Multitouch doesn't work with X #80

npeacock · 2012-09-21T18:53:31Z

This is related to a previous issue, but I have been using the ft5x driver on my A10 tablet. Basically to use the touch screen in Linux you have to disable multitouch. Also the driver did not honor the swap and invert settings in the .fex files once multitouch is disabled.

I have written a fix that adds a config option. I haven't done this before but I think you just need this to find the commit right? f0c9753483e965bce180dab4cbcc09705e35abc9

and followed with another commit because everyone was going to complain about the C++ style comments (that were already there) in the commit, so I cleared them out of the two files 7dda6ace3c371c742beeb0d2732277176b60b114

I should mention I found a handy function for fixing the comments, sed -i "s?//(.)?/\1 */?"

amery · 2012-09-21T19:12:29Z

why not making TOUCHSCREEN_FT5X_TS_MULTI depend on ANDROID then? ... about the cleanup, some of those should be #if 0 .. #endif

also, to start getting mainline-ish.... can you post this to linux-sunxi@googlegroups.com (https://groups.google.com/forum/#!forum/linux-sunxi) using git send-email and friends ? :)

techn · 2012-09-21T22:29:53Z

@npeacock would it be better change TOUCHSCREEN_FT5X_TS_MULTI to FT5X0X_MULTITOUCH and removing #define CONFIG_FT5X0X_MULTITOUCH?

npeacock · 2012-09-22T00:12:59Z

I want to try and come back to fix the multitouch for linux later so we can have pinch gestures and all. So I don't want it to depend on Android.

@techn I guess that would work too.

npeacock · 2012-09-22T00:17:39Z

After some hijinks I think I have sent it successfully to the mailing list.

npeacock · 2012-10-10T00:35:18Z

amery@202a72c5d1d5eaf9955ae11320c1ed39de584340\

This commit has fixed the real problem, my patch now only fixed honoring the inverted settings in single touch mode, which will probably never be used.

The changelog for commit 6a6dccb ("mm: cma: don't replace lowmem pages with highmem") mentioned that lowmem pages can be replaced by highmem pages during CMA migration. 6a6dccb fixed that issue. Quote from that changelog: : The filesystem layer expects pages in the block device's mapping to not : be in highmem (the mapping's gfp mask is set in bdget()), but CMA can : currently replace lowmem pages with highmem pages, leading to crashes in : filesystem code such as the one below: : : Unable to handle kernel NULL pointer dereference at virtual address 00000400 : pgd = c0c98000 : [00000400] *pgd=00c91831, *pte=00000000, *ppte=00000000 : Internal error: Oops: 817 [#1] PREEMPT SMP ARM : CPU: 0 Not tainted (3.5.0-rc5+ #80) : PC is at __memzero+0x24/0x80 : ... : Process fsstress (pid: 323, stack limit = 0xc0cbc2f0) : Backtrace: : [<c010e3f0>] (ext4_getblk+0x0/0x180) from [<c010e58c>] (ext4_bread+0x1c/0x98) : [<c010e570>] (ext4_bread+0x0/0x98) from [<c0117944>] (ext4_mkdir+0x160/0x3bc) : r4:c15337f0 : [<c01177e4>] (ext4_mkdir+0x0/0x3bc) from [<c00c29e0>] (vfs_mkdir+0x8c/0x98) : [<c00c2954>] (vfs_mkdir+0x0/0x98) from [<c00c2a60>] (sys_mkdirat+0x74/0xac) : r6:00000000 r5:c152eb40 r4:000001ff r3:c14b43f0 : [<c00c29ec>] (sys_mkdirat+0x0/0xac) from [<c00c2ab8>] (sys_mkdir+0x20/0x24) : r6:beccdcf0 r5:00074000 r4:beccdbbc : [<c00c2a98>] (sys_mkdir+0x0/0x24) from [<c000e3c0>] (ret_fast_syscall+0x0/0x30) Memory-hotplug has same problem as CMA has so the same fix can be applied to memory-hotplug as well. Fix it by reusing. Signed-off-by: Minchan Kim <minchan@kernel.org> Cc: Kamezawa Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com> Acked-by: Michal Nazarewicz <mina86@mina86.com> Cc: Marek Szyprowski <m.szyprowski@samsung.com> Cc: Wen Congyang <wency@cn.fujitsu.com> Acked-by: David Rientjes <rientjes@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

amery · 2012-10-10T08:48:50Z

@npeacock the fixes in that commit were just merged into our main branch (3.0-v2), see b32a25f. can you confirm it's working all right and resubmit (to the mailing list) the parts of your patch that you consider still relevant? Thanks!

The filesystem layer expects pages in the block device's mapping to not be in highmem (the mapping's gfp mask is set in bdget()), but CMA can currently replace lowmem pages with highmem pages, leading to crashes in filesystem code such as the one below: Unable to handle kernel NULL pointer dereference at virtual address 00000400 pgd = c0c98000 [00000400] *pgd=00c91831, *pte=00000000, *ppte=00000000 Internal error: Oops: 817 [#1] PREEMPT SMP ARM CPU: 0 Not tainted (3.5.0-rc5+ #80) PC is at __memzero+0x24/0x80 ... Process fsstress (pid: 323, stack limit = 0xc0cbc2f0) Backtrace: [<c010e3f0>] (ext4_getblk+0x0/0x180) from [<c010e58c>] (ext4_bread+0x1c/0x98) [<c010e570>] (ext4_bread+0x0/0x98) from [<c0117944>] (ext4_mkdir+0x160/0x3bc) r4:c15337f0 [<c01177e4>] (ext4_mkdir+0x0/0x3bc) from [<c00c29e0>] (vfs_mkdir+0x8c/0x98) [<c00c2954>] (vfs_mkdir+0x0/0x98) from [<c00c2a60>] (sys_mkdirat+0x74/0xac) r6:00000000 r5:c152eb40 r4:000001ff r3:c14b43f0 [<c00c29ec>] (sys_mkdirat+0x0/0xac) from [<c00c2ab8>] (sys_mkdir+0x20/0x24) r6:beccdcf0 r5:00074000 r4:beccdbbc [<c00c2a98>] (sys_mkdir+0x0/0x24) from [<c000e3c0>] (ret_fast_syscall+0x0/0x30) Fix this by replacing only highmem pages with highmem. Reported-by: Laura Abbott <lauraa@codeaurora.org> Signed-off-by: Rabin Vincent <rabin@rab.in> Acked-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>

Turn it into (for example): [ 0.073380] x86: Booting SMP configuration: [ 0.074005] .... node #0, CPUs: #1 #2 #3 #4 #5 #6 #7 [ 0.603005] .... node #1, CPUs: #8 #9 #10 #11 #12 #13 #14 #15 [ 1.200005] .... node #2, CPUs: #16 #17 #18 #19 #20 #21 #22 #23 [ 1.796005] .... node #3, CPUs: #24 #25 #26 #27 #28 #29 #30 #31 [ 2.393005] .... node #4, CPUs: #32 #33 #34 #35 #36 #37 #38 #39 [ 2.996005] .... node #5, CPUs: #40 #41 #42 #43 #44 #45 #46 #47 [ 3.600005] .... node #6, CPUs: #48 #49 #50 #51 #52 #53 #54 #55 [ 4.202005] .... node #7, CPUs: #56 #57 #58 #59 #60 #61 #62 #63 [ 4.811005] .... node #8, CPUs: #64 #65 #66 #67 #68 #69 #70 #71 [ 5.421006] .... node #9, CPUs: #72 #73 #74 #75 #76 #77 #78 #79 [ 6.032005] .... node #10, CPUs: #80 #81 #82 #83 #84 #85 #86 #87 [ 6.648006] .... node #11, CPUs: #88 #89 #90 #91 #92 #93 #94 #95 [ 7.262005] .... node #12, CPUs: #96 #97 #98 #99 #100 #101 #102 #103 [ 7.865005] .... node #13, CPUs: #104 #105 #106 #107 #108 #109 #110 #111 [ 8.466005] .... node #14, CPUs: #112 #113 #114 #115 #116 #117 #118 #119 [ 9.073006] .... node #15, CPUs: #120 #121 #122 #123 #124 #125 #126 #127 [ 9.679901] x86: Booted up 16 nodes, 128 CPUs and drop useless elements. Change num_digits() to hpa's division-avoiding, cell-phone-typed version which he went at great lengths and pains to submit on a Saturday evening. Signed-off-by: Borislav Petkov <bp@suse.de> Cc: huawei.libin@huawei.com Cc: wangyijing@huawei.com Cc: fenghua.yu@intel.com Cc: guohanjun@huawei.com Cc: paul.gortmaker@windriver.com Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Thomas Gleixner <tglx@linutronix.de> Link: http://lkml.kernel.org/r/20130930095624.GB16383@pd.tnic Signed-off-by: Ingo Molnar <mingo@kernel.org>

commit ee1e5e7eda9d875967cd668acd8e24c68b4266ba Merge: 2bbc8e6 2aee149 Author: Siarhei Siamashka <siarhei.siamashka@gmail.com> Date: Wed Dec 25 03:22:16 2013 +0200 Merge branch 'v3.4.46-ltsi-cma' into stage/sunxi-3.4 This is a merge of CMA patches from LTSI: http://ltsi.linuxfoundation.org/releases/ltsi-tree/3.4.46-ltsi/stable-release Conflicts: arch/arm/mm/mmu.c drivers/base/Kconfig mm/page_alloc.c commit 2aee14906cf931ca542fff2157107d1a7621f20c Author: Sachin Kamat <sachin.kamat@linaro.org> Date: Mon Oct 29 16:51:15 2012 +0900 ARM: dma-mapping: Fix potential memory leak in atomic_pool_init() When either of __alloc_from_contiguous or __alloc_remap_buffer fails to provide a valid pointer, allocated memory is freed up and an error is returned. 'pages' was however not freed before returning error. Cc: Arnd Bergmann <arnd@arndb.de> Cc: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit ec10665cbf271fb1f60daeb194ad4f2cdcdc59d9) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit e7086478542d07eda0017258eb5137a050f15b08 Author: Hiroshi Doyu <hdoyu@nvidia.com> Date: Mon Oct 29 16:51:14 2012 +0900 ARM: dma-mapping: atomic_pool with struct page **pages struct page **pages is necessary to align with non atomic path in __iommu_get_pages(). atomic_pool() has the intialized **pages instead of just *page. Signed-off-by: Hiroshi Doyu <hdoyu@nvidia.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 6b3fe47264262fa082897ebe8ae01041eae65e14) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit e4a9d193c2501ecc66307eae49e2f8826556e712 Author: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Date: Mon Oct 29 16:51:13 2012 +0900 arm: mm: fix DMA pool affiliation check The __free_from_pool() function was changed in e9da6e9905e639b0f842a244bc770b48ad0523e9. Unfortunately, the test that checks whether the provided (start,size) is within the DMA pool has been improperly modified. It used to be: if (start < coherent_head.vm_start || end > coherent_head.vm_end) Where coherent_head.vm_end was non-inclusive (i.e, it did not include the first byte after the pool). The test has been changed to: if (start < pool->vaddr || start > pool->vaddr + pool->size) So now pool->vaddr + pool->size is inclusive (i.e, it includes the first byte after the pool), so the test should be >= instead of >. This bug causes the following message when freeing the *first* DMA coherent buffer that has been allocated, because its virtual address is exactly equal to pool->vaddr + pool->size : WARNING: at /home/thomas/projets/linux-2.6/arch/arm/mm/dma-mapping.c:463 __free_from_pool+0xa4/0xc0() freeing wrong coherent size from pool Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Marek Szyprowski <m.szyprowski@samsung.com> Cc: Russell King <linux@arm.linux.org.uk> Cc: Lior Amsalem <alior@marvell.com> Cc: Maen Suleiman <maen@marvell.com> Cc: Tawfik Bayouk <tawfik@marvell.com> Cc: Shadi Ammouri <shadi@marvell.com> Cc: Eran Ben-Avi <benavi@marvell.com> Cc: Yehuda Yitschak <yehuday@marvell.com> Cc: Nadav Haklai <nadavh@marvell.com> [m.szyprowski: rebased onto v3.6-rc5 and resolved conflict] Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit f3d87524975f01b885fc3d009c6ab6afd0d00746) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 00d276cb10360235df524a3573ccf09b8810dbc1 Author: Hiroshi Doyu <hdoyu@nvidia.com> Date: Mon Oct 29 16:51:12 2012 +0900 ARM: dma-mapping: Refactor out to introduce __in_atomic_pool Check the given range("start", "size") is included in "atomic_pool" or not. Signed-off-by: Hiroshi Doyu <hdoyu@nvidia.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 21d0a75951ccf71f671eb24b61a8ad2b497be4b4) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 9c0f200b6f590fc4d998bc224714ed21d73b68c3 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:51:11 2012 +0900 ARM: DMA-Mapping: print warning when atomic coherent allocation fails Print a loud warning when system runs out of memory from atomic DMA coherent pool to let users notice the potential problem. Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit fb71285f0c1633a85544784aae7577502274b77a) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 6aa629fe5cec4b2bf7735c7340e7c3ae11083b02 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:51:10 2012 +0900 ARM: DMA-Mapping: add function for setting coherent pool size from platform code Some platforms might require to increase atomic coherent pool to make sure that their device will be able to allocate all their buffers from atomic context. This function can be also used to decrease atomic coherent pool size if coherent allocations are not used for the given sub-platform. Suggested-by: Josh Coombs <josh.coombs@gmail.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 6e5267aa543817015edb4a65c66e15f9809f92bd) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit c3389701658cbc49db34efb345dc3361cf09e0b3 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:51:09 2012 +0900 mm: cma: fix alignment requirements for contiguous regions Contiguous Memory Allocator requires each of its regions to be aligned in such a way that it is possible to change migration type for all pageblocks holding it and then isolate page of largest possible order from the buddy allocator (which is MAX_ORDER-1). This patch relaxes alignment requirements by one order, because MAX_ORDER alignment is not really needed. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> CC: Michal Nazarewicz <mina86@mina86.com> Acked-by: Michal Nazarewicz <mina86@mina86.com> (cherry picked from commit 7ce9bf1f4785dab0598a19a7fcb0733a18193e4e) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 82fe63726f86dede0037e5c2d188930128ede637 Author: Aaro Koskinen <aaro.koskinen@iki.fi> Date: Mon Oct 29 16:51:08 2012 +0900 ARM: dma-mapping: fix incorrect freeing of atomic allocations Commit e9da6e9905e639b0f842a244bc770b48ad0523e9 (ARM: dma-mapping: remove custom consistent dma region) changed the way atomic allocations are handled. However, arm_dma_free() was not modified accordingly, and as a result freeing of atomic allocations does not work correctly when CMA is disabled. Memory is leaked and following WARNINGs are seen: [ 57.698911] ------------[ cut here ]------------ [ 57.753518] WARNING: at arch/arm/mm/dma-mapping.c:263 arm_dma_free+0x88/0xe4() [ 57.811473] trying to free invalid coherent area: e0848000 [ 57.867398] Modules linked in: sata_mv(-) [ 57.921373] [<c000d270>] (unwind_backtrace+0x0/0xf0) from [<c0015430>] (warn_slowpath_common+0x50/0x68) [ 58.033924] [<c0015430>] (warn_slowpath_common+0x50/0x68) from [<c00154dc>] (warn_slowpath_fmt+0x30/0x40) [ 58.152024] [<c00154dc>] (warn_slowpath_fmt+0x30/0x40) from [<c000dc18>] (arm_dma_free+0x88/0xe4) [ 58.219592] [<c000dc18>] (arm_dma_free+0x88/0xe4) from [<c008fa30>] (dma_pool_destroy+0x100/0x148) [ 58.345526] [<c008fa30>] (dma_pool_destroy+0x100/0x148) from [<c019a64c>] (release_nodes+0x144/0x218) [ 58.475782] [<c019a64c>] (release_nodes+0x144/0x218) from [<c0197e10>] (__device_release_driver+0x60/0xb8) [ 58.614260] [<c0197e10>] (__device_release_driver+0x60/0xb8) from [<c0198608>] (driver_detach+0xd8/0xec) [ 58.756527] [<c0198608>] (driver_detach+0xd8/0xec) from [<c0197c54>] (bus_remove_driver+0x7c/0xc4) [ 58.901648] [<c0197c54>] (bus_remove_driver+0x7c/0xc4) from [<c004bfac>] (sys_delete_module+0x19c/0x220) [ 59.051447] [<c004bfac>] (sys_delete_module+0x19c/0x220) from [<c0009140>] (ret_fast_syscall+0x0/0x2c) [ 59.207996] ---[ end trace 0745420412c0325a ]--- [ 59.287110] ------------[ cut here ]------------ [ 59.366324] WARNING: at arch/arm/mm/dma-mapping.c:263 arm_dma_free+0x88/0xe4() [ 59.450511] trying to free invalid coherent area: e0847000 [ 59.534357] Modules linked in: sata_mv(-) [ 59.616785] [<c000d270>] (unwind_backtrace+0x0/0xf0) from [<c0015430>] (warn_slowpath_common+0x50/0x68) [ 59.790030] [<c0015430>] (warn_slowpath_common+0x50/0x68) from [<c00154dc>] (warn_slowpath_fmt+0x30/0x40) [ 59.972322] [<c00154dc>] (warn_slowpath_fmt+0x30/0x40) from [<c000dc18>] (arm_dma_free+0x88/0xe4) [ 60.070701] [<c000dc18>] (arm_dma_free+0x88/0xe4) from [<c008fa30>] (dma_pool_destroy+0x100/0x148) [ 60.256817] [<c008fa30>] (dma_pool_destroy+0x100/0x148) from [<c019a64c>] (release_nodes+0x144/0x218) [ 60.445201] [<c019a64c>] (release_nodes+0x144/0x218) from [<c0197e10>] (__device_release_driver+0x60/0xb8) [ 60.634148] [<c0197e10>] (__device_release_driver+0x60/0xb8) from [<c0198608>] (driver_detach+0xd8/0xec) [ 60.823623] [<c0198608>] (driver_detach+0xd8/0xec) from [<c0197c54>] (bus_remove_driver+0x7c/0xc4) [ 61.013268] [<c0197c54>] (bus_remove_driver+0x7c/0xc4) from [<c004bfac>] (sys_delete_module+0x19c/0x220) [ 61.203472] [<c004bfac>] (sys_delete_module+0x19c/0x220) from [<c0009140>] (ret_fast_syscall+0x0/0x2c) [ 61.393390] ---[ end trace 0745420412c0325b ]--- The patch fixes this. Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit d9e0d149b5dcc2ef4688afc572b9906bcda941ef) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit bb2718c695c0aa15cd0fd9a4847ff67937cd4c56 Author: Aaro Koskinen <aaro.koskinen@iki.fi> Date: Mon Oct 29 16:51:07 2012 +0900 ARM: dma-mapping: fix atomic allocation alignment The alignment mask is calculated incorrectly. Fixing the calculation makes strange hangs/lockups disappear during the boot with Amstrad E3 and 3.6-rc1 kernel. Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit e4ea6918c93b9f59d34e8ca2124b2b64b1afe73b) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 57861a305627c98801780014e4f7782dee3c5714 Author: Russell King <rmk+kernel@arm.linux.org.uk> Date: Mon Oct 29 16:51:06 2012 +0900 ARM: fix warning caused by wrongly typed arm_dma_limit arch/arm/mm/init.c: In function 'arm_memblock_init': arch/arm/mm/init.c:380: warning: comparison of distinct pointer types lacks a cast by fixing the typecast in its definition when DMA_ZONE is disabled. This was missed in 4986e5c7c (ARM: mm: fix type of the arm_dma_limit global variable). Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> (cherry picked from commit 09b2ad13da3ac7c717dd86bfca7072d9b36f7449) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit e7fc0512ee0dc45d8df8a59f5a9b54169596db7f Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:51:05 2012 +0900 ARM: dma-mapping: fix buffer chunk allocation order IOMMU-aware dma_alloc_attrs() implementation allocates buffers in power-of-two chunks to improve performance and take advantage of large page mappings provided by some IOMMU hardware. However current code, due to a subtle bug, allocated those chunks in the smallest-to-largest order, what completely killed all the advantages of using larger than page chunks. If a 4KiB chunk has been mapped as a first chunk, the consecutive chunks are not aligned correctly to the power-of-two which match their size and IOMMU drivers were not able to use internal mappings of size other than the 4KiB (largest common denominator of alignment and chunk size). This patch fixes this issue by changing to the correct largest-to-smallest chunk size allocation sequence. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 593f47355467b9ef44293698817e2bdb347e2d11) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit ec7459b02995094ef0d01037b80b0ba7c9fbb7c6 Author: Randy Dunlap <rdunlap@xenotime.net> Date: Mon Oct 29 16:51:04 2012 +0900 driver core: fix some kernel-doc warnings in dma*.c Fix kernel-doc warnings in drivers/base/dma*.c: Warning(drivers/base/dma-buf.c:498): No description found for parameter 'vaddr' Warning(drivers/base/dma-coherent.c:199): No description found for parameter 'ret' Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 6e7b4a59b3d7bb2dcd11c019354bf0c91037dadd) Conflicts: drivers/base/dma-buf.c Backported patch only addresses dma-coherent.c warning, as dma-buf.c warning is not present in 3.4 kernel. Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 4f02add73d3ec9e814cc53b10fea42513ab71f22 Author: Minchan Kim <minchan@kernel.org> Date: Mon Oct 29 16:51:03 2012 +0900 mm: factor out memory isolate functions mm/page_alloc.c has some memory isolation functions but they are used only when we enable CONFIG_{CMA|MEMORY_HOTPLUG|MEMORY_FAILURE}. So let's make it configurable by new CONFIG_MEMORY_ISOLATION so that it can reduce binary size and we can check it simple by CONFIG_MEMORY_ISOLATION, not if defined CONFIG_{CMA|MEMORY_HOTPLUG|MEMORY_FAILURE}. Signed-off-by: Minchan Kim <minchan@kernel.org> Cc: Andi Kleen <andi@firstfloor.org> Cc: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Cc: Mel Gorman <mgorman@suse.de> Cc: Michal Hocko <mhocko@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit ee6f509c3274014d1f52e7a7a10aee9f85393c5e) Conflicts: mm/Makefile Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 63d767819e6fcf472f9535d1b4628913ddcc5d64 Author: Minchan Kim <minchan@kernel.org> Date: Mon Oct 29 16:51:02 2012 +0900 mm: clean up __count_immobile_pages() The __count_immobile_pages() naming is rather awkward. Choose a more clear name and add a comment. Signed-off-by: Minchan Kim <minchan@kernel.org> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: Mel Gorman <mgorman@suse.de> Cc: Michal Hocko <mhocko@suse.cz> Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit 80934513b230bfcf70265f2ef0fdae89fb391633) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 21086e13604d5a72a8cd75a6062b55762317b748 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:51:01 2012 +0900 common: dma-mapping: add support for generic dma_mmap_* calls Commit 9adc5374 ('common: dma-mapping: introduce mmap method') added a generic method for implementing mmap user call to dma_map_ops structure. This patch converts ARM and PowerPC architectures (the only providers of dma_mmap_coherent/dma_mmap_writecombine calls) to use this generic dma_map_ops based call and adds a generic cross architecture definition for dma_mmap_attrs, dma_mmap_coherent, dma_mmap_writecombine functions. The generic mmap virt_to_page-based fallback implementation is provided for architectures which don't provide their own implementation for mmap method. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Reviewed-by: Kyungmin Park <kyungmin.park@samsung.com> (cherry picked from commit 64ccc9c033c6089b2d426dad3c56477ab066c999) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit e6877b7aaa30541e2f2601032f48c8216076eac6 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:51:00 2012 +0900 ARM: dma-mapping: fix error path for memory allocation failure This patch fixes incorrect check in error path. When the allocation of first page fails, the kernel ops appears due to accessing -1 element of the pages array. Reported-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 9fa8af91f0679f2abbebe1382b937264f3a8b981) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit e49dcb5b0ae74c85aca81d33aad8f3b8e8bcdad1 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:59 2012 +0900 ARM: dma-mapping: add more sanity checks in arm_dma_mmap() Add some sanity checks and forbid mmaping of buffers into vma areas larger than allocated dma buffer. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 50262a4bf38dd70486e9fce2b8235d5ae3e0f627) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit a683c6762033c9c40292fc00813e8f51d0630945 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:58 2012 +0900 ARM: dma-mapping: remove custom consistent dma region This patch changes dma-mapping subsystem to use generic vmalloc areas for all consistent dma allocations. This increases the total size limit of the consistent allocations and removes platform hacks and a lot of duplicated code. Atomic allocations are served from special pool preallocated on boot, because vmalloc areas cannot be reliably created in atomic context. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Reviewed-by: Kyungmin Park <kyungmin.park@samsung.com> Reviewed-by: Minchan Kim <minchan@kernel.org> (cherry picked from commit e9da6e9905e639b0f842a244bc770b48ad0523e9) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 8a7d1dd986d8a25885b8d50b53f1c71d2d6130b3 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:57 2012 +0900 mm: vmalloc: use const void * for caller argument 'const void *' is a safer type for caller function type. This patch updates all references to caller function type. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Reviewed-by: Kyungmin Park <kyungmin.park@samsung.com> Reviewed-by: Minchan Kim <minchan@kernel.org> (cherry picked from commit 5e6cafc83e30f0f70c79a2b7aef237dc57e29f02) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit f056881b91c8b256cc9d2e16b99ba520782ec0bc Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:56 2012 +0900 ARM: relax conditions required for enabling Contiguous Memory Allocator Contiguous Memory Allocator requires only paging and MMU enabled not particular CPU architectures, so there is no need for strict dependency on CPU type. This enables to use CMA on some older ARM v5 systems which also might need large contiguous blocks for the multimedia processing hw modules. Reported-by: Prabhakar Lad <prabhakar.lad@ti.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Tested-by: Prabhakar Lad <prabhakar.lad@ti.com> (cherry picked from commit e092705bcd53de3bafc3053b0b55bf83e5d6711f) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 65ffaed254e6c2d6d37a99313b06b3dcdc8de611 Author: Chris Brand <cbrand@broadcom.com> Date: Mon Oct 29 16:50:55 2012 +0900 ARM: mm: fix MMU mapping of CMA regions Fix dma_contiguous_remap() so that it continues through all the regions, even after encountering one that is outside lowmem. Without this change, if you have two CMA regions, the first outside lowmem and the seocnd inside lowmem, only the second one will get set up in the MMU. Data written to that region then doesn't get automatically flushed from the cache into memory. Signed-off-by: Chris Brand <cbrand@broadcom.com> [extended patch subject with 'fix' word] Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 39f78e70567a07a6fc0d7a4ca9e3331e44dd400d) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 0399c3b81c049913debe2bef12b53b961a6e46a9 Author: Prathyush K <prathyush.k@samsung.com> Date: Mon Oct 29 16:50:54 2012 +0900 ARM: dma-mapping: modify condition check while freeing pages WARNING: at mm/vmalloc.c:1471 __iommu_free_buffer+0xcc/0xd0() Trying to vfree() nonexistent vm area (ef095000) Modules linked in: [<c0015a18>] (unwind_backtrace+0x0/0xfc) from [<c0025a94>] (warn_slowpath_common+0x54/0x64) [<c0025a94>] (warn_slowpath_common+0x54/0x64) from [<c0025b38>] (warn_slowpath_fmt+0x30/0x40) [<c0025b38>] (warn_slowpath_fmt+0x30/0x40) from [<c0016de0>] (__iommu_free_buffer+0xcc/0xd0) [<c0016de0>] (__iommu_free_buffer+0xcc/0xd0) from [<c0229a5c>] (exynos_drm_free_buf+0xe4/0x138) [<c0229a5c>] (exynos_drm_free_buf+0xe4/0x138) from [<c022b358>] (exynos_drm_gem_destroy+0x80/0xfc) [<c022b358>] (exynos_drm_gem_destroy+0x80/0xfc) from [<c0211230>] (drm_gem_object_free+0x28/0x34) [<c0211230>] (drm_gem_object_free+0x28/0x34) from [<c0211bd0>] (drm_gem_object_release_handle+0xcc/0xd8) [<c0211bd0>] (drm_gem_object_release_handle+0xcc/0xd8) from [<c01abe10>] (idr_for_each+0x74/0xb8) [<c01abe10>] (idr_for_each+0x74/0xb8) from [<c02114e4>] (drm_gem_release+0x1c/0x30) [<c02114e4>] (drm_gem_release+0x1c/0x30) from [<c0210ae8>] (drm_release+0x608/0x694) [<c0210ae8>] (drm_release+0x608/0x694) from [<c00b75a0>] (fput+0xb8/0x228) [<c00b75a0>] (fput+0xb8/0x228) from [<c00b40c4>] (filp_close+0x64/0x84) [<c00b40c4>] (filp_close+0x64/0x84) from [<c0029d54>] (put_files_struct+0xe8/0x104) [<c0029d54>] (put_files_struct+0xe8/0x104) from [<c002b930>] (do_exit+0x608/0x774) [<c002b930>] (do_exit+0x608/0x774) from [<c002bae4>] (do_group_exit+0x48/0xb4) [<c002bae4>] (do_group_exit+0x48/0xb4) from [<c002bb60>] (sys_exit_group+0x10/0x18) [<c002bb60>] (sys_exit_group+0x10/0x18) from [<c000ee80>] (ret_fast_syscall+0x0/0x30) This patch modifies the condition while freeing to match the condition used while allocation. This fixes the above warning which arises when array size is equal to PAGE_SIZE where allocation is done using kzalloc but free is done using vfree. Signed-off-by: Prathyush K <prathyush.k@samsung.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 46c87852e99cf8ce97e207b11cde19085837e39c) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit e26a2e078e5483a54b9531868c1d18177b6382b8 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:53 2012 +0900 mm: cma: fix condition check when setting global cma area dev_set_cma_area incorrectly assigned cma to global area on first call due to incorrect check. This patch fixes this issue. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit cc2caea5b6152b8ce66dc2bbe83dc72b60612da8) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 037af057ec4b8dc147ecce464e6cbb3be92510fd Author: Rabin Vincent <rabin@rab.in> Date: Mon Oct 29 16:50:52 2012 +0900 mm: cma: don't replace lowmem pages with highmem The filesystem layer expects pages in the block device's mapping to not be in highmem (the mapping's gfp mask is set in bdget()), but CMA can currently replace lowmem pages with highmem pages, leading to crashes in filesystem code such as the one below: Unable to handle kernel NULL pointer dereference at virtual address 00000400 pgd = c0c98000 [00000400] *pgd=00c91831, *pte=00000000, *ppte=00000000 Internal error: Oops: 817 [#1] PREEMPT SMP ARM CPU: 0 Not tainted (3.5.0-rc5+ #80) PC is at __memzero+0x24/0x80 ... Process fsstress (pid: 323, stack limit = 0xc0cbc2f0) Backtrace: [<c010e3f0>] (ext4_getblk+0x0/0x180) from [<c010e58c>] (ext4_bread+0x1c/0x98) [<c010e570>] (ext4_bread+0x0/0x98) from [<c0117944>] (ext4_mkdir+0x160/0x3bc) r4:c15337f0 [<c01177e4>] (ext4_mkdir+0x0/0x3bc) from [<c00c29e0>] (vfs_mkdir+0x8c/0x98) [<c00c2954>] (vfs_mkdir+0x0/0x98) from [<c00c2a60>] (sys_mkdirat+0x74/0xac) r6:00000000 r5:c152eb40 r4:000001ff r3:c14b43f0 [<c00c29ec>] (sys_mkdirat+0x0/0xac) from [<c00c2ab8>] (sys_mkdir+0x20/0x24) r6:beccdcf0 r5:00074000 r4:beccdbbc [<c00c2a98>] (sys_mkdir+0x0/0x24) from [<c000e3c0>] (ret_fast_syscall+0x0/0x30) Fix this by replacing only highmem pages with highmem. Reported-by: Laura Abbott <lauraa@codeaurora.org> Signed-off-by: Rabin Vincent <rabin@rab.in> Acked-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 6a6dccba2fdc2a69f1f36b8f1c0acc8598e7221b) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 56792e85bc2f8c14c4f64f46fde3afb4fd10cd61 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:51 2012 +0900 x86: dma-mapping: fix broken allocation when dma_mask has been provided Commit 0a2b9a6ea93 ("X86: integrate CMA with DMA-mapping subsystem") broke memory allocation with dma_mask. This patch fixes possible kernel ops caused by lack of resetting page variable when jumping to 'again' label. Reported-by: Konrad Rzeszutek Wilk <konrad@darnok.org> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Michal Nazarewicz <mina86@mina86.com> (cherry picked from commit c080e26edc3a2a3cdfa4c430c663ee1c3bbd8fae) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 136dac72225ac4399522b8a42b29bb39c2e94b97 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:50 2012 +0900 ARM: dma-mapping: fix debug messages in dmabounce code This patch fixes the usage of uninitialized variables in dmabounce code intoduced by commit a227fb92 ('ARM: dma-mapping: remove offset parameter to prepare for generic dma_ops'): arch/arm/common/dmabounce.c: In function ‘dmabounce_sync_for_device’: arch/arm/common/dmabounce.c:409: warning: ‘off’ may be used uninitialized in this function arch/arm/common/dmabounce.c:407: note: ‘off’ was declared here arch/arm/common/dmabounce.c: In function ‘dmabounce_sync_for_cpu’: arch/arm/common/dmabounce.c:369: warning: ‘off’ may be used uninitialized in this function arch/arm/common/dmabounce.c:367: note: ‘off’ was declared here Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit fdb1117325ad719dc39e81209bc622d511db70e0) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 825d00daacd8c2ee76e297c9ce0dfc17d8a2bb85 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:49 2012 +0900 ARM: mm: fix type of the arm_dma_limit global variable arm_dma_limit stores physical address of maximal address accessible by DMA, so the phys_addr_t type makes much more sense for it instead of u32. This patch fixes the following build warning: arch/arm/mm/init.c:380: warning: comparison of distinct pointer types lacks a cast Reported-by: Russell King <linux@arm.linux.org.uk> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 4986e5c7cd91817d0f58dd15073c9080d47980cf) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 5d6075133b365ae6a34dba6c0a108445d99e4a3c Author: Sachin Kamat <sachin.kamat@linaro.org> Date: Mon Oct 29 16:50:48 2012 +0900 ARM: dma-mapping: Add missing static storage class specifier Fixes the following sparse warnings: arch/arm/mm/dma-mapping.c:231:15: warning: symbol 'consistent_base' was not declared. Should it be static? arch/arm/mm/dma-mapping.c:326:8: warning: symbol 'coherent_pool_size' was not declared. Should it be static? Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit e53f517ff236a0ec5413ff3935c53406b69bc1e2) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit b53b5181a0d2683f2f5de207136410e785eff85c Author: Ohad Ben-Cohen <ohad@wizery.com> Date: Mon Oct 29 16:50:47 2012 +0900 iommu/core: pass a user-provided token to fault handlers Sometimes a single IOMMU user may have to deal with several different IOMMU devices (e.g. remoteproc). When an IOMMU fault happens, such users have to regain their context in order to deal with the fault. Users can't use the private fields of neither the iommu_domain nor the IOMMU device, because those are already used by the IOMMU core and low level driver (respectively). This patch just simply allows users to pass a private token (most notably their own context pointer) to iommu_set_fault_handler(), and then makes sure it is provided back to the users whenever an IOMMU fault happens. The patch also adopts remoteproc to the new fault handling interface, but the real functionality using this (recovery of remote processors) will only be added later in a subsequent patch set. Cc: Fernando Guzman Lugo <fernando.lugo@ti.com> Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com> Signed-off-by: Joerg Roedel <joerg.roedel@amd.com> (cherry picked from commit 77ca23323594589ac8cba1c8d59bfe7e85d3cb8b) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 95f907b4158975160624b86ea7575298148c51db Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:46 2012 +0900 ARM: dma-mapping: remove unconditional dependency on CMA CMA has been enabled unconditionally on all ARMv6+ systems to solve the long standing issue of double kernel mappings for all dma coherent buffers. This however created a dependency on CONFIG_EXPERIMENTAL for the whole ARM architecture what should be really avoided. This patch removes this dependency and lets one use old, well-tested dma-mapping implementation also on ARMv6+ systems without the need to use EXPERIMENTAL stuff. Reported-by: Russell King <linux@arm.linux.org.uk> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit f1ae98da8525c6b8b1c301c3a2b0bd2b6515cca2) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 53195e721e0e6106325417acd91d274095d210b1 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:45 2012 +0900 ARM: dma-mapping: add support for IOMMU mapper This patch add a complete implementation of DMA-mapping API for devices which have IOMMU support. This implementation tries to optimize dma address space usage by remapping all possible physical memory chunks into a single dma address space chunk. DMA address space is managed on top of the bitmap stored in the dma_iommu_mapping structure stored in device->archdata. Platform setup code has to initialize parameters of the dma address space (base address, size, allocation precision order) with arm_iommu_create_mapping() function. To reduce the size of the bitmap, all allocations are aligned to the specified order of base 4 KiB pages. dma_alloc_* functions allocate physical memory in chunks, each with alloc_pages() function to avoid failing if the physical memory gets fragmented. In worst case the allocated buffer is composed of 4 KiB page chunks. dma_map_sg() function minimizes the total number of dma address space chunks by merging of physical memory chunks into one larger dma address space chunk. If requested chunk (scatter list entry) boundaries match physical page boundaries, most calls to dma_map_sg() requests will result in creating only one chunk in dma address space. dma_map_page() simply creates a mapping for the given page(s) in the dma address space. All dma functions also perform required cache operation like their counterparts from the arm linear physical memory mapping version. This patch contains code and fixes kindly provided by: - Krishna Reddy <vdumpa@nvidia.com>, - Andrzej Pietrasiewicz <andrzej.p@samsung.com>, - Hiroshi DOYU <hdoyu@nvidia.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit 4ce63fcd919c32d22528e54dcd89506962933719) Conflicts: arch/arm/mm/dma-mapping.c Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit dba04c0f43513f07d3d4e7f5869111e92e885c37 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:44 2012 +0900 ARM: dma-mapping: use alloc, mmap, free from dma_ops This patch converts dma_alloc/free/mmap_{coherent,writecombine} functions to use generic alloc/free/mmap methods from dma_map_ops structure. A new DMA_ATTR_WRITE_COMBINE DMA attribute have been introduced to implement writecombine methods. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit f99d60341238fe73fc514129cd9ae4e44e1b2c47) Conflicts: arch/arm/mm/dma-mapping.c Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 242efb8681142625d1776c0d2a8d257e98b10eee Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:43 2012 +0900 ARM: dma-mapping: remove redundant code and do the cleanup This patch just performs a global cleanup in DMA mapping implementation for ARM architecture. Some of the tiny helper functions have been moved to the caller code, some have been merged together. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit 51fde3499b531d4cf278f4d2eaa6c45b2865b16b) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 099faed3a8826eb7d3b7adc795cdcc19b52e9c70 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:42 2012 +0900 ARM: dma-mapping: move all dma bounce code to separate dma ops structure This patch removes dma bounce hooks from the common dma mapping implementation on ARM architecture and creates a separate set of dma_map_ops for dma bounce devices. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit 15237e1f505b3e5c2276f240b01cd2133e110cbc) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit ae47af4cf52b478f5e37d4aa4ed0bd7ff50f8a07 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:41 2012 +0900 ARM: dma-mapping: implement dma sg methods on top of any generic dma ops This patch converts all dma_sg methods to be generic (independent of the current DMA mapping implementation for ARM architecture). All dma sg operations are now implemented on top of respective dma_map_page/dma_sync_single_for* operations from dma_map_ops structure. Before this patch there were custom methods for all scatter/gather related operations. They iterated over the whole scatter list and called cache related operations directly (which in turn checked if we use dma bounce code or not and called respective version). This patch changes them not to use such shortcut. Instead it provides similar loop over scatter list and calls methods from the device's dma_map_ops structure. This enables us to use device dependent implementations of cache related operations (direct linear or dma bounce) depending on the provided dma_map_ops structure. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit 2a550e73d3e5f040a3e8eb733c942ab352eafb36) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 3eda90191d76d3fe2cb2a09bb8ce03b686b61d38 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:40 2012 +0900 ARM: dma-mapping: use asm-generic/dma-mapping-common.h This patch modifies dma-mapping implementation on ARM architecture to use common dma_map_ops structure and asm-generic/dma-mapping-common.h helpers. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit 2dc6a016bbedf18f18ad73997e5338307d6dbde9) Conflicts: arch/arm/Kconfig Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 93bb1a72f475b0cd7422fcfd9a130210ab32a6a5 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:39 2012 +0900 ARM: dma-mapping: remove offset parameter to prepare for generic dma_ops This patch removes the need for the offset parameter in dma bounce functions. This is required to let dma-mapping framework on ARM architecture to use common, generic dma_map_ops based dma-mapping helpers. Background and more detailed explaination: dma_*_range_* functions are available from the early days of the dma mapping api. They are the correct way of doing a partial syncs on the buffer (usually used by the network device drivers). This patch changes only the internal implementation of the dma bounce functions to let them tunnel through dma_map_ops structure. The driver api stays unchanged, so driver are obliged to call dma_*_range_* functions to keep code clean and easy to understand. The only drawback from this patch is reduced detection of the dma api abuse. Let us consider the following code: dma_addr = dma_map_single(dev, ptr, 64, DMA_TO_DEVICE); dma_sync_single_range_for_cpu(dev, dma_addr+16, 0, 32, DMA_TO_DEVICE); Without the patch such code fails, because dma bounce code is unable to find the bounce buffer for the given dma_address. After the patch the above sync call will be equivalent to: dma_sync_single_range_for_cpu(dev, dma_addr, 16, 32, DMA_TO_DEVICE); which succeeds. I don't consider this as a real problem, because DMA API abuse should be caught by debug_dma_* function family. This patch lets us to simplify the internal low-level implementation without chaning the driver visible API. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit a227fb92a0f5f0dd8282719386e9b3a29f0d16b2) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 79a80f4e467558717c6ac76302a31e0c69af738a Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:38 2012 +0900 ARM: dma-mapping: introduce DMA_ERROR_CODE constant Replace all uses of ~0 with DMA_ERROR_CODE, what should make the code easier to read. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit 553ac78877242b6d8b591323731df304140d0f99) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit b8aca1f7638ae019015546e91b0a741200cd0236 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:37 2012 +0900 ARM: dma-mapping: use pr_* instread of printk Replace all calls to printk with pr_* functions family. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit 6b6f770b573903f8a7d1cfab1fc662685653f413) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 6632fab348a3322f9324b41d0733272eb5d39f16 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:36 2012 +0900 ARM: dma-mapping: use dma_mmap_from_coherent() Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 47142f07eea32e9c108f548a4b06c28bec7df6e4) Conflicts: arch/arm/mm/dma-mapping.c Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 67527009619d1015b075a53502cb184db483c655 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:35 2012 +0900 common: add dma_mmap_from_coherent() function Add a common helper for dma-mapping core for mapping a coherent buffer to userspace. Reported-by: Subash Patel <subashrp@gmail.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit bca0fa5f12a6744a2b2e53154af65a51402b3426) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 5428b0199de7881667896f6ef126c4887af4a2c3 Author: Vitaly Andrianov <vitalya@ti.com> Date: Mon Oct 29 16:50:34 2012 +0900 ARM: dma-mapping: use PMD size for section unmap The dma_contiguous_remap() function clears existing section maps using the wrong size (PGDIR_SIZE instead of PMD_SIZE). This is a bug which does not affect non-LPAE systems, where PGDIR_SIZE and PMD_SIZE are the same. On LPAE systems, however, this bug causes the kernel to hang at this point. This fix has been tested on both LPAE and non-LPAE kernel builds. Signed-off-by: Vitaly Andrianov <vitalya@ti.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 61f6c7a47a2f84b7ba4b65240ffe9247df772b06) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 0245439393f82996f3cf4b8271cb1939fd8df951 Author: Minchan Kim <minchan.kim@gmail.com> Date: Mon Oct 29 16:50:33 2012 +0900 cma: fix migration mode __alloc_contig_migrate_range calls migrate_pages with wrong argument for migrate_mode. Fix it. Cc: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Minchan Kim <minchan@kernel.org> Acked-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 58f42fd54144346898e6dc6d6ae3acd4c591b42f) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit f3655d25bcd287bfb62a1b202b1019c321900335 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:32 2012 +0900 ARM: integrate CMA with DMA-mapping subsystem This patch adds support for CMA to dma-mapping subsystem for ARM architecture. By default a global CMA area is used, but specific devices are allowed to have their private memory areas if required (they can be created with dma_declare_contiguous() function during board initialisation). Contiguous memory areas reserved for DMA are remapped with 2-level page tables on boot. Once a buffer is requested, a low memory kernel mapping is updated to to match requested memory access type. GFP_ATOMIC allocations are performed from special pool which is created early during boot. This way remapping page attributes is not needed on allocation time. CMA has been enabled unconditionally for ARMv6+ systems. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> CC: Michal Nazarewicz <mina86@mina86.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit c79095092834a18ae74cfc08def1a5a101dc106c) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 0c66ce4969334b97079c4de068e7d2d812081681 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:31 2012 +0900 X86: integrate CMA with DMA-mapping subsystem This patch adds support for CMA to dma-mapping subsystem for x86 architecture that uses common pci-dma/pci-nommu implementation. This allows to test CMA on KVM/QEMU and a lot of common x86 boxes. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> CC: Michal Nazarewicz <mina86@mina86.com> Acked-by: Arnd Bergmann <arnd@arndb.de> (cherry picked from commit 0a2b9a6ea93650b8a00f9fd5ee8fdd25671e2df6) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 18c54c03865092e597897815ee0aadd69b8b3754 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:30 2012 +0900 drivers: add Contiguous Memory Allocator The Contiguous Memory Allocator is a set of helper functions for DMA mapping framework that improves allocations of contiguous memory chunks. CMA grabs memory on system boot, marks it with MIGRATE_CMA migrate type and gives back to the system. Kernel is allowed to allocate only movable pages within CMA's managed memory so that it can be used for example for page cache when DMA mapping do not use it. On dma_alloc_from_contiguous() request such pages are migrated out of CMA area to free required contiguous block and fulfill the request. This allows to allocate large contiguous chunks of memory at any time assuming that there is enough free memory available in the system. This code is heavily based on earlier works by Michal Nazarewicz. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit c64be2bb1c6eb43c838b2c6d57b074078be208dd) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 92b0e095dc5a0367c6be5e24842ce670d10367fa Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:29 2012 +0900 mm: trigger page reclaim in alloc_contig_range() to stabilise watermarks alloc_contig_range() performs memory allocation so it also should keep track on keeping the correct level of memory watermarks. This commit adds a call to *_slowpath style reclaim to grab enough pages to make sure that the final collection of contiguous pages from freelists will not starve the system. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> CC: Michal Nazarewicz <mina86@mina86.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 49f223a9cd96c7293d7258ff88c2bdf83065f69c) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 130d5a94aa9a38cb0c389a7b16614e31d6e91373 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:28 2012 +0900 mm: extract reclaim code from __alloc_pages_direct_reclaim() This patch extracts common reclaim code from __alloc_pages_direct_reclaim() function to separate function: __perform_reclaim() which can be later used by alloc_contig_range(). Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> Cc: Michal Nazarewicz <mina86@mina86.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit bba9071087108d3de70bea274e35064cc480487b) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 6f59300ba9e7e4dd1b46767ba8d705227a0e3df5 Author: Mel Gorman <mgorman@suse.de> Date: Mon Oct 29 16:50:27 2012 +0900 mm: Serialize access to min_free_kbytes There is a race between the min_free_kbytes sysctl, memory hotplug and transparent hugepage support enablement. Memory hotplug uses a zonelists_mutex to avoid a race when building zonelists. Reuse it to serialise watermark updates. [a.p.zijlstra@chello.nl: Older patch fixed the race with spinlock] Signed-off-by: Mel Gorman <mgorman@suse.de> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit cfd3da1e49bb95c355c01c0f502d657deb3d34a4) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 297403e910814abed263194dc6bce58a0bedb300 Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:26 2012 +0900 mm: page_isolation: MIGRATE_CMA isolation functions added This commit changes various functions that change pages and pageblocks migrate type between MIGRATE_ISOLATE and MIGRATE_MOVABLE in such a way as to allow to work with MIGRATE_CMA migrate type. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 0815f3d81d76dfbf2abcfd93a85ff0a6008fe4c0) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 4b1c9f454608e87e1924226913b284dfd8cbffce Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:25 2012 +0900 mm: mmzone: MIGRATE_CMA migration type added The MIGRATE_CMA migration type has two main characteristics: (i) only movable pages can be allocated from MIGRATE_CMA pageblocks and (ii) page allocator will never change migration type of MIGRATE_CMA pageblocks. This guarantees (to some degree) that page in a MIGRATE_CMA page block can always be migrated somewhere else (unless there's no memory left in the system). It is designed to be used for allocating big chunks (eg. 10MiB) of physically contiguous memory. Once driver requests contiguous memory, pages from MIGRATE_CMA pageblocks may be migrated away to create a contiguous block. To minimise number of migrations, MIGRATE_CMA migration type is the last type tried when page allocator falls back to other migration types when requested. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 47118af076f64844b4f423bc2f545b2da9dab50d) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit e3148a6a302d737cb0a469984a959d6e6432b8d1 Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:24 2012 +0900 mm: page_alloc: change fallbacks array handling This commit adds a row for MIGRATE_ISOLATE type to the fallbacks array which was missing from it. It also, changes the array traversal logic a little making MIGRATE_RESERVE an end marker. The letter change, removes the implicit MIGRATE_UNMOVABLE from the end of each row which was read by __rmqueue_fallback() function. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 6d4a49160de2c684fb59fa627bce80e200224331) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 3254c033faf3461b6292463e31f852379da1f662 Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:23 2012 +0900 mm: page_alloc: introduce alloc_contig_range() This commit adds the alloc_contig_range() function which tries to allocate given range of pages. It tries to migrate all already allocated pages that fall in the range thus freeing them. Once all pages in the range are freed they are removed from the buddy system thus allocated for the caller to use. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 041d3a8cdc18dc375a128d90bbb753949a81b1fb) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 64dc481111efa88074521b73399c7aea1da58b0c Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:22 2012 +0900 mm: compaction: export some of the functions This commit exports some of the functions from compaction.c file outside of it adding their declaration into internal.h header file so that other mm related code can use them. This forced compaction.c to always be compiled (as opposed to being compiled only if CONFIG_COMPACTION is defined) but as to avoid introducing code that user did not ask for, part of the compaction.c is now wrapped in on #ifdef. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit ff9543fd32060917beb080b1eb2d1d41ec7f39e0) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 4a9146950d6c41d522b06d9134d55ff06ea5a4c6 Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:21 2012 +0900 mm: compaction: introduce isolate_freepages_range() This commit introduces isolate_freepages_range() function which generalises isolate_freepages_block() so that it can be used on arbitrary PFN ranges. isolate_freepages_block() is left with only minor changes. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 85aa125f001f87f96a72e9e6ee515490843b1202) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 200926c2bd77f1e240f648a28bb8cbc794c04d9e Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:20 2012 +0900 mm: compaction: introduce map_pages() This commit creates a map_pages() function which map pages freed using split_free_pages(). This merely moves some code from isolate_freepages() so that it can be reused in other places. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 03d44192f69a45d780ba124f691e76020a44ebae) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 7500c34c9b094308107176ccbc79e2104a972eb3 Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:19 2012 +0900 mm: compaction: introduce isolate_migratepages_range() This commit introduces isolate_migratepages_range() function which extracts functionality from isolate_migratepages() so that it can be used on arbitrary PFN ranges. isolate_migratepages() function is implemented as a simple wrapper around isolate_migratepages_range(). Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 2fe86e0004076128f05d5a774b5c9c03d9dc3de2) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 936e23ee1a0cf7323f5f9d20d6f885eacb2008a7 Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:18 2012 +0900 mm: page_alloc: remove trailing whitespace Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> (cherry picked from commit 5f63b720b62925ef3c6a85473dcd547b0fd90616) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

0-DAY kernel build testing backend reports the following. scripts/checkpatch.pl 0001-ARM-imx-add-support-code-for-IMX50-based-machines.patch # many are suggestions rather than must-fix ERROR: Use of const init definition must use __initconst #80: arch/arm/mach-imx/mach-imx50.c:26: +static const char *imx50_dt_board_compat[] __initdata = { While at it, fix the error globally for IMX platform. Reported-by: Fengguang Wu <fengguang.wu@intel.com> Acked-by: Greg Ungerer <gerg@uclinux.org> Signed-off-by: Shawn Guo <shawn.guo@linaro.org>

commit ee1e5e7eda9d875967cd668acd8e24c68b4266ba Merge: 2bbc8e6 2aee149 Author: Siarhei Siamashka <siarhei.siamashka@gmail.com> Date: Wed Dec 25 03:22:16 2013 +0200 Merge branch 'v3.4.46-ltsi-cma' into stage/sunxi-3.4 This is a merge of CMA patches from LTSI: http://ltsi.linuxfoundation.org/releases/ltsi-tree/3.4.46-ltsi/stable-release Conflicts: arch/arm/mm/mmu.c drivers/base/Kconfig mm/page_alloc.c commit 2aee14906cf931ca542fff2157107d1a7621f20c Author: Sachin Kamat <sachin.kamat@linaro.org> Date: Mon Oct 29 16:51:15 2012 +0900 ARM: dma-mapping: Fix potential memory leak in atomic_pool_init() When either of __alloc_from_contiguous or __alloc_remap_buffer fails to provide a valid pointer, allocated memory is freed up and an error is returned. 'pages' was however not freed before returning error. Cc: Arnd Bergmann <arnd@arndb.de> Cc: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit ec10665cbf271fb1f60daeb194ad4f2cdcdc59d9) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit e7086478542d07eda0017258eb5137a050f15b08 Author: Hiroshi Doyu <hdoyu@nvidia.com> Date: Mon Oct 29 16:51:14 2012 +0900 ARM: dma-mapping: atomic_pool with struct page **pages struct page **pages is necessary to align with non atomic path in __iommu_get_pages(). atomic_pool() has the intialized **pages instead of just *page. Signed-off-by: Hiroshi Doyu <hdoyu@nvidia.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 6b3fe47264262fa082897ebe8ae01041eae65e14) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit e4a9d193c2501ecc66307eae49e2f8826556e712 Author: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Date: Mon Oct 29 16:51:13 2012 +0900 arm: mm: fix DMA pool affiliation check The __free_from_pool() function was changed in e9da6e9905e639b0f842a244bc770b48ad0523e9. Unfortunately, the test that checks whether the provided (start,size) is within the DMA pool has been improperly modified. It used to be: if (start < coherent_head.vm_start || end > coherent_head.vm_end) Where coherent_head.vm_end was non-inclusive (i.e, it did not include the first byte after the pool). The test has been changed to: if (start < pool->vaddr || start > pool->vaddr + pool->size) So now pool->vaddr + pool->size is inclusive (i.e, it includes the first byte after the pool), so the test should be >= instead of >. This bug causes the following message when freeing the *first* DMA coherent buffer that has been allocated, because its virtual address is exactly equal to pool->vaddr + pool->size : WARNING: at /home/thomas/projets/linux-2.6/arch/arm/mm/dma-mapping.c:463 __free_from_pool+0xa4/0xc0() freeing wrong coherent size from pool Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Marek Szyprowski <m.szyprowski@samsung.com> Cc: Russell King <linux@arm.linux.org.uk> Cc: Lior Amsalem <alior@marvell.com> Cc: Maen Suleiman <maen@marvell.com> Cc: Tawfik Bayouk <tawfik@marvell.com> Cc: Shadi Ammouri <shadi@marvell.com> Cc: Eran Ben-Avi <benavi@marvell.com> Cc: Yehuda Yitschak <yehuday@marvell.com> Cc: Nadav Haklai <nadavh@marvell.com> [m.szyprowski: rebased onto v3.6-rc5 and resolved conflict] Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit f3d87524975f01b885fc3d009c6ab6afd0d00746) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 00d276cb10360235df524a3573ccf09b8810dbc1 Author: Hiroshi Doyu <hdoyu@nvidia.com> Date: Mon Oct 29 16:51:12 2012 +0900 ARM: dma-mapping: Refactor out to introduce __in_atomic_pool Check the given range("start", "size") is included in "atomic_pool" or not. Signed-off-by: Hiroshi Doyu <hdoyu@nvidia.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 21d0a75951ccf71f671eb24b61a8ad2b497be4b4) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 9c0f200b6f590fc4d998bc224714ed21d73b68c3 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:51:11 2012 +0900 ARM: DMA-Mapping: print warning when atomic coherent allocation fails Print a loud warning when system runs out of memory from atomic DMA coherent pool to let users notice the potential problem. Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit fb71285f0c1633a85544784aae7577502274b77a) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 6aa629fe5cec4b2bf7735c7340e7c3ae11083b02 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:51:10 2012 +0900 ARM: DMA-Mapping: add function for setting coherent pool size from platform code Some platforms might require to increase atomic coherent pool to make sure that their device will be able to allocate all their buffers from atomic context. This function can be also used to decrease atomic coherent pool size if coherent allocations are not used for the given sub-platform. Suggested-by: Josh Coombs <josh.coombs@gmail.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 6e5267aa543817015edb4a65c66e15f9809f92bd) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit c3389701658cbc49db34efb345dc3361cf09e0b3 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:51:09 2012 +0900 mm: cma: fix alignment requirements for contiguous regions Contiguous Memory Allocator requires each of its regions to be aligned in such a way that it is possible to change migration type for all pageblocks holding it and then isolate page of largest possible order from the buddy allocator (which is MAX_ORDER-1). This patch relaxes alignment requirements by one order, because MAX_ORDER alignment is not really needed. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> CC: Michal Nazarewicz <mina86@mina86.com> Acked-by: Michal Nazarewicz <mina86@mina86.com> (cherry picked from commit 7ce9bf1f4785dab0598a19a7fcb0733a18193e4e) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 82fe63726f86dede0037e5c2d188930128ede637 Author: Aaro Koskinen <aaro.koskinen@iki.fi> Date: Mon Oct 29 16:51:08 2012 +0900 ARM: dma-mapping: fix incorrect freeing of atomic allocations Commit e9da6e9905e639b0f842a244bc770b48ad0523e9 (ARM: dma-mapping: remove custom consistent dma region) changed the way atomic allocations are handled. However, arm_dma_free() was not modified accordingly, and as a result freeing of atomic allocations does not work correctly when CMA is disabled. Memory is leaked and following WARNINGs are seen: [ 57.698911] ------------[ cut here ]------------ [ 57.753518] WARNING: at arch/arm/mm/dma-mapping.c:263 arm_dma_free+0x88/0xe4() [ 57.811473] trying to free invalid coherent area: e0848000 [ 57.867398] Modules linked in: sata_mv(-) [ 57.921373] [<c000d270>] (unwind_backtrace+0x0/0xf0) from [<c0015430>] (warn_slowpath_common+0x50/0x68) [ 58.033924] [<c0015430>] (warn_slowpath_common+0x50/0x68) from [<c00154dc>] (warn_slowpath_fmt+0x30/0x40) [ 58.152024] [<c00154dc>] (warn_slowpath_fmt+0x30/0x40) from [<c000dc18>] (arm_dma_free+0x88/0xe4) [ 58.219592] [<c000dc18>] (arm_dma_free+0x88/0xe4) from [<c008fa30>] (dma_pool_destroy+0x100/0x148) [ 58.345526] [<c008fa30>] (dma_pool_destroy+0x100/0x148) from [<c019a64c>] (release_nodes+0x144/0x218) [ 58.475782] [<c019a64c>] (release_nodes+0x144/0x218) from [<c0197e10>] (__device_release_driver+0x60/0xb8) [ 58.614260] [<c0197e10>] (__device_release_driver+0x60/0xb8) from [<c0198608>] (driver_detach+0xd8/0xec) [ 58.756527] [<c0198608>] (driver_detach+0xd8/0xec) from [<c0197c54>] (bus_remove_driver+0x7c/0xc4) [ 58.901648] [<c0197c54>] (bus_remove_driver+0x7c/0xc4) from [<c004bfac>] (sys_delete_module+0x19c/0x220) [ 59.051447] [<c004bfac>] (sys_delete_module+0x19c/0x220) from [<c0009140>] (ret_fast_syscall+0x0/0x2c) [ 59.207996] ---[ end trace 0745420412c0325a ]--- [ 59.287110] ------------[ cut here ]------------ [ 59.366324] WARNING: at arch/arm/mm/dma-mapping.c:263 arm_dma_free+0x88/0xe4() [ 59.450511] trying to free invalid coherent area: e0847000 [ 59.534357] Modules linked in: sata_mv(-) [ 59.616785] [<c000d270>] (unwind_backtrace+0x0/0xf0) from [<c0015430>] (warn_slowpath_common+0x50/0x68) [ 59.790030] [<c0015430>] (warn_slowpath_common+0x50/0x68) from [<c00154dc>] (warn_slowpath_fmt+0x30/0x40) [ 59.972322] [<c00154dc>] (warn_slowpath_fmt+0x30/0x40) from [<c000dc18>] (arm_dma_free+0x88/0xe4) [ 60.070701] [<c000dc18>] (arm_dma_free+0x88/0xe4) from [<c008fa30>] (dma_pool_destroy+0x100/0x148) [ 60.256817] [<c008fa30>] (dma_pool_destroy+0x100/0x148) from [<c019a64c>] (release_nodes+0x144/0x218) [ 60.445201] [<c019a64c>] (release_nodes+0x144/0x218) from [<c0197e10>] (__device_release_driver+0x60/0xb8) [ 60.634148] [<c0197e10>] (__device_release_driver+0x60/0xb8) from [<c0198608>] (driver_detach+0xd8/0xec) [ 60.823623] [<c0198608>] (driver_detach+0xd8/0xec) from [<c0197c54>] (bus_remove_driver+0x7c/0xc4) [ 61.013268] [<c0197c54>] (bus_remove_driver+0x7c/0xc4) from [<c004bfac>] (sys_delete_module+0x19c/0x220) [ 61.203472] [<c004bfac>] (sys_delete_module+0x19c/0x220) from [<c0009140>] (ret_fast_syscall+0x0/0x2c) [ 61.393390] ---[ end trace 0745420412c0325b ]--- The patch fixes this. Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit d9e0d149b5dcc2ef4688afc572b9906bcda941ef) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit bb2718c695c0aa15cd0fd9a4847ff67937cd4c56 Author: Aaro Koskinen <aaro.koskinen@iki.fi> Date: Mon Oct 29 16:51:07 2012 +0900 ARM: dma-mapping: fix atomic allocation alignment The alignment mask is calculated incorrectly. Fixing the calculation makes strange hangs/lockups disappear during the boot with Amstrad E3 and 3.6-rc1 kernel. Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit e4ea6918c93b9f59d34e8ca2124b2b64b1afe73b) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 57861a305627c98801780014e4f7782dee3c5714 Author: Russell King <rmk+kernel@arm.linux.org.uk> Date: Mon Oct 29 16:51:06 2012 +0900 ARM: fix warning caused by wrongly typed arm_dma_limit arch/arm/mm/init.c: In function 'arm_memblock_init': arch/arm/mm/init.c:380: warning: comparison of distinct pointer types lacks a cast by fixing the typecast in its definition when DMA_ZONE is disabled. This was missed in 4986e5c7c (ARM: mm: fix type of the arm_dma_limit global variable). Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> (cherry picked from commit 09b2ad13da3ac7c717dd86bfca7072d9b36f7449) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit e7fc0512ee0dc45d8df8a59f5a9b54169596db7f Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:51:05 2012 +0900 ARM: dma-mapping: fix buffer chunk allocation order IOMMU-aware dma_alloc_attrs() implementation allocates buffers in power-of-two chunks to improve performance and take advantage of large page mappings provided by some IOMMU hardware. However current code, due to a subtle bug, allocated those chunks in the smallest-to-largest order, what completely killed all the advantages of using larger than page chunks. If a 4KiB chunk has been mapped as a first chunk, the consecutive chunks are not aligned correctly to the power-of-two which match their size and IOMMU drivers were not able to use internal mappings of size other than the 4KiB (largest common denominator of alignment and chunk size). This patch fixes this issue by changing to the correct largest-to-smallest chunk size allocation sequence. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 593f47355467b9ef44293698817e2bdb347e2d11) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit ec7459b02995094ef0d01037b80b0ba7c9fbb7c6 Author: Randy Dunlap <rdunlap@xenotime.net> Date: Mon Oct 29 16:51:04 2012 +0900 driver core: fix some kernel-doc warnings in dma*.c Fix kernel-doc warnings in drivers/base/dma*.c: Warning(drivers/base/dma-buf.c:498): No description found for parameter 'vaddr' Warning(drivers/base/dma-coherent.c:199): No description found for parameter 'ret' Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 6e7b4a59b3d7bb2dcd11c019354bf0c91037dadd) Conflicts: drivers/base/dma-buf.c Backported patch only addresses dma-coherent.c warning, as dma-buf.c warning is not present in 3.4 kernel. Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 4f02add73d3ec9e814cc53b10fea42513ab71f22 Author: Minchan Kim <minchan@kernel.org> Date: Mon Oct 29 16:51:03 2012 +0900 mm: factor out memory isolate functions mm/page_alloc.c has some memory isolation functions but they are used only when we enable CONFIG_{CMA|MEMORY_HOTPLUG|MEMORY_FAILURE}. So let's make it configurable by new CONFIG_MEMORY_ISOLATION so that it can reduce binary size and we can check it simple by CONFIG_MEMORY_ISOLATION, not if defined CONFIG_{CMA|MEMORY_HOTPLUG|MEMORY_FAILURE}. Signed-off-by: Minchan Kim <minchan@kernel.org> Cc: Andi Kleen <andi@firstfloor.org> Cc: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Cc: Mel Gorman <mgorman@suse.de> Cc: Michal Hocko <mhocko@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit ee6f509c3274014d1f52e7a7a10aee9f85393c5e) Conflicts: mm/Makefile Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 63d767819e6fcf472f9535d1b4628913ddcc5d64 Author: Minchan Kim <minchan@kernel.org> Date: Mon Oct 29 16:51:02 2012 +0900 mm: clean up __count_immobile_pages() The __count_immobile_pages() naming is rather awkward. Choose a more clear name and add a comment. Signed-off-by: Minchan Kim <minchan@kernel.org> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: Mel Gorman <mgorman@suse.de> Cc: Michal Hocko <mhocko@suse.cz> Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit 80934513b230bfcf70265f2ef0fdae89fb391633) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 21086e13604d5a72a8cd75a6062b55762317b748 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:51:01 2012 +0900 common: dma-mapping: add support for generic dma_mmap_* calls Commit 9adc5374 ('common: dma-mapping: introduce mmap method') added a generic method for implementing mmap user call to dma_map_ops structure. This patch converts ARM and PowerPC architectures (the only providers of dma_mmap_coherent/dma_mmap_writecombine calls) to use this generic dma_map_ops based call and adds a generic cross architecture definition for dma_mmap_attrs, dma_mmap_coherent, dma_mmap_writecombine functions. The generic mmap virt_to_page-based fallback implementation is provided for architectures which don't provide their own implementation for mmap method. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Reviewed-by: Kyungmin Park <kyungmin.park@samsung.com> (cherry picked from commit 64ccc9c033c6089b2d426dad3c56477ab066c999) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit e6877b7aaa30541e2f2601032f48c8216076eac6 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:51:00 2012 +0900 ARM: dma-mapping: fix error path for memory allocation failure This patch fixes incorrect check in error path. When the allocation of first page fails, the kernel ops appears due to accessing -1 element of the pages array. Reported-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 9fa8af91f0679f2abbebe1382b937264f3a8b981) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit e49dcb5b0ae74c85aca81d33aad8f3b8e8bcdad1 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:59 2012 +0900 ARM: dma-mapping: add more sanity checks in arm_dma_mmap() Add some sanity checks and forbid mmaping of buffers into vma areas larger than allocated dma buffer. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 50262a4bf38dd70486e9fce2b8235d5ae3e0f627) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit a683c6762033c9c40292fc00813e8f51d0630945 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:58 2012 +0900 ARM: dma-mapping: remove custom consistent dma region This patch changes dma-mapping subsystem to use generic vmalloc areas for all consistent dma allocations. This increases the total size limit of the consistent allocations and removes platform hacks and a lot of duplicated code. Atomic allocations are served from special pool preallocated on boot, because vmalloc areas cannot be reliably created in atomic context. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Reviewed-by: Kyungmin Park <kyungmin.park@samsung.com> Reviewed-by: Minchan Kim <minchan@kernel.org> (cherry picked from commit e9da6e9905e639b0f842a244bc770b48ad0523e9) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit 8a7d1dd986d8a25885b8d50b53f1c71d2d6130b3 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:57 2012 +0900 mm: vmalloc: use const void * for caller argument 'const void *' is a safer type for caller function type. This patch updates all references to caller function type. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Reviewed-by: Kyungmin Park <kyungmin.park@samsung.com> Reviewed-by: Minchan Kim <minchan@kernel.org> (cherry picked from commit 5e6cafc83e30f0f70c79a2b7aef237dc57e29f02) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> commit f056881b91c8b256cc9d2e16b99ba520782ec0bc Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:56 2012 +0900 ARM: relax conditions required for enabling Contiguous Memory Allocator Contiguous Memory Allocator requires only paging and MMU enabled not particular CPU architectures, so there is no need for strict dependency on CPU type. This enables to use CMA on some older ARM v5 systems which also might need large contiguous blocks for the multimedia processing hw modules. Reported-by: Prabhakar Lad <prabhakar.lad@ti.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Tested-by: Prabhakar Lad <prabhakar.lad@ti.com> (cherry picked from commit e092705bcd53de3bafc3053b0b55bf83e5d6711f) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 65ffaed254e6c2d6d37a99313b06b3dcdc8de611 Author: Chris Brand <cbrand@broadcom.com> Date: Mon Oct 29 16:50:55 2012 +0900 ARM: mm: fix MMU mapping of CMA regions Fix dma_contiguous_remap() so that it continues through all the regions, even after encountering one that is outside lowmem. Without this change, if you have two CMA regions, the first outside lowmem and the seocnd inside lowmem, only the second one will get set up in the MMU. Data written to that region then doesn't get automatically flushed from the cache into memory. Signed-off-by: Chris Brand <cbrand@broadcom.com> [extended patch subject with 'fix' word] Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 39f78e70567a07a6fc0d7a4ca9e3331e44dd400d) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 0399c3b81c049913debe2bef12b53b961a6e46a9 Author: Prathyush K <prathyush.k@samsung.com> Date: Mon Oct 29 16:50:54 2012 +0900 ARM: dma-mapping: modify condition check while freeing pages WARNING: at mm/vmalloc.c:1471 __iommu_free_buffer+0xcc/0xd0() Trying to vfree() nonexistent vm area (ef095000) Modules linked in: [<c0015a18>] (unwind_backtrace+0x0/0xfc) from [<c0025a94>] (warn_slowpath_common+0x54/0x64) [<c0025a94>] (warn_slowpath_common+0x54/0x64) from [<c0025b38>] (warn_slowpath_fmt+0x30/0x40) [<c0025b38>] (warn_slowpath_fmt+0x30/0x40) from [<c0016de0>] (__iommu_free_buffer+0xcc/0xd0) [<c0016de0>] (__iommu_free_buffer+0xcc/0xd0) from [<c0229a5c>] (exynos_drm_free_buf+0xe4/0x138) [<c0229a5c>] (exynos_drm_free_buf+0xe4/0x138) from [<c022b358>] (exynos_drm_gem_destroy+0x80/0xfc) [<c022b358>] (exynos_drm_gem_destroy+0x80/0xfc) from [<c0211230>] (drm_gem_object_free+0x28/0x34) [<c0211230>] (drm_gem_object_free+0x28/0x34) from [<c0211bd0>] (drm_gem_object_release_handle+0xcc/0xd8) [<c0211bd0>] (drm_gem_object_release_handle+0xcc/0xd8) from [<c01abe10>] (idr_for_each+0x74/0xb8) [<c01abe10>] (idr_for_each+0x74/0xb8) from [<c02114e4>] (drm_gem_release+0x1c/0x30) [<c02114e4>] (drm_gem_release+0x1c/0x30) from [<c0210ae8>] (drm_release+0x608/0x694) [<c0210ae8>] (drm_release+0x608/0x694) from [<c00b75a0>] (fput+0xb8/0x228) [<c00b75a0>] (fput+0xb8/0x228) from [<c00b40c4>] (filp_close+0x64/0x84) [<c00b40c4>] (filp_close+0x64/0x84) from [<c0029d54>] (put_files_struct+0xe8/0x104) [<c0029d54>] (put_files_struct+0xe8/0x104) from [<c002b930>] (do_exit+0x608/0x774) [<c002b930>] (do_exit+0x608/0x774) from [<c002bae4>] (do_group_exit+0x48/0xb4) [<c002bae4>] (do_group_exit+0x48/0xb4) from [<c002bb60>] (sys_exit_group+0x10/0x18) [<c002bb60>] (sys_exit_group+0x10/0x18) from [<c000ee80>] (ret_fast_syscall+0x0/0x30) This patch modifies the condition while freeing to match the condition used while allocation. This fixes the above warning which arises when array size is equal to PAGE_SIZE where allocation is done using kzalloc but free is done using vfree. Signed-off-by: Prathyush K <prathyush.k@samsung.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 46c87852e99cf8ce97e207b11cde19085837e39c) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit e26a2e078e5483a54b9531868c1d18177b6382b8 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:53 2012 +0900 mm: cma: fix condition check when setting global cma area dev_set_cma_area incorrectly assigned cma to global area on first call due to incorrect check. This patch fixes this issue. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit cc2caea5b6152b8ce66dc2bbe83dc72b60612da8) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 037af057ec4b8dc147ecce464e6cbb3be92510fd Author: Rabin Vincent <rabin@rab.in> Date: Mon Oct 29 16:50:52 2012 +0900 mm: cma: don't replace lowmem pages with highmem The filesystem layer expects pages in the block device's mapping to not be in highmem (the mapping's gfp mask is set in bdget()), but CMA can currently replace lowmem pages with highmem pages, leading to crashes in filesystem code such as the one below: Unable to handle kernel NULL pointer dereference at virtual address 00000400 pgd = c0c98000 [00000400] *pgd=00c91831, *pte=00000000, *ppte=00000000 Internal error: Oops: 817 [#1] PREEMPT SMP ARM CPU: 0 Not tainted (3.5.0-rc5+ #80) PC is at __memzero+0x24/0x80 ... Process fsstress (pid: 323, stack limit = 0xc0cbc2f0) Backtrace: [<c010e3f0>] (ext4_getblk+0x0/0x180) from [<c010e58c>] (ext4_bread+0x1c/0x98) [<c010e570>] (ext4_bread+0x0/0x98) from [<c0117944>] (ext4_mkdir+0x160/0x3bc) r4:c15337f0 [<c01177e4>] (ext4_mkdir+0x0/0x3bc) from [<c00c29e0>] (vfs_mkdir+0x8c/0x98) [<c00c2954>] (vfs_mkdir+0x0/0x98) from [<c00c2a60>] (sys_mkdirat+0x74/0xac) r6:00000000 r5:c152eb40 r4:000001ff r3:c14b43f0 [<c00c29ec>] (sys_mkdirat+0x0/0xac) from [<c00c2ab8>] (sys_mkdir+0x20/0x24) r6:beccdcf0 r5:00074000 r4:beccdbbc [<c00c2a98>] (sys_mkdir+0x0/0x24) from [<c000e3c0>] (ret_fast_syscall+0x0/0x30) Fix this by replacing only highmem pages with highmem. Reported-by: Laura Abbott <lauraa@codeaurora.org> Signed-off-by: Rabin Vincent <rabin@rab.in> Acked-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 6a6dccba2fdc2a69f1f36b8f1c0acc8598e7221b) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 56792e85bc2f8c14c4f64f46fde3afb4fd10cd61 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:51 2012 +0900 x86: dma-mapping: fix broken allocation when dma_mask has been provided Commit 0a2b9a6ea93 ("X86: integrate CMA with DMA-mapping subsystem") broke memory allocation with dma_mask. This patch fixes possible kernel ops caused by lack of resetting page variable when jumping to 'again' label. Reported-by: Konrad Rzeszutek Wilk <konrad@darnok.org> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Michal Nazarewicz <mina86@mina86.com> (cherry picked from commit c080e26edc3a2a3cdfa4c430c663ee1c3bbd8fae) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 136dac72225ac4399522b8a42b29bb39c2e94b97 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:50 2012 +0900 ARM: dma-mapping: fix debug messages in dmabounce code This patch fixes the usage of uninitialized variables in dmabounce code intoduced by commit a227fb92 ('ARM: dma-mapping: remove offset parameter to prepare for generic dma_ops'): arch/arm/common/dmabounce.c: In function ‘dmabounce_sync_for_device’: arch/arm/common/dmabounce.c:409: warning: ‘off’ may be used uninitialized in this function arch/arm/common/dmabounce.c:407: note: ‘off’ was declared here arch/arm/common/dmabounce.c: In function ‘dmabounce_sync_for_cpu’: arch/arm/common/dmabounce.c:369: warning: ‘off’ may be used uninitialized in this function arch/arm/common/dmabounce.c:367: note: ‘off’ was declared here Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit fdb1117325ad719dc39e81209bc622d511db70e0) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 825d00daacd8c2ee76e297c9ce0dfc17d8a2bb85 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:49 2012 +0900 ARM: mm: fix type of the arm_dma_limit global variable arm_dma_limit stores physical address of maximal address accessible by DMA, so the phys_addr_t type makes much more sense for it instead of u32. This patch fixes the following build warning: arch/arm/mm/init.c:380: warning: comparison of distinct pointer types lacks a cast Reported-by: Russell King <linux@arm.linux.org.uk> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 4986e5c7cd91817d0f58dd15073c9080d47980cf) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 5d6075133b365ae6a34dba6c0a108445d99e4a3c Author: Sachin Kamat <sachin.kamat@linaro.org> Date: Mon Oct 29 16:50:48 2012 +0900 ARM: dma-mapping: Add missing static storage class specifier Fixes the following sparse warnings: arch/arm/mm/dma-mapping.c:231:15: warning: symbol 'consistent_base' was not declared. Should it be static? arch/arm/mm/dma-mapping.c:326:8: warning: symbol 'coherent_pool_size' was not declared. Should it be static? Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit e53f517ff236a0ec5413ff3935c53406b69bc1e2) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit b53b5181a0d2683f2f5de207136410e785eff85c Author: Ohad Ben-Cohen <ohad@wizery.com> Date: Mon Oct 29 16:50:47 2012 +0900 iommu/core: pass a user-provided token to fault handlers Sometimes a single IOMMU user may have to deal with several different IOMMU devices (e.g. remoteproc). When an IOMMU fault happens, such users have to regain their context in order to deal with the fault. Users can't use the private fields of neither the iommu_domain nor the IOMMU device, because those are already used by the IOMMU core and low level driver (respectively). This patch just simply allows users to pass a private token (most notably their own context pointer) to iommu_set_fault_handler(), and then makes sure it is provided back to the users whenever an IOMMU fault happens. The patch also adopts remoteproc to the new fault handling interface, but the real functionality using this (recovery of remote processors) will only be added later in a subsequent patch set. Cc: Fernando Guzman Lugo <fernando.lugo@ti.com> Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com> Signed-off-by: Joerg Roedel <joerg.roedel@amd.com> (cherry picked from commit 77ca23323594589ac8cba1c8d59bfe7e85d3cb8b) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 95f907b4158975160624b86ea7575298148c51db Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:46 2012 +0900 ARM: dma-mapping: remove unconditional dependency on CMA CMA has been enabled unconditionally on all ARMv6+ systems to solve the long standing issue of double kernel mappings for all dma coherent buffers. This however created a dependency on CONFIG_EXPERIMENTAL for the whole ARM architecture what should be really avoided. This patch removes this dependency and lets one use old, well-tested dma-mapping implementation also on ARMv6+ systems without the need to use EXPERIMENTAL stuff. Reported-by: Russell King <linux@arm.linux.org.uk> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit f1ae98da8525c6b8b1c301c3a2b0bd2b6515cca2) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 53195e721e0e6106325417acd91d274095d210b1 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:45 2012 +0900 ARM: dma-mapping: add support for IOMMU mapper This patch add a complete implementation of DMA-mapping API for devices which have IOMMU support. This implementation tries to optimize dma address space usage by remapping all possible physical memory chunks into a single dma address space chunk. DMA address space is managed on top of the bitmap stored in the dma_iommu_mapping structure stored in device->archdata. Platform setup code has to initialize parameters of the dma address space (base address, size, allocation precision order) with arm_iommu_create_mapping() function. To reduce the size of the bitmap, all allocations are aligned to the specified order of base 4 KiB pages. dma_alloc_* functions allocate physical memory in chunks, each with alloc_pages() function to avoid failing if the physical memory gets fragmented. In worst case the allocated buffer is composed of 4 KiB page chunks. dma_map_sg() function minimizes the total number of dma address space chunks by merging of physical memory chunks into one larger dma address space chunk. If requested chunk (scatter list entry) boundaries match physical page boundaries, most calls to dma_map_sg() requests will result in creating only one chunk in dma address space. dma_map_page() simply creates a mapping for the given page(s) in the dma address space. All dma functions also perform required cache operation like their counterparts from the arm linear physical memory mapping version. This patch contains code and fixes kindly provided by: - Krishna Reddy <vdumpa@nvidia.com>, - Andrzej Pietrasiewicz <andrzej.p@samsung.com>, - Hiroshi DOYU <hdoyu@nvidia.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit 4ce63fcd919c32d22528e54dcd89506962933719) Conflicts: arch/arm/mm/dma-mapping.c Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit dba04c0f43513f07d3d4e7f5869111e92e885c37 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:44 2012 +0900 ARM: dma-mapping: use alloc, mmap, free from dma_ops This patch converts dma_alloc/free/mmap_{coherent,writecombine} functions to use generic alloc/free/mmap methods from dma_map_ops structure. A new DMA_ATTR_WRITE_COMBINE DMA attribute have been introduced to implement writecombine methods. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit f99d60341238fe73fc514129cd9ae4e44e1b2c47) Conflicts: arch/arm/mm/dma-mapping.c Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 242efb8681142625d1776c0d2a8d257e98b10eee Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:43 2012 +0900 ARM: dma-mapping: remove redundant code and do the cleanup This patch just performs a global cleanup in DMA mapping implementation for ARM architecture. Some of the tiny helper functions have been moved to the caller code, some have been merged together. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit 51fde3499b531d4cf278f4d2eaa6c45b2865b16b) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 099faed3a8826eb7d3b7adc795cdcc19b52e9c70 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:42 2012 +0900 ARM: dma-mapping: move all dma bounce code to separate dma ops structure This patch removes dma bounce hooks from the common dma mapping implementation on ARM architecture and creates a separate set of dma_map_ops for dma bounce devices. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit 15237e1f505b3e5c2276f240b01cd2133e110cbc) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit ae47af4cf52b478f5e37d4aa4ed0bd7ff50f8a07 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:41 2012 +0900 ARM: dma-mapping: implement dma sg methods on top of any generic dma ops This patch converts all dma_sg methods to be generic (independent of the current DMA mapping implementation for ARM architecture). All dma sg operations are now implemented on top of respective dma_map_page/dma_sync_single_for* operations from dma_map_ops structure. Before this patch there were custom methods for all scatter/gather related operations. They iterated over the whole scatter list and called cache related operations directly (which in turn checked if we use dma bounce code or not and called respective version). This patch changes them not to use such shortcut. Instead it provides similar loop over scatter list and calls methods from the device's dma_map_ops structure. This enables us to use device dependent implementations of cache related operations (direct linear or dma bounce) depending on the provided dma_map_ops structure. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit 2a550e73d3e5f040a3e8eb733c942ab352eafb36) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 3eda90191d76d3fe2cb2a09bb8ce03b686b61d38 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:40 2012 +0900 ARM: dma-mapping: use asm-generic/dma-mapping-common.h This patch modifies dma-mapping implementation on ARM architecture to use common dma_map_ops structure and asm-generic/dma-mapping-common.h helpers. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit 2dc6a016bbedf18f18ad73997e5338307d6dbde9) Conflicts: arch/arm/Kconfig Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 93bb1a72f475b0cd7422fcfd9a130210ab32a6a5 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:39 2012 +0900 ARM: dma-mapping: remove offset parameter to prepare for generic dma_ops This patch removes the need for the offset parameter in dma bounce functions. This is required to let dma-mapping framework on ARM architecture to use common, generic dma_map_ops based dma-mapping helpers. Background and more detailed explaination: dma_*_range_* functions are available from the early days of the dma mapping api. They are the correct way of doing a partial syncs on the buffer (usually used by the network device drivers). This patch changes only the internal implementation of the dma bounce functions to let them tunnel through dma_map_ops structure. The driver api stays unchanged, so driver are obliged to call dma_*_range_* functions to keep code clean and easy to understand. The only drawback from this patch is reduced detection of the dma api abuse. Let us consider the following code: dma_addr = dma_map_single(dev, ptr, 64, DMA_TO_DEVICE); dma_sync_single_range_for_cpu(dev, dma_addr+16, 0, 32, DMA_TO_DEVICE); Without the patch such code fails, because dma bounce code is unable to find the bounce buffer for the given dma_address. After the patch the above sync call will be equivalent to: dma_sync_single_range_for_cpu(dev, dma_addr, 16, 32, DMA_TO_DEVICE); which succeeds. I don't consider this as a real problem, because DMA API abuse should be caught by debug_dma_* function family. This patch lets us to simplify the internal low-level implementation without chaning the driver visible API. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit a227fb92a0f5f0dd8282719386e9b3a29f0d16b2) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 79a80f4e467558717c6ac76302a31e0c69af738a Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:38 2012 +0900 ARM: dma-mapping: introduce DMA_ERROR_CODE constant Replace all uses of ~0 with DMA_ERROR_CODE, what should make the code easier to read. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit 553ac78877242b6d8b591323731df304140d0f99) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit b8aca1f7638ae019015546e91b0a741200cd0236 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:37 2012 +0900 ARM: dma-mapping: use pr_* instread of printk Replace all calls to printk with pr_* functions family. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit 6b6f770b573903f8a7d1cfab1fc662685653f413) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 6632fab348a3322f9324b41d0733272eb5d39f16 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:36 2012 +0900 ARM: dma-mapping: use dma_mmap_from_coherent() Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 47142f07eea32e9c108f548a4b06c28bec7df6e4) Conflicts: arch/arm/mm/dma-mapping.c Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 67527009619d1015b075a53502cb184db483c655 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:35 2012 +0900 common: add dma_mmap_from_coherent() function Add a common helper for dma-mapping core for mapping a coherent buffer to userspace. Reported-by: Subash Patel <subashrp@gmail.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Tested-By: Subash Patel <subash.ramaswamy@linaro.org> (cherry picked from commit bca0fa5f12a6744a2b2e53154af65a51402b3426) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 5428b0199de7881667896f6ef126c4887af4a2c3 Author: Vitaly Andrianov <vitalya@ti.com> Date: Mon Oct 29 16:50:34 2012 +0900 ARM: dma-mapping: use PMD size for section unmap The dma_contiguous_remap() function clears existing section maps using the wrong size (PGDIR_SIZE instead of PMD_SIZE). This is a bug which does not affect non-LPAE systems, where PGDIR_SIZE and PMD_SIZE are the same. On LPAE systems, however, this bug causes the kernel to hang at this point. This fix has been tested on both LPAE and non-LPAE kernel builds. Signed-off-by: Vitaly Andrianov <vitalya@ti.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 61f6c7a47a2f84b7ba4b65240ffe9247df772b06) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 0245439393f82996f3cf4b8271cb1939fd8df951 Author: Minchan Kim <minchan.kim@gmail.com> Date: Mon Oct 29 16:50:33 2012 +0900 cma: fix migration mode __alloc_contig_migrate_range calls migrate_pages with wrong argument for migrate_mode. Fix it. Cc: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Minchan Kim <minchan@kernel.org> Acked-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> (cherry picked from commit 58f42fd54144346898e6dc6d6ae3acd4c591b42f) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit f3655d25bcd287bfb62a1b202b1019c321900335 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:32 2012 +0900 ARM: integrate CMA with DMA-mapping subsystem This patch adds support for CMA to dma-mapping subsystem for ARM architecture. By default a global CMA area is used, but specific devices are allowed to have their private memory areas if required (they can be created with dma_declare_contiguous() function during board initialisation). Contiguous memory areas reserved for DMA are remapped with 2-level page tables on boot. Once a buffer is requested, a low memory kernel mapping is updated to to match requested memory access type. GFP_ATOMIC allocations are performed from special pool which is created early during boot. This way remapping page attributes is not needed on allocation time. CMA has been enabled unconditionally for ARMv6+ systems. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> CC: Michal Nazarewicz <mina86@mina86.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit c79095092834a18ae74cfc08def1a5a101dc106c) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 0c66ce4969334b97079c4de068e7d2d812081681 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:31 2012 +0900 X86: integrate CMA with DMA-mapping subsystem This patch adds support for CMA to dma-mapping subsystem for x86 architecture that uses common pci-dma/pci-nommu implementation. This allows to test CMA on KVM/QEMU and a lot of common x86 boxes. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> CC: Michal Nazarewicz <mina86@mina86.com> Acked-by: Arnd Bergmann <arnd@arndb.de> (cherry picked from commit 0a2b9a6ea93650b8a00f9fd5ee8fdd25671e2df6) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 18c54c03865092e597897815ee0aadd69b8b3754 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:30 2012 +0900 drivers: add Contiguous Memory Allocator The Contiguous Memory Allocator is a set of helper functions for DMA mapping framework that improves allocations of contiguous memory chunks. CMA grabs memory on system boot, marks it with MIGRATE_CMA migrate type and gives back to the system. Kernel is allowed to allocate only movable pages within CMA's managed memory so that it can be used for example for page cache when DMA mapping do not use it. On dma_alloc_from_contiguous() request such pages are migrated out of CMA area to free required contiguous block and fulfill the request. This allows to allocate large contiguous chunks of memory at any time assuming that there is enough free memory available in the system. This code is heavily based on earlier works by Michal Nazarewicz. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit c64be2bb1c6eb43c838b2c6d57b074078be208dd) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 92b0e095dc5a0367c6be5e24842ce670d10367fa Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:29 2012 +0900 mm: trigger page reclaim in alloc_contig_range() to stabilise watermarks alloc_contig_range() performs memory allocation so it also should keep track on keeping the correct level of memory watermarks. This commit adds a call to *_slowpath style reclaim to grab enough pages to make sure that the final collection of contiguous pages from freelists will not starve the system. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> CC: Michal Nazarewicz <mina86@mina86.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 49f223a9cd96c7293d7258ff88c2bdf83065f69c) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 130d5a94aa9a38cb0c389a7b16614e31d6e91373 Author: Marek Szyprowski <m.szyprowski@samsung.com> Date: Mon Oct 29 16:50:28 2012 +0900 mm: extract reclaim code from __alloc_pages_direct_reclaim() This patch extracts common reclaim code from __alloc_pages_direct_reclaim() function to separate function: __perform_reclaim() which can be later used by alloc_contig_range(). Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> Cc: Michal Nazarewicz <mina86@mina86.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit bba9071087108d3de70bea274e35064cc480487b) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 6f59300ba9e7e4dd1b46767ba8d705227a0e3df5 Author: Mel Gorman <mgorman@suse.de> Date: Mon Oct 29 16:50:27 2012 +0900 mm: Serialize access to min_free_kbytes There is a race between the min_free_kbytes sysctl, memory hotplug and transparent hugepage support enablement. Memory hotplug uses a zonelists_mutex to avoid a race when building zonelists. Reuse it to serialise watermark updates. [a.p.zijlstra@chello.nl: Older patch fixed the race with spinlock] Signed-off-by: Mel Gorman <mgorman@suse.de> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit cfd3da1e49bb95c355c01c0f502d657deb3d34a4) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 297403e910814abed263194dc6bce58a0bedb300 Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:26 2012 +0900 mm: page_isolation: MIGRATE_CMA isolation functions added This commit changes various functions that change pages and pageblocks migrate type between MIGRATE_ISOLATE and MIGRATE_MOVABLE in such a way as to allow to work with MIGRATE_CMA migrate type. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 0815f3d81d76dfbf2abcfd93a85ff0a6008fe4c0) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 4b1c9f454608e87e1924226913b284dfd8cbffce Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:25 2012 +0900 mm: mmzone: MIGRATE_CMA migration type added The MIGRATE_CMA migration type has two main characteristics: (i) only movable pages can be allocated from MIGRATE_CMA pageblocks and (ii) page allocator will never change migration type of MIGRATE_CMA pageblocks. This guarantees (to some degree) that page in a MIGRATE_CMA page block can always be migrated somewhere else (unless there's no memory left in the system). It is designed to be used for allocating big chunks (eg. 10MiB) of physically contiguous memory. Once driver requests contiguous memory, pages from MIGRATE_CMA pageblocks may be migrated away to create a contiguous block. To minimise number of migrations, MIGRATE_CMA migration type is the last type tried when page allocator falls back to other migration types when requested. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 47118af076f64844b4f423bc2f545b2da9dab50d) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit e3148a6a302d737cb0a469984a959d6e6432b8d1 Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:24 2012 +0900 mm: page_alloc: change fallbacks array handling This commit adds a row for MIGRATE_ISOLATE type to the fallbacks array which was missing from it. It also, changes the array traversal logic a little making MIGRATE_RESERVE an end marker. The letter change, removes the implicit MIGRATE_UNMOVABLE from the end of each row which was read by __rmqueue_fallback() function. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 6d4a49160de2c684fb59fa627bce80e200224331) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 3254c033faf3461b6292463e31f852379da1f662 Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:23 2012 +0900 mm: page_alloc: introduce alloc_contig_range() This commit adds the alloc_contig_range() function which tries to allocate given range of pages. It tries to migrate all already allocated pages that fall in the range thus freeing them. Once all pages in the range are freed they are removed from the buddy system thus allocated for the caller to use. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 041d3a8cdc18dc375a128d90bbb753949a81b1fb) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 64dc481111efa88074521b73399c7aea1da58b0c Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:22 2012 +0900 mm: compaction: export some of the functions This commit exports some of the functions from compaction.c file outside of it adding their declaration into internal.h header file so that other mm related code can use them. This forced compaction.c to always be compiled (as opposed to being compiled only if CONFIG_COMPACTION is defined) but as to avoid introducing code that user did not ask for, part of the compaction.c is now wrapped in on #ifdef. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit ff9543fd32060917beb080b1eb2d1d41ec7f39e0) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 4a9146950d6c41d522b06d9134d55ff06ea5a4c6 Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:21 2012 +0900 mm: compaction: introduce isolate_freepages_range() This commit introduces isolate_freepages_range() function which generalises isolate_freepages_block() so that it can be used on arbitrary PFN ranges. isolate_freepages_block() is left with only minor changes. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 85aa125f001f87f96a72e9e6ee515490843b1202) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 200926c2bd77f1e240f648a28bb8cbc794c04d9e Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:20 2012 +0900 mm: compaction: introduce map_pages() This commit creates a map_pages() function which map pages freed using split_free_pages(). This merely moves some code from isolate_freepages() so that it can be reused in other places. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 03d44192f69a45d780ba124f691e76020a44ebae) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 7500c34c9b094308107176ccbc79e2104a972eb3 Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:19 2012 +0900 mm: compaction: introduce isolate_migratepages_range() This commit introduces isolate_migratepages_range() function which extracts functionality from isolate_migratepages() so that it can be used on arbitrary PFN ranges. isolate_migratepages() function is implemented as a simple wrapper around isolate_migratepages_range(). Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Tested-by: Rob Clark <rob.clark@linaro.org> Tested-by: Ohad Ben-Cohen <ohad@wizery.com> Tested-by: Benjamin Gaignard <benjamin.gaignard@linaro.org> Tested-by: Robert Nelson <robertcnelson@gmail.com> Tested-by: Barry Song <Baohua.Song@csr.com> (cherry picked from commit 2fe86e0004076128f05d5a774b5c9c03d9dc3de2) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> commit 936e23ee1a0cf7323f5f9d20d6f885eacb2008a7 Author: Michal Nazarewicz <mina86@mina86.com> Date: Mon Oct 29 16:50:18 2012 +0900 mm: page_alloc: remove trailing whitespace Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Mel Gorman <mel@csn.ul.ie> (cherry picked from commit 5f63b720b62925ef3c6a85473dcd547b0fd90616) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

This commit fixes the following checkpatch warnings: WARNING: externs should be avoided in .c files linux-sunxi#80: FILE: drivers/staging/dgnc/dgnc_driver.c:80: +int dgnc_init_module(void); linux-sunxi#81: FILE: drivers/staging/dgnc/dgnc_driver.c:81: +void dgnc_cleanup_module(void); This was caused by putting the declarations for module init and module exit fucntions on the top of the file. The fix removes these declarations plus it also corrects the type of the init/exit functions. Due to the dependency between init and exit functions the dgnc_cleanup_module had to be put first. Signed-off-by: Konrad Zapalowicz <bergo.torino@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

https://bugzilla.kernel.org/show_bug.cgi?id=86831 Markus reported that when shutting down mysqld (with AIO support, on a ext3 formatted Harddrive) leads to a negative number of dirty pages (underrun to the counter). The negative number results in a drastic reduction of the write performance because the page cache is not used, because the kernel thinks it is still 2 ^ 32 dirty pages open. Add a warn trace in __dec_zone_state will catch this easily: static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item) { atomic_long_dec(&zone->vm_stat[item]); + WARN_ON_ONCE(item == NR_FILE_DIRTY && atomic_long_read(&zone->vm_stat[item]) < 0); atomic_long_dec(&vm_stat[item]); } [ 21.341632] ------------[ cut here ]------------ [ 21.346294] WARNING: CPU: 0 PID: 309 at include/linux/vmstat.h:242 cancel_dirty_page+0x164/0x224() [ 21.355296] Modules linked in: wutbox_cp sata_mv [ 21.359968] CPU: 0 PID: 309 Comm: kworker/0:1 Not tainted 3.14.21-WuT #80 [ 21.366793] Workqueue: events free_ioctx [ 21.370760] [<c0016a64>] (unwind_backtrace) from [<c0012f88>] (show_stack+0x20/0x24) [ 21.378562] [<c0012f88>] (show_stack) from [<c03f8ccc>] (dump_stack+0x24/0x28) [ 21.385840] [<c03f8ccc>] (dump_stack) from [<c0023ae4>] (warn_slowpath_common+0x84/0x9c) [ 21.393976] [<c0023ae4>] (warn_slowpath_common) from [<c0023bb8>] (warn_slowpath_null+0x2c/0x34) [ 21.402800] [<c0023bb8>] (warn_slowpath_null) from [<c00c0688>] (cancel_dirty_page+0x164/0x224) [ 21.411524] [<c00c0688>] (cancel_dirty_page) from [<c00c080c>] (truncate_inode_page+0x8c/0x158) [ 21.420272] [<c00c080c>] (truncate_inode_page) from [<c00c0a94>] (truncate_inode_pages_range+0x11c/0x53c) [ 21.429890] [<c00c0a94>] (truncate_inode_pages_range) from [<c00c0f6c>] (truncate_pagecache+0x88/0xac) [ 21.439252] [<c00c0f6c>] (truncate_pagecache) from [<c00c0fec>] (truncate_setsize+0x5c/0x74) [ 21.447731] [<c00c0fec>] (truncate_setsize) from [<c013b3a8>] (put_aio_ring_file.isra.14+0x34/0x90) [ 21.456826] [<c013b3a8>] (put_aio_ring_file.isra.14) from [<c013b424>] (aio_free_ring+0x20/0xcc) [ 21.465660] [<c013b424>] (aio_free_ring) from [<c013b4f4>] (free_ioctx+0x24/0x44) [ 21.473190] [<c013b4f4>] (free_ioctx) from [<c003d8d8>] (process_one_work+0x134/0x47c) [ 21.481132] [<c003d8d8>] (process_one_work) from [<c003e988>] (worker_thread+0x130/0x414) [ 21.489350] [<c003e988>] (worker_thread) from [<c00448ac>] (kthread+0xd4/0xec) [ 21.496621] [<c00448ac>] (kthread) from [<c000ec18>] (ret_from_fork+0x14/0x20) [ 21.503884] ---[ end trace 79c4bf42c038c9a1 ]--- The cause is that we set the aio ring file pages as *DIRTY* via SetPageDirty (bypasses the VFS dirty pages increment) when init, and aio fs uses *default_backing_dev_info* as the backing dev, which does not disable the dirty pages accounting capability. So truncating aio ring file will contribute to accounting dirty pages (VFS dirty pages decrement), then error occurs. The original goal is keeping these pages in memory (can not be reclaimed or swapped) in life-time via marking it dirty. But thinking more, we have already pinned pages via elevating the page's refcount, which can already achieve the goal, so the SetPageDirty seems unnecessary. In order to fix the issue, using the __set_page_dirty_no_writeback instead of the nop .set_page_dirty, and dropped the SetPageDirty (don't manually set the dirty flags, don't disable set_page_dirty(), rely on default behaviour). With the above change, the dirty pages accounting can work well. But as we known, aio fs is an anonymous one, which should never cause any real write-back, we can ignore the dirty pages (write back) accounting by disabling the dirty pages (write back) accounting capability. So we introduce an aio private backing dev info (disabled the ACCT_DIRTY/WRITEBACK/ACCT_WB capabilities) to replace the default one. Reported-by: Markus Königshaus <m.koenigshaus@wut.de> Signed-off-by: Gu Zheng <guz.fnst@cn.fujitsu.com> Cc: stable <stable@vger.kernel.org> Acked-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>

Izumi found the following oops when hot re-adding a node: BUG: unable to handle kernel paging request at ffffc90008963690 IP: __wake_up_bit+0x20/0x70 Oops: 0000 [linux-sunxi#1] SMP CPU: 68 PID: 1237 Comm: rs:main Q:Reg Not tainted 4.1.0-rc5 linux-sunxi#80 Hardware name: FUJITSU PRIMEQUEST2800E/SB, BIOS PRIMEQUEST 2000 Series BIOS Version 1.87 04/28/2015 task: ffff880838df8000 ti: ffff880017b94000 task.ti: ffff880017b94000 RIP: 0010:[<ffffffff810dff80>] [<ffffffff810dff80>] __wake_up_bit+0x20/0x70 RSP: 0018:ffff880017b97be8 EFLAGS: 00010246 RAX: ffffc90008963690 RBX: 00000000003c0000 RCX: 000000000000a4c9 RDX: 0000000000000000 RSI: ffffea101bffd500 RDI: ffffc90008963648 RBP: ffff880017b97c08 R08: 0000000002000020 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a0797c73800 R13: ffffea101bffd500 R14: 0000000000000001 R15: 00000000003c0000 FS: 00007fcc7ffff700(0000) GS:ffff880874800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc90008963690 CR3: 0000000836761000 CR4: 00000000001407e0 Call Trace: unlock_page+0x6d/0x70 generic_write_end+0x53/0xb0 xfs_vm_write_end+0x29/0x80 [xfs] generic_perform_write+0x10a/0x1e0 xfs_file_buffered_aio_write+0x14d/0x3e0 [xfs] xfs_file_write_iter+0x79/0x120 [xfs] __vfs_write+0xd4/0x110 vfs_write+0xac/0x1c0 SyS_write+0x58/0xd0 system_call_fastpath+0x12/0x76 Code: 5d c3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 45 f8 31 c0 48 8d 47 48 <48> 39 47 48 48 c7 45 e8 00 00 00 00 48 c7 45 f0 00 00 00 00 48 RIP [<ffffffff810dff80>] __wake_up_bit+0x20/0x70 RSP <ffff880017b97be8> CR2: ffffc90008963690 Reproduce method (re-add a node):: Hot-add nodeA --> remove nodeA --> hot-add nodeA (panic) This seems an use-after-free problem, and the root cause is zone->wait_table was not set to *NULL* after free it in try_offline_node. When hot re-add a node, we will reuse the pgdat of it, so does the zone struct, and when add pages to the target zone, it will init the zone first (including the wait_table) if the zone is not initialized. The judgement of zone initialized is based on zone->wait_table: static inline bool zone_is_initialized(struct zone *zone) { return !!zone->wait_table; } so if we do not set the zone->wait_table to *NULL* after free it, the memory hotplug routine will skip the init of new zone when hot re-add the node, and the wait_table still points to the freed memory, then we will access the invalid address when trying to wake up the waiting people after the i/o operation with the page is done, such as mentioned above. Signed-off-by: Gu Zheng <guz.fnst@cn.fujitsu.com> Reported-by: Taku Izumi <izumi.taku@jp.fujitsu.com> Reviewed by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com> Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: Tang Chen <tangchen@cn.fujitsu.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

[ Upstream commit 85bd839 ] Izumi found the following oops when hot re-adding a node: BUG: unable to handle kernel paging request at ffffc90008963690 IP: __wake_up_bit+0x20/0x70 Oops: 0000 [#1] SMP CPU: 68 PID: 1237 Comm: rs:main Q:Reg Not tainted 4.1.0-rc5 #80 Hardware name: FUJITSU PRIMEQUEST2800E/SB, BIOS PRIMEQUEST 2000 Series BIOS Version 1.87 04/28/2015 task: ffff880838df8000 ti: ffff880017b94000 task.ti: ffff880017b94000 RIP: 0010:[<ffffffff810dff80>] [<ffffffff810dff80>] __wake_up_bit+0x20/0x70 RSP: 0018:ffff880017b97be8 EFLAGS: 00010246 RAX: ffffc90008963690 RBX: 00000000003c0000 RCX: 000000000000a4c9 RDX: 0000000000000000 RSI: ffffea101bffd500 RDI: ffffc90008963648 RBP: ffff880017b97c08 R08: 0000000002000020 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a0797c73800 R13: ffffea101bffd500 R14: 0000000000000001 R15: 00000000003c0000 FS: 00007fcc7ffff700(0000) GS:ffff880874800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc90008963690 CR3: 0000000836761000 CR4: 00000000001407e0 Call Trace: unlock_page+0x6d/0x70 generic_write_end+0x53/0xb0 xfs_vm_write_end+0x29/0x80 [xfs] generic_perform_write+0x10a/0x1e0 xfs_file_buffered_aio_write+0x14d/0x3e0 [xfs] xfs_file_write_iter+0x79/0x120 [xfs] __vfs_write+0xd4/0x110 vfs_write+0xac/0x1c0 SyS_write+0x58/0xd0 system_call_fastpath+0x12/0x76 Code: 5d c3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 45 f8 31 c0 48 8d 47 48 <48> 39 47 48 48 c7 45 e8 00 00 00 00 48 c7 45 f0 00 00 00 00 48 RIP [<ffffffff810dff80>] __wake_up_bit+0x20/0x70 RSP <ffff880017b97be8> CR2: ffffc90008963690 Reproduce method (re-add a node):: Hot-add nodeA --> remove nodeA --> hot-add nodeA (panic) This seems an use-after-free problem, and the root cause is zone->wait_table was not set to *NULL* after free it in try_offline_node. When hot re-add a node, we will reuse the pgdat of it, so does the zone struct, and when add pages to the target zone, it will init the zone first (including the wait_table) if the zone is not initialized. The judgement of zone initialized is based on zone->wait_table: static inline bool zone_is_initialized(struct zone *zone) { return !!zone->wait_table; } so if we do not set the zone->wait_table to *NULL* after free it, the memory hotplug routine will skip the init of new zone when hot re-add the node, and the wait_table still points to the freed memory, then we will access the invalid address when trying to wake up the waiting people after the i/o operation with the page is done, such as mentioned above. Signed-off-by: Gu Zheng <guz.fnst@cn.fujitsu.com> Reported-by: Taku Izumi <izumi.taku@jp.fujitsu.com> Reviewed by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com> Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: Tang Chen <tangchen@cn.fujitsu.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

The path_max parameter determines the max size of buffers allocated but it should not be setable at run time. If can be used to cause an oops root@ubuntu:~# echo 16777216 > /sys/module/apparmor/parameters/path_max root@ubuntu:~# cat /sys/module/apparmor/parameters/path_max Killed [ 122.141911] BUG: unable to handle kernel paging request at ffff880080945fff [ 122.143497] IP: [<ffffffff81228844>] d_absolute_path+0x44/0xa0 [ 122.144742] PGD 220c067 PUD 0 [ 122.145453] Oops: 0002 [#1] SMP [ 122.146204] Modules linked in: vmw_vsock_vmci_transport vsock ppdev vmw_balloon snd_ens1371 btusb snd_ac97_codec gameport snd_rawmidi btrtl snd_seq_device ac97_bus btbcm btintel snd_pcm input_leds bluetooth snd_timer snd joydev soundcore serio_raw coretemp shpchp nfit parport_pc i2c_piix4 8250_fintek vmw_vmci parport mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd vmwgfx psmouse mptspi ttm mptscsih drm_kms_helper mptbase syscopyarea scsi_transport_spi sysfillrect [ 122.163365] ahci sysimgblt e1000 fb_sys_fops libahci drm pata_acpi fjes [ 122.164747] CPU: 3 PID: 1501 Comm: bash Not tainted 4.4.0-59-generic #80-Ubuntu [ 122.166250] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015 [ 122.168611] task: ffff88003496aa00 ti: ffff880076474000 task.ti: ffff880076474000 [ 122.170018] RIP: 0010:[<ffffffff81228844>] [<ffffffff81228844>] d_absolute_path+0x44/0xa0 [ 122.171525] RSP: 0018:ffff880076477b90 EFLAGS: 00010206 [ 122.172462] RAX: ffff880080945fff RBX: 0000000000000000 RCX: 0000000001000000 [ 122.173709] RDX: 0000000000ffffff RSI: ffff880080946000 RDI: ffff8800348a1010 [ 122.174978] RBP: ffff880076477bb8 R08: ffff880076477c80 R09: 0000000000000000 [ 122.176227] R10: 00007ffffffff000 R11: ffff88007f946000 R12: ffff88007f946000 [ 122.177496] R13: ffff880076477c80 R14: ffff8800348a1010 R15: ffff8800348a2400 [ 122.178745] FS: 00007fd459eb4700(0000) GS:ffff88007b6c0000(0000) knlGS:0000000000000000 [ 122.180176] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 122.181186] CR2: ffff880080945fff CR3: 0000000073422000 CR4: 00000000001406e0 [ 122.182469] Stack: [ 122.182843] 00ffffff00000001 ffff880080946000 0000000000000000 0000000000000000 [ 122.184409] 00000000570f789c ffff880076477c30 ffffffff81385671 ffff88007a2e7a58 [ 122.185810] 0000000000000000 ffff880076477c88 01000000008a1000 0000000000000000 [ 122.187231] Call Trace: [ 122.187680] [<ffffffff81385671>] aa_path_name+0x81/0x370 [ 122.188637] [<ffffffff813875dd>] profile_transition+0xbd/0xb80 [ 122.190181] [<ffffffff811af9bc>] ? zone_statistics+0x7c/0xa0 [ 122.191674] [<ffffffff81389b20>] apparmor_bprm_set_creds+0x9b0/0xac0 [ 122.193288] [<ffffffff812e1971>] ? ext4_xattr_get+0x81/0x220 [ 122.194793] [<ffffffff812e800c>] ? ext4_xattr_security_get+0x1c/0x30 [ 122.196392] [<ffffffff813449b9>] ? get_vfs_caps_from_disk+0x69/0x110 [ 122.198004] [<ffffffff81232d4f>] ? mnt_may_suid+0x3f/0x50 [ 122.199737] [<ffffffff81344b03>] ? cap_bprm_set_creds+0xa3/0x600 [ 122.201377] [<ffffffff81346e53>] security_bprm_set_creds+0x33/0x50 [ 122.203024] [<ffffffff81214ce5>] prepare_binprm+0x85/0x190 [ 122.204515] [<ffffffff81216545>] do_execveat_common.isra.33+0x485/0x710 [ 122.206200] [<ffffffff81216a6a>] SyS_execve+0x3a/0x50 [ 122.207615] [<ffffffff81838795>] stub_execve+0x5/0x5 [ 122.208978] [<ffffffff818384f2>] ? entry_SYSCALL_64_fastpath+0x16/0x71 [ 122.210615] Code: f8 31 c0 48 63 c2 83 ea 01 48 c7 45 e8 00 00 00 00 48 01 c6 85 d2 48 c7 45 f0 00 00 00 00 48 89 75 e0 89 55 dc 78 0c 48 8d 46 ff <c6> 46 ff 00 48 89 45 e0 48 8d 55 e0 48 8d 4d dc 48 8d 75 e8 e8 [ 122.217320] RIP [<ffffffff81228844>] d_absolute_path+0x44/0xa0 [ 122.218860] RSP <ffff880076477b90> [ 122.219919] CR2: ffff880080945fff [ 122.220936] ---[ end trace 506cdbd85eb6c55e ]--- Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>

syzkaller found another bug in DCCP/TCP stacks [1] For the reasons explained in commit ce10500 ("tcp/dccp: fix ireq->pktopts race"), we need to make sure we do not access ireq->opt unless we own the request sock. Note the opt field is renamed to ireq_opt to ease grep games. [1] BUG: KASAN: use-after-free in ip_queue_xmit+0x1687/0x18e0 net/ipv4/ip_output.c:474 Read of size 1 at addr ffff8801c951039c by task syz-executor5/3295 CPU: 1 PID: 3295 Comm: syz-executor5 Not tainted 4.14.0-rc4+ #80 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 print_address_description+0x73/0x250 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x25b/0x340 mm/kasan/report.c:409 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427 ip_queue_xmit+0x1687/0x18e0 net/ipv4/ip_output.c:474 tcp_transmit_skb+0x1ab7/0x3840 net/ipv4/tcp_output.c:1135 tcp_send_ack.part.37+0x3bb/0x650 net/ipv4/tcp_output.c:3587 tcp_send_ack+0x49/0x60 net/ipv4/tcp_output.c:3557 __tcp_ack_snd_check+0x2c6/0x4b0 net/ipv4/tcp_input.c:5072 tcp_ack_snd_check net/ipv4/tcp_input.c:5085 [inline] tcp_rcv_state_process+0x2eff/0x4850 net/ipv4/tcp_input.c:6071 tcp_child_process+0x342/0x990 net/ipv4/tcp_minisocks.c:816 tcp_v4_rcv+0x1827/0x2f80 net/ipv4/tcp_ipv4.c:1682 ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216 NF_HOOK include/linux/netfilter.h:249 [inline] ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257 dst_input include/net/dst.h:464 [inline] ip_rcv_finish+0x887/0x19a0 net/ipv4/ip_input.c:397 NF_HOOK include/linux/netfilter.h:249 [inline] ip_rcv+0xc3f/0x1820 net/ipv4/ip_input.c:493 __netif_receive_skb_core+0x1a3e/0x34b0 net/core/dev.c:4476 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4514 netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4587 netif_receive_skb+0xae/0x390 net/core/dev.c:4611 tun_rx_batched.isra.50+0x5ed/0x860 drivers/net/tun.c:1372 tun_get_user+0x249c/0x36d0 drivers/net/tun.c:1766 tun_chr_write_iter+0xbf/0x160 drivers/net/tun.c:1792 call_write_iter include/linux/fs.h:1770 [inline] new_sync_write fs/read_write.c:468 [inline] __vfs_write+0x68a/0x970 fs/read_write.c:481 vfs_write+0x18f/0x510 fs/read_write.c:543 SYSC_write fs/read_write.c:588 [inline] SyS_write+0xef/0x220 fs/read_write.c:580 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x40c341 RSP: 002b:00007f469523ec10 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 000000000040c341 RDX: 0000000000000037 RSI: 0000000020004000 RDI: 0000000000000015 RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000f4240 R11: 0000000000000293 R12: 00000000004b7fd1 R13: 00000000ffffffff R14: 0000000020000000 R15: 0000000000025000 Allocated by task 3295: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 __do_kmalloc mm/slab.c:3725 [inline] __kmalloc+0x162/0x760 mm/slab.c:3734 kmalloc include/linux/slab.h:498 [inline] tcp_v4_save_options include/net/tcp.h:1962 [inline] tcp_v4_init_req+0x2d3/0x3e0 net/ipv4/tcp_ipv4.c:1271 tcp_conn_request+0xf6d/0x3410 net/ipv4/tcp_input.c:6283 tcp_v4_conn_request+0x157/0x210 net/ipv4/tcp_ipv4.c:1313 tcp_rcv_state_process+0x8ea/0x4850 net/ipv4/tcp_input.c:5857 tcp_v4_do_rcv+0x55c/0x7d0 net/ipv4/tcp_ipv4.c:1482 tcp_v4_rcv+0x2d10/0x2f80 net/ipv4/tcp_ipv4.c:1711 ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216 NF_HOOK include/linux/netfilter.h:249 [inline] ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257 dst_input include/net/dst.h:464 [inline] ip_rcv_finish+0x887/0x19a0 net/ipv4/ip_input.c:397 NF_HOOK include/linux/netfilter.h:249 [inline] ip_rcv+0xc3f/0x1820 net/ipv4/ip_input.c:493 __netif_receive_skb_core+0x1a3e/0x34b0 net/core/dev.c:4476 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4514 netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4587 netif_receive_skb+0xae/0x390 net/core/dev.c:4611 tun_rx_batched.isra.50+0x5ed/0x860 drivers/net/tun.c:1372 tun_get_user+0x249c/0x36d0 drivers/net/tun.c:1766 tun_chr_write_iter+0xbf/0x160 drivers/net/tun.c:1792 call_write_iter include/linux/fs.h:1770 [inline] new_sync_write fs/read_write.c:468 [inline] __vfs_write+0x68a/0x970 fs/read_write.c:481 vfs_write+0x18f/0x510 fs/read_write.c:543 SYSC_write fs/read_write.c:588 [inline] SyS_write+0xef/0x220 fs/read_write.c:580 entry_SYSCALL_64_fastpath+0x1f/0xbe Freed by task 3306: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3503 [inline] kfree+0xca/0x250 mm/slab.c:3820 inet_sock_destruct+0x59d/0x950 net/ipv4/af_inet.c:157 __sk_destruct+0xfd/0x910 net/core/sock.c:1560 sk_destruct+0x47/0x80 net/core/sock.c:1595 __sk_free+0x57/0x230 net/core/sock.c:1603 sk_free+0x2a/0x40 net/core/sock.c:1614 sock_put include/net/sock.h:1652 [inline] inet_csk_complete_hashdance+0xd5/0xf0 net/ipv4/inet_connection_sock.c:959 tcp_check_req+0xf4d/0x1620 net/ipv4/tcp_minisocks.c:765 tcp_v4_rcv+0x17f6/0x2f80 net/ipv4/tcp_ipv4.c:1675 ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216 NF_HOOK include/linux/netfilter.h:249 [inline] ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257 dst_input include/net/dst.h:464 [inline] ip_rcv_finish+0x887/0x19a0 net/ipv4/ip_input.c:397 NF_HOOK include/linux/netfilter.h:249 [inline] ip_rcv+0xc3f/0x1820 net/ipv4/ip_input.c:493 __netif_receive_skb_core+0x1a3e/0x34b0 net/core/dev.c:4476 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4514 netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4587 netif_receive_skb+0xae/0x390 net/core/dev.c:4611 tun_rx_batched.isra.50+0x5ed/0x860 drivers/net/tun.c:1372 tun_get_user+0x249c/0x36d0 drivers/net/tun.c:1766 tun_chr_write_iter+0xbf/0x160 drivers/net/tun.c:1792 call_write_iter include/linux/fs.h:1770 [inline] new_sync_write fs/read_write.c:468 [inline] __vfs_write+0x68a/0x970 fs/read_write.c:481 vfs_write+0x18f/0x510 fs/read_write.c:543 SYSC_write fs/read_write.c:588 [inline] SyS_write+0xef/0x220 fs/read_write.c:580 entry_SYSCALL_64_fastpath+0x1f/0xbe Fixes: e994b2f ("tcp: do not lock listener to process SYN packets") Fixes: 079096f ("tcp/dccp: install syn_recv requests into ehash table") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>

[ Upstream commit 622f6e3 ] The path_max parameter determines the max size of buffers allocated but it should not be setable at run time. If can be used to cause an oops root@ubuntu:~# echo 16777216 > /sys/module/apparmor/parameters/path_max root@ubuntu:~# cat /sys/module/apparmor/parameters/path_max Killed [ 122.141911] BUG: unable to handle kernel paging request at ffff880080945fff [ 122.143497] IP: [<ffffffff81228844>] d_absolute_path+0x44/0xa0 [ 122.144742] PGD 220c067 PUD 0 [ 122.145453] Oops: 0002 [#1] SMP [ 122.146204] Modules linked in: vmw_vsock_vmci_transport vsock ppdev vmw_balloon snd_ens1371 btusb snd_ac97_codec gameport snd_rawmidi btrtl snd_seq_device ac97_bus btbcm btintel snd_pcm input_leds bluetooth snd_timer snd joydev soundcore serio_raw coretemp shpchp nfit parport_pc i2c_piix4 8250_fintek vmw_vmci parport mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd vmwgfx psmouse mptspi ttm mptscsih drm_kms_helper mptbase syscopyarea scsi_transport_spi sysfillrect [ 122.163365] ahci sysimgblt e1000 fb_sys_fops libahci drm pata_acpi fjes [ 122.164747] CPU: 3 PID: 1501 Comm: bash Not tainted 4.4.0-59-generic #80-Ubuntu [ 122.166250] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015 [ 122.168611] task: ffff88003496aa00 ti: ffff880076474000 task.ti: ffff880076474000 [ 122.170018] RIP: 0010:[<ffffffff81228844>] [<ffffffff81228844>] d_absolute_path+0x44/0xa0 [ 122.171525] RSP: 0018:ffff880076477b90 EFLAGS: 00010206 [ 122.172462] RAX: ffff880080945fff RBX: 0000000000000000 RCX: 0000000001000000 [ 122.173709] RDX: 0000000000ffffff RSI: ffff880080946000 RDI: ffff8800348a1010 [ 122.174978] RBP: ffff880076477bb8 R08: ffff880076477c80 R09: 0000000000000000 [ 122.176227] R10: 00007ffffffff000 R11: ffff88007f946000 R12: ffff88007f946000 [ 122.177496] R13: ffff880076477c80 R14: ffff8800348a1010 R15: ffff8800348a2400 [ 122.178745] FS: 00007fd459eb4700(0000) GS:ffff88007b6c0000(0000) knlGS:0000000000000000 [ 122.180176] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 122.181186] CR2: ffff880080945fff CR3: 0000000073422000 CR4: 00000000001406e0 [ 122.182469] Stack: [ 122.182843] 00ffffff00000001 ffff880080946000 0000000000000000 0000000000000000 [ 122.184409] 00000000570f789c ffff880076477c30 ffffffff81385671 ffff88007a2e7a58 [ 122.185810] 0000000000000000 ffff880076477c88 01000000008a1000 0000000000000000 [ 122.187231] Call Trace: [ 122.187680] [<ffffffff81385671>] aa_path_name+0x81/0x370 [ 122.188637] [<ffffffff813875dd>] profile_transition+0xbd/0xb80 [ 122.190181] [<ffffffff811af9bc>] ? zone_statistics+0x7c/0xa0 [ 122.191674] [<ffffffff81389b20>] apparmor_bprm_set_creds+0x9b0/0xac0 [ 122.193288] [<ffffffff812e1971>] ? ext4_xattr_get+0x81/0x220 [ 122.194793] [<ffffffff812e800c>] ? ext4_xattr_security_get+0x1c/0x30 [ 122.196392] [<ffffffff813449b9>] ? get_vfs_caps_from_disk+0x69/0x110 [ 122.198004] [<ffffffff81232d4f>] ? mnt_may_suid+0x3f/0x50 [ 122.199737] [<ffffffff81344b03>] ? cap_bprm_set_creds+0xa3/0x600 [ 122.201377] [<ffffffff81346e53>] security_bprm_set_creds+0x33/0x50 [ 122.203024] [<ffffffff81214ce5>] prepare_binprm+0x85/0x190 [ 122.204515] [<ffffffff81216545>] do_execveat_common.isra.33+0x485/0x710 [ 122.206200] [<ffffffff81216a6a>] SyS_execve+0x3a/0x50 [ 122.207615] [<ffffffff81838795>] stub_execve+0x5/0x5 [ 122.208978] [<ffffffff818384f2>] ? entry_SYSCALL_64_fastpath+0x16/0x71 [ 122.210615] Code: f8 31 c0 48 63 c2 83 ea 01 48 c7 45 e8 00 00 00 00 48 01 c6 85 d2 48 c7 45 f0 00 00 00 00 48 89 75 e0 89 55 dc 78 0c 48 8d 46 ff <c6> 46 ff 00 48 89 45 e0 48 8d 55 e0 48 8d 4d dc 48 8d 75 e8 e8 [ 122.217320] RIP [<ffffffff81228844>] d_absolute_path+0x44/0xa0 [ 122.218860] RSP <ffff880076477b90> [ 122.219919] CR2: ffff880080945fff [ 122.220936] ---[ end trace 506cdbd85eb6c55e ]--- Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Trivial fix to remove the following sparse warnings: arch/powerpc/kernel/module_32.c:112:74: warning: Using plain integer as NULL pointer arch/powerpc/kernel/module_32.c:117:74: warning: Using plain integer as NULL pointer drivers/macintosh/via-pmu.c:1155:28: warning: Using plain integer as NULL pointer drivers/macintosh/via-pmu.c:1230:20: warning: Using plain integer as NULL pointer drivers/macintosh/via-pmu.c:1385:36: warning: Using plain integer as NULL pointer drivers/macintosh/via-pmu.c:1752:23: warning: Using plain integer as NULL pointer drivers/macintosh/via-pmu.c:2084:19: warning: Using plain integer as NULL pointer drivers/macintosh/via-pmu.c:2110:32: warning: Using plain integer as NULL pointer drivers/macintosh/via-pmu.c:2167:19: warning: Using plain integer as NULL pointer drivers/macintosh/via-pmu.c:2183:19: warning: Using plain integer as NULL pointer drivers/macintosh/via-pmu.c:277:20: warning: Using plain integer as NULL pointer arch/powerpc/platforms/powermac/setup.c:155:67: warning: Using plain integer as NULL pointer arch/powerpc/platforms/powermac/setup.c:247:27: warning: Using plain integer as NULL pointer arch/powerpc/platforms/powermac/setup.c:249:27: warning: Using plain integer as NULL pointer arch/powerpc/platforms/powermac/setup.c:252:37: warning: Using plain integer as NULL pointer arch/powerpc/mm/tlb_hash32.c:127:21: warning: Using plain integer as NULL pointer arch/powerpc/mm/tlb_hash32.c:148:21: warning: Using plain integer as NULL pointer arch/powerpc/mm/tlb_hash32.c:44:21: warning: Using plain integer as NULL pointer arch/powerpc/mm/tlb_hash32.c:57:21: warning: Using plain integer as NULL pointer arch/powerpc/mm/tlb_hash32.c:87:21: warning: Using plain integer as NULL pointer arch/powerpc/kernel/btext.c:160:31: warning: Using plain integer as NULL pointer arch/powerpc/kernel/btext.c:167:22: warning: Using plain integer as NULL pointer arch/powerpc/kernel/btext.c:274:21: warning: Using plain integer as NULL pointer arch/powerpc/kernel/btext.c:285:31: warning: Using plain integer as NULL pointer arch/powerpc/include/asm/hugetlb.h:204:16: warning: Using plain integer as NULL pointer arch/powerpc/mm/ppc_mmu_32.c:170:21: warning: Using plain integer as NULL pointer arch/powerpc/platforms/powermac/pci.c:1227:23: warning: Using plain integer as NULL pointer arch/powerpc/platforms/powermac/pci.c:65:24: warning: Using plain integer as NULL pointer Also use `--fix` command line option from `script/checkpatch --strict` to remove the following: CHECK: Comparison to NULL could be written "!dispDeviceBase" #72: FILE: arch/powerpc/kernel/btext.c:160: + if (dispDeviceBase == NULL) CHECK: Comparison to NULL could be written "!vbase" #80: FILE: arch/powerpc/kernel/btext.c:167: + if (vbase == NULL) CHECK: Comparison to NULL could be written "!base" #89: FILE: arch/powerpc/kernel/btext.c:274: + if (base == NULL) CHECK: Comparison to NULL could be written "!dispDeviceBase" #98: FILE: arch/powerpc/kernel/btext.c:285: + if (dispDeviceBase == NULL) CHECK: Comparison to NULL could be written "strstr" #117: FILE: arch/powerpc/kernel/module_32.c:117: + if (strstr(secstrings + sechdrs[i].sh_name, ".debug") != NULL) CHECK: Comparison to NULL could be written "!Hash" #130: FILE: arch/powerpc/mm/ppc_mmu_32.c:170: + if (Hash == NULL) CHECK: Comparison to NULL could be written "Hash" #143: FILE: arch/powerpc/mm/tlb_hash32.c:44: + if (Hash != NULL) { CHECK: Comparison to NULL could be written "!Hash" #152: FILE: arch/powerpc/mm/tlb_hash32.c:57: + if (Hash == NULL) { CHECK: Comparison to NULL could be written "!Hash" #161: FILE: arch/powerpc/mm/tlb_hash32.c:87: + if (Hash == NULL) { CHECK: Comparison to NULL could be written "!Hash" #170: FILE: arch/powerpc/mm/tlb_hash32.c:127: + if (Hash == NULL) { CHECK: Comparison to NULL could be written "!Hash" #179: FILE: arch/powerpc/mm/tlb_hash32.c:148: + if (Hash == NULL) { ERROR: space required after that ';' (ctx:VxV) #192: FILE: arch/powerpc/platforms/powermac/pci.c:65: + for (; node != NULL;node = node->sibling) { CHECK: Comparison to NULL could be written "node" #192: FILE: arch/powerpc/platforms/powermac/pci.c:65: + for (; node != NULL;node = node->sibling) { CHECK: Comparison to NULL could be written "!region" #201: FILE: arch/powerpc/platforms/powermac/pci.c:1227: + if (region == NULL) CHECK: Comparison to NULL could be written "of_get_property" #214: FILE: arch/powerpc/platforms/powermac/setup.c:155: + if (of_get_property(np, "cache-unified", NULL) != NULL && dc) { CHECK: Comparison to NULL could be written "!np" #223: FILE: arch/powerpc/platforms/powermac/setup.c:247: + if (np == NULL) CHECK: Comparison to NULL could be written "np" #226: FILE: arch/powerpc/platforms/powermac/setup.c:249: + if (np != NULL) { CHECK: Comparison to NULL could be written "l2cr" #230: FILE: arch/powerpc/platforms/powermac/setup.c:252: + if (l2cr != NULL) { CHECK: Comparison to NULL could be written "via" #243: FILE: drivers/macintosh/via-pmu.c:277: + if (via != NULL) CHECK: Comparison to NULL could be written "current_req" #252: FILE: drivers/macintosh/via-pmu.c:1155: + if (current_req != NULL) { CHECK: Comparison to NULL could be written "!req" #261: FILE: drivers/macintosh/via-pmu.c:1230: + if (req == NULL || pmu_state != idle CHECK: Comparison to NULL could be written "!req" #270: FILE: drivers/macintosh/via-pmu.c:1385: + if (req == NULL) { CHECK: Comparison to NULL could be written "!pp" #288: FILE: drivers/macintosh/via-pmu.c:2084: + if (pp == NULL) CHECK: Comparison to NULL could be written "!pp" #297: FILE: drivers/macintosh/via-pmu.c:2110: + if (count < 1 || pp == NULL) CHECK: Comparison to NULL could be written "!pp" #306: FILE: drivers/macintosh/via-pmu.c:2167: + if (pp == NULL) CHECK: Comparison to NULL could be written "pp" torvalds#315: FILE: drivers/macintosh/via-pmu.c:2183: + if (pp != NULL) { Link: https://github.com/linuxppc/linux/issues/37 Signed-off-by: Mathieu Malaterre <malat@debian.org> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>

The SSIF driver was removing any client that came in through the platform interface, but it should only remove clients that it added. On a failure in the probe function, this could result in the following oops when the driver is removed and the client gets unregistered twice: CPU: 107 PID: 30266 Comm: rmmod Not tainted 4.18.0+ #80 Hardware name: Cavium Inc. Saber/Saber, BIOS Cavium reference firmware version 7.0 08/04/2018 pstate: 60400009 (nZCv daif +PAN -UAO) pc : kernfs_find_ns+0x28/0x120 lr : kernfs_find_and_get_ns+0x40/0x60 sp : ffff00002310fb50 x29: ffff00002310fb50 x28: ffff800a8240f800 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000056000000 x24: ffff000009073000 x23: ffff000008998b38 x22: 0000000000000000 x21: ffff800ed86de820 x20: 0000000000000000 x19: ffff00000913a1d8 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 5300737265766972 x13: 643d4d4554535953 x12: 0000000000000030 x11: 0000000000000030 x10: 0101010101010101 x9 : ffff800ea06cc3f9 x8 : 0000000000000000 x7 : 0000000000000141 x6 : ffff000009073000 x5 : ffff800adb706b00 x4 : 0000000000000000 x3 : 00000000ffffffff x2 : 0000000000000000 x1 : ffff000008998b38 x0 : ffff000008356760 Process rmmod (pid: 30266, stack limit = 0x00000000e218418d) Call trace: kernfs_find_ns+0x28/0x120 kernfs_find_and_get_ns+0x40/0x60 sysfs_unmerge_group+0x2c/0x6c dpm_sysfs_remove+0x34/0x70 device_del+0x58/0x30c device_unregister+0x30/0x7c i2c_unregister_device+0x84/0x90 [i2c_core] ssif_platform_remove+0x38/0x98 [ipmi_ssif] platform_drv_remove+0x2c/0x6c device_release_driver_internal+0x168/0x1f8 driver_detach+0x50/0xbc bus_remove_driver+0x74/0xe8 driver_unregister+0x34/0x5c platform_driver_unregister+0x20/0x2c cleanup_ipmi_ssif+0x50/0xd82c [ipmi_ssif] __arm64_sys_delete_module+0x1b4/0x220 el0_svc_handler+0x104/0x160 el0_svc+0x8/0xc Code: aa1e03e0 aa0203f6 aa0103f7 d503201f (7940e280) ---[ end trace 09f0e34cce8e2d8c ]--- Kernel panic - not syncing: Fatal exception SMP: stopping secondary CPUs Kernel Offset: disabled CPU features: 0x23800c38 So track the clients that the SSIF driver adds and only remove those. Reported-by: George Cherian <george.cherian@cavium.com> Signed-off-by: Corey Minyard <cminyard@mvista.com> Tested-by: George Cherian <george.cherian@cavium.com> Cc: <stable@vger.kernel.org> # 4.14.x

commit 0745dde upstream. The SSIF driver was removing any client that came in through the platform interface, but it should only remove clients that it added. On a failure in the probe function, this could result in the following oops when the driver is removed and the client gets unregistered twice: CPU: 107 PID: 30266 Comm: rmmod Not tainted 4.18.0+ linux-sunxi#80 Hardware name: Cavium Inc. Saber/Saber, BIOS Cavium reference firmware version 7.0 08/04/2018 pstate: 60400009 (nZCv daif +PAN -UAO) pc : kernfs_find_ns+0x28/0x120 lr : kernfs_find_and_get_ns+0x40/0x60 sp : ffff00002310fb50 x29: ffff00002310fb50 x28: ffff800a8240f800 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000056000000 x24: ffff000009073000 x23: ffff000008998b38 x22: 0000000000000000 x21: ffff800ed86de820 x20: 0000000000000000 x19: ffff00000913a1d8 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 5300737265766972 x13: 643d4d4554535953 x12: 0000000000000030 x11: 0000000000000030 x10: 0101010101010101 x9 : ffff800ea06cc3f9 x8 : 0000000000000000 x7 : 0000000000000141 x6 : ffff000009073000 x5 : ffff800adb706b00 x4 : 0000000000000000 x3 : 00000000ffffffff x2 : 0000000000000000 x1 : ffff000008998b38 x0 : ffff000008356760 Process rmmod (pid: 30266, stack limit = 0x00000000e218418d) Call trace: kernfs_find_ns+0x28/0x120 kernfs_find_and_get_ns+0x40/0x60 sysfs_unmerge_group+0x2c/0x6c dpm_sysfs_remove+0x34/0x70 device_del+0x58/0x30c device_unregister+0x30/0x7c i2c_unregister_device+0x84/0x90 [i2c_core] ssif_platform_remove+0x38/0x98 [ipmi_ssif] platform_drv_remove+0x2c/0x6c device_release_driver_internal+0x168/0x1f8 driver_detach+0x50/0xbc bus_remove_driver+0x74/0xe8 driver_unregister+0x34/0x5c platform_driver_unregister+0x20/0x2c cleanup_ipmi_ssif+0x50/0xd82c [ipmi_ssif] __arm64_sys_delete_module+0x1b4/0x220 el0_svc_handler+0x104/0x160 el0_svc+0x8/0xc Code: aa1e03e0 aa0203f6 aa0103f7 d503201f (7940e280) ---[ end trace 09f0e34cce8e2d8c ]--- Kernel panic - not syncing: Fatal exception SMP: stopping secondary CPUs Kernel Offset: disabled CPU features: 0x23800c38 So track the clients that the SSIF driver adds and only remove those. Reported-by: George Cherian <george.cherian@cavium.com> Signed-off-by: Corey Minyard <cminyard@mvista.com> Tested-by: George Cherian <george.cherian@cavium.com> Cc: <stable@vger.kernel.org> # 4.14.x Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Improve the prologue code sequence to be able to take advantage of 64-bit stores, changing the code from: push {r4, r5, r6, r7, r8, r9, fp, lr} mov fp, sp sub ip, sp, #80 ; 0x50 sub sp, sp, torvalds#600 ; 0x258 str ip, [fp, #-100] ; 0xffffff9c mov r6, #0 str r6, [fp, #-96] ; 0xffffffa0 mov r4, #0 mov r3, r4 mov r2, r0 str r4, [fp, #-104] ; 0xffffff98 str r4, [fp, #-108] ; 0xffffff94 to the tighter: push {r4, r5, r6, r7, r8, r9, fp, lr} mov fp, sp mov r3, #0 sub r2, sp, #80 ; 0x50 sub sp, sp, torvalds#600 ; 0x258 strd r2, [fp, #-100] ; 0xffffff9c mov r2, #0 strd r2, [fp, #-108] ; 0xffffff94 mov r2, r0 resulting in a saving of three instructions. Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/E1ieH2g-0004ih-Rb@rmk-PC.armlinux.org.uk

syzkaller found its way into setsockopt with TCP_CONGESTION "cdg". tcp_cdg_init() does a kcalloc to store the gradients. As sk_clone_lock just copies all the memory, the allocated pointer will be copied as well, if the app called setsockopt(..., TCP_CONGESTION) on the listener. If now the socket will be destroyed before the congestion-control has properly been initialized (through a call to tcp_init_transfer), we will end up freeing memory that does not belong to that particular socket, opening the door to a double-free: [ 11.413102] ================================================================== [ 11.414181] BUG: KASAN: double-free or invalid-free in tcp_cleanup_congestion_control+0x58/0xd0 [ 11.415329] [ 11.415560] CPU: 3 PID: 4884 Comm: syz-executor.5 Not tainted 5.8.0-rc2 linux-sunxi#80 [ 11.416544] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 11.418148] Call Trace: [ 11.418534] <IRQ> [ 11.418834] dump_stack+0x7d/0xb0 [ 11.419297] print_address_description.constprop.0+0x1a/0x210 [ 11.422079] kasan_report_invalid_free+0x51/0x80 [ 11.423433] __kasan_slab_free+0x15e/0x170 [ 11.424761] kfree+0x8c/0x230 [ 11.425157] tcp_cleanup_congestion_control+0x58/0xd0 [ 11.425872] tcp_v4_destroy_sock+0x57/0x5a0 [ 11.426493] inet_csk_destroy_sock+0x153/0x2c0 [ 11.427093] tcp_v4_syn_recv_sock+0xb29/0x1100 [ 11.427731] tcp_get_cookie_sock+0xc3/0x4a0 [ 11.429457] cookie_v4_check+0x13d0/0x2500 [ 11.433189] tcp_v4_do_rcv+0x60e/0x780 [ 11.433727] tcp_v4_rcv+0x2869/0x2e10 [ 11.437143] ip_protocol_deliver_rcu+0x23/0x190 [ 11.437810] ip_local_deliver+0x294/0x350 [ 11.439566] __netif_receive_skb_one_core+0x15d/0x1a0 [ 11.441995] process_backlog+0x1b1/0x6b0 [ 11.443148] net_rx_action+0x37e/0xc40 [ 11.445361] __do_softirq+0x18c/0x61a [ 11.445881] asm_call_on_stack+0x12/0x20 [ 11.446409] </IRQ> [ 11.446716] do_softirq_own_stack+0x34/0x40 [ 11.447259] do_softirq.part.0+0x26/0x30 [ 11.447827] __local_bh_enable_ip+0x46/0x50 [ 11.448406] ip_finish_output2+0x60f/0x1bc0 [ 11.450109] __ip_queue_xmit+0x71c/0x1b60 [ 11.451861] __tcp_transmit_skb+0x1727/0x3bb0 [ 11.453789] tcp_rcv_state_process+0x3070/0x4d3a [ 11.456810] tcp_v4_do_rcv+0x2ad/0x780 [ 11.457995] __release_sock+0x14b/0x2c0 [ 11.458529] release_sock+0x4a/0x170 [ 11.459005] __inet_stream_connect+0x467/0xc80 [ 11.461435] inet_stream_connect+0x4e/0xa0 [ 11.462043] __sys_connect+0x204/0x270 [ 11.465515] __x64_sys_connect+0x6a/0xb0 [ 11.466088] do_syscall_64+0x3e/0x70 [ 11.466617] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 11.467341] RIP: 0033:0x7f56046dc469 [ 11.467844] Code: Bad RIP value. [ 11.468282] RSP: 002b:00007f5604dccdd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 11.469326] RAX: ffffffffffffffda RBX: 000000000068bf00 RCX: 00007f56046dc469 [ 11.470379] RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000004 [ 11.471311] RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000000 [ 11.472286] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 11.473341] R13: 000000000041427c R14: 00007f5604dcd5c0 R15: 0000000000000003 [ 11.474321] [ 11.474527] Allocated by task 4884: [ 11.475031] save_stack+0x1b/0x40 [ 11.475548] __kasan_kmalloc.constprop.0+0xc2/0xd0 [ 11.476182] tcp_cdg_init+0xf0/0x150 [ 11.476744] tcp_init_congestion_control+0x9b/0x3a0 [ 11.477435] tcp_set_congestion_control+0x270/0x32f [ 11.478088] do_tcp_setsockopt.isra.0+0x521/0x1a00 [ 11.478744] __sys_setsockopt+0xff/0x1e0 [ 11.479259] __x64_sys_setsockopt+0xb5/0x150 [ 11.479895] do_syscall_64+0x3e/0x70 [ 11.480395] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 11.481097] [ 11.481321] Freed by task 4872: [ 11.481783] save_stack+0x1b/0x40 [ 11.482230] __kasan_slab_free+0x12c/0x170 [ 11.482839] kfree+0x8c/0x230 [ 11.483240] tcp_cleanup_congestion_control+0x58/0xd0 [ 11.483948] tcp_v4_destroy_sock+0x57/0x5a0 [ 11.484502] inet_csk_destroy_sock+0x153/0x2c0 [ 11.485144] tcp_close+0x932/0xfe0 [ 11.485642] inet_release+0xc1/0x1c0 [ 11.486131] __sock_release+0xc0/0x270 [ 11.486697] sock_close+0xc/0x10 [ 11.487145] __fput+0x277/0x780 [ 11.487632] task_work_run+0xeb/0x180 [ 11.488118] __prepare_exit_to_usermode+0x15a/0x160 [ 11.488834] do_syscall_64+0x4a/0x70 [ 11.489326] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Wei Wang fixed a part of these CDG-malloc issues with commit c120144 ("tcp: memset ca_priv data to 0 properly"). This patch here fixes the listener-scenario: We make sure that listeners setting the congestion-control through setsockopt won't initialize it (thus CDG never allocates on listeners). For those who use AF_UNSPEC to reuse a socket, tcp_disconnect() is changed to cleanup afterwards. (The issue can be reproduced at least down to v4.4.x.) Cc: Wei Wang <weiwan@google.com> Cc: Eric Dumazet <edumazet@google.com> Fixes: 2b0a8c9 ("tcp: add CDG congestion control") Signed-off-by: Christoph Paasch <cpaasch@apple.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>

[ Upstream commit ce69e56 ] syzkaller found its way into setsockopt with TCP_CONGESTION "cdg". tcp_cdg_init() does a kcalloc to store the gradients. As sk_clone_lock just copies all the memory, the allocated pointer will be copied as well, if the app called setsockopt(..., TCP_CONGESTION) on the listener. If now the socket will be destroyed before the congestion-control has properly been initialized (through a call to tcp_init_transfer), we will end up freeing memory that does not belong to that particular socket, opening the door to a double-free: [ 11.413102] ================================================================== [ 11.414181] BUG: KASAN: double-free or invalid-free in tcp_cleanup_congestion_control+0x58/0xd0 [ 11.415329] [ 11.415560] CPU: 3 PID: 4884 Comm: syz-executor.5 Not tainted 5.8.0-rc2 linux-sunxi#80 [ 11.416544] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 11.418148] Call Trace: [ 11.418534] <IRQ> [ 11.418834] dump_stack+0x7d/0xb0 [ 11.419297] print_address_description.constprop.0+0x1a/0x210 [ 11.422079] kasan_report_invalid_free+0x51/0x80 [ 11.423433] __kasan_slab_free+0x15e/0x170 [ 11.424761] kfree+0x8c/0x230 [ 11.425157] tcp_cleanup_congestion_control+0x58/0xd0 [ 11.425872] tcp_v4_destroy_sock+0x57/0x5a0 [ 11.426493] inet_csk_destroy_sock+0x153/0x2c0 [ 11.427093] tcp_v4_syn_recv_sock+0xb29/0x1100 [ 11.427731] tcp_get_cookie_sock+0xc3/0x4a0 [ 11.429457] cookie_v4_check+0x13d0/0x2500 [ 11.433189] tcp_v4_do_rcv+0x60e/0x780 [ 11.433727] tcp_v4_rcv+0x2869/0x2e10 [ 11.437143] ip_protocol_deliver_rcu+0x23/0x190 [ 11.437810] ip_local_deliver+0x294/0x350 [ 11.439566] __netif_receive_skb_one_core+0x15d/0x1a0 [ 11.441995] process_backlog+0x1b1/0x6b0 [ 11.443148] net_rx_action+0x37e/0xc40 [ 11.445361] __do_softirq+0x18c/0x61a [ 11.445881] asm_call_on_stack+0x12/0x20 [ 11.446409] </IRQ> [ 11.446716] do_softirq_own_stack+0x34/0x40 [ 11.447259] do_softirq.part.0+0x26/0x30 [ 11.447827] __local_bh_enable_ip+0x46/0x50 [ 11.448406] ip_finish_output2+0x60f/0x1bc0 [ 11.450109] __ip_queue_xmit+0x71c/0x1b60 [ 11.451861] __tcp_transmit_skb+0x1727/0x3bb0 [ 11.453789] tcp_rcv_state_process+0x3070/0x4d3a [ 11.456810] tcp_v4_do_rcv+0x2ad/0x780 [ 11.457995] __release_sock+0x14b/0x2c0 [ 11.458529] release_sock+0x4a/0x170 [ 11.459005] __inet_stream_connect+0x467/0xc80 [ 11.461435] inet_stream_connect+0x4e/0xa0 [ 11.462043] __sys_connect+0x204/0x270 [ 11.465515] __x64_sys_connect+0x6a/0xb0 [ 11.466088] do_syscall_64+0x3e/0x70 [ 11.466617] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 11.467341] RIP: 0033:0x7f56046dc469 [ 11.467844] Code: Bad RIP value. [ 11.468282] RSP: 002b:00007f5604dccdd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 11.469326] RAX: ffffffffffffffda RBX: 000000000068bf00 RCX: 00007f56046dc469 [ 11.470379] RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000004 [ 11.471311] RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000000 [ 11.472286] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 11.473341] R13: 000000000041427c R14: 00007f5604dcd5c0 R15: 0000000000000003 [ 11.474321] [ 11.474527] Allocated by task 4884: [ 11.475031] save_stack+0x1b/0x40 [ 11.475548] __kasan_kmalloc.constprop.0+0xc2/0xd0 [ 11.476182] tcp_cdg_init+0xf0/0x150 [ 11.476744] tcp_init_congestion_control+0x9b/0x3a0 [ 11.477435] tcp_set_congestion_control+0x270/0x32f [ 11.478088] do_tcp_setsockopt.isra.0+0x521/0x1a00 [ 11.478744] __sys_setsockopt+0xff/0x1e0 [ 11.479259] __x64_sys_setsockopt+0xb5/0x150 [ 11.479895] do_syscall_64+0x3e/0x70 [ 11.480395] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 11.481097] [ 11.481321] Freed by task 4872: [ 11.481783] save_stack+0x1b/0x40 [ 11.482230] __kasan_slab_free+0x12c/0x170 [ 11.482839] kfree+0x8c/0x230 [ 11.483240] tcp_cleanup_congestion_control+0x58/0xd0 [ 11.483948] tcp_v4_destroy_sock+0x57/0x5a0 [ 11.484502] inet_csk_destroy_sock+0x153/0x2c0 [ 11.485144] tcp_close+0x932/0xfe0 [ 11.485642] inet_release+0xc1/0x1c0 [ 11.486131] __sock_release+0xc0/0x270 [ 11.486697] sock_close+0xc/0x10 [ 11.487145] __fput+0x277/0x780 [ 11.487632] task_work_run+0xeb/0x180 [ 11.488118] __prepare_exit_to_usermode+0x15a/0x160 [ 11.488834] do_syscall_64+0x4a/0x70 [ 11.489326] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Wei Wang fixed a part of these CDG-malloc issues with commit c120144 ("tcp: memset ca_priv data to 0 properly"). This patch here fixes the listener-scenario: We make sure that listeners setting the congestion-control through setsockopt won't initialize it (thus CDG never allocates on listeners). For those who use AF_UNSPEC to reuse a socket, tcp_disconnect() is changed to cleanup afterwards. (The issue can be reproduced at least down to v4.4.x.) Cc: Wei Wang <weiwan@google.com> Cc: Eric Dumazet <edumazet@google.com> Fixes: 2b0a8c9 ("tcp: add CDG congestion control") Signed-off-by: Christoph Paasch <cpaasch@apple.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 3fed9e5 ] If a compat process tries to execute an unknown system call above the __ARM_NR_COMPAT_END number, the kernel sends a SIGILL signal to the offending process. Information about the error is printed to dmesg in compat_arm_syscall() -> arm64_notify_die() -> arm64_force_sig_fault() -> arm64_show_signal(). arm64_show_signal() interprets a non-zero value for current->thread.fault_code as an exception syndrome and displays the message associated with the ESR_ELx.EC field (bits 31:26). current->thread.fault_code is set in compat_arm_syscall() -> arm64_notify_die() with the bad syscall number instead of a valid ESR_ELx value. This means that the ESR_ELx.EC field has the value that the user set for the syscall number and the kernel can end up printing bogus exception messages*. For example, for the syscall number 0x68000000, which evaluates to ESR_ELx.EC value of 0x1A (ESR_ELx_EC_FPAC) the kernel prints this error: [ 18.349161] syscall[300]: unhandled exception: ERET/ERETAA/ERETAB, ESR 0x68000000, Oops - bad compat syscall(2) in syscall[10000+50000] [ 18.350639] CPU: 2 PID: 300 Comm: syscall Not tainted 5.18.0-rc1 linux-sunxi#79 [ 18.351249] Hardware name: Pine64 RockPro64 v2.0 (DT) [..] which is misleading, as the bad compat syscall has nothing to do with pointer authentication. Stop arm64_show_signal() from printing exception syndrome information by having compat_arm_syscall() set the ESR_ELx value to 0, as it has no meaning for an invalid system call number. The example above now becomes: [ 19.935275] syscall[301]: unhandled exception: Oops - bad compat syscall(2) in syscall[10000+50000] [ 19.936124] CPU: 1 PID: 301 Comm: syscall Not tainted 5.18.0-rc1-00005-g7e08006d4102 linux-sunxi#80 [ 19.936894] Hardware name: Pine64 RockPro64 v2.0 (DT) [..] which although shows less information because the syscall number, wrongfully advertised as the ESR value, is missing, it is better than showing plainly wrong information. The syscall number can be easily obtained with strace. *A 32-bit value above or equal to 0x8000_0000 is interpreted as a negative integer in compat_arm_syscal() and the condition scno < __ARM_NR_COMPAT_END evaluates to true; the syscall will exit to userspace in this case with the ENOSYS error code instead of arm64_notify_die() being called. Signed-off-by: Alexandru Elisei <alexandru.elisei@arm.com> Reviewed-by: Marc Zyngier <maz@kernel.org> Link: https://lore.kernel.org/r/20220425114444.368693-3-alexandru.elisei@arm.com Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Sasha Levin <sashal@kernel.org>

As interrupts are Level-triggered,unless and until we deassert the register the interrupts are generated which causes spurious interrupts unhandled. Now we deasserted the interrupt at top half which solved the below "nobody cared" warning. warning reported in dmesg: irq 80: nobody cared (try booting with the "irqpoll" option) CPU: 5 PID: 2735 Comm: irq/80-AudioDSP Not tainted 5.15.86-15817-g4c19f3e06d49 #1 1bd3fd932cf58caacc95b0504d6ea1e3eab22289 Hardware name: Google Skyrim/Skyrim, BIOS Google_Skyrim.15303.0.0 01/03/2023 Call Trace: <IRQ> dump_stack_lvl+0x69/0x97 __report_bad_irq+0x3a/0xae note_interrupt+0x1a9/0x1e3 handle_irq_event_percpu+0x4b/0x6e handle_irq_event+0x36/0x5b handle_fasteoi_irq+0xae/0x171 __common_interrupt+0x48/0xc4 </IRQ> handlers: acp_irq_handler [snd_sof_amd_acp] threaded [<000000007e089f34>] acp_irq_thread [snd_sof_amd_acp] Disabling IRQ linux-sunxi#80 Signed-off-by: V sujith kumar Reddy <Vsujithkumar.Reddy@amd.com> Link: https://lore.kernel.org/r/20230203123254.1898794-1-Vsujithkumar.Reddy@amd.com Signed-off-by: Mark Brown <broonie@kernel.org>

[ Upstream commit 2e7c665 ] As interrupts are Level-triggered,unless and until we deassert the register the interrupts are generated which causes spurious interrupts unhandled. Now we deasserted the interrupt at top half which solved the below "nobody cared" warning. warning reported in dmesg: irq 80: nobody cared (try booting with the "irqpoll" option) CPU: 5 PID: 2735 Comm: irq/80-AudioDSP Not tainted 5.15.86-15817-g4c19f3e06d49 jwrdegoede#1 1bd3fd932cf58caacc95b0504d6ea1e3eab22289 Hardware name: Google Skyrim/Skyrim, BIOS Google_Skyrim.15303.0.0 01/03/2023 Call Trace: <IRQ> dump_stack_lvl+0x69/0x97 __report_bad_irq+0x3a/0xae note_interrupt+0x1a9/0x1e3 handle_irq_event_percpu+0x4b/0x6e handle_irq_event+0x36/0x5b handle_fasteoi_irq+0xae/0x171 __common_interrupt+0x48/0xc4 </IRQ> handlers: acp_irq_handler [snd_sof_amd_acp] threaded [<000000007e089f34>] acp_irq_thread [snd_sof_amd_acp] Disabling IRQ linux-sunxi#80 Signed-off-by: V sujith kumar Reddy <Vsujithkumar.Reddy@amd.com> Link: https://lore.kernel.org/r/20230203123254.1898794-1-Vsujithkumar.Reddy@amd.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>

[ Upstream commit e2b706c ] When I perform the following test operations: 1.ip link add br0 type bridge 2.brctl addif br0 eth0 3.ip addr add 239.0.0.1/32 dev eth0 4.ip addr add 239.0.0.1/32 dev br0 5.ip addr add 224.0.0.1/32 dev br0 6.while ((1)) do ifconfig br0 up ifconfig br0 down done 7.send IGMPv2 query packets to port eth0 continuously. For example, ./mausezahn ethX -c 0 "01 00 5e 00 00 01 00 72 19 88 aa 02 08 00 45 00 00 1c 00 01 00 00 01 02 0e 7f c0 a8 0a b7 e0 00 00 01 11 64 ee 9b 00 00 00 00" The preceding tests may trigger the refcnt uaf issue of the mc list. The stack is as follows: refcount_t: addition on 0; use-after-free. WARNING: CPU: 21 PID: 144 at lib/refcount.c:25 refcount_warn_saturate (lib/refcount.c:25) CPU: 21 PID: 144 Comm: ksoftirqd/21 Kdump: loaded Not tainted 6.7.0-rc1-next-20231117-dirty linux-sunxi#80 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:refcount_warn_saturate (lib/refcount.c:25) RSP: 0018:ffffb68f00657910 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff8a00c3bf96c0 RCX: ffff8a07b6160908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff8a07b6160900 RBP: ffff8a00cba36862 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffb68f006577c0 R11: ffffffffb0fdcdc8 R12: ffff8a00c3bf9680 R13: ffff8a00c3bf96f0 R14: 0000000000000000 R15: ffff8a00d8766e00 FS: 0000000000000000(0000) GS:ffff8a07b6140000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f10b520b28 CR3: 000000039741a000 CR4: 00000000000006f0 Call Trace: <TASK> igmp_heard_query (net/ipv4/igmp.c:1068) igmp_rcv (net/ipv4/igmp.c:1132) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) netif_receive_skb_internal (net/core/dev.c:5729) netif_receive_skb (net/core/dev.c:5788) br_handle_frame_finish (net/bridge/br_input.c:216) nf_hook_bridge_pre (net/bridge/br_input.c:294) __netif_receive_skb_core (net/core/dev.c:5423) __netif_receive_skb_list_core (net/core/dev.c:5606) __netif_receive_skb_list (net/core/dev.c:5674) netif_receive_skb_list_internal (net/core/dev.c:5764) napi_gro_receive (net/core/gro.c:609) e1000_clean_rx_irq (drivers/net/ethernet/intel/e1000/e1000_main.c:4467) e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3805) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6735) __do_softirq (kernel/softirq.c:554) run_ksoftirqd (kernel/softirq.c:913) smpboot_thread_fn (kernel/smpboot.c:164) kthread (kernel/kthread.c:388) ret_from_fork (arch/x86/kernel/process.c:153) ret_from_fork_asm (arch/x86/entry/entry_64.S:250) </TASK> The root causes are as follows: Thread A Thread B ... netif_receive_skb br_dev_stop ... br_multicast_leave_snoopers ... __ip_mc_dec_group ... __igmp_group_dropped igmp_rcv igmp_stop_timer igmp_heard_query //ref = 1 ip_ma_put igmp_mod_timer refcount_dec_and_test igmp_start_timer //ref = 0 ... refcount_inc //ref increases from 0 When the device receives an IGMPv2 Query message, it starts the timer immediately, regardless of whether the device is running. If the device is down and has left the multicast group, it will cause the mc list refcount uaf issue. Fixes: 1da177e ("Linux-2.6.12-rc2") Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Hangbin Liu <liuhangbin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>

npeacock closed this as completed Oct 10, 2012

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Multitouch doesn't work with X #80

Multitouch doesn't work with X #80

npeacock commented Sep 21, 2012

amery commented Sep 21, 2012

techn commented Sep 21, 2012

npeacock commented Sep 22, 2012

npeacock commented Sep 22, 2012

npeacock commented Oct 10, 2012

amery commented Oct 10, 2012

Multitouch doesn't work with X #80

Multitouch doesn't work with X #80

Comments

npeacock commented Sep 21, 2012

amery commented Sep 21, 2012

techn commented Sep 21, 2012

npeacock commented Sep 22, 2012

npeacock commented Sep 22, 2012

npeacock commented Oct 10, 2012

amery commented Oct 10, 2012