In case timers are not in sync when cpus start (i.e. hot plug / offset
resets) we need to synchronize the secondary cpus internal timer with
the main cpu. This is needed as in OpenRISC SMP there is only one
clocksource registered which reads from the same ttcr register on each
cpu.
This synchronization routine heavily borrows from mips implementation that
does something similar.
Signed-off-by: Stafford Horne <shorne@gmail.com>
Lockdep is needed for proving the spinlocks and rwlocks work fine on our
platform. It also requires calling the trace_hardirqs_off() and
trace_hardirqs_on() pair of routines when entering and exiting an
interrupt.
For OpenRISC the interrupt stack frame does not support frame pointers,
so to call trace_hardirqs_on() and trace_hardirqs_off() here the macro's
build up a stack frame each time.
There is one necessary small change in _sys_call_handler to move
interrupt enabling later so they can get re-enabled during syscall
restart. This was done to fix lockdep warnings that are now possible due
to this
patch.
Signed-off-by: Stafford Horne <shorne@gmail.com>
For lockdep support a reliable stack trace mechanism is needed. This
patch adds support in OpenRISC for the stacktrace framework, implemented
by a simple unwinder api. The unwinder api supports both framepointer
and basic stack tracing.
The unwinder is now used to replace the stack_dump() implementation as
well. The new traces are inline with other architectures trace format:
Call trace:
[<c0004448>] show_stack+0x3c/0x58
[<c031c940>] dump_stack+0xa8/0xe4
[<c0008104>] __cpu_up+0x64/0x130
[<c000d268>] bringup_cpu+0x3c/0x178
[<c000d038>] cpuhp_invoke_callback+0xa8/0x1fc
[<c000d680>] cpuhp_up_callbacks+0x44/0x14c
[<c000e400>] cpu_up+0x14c/0x1bc
[<c041da60>] smp_init+0x104/0x15c
[<c033843c>] ? kernel_init+0x0/0x140
[<c0415e04>] kernel_init_freeable+0xbc/0x25c
[<c033843c>] ? kernel_init+0x0/0x140
[<c0338458>] kernel_init+0x1c/0x140
[<c003a174>] ? schedule_tail+0x18/0xa0
[<c0006b80>] ret_from_fork+0x1c/0x9c
Signed-off-by: Stafford Horne <shorne@gmail.com>
Simple enough to be compatible with simulation environments,
such as verilated systems, QEMU and other targets supporting OpenRISC
SMP. This also supports our base FPGA SoC's if the cpu frequency is
upped to 50Mhz.
Signed-off-by: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
[shorne@gmail.com: Added defconfig]
Signed-off-by: Stafford Horne <shorne@gmail.com>
On OpenRISC the icache does not snoop data stores. This can cause
aliasing as reported by Jan. This patch fixes the issue to ensure icache
is properly synchronized when code is written to memory. It supports both
SMP and UP flushing.
This supports dcache flush as well for architectures that do not support
write-through caches; most OpenRISC implementations do implement
write-through cache however. Dcache flushes are done only on a single
core as OpenRISC dcaches all support snooping of bus stores.
Signed-off-by: Jan Henrik Weinstock <jan.weinstock@ice.rwth-aachen.de>
[shorne@gmail.com: Squashed patches and wrote commit message]
Signed-off-by: Stafford Horne <shorne@gmail.com>
Currently we do a spin on secondary cpus when waiting to boot. This
theoretically causes issues with power consumption and does cause issues
with qemu cycle burning (it starves cpu 0 from actually being able to
boot.)
This change puts each secondary cpu to sleep if they have a power
management unit, then signals them to wake via IPI when its time to boot.
If the cpus have no power management unit they will loop as before.
Note: The wakeup IPI requires a special interrupt handler as on secondary
cpu's the interrupt infrastructure is not yet established. This
interrupt handler is set and reset by updating SPR_EVBAR.
Signed-off-by: Stafford Horne <shorne@gmail.com>
During SMP testing we were getting the below warning after booting the
secondary cpu:
[ 0.060000] BUG: scheduling while atomic: swapper/1/0/0x00000000
This change follows similar patterns from other architectures to start
the schduler with preempt disabled.
Signed-off-by: Stafford Horne <shorne@gmail.com>
This patch introduces the SMP support for the OpenRISC architecture.
The SMP architecture requires cores which have multi-core features which
have been introduced a few years back including:
- New SPRS SPR_COREID SPR_NUMCORES
- Shadow SPRs
- Atomic Instructions
- Cache Coherency
- A wired in IPI controller
This patch adds all of the SMP specific changes to core infrastructure,
it looks big but it needs to go all together as its hard to split this
one up.
Boot loader spinning of second cpu is not supported yet, it's assumed
that Linux is booted straight after cpu reset.
The bulk of these changes are trivial changes to refactor to use per cpu
data structures throughout. The addition of the smp.c and changes in
time.c are the changes. Some specific notes:
MM changes
----------
The reason why this is created as an array, and not with DEFINE_PER_CPU
is that doing it this way, we'll save a load in the tlb-miss handler
(the load from __per_cpu_offset).
TLB Flush
---------
The SMP implementation of flush_tlb_* works by sending out a
function-call IPI to all the non-local cpus by using the generic
on_each_cpu() function.
Currently, all flush_tlb_* functions will result in a flush_tlb_all(),
which has always been the behaviour in the UP case.
CPU INFO
--------
This creates a per cpu cpuinfo struct and fills it out accordingly for
each activated cpu. show_cpuinfo is also updated to reflect new version
information in later versions of the spec.
SMP API
-------
This imitates the arm64 implementation by having a smp_cross_call
callback that can be set by set_smp_cross_call to initiate an IPI and a
handle_IPI function that is expected to be called from an IPI irqchip
driver.
Signed-off-by: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
[shorne@gmail.com: added cpu stop, checkpatch fixes, wrote commit message]
Signed-off-by: Stafford Horne <shorne@gmail.com>
IPI driver for the Open Multi-Processor Interrupt Controller (ompic) as
described in the Multi-core support section of the OpenRISC 1.2
architecture specification:
https://github.com/openrisc/doc/raw/master/openrisc-arch-1.2-rev0.pdf
Each OpenRISC core contains a full interrupt controller which is used in
the SMP architecture for interrupt balancing. This IPI device, the
ompic, is the only external device required for enabling SMP on
OpenRISC.
Pending ops are stored in a memory bit mask which can allow multiple
pending operations to be set and serviced at a time. This is mostly
borrowed from the alpha IPI implementation.
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
[shorne@gmail.com: converted ops to bitmask, wrote commit message]
Signed-off-by: Stafford Horne <shorne@gmail.com>
Add OpenRISC.io to vendor prefixes. This is reserved for softcores
developed by the OpenRISC community. The OpenRISC community has
separated from OpenCores.org requiring a new prefix.
Reviewed-by: Andreas Färber <afaerber@suse.de>
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Stafford Horne <shorne@gmail.com>
OpenRISC only supports hardware instructions that perform 4 byte atomic
operations. For enabling qrwlocks for upcoming SMP support 1 and 2 byte
implementations are needed. To do this we leverage the 4 byte atomic
operations and shift/mask the 1 and 2 byte areas as needed.
This heavily borrows ideas and routines from sh and mips, which do
something similar.
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Stafford Horne <shorne@gmail.com>
Previously, the area between 0x0-0x100 have been used as a "scratch"
memory area to temporarily store regs during exception entry. In a
multi-core environment, this will not work.
This change is to use shadow registers for nested context.
Currently only the "critical" temp load/stores are covered, the
EMERGENCY_PRINT ones are left as is (when they are used, it's game over
anyway), they need to be handled as well in the future.
Signed-off-by: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
Signed-off-by: Stafford Horne <shorne@gmail.com>
Add devicetree binding documentation for the OpenRISC platform
opencores,or1ksim. This is the main OpenRISC reference platform
supporting multiple FPGA SoC's.
This format is based on some of the mips binding docs as we have
similar requirements.
Also, update maintainers so openrisc related binding changes are visible
to the openrisc team.
Acked-by: Rob Herring <robh@kernel.org>
Suggested-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Stafford Horne <shorne@gmail.com>
Update the OpenRISC readme to provide some more up-to-date information
on how to get started with OpenRISC. This includes:
- remove references to southpole who no longer are consulting for
OpenRISC (confirmed with Jonas)
- suggested QEMU instead of the old or1ksim as QEMU is well supported
- include instructions on how to get an FPGA board running
Suggested-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Stafford Horne <shorne@gmail.com>
The OpenRISC docs have traditionally been in arch/ but that does not
seem like the correct place to be. Move them so they will be more
visible to others. Also update MAINTAINERS to make sure we get
notifications of changes.
Signed-off-by: Stafford Horne <shorne@gmail.com>
During reviews of the OpenRISC SMP patch series it was suggested to add
stdout-path to the SMP dts file. Add stdout-path to our other dts files
to be a good example.
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Stafford Horne <shorne@gmail.com>
Here are a small number of patches to resolve some reported IIO and a
staging driver problem. Nothing major here, full details are in the
shortlog below.
All have been in linux-next with no reported issues.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCWe2ZWg8cZ3JlZ0Brcm9h
aC5jb20ACgkQMUfUDdst+ymZqgCbB3My5ciPpAlZFnuNFYrXZIvT/PoAnR9amLJM
jwlRLHQPFQ7/Ue2zD9jc
=aaFo
-----END PGP SIGNATURE-----
Merge tag 'staging-4.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
Pull staging and IIO fixes from Greg KH:
"Here are a small number of patches to resolve some reported IIO and a
staging driver problem. Nothing major here, full details are in the
shortlog below.
All have been in linux-next with no reported issues"
* tag 'staging-4.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
staging: bcm2835-audio: Fix memory corruption
iio: adc: at91-sama5d2_adc: fix probe error on missing trigger property
iio: adc: dln2-adc: fix build error
iio: dummy: events: Add missing break
staging: iio: ade7759: fix signed extension bug on shift of a u8
iio: pressure: zpa2326: Remove always-true check which confuses gcc
iio: proximity: as3935: noise detection + threshold changes
Here are 4 small fixes for 4.14-rc6.
3 of them are binder driver fixes for reported issues, and the last one
is a hyperv driver bugfix. Nothing major, but good fixes to get into
4.14-final.
All of these have been in linux-next with no reported issues.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCWe2YnQ8cZ3JlZ0Brcm9h
aC5jb20ACgkQMUfUDdst+ynN0ACdEfXVOyAcxhfxZzMBGL75sZhoh7IAnjGujCET
+MxZZKMNFD76V0Zply+2
=C8Pu
-----END PGP SIGNATURE-----
Merge tag 'char-misc-4.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
Pull char/misc driver fixes from Greg KH:
"Here are four small fixes for 4.14-rc6.
Three of them are binder driver fixes for reported issues, and the
last one is a hyperv driver bugfix. Nothing major, but good fixes to
get into 4.14-final.
All of these have been in linux-next with no reported issues"
* tag 'char-misc-4.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
android: binder: Fix null ptr dereference in debug msg
android: binder: Don't get mm from task
vmbus: hvsock: add proper sync for vmbus_hvsock_device_unregister()
binder: call poll_wait() unconditionally.
Here are a small number of USB and PHY driver fixes for 4.14-rc6
There is the usual musb and xhci fixes in here, as well as some needed
phy patches. Also is a nasty regression fix for usbfs that has started
to hit a lot of people using virtual machines.
All of these have been in linux-next with no reported problems.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCWe2XgA8cZ3JlZ0Brcm9h
aC5jb20ACgkQMUfUDdst+ynFUwCeNkG6DErmFmdpRkz38rjqLDpK6kAAoIT14/S8
rmDxu0VfFBY2TWIPqyDA
=7MDm
-----END PGP SIGNATURE-----
Merge tag 'usb-4.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB/PHY fixes from Greg KH:
"Here are a small number of USB and PHY driver fixes for 4.14-rc6
There is the usual musb and xhci fixes in here, as well as some needed
phy patches. Also is a nasty regression fix for usbfs that has started
to hit a lot of people using virtual machines.
All of these have been in linux-next with no reported problems"
* tag 'usb-4.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (26 commits)
usb: hub: Allow reset retry for USB2 devices on connect bounce
USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
MAINTAINERS: fix git tree url for musb module
usb: quirks: add quirk for WORLDE MINI MIDI keyboard
usb: musb: sunxi: Explicitly release USB PHY on exit
usb: musb: Check for host-mode using is_host_active() on reset interrupt
usb: musb: musb_cppi41: Configure the number of channels for DA8xx
usb: musb: musb_cppi41: Fix cppi41_set_dma_mode() for DA8xx
usb: musb: musb_cppi41: Fix the address of teardown and autoreq registers
USB: musb: fix late external abort on suspend
USB: musb: fix session-bit runtime-PM quirk
usb: cdc_acm: Add quirk for Elatec TWN3
USB: devio: Revert "USB: devio: Don't corrupt user memory"
usb: xhci: Handle error condition in xhci_stop_device()
usb: xhci: Reset halted endpoint if trb is noop
xhci: Cleanup current_cmd in xhci_cleanup_command_queue()
xhci: Identify USB 3.1 capable hosts by their port protocol capability
USB: serial: metro-usb: add MS7820 device id
phy: rockchip-typec: Check for errors from tcphy_phy_init()
phy: rockchip-typec: Don't set the aux voltage swing to 400 mV
...
Pull input fix from Dmitry Torokhov:
"A fix for a broken commit in the previous pull breaking automatic
module loading of input handlers, such ad evdev"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: do not use property bits when generating module alias
The commit 8724ecb072 ("Input: allow matching device IDs on property
bits") started using property bits when generating module aliases for input
handlers, but did not adjust the generation of MODALIAS attribute on input
device uevents, breaking automatic module loading. Given that no handler
currently uses property bits in their module tables, let's revert this part
of the commit for now.
Reported-by: Damien Wyart <damien.wyart@gmail.com>
Tested-by: Damien Wyart <damien.wyart@gmail.com>
Fixes: 8724ecb072 ("Input: allow matching device IDs on property bits")
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Pull x86 fixes from Thomas Gleixner:
"A couple of fixes addressing the following issues:
- The last polishing for the TLB code, removing the last BUG_ON() and
the debug file along with tidying up the lazy TLB code.
- Prevent triple fault on 1st Gen. 486 caused by stupidly calling the
early IDT setup after the first function which causes a fault which
should be caught by the exception table.
- Limit the mmap of /dev/mem to valid addresses
- Prevent late microcode loading on Broadwell X
- Remove a redundant assignment in the cache info code"
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/mm: Limit mmap() of /dev/mem to valid physical addresses
x86/mm: Remove debug/x86/tlb_defer_switch_to_init_mm
x86/mm: Tidy up "x86/mm: Flush more aggressively in lazy TLB mode"
x86/mm/64: Remove the last VM_BUG_ON() from the TLB code
x86/microcode/intel: Disable late loading on model 79
x86/idt: Initialize early IDT before cr4_init_shadow()
x86/cpu/intel_cacheinfo: Remove redundant assignment to 'this_leaf'
Pull timer fix from Thomas Gleixner:
"A single fix to make the cs5535 clock event driver robust agaist
spurious interrupts"
* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
clockevents/drivers/cs5535: Improve resilience to spurious interrupts
Pull smp/hotplug fix from Thomas Gleixner:
"The recent rework of the callback invocation missed to cleanup the
leftovers of the operation, so under certain circumstances a
subsequent CPU hotplug operation accesses stale data and crashes.
Clean it up."
* 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
cpu/hotplug: Reset node state after operation
Pull perf fixes from Thomas Gleixner:
"A series of fixes for perf tooling:
- Make xyarray return the X/Y size correctly which fixes a crash in
the exit code.
- Fix the libc path in test so it works not only on Debian/Ubuntu
correctly
- Check for eBPF file existance and output a useful error message
instead of failing to compile a non existant file
- Make sure perf_hpp_fmt is not longer references before freeing it
- Use list_del_init() in the histogram code to prevent a crash when
the already deleted element is deleted again
- Remove the leftovers of the removed '-l' option
- Add reviewer entries to the MAINTAINERS file"
* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
perf test shell trace+probe_libc_inet_pton.sh: Be compatible with Debian/Ubuntu
perf xyarray: Fix wrong processing when closing evsel fd
perf buildid-list: Fix crash when processing PERF_RECORD_NAMESPACE
perf record: Fix documentation for a inexistent option '-l'
perf tools: Add long time reviewers to MAINTAINERS
perf tools: Check wether the eBPF file exists in event parsing
perf hists: Add extra integrity checks to fmt_free()
perf hists: Fix crash in perf_hpp__reset_output_field()
Pull irq fixes from Thomas Gleixner:
"A set of small fixes mostly in the irq drivers area:
- Make the tango irq chip work correctly, which requires a new
function in the generiq irq chip implementation
- A set of updates to the GIC-V3 ITS driver removing a bogus BUG_ON()
and parsing the VCPU table size correctly"
* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
genirq: generic chip: remove irq_gc_mask_disable_reg_and_ack()
irqchip/tango: Use irq_gc_mask_disable_and_ack_set
genirq: generic chip: Add irq_gc_mask_disable_and_ack_set()
irqchip/gic-v3-its: Add missing changes to support 52bit physical address
irqchip/gic-v3-its: Fix the incorrect parsing of VCPU table size
irqchip/gic-v3-its: Fix the incorrect BUG_ON in its_init_vpe_domain()
DT: arm,gic-v3: Update the ITS size in the examples
Pull objtool fix from Thomas Gleixner:
"Plug a memory leak in the instruction decoder"
* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
objtool: Fix memory leak in decode_instructions()
Pull networking fixes from David Miller:
"A little more than usual this time around. Been travelling, so that is
part of it.
Anyways, here are the highlights:
1) Deal with memcontrol races wrt. listener dismantle, from Eric
Dumazet.
2) Handle page allocation failures properly in nfp driver, from Jaku
Kicinski.
3) Fix memory leaks in macsec, from Sabrina Dubroca.
4) Fix crashes in pppol2tp_session_ioctl(), from Guillaume Nault.
5) Several fixes in bnxt_en driver, including preventing potential
NVRAM parameter corruption from Michael Chan.
6) Fix for KRACK attacks in wireless, from Johannes Berg.
7) rtnetlink event generation fixes from Xin Long.
8) Deadlock in mlxsw driver, from Ido Schimmel.
9) Disallow arithmetic operations on context pointers in bpf, from
Jakub Kicinski.
10) Missing sock_owned_by_user() check in sctp_icmp_redirect(), from
Xin Long.
11) Only TCP is supported for sockmap, make that explicit with a
check, from John Fastabend.
12) Fix IP options state races in DCCP and TCP, from Eric Dumazet.
13) Fix panic in packet_getsockopt(), also from Eric Dumazet.
14) Add missing locked in hv_sock layer, from Dexuan Cui.
15) Various aquantia bug fixes, including several statistics handling
cures. From Igor Russkikh et al.
16) Fix arithmetic overflow in devmap code, from John Fastabend.
17) Fix busted socket memory accounting when we get a fault in the tcp
zero copy paths. From Willem de Bruijn.
18) Don't leave opt->tot_len uninitialized in ipv6, from Eric Dumazet"
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (106 commits)
stmmac: Don't access tx_q->dirty_tx before netif_tx_lock
ipv6: flowlabel: do not leave opt->tot_len with garbage
of_mdio: Fix broken PHY IRQ in case of probe deferral
textsearch: fix typos in library helpers
rxrpc: Don't release call mutex on error pointer
net: stmmac: Prevent infinite loop in get_rx_timestamp_status()
net: stmmac: Fix stmmac_get_rx_hwtstamp()
net: stmmac: Add missing call to dev_kfree_skb()
mlxsw: spectrum_router: Configure TIGCR on init
mlxsw: reg: Add Tunneling IPinIP General Configuration Register
net: ethtool: remove error check for legacy setting transceiver type
soreuseport: fix initialization race
net: bridge: fix returning of vlan range op errors
sock: correct sk_wmem_queued accounting on efault in tcp zerocopy
bpf: add test cases to bpf selftests to cover all access tests
bpf: fix pattern matches for direct packet access
bpf: fix off by one for range markings with L{T, E} patterns
bpf: devmap fix arithmetic overflow in bitmap_size calculation
net: aquantia: Bad udp rate on default interrupt coalescing
net: aquantia: Enable coalescing management via ethtool interface
...
This is the possible reason for different hard to reproduce
problems on my ARMv7-SMP test system.
The symptoms are in recent kernels imprecise external aborts,
and in older kernels various kinds of network stalls and
unexpected page allocation failures.
My testing indicates that the trouble started between v4.5 and v4.6
and prevails up to v4.14.
Using the dirty_tx before acquiring the spin lock is clearly
wrong and was first introduced with v4.6.
Fixes: e3ad57c967 ("stmmac: review RX/TX ring management")
Signed-off-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
When syzkaller team brought us a C repro for the crash [1] that
had been reported many times in the past, I finally could find
the root cause.
If FlowLabel info is merged by fl6_merge_options(), we leave
part of the opt_space storage provided by udp/raw/l2tp with random value
in opt_space.tot_len, unless a control message was provided at sendmsg()
time.
Then ip6_setup_cork() would use this random value to perform a kzalloc()
call. Undefined behavior and crashes.
Fix is to properly set tot_len in fl6_merge_options()
At the same time, we can also avoid consuming memory and cpu cycles
to clear it, if every option is copied via a kmemdup(). This is the
change in ip6_setup_cork().
[1]
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 6613 Comm: syz-executor0 Not tainted 4.14.0-rc4+ #127
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801cb64a100 task.stack: ffff8801cc350000
RIP: 0010:ip6_setup_cork+0x274/0x15c0 net/ipv6/ip6_output.c:1168
RSP: 0018:ffff8801cc357550 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: ffff8801cc357748 RCX: 0000000000000010
RDX: 0000000000000002 RSI: ffffffff842bd1d9 RDI: 0000000000000014
RBP: ffff8801cc357620 R08: ffff8801cb17f380 R09: ffff8801cc357b10
R10: ffff8801cb64a100 R11: 0000000000000000 R12: ffff8801cc357ab0
R13: ffff8801cc357b10 R14: 0000000000000000 R15: ffff8801c3bbf0c0
FS: 00007f9c5c459700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020324000 CR3: 00000001d1cf2000 CR4: 00000000001406f0
DR0: 0000000020001010 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
ip6_make_skb+0x282/0x530 net/ipv6/ip6_output.c:1729
udpv6_sendmsg+0x2769/0x3380 net/ipv6/udp.c:1340
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
SYSC_sendto+0x358/0x5a0 net/socket.c:1750
SyS_sendto+0x40/0x50 net/socket.c:1718
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x4520a9
RSP: 002b:00007f9c5c458c08 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004520a9
RDX: 0000000000000001 RSI: 0000000020fd1000 RDI: 0000000000000016
RBP: 0000000000000086 R08: 0000000020e0afe4 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004bb1ee
R13: 00000000ffffffff R14: 0000000000000016 R15: 0000000000000029
Code: e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 ea 0f 00 00 48 8d 79 04 48 b8 00 00 00 00 00 fc ff df 45 8b 74 24 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RIP: ip6_setup_cork+0x274/0x15c0 net/ipv6/ip6_output.c:1168 RSP: ffff8801cc357550
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
If an Ethernet PHY is initialized before the interrupt controller it is
connected to, a message like the following is printed:
irq: no irq domain found for /interrupt-controller@e61c0000 !
However, the actual error is ignored, leading to a non-functional (POLL)
PHY interrupt later:
Micrel KSZ8041RNLI ee700000.ethernet-ffffffff:01: attached PHY driver [Micrel KSZ8041RNLI] (mii_bus:phy_addr=ee700000.ethernet-ffffffff:01, irq=POLL)
Depending on whether the PHY driver will fall back to polling, Ethernet
may or may not work.
To fix this:
1. Switch of_mdiobus_register_phy() from irq_of_parse_and_map() to
of_irq_get().
Unlike the former, the latter returns -EPROBE_DEFER if the
interrupt controller is not yet available, so this condition can be
detected.
Other errors are handled the same as before, i.e. use the passed
mdio->irq[addr] as interrupt.
2. Propagate and handle errors from of_mdiobus_register_phy() and
of_mdiobus_register_device().
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fix spellos (typos) in textsearch library helpers.
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Don't release call mutex at the end of rxrpc_kernel_begin_call() if the
call pointer actually holds an error value.
Fixes: 540b1c48c3 ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
Reported-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jose Abreu says:
====================
net: stmmac: Fix HW timestamping
Three fixes for HW timestamping feature, all of them for RX side.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Prevent infinite loop by correctly setting the loop condition to
break when i == 10.
Signed-off-by: Jose Abreu <joabreu@synopsys.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Joao Pinto <jpinto@synopsys.com>
Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Cc: Alexandre Torgue <alexandre.torgue@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When using GMAC4 the valid timestamp is from CTX next desc but
we are passing the previous desc to get_rx_timestamp_status()
callback.
Fix this and while at it rework a little bit the function logic.
Signed-off-by: Jose Abreu <joabreu@synopsys.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Joao Pinto <jpinto@synopsys.com>
Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Cc: Alexandre Torgue <alexandre.torgue@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When RX HW timestamp is enabled and a frame is discarded we are
not freeing the skb but instead only setting to NULL the entry.
Add a call to dev_kfree_skb_any() so that skb entry is correctly
freed.
Signed-off-by: Jose Abreu <joabreu@synopsys.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Joao Pinto <jpinto@synopsys.com>
Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Cc: Alexandre Torgue <alexandre.torgue@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pull input fixes from Dmitry Torokhov:
- joydev now implements a blacklist to avoid creating joystick nodes
for accelerometers found in composite devices such as PlaStation
controllers
- assorted driver fixes
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: ims-psu - check if CDC union descriptor is sane
Input: joydev - blacklist ds3/ds4/udraw motion sensors
Input: allow matching device IDs on property bits
Input: factor out and export input_device_id matching code
Input: goodix - poll the 'buffer status' bit before reading data
Input: axp20x-pek - fix module not auto-loading for axp221 pek
Input: tca8418 - enable interrupt after it has been requested
Input: stmfts - fix setting ABS_MT_POSITION_* maximum size
Input: ti_am335x_tsc - fix incorrect step config for 5 wire touchscreen
Input: synaptics - disable kernel tracking on SMBus devices
Pull vfs fixes from Al Viro:
"MS_I_VERSION fixes - Mimi's fix + missing bits picked from Matthew
(his patch contained a duplicate of the fs/namespace.c fix as well,
but by that point the original fix had already been applied)"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
Convert fs/*/* to SB_I_VERSION
vfs: fix mounting a filesystem with i_version
Jiri Pirko says:
====================
mlxsw: spectrum: Configure TTL of "inherit" for offloaded tunnels
Petr says:
Currently mlxsw only offloads tunnels that are configured with TTL of "inherit"
(which is the default). However, Spectrum defaults to 255 and the driver
neglects to change the configuration. Thus the tunnel packets from offloaded
tunnels always have TTL of 255, even though tunnels with explicit TTL of 255 are
never actually offloaded.
To fix this, introduce support for TIGCR, the register that keeps the related
bits of global tunnel configuration, and use it on first offload to properly
configure inheritance of TTL of tunnel packets from overlay packets.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Spectrum tunnels do not default to ttl of "inherit" like the Linux ones
do. Configure TIGCR on router init so that the TTL of tunnel packets is
copied from the overlay packets.
Fixes: ee954d1a91 ("mlxsw: spectrum_router: Support GRE tunnels")
Signed-off-by: Petr Machata <petrm@mellanox.com>
Reviewed-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The TIGCR register is used for setting up the IPinIP Tunnel
configuration.
Fixes: ee954d1a91 ("mlxsw: spectrum_router: Support GRE tunnels")
Signed-off-by: Petr Machata <petrm@mellanox.com>
Reviewed-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Commit 9cab88726929605 ("net: ethtool: Add back transceiver type")
restores the transceiver type to struct ethtool_link_settings and
convert_link_ksettings_to_legacy_settings() but forgets to remove the
error check for the same in convert_legacy_settings_to_link_ksettings().
This prevents older versions of ethtool to change link settings.
# ethtool --version
ethtool version 3.16
# ethtool -s eth0 autoneg on speed 100 duplex full
Cannot set new settings: Invalid argument
not setting speed
not setting duplex
not setting autoneg
While newer versions of ethtool works.
# ethtool --version
ethtool version 4.10
# ethtool -s eth0 autoneg on speed 100 duplex full
[ 57.703268] sh-eth ee700000.ethernet eth0: Link is Down
[ 59.618227] sh-eth ee700000.ethernet eth0: Link is Up - 100Mbps/Full - flow control rx/tx
Fixes: 19cab88726 ("net: ethtool: Add back transceiver type")
Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Reported-by: Renjith R V <renjith.rv@quest-global.com>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Syzkaller stumbled upon a way to trigger
WARNING: CPU: 1 PID: 13881 at net/core/sock_reuseport.c:41
reuseport_alloc+0x306/0x3b0 net/core/sock_reuseport.c:39
There are two initialization paths for the sock_reuseport structure in a
socket: Through the udp/tcp bind paths of SO_REUSEPORT sockets or through
SO_ATTACH_REUSEPORT_[CE]BPF before bind. The existing implementation
assumedthat the socket lock protected both of these paths when it actually
only protects the SO_ATTACH_REUSEPORT path. Syzkaller triggered this
double allocation by running these paths concurrently.
This patch moves the check for double allocation into the reuseport_alloc
function which is protected by a global spin lock.
Fixes: e32ea7e747 ("soreuseport: fast reuseport UDP socket selection")
Fixes: c125e80b88 ("soreuseport: fast reuseport TCP socket selection")
Signed-off-by: Craig Gallek <kraig@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When vlan tunnels were introduced, vlan range errors got silently
dropped and instead 0 was returned always. Restore the previous
behaviour and return errors to user-space.
Fixes: efa5356b0d ("bridge: per vlan dst_metadata netlink support")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Syzkaller hits WARN_ON(sk->sk_wmem_queued) in sk_stream_kill_queues
after triggering an EFAULT in __zerocopy_sg_from_iter.
On this error, skb_zerocopy_stream_iter resets the skb to its state
before the operation with __pskb_trim. It cannot kfree_skb like
datagram callers, as the skb may have data from a previous send call.
__pskb_trim calls skb_condense for unowned skbs, which adjusts their
truesize. These tcp skbuffs are owned and their truesize must add up
to sk_wmem_queued. But they match because their skb->sk is NULL until
tcp_transmit_skb.
Temporarily set skb->sk when calling __pskb_trim to signal that the
skbuffs are owned and avoid the skb_condense path.
Fixes: 52267790ef ("sock: add MSG_ZEROCOPY")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Daniel Borkmann says:
====================
Two BPF fixes for range marking
The set contains two fixes for direct packet access range
markings and test cases for all direct packet access patterns
that the verifier matches on.
They are targeted for net tree, note that once net gets merged
into net-next, there will be a minor merge conflict due to
signature change of the function find_good_pkt_pointers() as
well as data_meta patterns present in net-next tree. You can
just add bool false to the data_meta patterns and I will
follow-up with properly converting the patterns for data_meta
in a similar way.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>