers/iommu/intel_irq_remapping.c @@ -601,13 +601,21 @@ out_free_table: static void intel_teardown_irq_remapping(struct intel_iommu *iommu) { + struct fwnode_handle *fn; + if (iommu && iommu->ir_table) { if (iommu->ir_msi_domain) { + fn = iommu->ir_msi_domain->fwnode; + irq_domain_remove(iommu->ir_msi_domain); + irq_domain_free_fwnode(fn); iommu->ir_msi_domain = NULL; } if (iommu->ir_domain) { + fn = iommu->ir_domain->fwnode; + irq_domain_remove(iommu->ir_domain); + irq_domain_free_fwnode(fn); iommu->ir_domain = NULL; } free_pages((unsigned long)iommu->ir_table->base, diff --git a/drivers/pci/host/vmd.c b/drivers/pci/host/vmd.c index 05f191ae0ff1..79d56638878c 100644 --- a/drivers/pci/host/vmd.c +++ b/drivers/pci/host/vmd.c @@ -651,6 +651,7 @@ static int vmd_enable_domain(struct vmd_dev *vmd) if (!vmd->bus) { pci_free_resource_list(&resources); irq_domain_remove(vmd->irq_domain); + irq_domain_free_fwnode(fn); return -ENODEV; } @@ -753,6 +754,7 @@ static void vmd_cleanup_srcu(struct vmd_dev *vmd) static void vmd_remove(struct pci_dev *dev) { struct vmd_dev *vmd = pci_get_drvdata(dev); + struct fwnode_handle *fn = vmd->irq_domain->fwnode; sysfs_remove_link(&vmd->dev->dev.kobj, "domain"); pci_stop_root_bus(vmd->bus); @@ -761,6 +763,7 @@ static void vmd_remove(struct pci_dev *dev) vmd_teardown_dma_ops(vmd); vmd_detach_resources(vmd); irq_domain_remove(vmd->irq_domain); + irq_domain_free_fwnode(fn); } #ifdef CONFIG_PM_SLEEP From 6235d910a5b85ec92cd3da929cb57971fb530f88 Mon Sep 17 00:00:00 2001 From: Roger Pau Monne Date: Mon, 27 Jul 2020 11:13:39 +0200 Subject: [PATCH 321/386] xen/balloon: fix accounting in alloc_xenballooned_pages error path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 1951fa33ec259abdf3497bfee7b63e7ddbb1a394 upstream. target_unpopulated is incremented with nr_pages at the start of the function, but the call to free_xenballooned_pages will only subtract pgno number of pages, and thus the rest need to be subtracted before returning or else accounting will be skewed. Signed-off-by: Roger Pau Monné Reviewed-by: Juergen Gross Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200727091342.52325-2-roger.pau@citrix.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman --- drivers/xen/balloon.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c index 3f9260af701f..ff6660f1fa68 100644 --- a/drivers/xen/balloon.c +++ b/drivers/xen/balloon.c @@ -695,6 +695,12 @@ int alloc_xenballooned_pages(int nr_pages, struct page **pages) out_undo: mutex_unlock(&balloon_mutex); free_xenballooned_pages(pgno, pages); + /* + * NB: free_xenballooned_pages will only subtract pgno pages, but since + * target_unpopulated is incremented with nr_pages at the start we need + * to remove the remaining ones also, or accounting will be screwed. + */ + balloon_stats.target_unpopulated -= nr_pages - pgno; return ret; } EXPORT_SYMBOL(alloc_xenballooned_pages); From bc3f473342464ac741471ba1486467614e92d464 Mon Sep 17 00:00:00 2001 From: Roger Pau Monne Date: Mon, 27 Jul 2020 11:13:40 +0200 Subject: [PATCH 322/386] xen/balloon: make the balloon wait interruptible MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 88a479ff6ef8af7f07e11593d58befc644244ff7 upstream. So it can be killed, or else processes can get hung indefinitely waiting for balloon pages. Signed-off-by: Roger Pau Monné Reviewed-by: Juergen Gross Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200727091342.52325-3-roger.pau@citrix.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman --- drivers/xen/balloon.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c index ff6660f1fa68..a8e0836dffd4 100644 --- a/drivers/xen/balloon.c +++ b/drivers/xen/balloon.c @@ -633,11 +633,13 @@ static int add_ballooned_pages(int nr_pages) if (xen_hotplug_unpopulated) { st = reserve_additional_memory(); if (st != BP_ECANCELED) { + int rc; + mutex_unlock(&balloon_mutex); - wait_event(balloon_wq, + rc = wait_event_interruptible(balloon_wq, !list_empty(&ballooned_pages)); mutex_lock(&balloon_mutex); - return 0; + return rc ? -ENOMEM : 0; } } From b4d2f15c8dd70bc9d007dd08379ac93617a94a6e Mon Sep 17 00:00:00 2001 From: Tim Froidcoeur Date: Tue, 11 Aug 2020 20:33:24 +0200 Subject: [PATCH 323/386] net: initialize fastreuse on inet_inherit_port commit d76f3351cea2d927fdf70dd7c06898235035e84e upstream. In the case of TPROXY, bind_conflict optimizations for SO_REUSEADDR or SO_REUSEPORT are broken, possibly resulting in O(n) instead of O(1) bind behaviour or in the incorrect reuse of a bind. the kernel keeps track for each bind_bucket if all sockets in the bind_bucket support SO_REUSEADDR or SO_REUSEPORT in two fastreuse flags. These flags allow skipping the costly bind_conflict check when possible (meaning when all sockets have the proper SO_REUSE option). For every socket added to a bind_bucket, these flags need to be updated. As soon as a socket that does not support reuse is added, the flag is set to false and will never go back to true, unless the bind_bucket is deleted. Note that there is no mechanism to re-evaluate these flags when a socket is removed (this might make sense when removing a socket that would not allow reuse; this leaves room for a future patch). For this optimization to work, it is mandatory that these flags are properly initialized and updated. When a child socket is created from a listen socket in __inet_inherit_port, the TPROXY case could create a new bind bucket without properly initializing these flags, thus preventing the optimization to work. Alternatively, a socket not allowing reuse could be added to an existing bind bucket without updating the flags, causing bind_conflict to never be called as it should. Call inet_csk_update_fastreuse when __inet_inherit_port decides to create a new bind_bucket or use a different bind_bucket than the one of the listen socket. Fixes: 093d282321da ("tproxy: fix hash locking issue when using port redirection in __inet_inherit_port()") Acked-by: Matthieu Baerts Signed-off-by: Tim Froidcoeur Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/inet_hashtables.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c index 0af13f5bdc9a..8a54babf5c90 100644 --- a/net/ipv4/inet_hashtables.c +++ b/net/ipv4/inet_hashtables.c @@ -160,6 +160,7 @@ int __inet_inherit_port(const struct sock *sk, struct sock *child) return -ENOMEM; } } + inet_csk_update_fastreuse(tb, child); } inet_bind_hash(child, tb, port); spin_unlock(&head->lock); From 233f70bdb12800fce6b153c270ec987acbaa773b Mon Sep 17 00:00:00 2001 From: Steve French Date: Thu, 16 Jul 2020 00:34:21 -0500 Subject: [PATCH 324/386] smb3: warn on confusing error scenario with sec=krb5 commit 0a018944eee913962bce8ffebbb121960d5125d9 upstream. When mounting with Kerberos, users have been confused about the default error returned in scenarios in which either keyutils is not installed or the user did not properly acquire a krb5 ticket. Log a warning message in the case that "ENOKEY" is returned from the get_spnego_key upcall so that users can better understand why mount failed in those two cases. CC: Stable Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman --- fs/cifs/smb2pdu.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 1c87a429ce72..2097b5fd51ba 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -942,6 +942,8 @@ SMB2_auth_kerberos(struct SMB2_sess_data *sess_data) spnego_key = cifs_get_spnego_key(ses); if (IS_ERR(spnego_key)) { rc = PTR_ERR(spnego_key); + if (rc == -ENOKEY) + cifs_dbg(VFS, "Verify user has a krb5 ticket and keyutils is installed\n"); spnego_key = NULL; goto out; } From ceeb1defbd59ef1585f32bb95d0498c7beeebd9b Mon Sep 17 00:00:00 2001 From: "Rafael J. Wysocki" Date: Fri, 26 Jun 2020 19:42:34 +0200 Subject: [PATCH 325/386] PCI: hotplug: ACPI: Fix context refcounting in acpiphp_grab_context() commit dae68d7fd4930315389117e9da35b763f12238f9 upstream. If context is not NULL in acpiphp_grab_context(), but the is_going_away flag is set for the device's parent, the reference counter of the context needs to be decremented before returning NULL or the context will never be freed, so make that happen. Fixes: edf5bf34d408 ("ACPI / dock: Use callback pointers from devices' ACPI hotplug contexts") Reported-by: Vasily Averin Cc: 3.15+ # 3.15+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman --- drivers/pci/hotplug/acpiphp_glue.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/pci/hotplug/acpiphp_glue.c b/drivers/pci/hotplug/acpiphp_glue.c index 711875afdd70..f2c1008e0f76 100644 --- a/drivers/pci/hotplug/acpiphp_glue.c +++ b/drivers/pci/hotplug/acpiphp_glue.c @@ -136,13 +136,21 @@ static struct acpiphp_context *acpiphp_grab_context(struct acpi_device *adev) struct acpiphp_context *context; acpi_lock_hp_context(); + context = acpiphp_get_context(adev); - if (!context || context->func.parent->is_going_away) { - acpi_unlock_hp_context(); - return NULL; + if (!context) + goto unlock; + + if (context->func.parent->is_going_away) { + acpiphp_put_context(context); + context = NULL; + goto unlock; } + get_bridge(context->func.parent); acpiphp_put_context(context); + +unlock: acpi_unlock_hp_context(); return context; } From aac009ffa0758952be9631f7427d5d7b2f55026a Mon Sep 17 00:00:00 2001 From: Qu Wenruo Date: Tue, 16 Jun 2020 10:17:34 +0800 Subject: [PATCH 326/386] btrfs: don't allocate anonymous block device for user invisible roots commit 851fd730a743e072badaf67caf39883e32439431 upstream. [BUG] When a lot of subvolumes are created, there is a user report about transaction aborted: BTRFS: Transaction aborted (error -24) WARNING: CPU: 17 PID: 17041 at fs/btrfs/transaction.c:1576 create_pending_snapshot+0xbc4/0xd10 [btrfs] RIP: 0010:create_pending_snapshot+0xbc4/0xd10 [btrfs] Call Trace: create_pending_snapshots+0x82/0xa0 [btrfs] btrfs_commit_transaction+0x275/0x8c0 [btrfs] btrfs_mksubvol+0x4b9/0x500 [btrfs] btrfs_ioctl_snap_create_transid+0x174/0x180 [btrfs] btrfs_ioctl_snap_create_v2+0x11c/0x180 [btrfs] btrfs_ioctl+0x11a4/0x2da0 [btrfs] do_vfs_ioctl+0xa9/0x640 ksys_ioctl+0x67/0x90 __x64_sys_ioctl+0x1a/0x20 do_syscall_64+0x5a/0x110 entry_SYSCALL_64_after_hwframe+0x44/0xa9 ---[ end trace 33f2f83f3d5250e9 ]--- BTRFS: error (device sda1) in create_pending_snapshot:1576: errno=-24 unknown BTRFS info (device sda1): forced readonly BTRFS warning (device sda1): Skipping commit of aborted transaction. BTRFS: error (device sda1) in cleanup_transaction:1831: errno=-24 unknown [CAUSE] The error is EMFILE (Too many files open) and comes from the anonymous block device allocation. The ids are in a shared pool of size 1<<20. The ids are assigned to live subvolumes, ie. the root structure exists in memory (eg. after creation or after the root appears in some path). The pool could be exhausted if the numbers are not reclaimed fast enough, after subvolume deletion or if other system component uses the anon block devices. [WORKAROUND] Since it's not possible to completely solve the problem, we can only minimize the time the id is allocated to a subvolume root. Firstly, we can reduce the use of anon_dev by trees that are not subvolume roots, like data reloc tree. This patch will do extra check on root objectid, to skip roots that don't need anon_dev. Currently it's only data reloc tree and orphan roots. Reported-by: Greed Rong Link: https://lore.kernel.org/linux-btrfs/CA+UqX+NTrZ6boGnWHhSeZmEY5J76CTqmYjO2S+=tHJX7nb9DPw@mail.gmail.com/ CC: stable@vger.kernel.org # 4.4+ Reviewed-by: Josef Bacik Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman --- fs/btrfs/disk-io.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 096c015b22a4..893066970c68 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c @@ -1509,9 +1509,16 @@ int btrfs_init_fs_root(struct btrfs_root *root) spin_lock_init(&root->ino_cache_lock); init_waitqueue_head(&root->ino_cache_wait); - ret = get_anon_bdev(&root->anon_dev); - if (ret) - goto fail; + /* + * Don't assign anonymous block device to roots that are not exposed to + * userspace, the id pool is limited to 1M + */ + if (is_fstree(root->root_key.objectid) && + btrfs_root_refs(&root->root_item) > 0) { + ret = get_anon_bdev(&root->anon_dev); + if (ret) + goto fail; + } mutex_lock(&root->objectid_mutex); ret = btrfs_find_highest_objectid(root, From 10742034076daea73acc17779e8f234060e03489 Mon Sep 17 00:00:00 2001 From: Josef Bacik Date: Mon, 27 Jul 2020 10:28:05 -0400 Subject: [PATCH 327/386] btrfs: only search for left_info if there is no right_info in try_merge_free_space commit bf53d4687b8f3f6b752f091eb85f62369a515dfd upstream. In try_to_merge_free_space we attempt to find entries to the left and right of the entry we are adding to see if they can be merged. We search for an entry past our current info (saved into right_info), and then if right_info exists and it has a rb_prev() we save the rb_prev() into left_info. However there's a slight problem in the case that we have a right_info, but no entry previous to that entry. At that point we will search for an entry just before the info we're attempting to insert. This will simply find right_info again, and assign it to left_info, making them both the same pointer. Now if right_info _can_ be merged with the range we're inserting, we'll add it to the info and free right_info. However further down we'll access left_info, which was right_info, and thus get a use-after-free. Fix this by only searching for the left entry if we don't find a right entry at all. The CVE referenced had a specially crafted file system that could trigger this use-after-free. However with the tree checker improvements we no longer trigger the conditions for the UAF. But the original conditions still apply, hence this fix. Reference: CVE-2019-19448 Fixes: 963030817060 ("Btrfs: use hybrid extents+bitmap rb tree for free space") CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Josef Bacik Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman --- fs/btrfs/free-space-cache.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c index abeb26d48d0a..57f89708fab1 100644 --- a/fs/btrfs/free-space-cache.c +++ b/fs/btrfs/free-space-cache.c @@ -2169,7 +2169,7 @@ out: static bool try_merge_free_space(struct btrfs_free_space_ctl *ctl, struct btrfs_free_space *info, bool update_stat) { - struct btrfs_free_space *left_info; + struct btrfs_free_space *left_info = NULL; struct btrfs_free_space *right_info; bool merged = false; u64 offset = info->offset; @@ -2184,7 +2184,7 @@ static bool try_merge_free_space(struct btrfs_free_space_ctl *ctl, if (right_info && rb_prev(&right_info->offset_index)) left_info = rb_entry(rb_prev(&right_info->offset_index), struct btrfs_free_space, offset_index); - else + else if (!right_info) left_info = tree_search_offset(ctl, offset - 1, 0, 0); if (right_info && !right_info->bitmap) { From 547cc243f66b9fae46530f67f7bc7c6c5b022747 Mon Sep 17 00:00:00 2001 From: Filipe Manana Date: Wed, 29 Jul 2020 10:17:50 +0100 Subject: [PATCH 328/386] btrfs: fix memory leaks after failure to lookup checksums during inode logging commit 4f26433e9b3eb7a55ed70d8f882ae9cd48ba448b upstream. While logging an inode, at copy_items(), if we fail to lookup the checksums for an extent we release the destination path, free the ins_data array and then return immediately. However a previous iteration of the for loop may have added checksums to the ordered_sums list, in which case we leak the memory used by them. So fix this by making sure we iterate the ordered_sums list and free all its checksums before returning. Fixes: 3650860b90cc2a ("Btrfs: remove almost all of the BUG()'s from tree-log.c") CC: stable@vger.kernel.org # 4.4+ Reviewed-by: Johannes Thumshirn Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman --- fs/btrfs/tree-log.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index bcfb7a772c8e..3d30bf90d59e 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -3854,11 +3854,8 @@ static noinline int copy_items(struct btrfs_trans_handle *trans, fs_info->csum_root, ds + cs, ds + cs + cl - 1, &ordered_sums, 0); - if (ret) { - btrfs_release_path(dst_path); - kfree(ins_data); - return ret; - } + if (ret) + break; } } } @@ -3871,7 +3868,6 @@ static noinline int copy_items(struct btrfs_trans_handle *trans, * we have to do this after the loop above to avoid changing the * log tree while trying to change the log tree. */ - ret = 0; while (!list_empty(&ordered_sums)) { struct btrfs_ordered_sum *sums = list_entry(ordered_sums.next, struct btrfs_ordered_sum, From f9a6664b7d26a1266a3c851bba339af267c2e1ba Mon Sep 17 00:00:00 2001 From: Christian Eggers Date: Mon, 27 Jul 2020 12:16:05 +0200 Subject: [PATCH 329/386] dt-bindings: iio: io-channel-mux: Fix compatible string in example code commit add48ba425192c6e04ce70549129cacd01e2a09e upstream. The correct compatible string is "gpio-mux" (see bindings/mux/gpio-mux.txt). Cc: stable@vger.kernel.org # v4.13+ Reviewed-by: Peter Rosin Signed-off-by: Christian Eggers Link: https://lore.kernel.org/r/20200727101605.24384-1-ceggers@arri.de Signed-off-by: Rob Herring Signed-off-by: Greg Kroah-Hartman --- .../devicetree/bindings/iio/multiplexer/io-channel-mux.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt b/Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt index c82794002595..89647d714387 100644 --- a/Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt +++ b/Documentation/devicetree/bindings/iio/multiplexer/io-channel-mux.txt @@ -21,7 +21,7 @@ controller state. The mux controller state is described in Example: mux: mux-controller { - compatible = "mux-gpio"; + compatible = "gpio-mux"; #mux-control-cells = <0>; mux-gpios = <&pioA 0 GPIO_ACTIVE_HIGH>, From 8ebdb47527b01fc083dafead2068385f18a3942d Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Mon, 6 Jul 2020 14:02:57 +0300 Subject: [PATCH 330/386] iio: dac: ad5592r: fix unbalanced mutex unlocks in ad5592r_read_raw() commit 65afb0932a81c1de719ceee0db0b276094b10ac8 upstream. There are 2 exit paths where the lock isn't held, but try to unlock the mutex when exiting. In these places we should just return from the function. A neater approach would be to cleanup the ad5592r_read_raw(), but that would make this patch more difficult to backport to stable versions. Fixes 56ca9db862bf3: ("iio: dac: Add support for the AD5592R/AD5593R ADCs/DACs") Reported-by: Charles Stanhope Signed-off-by: Alexandru Ardelean Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman --- drivers/iio/dac/ad5592r-base.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/iio/dac/ad5592r-base.c b/drivers/iio/dac/ad5592r-base.c index 69bde5909854..5c998ac8c840 100644 --- a/drivers/iio/dac/ad5592r-base.c +++ b/drivers/iio/dac/ad5592r-base.c @@ -417,7 +417,7 @@ static int ad5592r_read_raw(struct iio_dev *iio_dev, s64 tmp = *val * (3767897513LL / 25LL); *val = div_s64_rem(tmp, 1000000000LL, val2); - ret = IIO_VAL_INT_PLUS_MICRO; + return IIO_VAL_INT_PLUS_MICRO; } else { int mult; @@ -448,7 +448,7 @@ static int ad5592r_read_raw(struct iio_dev *iio_dev, ret = IIO_VAL_INT; break; default: - ret = -EINVAL; + return -EINVAL; } unlock: From ffcb9544744baa43c07b86ae0f370968f4a46eeb Mon Sep 17 00:00:00 2001 From: Max Filippov Date: Fri, 31 Jul 2020 12:37:32 -0700 Subject: [PATCH 331/386] xtensa: fix xtensa_pmu_setup prototype MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 6d65d3769d1910379e1cfa61ebf387efc6bfb22c upstream. Fix the following build error in configurations with CONFIG_XTENSA_VARIANT_HAVE_PERF_EVENTS=y: arch/xtensa/kernel/perf_event.c:420:29: error: passing argument 3 of ‘cpuhp_setup_state’ from incompatible pointer type Cc: stable@vger.kernel.org Fixes: 25a77b55e74c ("xtensa/perf: Convert the hotplug notifier to state machine callbacks") Signed-off-by: Max Filippov Signed-off-by: Greg Kroah-Hartman --- arch/xtensa/kernel/perf_event.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/xtensa/kernel/perf_event.c b/arch/xtensa/kernel/perf_event.c index ff1d81385ed7..768e1f7ab871 100644 --- a/arch/xtensa/kernel/perf_event.c +++ b/arch/xtensa/kernel/perf_event.c @@ -404,7 +404,7 @@ static struct pmu xtensa_pmu = { .read = xtensa_pmu_read, }; -static int xtensa_pmu_setup(int cpu) +static int xtensa_pmu_setup(unsigned int cpu) { unsigned i; From 028b34d23dbc08e44b3494384a0878064f833ffa Mon Sep 17 00:00:00 2001 From: Michael Ellerman Date: Tue, 4 Aug 2020 22:44:06 +1000 Subject: [PATCH 332/386] powerpc: Fix circular dependency between percpu.h and mmu.h commit 0c83b277ada72b585e6a3e52b067669df15bcedb upstream. Recently random.h started including percpu.h (see commit f227e3ec3b5c ("random32: update the net random state on interrupt and activity")), which broke corenet64_smp_defconfig: In file included from /linux/arch/powerpc/include/asm/paca.h:18, from /linux/arch/powerpc/include/asm/percpu.h:13, from /linux/include/linux/random.h:14, from /linux/lib/uuid.c:14: /linux/arch/powerpc/include/asm/mmu.h:139:22: error: unknown type name 'next_tlbcam_idx' 139 | DECLARE_PER_CPU(int, next_tlbcam_idx); This is due to a circular header dependency: asm/mmu.h includes asm/percpu.h, which includes asm/paca.h, which includes asm/mmu.h Which means DECLARE_PER_CPU() isn't defined when mmu.h needs it. We can fix it by moving the include of paca.h below the include of asm-generic/percpu.h. This moves the include of paca.h out of the #ifdef __powerpc64__, but that is OK because paca.h is almost entirely inside #ifdef CONFIG_PPC64 anyway. It also moves the include of paca.h out of the #ifdef CONFIG_SMP, which could possibly break something, but seems to have no ill effects. Fixes: f227e3ec3b5c ("random32: update the net random state on interrupt and activity") Cc: stable@vger.kernel.org # v5.8 Reported-by: Stephen Rothwell Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200804130558.292328-1-mpe@ellerman.id.au Signed-off-by: Greg Kroah-Hartman --- arch/powerpc/include/asm/percpu.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/include/asm/percpu.h b/arch/powerpc/include/asm/percpu.h index dce863a7635c..8e5b7d0b851c 100644 --- a/arch/powerpc/include/asm/percpu.h +++ b/arch/powerpc/include/asm/percpu.h @@ -10,8 +10,6 @@ #ifdef CONFIG_SMP -#include - #define __my_cpu_offset local_paca->data_offset #endif /* CONFIG_SMP */ @@ -19,4 +17,6 @@ #include +#include + #endif /* _ASM_POWERPC_PERCPU_H_ */ From 783539b347a8cb3cefaef1002f1e629e40ba2520 Mon Sep 17 00:00:00 2001 From: Jonathan McDowell Date: Wed, 12 Aug 2020 20:37:23 +0100 Subject: [PATCH 333/386] net: ethernet: stmmac: Disable hardware multicast filter commit df43dd526e6609769ae513a81443c7aa727c8ca3 upstream. The IPQ806x does not appear to have a functional multicast ethernet address filter. This was observed as a failure to correctly receive IPv6 packets on a LAN to the all stations address. Checking the vendor driver shows that it does not attempt to enable the multicast filter and instead falls back to receiving all multicast packets, internally setting ALLMULTI. Use the new fallback support in the dwmac1000 driver to correctly achieve the same with the mainline IPQ806x driver. Confirmed to fix IPv6 functionality on an RB3011 router. Cc: stable@vger.kernel.org Signed-off-by: Jonathan McDowell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c index bcc5d1e16ce2..1924788d28da 100644 --- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c @@ -362,6 +362,7 @@ static int ipq806x_gmac_probe(struct platform_device *pdev) plat_dat->has_gmac = true; plat_dat->bsp_priv = gmac; plat_dat->fix_mac_speed = ipq806x_gmac_fix_mac_speed; + plat_dat->multicast_filter_bins = 0; err = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res); if (err) From a5b5d63d537341738b8cb3e93a4bf5387dc9119e Mon Sep 17 00:00:00 2001 From: Jonathan McDowell Date: Wed, 12 Aug 2020 20:37:01 +0100 Subject: [PATCH 334/386] net: stmmac: dwmac1000: provide multicast filter fallback commit 592d751c1e174df5ff219946908b005eb48934b3 upstream. If we don't have a hardware multicast filter available then instead of silently failing to listen for the requested ethernet broadcast addresses fall back to receiving all multicast packets, in a similar fashion to other drivers with no multicast filter. Cc: stable@vger.kernel.org Signed-off-by: Jonathan McDowell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c index f76d4a7281af..f07d9d3456a4 100644 --- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c @@ -176,6 +176,9 @@ static void dwmac1000_set_filter(struct mac_device_info *hw, value = GMAC_FRAME_FILTER_PR; } else if (dev->flags & IFF_ALLMULTI) { value = GMAC_FRAME_FILTER_PM; /* pass all multi */ + } else if (!netdev_mc_empty(dev) && (mcbitslog2 == 0)) { + /* Fall back to all multicast if we've no filter */ + value = GMAC_FRAME_FILTER_PM; } else if (!netdev_mc_empty(dev)) { struct netdev_hw_addr *ha; From e34237a26c04308c721b6ce460b0beaa7d7e0e28 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Tue, 9 Jun 2020 16:11:29 -0700 Subject: [PATCH 335/386] net/compat: Add missing sock updates for SCM_RIGHTS commit d9539752d23283db4692384a634034f451261e29 upstream. Add missed sock updates to compat path via a new helper, which will be used more in coming patches. (The net/core/scm.c code is left as-is here to assist with -stable backports for the compat path.) Cc: Christoph Hellwig Cc: Sargun Dhillon Cc: Jakub Kicinski Cc: stable@vger.kernel.org Fixes: 48a87cc26c13 ("net: netprio: fd passed in SCM_RIGHTS datagram not set correctly") Fixes: d84295067fc7 ("net: net_cls: fd passed in SCM_RIGHTS datagram not set correctly") Acked-by: Christian Brauner Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman --- include/net/sock.h | 4 ++++ net/compat.c | 1 + net/core/sock.c | 21 +++++++++++++++++++++ 3 files changed, 26 insertions(+) diff --git a/include/net/sock.h b/include/net/sock.h index a2e10d0b1280..55d16db84ea4 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -816,6 +816,8 @@ static inline int sk_memalloc_socks(void) { return static_key_false(&memalloc_socks); } + +void __receive_sock(struct file *file); #else static inline int sk_memalloc_socks(void) @@ -823,6 +825,8 @@ static inline int sk_memalloc_socks(void) return 0; } +static inline void __receive_sock(struct file *file) +{ } #endif static inline gfp_t sk_gfp_mask(const struct sock *sk, gfp_t gfp_mask) diff --git a/net/compat.c b/net/compat.c index 790851e70dab..45349658ed01 100644 --- a/net/compat.c +++ b/net/compat.c @@ -289,6 +289,7 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) break; } /* Bump the usage count and install the file. */ + __receive_sock(fp[i]); fd_install(new_fd, get_file(fp[i])); } diff --git a/net/core/sock.c b/net/core/sock.c index af1201676abc..3b65fedf77ca 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -2563,6 +2563,27 @@ int sock_no_mmap(struct file *file, struct socket *sock, struct vm_area_struct * } EXPORT_SYMBOL(sock_no_mmap); +/* + * When a file is received (via SCM_RIGHTS, etc), we must bump the + * various sock-based usage counts. + */ +void __receive_sock(struct file *file) +{ + struct socket *sock; + int error; + + /* + * The resulting value of "error" is ignored here since we only + * need to take action when the file is a socket and testing + * "sock" for NULL is sufficient. + */ + sock = sock_from_file(file, &error); + if (sock) { + sock_update_netprioidx(&sock->sk->sk_cgrp_data); + sock_update_classid(&sock->sk->sk_cgrp_data); + } +} + ssize_t sock_no_sendpage(struct socket *sock, struct page *page, int offset, size_t size, int flags) { ssize_t res; From b9ce604687f34c133aa921c3345e60a81609fecf Mon Sep 17 00:00:00 2001 From: ChangSyun Peng Date: Fri, 31 Jul 2020 17:50:17 +0800 Subject: [PATCH 336/386] md/raid5: Fix Force reconstruct-write io stuck in degraded raid5 commit a1c6ae3d9f3dd6aa5981a332a6f700cf1c25edef upstream. In degraded raid5, we need to read parity to do reconstruct-write when data disks fail. However, we can not read parity from handle_stripe_dirtying() in force reconstruct-write mode. Reproducible Steps: 1. Create degraded raid5 mdadm -C /dev/md2 --assume-clean -l5 -n3 /dev/sda2 /dev/sdb2 missing 2. Set rmw_level to 0 echo 0 > /sys/block/md2/md/rmw_level 3. IO to raid5 Now some io may be stuck in raid5. We can use handle_stripe_fill() to read the parity in this situation. Cc: # v4.4+ Reviewed-by: Alex Wu Reviewed-by: BingJing Chang Reviewed-by: Danny Shih Signed-off-by: ChangSyun Peng Signed-off-by: Song Liu Signed-off-by: Greg Kroah-Hartman --- drivers/md/raid5.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c index d5c14d56a714..cd055664dce3 100644 --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c @@ -3593,6 +3593,7 @@ static int need_this_block(struct stripe_head *sh, struct stripe_head_state *s, * is missing/faulty, then we need to read everything we can. */ if (sh->raid_conf->level != 6 && + sh->raid_conf->rmw_level != PARITY_DISABLE_RMW && sh->sector < sh->raid_conf->mddev->recovery_cp) /* reconstruct-write isn't being forced */ return 0; @@ -4829,7 +4830,7 @@ static void handle_stripe(struct stripe_head *sh) * or to load a block that is being partially written. */ if (s.to_read || s.non_overwrite - || (conf->level == 6 && s.to_write && s.failed) + || (s.to_write && s.failed) || (s.syncing && (s.uptodate + s.compute < disks)) || s.replacing || s.expanding) From 4476c8ef04dd52a3bd6f382cd133ad725980f923 Mon Sep 17 00:00:00 2001 From: Coly Li Date: Sat, 25 Jul 2020 20:00:16 +0800 Subject: [PATCH 337/386] bcache: allocate meta data pages as compound pages commit 5fe48867856367142d91a82f2cbf7a57a24cbb70 upstream. There are some meta data of bcache are allocated by multiple pages, and they are used as bio bv_page for I/Os to the cache device. for example cache_set->uuids, cache->disk_buckets, journal_write->data, bset_tree->data. For such meta data memory, all the allocated pages should be treated as a single memory block. Then the memory management and underlying I/O code can treat them more clearly. This patch adds __GFP_COMP flag to all the location allocating >0 order pages for the above mentioned meta data. Then their pages are treated as compound pages now. Signed-off-by: Coly Li Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- drivers/md/bcache/bset.c | 2 +- drivers/md/bcache/btree.c | 2 +- drivers/md/bcache/journal.c | 4 ++-- drivers/md/bcache/super.c | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/md/bcache/bset.c b/drivers/md/bcache/bset.c index 1edf9515345e..03fb06c61e1c 100644 --- a/drivers/md/bcache/bset.c +++ b/drivers/md/bcache/bset.c @@ -319,7 +319,7 @@ int bch_btree_keys_alloc(struct btree_keys *b, unsigned page_order, gfp_t gfp) b->page_order = page_order; - t->data = (void *) __get_free_pages(gfp, b->page_order); + t->data = (void *) __get_free_pages(__GFP_COMP|gfp, b->page_order); if (!t->data) goto err; diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c index 66c764491a83..9fca837d0b41 100644 --- a/drivers/md/bcache/btree.c +++ b/drivers/md/bcache/btree.c @@ -794,7 +794,7 @@ int bch_btree_cache_alloc(struct cache_set *c) mutex_init(&c->verify_lock); c->verify_ondisk = (void *) - __get_free_pages(GFP_KERNEL, ilog2(bucket_pages(c))); + __get_free_pages(GFP_KERNEL|__GFP_COMP, ilog2(bucket_pages(c))); c->verify_data = mca_bucket_alloc(c, &ZERO_KEY, GFP_KERNEL); diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c index 6394be5ee9a8..6aafda26903c 100644 --- a/drivers/md/bcache/journal.c +++ b/drivers/md/bcache/journal.c @@ -838,8 +838,8 @@ int bch_journal_alloc(struct cache_set *c) j->w[1].c = c; if (!(init_fifo(&j->pin, JOURNAL_PIN, GFP_KERNEL)) || - !(j->w[0].data = (void *) __get_free_pages(GFP_KERNEL, JSET_BITS)) || - !(j->w[1].data = (void *) __get_free_pages(GFP_KERNEL, JSET_BITS))) + !(j->w[0].data = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP, JSET_BITS)) || + !(j->w[1].data = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP, JSET_BITS))) return -ENOMEM; return 0; diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c index 32498b912ce7..7fcc1ba12bc0 100644 --- a/drivers/md/bcache/super.c +++ b/drivers/md/bcache/super.c @@ -1468,7 +1468,7 @@ void bch_cache_set_unregister(struct cache_set *c) } #define alloc_bucket_pages(gfp, c) \ - ((void *) __get_free_pages(__GFP_ZERO|gfp, ilog2(bucket_pages(c)))) + ((void *) __get_free_pages(__GFP_ZERO|__GFP_COMP|gfp, ilog2(bucket_pages(c)))) struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) { From 737e3834e607f86f74d45dce6eb1ca6f4a711c1a Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Mon, 3 Aug 2020 11:02:10 +0200 Subject: [PATCH 338/386] mac80211: fix misplaced while instead of if commit 5981fe5b0529ba25d95f37d7faa434183ad618c5 upstream. This never was intended to be a 'while' loop, it should've just been an 'if' instead of 'while'. Fix this. I noticed this while applying another patch from Ben that intended to fix a busy loop at this spot. Cc: stable@vger.kernel.org Fixes: b16798f5b907 ("mac80211: mark station unauthorized before key removal") Reported-by: Ben Greear Link: https://lore.kernel.org/r/20200803110209.253009ae41ff.I3522aad099392b31d5cf2dcca34cbac7e5832dde@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/mac80211/sta_info.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c index 77ab9cc1a230..6af5fda6461c 100644 --- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c @@ -952,7 +952,7 @@ static void __sta_info_destroy_part2(struct sta_info *sta) might_sleep(); lockdep_assert_held(&local->sta_mtx); - while (sta->sta_state == IEEE80211_STA_AUTHORIZED) { + if (sta->sta_state == IEEE80211_STA_AUTHORIZED) { ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC); WARN_ON_ONCE(ret); } From f9bff9442312af9117723e4d32c11cfbb9d93afa Mon Sep 17 00:00:00 2001 From: Huacai Chen Date: Thu, 16 Jul 2020 18:40:23 +0800 Subject: [PATCH 339/386] MIPS: CPU#0 is not hotpluggable commit 9cce844abf07b683cff5f0273977d5f8d0af94c7 upstream. Now CPU#0 is not hotpluggable on MIPS, so prevent to create /sys/devices /system/cpu/cpu0/online which confuses some user-space tools. Cc: stable@vger.kernel.org Signed-off-by: Huacai Chen Signed-off-by: Thomas Bogendoerfer Signed-off-by: Greg Kroah-Hartman --- arch/mips/kernel/topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/mips/kernel/topology.c b/arch/mips/kernel/topology.c index cd3e1f82e1a5..08ad6371fbe0 100644 --- a/arch/mips/kernel/topology.c +++ b/arch/mips/kernel/topology.c @@ -20,7 +20,7 @@ static int __init topology_init(void) for_each_present_cpu(i) { struct cpu *c = &per_cpu(cpu_devices, i); - c->hotpluggable = 1; + c->hotpluggable = !!i; ret = register_cpu(c, i); if (ret) printk(KERN_WARNING "topology_init: register_cpu %d " From 56525e594a0a2837160f4e36decdc1b09db4ee5d Mon Sep 17 00:00:00 2001 From: Mikulas Patocka Date: Mon, 20 Apr 2020 16:02:21 -0400 Subject: [PATCH 340/386] ext2: fix missing percpu_counter_inc commit bc2fbaa4d3808aef82dd1064a8e61c16549fe956 upstream. sbi->s_freeinodes_counter is only decreased by the ext2 code, it is never increased. This patch fixes it. Note that sbi->s_freeinodes_counter is only used in the algorithm that tries to find the group for new allocations, so this bug is not easily visible (the only visibility is that the group finding algorithm selects inoptinal result). Link: https://lore.kernel.org/r/alpine.LRH.2.02.2004201538300.19436@file01.intranet.prod.int.rdu2.redhat.com Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman --- fs/ext2/ialloc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/ext2/ialloc.c b/fs/ext2/ialloc.c index a1fc3dabca41..6d5fce776d8e 100644 --- a/fs/ext2/ialloc.c +++ b/fs/ext2/ialloc.c @@ -80,6 +80,7 @@ static void ext2_release_inode(struct super_block *sb, int group, int dir) if (dir) le16_add_cpu(&desc->bg_used_dirs_count, -1); spin_unlock(sb_bgl_lock(EXT2_SB(sb), group)); + percpu_counter_inc(&EXT2_SB(sb)->s_freeinodes_counter); if (dir) percpu_counter_dec(&EXT2_SB(sb)->s_dirs_counter); mark_buffer_dirty(bh); @@ -531,7 +532,7 @@ got: goto fail; } - percpu_counter_add(&sbi->s_freeinodes_counter, -1); + percpu_counter_dec(&sbi->s_freeinodes_counter); if (S_ISDIR(mode)) percpu_counter_inc(&sbi->s_dirs_counter); From 2905e9be282a87cd398441c0f342682df2ddf7ed Mon Sep 17 00:00:00 2001 From: Junxiao Bi Date: Thu, 6 Aug 2020 23:18:02 -0700 Subject: [PATCH 341/386] ocfs2: change slot number type s16 to u16 commit 38d51b2dd171ad973afc1f5faab825ed05a2d5e9 upstream. Dan Carpenter reported the following static checker warning. fs/ocfs2/super.c:1269 ocfs2_parse_options() warn: '(-1)' 65535 can't fit into 32767 'mopt->slot' fs/ocfs2/suballoc.c:859 ocfs2_init_inode_steal_slot() warn: '(-1)' 65535 can't fit into 32767 'osb->s_inode_steal_slot' fs/ocfs2/suballoc.c:867 ocfs2_init_meta_steal_slot() warn: '(-1)' 65535 can't fit into 32767 'osb->s_meta_steal_slot' That's because OCFS2_INVALID_SLOT is (u16)-1. Slot number in ocfs2 can be never negative, so change s16 to u16. Fixes: 9277f8334ffc ("ocfs2: fix value of OCFS2_INVALID_SLOT") Reported-by: Dan Carpenter Signed-off-by: Junxiao Bi Signed-off-by: Andrew Morton Reviewed-by: Joseph Qi Reviewed-by: Gang He Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Cc: Link: http://lkml.kernel.org/r/20200627001259.19757-1-junxiao.bi@oracle.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/ocfs2/ocfs2.h | 4 ++-- fs/ocfs2/suballoc.c | 4 ++-- fs/ocfs2/super.c | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/fs/ocfs2/ocfs2.h b/fs/ocfs2/ocfs2.h index 9a50f222ac97..b15537a76516 100644 --- a/fs/ocfs2/ocfs2.h +++ b/fs/ocfs2/ocfs2.h @@ -336,8 +336,8 @@ struct ocfs2_super spinlock_t osb_lock; u32 s_next_generation; unsigned long osb_flags; - s16 s_inode_steal_slot; - s16 s_meta_steal_slot; + u16 s_inode_steal_slot; + u16 s_meta_steal_slot; atomic_t s_num_inodes_stolen; atomic_t s_num_meta_stolen; diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c index 4ca2f71565f9..8d03630dfd59 100644 --- a/fs/ocfs2/suballoc.c +++ b/fs/ocfs2/suballoc.c @@ -895,9 +895,9 @@ static void __ocfs2_set_steal_slot(struct ocfs2_super *osb, int slot, int type) { spin_lock(&osb->osb_lock); if (type == INODE_ALLOC_SYSTEM_INODE) - osb->s_inode_steal_slot = slot; + osb->s_inode_steal_slot = (u16)slot; else if (type == EXTENT_ALLOC_SYSTEM_INODE) - osb->s_meta_steal_slot = slot; + osb->s_meta_steal_slot = (u16)slot; spin_unlock(&osb->osb_lock); } diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c index 24ab735d91dd..8216550faf45 100644 --- a/fs/ocfs2/super.c +++ b/fs/ocfs2/super.c @@ -92,7 +92,7 @@ struct mount_options unsigned long commit_interval; unsigned long mount_opt; unsigned int atime_quantum; - signed short slot; + unsigned short slot; int localalloc_opt; unsigned int resv_level; int dir_resv_level; @@ -1369,7 +1369,7 @@ static int ocfs2_parse_options(struct super_block *sb, goto bail; } if (option) - mopt->slot = (s16)option; + mopt->slot = (u16)option; break; case Opt_commit: if (match_int(&args[0], &option)) { From 2b5858751a051fbd7ad7dc831fadf8bbed741ccc Mon Sep 17 00:00:00 2001 From: Chengming Zhou Date: Wed, 29 Jul 2020 02:05:53 +0800 Subject: [PATCH 342/386] ftrace: Setup correct FTRACE_FL_REGS flags for module commit 8a224ffb3f52b0027f6b7279854c71a31c48fc97 upstream. When module loaded and enabled, we will use __ftrace_replace_code for module if any ftrace_ops referenced it found. But we will get wrong ftrace_addr for module rec in ftrace_get_addr_new, because rec->flags has not been setup correctly. It can cause the callback function of a ftrace_ops has FTRACE_OPS_FL_SAVE_REGS to be called with pt_regs set to NULL. So setup correct FTRACE_FL_REGS flags for rec when we call referenced_filters to find ftrace_ops references it. Link: https://lkml.kernel.org/r/20200728180554.65203-1-zhouchengming@bytedance.com Cc: stable@vger.kernel.org Fixes: 8c4f3c3fa9681 ("ftrace: Check module functions being traced on reload") Signed-off-by: Chengming Zhou Signed-off-by: Muchun Song Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman --- kernel/trace/ftrace.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 8a8d92a8045b..9e831623d2de 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -5721,8 +5721,11 @@ static int referenced_filters(struct dyn_ftrace *rec) int cnt = 0; for (ops = ftrace_ops_list; ops != &ftrace_list_end; ops = ops->next) { - if (ops_references_rec(ops, rec)) - cnt++; + if (ops_references_rec(ops, rec)) { + cnt++; + if (ops->flags & FTRACE_OPS_FL_SAVE_REGS) + rec->flags |= FTRACE_FL_REGS; + } } return cnt; @@ -5871,8 +5874,8 @@ void ftrace_module_enable(struct module *mod) if (ftrace_start_up) cnt += referenced_filters(rec); - /* This clears FTRACE_FL_DISABLED */ - rec->flags = cnt; + rec->flags &= ~FTRACE_FL_DISABLED; + rec->flags += cnt; if (ftrace_start_up && cnt) { int failed = __ftrace_replace_code(rec, 1); From afd39cbaca880da82f35b726fabbc6111da20ac3 Mon Sep 17 00:00:00 2001 From: Muchun Song Date: Tue, 28 Jul 2020 14:45:36 +0800 Subject: [PATCH 343/386] kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler commit 0cb2f1372baa60af8456388a574af6133edd7d80 upstream. We found a case of kernel panic on our server. The stack trace is as follows(omit some irrelevant information): BUG: kernel NULL pointer dereference, address: 0000000000000080 RIP: 0010:kprobe_ftrace_handler+0x5e/0xe0 RSP: 0018:ffffb512c6550998 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8e9d16eea018 RCX: 0000000000000000 RDX: ffffffffbe1179c0 RSI: ffffffffc0535564 RDI: ffffffffc0534ec0 RBP: ffffffffc0534ec1 R08: ffff8e9d1bbb0f00 R09: 0000000000000004 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff8e9d1f797060 R14: 000000000000bacc R15: ffff8e9ce13eca00 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000080 CR3: 00000008453d0005 CR4: 00000000003606e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ftrace_ops_assist_func+0x56/0xe0 ftrace_call+0x5/0x34 tcpa_statistic_send+0x5/0x130 [ttcp_engine] The tcpa_statistic_send is the function being kprobed. After analysis, the root cause is that the fourth parameter regs of kprobe_ftrace_handler is NULL. Why regs is NULL? We use the crash tool to analyze the kdump. crash> dis tcpa_statistic_send -r : callq 0xffffffffbd8018c0 The tcpa_statistic_send calls ftrace_caller instead of ftrace_regs_caller. So it is reasonable that the fourth parameter regs of kprobe_ftrace_handler is NULL. In theory, we should call the ftrace_regs_caller instead of the ftrace_caller. After in-depth analysis, we found a reproducible path. Writing a simple kernel module which starts a periodic timer. The timer's handler is named 'kprobe_test_timer_handler'. The module name is kprobe_test.ko. 1) insmod kprobe_test.ko 2) bpftrace -e 'kretprobe:kprobe_test_timer_handler {}' 3) echo 0 > /proc/sys/kernel/ftrace_enabled 4) rmmod kprobe_test 5) stop step 2) kprobe 6) insmod kprobe_test.ko 7) bpftrace -e 'kretprobe:kprobe_test_timer_handler {}' We mark the kprobe as GONE but not disarm the kprobe in the step 4). The step 5) also do not disarm the kprobe when unregister kprobe. So we do not remove the ip from the filter. In this case, when the module loads again in the step 6), we will replace the code to ftrace_caller via the ftrace_module_enable(). When we register kprobe again, we will not replace ftrace_caller to ftrace_regs_caller because the ftrace is disabled in the step 3). So the step 7) will trigger kernel panic. Fix this problem by disarming the kprobe when the module is going away. Link: https://lkml.kernel.org/r/20200728064536.24405-1-songmuchun@bytedance.com Cc: stable@vger.kernel.org Fixes: ae6aa16fdc16 ("kprobes: introduce ftrace based optimization") Acked-by: Masami Hiramatsu Signed-off-by: Muchun Song Co-developed-by: Chengming Zhou Signed-off-by: Chengming Zhou Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman --- kernel/kprobes.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/kprobes.c b/kernel/kprobes.c index f2d2194b51ca..7b3a5c35904a 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -2134,6 +2134,13 @@ static void kill_kprobe(struct kprobe *p) * the original probed function (which will be freed soon) any more. */ arch_remove_kprobe(p); + + /* + * The module is going away. We should disarm the kprobe which + * is using ftrace. + */ + if (kprobe_ftrace(p)) + disarm_kprobe_ftrace(p); } /* Disable one kprobe */ From c3bb307dc629225a9730bff0bb9b73b0cd726361 Mon Sep 17 00:00:00 2001 From: Kevin Hao Date: Thu, 30 Jul 2020 16:23:18 +0800 Subject: [PATCH 344/386] tracing/hwlat: Honor the tracing_cpumask commit 96b4833b6827a62c295b149213c68b559514c929 upstream. In calculation of the cpu mask for the hwlat kernel thread, the wrong cpu mask is used instead of the tracing_cpumask, this causes the tracing/tracing_cpumask useless for hwlat tracer. Fixes it. Link: https://lkml.kernel.org/r/20200730082318.42584-2-haokexin@gmail.com Cc: Ingo Molnar Cc: stable@vger.kernel.org Fixes: 0330f7aa8ee6 ("tracing: Have hwlat trace migrate across tracing_cpumask CPUs") Signed-off-by: Kevin Hao Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman --- kernel/trace/trace_hwlat.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace_hwlat.c b/kernel/trace/trace_hwlat.c index bff6c033d70e..64a98a5bb641 100644 --- a/kernel/trace/trace_hwlat.c +++ b/kernel/trace/trace_hwlat.c @@ -272,6 +272,7 @@ static bool disable_migrate; static void move_to_next_cpu(void) { struct cpumask *current_mask = &save_cpumask; + struct trace_array *tr = hwlat_trace; int next_cpu; if (disable_migrate) @@ -285,7 +286,7 @@ static void move_to_next_cpu(void) goto disable; get_online_cpus(); - cpumask_and(current_mask, cpu_online_mask, tracing_buffer_mask); + cpumask_and(current_mask, cpu_online_mask, tr->tracing_cpumask); next_cpu = cpumask_next(smp_processor_id(), current_mask); put_online_cpus(); @@ -359,7 +360,7 @@ static int start_kthread(struct trace_array *tr) /* Just pick the first CPU on first iteration */ current_mask = &save_cpumask; get_online_cpus(); - cpumask_and(current_mask, cpu_online_mask, tracing_buffer_mask); + cpumask_and(current_mask, cpu_online_mask, tr->tracing_cpumask); put_online_cpus(); next_cpu = cpumask_first(current_mask); From c9e38a3cc4b3917ae59a9446fa56bda05f1ab43d Mon Sep 17 00:00:00 2001 From: "Steven Rostedt (VMware)" Date: Tue, 4 Aug 2020 20:00:02 -0400 Subject: [PATCH 345/386] tracing: Use trace_sched_process_free() instead of exit() for pid tracing commit afcab636657421f7ebfa0783a91f90256bba0091 upstream. On exit, if a process is preempted after the trace_sched_process_exit() tracepoint but before the process is done exiting, then when it gets scheduled in, the function tracers will not filter it properly against the function tracing pid filters. That is because the function tracing pid filters hooks to the sched_process_exit() tracepoint to remove the exiting task's pid from the filter list. Because the filtering happens at the sched_switch tracepoint, when the exiting task schedules back in to finish up the exit, it will no longer be in the function pid filtering tables. This was noticeable in the notrace self tests on a preemptable kernel, as the tests would fail as it exits and preempted after being taken off the notrace filter table and on scheduling back in it would not be in the notrace list, and then the ending of the exit function would trace. The test detected this and would fail. Cc: stable@vger.kernel.org Cc: Namhyung Kim Fixes: 1e10486ffee0a ("ftrace: Add 'function-fork' trace option") Fixes: c37775d57830a ("tracing: Add infrastructure to allow set_event_pid to follow children" Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Greg Kroah-Hartman --- kernel/trace/ftrace.c | 4 ++-- kernel/trace/trace_events.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 9e831623d2de..7cbfccd2fb03 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -6242,12 +6242,12 @@ void ftrace_pid_follow_fork(struct trace_array *tr, bool enable) if (enable) { register_trace_sched_process_fork(ftrace_pid_follow_sched_process_fork, tr); - register_trace_sched_process_exit(ftrace_pid_follow_sched_process_exit, + register_trace_sched_process_free(ftrace_pid_follow_sched_process_exit, tr); } else { unregister_trace_sched_process_fork(ftrace_pid_follow_sched_process_fork, tr); - unregister_trace_sched_process_exit(ftrace_pid_follow_sched_process_exit, + unregister_trace_sched_process_free(ftrace_pid_follow_sched_process_exit, tr); } } diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 421166a39253..e72a44ecb81d 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -533,12 +533,12 @@ void trace_event_follow_fork(struct trace_array *tr, bool enable) if (enable) { register_trace_prio_sched_process_fork(event_filter_pid_sched_process_fork, tr, INT_MIN); - register_trace_prio_sched_process_exit(event_filter_pid_sched_process_exit, + register_trace_prio_sched_process_free(event_filter_pid_sched_process_exit, tr, INT_MAX); } else { unregister_trace_sched_process_fork(event_filter_pid_sched_process_fork, tr); - unregister_trace_sched_process_exit(event_filter_pid_sched_process_exit, + unregister_trace_sched_process_free(event_filter_pid_sched_process_exit, tr); } } From e60f0961e9c706fc92017b4cace9d6ce347b0532 Mon Sep 17 00:00:00 2001 From: Ahmad Fatoum Date: Thu, 11 Jun 2020 21:17:43 +0200 Subject: [PATCH 346/386] watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in watchdog_info.options commit e871e93fb08a619dfc015974a05768ed6880fd82 upstream. The driver supports populating bootstatus with WDIOF_CARDRESET, but so far userspace couldn't portably determine whether absence of this flag meant no watchdog reset or no driver support. Or-in the bit to fix this. Fixes: b97cb21a4634 ("watchdog: f71808e_wdt: Fix WDTMOUT_STS register read") Cc: stable@vger.kernel.org Signed-off-by: Ahmad Fatoum Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20200611191750.28096-3-a.fatoum@pengutronix.de Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman --- drivers/watchdog/f71808e_wdt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c index 88cd2a52d8d3..2ad84c293b58 100644 --- a/drivers/watchdog/f71808e_wdt.c +++ b/drivers/watchdog/f71808e_wdt.c @@ -690,7 +690,8 @@ static int __init watchdog_init(int sioaddr) watchdog.sioaddr = sioaddr; watchdog.ident.options = WDIOC_SETTIMEOUT | WDIOF_MAGICCLOSE - | WDIOF_KEEPALIVEPING; + | WDIOF_KEEPALIVEPING + | WDIOF_CARDRESET; snprintf(watchdog.ident.identity, sizeof(watchdog.ident.identity), "%s watchdog", From 7aea136711435d20656761e9b83a2cec5fe37c9b Mon Sep 17 00:00:00 2001 From: Ahmad Fatoum Date: Thu, 11 Jun 2020 21:17:44 +0200 Subject: [PATCH 347/386] watchdog: f71808e_wdt: remove use of wrong watchdog_info option commit 802141462d844f2e6a4d63a12260d79b7afc4c34 upstream. The flags that should be or-ed into the watchdog_info.options by drivers all start with WDIOF_, e.g. WDIOF_SETTIMEOUT, which indicates that the driver's watchdog_ops has a usable set_timeout. WDIOC_SETTIMEOUT was used instead, which expands to 0xc0045706, which equals: WDIOF_FANFAULT | WDIOF_EXTERN1 | WDIOF_PRETIMEOUT | WDIOF_ALARMONLY | WDIOF_MAGICCLOSE | 0xc0045000 These were so far indicated to userspace on WDIOC_GETSUPPORT. As the driver has not yet been migrated to the new watchdog kernel API, the constant can just be dropped without substitute. Fixes: 96cb4eb019ce ("watchdog: f71808e_wdt: new watchdog driver for Fintek F71808E and F71882FG") Cc: stable@vger.kernel.org Signed-off-by: Ahmad Fatoum Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20200611191750.28096-4-a.fatoum@pengutronix.de Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman --- drivers/watchdog/f71808e_wdt.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c index 2ad84c293b58..49192b167fb4 100644 --- a/drivers/watchdog/f71808e_wdt.c +++ b/drivers/watchdog/f71808e_wdt.c @@ -688,8 +688,7 @@ static int __init watchdog_init(int sioaddr) * into the module have been registered yet. */ watchdog.sioaddr = sioaddr; - watchdog.ident.options = WDIOC_SETTIMEOUT - | WDIOF_MAGICCLOSE + watchdog.ident.options = WDIOF_MAGICCLOSE | WDIOF_KEEPALIVEPING | WDIOF_CARDRESET; From 88679b3b529101d43d0f9c6ec69f85adb46a60be Mon Sep 17 00:00:00 2001 From: Ahmad Fatoum Date: Thu, 11 Jun 2020 21:17:45 +0200 Subject: [PATCH 348/386] watchdog: f71808e_wdt: clear watchdog timeout occurred flag commit 4f39d575844148fbf3081571a1f3b4ae04150958 upstream. The flag indicating a watchdog timeout having occurred normally persists till Power-On Reset of the Fintek Super I/O chip. The user can clear it by writing a `1' to the bit. The driver doesn't offer a restart method, so regular system reboot might not reset the Super I/O and if the watchdog isn't enabled, we won't touch the register containing the bit on the next boot. In this case all subsequent regular reboots will be wrongly flagged by the driver as being caused by the watchdog. Fix this by having the flag cleared after read. This is also done by other drivers like those for the i6300esb and mpc8xxx_wdt. Fixes: b97cb21a4634 ("watchdog: f71808e_wdt: Fix WDTMOUT_STS register read") Cc: stable@vger.kernel.org Signed-off-by: Ahmad Fatoum Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20200611191750.28096-5-a.fatoum@pengutronix.de Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman --- drivers/watchdog/f71808e_wdt.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c index 49192b167fb4..ae4974701e5c 100644 --- a/drivers/watchdog/f71808e_wdt.c +++ b/drivers/watchdog/f71808e_wdt.c @@ -704,6 +704,13 @@ static int __init watchdog_init(int sioaddr) wdt_conf = superio_inb(sioaddr, F71808FG_REG_WDT_CONF); watchdog.caused_reboot = wdt_conf & BIT(F71808FG_FLAG_WDTMOUT_STS); + /* + * We don't want WDTMOUT_STS to stick around till regular reboot. + * Write 1 to the bit to clear it to zero. + */ + superio_outb(sioaddr, F71808FG_REG_WDT_CONF, + wdt_conf | BIT(F71808FG_FLAG_WDTMOUT_STS)); + superio_exit(sioaddr); err = watchdog_set_timeout(timeout); From b8e3a27c37f887a5abc89a387f6a977722ce9cf5 Mon Sep 17 00:00:00 2001 From: Anton Blanchard Date: Wed, 15 Jul 2020 10:08:20 +1000 Subject: [PATCH 349/386] pseries: Fix 64 bit logical memory block panic commit 89c140bbaeee7a55ed0360a88f294ead2b95201b upstream. Booting with a 4GB LMB size causes us to panic: qemu-system-ppc64: OS terminated: OS panic: Memory block size not suitable: 0x0 Fix pseries_memory_block_size() to handle 64 bit LMBs. Cc: stable@vger.kernel.org Signed-off-by: Anton Blanchard Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200715000820.1255764-1-anton@ozlabs.org Signed-off-by: Greg Kroah-Hartman --- arch/powerpc/platforms/pseries/hotplug-memory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c index a0847be0b035..1a3cffdaa1e8 100644 --- a/arch/powerpc/platforms/pseries/hotplug-memory.c +++ b/arch/powerpc/platforms/pseries/hotplug-memory.c @@ -30,7 +30,7 @@ static bool rtas_hp_event; unsigned long pseries_memory_block_size(void) { struct device_node *np; - unsigned int memblock_size = MIN_MEMORY_BLOCK_SIZE; + u64 memblock_size = MIN_MEMORY_BLOCK_SIZE; struct resource r; np = of_find_node_by_path("/ibm,dynamic-reconfiguration-memory"); From f3513136ffe0aa1c1a8b7f04a1ad09766414cbc7 Mon Sep 17 00:00:00 2001 From: Adrian Hunter Date: Fri, 10 Jul 2020 18:10:53 +0300 Subject: [PATCH 350/386] perf intel-pt: Fix FUP packet state commit 401136bb084fd021acd9f8c51b52fe0a25e326b2 upstream. While walking code towards a FUP ip, the packet state is INTEL_PT_STATE_FUP or INTEL_PT_STATE_FUP_NO_TIP. That was mishandled resulting in the state becoming INTEL_PT_STATE_IN_SYNC prematurely. The result was an occasional lost EXSTOP event. Signed-off-by: Adrian Hunter Reviewed-by: Andi Kleen Cc: Jiri Olsa Cc: stable@vger.kernel.org Link: http://lore.kernel.org/lkml/20200710151104.15137-2-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman --- .../util/intel-pt-decoder/intel-pt-decoder.c | 21 +++++++------------ 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c index 4357141c7c92..6522b6513895 100644 --- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c @@ -1129,6 +1129,7 @@ static int intel_pt_walk_fup(struct intel_pt_decoder *decoder) return 0; if (err == -EAGAIN || intel_pt_fup_with_nlip(decoder, &intel_pt_insn, ip, err)) { + decoder->pkt_state = INTEL_PT_STATE_IN_SYNC; if (intel_pt_fup_event(decoder)) return 0; return -EAGAIN; @@ -1780,17 +1781,13 @@ next: } if (decoder->set_fup_mwait) no_tip = true; + if (no_tip) + decoder->pkt_state = INTEL_PT_STATE_FUP_NO_TIP; + else + decoder->pkt_state = INTEL_PT_STATE_FUP; err = intel_pt_walk_fup(decoder); - if (err != -EAGAIN) { - if (err) - return err; - if (no_tip) - decoder->pkt_state = - INTEL_PT_STATE_FUP_NO_TIP; - else - decoder->pkt_state = INTEL_PT_STATE_FUP; - return 0; - } + if (err != -EAGAIN) + return err; if (no_tip) { no_tip = false; break; @@ -2375,15 +2372,11 @@ const struct intel_pt_state *intel_pt_decode(struct intel_pt_decoder *decoder) err = intel_pt_walk_tip(decoder); break; case INTEL_PT_STATE_FUP: - decoder->pkt_state = INTEL_PT_STATE_IN_SYNC; err = intel_pt_walk_fup(decoder); if (err == -EAGAIN) err = intel_pt_walk_fup_tip(decoder); - else if (!err) - decoder->pkt_state = INTEL_PT_STATE_FUP; break; case INTEL_PT_STATE_FUP_NO_TIP: - decoder->pkt_state = INTEL_PT_STATE_IN_SYNC; err = intel_pt_walk_fup(decoder); if (err == -EAGAIN) err = intel_pt_walk_trace(decoder); From 81c62cae5e0a93f5e4fc618a28a22ef700a5eebd Mon Sep 17 00:00:00 2001 From: Liu Ying Date: Thu, 9 Jul 2020 10:28:52 +0800 Subject: [PATCH 351/386] drm/imx: imx-ldb: Disable both channels for split mode in enc->disable() commit 3b2a999582c467d1883716b37ffcc00178a13713 upstream. Both of the two LVDS channels should be disabled for split mode in the encoder's ->disable() callback, because they are enabled in the encoder's ->enable() callback. Fixes: 6556f7f82b9c ("drm: imx: Move imx-drm driver out of staging") Cc: Philipp Zabel Cc: Sascha Hauer Cc: Pengutronix Kernel Team Cc: NXP Linux Team Cc: Signed-off-by: Liu Ying Signed-off-by: Philipp Zabel Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/imx/imx-ldb.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/imx/imx-ldb.c b/drivers/gpu/drm/imx/imx-ldb.c index 4f2e6c7e04c1..d38648a7ef2d 100644 --- a/drivers/gpu/drm/imx/imx-ldb.c +++ b/drivers/gpu/drm/imx/imx-ldb.c @@ -311,18 +311,19 @@ static void imx_ldb_encoder_disable(struct drm_encoder *encoder) { struct imx_ldb_channel *imx_ldb_ch = enc_to_imx_ldb_ch(encoder); struct imx_ldb *ldb = imx_ldb_ch->ldb; + int dual = ldb->ldb_ctrl & LDB_SPLIT_MODE_EN; int mux, ret; drm_panel_disable(imx_ldb_ch->panel); - if (imx_ldb_ch == &ldb->channel[0]) + if (imx_ldb_ch == &ldb->channel[0] || dual) ldb->ldb_ctrl &= ~LDB_CH0_MODE_EN_MASK; - else if (imx_ldb_ch == &ldb->channel[1]) + if (imx_ldb_ch == &ldb->channel[1] || dual) ldb->ldb_ctrl &= ~LDB_CH1_MODE_EN_MASK; regmap_write(ldb->regmap, IOMUXC_GPR2, ldb->ldb_ctrl); - if (ldb->ldb_ctrl & LDB_SPLIT_MODE_EN) { + if (dual) { clk_disable_unprepare(ldb->clk[0]); clk_disable_unprepare(ldb->clk[1]); } From 545017c9c8c46a04236c964336a4bcea853b590c Mon Sep 17 00:00:00 2001 From: Charles Keepax Date: Mon, 15 Jun 2020 14:53:21 +0100 Subject: [PATCH 352/386] mfd: arizona: Ensure 32k clock is put on driver unbind and error [ Upstream commit ddff6c45b21d0437ce0c85f8ac35d7b5480513d7 ] Whilst it doesn't matter if the internal 32k clock register settings are cleaned up on exit, as the part will be turned off losing any settings, hence the driver hasn't historially bothered. The external clock should however be cleaned up, as it could cause clocks to be left on, and will at best generate a warning on unbind. Add clean up on both the probe error path and unbind for the 32k clock. Fixes: cdd8da8cc66b ("mfd: arizona: Add gating of external MCLKn clocks") Signed-off-by: Charles Keepax Signed-off-by: Lee Jones Signed-off-by: Sasha Levin --- drivers/mfd/arizona-core.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/drivers/mfd/arizona-core.c b/drivers/mfd/arizona-core.c index ad8a5296c50b..9aa33141e7f1 100644 --- a/drivers/mfd/arizona-core.c +++ b/drivers/mfd/arizona-core.c @@ -1528,6 +1528,15 @@ err_irq: arizona_irq_exit(arizona); err_pm: pm_runtime_disable(arizona->dev); + + switch (arizona->pdata.clk32k_src) { + case ARIZONA_32KZ_MCLK1: + case ARIZONA_32KZ_MCLK2: + arizona_clk32k_disable(arizona); + break; + default: + break; + } err_reset: arizona_enable_reset(arizona); regulator_disable(arizona->dcvdd); @@ -1550,6 +1559,15 @@ int arizona_dev_exit(struct arizona *arizona) regulator_disable(arizona->dcvdd); regulator_put(arizona->dcvdd); + switch (arizona->pdata.clk32k_src) { + case ARIZONA_32KZ_MCLK1: + case ARIZONA_32KZ_MCLK2: + arizona_clk32k_disable(arizona); + break; + default: + break; + } + mfd_remove_devices(arizona->dev); arizona_free_irq(arizona, ARIZONA_IRQ_UNDERCLOCKED, arizona); arizona_free_irq(arizona, ARIZONA_IRQ_OVERCLOCKED, arizona); From 198f9960a740be4cf66a995a41f8c56260cd3a61 Mon Sep 17 00:00:00 2001 From: Kamal Heib Date: Tue, 23 Jun 2020 13:52:36 +0300 Subject: [PATCH 353/386] RDMA/ipoib: Return void from ipoib_ib_dev_stop() [ Upstream commit 95a5631f6c9f3045f26245e6045244652204dfdb ] The return value from ipoib_ib_dev_stop() is always 0 - change it to be void. Link: https://lore.kernel.org/r/20200623105236.18683-1-kamalheib1@gmail.com Signed-off-by: Kamal Heib Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin --- drivers/infiniband/ulp/ipoib/ipoib.h | 2 +- drivers/infiniband/ulp/ipoib/ipoib_ib.c | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/infiniband/ulp/ipoib/ipoib.h b/drivers/infiniband/ulp/ipoib/ipoib.h index 4a5c7a07a631..268e23ba4a63 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib.h +++ b/drivers/infiniband/ulp/ipoib/ipoib.h @@ -509,7 +509,7 @@ void ipoib_ib_dev_cleanup(struct net_device *dev); int ipoib_ib_dev_open_default(struct net_device *dev); int ipoib_ib_dev_open(struct net_device *dev); -int ipoib_ib_dev_stop(struct net_device *dev); +void ipoib_ib_dev_stop(struct net_device *dev); void ipoib_ib_dev_up(struct net_device *dev); void ipoib_ib_dev_down(struct net_device *dev); int ipoib_ib_dev_stop_default(struct net_device *dev); diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c index d77e8e2ae05f..8e1f48fe6f2e 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c @@ -809,7 +809,7 @@ timeout: return 0; } -int ipoib_ib_dev_stop(struct net_device *dev) +void ipoib_ib_dev_stop(struct net_device *dev) { struct ipoib_dev_priv *priv = ipoib_priv(dev); @@ -817,8 +817,6 @@ int ipoib_ib_dev_stop(struct net_device *dev) clear_bit(IPOIB_FLAG_INITIALIZED, &priv->flags); ipoib_flush_ah(dev); - - return 0; } void ipoib_ib_tx_timer_func(unsigned long ctx) From abb9d1a281c6249aff4a144252f3176c5b1f8bc1 Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Wed, 8 Jul 2020 14:49:51 +0200 Subject: [PATCH 354/386] USB: serial: ftdi_sio: make process-packet buffer unsigned [ Upstream commit ab4cc4ef6724ea588e835fc1e764c4b4407a70b7 ] Use an unsigned type for the process-packet buffer argument and give it a more apt name. Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin --- drivers/usb/serial/ftdi_sio.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c index a962065227c4..4959fcac5e03 100644 --- a/drivers/usb/serial/ftdi_sio.c +++ b/drivers/usb/serial/ftdi_sio.c @@ -2042,12 +2042,12 @@ static int ftdi_prepare_write_buffer(struct usb_serial_port *port, #define FTDI_RS_ERR_MASK (FTDI_RS_BI | FTDI_RS_PE | FTDI_RS_FE | FTDI_RS_OE) static int ftdi_process_packet(struct usb_serial_port *port, - struct ftdi_private *priv, char *packet, int len) + struct ftdi_private *priv, unsigned char *buf, int len) { + unsigned char status; + unsigned char *ch; int i; - char status; char flag; - char *ch; if (len < 2) { dev_dbg(&port->dev, "malformed packet\n"); @@ -2057,7 +2057,7 @@ static int ftdi_process_packet(struct usb_serial_port *port, /* Compare new line status to the old one, signal if different/ N.B. packet may be processed more than once, but differences are only processed once. */ - status = packet[0] & FTDI_STATUS_B0_MASK; + status = buf[0] & FTDI_STATUS_B0_MASK; if (status != priv->prev_status) { char diff_status = status ^ priv->prev_status; @@ -2083,7 +2083,7 @@ static int ftdi_process_packet(struct usb_serial_port *port, } /* save if the transmitter is empty or not */ - if (packet[1] & FTDI_RS_TEMT) + if (buf[1] & FTDI_RS_TEMT) priv->transmit_empty = 1; else priv->transmit_empty = 0; @@ -2097,29 +2097,29 @@ static int ftdi_process_packet(struct usb_serial_port *port, * data payload to avoid over-reporting. */ flag = TTY_NORMAL; - if (packet[1] & FTDI_RS_ERR_MASK) { + if (buf[1] & FTDI_RS_ERR_MASK) { /* Break takes precedence over parity, which takes precedence * over framing errors */ - if (packet[1] & FTDI_RS_BI) { + if (buf[1] & FTDI_RS_BI) { flag = TTY_BREAK; port->icount.brk++; usb_serial_handle_break(port); - } else if (packet[1] & FTDI_RS_PE) { + } else if (buf[1] & FTDI_RS_PE) { flag = TTY_PARITY; port->icount.parity++; - } else if (packet[1] & FTDI_RS_FE) { + } else if (buf[1] & FTDI_RS_FE) { flag = TTY_FRAME; port->icount.frame++; } /* Overrun is special, not associated with a char */ - if (packet[1] & FTDI_RS_OE) { + if (buf[1] & FTDI_RS_OE) { port->icount.overrun++; tty_insert_flip_char(&port->port, 0, TTY_OVERRUN); } } port->icount.rx += len; - ch = packet + 2; + ch = buf + 2; if (port->port.console && port->sysrq) { for (i = 0; i < len; i++, ch++) { From 4e4eaf895b5217e8933f0c3536bbc9e12d049e2f Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Wed, 8 Jul 2020 14:49:52 +0200 Subject: [PATCH 355/386] USB: serial: ftdi_sio: clean up receive processing [ Upstream commit ce054039ba5e47b75a3be02a00274e52b06a6456 ] Clean up receive processing by dropping the character pointer and keeping the length argument unchanged throughout the function. Also make it more apparent that sysrq processing can consume a characters by adding an explicit continue. Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Sasha Levin --- drivers/usb/serial/ftdi_sio.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c index 4959fcac5e03..8abb30c797d3 100644 --- a/drivers/usb/serial/ftdi_sio.c +++ b/drivers/usb/serial/ftdi_sio.c @@ -2045,7 +2045,6 @@ static int ftdi_process_packet(struct usb_serial_port *port, struct ftdi_private *priv, unsigned char *buf, int len) { unsigned char status; - unsigned char *ch; int i; char flag; @@ -2088,8 +2087,7 @@ static int ftdi_process_packet(struct usb_serial_port *port, else priv->transmit_empty = 0; - len -= 2; - if (!len) + if (len == 2) return 0; /* status only */ /* @@ -2118,19 +2116,20 @@ static int ftdi_process_packet(struct usb_serial_port *port, } } - port->icount.rx += len; - ch = buf + 2; + port->icount.rx += len - 2; if (port->port.console && port->sysrq) { - for (i = 0; i < len; i++, ch++) { - if (!usb_serial_handle_sysrq_char(port, *ch)) - tty_insert_flip_char(&port->port, *ch, flag); + for (i = 2; i < len; i++) { + if (usb_serial_handle_sysrq_char(port, buf[i])) + continue; + tty_insert_flip_char(&port->port, buf[i], flag); } } else { - tty_insert_flip_string_fixed_flag(&port->port, ch, flag, len); + tty_insert_flip_string_fixed_flag(&port->port, buf + 2, flag, + len - 2); } - return len; + return len - 2; } static void ftdi_process_read_urb(struct urb *urb) From 24e014e194b66d5535163e3efc25da650a0120d8 Mon Sep 17 00:00:00 2001 From: Steve Longerbeam Date: Wed, 17 Jun 2020 15:40:37 -0700 Subject: [PATCH 356/386] gpu: ipu-v3: image-convert: Combine rotate/no-rotate irq handlers [ Upstream commit 0f6245f42ce9b7e4d20f2cda8d5f12b55a44d7d1 ] Combine the rotate_irq() and norotate_irq() handlers into a single eof_irq() handler. Signed-off-by: Steve Longerbeam Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin --- drivers/gpu/ipu-v3/ipu-image-convert.c | 60 +++++++++----------------- 1 file changed, 21 insertions(+), 39 deletions(-) diff --git a/drivers/gpu/ipu-v3/ipu-image-convert.c b/drivers/gpu/ipu-v3/ipu-image-convert.c index a5e33d58e02f..d2f9e6552267 100644 --- a/drivers/gpu/ipu-v3/ipu-image-convert.c +++ b/drivers/gpu/ipu-v3/ipu-image-convert.c @@ -992,38 +992,7 @@ done: return IRQ_WAKE_THREAD; } -static irqreturn_t norotate_irq(int irq, void *data) -{ - struct ipu_image_convert_chan *chan = data; - struct ipu_image_convert_ctx *ctx; - struct ipu_image_convert_run *run; - unsigned long flags; - irqreturn_t ret; - - spin_lock_irqsave(&chan->irqlock, flags); - - /* get current run and its context */ - run = chan->current_run; - if (!run) { - ret = IRQ_NONE; - goto out; - } - - ctx = run->ctx; - - if (ipu_rot_mode_is_irt(ctx->rot_mode)) { - /* this is a rotation operation, just ignore */ - spin_unlock_irqrestore(&chan->irqlock, flags); - return IRQ_HANDLED; - } - - ret = do_irq(run); -out: - spin_unlock_irqrestore(&chan->irqlock, flags); - return ret; -} - -static irqreturn_t rotate_irq(int irq, void *data) +static irqreturn_t eof_irq(int irq, void *data) { struct ipu_image_convert_chan *chan = data; struct ipu_image_convert_priv *priv = chan->priv; @@ -1043,11 +1012,24 @@ static irqreturn_t rotate_irq(int irq, void *data) ctx = run->ctx; - if (!ipu_rot_mode_is_irt(ctx->rot_mode)) { - /* this was NOT a rotation operation, shouldn't happen */ - dev_err(priv->ipu->dev, "Unexpected rotation interrupt\n"); - spin_unlock_irqrestore(&chan->irqlock, flags); - return IRQ_HANDLED; + if (irq == chan->out_eof_irq) { + if (ipu_rot_mode_is_irt(ctx->rot_mode)) { + /* this is a rotation op, just ignore */ + ret = IRQ_HANDLED; + goto out; + } + } else if (irq == chan->rot_out_eof_irq) { + if (!ipu_rot_mode_is_irt(ctx->rot_mode)) { + /* this was NOT a rotation op, shouldn't happen */ + dev_err(priv->ipu->dev, + "Unexpected rotation interrupt\n"); + ret = IRQ_HANDLED; + goto out; + } + } else { + dev_err(priv->ipu->dev, "Received unknown irq %d\n", irq); + ret = IRQ_NONE; + goto out; } ret = do_irq(run); @@ -1142,7 +1124,7 @@ static int get_ipu_resources(struct ipu_image_convert_chan *chan) chan->out_chan, IPU_IRQ_EOF); - ret = request_threaded_irq(chan->out_eof_irq, norotate_irq, do_bh, + ret = request_threaded_irq(chan->out_eof_irq, eof_irq, do_bh, 0, "ipu-ic", chan); if (ret < 0) { dev_err(priv->ipu->dev, "could not acquire irq %d\n", @@ -1155,7 +1137,7 @@ static int get_ipu_resources(struct ipu_image_convert_chan *chan) chan->rotation_out_chan, IPU_IRQ_EOF); - ret = request_threaded_irq(chan->rot_out_eof_irq, rotate_irq, do_bh, + ret = request_threaded_irq(chan->rot_out_eof_irq, eof_irq, do_bh, 0, "ipu-ic", chan); if (ret < 0) { dev_err(priv->ipu->dev, "could not acquire irq %d\n", From b0a52e5dbb0e731d4b069eacab91d737201a90f2 Mon Sep 17 00:00:00 2001 From: Ming Lei Date: Fri, 19 Jun 2020 16:42:14 +0800 Subject: [PATCH 357/386] dm rq: don't call blk_mq_queue_stopped() in dm_stop_queue() [ Upstream commit e766668c6cd49d741cfb49eaeb38998ba34d27bc ] dm_stop_queue() only uses blk_mq_quiesce_queue() so it doesn't formally stop the blk-mq queue; therefore there is no point making the blk_mq_queue_stopped() check -- it will never be stopped. In addition, even though dm_stop_queue() actually tries to quiesce hw queues via blk_mq_quiesce_queue(), checking with blk_queue_quiesced() to avoid unnecessary queue quiesce isn't reliable because: the QUEUE_FLAG_QUIESCED flag is set before synchronize_rcu() and dm_stop_queue() may be called when synchronize_rcu() from another blk_mq_quiesce_queue() is in-progress. Fixes: 7b17c2f7292ba ("dm: Fix a race condition related to stopping and starting queues") Signed-off-by: Ming Lei Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin --- drivers/md/dm-rq.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/md/dm-rq.c b/drivers/md/dm-rq.c index eadfcfd106ff..cac8ec16e603 100644 --- a/drivers/md/dm-rq.c +++ b/drivers/md/dm-rq.c @@ -95,9 +95,6 @@ static void dm_old_stop_queue(struct request_queue *q) static void dm_mq_stop_queue(struct request_queue *q) { - if (blk_mq_queue_stopped(q)) - return; - blk_mq_quiesce_queue(q); } From 6b3916435f76fd092e0a14dfc968a7ed45e6e9d5 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Tue, 14 Jul 2020 20:22:11 +0100 Subject: [PATCH 358/386] iommu/omap: Check for failure of a call to omap_iommu_dump_ctx [ Upstream commit dee9d154f40c58d02f69acdaa5cfd1eae6ebc28b ] It is possible for the call to omap_iommu_dump_ctx to return a negative error number, so check for the failure and return the error number rather than pass the negative value to simple_read_from_buffer. Fixes: 14e0e6796a0d ("OMAP: iommu: add initial debugfs support") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20200714192211.744776-1-colin.king@canonical.com Addresses-Coverity: ("Improper use of negative value") Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin --- drivers/iommu/omap-iommu-debug.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c index 505548aafeff..cec33e90e399 100644 --- a/drivers/iommu/omap-iommu-debug.c +++ b/drivers/iommu/omap-iommu-debug.c @@ -101,8 +101,11 @@ static ssize_t debug_read_regs(struct file *file, char __user *userbuf, mutex_lock(&iommu_debug_lock); bytes = omap_iommu_dump_ctx(obj, p, count); + if (bytes < 0) + goto err; bytes = simple_read_from_buffer(userbuf, count, ppos, buf, bytes); +err: mutex_unlock(&iommu_debug_lock); kfree(buf); From 40f782ead6b1d0bcebff304a6a55d10d7ebcb275 Mon Sep 17 00:00:00 2001 From: Liu Yi L Date: Fri, 24 Jul 2020 09:49:14 +0800 Subject: [PATCH 359/386] iommu/vt-d: Enforce PASID devTLB field mask [ Upstream commit 5f77d6ca5ca74e4b4a5e2e010f7ff50c45dea326 ] Set proper masks to avoid invalid input spillover to reserved bits. Signed-off-by: Liu Yi L Signed-off-by: Jacob Pan Signed-off-by: Lu Baolu Reviewed-by: Eric Auger Link: https://lore.kernel.org/r/20200724014925.15523-2-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin --- include/linux/intel-iommu.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/intel-iommu.h b/include/linux/intel-iommu.h index 4def15c32a01..d2364ba99f6c 100644 --- a/include/linux/intel-iommu.h +++ b/include/linux/intel-iommu.h @@ -304,8 +304,8 @@ enum { #define QI_DEV_EIOTLB_ADDR(a) ((u64)(a) & VTD_PAGE_MASK) #define QI_DEV_EIOTLB_SIZE (((u64)1) << 11) -#define QI_DEV_EIOTLB_GLOB(g) ((u64)g) -#define QI_DEV_EIOTLB_PASID(p) (((u64)p) << 32) +#define QI_DEV_EIOTLB_GLOB(g) ((u64)(g) & 0x1) +#define QI_DEV_EIOTLB_PASID(p) ((u64)((p) & 0xfffff) << 32) #define QI_DEV_EIOTLB_SID(sid) ((u64)((sid) & 0xffff) << 16) #define QI_DEV_EIOTLB_QDEP(qd) ((u64)((qd) & 0x1f) << 4) #define QI_DEV_EIOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | \ From b52fc176607f1f4607bf5a23ae64334474938baa Mon Sep 17 00:00:00 2001 From: Wolfram Sang Date: Mon, 29 Jun 2020 17:38:07 +0200 Subject: [PATCH 360/386] i2c: rcar: slave: only send STOP event when we have been addressed [ Upstream commit 314139f9f0abdba61ed9a8463bbcb0bf900ac5a2 ] When the SSR interrupt is activated, it will detect every STOP condition on the bus, not only the ones after we have been addressed. So, enable this interrupt only after we have been addressed, and disable it otherwise. Fixes: de20d1857dd6 ("i2c: rcar: add slave support") Signed-off-by: Wolfram Sang Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin --- drivers/i2c/busses/i2c-rcar.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c index db9ca8e926ca..07305304712e 100644 --- a/drivers/i2c/busses/i2c-rcar.c +++ b/drivers/i2c/busses/i2c-rcar.c @@ -538,13 +538,14 @@ static bool rcar_i2c_slave_irq(struct rcar_i2c_priv *priv) rcar_i2c_write(priv, ICSIER, SDR | SSR | SAR); } - rcar_i2c_write(priv, ICSSR, ~SAR & 0xff); + /* Clear SSR, too, because of old STOPs to other clients than us */ + rcar_i2c_write(priv, ICSSR, ~(SAR | SSR) & 0xff); } /* master sent stop */ if (ssr_filtered & SSR) { i2c_slave_event(priv->slave, I2C_SLAVE_STOP, &value); - rcar_i2c_write(priv, ICSIER, SAR | SSR); + rcar_i2c_write(priv, ICSIER, SAR); rcar_i2c_write(priv, ICSSR, ~SSR & 0xff); } @@ -802,7 +803,7 @@ static int rcar_reg_slave(struct i2c_client *slave) priv->slave = slave; rcar_i2c_write(priv, ICSAR, slave->addr); rcar_i2c_write(priv, ICSSR, 0); - rcar_i2c_write(priv, ICSIER, SAR | SSR); + rcar_i2c_write(priv, ICSIER, SAR); rcar_i2c_write(priv, ICSCR, SIE | SDBS); return 0; From f8d95b2ac42e76967e635bc1d6e0855b22369310 Mon Sep 17 00:00:00 2001 From: Xu Wang Date: Mon, 13 Jul 2020 03:21:43 +0000 Subject: [PATCH 361/386] clk: clk-atlas6: fix return value check in atlas6_clk_init() [ Upstream commit 12b90b40854a8461a02ef19f6f4474cc88d64b66 ] In case of error, the function clk_register() returns ERR_PTR() and never returns NULL. The NULL test in the return value check should be replaced with IS_ERR(). Signed-off-by: Xu Wang Link: https://lore.kernel.org/r/20200713032143.21362-1-vulab@iscas.ac.cn Acked-by: Barry Song Fixes: 7bf21bc81f28 ("clk: sirf: re-arch to make the codes support both prima2 and atlas6") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin --- drivers/clk/sirf/clk-atlas6.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/clk/sirf/clk-atlas6.c b/drivers/clk/sirf/clk-atlas6.c index 665fa681b2e1..1e6bdf22c3b6 100644 --- a/drivers/clk/sirf/clk-atlas6.c +++ b/drivers/clk/sirf/clk-atlas6.c @@ -136,7 +136,7 @@ static void __init atlas6_clk_init(struct device_node *np) for (i = pll1; i < maxclk; i++) { atlas6_clks[i] = clk_register(NULL, atlas6_clk_hw_array[i]); - BUG_ON(!atlas6_clks[i]); + BUG_ON(IS_ERR(atlas6_clks[i])); } clk_register_clkdev(atlas6_clks[cpu], NULL, "cpu"); clk_register_clkdev(atlas6_clks[io], NULL, "io"); From b215b29ca28c4b9e909662c2443e0477b0d19bd9 Mon Sep 17 00:00:00 2001 From: Rayagonda Kokatanur Date: Fri, 17 Jul 2020 21:46:06 -0700 Subject: [PATCH 362/386] pwm: bcm-iproc: handle clk_get_rate() return MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 6ced5ff0be8e94871ba846dfbddf69d21363f3d7 ] Handle clk_get_rate() returning 0 to avoid possible division by zero. Fixes: daa5abc41c80 ("pwm: Add support for Broadcom iProc PWM controller") Signed-off-by: Rayagonda Kokatanur Signed-off-by: Scott Branden Reviewed-by: Ray Jui Reviewed-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin --- drivers/pwm/pwm-bcm-iproc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/pwm/pwm-bcm-iproc.c b/drivers/pwm/pwm-bcm-iproc.c index 31b01035d0ab..8cfba3614e60 100644 --- a/drivers/pwm/pwm-bcm-iproc.c +++ b/drivers/pwm/pwm-bcm-iproc.c @@ -85,8 +85,6 @@ static void iproc_pwmc_get_state(struct pwm_chip *chip, struct pwm_device *pwm, u64 tmp, multi, rate; u32 value, prescale; - rate = clk_get_rate(ip->clk); - value = readl(ip->base + IPROC_PWM_CTRL_OFFSET); if (value & BIT(IPROC_PWM_CTRL_EN_SHIFT(pwm->hwpwm))) @@ -99,6 +97,13 @@ static void iproc_pwmc_get_state(struct pwm_chip *chip, struct pwm_device *pwm, else state->polarity = PWM_POLARITY_INVERSED; + rate = clk_get_rate(ip->clk); + if (rate == 0) { + state->period = 0; + state->duty_cycle = 0; + return; + } + value = readl(ip->base + IPROC_PWM_PRESCALE_OFFSET); prescale = value >> IPROC_PWM_PRESCALE_SHIFT(pwm->hwpwm); prescale &= IPROC_PWM_PRESCALE_MAX; From 0999f2835cd4ecb5e6374d86d57a2e041333a504 Mon Sep 17 00:00:00 2001 From: Thomas Hebb Date: Sun, 26 Jul 2020 21:08:14 -0700 Subject: [PATCH 363/386] tools build feature: Use CC and CXX from parent [ Upstream commit e3232c2f39acafd5a29128425bc30b9884642cfa ] commit c8c188679ccf ("tools build: Use the same CC for feature detection and actual build") changed these assignments from unconditional (:=) to conditional (?=) so that they wouldn't clobber values from the environment. However, conditional assignment does not work properly for variables that Make implicitly sets, among which are CC and CXX. To quote tools/scripts/Makefile.include, which handles this properly: # Makefiles suck: This macro sets a default value of $(2) for the # variable named by $(1), unless the variable has been set by # environment or command line. This is necessary for CC and AR # because make sets default values, so the simpler ?= approach # won't work as expected. In other words, the conditional assignments will not run even if the variables are not overridden in the environment; Make will set CC to "cc" and CXX to "g++" when it starts[1], meaning the variables are not empty by the time the conditional assignments are evaluated. This breaks cross-compilation when CROSS_COMPILE is set but CC isn't, since "cc" gets used for feature detection instead of the cross compiler (and likewise for CXX). To fix the issue, just pass down the values of CC and CXX computed by the parent Makefile, which gets included by the Makefile that actually builds whatever we're detecting features for and so is guaranteed to have good values. This is a better solution anyway, since it means we aren't trying to replicate the logic of the parent build system and so don't risk it getting out of sync. Leave PKG_CONFIG alone, since 1) there's no common logic to compute it in Makefile.include, and 2) it's not an implicit variable, so conditional assignment works properly. [1] https://www.gnu.org/software/make/manual/html_node/Implicit-Variables.html Fixes: c8c188679ccf ("tools build: Use the same CC for feature detection and actual build") Signed-off-by: Thomas Hebb Acked-by: Jiri Olsa Cc: David Carrillo-Cisneros Cc: Ian Rogers Cc: Igor Lubashev Cc: Namhyung Kim Cc: Quentin Monnet Cc: Song Liu Cc: Stephane Eranian Cc: thomas hebb Link: http://lore.kernel.org/lkml/0a6e69d1736b0fa231a648f50b0cce5d8a6734ef.1595822871.git.tommyhebb@gmail.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin --- tools/build/Makefile.feature | 2 +- tools/build/feature/Makefile | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/tools/build/Makefile.feature b/tools/build/Makefile.feature index c71a05b9c984..a2389f0c0b1c 100644 --- a/tools/build/Makefile.feature +++ b/tools/build/Makefile.feature @@ -7,7 +7,7 @@ endif feature_check = $(eval $(feature_check_code)) define feature_check_code - feature-$(1) := $(shell $(MAKE) OUTPUT=$(OUTPUT_FEATURES) CFLAGS="$(EXTRA_CFLAGS) $(FEATURE_CHECK_CFLAGS-$(1))" CXXFLAGS="$(EXTRA_CXXFLAGS) $(FEATURE_CHECK_CXXFLAGS-$(1))" LDFLAGS="$(LDFLAGS) $(FEATURE_CHECK_LDFLAGS-$(1))" -C $(feature_dir) $(OUTPUT_FEATURES)test-$1.bin >/dev/null 2>/dev/null && echo 1 || echo 0) + feature-$(1) := $(shell $(MAKE) OUTPUT=$(OUTPUT_FEATURES) CC=$(CC) CXX=$(CXX) CFLAGS="$(EXTRA_CFLAGS) $(FEATURE_CHECK_CFLAGS-$(1))" CXXFLAGS="$(EXTRA_CXXFLAGS) $(FEATURE_CHECK_CXXFLAGS-$(1))" LDFLAGS="$(LDFLAGS) $(FEATURE_CHECK_LDFLAGS-$(1))" -C $(feature_dir) $(OUTPUT_FEATURES)test-$1.bin >/dev/null 2>/dev/null && echo 1 || echo 0) endef feature_set = $(eval $(feature_set_code)) diff --git a/tools/build/feature/Makefile b/tools/build/feature/Makefile index 96982640fbf8..26316749e594 100644 --- a/tools/build/feature/Makefile +++ b/tools/build/feature/Makefile @@ -55,8 +55,6 @@ FILES= \ FILES := $(addprefix $(OUTPUT),$(FILES)) -CC ?= $(CROSS_COMPILE)gcc -CXX ?= $(CROSS_COMPILE)g++ PKG_CONFIG ?= $(CROSS_COMPILE)pkg-config LLVM_CONFIG ?= llvm-config From 104f1552c137aa53401d5ef9d8b83f1741fee9bf Mon Sep 17 00:00:00 2001 From: Wolfram Sang Date: Sun, 26 Jul 2020 18:16:06 +0200 Subject: [PATCH 364/386] i2c: rcar: avoid race when unregistering slave MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit c7c9e914f9a0478fba4dc6f227cfd69cf84a4063 ] Due to the lockless design of the driver, it is theoretically possible to access a NULL pointer, if a slave interrupt was running while we were unregistering the slave. To make this rock solid, disable the interrupt for a short time while we are clearing the interrupt_enable register. This patch is purely based on code inspection. The OOPS is super-hard to trigger because clearing SAR (the address) makes interrupts even more unlikely to happen as well. While here, reinit SCR to SDBS because this bit should always be set according to documentation. There is no effect, though, because the interface is disabled. Fixes: 7b814d852af6 ("i2c: rcar: avoid race when unregistering slave client") Signed-off-by: Wolfram Sang Reviewed-by: Niklas Söderlund Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin --- drivers/i2c/busses/i2c-rcar.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c index 07305304712e..ed0f06810978 100644 --- a/drivers/i2c/busses/i2c-rcar.c +++ b/drivers/i2c/busses/i2c-rcar.c @@ -815,12 +815,14 @@ static int rcar_unreg_slave(struct i2c_client *slave) WARN_ON(!priv->slave); - /* disable irqs and ensure none is running before clearing ptr */ + /* ensure no irq is running before clearing ptr */ + disable_irq(priv->irq); rcar_i2c_write(priv, ICSIER, 0); - rcar_i2c_write(priv, ICSCR, 0); + rcar_i2c_write(priv, ICSSR, 0); + enable_irq(priv->irq); + rcar_i2c_write(priv, ICSCR, SDBS); rcar_i2c_write(priv, ICSAR, 0); /* Gen2: must be 0 if not using slave */ - synchronize_irq(priv->irq); priv->slave = NULL; pm_runtime_put(rcar_i2c_priv_to_dev(priv)); From 52fd3aad73a2eee08f3ef40ae25787896ba72b52 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Thu, 6 Aug 2020 15:35:34 -0700 Subject: [PATCH 365/386] Input: sentelic - fix error return when fsp_reg_write fails [ Upstream commit ea38f06e0291986eb93beb6d61fd413607a30ca4 ] Currently when the call to fsp_reg_write fails -EIO is not being returned because the count is being returned instead of the return value in retval. Fix this by returning the value in retval instead of count. Addresses-Coverity: ("Unused value") Fixes: fc69f4a6af49 ("Input: add new driver for Sentelic Finger Sensing Pad") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20200603141218.131663-1-colin.king@canonical.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin --- drivers/input/mouse/sentelic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/input/mouse/sentelic.c b/drivers/input/mouse/sentelic.c index 11c32ac8234b..779d0b9341c0 100644 --- a/drivers/input/mouse/sentelic.c +++ b/drivers/input/mouse/sentelic.c @@ -454,7 +454,7 @@ static ssize_t fsp_attr_set_setreg(struct psmouse *psmouse, void *data, fsp_reg_write_enable(psmouse, false); - return count; + return retval; } PSMOUSE_DEFINE_WO_ATTR(setreg, S_IWUSR, NULL, fsp_attr_set_setreg); From 9c8cd977d4752b43635b0e656d78745822c8c594 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 26 Jun 2020 13:34:37 +0300 Subject: [PATCH 366/386] drm/vmwgfx: Use correct vmw_legacy_display_unit pointer [ Upstream commit 1d2c0c565bc0da25f5e899a862fb58e612b222df ] The "entry" pointer is an offset from the list head and it doesn't point to a valid vmw_legacy_display_unit struct. Presumably the intent was to point to the last entry. Also the "i++" wasn't used so I have removed that as well. Fixes: d7e1958dbe4a ("drm/vmwgfx: Support older hardware.") Signed-off-by: Dan Carpenter Reviewed-by: Roland Scheidegger Signed-off-by: Roland Scheidegger Signed-off-by: Sasha Levin --- drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c index 3824595fece1..39f4ad0dab8d 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c @@ -79,7 +79,7 @@ static int vmw_ldu_commit_list(struct vmw_private *dev_priv) struct vmw_legacy_display_unit *entry; struct drm_framebuffer *fb = NULL; struct drm_crtc *crtc = NULL; - int i = 0; + int i; /* If there is no display topology the host just assumes * that the guest will set the same layout as the host. @@ -90,12 +90,11 @@ static int vmw_ldu_commit_list(struct vmw_private *dev_priv) crtc = &entry->base.crtc; w = max(w, crtc->x + crtc->mode.hdisplay); h = max(h, crtc->y + crtc->mode.vdisplay); - i++; } if (crtc == NULL) return 0; - fb = entry->base.crtc.primary->state->fb; + fb = crtc->primary->state->fb; return vmw_kms_write_svga(dev_priv, w, h, fb->pitches[0], fb->format->cpp[0] * 8, From f77fe42f1515de78a65fb3365b987207bfb84103 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 26 Jun 2020 13:39:59 +0300 Subject: [PATCH 367/386] drm/vmwgfx: Fix two list_for_each loop exit tests [ Upstream commit 4437c1152ce0e57ab8f401aa696ea6291cc07ab1 ] These if statements are supposed to be true if we ended the list_for_each_entry() loops without hitting a break statement but they don't work. In the first loop, we increment "i" after the "if (i == unit)" condition so we don't necessarily know that "i" is not equal to unit at the end of the loop. In the second loop we exit when mode is not pointing to a valid drm_display_mode struct so it doesn't make sense to check "mode->type". Fixes: a278724aa23c ("drm/vmwgfx: Implement fbdev on kms v2") Signed-off-by: Dan Carpenter Reviewed-by: Roland Scheidegger Signed-off-by: Roland Scheidegger Signed-off-by: Sasha Levin --- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index 11f1c30ead54..848c9d009be2 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -2707,7 +2707,7 @@ int vmw_kms_fbdev_init_data(struct vmw_private *dev_priv, ++i; } - if (i != unit) { + if (&con->head == &dev_priv->dev->mode_config.connector_list) { DRM_ERROR("Could not find initial display unit.\n"); return -EINVAL; } @@ -2729,13 +2729,13 @@ int vmw_kms_fbdev_init_data(struct vmw_private *dev_priv, break; } - if (mode->type & DRM_MODE_TYPE_PREFERRED) - *p_mode = mode; - else { + if (&mode->head == &con->modes) { WARN_ONCE(true, "Could not find initial preferred mode.\n"); *p_mode = list_first_entry(&con->modes, struct drm_display_mode, head); + } else { + *p_mode = mode; } return 0; From d9836942b4388a07e06b4adab253b8cb381ef385 Mon Sep 17 00:00:00 2001 From: Wang Hai Date: Mon, 10 Aug 2020 10:57:05 +0800 Subject: [PATCH 368/386] net: qcom/emac: add missed clk_disable_unprepare in error path of emac_clks_phase1_init [ Upstream commit 50caa777a3a24d7027748e96265728ce748b41ef ] Fix the missing clk_disable_unprepare() before return from emac_clks_phase1_init() in the error handling case. Fixes: b9b17debc69d ("net: emac: emac gigabit ethernet controller driver") Reported-by: Hulk Robot Signed-off-by: Wang Hai Acked-by: Timur Tabi Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ethernet/qualcomm/emac/emac.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c index 759543512117..5ab83751a471 100644 --- a/drivers/net/ethernet/qualcomm/emac/emac.c +++ b/drivers/net/ethernet/qualcomm/emac/emac.c @@ -493,13 +493,24 @@ static int emac_clks_phase1_init(struct platform_device *pdev, ret = clk_prepare_enable(adpt->clk[EMAC_CLK_CFG_AHB]); if (ret) - return ret; + goto disable_clk_axi; ret = clk_set_rate(adpt->clk[EMAC_CLK_HIGH_SPEED], 19200000); if (ret) - return ret; + goto disable_clk_cfg_ahb; - return clk_prepare_enable(adpt->clk[EMAC_CLK_HIGH_SPEED]); + ret = clk_prepare_enable(adpt->clk[EMAC_CLK_HIGH_SPEED]); + if (ret) + goto disable_clk_cfg_ahb; + + return 0; + +disable_clk_cfg_ahb: + clk_disable_unprepare(adpt->clk[EMAC_CLK_CFG_AHB]); +disable_clk_axi: + clk_disable_unprepare(adpt->clk[EMAC_CLK_AXI]); + + return ret; } /* Enable clocks; needs emac_clks_phase1_init to be called before */ From e4ddf4e58946c7dfe8568a21ee3d27b03d96bc56 Mon Sep 17 00:00:00 2001 From: Jeffrey Mitchell Date: Wed, 5 Aug 2020 12:23:19 -0500 Subject: [PATCH 369/386] nfs: Fix getxattr kernel panic and memory overflow [ Upstream commit b4487b93545214a9db8cbf32e86411677b0cca21 ] Move the buffer size check to decode_attr_security_label() before memcpy() Only call memcpy() if the buffer is large enough Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS") Signed-off-by: Jeffrey Mitchell [Trond: clean up duplicate test of label->len != 0] Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin --- fs/nfs/nfs4proc.c | 2 -- fs/nfs/nfs4xdr.c | 6 +++++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index a19bbcfab7c5..4cfb84119e01 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -5323,8 +5323,6 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf, return ret; if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL)) return -ENOENT; - if (buflen < label.len) - return -ERANGE; return 0; } diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c index 0b2d051990e9..3cd04c98da6b 100644 --- a/fs/nfs/nfs4xdr.c +++ b/fs/nfs/nfs4xdr.c @@ -4258,7 +4258,11 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap, goto out_overflow; if (len < NFS4_MAXLABELLEN) { if (label) { - memcpy(label->label, p, len); + if (label->len) { + if (label->len < len) + return -ERANGE; + memcpy(label->label, p, len); + } label->len = len; label->pi = pi; label->lfs = lfs; From 50d3cd6fedfc40345b018cc0552bb62a47e1a155 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Tue, 11 Aug 2020 18:35:53 -0700 Subject: [PATCH 370/386] fs/ufs: avoid potential u32 multiplication overflow [ Upstream commit 88b2e9b06381551b707d980627ad0591191f7a2d ] The 64 bit ino is being compared to the product of two u32 values, however, the multiplication is being performed using a 32 bit multiply so there is a potential of an overflow. To be fully safe, cast uspi->s_ncg to a u64 to ensure a 64 bit multiplication occurs to avoid any chance of overflow. Fixes: f3e2a520f5fb ("ufs: NFS support") Signed-off-by: Colin Ian King Signed-off-by: Andrew Morton Cc: Evgeniy Dushistov Cc: Alexey Dobriyan Link: http://lkml.kernel.org/r/20200715170355.1081713-1-colin.king@canonical.com Addresses-Coverity: ("Unintentional integer overflow") Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin --- fs/ufs/super.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ufs/super.c b/fs/ufs/super.c index 6440003f8ddc..e3f3a0df6027 100644 --- a/fs/ufs/super.c +++ b/fs/ufs/super.c @@ -99,7 +99,7 @@ static struct inode *ufs_nfs_get_inode(struct super_block *sb, u64 ino, u32 gene struct ufs_sb_private_info *uspi = UFS_SB(sb)->s_uspi; struct inode *inode; - if (ino < UFS_ROOTINO || ino > uspi->s_ncg * uspi->s_ipg) + if (ino < UFS_ROOTINO || ino > (u64)uspi->s_ncg * uspi->s_ipg) return ERR_PTR(-ESTALE); inode = ufs_iget(sb, ino); From 40e009db0712ff065471950990be766eddd2d53e Mon Sep 17 00:00:00 2001 From: Tiezhu Yang Date: Tue, 11 Aug 2020 18:36:16 -0700 Subject: [PATCH 371/386] test_kmod: avoid potential double free in trigger_config_run_type() [ Upstream commit 0776d1231bec0c7ab43baf440a3f5ef5f49dd795 ] Reset the member "test_fs" of the test configuration after a call of the function "kfree_const" to a null pointer so that a double memory release will not be performed. Fixes: d9c6a72d6fa2 ("kmod: add test driver to stress test the module loader") Signed-off-by: Tiezhu Yang Signed-off-by: Luis Chamberlain Signed-off-by: Andrew Morton Acked-by: Luis Chamberlain Cc: Alexei Starovoitov Cc: Al Viro Cc: Christian Brauner Cc: Chuck Lever Cc: David Howells Cc: David S. Miller Cc: Greg Kroah-Hartman Cc: Jakub Kicinski Cc: James Morris Cc: Jarkko Sakkinen Cc: J. Bruce Fields Cc: Jens Axboe Cc: Josh Triplett Cc: Kees Cook Cc: Lars Ellenberg Cc: Nikolay Aleksandrov Cc: Philipp Reisner Cc: Roopa Prabhu Cc: "Serge E. Hallyn" Cc: Sergei Trofimovich Cc: Sergey Kvachonok Cc: Shuah Khan Cc: Tony Vroon Cc: Christoph Hellwig Link: http://lkml.kernel.org/r/20200610154923.27510-4-mcgrof@kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin --- lib/test_kmod.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/test_kmod.c b/lib/test_kmod.c index cf619795a182..c0ce0156d54b 100644 --- a/lib/test_kmod.c +++ b/lib/test_kmod.c @@ -747,7 +747,7 @@ static int trigger_config_run_type(struct kmod_test_device *test_dev, break; case TEST_KMOD_FS_TYPE: kfree_const(config->test_fs); - config->test_driver = NULL; + config->test_fs = NULL; copied = config_copy_test_fs(config, test_str, strlen(test_str)); break; From d4c83f8e6490f2454dfc029dbdedb6bc7773d549 Mon Sep 17 00:00:00 2001 From: Andy Shevchenko Date: Thu, 23 Jul 2020 16:02:46 +0300 Subject: [PATCH 372/386] mfd: dln2: Run event handler loop under spinlock [ Upstream commit 3d858942250820b9adc35f963a257481d6d4c81d ] The event handler loop must be run with interrupts disabled. Otherwise we will have a warning: [ 1970.785649] irq 31 handler lineevent_irq_handler+0x0/0x20 enabled interrupts [ 1970.792739] WARNING: CPU: 0 PID: 0 at kernel/irq/handle.c:159 __handle_irq_event_percpu+0x162/0x170 [ 1970.860732] RIP: 0010:__handle_irq_event_percpu+0x162/0x170 ... [ 1970.946994] Call Trace: [ 1970.949446] [ 1970.951471] handle_irq_event_percpu+0x2c/0x80 [ 1970.955921] handle_irq_event+0x23/0x43 [ 1970.959766] handle_simple_irq+0x57/0x70 [ 1970.963695] generic_handle_irq+0x42/0x50 [ 1970.967717] dln2_rx+0xc1/0x210 [dln2] [ 1970.971479] ? usb_hcd_unmap_urb_for_dma+0xa6/0x1c0 [ 1970.976362] __usb_hcd_giveback_urb+0x77/0xe0 [ 1970.980727] usb_giveback_urb_bh+0x8e/0xe0 [ 1970.984837] tasklet_action_common.isra.0+0x4a/0xe0 ... Recently xHCI driver switched to tasklets in the commit 36dc01657b49 ("usb: host: xhci: Support running urb giveback in tasklet context"). The handle_irq_event_* functions are expected to be called with interrupts disabled and they rightfully complain here because we run in tasklet context with interrupts enabled. Use a event spinlock to protect event handler from being interrupted. Note, that there are only two users of this GPIO and ADC drivers and both of them are using generic_handle_irq() which makes above happen. Fixes: 338a12814297 ("mfd: Add support for Diolan DLN-2 devices") Signed-off-by: Andy Shevchenko Signed-off-by: Lee Jones Signed-off-by: Sasha Levin --- drivers/mfd/dln2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c index 672831d5ee32..97a69cd6f127 100644 --- a/drivers/mfd/dln2.c +++ b/drivers/mfd/dln2.c @@ -294,7 +294,11 @@ static void dln2_rx(struct urb *urb) len = urb->actual_length - sizeof(struct dln2_header); if (handle == DLN2_HANDLE_EVENT) { + unsigned long flags; + + spin_lock_irqsave(&dln2->event_cb_lock, flags); dln2_run_event_callbacks(dln2, id, echo, data, len); + spin_unlock_irqrestore(&dln2->event_cb_lock, flags); } else { /* URB will be re-submitted in _dln2_transfer (free_rx_slot) */ if (dln2_transfer_complete(dln2, urb, handle, echo)) From 8ef79789689b7c1126cc8c279c50738b0c01506a Mon Sep 17 00:00:00 2001 From: Dinghao Liu Date: Thu, 13 Aug 2020 15:46:30 +0800 Subject: [PATCH 373/386] ALSA: echoaudio: Fix potential Oops in snd_echo_resume() [ Upstream commit 5a25de6df789cc805a9b8ba7ab5deef5067af47e ] Freeing chip on error may lead to an Oops at the next time the system goes to resume. Fix this by removing all snd_echo_free() calls on error. Fixes: 47b5d028fdce8 ("ALSA: Echoaudio - Add suspend support #2") Signed-off-by: Dinghao Liu Link: https://lore.kernel.org/r/20200813074632.17022-1-dinghao.liu@zju.edu.cn Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin --- sound/pci/echoaudio/echoaudio.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/sound/pci/echoaudio/echoaudio.c b/sound/pci/echoaudio/echoaudio.c index e1f0bcd45c37..b58a098a7270 100644 --- a/sound/pci/echoaudio/echoaudio.c +++ b/sound/pci/echoaudio/echoaudio.c @@ -2215,7 +2215,6 @@ static int snd_echo_resume(struct device *dev) if (err < 0) { kfree(commpage_bak); dev_err(dev, "resume init_hw err=%d\n", err); - snd_echo_free(chip); return err; } @@ -2242,7 +2241,6 @@ static int snd_echo_resume(struct device *dev) if (request_irq(pci->irq, snd_echo_interrupt, IRQF_SHARED, KBUILD_MODNAME, chip)) { dev_err(chip->card->dev, "cannot grab irq\n"); - snd_echo_free(chip); return -EBUSY; } chip->irq = pci->irq; From 23e444f93405e0fce23795d4f64bae4c08d8a156 Mon Sep 17 00:00:00 2001 From: Vincent Whitchurch Date: Mon, 10 Aug 2020 15:34:04 +0200 Subject: [PATCH 374/386] perf bench mem: Always memset source before memcpy [ Upstream commit 1beaef29c34154ccdcb3f1ae557f6883eda18840 ] For memcpy, the source pages are memset to zero only when --cycles is used. This leads to wildly different results with or without --cycles, since all sources pages are likely to be mapped to the same zero page without explicit writes. Before this fix: $ export cmd="./perf stat -e LLC-loads -- ./perf bench \ mem memcpy -s 1024MB -l 100 -f default" $ $cmd 2,935,826 LLC-loads 3.821677452 seconds time elapsed $ $cmd --cycles 217,533,436 LLC-loads 8.616725985 seconds time elapsed After this fix: $ $cmd 214,459,686 LLC-loads 8.674301124 seconds time elapsed $ $cmd --cycles 214,758,651 LLC-loads 8.644480006 seconds time elapsed Fixes: 47b5757bac03c338 ("perf bench mem: Move boilerplate memory allocation to the infrastructure") Signed-off-by: Vincent Whitchurch Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: kernel@axis.com Link: http://lore.kernel.org/lkml/20200810133404.30829-1-vincent.whitchurch@axis.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin --- tools/perf/bench/mem-functions.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/tools/perf/bench/mem-functions.c b/tools/perf/bench/mem-functions.c index 0251dd348124..4864fc67d01b 100644 --- a/tools/perf/bench/mem-functions.c +++ b/tools/perf/bench/mem-functions.c @@ -222,12 +222,8 @@ static int bench_mem_common(int argc, const char **argv, struct bench_mem_info * return 0; } -static u64 do_memcpy_cycles(const struct function *r, size_t size, void *src, void *dst) +static void memcpy_prefault(memcpy_t fn, size_t size, void *src, void *dst) { - u64 cycle_start = 0ULL, cycle_end = 0ULL; - memcpy_t fn = r->fn.memcpy; - int i; - /* Make sure to always prefault zero pages even if MMAP_THRESH is crossed: */ memset(src, 0, size); @@ -236,6 +232,15 @@ static u64 do_memcpy_cycles(const struct function *r, size_t size, void *src, vo * to not measure page fault overhead: */ fn(dst, src, size); +} + +static u64 do_memcpy_cycles(const struct function *r, size_t size, void *src, void *dst) +{ + u64 cycle_start = 0ULL, cycle_end = 0ULL; + memcpy_t fn = r->fn.memcpy; + int i; + + memcpy_prefault(fn, size, src, dst); cycle_start = get_cycles(); for (i = 0; i < nr_loops; ++i) @@ -251,11 +256,7 @@ static double do_memcpy_gettimeofday(const struct function *r, size_t size, void memcpy_t fn = r->fn.memcpy; int i; - /* - * We prefault the freshly allocated memory range here, - * to not measure page fault overhead: - */ - fn(dst, src, size); + memcpy_prefault(fn, size, src, dst); BUG_ON(gettimeofday(&tv_start, NULL)); for (i = 0; i < nr_loops; ++i) From 364c02263a1831075c967e9245165243a82ba851 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20D=C3=ADaz?= Date: Wed, 12 Aug 2020 17:15:17 -0500 Subject: [PATCH 375/386] tools build feature: Quote CC and CXX for their arguments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit fa5c893181ed2ca2f96552f50073786d2cfce6c0 ] When using a cross-compilation environment, such as OpenEmbedded, the CC an CXX variables are set to something more than just a command: there are arguments (such as --sysroot) that need to be passed on to the compiler so that the right set of headers and libraries are used. For the particular case that our systems detected, CC is set to the following: export CC="aarch64-linaro-linux-gcc --sysroot=/oe/build/tmp/work/machine/perf/1.0-r9/recipe-sysroot" Without quotes, detection is as follows: Auto-detecting system features: ... dwarf: [ OFF ] ... dwarf_getlocations: [ OFF ] ... glibc: [ OFF ] ... gtk2: [ OFF ] ... libbfd: [ OFF ] ... libcap: [ OFF ] ... libelf: [ OFF ] ... libnuma: [ OFF ] ... numa_num_possible_cpus: [ OFF ] ... libperl: [ OFF ] ... libpython: [ OFF ] ... libcrypto: [ OFF ] ... libunwind: [ OFF ] ... libdw-dwarf-unwind: [ OFF ] ... zlib: [ OFF ] ... lzma: [ OFF ] ... get_cpuid: [ OFF ] ... bpf: [ OFF ] ... libaio: [ OFF ] ... libzstd: [ OFF ] ... disassembler-four-args: [ OFF ] Makefile.config:414: *** No gnu/libc-version.h found, please install glibc-dev[el]. Stop. Makefile.perf:230: recipe for target 'sub-make' failed make[1]: *** [sub-make] Error 2 Makefile:69: recipe for target 'all' failed make: *** [all] Error 2 With CC and CXX quoted, some of those features are now detected. Fixes: e3232c2f39ac ("tools build feature: Use CC and CXX from parent") Signed-off-by: Daniel Díaz Reviewed-by: Thomas Hebb Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Daniel Borkmann Cc: Jiri Olsa Cc: John Fastabend Cc: KP Singh Cc: Martin KaFai Lau Cc: Namhyung Kim Cc: Song Liu Cc: Stephane Eranian Cc: Yonghong Song Link: http://lore.kernel.org/lkml/20200812221518.2869003-1-daniel.diaz@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin --- tools/build/Makefile.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/build/Makefile.feature b/tools/build/Makefile.feature index a2389f0c0b1c..79427b09590c 100644 --- a/tools/build/Makefile.feature +++ b/tools/build/Makefile.feature @@ -7,7 +7,7 @@ endif feature_check = $(eval $(feature_check_code)) define feature_check_code - feature-$(1) := $(shell $(MAKE) OUTPUT=$(OUTPUT_FEATURES) CC=$(CC) CXX=$(CXX) CFLAGS="$(EXTRA_CFLAGS) $(FEATURE_CHECK_CFLAGS-$(1))" CXXFLAGS="$(EXTRA_CXXFLAGS) $(FEATURE_CHECK_CXXFLAGS-$(1))" LDFLAGS="$(LDFLAGS) $(FEATURE_CHECK_LDFLAGS-$(1))" -C $(feature_dir) $(OUTPUT_FEATURES)test-$1.bin >/dev/null 2>/dev/null && echo 1 || echo 0) + feature-$(1) := $(shell $(MAKE) OUTPUT=$(OUTPUT_FEATURES) CC="$(CC)" CXX="$(CXX)" CFLAGS="$(EXTRA_CFLAGS) $(FEATURE_CHECK_CFLAGS-$(1))" CXXFLAGS="$(EXTRA_CXXFLAGS) $(FEATURE_CHECK_CXXFLAGS-$(1))" LDFLAGS="$(LDFLAGS) $(FEATURE_CHECK_LDFLAGS-$(1))" -C $(feature_dir) $(OUTPUT_FEATURES)test-$1.bin >/dev/null 2>/dev/null && echo 1 || echo 0) endef feature_set = $(eval $(feature_set_code)) From 22c900e6ffa62b5ae3679a9853e9690f32676e34 Mon Sep 17 00:00:00 2001 From: Geert Uytterhoeven Date: Fri, 14 Aug 2020 14:42:45 +0200 Subject: [PATCH 376/386] sh: landisk: Add missing initialization of sh_io_port_base [ Upstream commit 0c64a0dce51faa9c706fdf1f957d6f19878f4b81 ] The Landisk setup code maps the CF IDE area using ioremap_prot(), and passes the resulting virtual addresses to the pata_platform driver, disguising them as I/O port addresses. Hence the pata_platform driver translates them again using ioport_map(). As CONFIG_GENERIC_IOMAP=n, and CONFIG_HAS_IOPORT_MAP=y, the SuperH-specific mapping code in arch/sh/kernel/ioport.c translates I/O port addresses to virtual addresses by adding sh_io_port_base, which defaults to -1, thus breaking the assumption of an identity mapping. Fix this by setting sh_io_port_base to zero. Fixes: 37b7a97884ba64bf ("sh: machvec IO death.") Signed-off-by: Geert Uytterhoeven Signed-off-by: Rich Felker Signed-off-by: Sasha Levin --- arch/sh/boards/mach-landisk/setup.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/sh/boards/mach-landisk/setup.c b/arch/sh/boards/mach-landisk/setup.c index f1147caebacf..af69fb7fef7c 100644 --- a/arch/sh/boards/mach-landisk/setup.c +++ b/arch/sh/boards/mach-landisk/setup.c @@ -85,6 +85,9 @@ device_initcall(landisk_devices_setup); static void __init landisk_setup(char **cmdline_p) { + /* I/O port identity mapping */ + __set_io_port_base(0); + /* LED ON */ __raw_writeb(__raw_readb(PA_LED) | 0x03, PA_LED); From 463af34829c9d1bd25a82210c502a3009807d9fb Mon Sep 17 00:00:00 2001 From: Hugh Dickins Date: Thu, 6 Aug 2020 23:26:22 -0700 Subject: [PATCH 377/386] khugepaged: retract_page_tables() remember to test exit commit 18e77600f7a1ed69f8ce46c9e11cad0985712dfa upstream. Only once have I seen this scenario (and forgot even to notice what forced the eventual crash): a sequence of "BUG: Bad page map" alerts from vm_normal_page(), from zap_pte_range() servicing exit_mmap(); pmd:00000000, pte values corresponding to data in physical page 0. The pte mappings being zapped in this case were supposed to be from a huge page of ext4 text (but could as well have been shmem): my belief is that it was racing with collapse_file()'s retract_page_tables(), found *pmd pointing to a page table, locked it, but *pmd had become 0 by the time start_pte was decided. In most cases, that possibility is excluded by holding mmap lock; but exit_mmap() proceeds without mmap lock. Most of what's run by khugepaged checks khugepaged_test_exit() after acquiring mmap lock: khugepaged_collapse_pte_mapped_thps() and hugepage_vma_revalidate() do so, for example. But retract_page_tables() did not: fix that. The fix is for retract_page_tables() to check khugepaged_test_exit(), after acquiring mmap lock, before doing anything to the page table. Getting the mmap lock serializes with __mmput(), which briefly takes and drops it in __khugepaged_exit(); then the khugepaged_test_exit() check on mm_users makes sure we don't touch the page table once exit_mmap() might reach it, since exit_mmap() will be proceeding without mmap lock, not expecting anyone to be racing with it. Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages") Signed-off-by: Hugh Dickins Signed-off-by: Andrew Morton Acked-by: Kirill A. Shutemov Cc: Andrea Arcangeli Cc: Mike Kravetz Cc: Song Liu Cc: [4.8+] Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021215400.27773@eggly.anvils Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- mm/khugepaged.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/mm/khugepaged.c b/mm/khugepaged.c index acf66c5dc9bd..04b4c38d0c18 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -1252,6 +1252,7 @@ static void collect_mm_slot(struct mm_slot *mm_slot) static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) { struct vm_area_struct *vma; + struct mm_struct *mm; unsigned long addr; pmd_t *pmd, _pmd; @@ -1265,7 +1266,8 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) continue; if (vma->vm_end < addr + HPAGE_PMD_SIZE) continue; - pmd = mm_find_pmd(vma->vm_mm, addr); + mm = vma->vm_mm; + pmd = mm_find_pmd(mm, addr); if (!pmd) continue; /* @@ -1274,14 +1276,16 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) * re-fault. Not ideal, but it's more important to not disturb * the system too much. */ - if (down_write_trylock(&vma->vm_mm->mmap_sem)) { - spinlock_t *ptl = pmd_lock(vma->vm_mm, pmd); - /* assume page table is clear */ - _pmd = pmdp_collapse_flush(vma, addr, pmd); - spin_unlock(ptl); - up_write(&vma->vm_mm->mmap_sem); - atomic_long_dec(&vma->vm_mm->nr_ptes); - pte_free(vma->vm_mm, pmd_pgtable(_pmd)); + if (down_write_trylock(&mm->mmap_sem)) { + if (!khugepaged_test_exit(mm)) { + spinlock_t *ptl = pmd_lock(mm, pmd); + /* assume page table is clear */ + _pmd = pmdp_collapse_flush(vma, addr, pmd); + spin_unlock(ptl); + atomic_long_dec(&mm->nr_ptes); + pte_free(mm, pmd_pgtable(_pmd)); + } + up_write(&mm->mmap_sem); } } i_mmap_unlock_write(mapping); From da54edbe563866eb2bd57a12bc8f76ddc88fc369 Mon Sep 17 00:00:00 2001 From: Thomas Gleixner Date: Fri, 17 Jul 2020 18:00:02 +0200 Subject: [PATCH 378/386] genirq/affinity: Handle affinity setting on inactive interrupts correctly commit baedb87d1b53532f81b4bd0387f83b05d4f7eb9a upstream. Setting interrupt affinity on inactive interrupts is inconsistent when hierarchical irq domains are enabled. The core code should just store the affinity and not call into the irq chip driver for inactive interrupts because the chip drivers may not be in a state to handle such requests. X86 has a hacky workaround for that but all other irq chips have not which causes problems e.g. on GIC V3 ITS. Instead of adding more ugly hacks all over the place, solve the problem in the core code. If the affinity is set on an inactive interrupt then: - Store it in the irq descriptors affinity mask - Update the effective affinity to reflect that so user space has a consistent view - Don't call into the irq chip driver This is the core equivalent of the X86 workaround and works correctly because the affinity setting is established in the irq chip when the interrupt is activated later on. Note, that this is only effective when hierarchical irq domains are enabled by the architecture. Doing it unconditionally would break legacy irq chip implementations. For hierarchial irq domains this works correctly as none of the drivers can have a dependency on affinity setting in inactive state by design. Remove the X86 workaround as it is not longer required. Fixes: 02edee152d6e ("x86/apic/vector: Ignore set_affinity call for inactive interrupts") Reported-by: Ali Saidi Signed-off-by: Thomas Gleixner Tested-by: Ali Saidi Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200529015501.15771-1-alisaidi@amazon.com Link: https://lkml.kernel.org/r/877dv2rv25.fsf@nanos.tec.linutronix.de [fllinden@amazon.com - 4.14 never had the x86 workaround, so skip x86 changes] Signed-off-by: Frank van der Linden Signed-off-by: Greg Kroah-Hartman --- kernel/irq/manage.c | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c index 5277949e82e0..ce6fba446814 100644 --- a/kernel/irq/manage.c +++ b/kernel/irq/manage.c @@ -168,9 +168,9 @@ void irq_set_thread_affinity(struct irq_desc *desc) set_bit(IRQTF_AFFINITY, &action->thread_flags); } +#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK static void irq_validate_effective_affinity(struct irq_data *data) { -#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK const struct cpumask *m = irq_data_get_effective_affinity_mask(data); struct irq_chip *chip = irq_data_get_irq_chip(data); @@ -178,9 +178,19 @@ static void irq_validate_effective_affinity(struct irq_data *data) return; pr_warn_once("irq_chip %s did not update eff. affinity mask of irq %u\n", chip->name, data->irq); -#endif } +static inline void irq_init_effective_affinity(struct irq_data *data, + const struct cpumask *mask) +{ + cpumask_copy(irq_data_get_effective_affinity_mask(data), mask); +} +#else +static inline void irq_validate_effective_affinity(struct irq_data *data) { } +static inline void irq_init_effective_affinity(struct irq_data *data, + const struct cpumask *mask) { } +#endif + int irq_do_set_affinity(struct irq_data *data, const struct cpumask *mask, bool force) { @@ -205,6 +215,26 @@ int irq_do_set_affinity(struct irq_data *data, const struct cpumask *mask, return ret; } +static bool irq_set_affinity_deactivated(struct irq_data *data, + const struct cpumask *mask, bool force) +{ + struct irq_desc *desc = irq_data_to_desc(data); + + /* + * If the interrupt is not yet activated, just store the affinity + * mask and do not call the chip driver at all. On activation the + * driver has to make sure anyway that the interrupt is in a + * useable state so startup works. + */ + if (!IS_ENABLED(CONFIG_IRQ_DOMAIN_HIERARCHY) || irqd_is_activated(data)) + return false; + + cpumask_copy(desc->irq_common_data.affinity, mask); + irq_init_effective_affinity(data, mask); + irqd_set(data, IRQD_AFFINITY_SET); + return true; +} + int irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask, bool force) { @@ -215,6 +245,9 @@ int irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask, if (!chip || !chip->irq_set_affinity) return -EINVAL; + if (irq_set_affinity_deactivated(data, mask, force)) + return 0; + if (irq_can_move_pcntxt(data)) { ret = irq_do_set_affinity(data, mask, force); } else { From 6a7a29935d98567331ae26b183422e22f4d0ae90 Mon Sep 17 00:00:00 2001 From: Thomas Gleixner Date: Fri, 24 Jul 2020 22:44:41 +0200 Subject: [PATCH 379/386] genirq/affinity: Make affinity setting if activated opt-in commit f0c7baca180046824e07fc5f1326e83a8fd150c7 upstream. John reported that on a RK3288 system the perf per CPU interrupts are all affine to CPU0 and provided the analysis: "It looks like what happens is that because the interrupts are not per-CPU in the hardware, armpmu_request_irq() calls irq_force_affinity() while the interrupt is deactivated and then request_irq() with IRQF_PERCPU | IRQF_NOBALANCING. Now when irq_startup() runs with IRQ_STARTUP_NORMAL, it calls irq_setup_affinity() which returns early because IRQF_PERCPU and IRQF_NOBALANCING are set, leaving the interrupt on its original CPU." This was broken by the recent commit which blocked interrupt affinity setting in hardware before activation of the interrupt. While this works in general, it does not work for this particular case. As contrary to the initial analysis not all interrupt chip drivers implement an activate callback, the safe cure is to make the deferred interrupt affinity setting at activation time opt-in. Implement the necessary core logic and make the two irqchip implementations for which this is required opt-in. In hindsight this would have been the right thing to do, but ... Fixes: baedb87d1b53 ("genirq/affinity: Handle affinity setting on inactive interrupts correctly") Reported-by: John Keeping Signed-off-by: Thomas Gleixner Tested-by: Marc Zyngier Acked-by: Marc Zyngier Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/87blk4tzgm.fsf@nanos.tec.linutronix.de [fllinden@amazon.com - backported to 4.14] Signed-off-by: Frank van der Linden Signed-off-by: Greg Kroah-Hartman --- arch/x86/kernel/apic/vector.c | 4 ++++ drivers/irqchip/irq-gic-v3-its.c | 5 ++++- include/linux/irq.h | 12 ++++++++++++ kernel/irq/manage.c | 6 +++++- 4 files changed, 25 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c index 36cd34524ac1..637cf4dfccc9 100644 --- a/arch/x86/kernel/apic/vector.c +++ b/arch/x86/kernel/apic/vector.c @@ -368,6 +368,10 @@ static int x86_vector_alloc_irqs(struct irq_domain *domain, unsigned int virq, irq_data->chip = &lapic_controller; irq_data->chip_data = data; irq_data->hwirq = virq + i; + + /* Don't invoke affinity setter on deactivated interrupts */ + irqd_set_affinity_on_activate(irq_data); + err = assign_irq_vector_policy(virq + i, node, data, info, irq_data); if (err) { diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c index 84b23d902d5b..1d2267c6d31a 100644 --- a/drivers/irqchip/irq-gic-v3-its.c +++ b/drivers/irqchip/irq-gic-v3-its.c @@ -2199,6 +2199,7 @@ static int its_irq_domain_alloc(struct irq_domain *domain, unsigned int virq, { msi_alloc_info_t *info = args; struct its_device *its_dev = info->scratchpad[0].ptr; + struct irq_data *irqd; irq_hw_number_t hwirq; int err; int i; @@ -2214,7 +2215,9 @@ static int its_irq_domain_alloc(struct irq_domain *domain, unsigned int virq, irq_domain_set_hwirq_and_chip(domain, virq + i, hwirq + i, &its_irq_chip, its_dev); - irqd_set_single_target(irq_desc_get_irq_data(irq_to_desc(virq + i))); + irqd = irq_get_irq_data(virq + i); + irqd_set_single_target(irqd); + irqd_set_affinity_on_activate(irqd); pr_debug("ID:%d pID:%d vID:%d\n", (int)(hwirq + i - its_dev->event_map.lpi_base), (int)(hwirq + i), virq + i); diff --git a/include/linux/irq.h b/include/linux/irq.h index 0d53626405bf..c08758a63d26 100644 --- a/include/linux/irq.h +++ b/include/linux/irq.h @@ -212,6 +212,8 @@ struct irq_data { * mask. Applies only to affinity managed irqs. * IRQD_SINGLE_TARGET - IRQ allows only a single affinity target * IRQD_DEFAULT_TRIGGER_SET - Expected trigger already been set + * IRQD_AFFINITY_ON_ACTIVATE - Affinity is set on activation. Don't call + * irq_chip::irq_set_affinity() when deactivated. */ enum { IRQD_TRIGGER_MASK = 0xf, @@ -233,6 +235,7 @@ enum { IRQD_MANAGED_SHUTDOWN = (1 << 23), IRQD_SINGLE_TARGET = (1 << 24), IRQD_DEFAULT_TRIGGER_SET = (1 << 25), + IRQD_AFFINITY_ON_ACTIVATE = (1 << 29), }; #define __irqd_to_state(d) ACCESS_PRIVATE((d)->common, state_use_accessors) @@ -377,6 +380,15 @@ static inline bool irqd_is_managed_and_shutdown(struct irq_data *d) return __irqd_to_state(d) & IRQD_MANAGED_SHUTDOWN; } +static inline void irqd_set_affinity_on_activate(struct irq_data *d) +{ + __irqd_to_state(d) |= IRQD_AFFINITY_ON_ACTIVATE; +} + +static inline bool irqd_affinity_on_activate(struct irq_data *d) +{ + return __irqd_to_state(d) & IRQD_AFFINITY_ON_ACTIVATE; +} #undef __irqd_to_state static inline irq_hw_number_t irqd_to_hwirq(struct irq_data *d) diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c index ce6fba446814..3193be58805c 100644 --- a/kernel/irq/manage.c +++ b/kernel/irq/manage.c @@ -221,12 +221,16 @@ static bool irq_set_affinity_deactivated(struct irq_data *data, struct irq_desc *desc = irq_data_to_desc(data); /* + * Handle irq chips which can handle affinity only in activated + * state correctly + * * If the interrupt is not yet activated, just store the affinity * mask and do not call the chip driver at all. On activation the * driver has to make sure anyway that the interrupt is in a * useable state so startup works. */ - if (!IS_ENABLED(CONFIG_IRQ_DOMAIN_HIERARCHY) || irqd_is_activated(data)) + if (!IS_ENABLED(CONFIG_IRQ_DOMAIN_HIERARCHY) || + irqd_is_activated(data) || !irqd_affinity_on_activate(data)) return false; cpumask_copy(desc->irq_common_data.affinity, mask); From 755b4e83e11cfc530e426e1f717e97dc8af31d3d Mon Sep 17 00:00:00 2001 From: Mike Snitzer Date: Thu, 19 Oct 2017 21:01:04 -0400 Subject: [PATCH 380/386] dm cache: pass cache structure to mode functions commit 8e3c3827776fc93728c0c8d7c7b731226dc6ee23 upstream. No functional changes, just a bit cleaner than passing cache_features structure. Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman --- drivers/md/dm-cache-target.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c index 69cdb29ef6be..36b43a484e56 100644 --- a/drivers/md/dm-cache-target.c +++ b/drivers/md/dm-cache-target.c @@ -515,19 +515,19 @@ struct dm_cache_migration { /*----------------------------------------------------------------*/ -static bool writethrough_mode(struct cache_features *f) +static bool writethrough_mode(struct cache *cache) { - return f->io_mode == CM_IO_WRITETHROUGH; + return cache->features.io_mode == CM_IO_WRITETHROUGH; } -static bool writeback_mode(struct cache_features *f) +static bool writeback_mode(struct cache *cache) { - return f->io_mode == CM_IO_WRITEBACK; + return cache->features.io_mode == CM_IO_WRITEBACK; } -static inline bool passthrough_mode(struct cache_features *f) +static inline bool passthrough_mode(struct cache *cache) { - return unlikely(f->io_mode == CM_IO_PASSTHROUGH); + return unlikely(cache->features.io_mode == CM_IO_PASSTHROUGH); } /*----------------------------------------------------------------*/ @@ -544,7 +544,7 @@ static void wake_deferred_writethrough_worker(struct cache *cache) static void wake_migration_worker(struct cache *cache) { - if (passthrough_mode(&cache->features)) + if (passthrough_mode(cache)) return; queue_work(cache->wq, &cache->migration_worker); @@ -626,7 +626,7 @@ static unsigned lock_level(struct bio *bio) static size_t get_per_bio_data_size(struct cache *cache) { - return writethrough_mode(&cache->features) ? PB_DATA_SIZE_WT : PB_DATA_SIZE_WB; + return writethrough_mode(cache) ? PB_DATA_SIZE_WT : PB_DATA_SIZE_WB; } static struct per_bio_data *get_per_bio_data(struct bio *bio, size_t data_size) @@ -1209,7 +1209,7 @@ static bool bio_writes_complete_block(struct cache *cache, struct bio *bio) static bool optimisable_bio(struct cache *cache, struct bio *bio, dm_oblock_t block) { - return writeback_mode(&cache->features) && + return writeback_mode(cache) && (is_discarded_oblock(cache, block) || bio_writes_complete_block(cache, bio)); } @@ -1862,7 +1862,7 @@ static int map_bio(struct cache *cache, struct bio *bio, dm_oblock_t block, * Passthrough always maps to the origin, invalidating any * cache blocks that are written to. */ - if (passthrough_mode(&cache->features)) { + if (passthrough_mode(cache)) { if (bio_data_dir(bio) == WRITE) { bio_drop_shared_lock(cache, bio); atomic_inc(&cache->stats.demotion); @@ -1871,7 +1871,7 @@ static int map_bio(struct cache *cache, struct bio *bio, dm_oblock_t block, remap_to_origin_clear_discard(cache, bio, block); } else { - if (bio_data_dir(bio) == WRITE && writethrough_mode(&cache->features) && + if (bio_data_dir(bio) == WRITE && writethrough_mode(cache) && !is_dirty(cache, cblock)) { remap_to_origin_then_cache(cache, bio, block, cblock); accounted_begin(cache, bio); @@ -2649,7 +2649,7 @@ static int cache_create(struct cache_args *ca, struct cache **result) goto bad; } - if (passthrough_mode(&cache->features)) { + if (passthrough_mode(cache)) { bool all_clean; r = dm_cache_metadata_all_clean(cache->cmd, &all_clean); @@ -3279,13 +3279,13 @@ static void cache_status(struct dm_target *ti, status_type_t type, else DMEMIT("1 "); - if (writethrough_mode(&cache->features)) + if (writethrough_mode(cache)) DMEMIT("writethrough "); - else if (passthrough_mode(&cache->features)) + else if (passthrough_mode(cache)) DMEMIT("passthrough "); - else if (writeback_mode(&cache->features)) + else if (writeback_mode(cache)) DMEMIT("writeback "); else { @@ -3451,7 +3451,7 @@ static int process_invalidate_cblocks_message(struct cache *cache, unsigned coun unsigned i; struct cblock_range range; - if (!passthrough_mode(&cache->features)) { + if (!passthrough_mode(cache)) { DMERR("%s: cache has to be in passthrough mode for invalidation", cache_device_name(cache)); return -EPERM; From 8036335f8f4feddcdc118c4442e6e7af9c8116d8 Mon Sep 17 00:00:00 2001 From: Mike Snitzer Date: Thu, 19 Oct 2017 17:16:54 -0400 Subject: [PATCH 381/386] dm cache: submit writethrough writes in parallel to origin and cache commit 2df3bae9a6543e90042291707b8db0cbfbae9ee9 upstream. Discontinue issuing writethrough write IO in series to the origin and then cache. Use bio_clone_fast() to create a new origin clone bio that will be mapped to the origin device and then bio_chain() it to the bio that gets remapped to the cache device. The origin clone bio does _not_ have a copy of the per_bio_data -- as such check_if_tick_bio_needed() will not be called. The cache bio (parent bio) will not complete until the origin bio has completed -- this fulfills bio_clone_fast()'s requirements as well as the requirement to not complete the original IO until the write IO has completed to both the origin and cache device. Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman --- drivers/md/dm-cache-target.c | 54 ++++++++++++++++++++++++------------ 1 file changed, 37 insertions(+), 17 deletions(-) diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c index 36b43a484e56..2b107b579c2a 100644 --- a/drivers/md/dm-cache-target.c +++ b/drivers/md/dm-cache-target.c @@ -450,6 +450,7 @@ struct cache { struct work_struct migration_worker; struct delayed_work waker; struct dm_bio_prison_v2 *prison; + struct bio_set *bs; mempool_t *migration_pool; @@ -868,16 +869,23 @@ static void check_if_tick_bio_needed(struct cache *cache, struct bio *bio) spin_unlock_irqrestore(&cache->lock, flags); } -static void remap_to_origin_clear_discard(struct cache *cache, struct bio *bio, - dm_oblock_t oblock) +static void __remap_to_origin_clear_discard(struct cache *cache, struct bio *bio, + dm_oblock_t oblock, bool bio_has_pbd) { - // FIXME: this is called way too much. - check_if_tick_bio_needed(cache, bio); + if (bio_has_pbd) + check_if_tick_bio_needed(cache, bio); remap_to_origin(cache, bio); if (bio_data_dir(bio) == WRITE) clear_discard(cache, oblock_to_dblock(cache, oblock)); } +static void remap_to_origin_clear_discard(struct cache *cache, struct bio *bio, + dm_oblock_t oblock) +{ + // FIXME: check_if_tick_bio_needed() is called way too much through this interface + __remap_to_origin_clear_discard(cache, bio, oblock, true); +} + static void remap_to_cache_dirty(struct cache *cache, struct bio *bio, dm_oblock_t oblock, dm_cblock_t cblock) { @@ -971,23 +979,25 @@ static void writethrough_endio(struct bio *bio) } /* - * FIXME: send in parallel, huge latency as is. * When running in writethrough mode we need to send writes to clean blocks - * to both the cache and origin devices. In future we'd like to clone the - * bio and send them in parallel, but for now we're doing them in - * series as this is easier. + * to both the cache and origin devices. Clone the bio and send them in parallel. */ -static void remap_to_origin_then_cache(struct cache *cache, struct bio *bio, - dm_oblock_t oblock, dm_cblock_t cblock) +static void remap_to_origin_and_cache(struct cache *cache, struct bio *bio, + dm_oblock_t oblock, dm_cblock_t cblock) { - struct per_bio_data *pb = get_per_bio_data(bio, PB_DATA_SIZE_WT); + struct bio *origin_bio = bio_clone_fast(bio, GFP_NOIO, cache->bs); - pb->cache = cache; - pb->cblock = cblock; - dm_hook_bio(&pb->hook_info, bio, writethrough_endio, NULL); - dm_bio_record(&pb->bio_details, bio); + BUG_ON(!origin_bio); - remap_to_origin_clear_discard(pb->cache, bio, oblock); + bio_chain(origin_bio, bio); + /* + * Passing false to __remap_to_origin_clear_discard() skips + * all code that might use per_bio_data (since clone doesn't have it) + */ + __remap_to_origin_clear_discard(cache, origin_bio, oblock, false); + submit_bio(origin_bio); + + remap_to_cache(cache, bio, cblock); } /*---------------------------------------------------------------- @@ -1873,7 +1883,7 @@ static int map_bio(struct cache *cache, struct bio *bio, dm_oblock_t block, } else { if (bio_data_dir(bio) == WRITE && writethrough_mode(cache) && !is_dirty(cache, cblock)) { - remap_to_origin_then_cache(cache, bio, block, cblock); + remap_to_origin_and_cache(cache, bio, block, cblock); accounted_begin(cache, bio); } else remap_to_cache_dirty(cache, bio, block, cblock); @@ -2132,6 +2142,9 @@ static void destroy(struct cache *cache) kfree(cache->ctr_args[i]); kfree(cache->ctr_args); + if (cache->bs) + bioset_free(cache->bs); + kfree(cache); } @@ -2589,6 +2602,13 @@ static int cache_create(struct cache_args *ca, struct cache **result) cache->features = ca->features; ti->per_io_data_size = get_per_bio_data_size(cache); + if (writethrough_mode(cache)) { + /* Create bioset for writethrough bios issued to origin */ + cache->bs = bioset_create(BIO_POOL_SIZE, 0, 0); + if (!cache->bs) + goto bad; + } + cache->callbacks.congested_fn = cache_is_congested; dm_table_add_target_callbacks(ti->table, &cache->callbacks); From b61727de55249d2754a93f4ea617ade1e329b22a Mon Sep 17 00:00:00 2001 From: Mike Snitzer Date: Thu, 19 Oct 2017 17:30:20 -0400 Subject: [PATCH 382/386] dm cache: remove all obsolete writethrough-specific code commit 9958f1d9a04efb3db19134482b3f4c6897e0e7b8 upstream. Now that the writethrough code is much simpler there is no need to track so much state or cascade bio submission (as was done, via writethrough_endio(), to issue origin then cache IO in series). As such the obsolete writethrough list and workqueue is also removed. Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman --- drivers/md/dm-cache-target.c | 82 +----------------------------------- 1 file changed, 1 insertion(+), 81 deletions(-) diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c index 2b107b579c2a..280873b13e74 100644 --- a/drivers/md/dm-cache-target.c +++ b/drivers/md/dm-cache-target.c @@ -410,7 +410,6 @@ struct cache { spinlock_t lock; struct list_head deferred_cells; struct bio_list deferred_bios; - struct bio_list deferred_writethrough_bios; sector_t migration_threshold; wait_queue_head_t migration_wait; atomic_t nr_allocated_migrations; @@ -446,7 +445,6 @@ struct cache { struct dm_kcopyd_client *copier; struct workqueue_struct *wq; struct work_struct deferred_bio_worker; - struct work_struct deferred_writethrough_worker; struct work_struct migration_worker; struct delayed_work waker; struct dm_bio_prison_v2 *prison; @@ -491,15 +489,6 @@ struct per_bio_data { struct dm_bio_prison_cell_v2 *cell; struct dm_hook_info hook_info; sector_t len; - - /* - * writethrough fields. These MUST remain at the end of this - * structure and the 'cache' member must be the first as it - * is used to determine the offset of the writethrough fields. - */ - struct cache *cache; - dm_cblock_t cblock; - struct dm_bio_details bio_details; }; struct dm_cache_migration { @@ -538,11 +527,6 @@ static void wake_deferred_bio_worker(struct cache *cache) queue_work(cache->wq, &cache->deferred_bio_worker); } -static void wake_deferred_writethrough_worker(struct cache *cache) -{ - queue_work(cache->wq, &cache->deferred_writethrough_worker); -} - static void wake_migration_worker(struct cache *cache) { if (passthrough_mode(cache)) @@ -619,15 +603,9 @@ static unsigned lock_level(struct bio *bio) * Per bio data *--------------------------------------------------------------*/ -/* - * If using writeback, leave out struct per_bio_data's writethrough fields. - */ -#define PB_DATA_SIZE_WB (offsetof(struct per_bio_data, cache)) -#define PB_DATA_SIZE_WT (sizeof(struct per_bio_data)) - static size_t get_per_bio_data_size(struct cache *cache) { - return writethrough_mode(cache) ? PB_DATA_SIZE_WT : PB_DATA_SIZE_WB; + return sizeof(struct per_bio_data); } static struct per_bio_data *get_per_bio_data(struct bio *bio, size_t data_size) @@ -945,39 +923,6 @@ static void issue_op(struct bio *bio, void *context) accounted_request(cache, bio); } -static void defer_writethrough_bio(struct cache *cache, struct bio *bio) -{ - unsigned long flags; - - spin_lock_irqsave(&cache->lock, flags); - bio_list_add(&cache->deferred_writethrough_bios, bio); - spin_unlock_irqrestore(&cache->lock, flags); - - wake_deferred_writethrough_worker(cache); -} - -static void writethrough_endio(struct bio *bio) -{ - struct per_bio_data *pb = get_per_bio_data(bio, PB_DATA_SIZE_WT); - - dm_unhook_bio(&pb->hook_info, bio); - - if (bio->bi_status) { - bio_endio(bio); - return; - } - - dm_bio_restore(&pb->bio_details, bio); - remap_to_cache(pb->cache, bio, pb->cblock); - - /* - * We can't issue this bio directly, since we're in interrupt - * context. So it gets put on a bio list for processing by the - * worker thread. - */ - defer_writethrough_bio(pb->cache, bio); -} - /* * When running in writethrough mode we need to send writes to clean blocks * to both the cache and origin devices. Clone the bio and send them in parallel. @@ -2013,28 +1958,6 @@ static void process_deferred_bios(struct work_struct *ws) schedule_commit(&cache->committer); } -static void process_deferred_writethrough_bios(struct work_struct *ws) -{ - struct cache *cache = container_of(ws, struct cache, deferred_writethrough_worker); - - unsigned long flags; - struct bio_list bios; - struct bio *bio; - - bio_list_init(&bios); - - spin_lock_irqsave(&cache->lock, flags); - bio_list_merge(&bios, &cache->deferred_writethrough_bios); - bio_list_init(&cache->deferred_writethrough_bios); - spin_unlock_irqrestore(&cache->lock, flags); - - /* - * These bios have already been through accounted_begin() - */ - while ((bio = bio_list_pop(&bios))) - generic_make_request(bio); -} - /*---------------------------------------------------------------- * Main worker loop *--------------------------------------------------------------*/ @@ -2690,7 +2613,6 @@ static int cache_create(struct cache_args *ca, struct cache **result) spin_lock_init(&cache->lock); INIT_LIST_HEAD(&cache->deferred_cells); bio_list_init(&cache->deferred_bios); - bio_list_init(&cache->deferred_writethrough_bios); atomic_set(&cache->nr_allocated_migrations, 0); atomic_set(&cache->nr_io_migrations, 0); init_waitqueue_head(&cache->migration_wait); @@ -2729,8 +2651,6 @@ static int cache_create(struct cache_args *ca, struct cache **result) goto bad; } INIT_WORK(&cache->deferred_bio_worker, process_deferred_bios); - INIT_WORK(&cache->deferred_writethrough_worker, - process_deferred_writethrough_bios); INIT_WORK(&cache->migration_worker, check_migrations); INIT_DELAYED_WORK(&cache->waker, do_waker); From 6a24ca2506d64598eac5d5219e99acca9bde4ca5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 21 Aug 2020 09:48:24 +0200 Subject: [PATCH 383/386] Linux 4.14.194 Tested-by: Jon Hunter Tested-by: Guenter Roeck Tested-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index b30927f29e2b..8e2a1418c5ae 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 VERSION = 4 PATCHLEVEL = 14 -SUBLEVEL = 193 +SUBLEVEL = 194 EXTRAVERSION = NAME = Petit Gorille From 7b50ce1d3fb15a737a4f7d7d19a33ee25d56810e Mon Sep 17 00:00:00 2001 From: UtsavBalar1231 Date: Fri, 21 Aug 2020 17:37:33 +0530 Subject: [PATCH 384/386] ARM64: dts: raphael: update from 20.7.16-release - there's also new stuff called qcom,cold-thermal-support and qcom,shutdown-delay-enable but no public code available Signed-off-by: UtsavBalar1231 --- arch/arm64/boot/dts/qcom/raphael-sm8150.dtsi | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/qcom/raphael-sm8150.dtsi b/arch/arm64/boot/dts/qcom/raphael-sm8150.dtsi index 1b63c10408f4..cd0a11582675 100644 --- a/arch/arm64/boot/dts/qcom/raphael-sm8150.dtsi +++ b/arch/arm64/boot/dts/qcom/raphael-sm8150.dtsi @@ -23,10 +23,11 @@ And public attribution of xiaomi platforms(like F1 and so and) &pm8150b_fg { qcom,battery-data = <&mtp_batterydata>; qcom,rapid-soc-dec-en; + qcom,soc-scale-mode-en; qcom,fg-sys-term-current = <(-300)>; qcom,fg-cutoff-voltage = <3400>; qcom,fg-cutoff-current = <200>; - qcom,fg-empty-voltage = <3100>; + qcom,fg-empty-voltage = <3000>; qcom,fg-batt-temp-delta = <6>; qcom,fg-force-load-profile; qcom,five-pin-battery; From 07e8148e44179231ca948d14ed2362f4777b7cdf Mon Sep 17 00:00:00 2001 From: UtsavBalar1231 Date: Fri, 21 Aug 2020 17:39:18 +0530 Subject: [PATCH 385/386] ARM64: dts: ea8076: update from 20.7.16-release Signed-off-by: UtsavBalar1231 --- .../dts/qcom/dsi-panel-ss-fhd-ea8076-cmd.dtsi | 29 +++++++++++++++---- .../dsi-panel-ss-fhd-ea8076-global-cmd.dtsi | 29 +++++++++++++++---- 2 files changed, 48 insertions(+), 10 deletions(-) diff --git a/arch/arm64/boot/dts/qcom/dsi-panel-ss-fhd-ea8076-cmd.dtsi b/arch/arm64/boot/dts/qcom/dsi-panel-ss-fhd-ea8076-cmd.dtsi index 37270d7e99a8..16e14b307205 100644 --- a/arch/arm64/boot/dts/qcom/dsi-panel-ss-fhd-ea8076-cmd.dtsi +++ b/arch/arm64/boot/dts/qcom/dsi-panel-ss-fhd-ea8076-cmd.dtsi @@ -83,19 +83,38 @@ 39 00 00 00 00 00 02 B0 07 39 00 00 00 00 00 02 B7 91 39 01 00 00 01 00 03 F0 A5 A5]; - qcom,mdss-dsi-dispparam-hbm-fod-off-command-state = "dsi_hs_mode"; + qcom,mdss-dsi-dispparam-hbm-fod-off-command-state = "dsi_lp_mode"; qcom,mdss-dsi-dispparam-hbm-fod-on-command = [ 39 00 00 00 00 00 03 F0 5A 5A 39 00 00 00 00 00 02 B0 03 39 00 00 00 00 00 02 B7 C9 39 00 00 00 00 00 02 B0 07 39 00 00 00 00 00 02 B7 91 - 39 00 00 00 00 00 03 F0 A5 A5 - 39 01 00 00 01 00 02 53 E0 - 39 00 00 00 00 00 03 F0 5A 5A 39 00 00 00 00 00 03 B7 01 43 + 39 00 00 00 00 00 03 F0 A5 A5 + 39 01 00 00 01 00 02 53 E0]; + qcom,mdss-dsi-dispparam-hbm-fod-on-command-state = "dsi_lp_mode"; + + qcom,mdss-dsi-dispparam-hbm-fod-off-doze-hbm-on-command = [ + 39 01 00 00 00 00 02 53 22 + 39 00 00 00 00 00 03 F0 5A 5A + 39 00 00 00 00 00 03 B7 01 4B + 39 00 00 00 00 00 02 B0 03 + 39 00 00 00 00 00 02 B7 49 + 39 00 00 00 00 00 02 B0 07 + 39 00 00 00 00 00 02 B7 91 39 01 00 00 01 00 03 F0 A5 A5]; - qcom,mdss-dsi-dispparam-hbm-fod-on-command-state = "dsi_hs_mode"; + qcom,mdss-dsi-dispparam-hbm-fod-off-doze-hbm-on-command-state = "dsi_lp_mode"; + qcom,mdss-dsi-dispparam-hbm-fod-off-doze-lbm-on-command = [ + 39 01 00 00 00 00 02 53 23 + 39 00 00 00 00 00 03 F0 5A 5A + 39 00 00 00 00 00 03 B7 01 4B + 39 00 00 00 00 00 02 B0 03 + 39 00 00 00 00 00 02 B7 49 + 39 00 00 00 00 00 02 B0 07 + 39 00 00 00 00 00 02 B7 91 + 39 01 00 00 01 00 03 F0 A5 A5]; + qcom,mdss-dsi-dispparam-hbm-fod-off-doze-lbm-on-command-state = "dsi_lp_mode"; qcom,mdss-dsi-display-timings { timing@0{ diff --git a/arch/arm64/boot/dts/qcom/dsi-panel-ss-fhd-ea8076-global-cmd.dtsi b/arch/arm64/boot/dts/qcom/dsi-panel-ss-fhd-ea8076-global-cmd.dtsi index 8013263c2fec..74d1c11d06e5 100644 --- a/arch/arm64/boot/dts/qcom/dsi-panel-ss-fhd-ea8076-global-cmd.dtsi +++ b/arch/arm64/boot/dts/qcom/dsi-panel-ss-fhd-ea8076-global-cmd.dtsi @@ -83,19 +83,38 @@ 39 00 00 00 00 00 02 B0 07 39 00 00 00 00 00 02 B7 91 39 01 00 00 01 00 03 F0 A5 A5]; - qcom,mdss-dsi-dispparam-hbm-fod-off-command-state = "dsi_hs_mode"; + qcom,mdss-dsi-dispparam-hbm-fod-off-command-state = "dsi_lp_mode"; qcom,mdss-dsi-dispparam-hbm-fod-on-command = [ 39 00 00 00 00 00 03 F0 5A 5A 39 00 00 00 00 00 02 B0 03 39 00 00 00 00 00 02 B7 C9 39 00 00 00 00 00 02 B0 07 39 00 00 00 00 00 02 B7 91 - 39 00 00 00 00 00 03 F0 A5 A5 - 39 01 00 00 01 00 02 53 E0 - 39 00 00 00 00 00 03 F0 5A 5A 39 00 00 00 00 00 03 B7 01 43 + 39 00 00 00 00 00 03 F0 A5 A5 + 39 01 00 00 01 00 02 53 E0]; + qcom,mdss-dsi-dispparam-hbm-fod-on-command-state = "dsi_lp_mode"; + + qcom,mdss-dsi-dispparam-hbm-fod-off-doze-hbm-on-command = [ + 39 01 00 00 00 00 02 53 22 + 39 00 00 00 00 00 03 F0 5A 5A + 39 00 00 00 00 00 03 B7 01 4B + 39 00 00 00 00 00 02 B0 03 + 39 00 00 00 00 00 02 B7 49 + 39 00 00 00 00 00 02 B0 07 + 39 00 00 00 00 00 02 B7 91 39 01 00 00 01 00 03 F0 A5 A5]; - qcom,mdss-dsi-dispparam-hbm-fod-on-command-state = "dsi_hs_mode"; + qcom,mdss-dsi-dispparam-hbm-fod-off-doze-hbm-on-command-state = "dsi_lp_mode"; + qcom,mdss-dsi-dispparam-hbm-fod-off-doze-lbm-on-command = [ + 39 01 00 00 00 00 02 53 23 + 39 00 00 00 00 00 03 F0 5A 5A + 39 00 00 00 00 00 03 B7 01 4B + 39 00 00 00 00 00 02 B0 03 + 39 00 00 00 00 00 02 B7 49 + 39 00 00 00 00 00 02 B0 07 + 39 00 00 00 00 00 02 B7 91 + 39 01 00 00 01 00 03 F0 A5 A5]; + qcom,mdss-dsi-dispparam-hbm-fod-off-doze-lbm-on-command-state = "dsi_lp_mode"; qcom,mdss-dsi-display-timings { timing@0{ From 8fe5a927175ce1b958ef6b2a1f0bb7913e417352 Mon Sep 17 00:00:00 2001 From: UtsavBalar1231 Date: Fri, 21 Aug 2020 18:00:40 +0530 Subject: [PATCH 386/386] drm: msm: add SET_DISP_HBM_FOD_OFF_DOZE_HBM/LBM_ON changes Signed-off-by: UtsavBalar1231 --- drivers/gpu/drm/msm/dsi-staging/dsi_defs.h | 2 ++ drivers/gpu/drm/msm/dsi-staging/dsi_panel.c | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/drivers/gpu/drm/msm/dsi-staging/dsi_defs.h b/drivers/gpu/drm/msm/dsi-staging/dsi_defs.h index c0f256c6da85..7a3018dc1e8a 100644 --- a/drivers/gpu/drm/msm/dsi-staging/dsi_defs.h +++ b/drivers/gpu/drm/msm/dsi-staging/dsi_defs.h @@ -324,6 +324,8 @@ enum dsi_cmd_set_type { DSI_CMD_SET_DISP_HBM_OFF, DSI_CMD_SET_DISP_HBM_FOD_ON, DSI_CMD_SET_DISP_HBM_FOD_OFF, + DSI_CMD_SET_DISP_HBM_FOD_OFF_DOZE_HBM_ON, + DSI_CMD_SET_DISP_HBM_FOD_OFF_DOZE_LBM_ON, DSI_CMD_SET_DISP_HBM_FOD2NORM, DSI_CMD_SET_DISP_OFF_MODE, DSI_CMD_SET_DISP_ON_MODE, diff --git a/drivers/gpu/drm/msm/dsi-staging/dsi_panel.c b/drivers/gpu/drm/msm/dsi-staging/dsi_panel.c index 4c516fe328a6..4423ca7ff981 100644 --- a/drivers/gpu/drm/msm/dsi-staging/dsi_panel.c +++ b/drivers/gpu/drm/msm/dsi-staging/dsi_panel.c @@ -1919,6 +1919,8 @@ const char *cmd_set_prop_map[DSI_CMD_SET_MAX] = { "qcom,mdss-dsi-dispparam-hbm-off-command", "qcom,mdss-dsi-dispparam-hbm-fod-on-command", "qcom,mdss-dsi-dispparam-hbm-fod-off-command", + "qcom,mdss-dsi-dispparam-hbm-fod-off-doze-hbm-on-command", + "qcom,mdss-dsi-dispparam-hbm-fod-off-doze-lbm-on-command", "qcom,mdss-dsi-dispparam-hbm-fod2norm-command", "qcom,mdss-dsi-displayoff-command", "qcom,mdss-dsi-displayon-command", @@ -1993,6 +1995,8 @@ const char *cmd_set_state_map[DSI_CMD_SET_MAX] = { "qcom,mdss-dsi-dispparam-hbm-off-command-state", "qcom,mdss-dsi-dispparam-hbm-fod-on-command-state", "qcom,mdss-dsi-dispparam-hbm-fod-off-command-state", + "qcom,mdss-dsi-dispparam-hbm-fod-off-doze-hbm-on-command", + "qcom,mdss-dsi-dispparam-hbm-fod-off-doze-lbm-on-command", "qcom,mdss-dsi-dispparam-hbm-fod2norm-command-state", "qcom,mdss-dsi-displayoff-command-state", "qcom,mdss-dsi-displayon-command-state",