KASAN: use-after-free Read in seq_escape

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit:17b57b1883c1 Linux 4.19-rc6
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1672d71140
kernel config:  https://syzkaller.appspot.com/x/.config?x=c0af03fe452b65fb
dashboard link: https://syzkaller.appspot.com/bug?extid=a2872d6feea6918008a9
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a2872d6feea691800...@syzkaller.appspotmail.com

(unnamed net_device) (uninitialized): option active_slave: mode dependency  
failed, not supported in mode balance-rr(0)

IPVS: ftp: loaded support on port[0] = 21
EXT4-fs (sda1): journaled quota format not specified
==
BUG: KASAN: use-after-free in strlen+0x83/0xa0 lib/string.c:482
Read of size 1 at addr 8801ce9a9540 by task syz-executor2/486

CPU: 1 PID: 486 Comm: syz-executor2 Not tainted 4.19.0-rc6+ #39
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
(unnamed net_device) (uninitialized): option active_slave: mode dependency  
failed, not supported in mode balance-rr(0)

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 strlen+0x83/0xa0 lib/string.c:482
 strlen include/linux/string.h:267 [inline]
 string_escape_str include/linux/string_helpers.h:66 [inline]
 seq_escape+0xd5/0x240 fs/seq_file.c:381
 seq_show_option include/linux/seq_file.h:185 [inline]
 ext4_show_quota_options fs/ext4/super.c:2051 [inline]
 _ext4_show_options+0xcef/0x18f0 fs/ext4/super.c:2151
 ext4_show_options+0x41/0x50 fs/ext4/super.c:2157
 show_mountinfo+0x674/0x9b0 fs/proc_namespace.c:187
 m_show+0x65/0x80 fs/namespace.c:1280
 seq_read+0x4af/0x1150 fs/seq_file.c:229
 do_loop_readv_writev fs/read_write.c:700 [inline]
 do_iter_read+0x4a3/0x650 fs/read_write.c:924
 vfs_readv+0x175/0x1c0 fs/read_write.c:986
 do_preadv+0x1cc/0x280 fs/read_write.c:1070
 __do_sys_preadv fs/read_write.c:1120 [inline]
 __se_sys_preadv fs/read_write.c:1115 [inline]
 __x64_sys_preadv+0x9a/0xf0 fs/read_write.c:1115
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457579
Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00

RSP: 002b:7f8a6dc50c78 EFLAGS: 0246 ORIG_RAX: 0127
RAX: ffda RBX: 0004 RCX: 00457579
RDX: 1181 RSI: 2480 RDI: 0005
RBP: 0072bf00 R08:  R09: 
R10:  R11: 0246 R12: 7f8a6dc516d4
R13: 004c309c R14: 004d4a40 R15: 

Allocated by task 493:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x14e/0x760 mm/slab.c:3727
 kmalloc include/linux/slab.h:518 [inline]
 match_strdup+0x5e/0xa0 lib/parser.c:331
 set_qf_name+0x14b/0x3e0 fs/ext4/super.c:1548
 handle_mount_opt fs/ext4/super.c:1718 [inline]
 parse_options+0xd3e/0x29c0 fs/ext4/super.c:1979
 ext4_remount+0x693/0x2640 fs/ext4/super.c:5139
 do_remount_sb+0x350/0x7b0 fs/super.c:888
 do_remount fs/namespace.c:2278 [inline]
 do_mount+0x1513/0x31f0 fs/namespace.c:2778
 ksys_mount+0x12d/0x140 fs/namespace.c:3003
 __do_sys_mount fs/namespace.c:3017 [inline]
 __se_sys_mount fs/namespace.c:3014 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3014
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 493:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x230 mm/slab.c:3813
 ext4_remount+0x11ec/0x2640 fs/ext4/super.c:5355
 do_remount_sb+0x350/0x7b0 fs/super.c:888
 do_remount fs/namespace.c:2278 [inline]
 do_mount+0x1513/0x31f0 fs/namespace.c:2778
 ksys_mount+0x12d/0x140 fs/namespace.c:3003
 __do_sys_mount fs/namespace.c:3017 [inline]
 __se_sys_mount fs/namespace.c:3014 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3014
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8801ce9a9540
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes insi

[PATCH 01/19] perf scripts python: call-graph-from-sql.py: Use SPDX license identifier

[Adrian Hunter]

Use SPDX license identifier in call-graph-from-sql.py.

Signed-off-by: Adrian Hunter 
---
 tools/perf/scripts/python/call-graph-from-sql.py | 14 +++---
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/tools/perf/scripts/python/call-graph-from-sql.py 
b/tools/perf/scripts/python/call-graph-from-sql.py
index b494a67a1c67..ce1b91fcd6b8 100644
--- a/tools/perf/scripts/python/call-graph-from-sql.py
+++ b/tools/perf/scripts/python/call-graph-from-sql.py
@@ -1,15 +1,7 @@
 #!/usr/bin/python2
-# call-graph-from-sql.py: create call-graph from sql database
-# Copyright (c) 2014-2017, Intel Corporation.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms and conditions of the GNU General Public License,
-# version 2, as published by the Free Software Foundation.
-#
-# This program is distributed in the hope it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
-# more details.
+# SPDX-License-Identifier: GPL-2.0
+# exported-sql-viewer.py: view data from sql database
+# Copyright (c) 2014-2018, Intel Corporation.
 
 # To use this script you will need to have exported data using either the
 # export-to-sqlite.py or the export-to-postgresql.py script.  Refer to those
-- 
2.17.1

[PATCH 03/19] perf scripts python: call-graph-from-sql.py: Set a minimum window size

[Adrian Hunter]

Prevent weirdly small window size.

Signed-off-by: Adrian Hunter 
---
 tools/perf/scripts/python/call-graph-from-sql.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/perf/scripts/python/call-graph-from-sql.py 
b/tools/perf/scripts/python/call-graph-from-sql.py
index e1014f2628a7..68153fa1b4d1 100644
--- a/tools/perf/scripts/python/call-graph-from-sql.py
+++ b/tools/perf/scripts/python/call-graph-from-sql.py
@@ -274,6 +274,7 @@ class MainWindow(QMainWindow):
style = self.style()
icon = style.standardIcon(QStyle.SP_MessageBoxInformation)
self.setWindowIcon(icon);
+   self.setMinimumSize(200, 100)
 
self.model = TreeModel(db)
 
-- 
2.17.1

[PATCH 05/19] perf scripts python: call-graph-from-sql.py: Make a "Main" function

[Adrian Hunter]

Make a "Main" function so that the variables used do not pollute the global
namespace.

Signed-off-by: Adrian Hunter 
---
 tools/perf/scripts/python/call-graph-from-sql.py | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tools/perf/scripts/python/call-graph-from-sql.py 
b/tools/perf/scripts/python/call-graph-from-sql.py
index 2e33540f3de0..2b74b94eeccc 100644
--- a/tools/perf/scripts/python/call-graph-from-sql.py
+++ b/tools/perf/scripts/python/call-graph-from-sql.py
@@ -284,7 +284,9 @@ class MainWindow(QMainWindow):
 
self.setCentralWidget(self.view)
 
-if __name__ == '__main__':
+# Main
+
+def Main():
if (len(sys.argv) < 2):
print >> sys.stderr, "Usage is: call-graph-from-sql.py 
"
raise Exception("Too few arguments")
@@ -331,3 +333,6 @@ if __name__ == '__main__':
err = app.exec_()
db.close()
sys.exit(err)
+
+if __name__ == "__main__":
+   Main()
-- 
2.17.1

[PATCH 06/19] perf scripts python: call-graph-from-sql.py: Separate the database details into a class

[Adrian Hunter]

Separate the database details into a class that can provide different
connections using the same connection information.  That paves the way for
sub-processes that require their own connection.

Signed-off-by: Adrian Hunter 
---
 .../scripts/python/call-graph-from-sql.py | 63 +++
 1 file changed, 38 insertions(+), 25 deletions(-)

diff --git a/tools/perf/scripts/python/call-graph-from-sql.py 
b/tools/perf/scripts/python/call-graph-from-sql.py
index 2b74b94eeccc..9d056deab2b1 100644
--- a/tools/perf/scripts/python/call-graph-from-sql.py
+++ b/tools/perf/scripts/python/call-graph-from-sql.py
@@ -284,6 +284,42 @@ class MainWindow(QMainWindow):
 
self.setCentralWidget(self.view)
 
+# Database reference
+
+class DBRef():
+
+   def __init__(self, is_sqlite3, dbname):
+   self.is_sqlite3 = is_sqlite3
+   self.dbname = dbname
+
+   def Open(self, connection_name):
+   dbname = self.dbname
+   if self.is_sqlite3:
+   db = QSqlDatabase.addDatabase("QSQLITE", 
connection_name)
+   else:
+   db = QSqlDatabase.addDatabase("QPSQL", connection_name)
+   opts = dbname.split()
+   for opt in opts:
+   if "=" in opt:
+   opt = opt.split("=")
+   if opt[0] == "hostname":
+   db.setHostName(opt[1])
+   elif opt[0] == "port":
+   db.setPort(int(opt[1]))
+   elif opt[0] == "username":
+   db.setUserName(opt[1])
+   elif opt[0] == "password":
+   db.setPassword(opt[1])
+   elif opt[0] == "dbname":
+   dbname = opt[1]
+   else:
+   dbname = opt
+
+   db.setDatabaseName(dbname)
+   if not db.open():
+   raise Exception("Failed to open database " + dbname + " 
error: " + db.lastError().text())
+   return db, dbname
+
 # Main
 
 def Main():
@@ -302,31 +338,8 @@ def Main():
except:
pass
 
-   if is_sqlite3:
-   db = QSqlDatabase.addDatabase('QSQLITE')
-   else:
-   db = QSqlDatabase.addDatabase('QPSQL')
-   opts = dbname.split()
-   for opt in opts:
-   if '=' in opt:
-   opt = opt.split('=')
-   if opt[0] == 'hostname':
-   db.setHostName(opt[1])
-   elif opt[0] == 'port':
-   db.setPort(int(opt[1]))
-   elif opt[0] == 'username':
-   db.setUserName(opt[1])
-   elif opt[0] == 'password':
-   db.setPassword(opt[1])
-   elif opt[0] == 'dbname':
-   dbname = opt[1]
-   else:
-   dbname = opt
-
-   db.setDatabaseName(dbname)
-   if not db.open():
-   raise Exception("Failed to open database " + dbname + " error: 
" + db.lastError().text())
-
+   dbref = DBRef(is_sqlite3, dbname)
+   db, dbname = dbref.Open("main")
app = QApplication(sys.argv)
window = MainWindow(db, dbname)
window.show()
-- 
2.17.1

[PATCH 02/19] perf scripts python: call-graph-from-sql.py: Provide better default column sizes

[Adrian Hunter]

Set initial column sizes to improve initial display.

Signed-off-by: Adrian Hunter 
---
 tools/perf/scripts/python/call-graph-from-sql.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tools/perf/scripts/python/call-graph-from-sql.py 
b/tools/perf/scripts/python/call-graph-from-sql.py
index ce1b91fcd6b8..e1014f2628a7 100644
--- a/tools/perf/scripts/python/call-graph-from-sql.py
+++ b/tools/perf/scripts/python/call-graph-from-sql.py
@@ -280,6 +280,9 @@ class MainWindow(QMainWindow):
self.view = QTreeView()
self.view.setModel(self.model)
 
+   for c, w in ((0, 250), (1, 100), (2, 60), (3, 70), (4, 70), (5, 
100)):
+   self.view.setColumnWidth(c, w)
+
self.setCentralWidget(self.view)
 
 if __name__ == '__main__':
-- 
2.17.1

[PATCH 00/19] perf scripts python: call-graph-from-sql.py / exported-sql-viewer.py disassembly

[Adrian Hunter]

Hi

Here are some patches to the call-graph-from-sql.py script which is renamed
exported-sql-viewer.py in patch 12 "perf scripts python: 
call-graph-from-sql.py: Rename to exported-sql-viewer.py".  The purpose of
these patches is to add support for disassembly - refer patch 23 "perf
scripts python: exported-sql-viewer.py: Add All branches report"


Adrian Hunter (19):
  perf scripts python: call-graph-from-sql.py: Use SPDX license identifier
  perf scripts python: call-graph-from-sql.py: Provide better default 
column sizes
  perf scripts python: call-graph-from-sql.py: Set a minimum window size
  perf scripts python: call-graph-from-sql.py: Change icon
  perf scripts python: call-graph-from-sql.py: Make a "Main" function
  perf scripts python: call-graph-from-sql.py: Separate the database 
details into a class
  perf scripts python: call-graph-from-sql.py: Add a class for global data
  perf scripts python: call-graph-from-sql.py: Remove use of setObjectName()
  perf scripts python: call-graph-from-sql.py: Factor out CallGraphModel 
from TreeModel
  perf scripts python: call-graph-from-sql.py: Add data helper functions
  perf scripts python: call-graph-from-sql.py: Refactor TreeItem class
  perf scripts python: call-graph-from-sql.py: Rename to 
exported-sql-viewer.py
  perf scripts python: exported-sql-viewer.py: Add support for multiple 
sub-windows
  perf scripts python: exported-sql-viewer.py: Add ability to find symbols 
in the call-graph
  perf scripts python: exported-sql-viewer.py: Add ability to shrink / 
enlarge font
  perf scripts python: exported-sql-viewer.py: Add ability to display all 
the database tables
  perf scripts python: exported-sql-viewer.py: Add All branches report
  perf scripts python: exported-sql-viewer.py: Add Selected branches report
  perf scripts python: exported-sql-viewer.py: Add help window

 tools/perf/Documentation/intel-pt.txt |2 +-
 tools/perf/scripts/python/call-graph-from-sql.py  |  339 ---
 tools/perf/scripts/python/export-to-postgresql.py |2 +-
 tools/perf/scripts/python/export-to-sqlite.py |2 +-
 tools/perf/scripts/python/exported-sql-viewer.py  | 2536 +
 5 files changed, 2539 insertions(+), 342 deletions(-)
 delete mode 100644 tools/perf/scripts/python/call-graph-from-sql.py
 create mode 100755 tools/perf/scripts/python/exported-sql-viewer.py


Regards
Adrian

[PATCH 04/19] perf scripts python: call-graph-from-sql.py: Change icon

[Adrian Hunter]

There are not many standard icons, but the computer icon looks slightly
better than the information icon.

Signed-off-by: Adrian Hunter 
---
 tools/perf/scripts/python/call-graph-from-sql.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/tools/perf/scripts/python/call-graph-from-sql.py 
b/tools/perf/scripts/python/call-graph-from-sql.py
index 68153fa1b4d1..2e33540f3de0 100644
--- a/tools/perf/scripts/python/call-graph-from-sql.py
+++ b/tools/perf/scripts/python/call-graph-from-sql.py
@@ -271,9 +271,7 @@ class MainWindow(QMainWindow):
self.setWindowTitle("Call Graph: " + dbname)
self.move(100, 100)
self.resize(800, 600)
-   style = self.style()
-   icon = style.standardIcon(QStyle.SP_MessageBoxInformation)
-   self.setWindowIcon(icon);
+   
self.setWindowIcon(self.style().standardIcon(QStyle.SP_ComputerIcon))
self.setMinimumSize(200, 100)
 
self.model = TreeModel(db)
-- 
2.17.1

[PATCH 18/19] perf scripts python: exported-sql-viewer.py: Add Selected branches report

[Adrian Hunter]

Fetching data from the database can be slow. Add a report that provides the
ability to select a subset of branches.

Signed-off-by: Adrian Hunter 
---
 .../scripts/python/exported-sql-viewer.py | 268 ++
 1 file changed, 268 insertions(+)

diff --git a/tools/perf/scripts/python/exported-sql-viewer.py 
b/tools/perf/scripts/python/exported-sql-viewer.py
index 47de923655e9..933066ee26bd 100755
--- a/tools/perf/scripts/python/exported-sql-viewer.py
+++ b/tools/perf/scripts/python/exported-sql-viewer.py
@@ -1464,6 +1464,266 @@ class BranchWindow(QMdiSubWindow):
else:
self.find_bar.NotFound()
 
+# Dialog data item converted and validated using a SQL table
+
+class SQLTableDialogDataItem():
+
+   def __init__(self, glb, label, placeholder_text, table_name, 
match_column, column_name1, column_name2, parent):
+   self.glb = glb
+   self.label = label
+   self.placeholder_text = placeholder_text
+   self.table_name = table_name
+   self.match_column = match_column
+   self.column_name1 = column_name1
+   self.column_name2 = column_name2
+   self.parent = parent
+
+   self.value = ""
+
+   self.widget = QLineEdit()
+   self.widget.editingFinished.connect(self.Validate)
+   self.widget.textChanged.connect(self.Invalidate)
+   self.red = False
+   self.error = ""
+   self.validated = True
+
+   self.last_id = 0
+   self.first_time = 0
+   self.last_time = 2 ** 64
+   if self.column_name1 == "samples.id":
+   query = QSqlQuery(self.glb.db)
+   QueryExec(query, "SELECT id, time FROM samples ORDER BY 
id DESC LIMIT 1")
+   if query.next():
+   self.last_id = int(query.value(0))
+   self.last_time = int(query.value(1))
+   QueryExec(query, "SELECT time FROM samples WHERE time 
!= 0 ORDER BY id LIMIT 1")
+   if query.next():
+   self.first_time = int(query.value(0))
+   if placeholder_text:
+   placeholder_text += ", between " + 
str(self.first_time) + " and " + str(self.last_time)
+
+   if placeholder_text:
+   self.widget.setPlaceholderText(placeholder_text)
+
+   def ValueToIds(self, value):
+   ids = []
+   query = QSqlQuery(self.glb.db)
+   stmt = "SELECT id FROM " + self.table_name + " WHERE " + 
self.match_column + " = '" + value + "'"
+   ret = query.exec_(stmt)
+   if ret:
+   while query.next():
+   ids.append(str(query.value(0)))
+   return ids
+
+   def IdBetween(self, query, lower_id, higher_id, order):
+   QueryExec(query, "SELECT id FROM samples WHERE id > " + 
str(lower_id) + " AND id < " + str(higher_id) + " ORDER BY id " + order + " 
LIMIT 1")
+   if query.next():
+   return True, int(query.value(0))
+   else:
+   return False, 0
+
+   def BinarySearchTime(self, lower_id, higher_id, target_time, get_floor):
+   query = QSqlQuery(self.glb.db)
+   while True:
+   next_id = int((lower_id + higher_id) / 2)
+   QueryExec(query, "SELECT time FROM samples WHERE id = " 
+ str(next_id))
+   if not query.next():
+   ok, dbid = self.IdBetween(query, lower_id, 
next_id, "DESC")
+   if not ok:
+   ok, dbid = self.IdBetween(query, 
next_id, higher_id, "")
+   if not ok:
+   return str(higher_id)
+   next_id = dbid
+   QueryExec(query, "SELECT time FROM samples 
WHERE id = " + str(next_id))
+   next_time = int(query.value(0))
+   if get_floor:
+   if target_time > next_time:
+   lower_id = next_id
+   else:
+   higher_id = next_id
+   if higher_id <= lower_id + 1:
+   return str(higher_id)
+   else:
+   if target_time >= next_time:
+   lower_id = next_id
+   else:
+   higher_id = next_id
+   if higher_id <= lower_id + 1:
+   return

[PATCH 15/19] perf scripts python: exported-sql-viewer.py: Add ability to shrink / enlarge font

[Adrian Hunter]

Shrinking the font allows more information to display.

Signed-off-by: Adrian Hunter 
---
 .../scripts/python/exported-sql-viewer.py | 24 +++
 1 file changed, 24 insertions(+)

diff --git a/tools/perf/scripts/python/exported-sql-viewer.py 
b/tools/perf/scripts/python/exported-sql-viewer.py
index 0386a600ffc7..310ba7147583 100755
--- a/tools/perf/scripts/python/exported-sql-viewer.py
+++ b/tools/perf/scripts/python/exported-sql-viewer.py
@@ -706,6 +706,20 @@ class WindowMenu():
def setActiveSubWindow(self, nr):

self.mdi_area.setActiveSubWindow(self.mdi_area.subWindowList()[nr - 1])
 
+# Font resize
+
+def ResizeFont(widget, diff):
+   font = widget.font()
+   sz = font.pointSize()
+   font.setPointSize(sz + diff)
+   widget.setFont(font)
+
+def ShrinkFont(widget):
+   ResizeFont(widget, -1)
+
+def EnlargeFont(widget):
+   ResizeFont(widget, 1)
+
 # Unique name for sub-windows
 
 def NumberedWindowName(name, nr):
@@ -765,6 +779,8 @@ class MainWindow(QMainWindow):
 
edit_menu = menu.addMenu("&Edit")
edit_menu.addAction(CreateAction("&Find...", "Find items", 
self.Find, self, QKeySequence.Find))
+   edit_menu.addAction(CreateAction("&Shrink Font", "Make text 
smaller", self.ShrinkFont, self, [QKeySequence("Ctrl+-")]))
+   edit_menu.addAction(CreateAction("&Enlarge Font", "Make text 
bigger", self.EnlargeFont, self, [QKeySequence("Ctrl++")]))
 
reports_menu = menu.addMenu("&Reports")
reports_menu.addAction(CreateAction("Context-Sensitive Call 
&Graph", "Create a new window containing a context-sensitive call graph", 
self.NewCallGraph, self))
@@ -779,6 +795,14 @@ class MainWindow(QMainWindow):
except:
pass
 
+   def ShrinkFont(self):
+   win = self.mdi_area.activeSubWindow()
+   ShrinkFont(win.view)
+
+   def EnlargeFont(self):
+   win = self.mdi_area.activeSubWindow()
+   EnlargeFont(win.view)
+
def NewCallGraph(self):
CallGraphWindow(self.glb, self)
 
-- 
2.17.1

[PATCH 07/19] perf scripts python: call-graph-from-sql.py: Add a class for global data

[Adrian Hunter]

Keep global data in a single object that is easy to pass around as needed,
without polluting the global namespace.

Signed-off-by: Adrian Hunter 
---
 .../scripts/python/call-graph-from-sql.py | 26 +++
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/tools/perf/scripts/python/call-graph-from-sql.py 
b/tools/perf/scripts/python/call-graph-from-sql.py
index 9d056deab2b1..0a4dc13d4818 100644
--- a/tools/perf/scripts/python/call-graph-from-sql.py
+++ b/tools/perf/scripts/python/call-graph-from-sql.py
@@ -264,17 +264,19 @@ class TreeModel(QAbstractItemModel):
 
 class MainWindow(QMainWindow):
 
-   def __init__(self, db, dbname, parent=None):
+   def __init__(self, glb, parent=None):
super(MainWindow, self).__init__(parent)
 
+   self.glb = glb
+
self.setObjectName("MainWindow")
-   self.setWindowTitle("Call Graph: " + dbname)
+   self.setWindowTitle("Call Graph: " + glb.dbname)
self.move(100, 100)
self.resize(800, 600)

self.setWindowIcon(self.style().standardIcon(QStyle.SP_ComputerIcon))
self.setMinimumSize(200, 100)
 
-   self.model = TreeModel(db)
+   self.model = TreeModel(glb.db)
 
self.view = QTreeView()
self.view.setModel(self.model)
@@ -284,6 +286,17 @@ class MainWindow(QMainWindow):
 
self.setCentralWidget(self.view)
 
+# Global data
+
+class Glb():
+
+   def __init__(self, dbref, db, dbname):
+   self.dbref = dbref
+   self.db = db
+   self.dbname = dbname
+   self.app = None
+   self.mainwindow = None
+
 # Database reference
 
 class DBRef():
@@ -340,9 +353,12 @@ def Main():
 
dbref = DBRef(is_sqlite3, dbname)
db, dbname = dbref.Open("main")
+   glb = Glb(dbref, db, dbname)
app = QApplication(sys.argv)
-   window = MainWindow(db, dbname)
-   window.show()
+   glb.app = app
+   mainwindow = MainWindow(glb)
+   glb.mainwindow = mainwindow
+   mainwindow.show()
err = app.exec_()
db.close()
sys.exit(err)
-- 
2.17.1

[PATCH 17/19] perf scripts python: exported-sql-viewer.py: Add All branches report

[Adrian Hunter]

Add a report to display branches in a similar fashion to perf script. The
main purpose of this report is to display disassembly, however, presently,
the only supported disassembler is Intel XED, and additionally the object
code must be present in perf build ID cache.

To use Intel XED, libxed.so must be present. To build and install
libxed.so:
git clone https://github.com/intelxed/mbuild.git mbuild
git clone https://github.com/intelxed/xed
cd xed
./mfile.py --share
sudo ./mfile.py --prefix=/usr/local install
sudo ldconfig

Signed-off-by: Adrian Hunter 
---
 .../scripts/python/exported-sql-viewer.py | 545 ++
 1 file changed, 545 insertions(+)

diff --git a/tools/perf/scripts/python/exported-sql-viewer.py 
b/tools/perf/scripts/python/exported-sql-viewer.py
index ef822d850109..47de923655e9 100755
--- a/tools/perf/scripts/python/exported-sql-viewer.py
+++ b/tools/perf/scripts/python/exported-sql-viewer.py
@@ -46,6 +46,48 @@
 #  'Branch Count' is the total number of branches for that function and all
 #   functions that it calls
 
+# There is also a "All branches" report, which displays branches and
+# possibly disassembly.  However, presently, the only supported disassembler is
+# Intel XED, and additionally the object code must be present in perf build ID
+# cache. To use Intel XED, libxed.so must be present. To build and install
+# libxed.so:
+#git clone https://github.com/intelxed/mbuild.git mbuild
+#git clone https://github.com/intelxed/xed
+#cd xed
+#./mfile.py --share
+#sudo ./mfile.py --prefix=/usr/local install
+#sudo ldconfig
+#
+# Example report:
+#
+# Time   CPU  Command  PIDTIDBranch TypeIn Tx  
Branch
+# 8107675239590  2ls   22011  22011  return from interrupt  No 
86a00a67 native_irq_return_iret ([kernel]) -> 7fab593ea260 _start 
(ld-2.19.so)
+#  
7fab593ea260 48 89 e7mov %rsp, %rdi
+# 8107675239899  2ls   22011  22011  hardware interrupt No 
7fab593ea260 _start (ld-2.19.so) -> 86a012e0 page_fault ([kernel])
+# 8107675241900  2ls   22011  22011  return from interrupt  No 
86a00a67 native_irq_return_iret ([kernel]) -> 7fab593ea260 _start 
(ld-2.19.so)
+#  
7fab593ea260 48 89 e7mov %rsp, %rdi
+#  
7fab593ea263 e8 c8 06 00 00  callq  
0x7fab593ea930
+# 8107675241900  2ls   22011  22011  call   No 
7fab593ea263 _start+0x3 (ld-2.19.so) -> 7fab593ea930 _dl_start (ld-2.19.so)
+#  
7fab593ea930 55  pushq  %rbp
+#  
7fab593ea931 48 89 e5mov %rsp, %rbp
+#  
7fab593ea934 41 57   pushq  %r15
+#  
7fab593ea936 41 56   pushq  %r14
+#  
7fab593ea938 41 55   pushq  %r13
+#  
7fab593ea93a 41 54   pushq  %r12
+#  
7fab593ea93c 53  pushq  %rbx
+#  
7fab593ea93d 48 89 fbmov %rdi, %rbx
+#  
7fab593ea940 48 83 ec 68 sub $0x68, %rsp
+#  
7fab593ea944 0f 31   rdtsc
+#  
7fab593ea946 48 c1 e2 20 shl $0x20, %rdx
+#  
7fab593ea94a 89 c0   mov %eax, %eax
+#  
7fab593ea94c 48 09 c2or %rax, %rdx
+#  

[PATCH 10/19] perf scripts python: call-graph-from-sql.py: Add data helper functions

[Adrian Hunter]

Add helper functions for a few common cases.

Signed-off-by: Adrian Hunter 
---
 .../scripts/python/call-graph-from-sql.py | 54 ++-
 1 file changed, 29 insertions(+), 25 deletions(-)

diff --git a/tools/perf/scripts/python/call-graph-from-sql.py 
b/tools/perf/scripts/python/call-graph-from-sql.py
index ada486048ad8..7f2eabe7dacd 100644
--- a/tools/perf/scripts/python/call-graph-from-sql.py
+++ b/tools/perf/scripts/python/call-graph-from-sql.py
@@ -52,6 +52,28 @@ from PySide.QtGui import *
 from PySide.QtSql import *
 from decimal import *
 
+# Data formatting helpers
+
+def dsoname(name):
+   if name == "[kernel.kallsyms]":
+   return "[kernel]"
+   return name
+
+# Percent to one decimal place
+
+def PercentToOneDP(n, d):
+   if not d:
+   return "0.0"
+   x = (n * Decimal(100)) / d
+   return str(x.quantize(Decimal(".1"), rounding=ROUND_HALF_UP))
+
+# Helper for queries that must not fail
+
+def QueryExec(query, stmt):
+   ret = query.exec_(stmt)
+   if not ret:
+   raise Exception("Query failed: " + query.lastError().text())
+
 class TreeItem():
 
def __init__(self, db, row, parent_item):
@@ -73,9 +95,7 @@ class TreeItem():
def setUpRoot(self):
self.query_done = True
query = QSqlQuery(self.db)
-   ret = query.exec_('SELECT id, comm FROM comms')
-   if not ret:
-   raise Exception("Query failed: " + 
query.lastError().text())
+   QueryExec(query, 'SELECT id, comm FROM comms')
while query.next():
if not query.value(0):
continue
@@ -91,9 +111,7 @@ class TreeItem():
self.child_items = []
self.child_count = 0
query = QSqlQuery(self.db)
-   ret = query.exec_('SELECT thread_id, ( SELECT pid FROM threads 
WHERE id = thread_id ), ( SELECT tid FROM threads WHERE id = thread_id ) FROM 
comm_threads WHERE comm_id = ' + str(comm_id))
-   if not ret:
-   raise Exception("Query failed: " + 
query.lastError().text())
+   QueryExec(query, 'SELECT thread_id, ( SELECT pid FROM threads 
WHERE id = thread_id ), ( SELECT tid FROM threads WHERE id = thread_id ) FROM 
comm_threads WHERE comm_id = ' + str(comm_id))
while query.next():
child_item = TreeItem(self.db, self.child_count, self)
self.child_items.append(child_item)
@@ -114,18 +132,6 @@ class TreeItem():
def getRow(self):
return self.row
 
-   def timePercent(self, b):
-   if not self.time:
-   return "0.0"
-   x = (b * Decimal(100)) / self.time
-   return str(x.quantize(Decimal('.1'), rounding=ROUND_HALF_UP))
-
-   def branchPercent(self, b):
-   if not self.branch_count:
-   return "0.0"
-   x = (b * Decimal(100)) / self.branch_count
-   return str(x.quantize(Decimal('.1'), rounding=ROUND_HALF_UP))
-
def addChild(self, call_path_id, name, dso, count, time, branch_count):
child_item = TreeItem(self.db, self.child_count, self)
child_item.comm_id = self.comm_id
@@ -134,14 +140,12 @@ class TreeItem():
child_item.branch_count = branch_count
child_item.time = time
child_item.data[0] = name
-   if dso == "[kernel.kallsyms]":
-   dso = "[kernel]"
-   child_item.data[1] = dso
+   child_item.data[1] = dsoname(dso)
child_item.data[2] = str(count)
child_item.data[3] = str(time)
-   child_item.data[4] = self.timePercent(time)
+   child_item.data[4] = PercentToOneDP(time, self.time)
child_item.data[5] = str(branch_count)
-   child_item.data[6] = self.branchPercent(branch_count)
+   child_item.data[6] = PercentToOneDP(branch_count, 
self.branch_count)
self.child_items.append(child_item)
self.child_count += 1
 
@@ -189,12 +193,12 @@ class TreeItem():
self.branch_count = total_branch_count
if self.branch_count:
for child_item in self.child_items:
-   child_item.data[6] = 
self.branchPercent(child_item.branch_count)
+   child_item.data[6] = 
PercentToOneDP(child_item.branch_count, self.branch_count)
if total_time > self.time:
self.time = total_time
if self.time:
for child_item in self.child_items:
-   child_item.data[4] = 
self.timePercent(child_item.time)
+  

[PATCH 14/19] perf scripts python: exported-sql-viewer.py: Add ability to find symbols in the call-graph

[Adrian Hunter]

Add a Find bar that appears at the bottom of the call-graph window.

Signed-off-by: Adrian Hunter 
---
 .../scripts/python/exported-sql-viewer.py | 306 +-
 1 file changed, 305 insertions(+), 1 deletion(-)

diff --git a/tools/perf/scripts/python/exported-sql-viewer.py 
b/tools/perf/scripts/python/exported-sql-viewer.py
index c2f44351821e..0386a600ffc7 100755
--- a/tools/perf/scripts/python/exported-sql-viewer.py
+++ b/tools/perf/scripts/python/exported-sql-viewer.py
@@ -49,6 +49,7 @@
 import sys
 import weakref
 import threading
+import string
 from PySide.QtCore import *
 from PySide.QtGui import *
 from PySide.QtSql import *
@@ -76,6 +77,27 @@ def QueryExec(query, stmt):
if not ret:
raise Exception("Query failed: " + query.lastError().text())
 
+# Background thread
+
+class Thread(QThread):
+
+   done = Signal(object)
+
+   def __init__(self, task, param=None, parent=None):
+   super(Thread, self).__init__(parent)
+   self.task = task
+   self.param = param
+
+   def run(self):
+   while True:
+   if self.param is None:
+   done, result = self.task()
+   else:
+   done, result = self.task(self.param)
+   self.done.emit(result)
+   if done:
+   break
+
 # Tree data model
 
 class TreeModel(QAbstractItemModel):
@@ -157,6 +179,125 @@ def LookupCreateModel(model_name, create_fn):
model_cache_lock.release()
return model
 
+# Find bar
+
+class FindBar():
+
+   def __init__(self, parent, finder, is_reg_expr=False):
+   self.finder = finder
+   self.context = []
+   self.last_value = None
+   self.last_pattern = None
+
+   label = QLabel("Find:")
+   label.setSizePolicy(QSizePolicy.Fixed, QSizePolicy.Fixed)
+
+   self.textbox = QComboBox()
+   self.textbox.setEditable(True)
+   self.textbox.currentIndexChanged.connect(self.ValueChanged)
+
+   self.progress = QProgressBar()
+   self.progress.setRange(0, 0)
+   self.progress.hide()
+
+   if is_reg_expr:
+   self.pattern = QCheckBox("Regular Expression")
+   else:
+   self.pattern = QCheckBox("Pattern")
+   self.pattern.setSizePolicy(QSizePolicy.Fixed, QSizePolicy.Fixed)
+
+   self.next_button = QToolButton()
+   
self.next_button.setIcon(parent.style().standardIcon(QStyle.SP_ArrowDown))
+   self.next_button.released.connect(lambda: self.NextPrev(1))
+
+   self.prev_button = QToolButton()
+   
self.prev_button.setIcon(parent.style().standardIcon(QStyle.SP_ArrowUp))
+   self.prev_button.released.connect(lambda: self.NextPrev(-1))
+
+   self.close_button = QToolButton()
+   
self.close_button.setIcon(parent.style().standardIcon(QStyle.SP_DockWidgetCloseButton))
+   self.close_button.released.connect(self.Deactivate)
+
+   self.hbox = QHBoxLayout()
+   self.hbox.setContentsMargins(0, 0, 0, 0)
+
+   self.hbox.addWidget(label)
+   self.hbox.addWidget(self.textbox)
+   self.hbox.addWidget(self.progress)
+   self.hbox.addWidget(self.pattern)
+   self.hbox.addWidget(self.next_button)
+   self.hbox.addWidget(self.prev_button)
+   self.hbox.addWidget(self.close_button)
+
+   self.bar = QWidget()
+   self.bar.setLayout(self.hbox);
+   self.bar.hide()
+
+   def Widget(self):
+   return self.bar
+
+   def Activate(self):
+   self.bar.show()
+   self.textbox.setFocus()
+
+   def Deactivate(self):
+   self.bar.hide()
+
+   def Busy(self):
+   self.textbox.setEnabled(False)
+   self.pattern.hide()
+   self.next_button.hide()
+   self.prev_button.hide()
+   self.progress.show()
+
+   def Idle(self):
+   self.textbox.setEnabled(True)
+   self.progress.hide()
+   self.pattern.show()
+   self.next_button.show()
+   self.prev_button.show()
+
+   def Find(self, direction):
+   value = self.textbox.currentText()
+   pattern = self.pattern.isChecked()
+   self.last_value = value
+   self.last_pattern = pattern
+   self.finder.Find(value, direction, pattern, self.context)
+
+   def ValueChanged(self):
+   value = self.textbox.currentText()
+   pattern = self.pattern.isChecked()
+   index = self.textbox.currentIndex()
+   data = self.textbox.itemDa

[PATCH 09/19] perf scripts python: call-graph-from-sql.py: Factor out CallGraphModel from TreeModel

[Adrian Hunter]

Factor out CallGraphModel from TreeModel, which paves the way to reuse
TreeModel in future reports.

Signed-off-by: Adrian Hunter 
---
 .../scripts/python/call-graph-from-sql.py | 90 +--
 1 file changed, 61 insertions(+), 29 deletions(-)

diff --git a/tools/perf/scripts/python/call-graph-from-sql.py 
b/tools/perf/scripts/python/call-graph-from-sql.py
index 65c18e351bc4..ada486048ad8 100644
--- a/tools/perf/scripts/python/call-graph-from-sql.py
+++ b/tools/perf/scripts/python/call-graph-from-sql.py
@@ -201,42 +201,47 @@ class TreeItem():
self.selectCalls()
return self.child_count
 
-   def columnCount(self):
-   return 7
-
-   def columnHeader(self, column):
-   headers = ["Call Path", "Object", "Count ", "Time (ns) ", "Time 
(%) ", "Branch Count ", "Branch Count (%) "]
-   return headers[column]
+   def hasChildren(self):
+   if not self.query_done:
+   return True
+   return self.child_count > 0
 
def getData(self, column):
return self.data[column]
 
+# Tree data model
+
 class TreeModel(QAbstractItemModel):
 
-   def __init__(self, db, parent=None):
+   def __init__(self, root, parent=None):
super(TreeModel, self).__init__(parent)
-   self.db = db
-   self.root = TreeItem(db, 0, None)
+   self.root = root
+   self.last_row_read = 0
 
-   def columnCount(self, parent):
-   return self.root.columnCount()
-
-   def rowCount(self, parent):
+   def Item(self, parent):
if parent.isValid():
-   parent_item = parent.internalPointer()
+   return parent.internalPointer()
else:
-   parent_item = self.root
-   return parent_item.childCount()
+   return self.root
+
+   def rowCount(self, parent):
+   result = self.Item(parent).childCount()
+   if result < 0:
+   result = 0
+   self.dataChanged.emit(parent, parent)
+   return result
+
+   def hasChildren(self, parent):
+   return self.Item(parent).hasChildren()
 
def headerData(self, section, orientation, role):
if role == Qt.TextAlignmentRole:
-   if section > 1:
-   return Qt.AlignRight
+   return self.columnAlignment(section)
if role != Qt.DisplayRole:
return None
if orientation != Qt.Horizontal:
return None
-   return self.root.columnHeader(section)
+   return self.columnHeader(section)
 
def parent(self, child):
child_item = child.internalPointer()
@@ -246,21 +251,48 @@ class TreeModel(QAbstractItemModel):
return self.createIndex(parent_item.getRow(), 0, parent_item)
 
def index(self, row, column, parent):
-   if parent.isValid():
-   parent_item = parent.internalPointer()
-   else:
-   parent_item = self.root
-   child_item = parent_item.getChildItem(row)
+   child_item = self.Item(parent).getChildItem(row)
return self.createIndex(row, column, child_item)
 
+   def DisplayData(self, item, index):
+   return item.getData(index.column())
+
+   def columnAlignment(self, column):
+   return Qt.AlignLeft
+
+   def columnFont(self, column):
+   return None
+
def data(self, index, role):
if role == Qt.TextAlignmentRole:
-   if index.column() > 1:
-   return Qt.AlignRight
+   return self.columnAlignment(index.column())
+   if role == Qt.FontRole:
+   return self.columnFont(index.column())
if role != Qt.DisplayRole:
return None
-   index_item = index.internalPointer()
-   return index_item.getData(index.column())
+   item = index.internalPointer()
+   return self.DisplayData(item, index)
+
+# Context-sensitive call graph data model
+
+class CallGraphModel(TreeModel):
+
+   def __init__(self, glb, parent=None):
+   super(CallGraphModel, self).__init__(TreeItem(glb.db, 0, None), 
parent)
+   self.glb = glb
+
+   def columnCount(self, parent=None):
+   return 7
+
+   def columnHeader(self, column):
+   headers = ["Call Path", "Object", "Count ", "Time (ns) ", "Time 
(%) ", "Branch Count ", "Branch Count (%) "]
+   return headers[column]
+
+   def columnAlignment(self, column):
+   alignment = [ Qt.AlignLeft, 

[PATCH 16/19] perf scripts python: exported-sql-viewer.py: Add ability to display all the database tables

[Adrian Hunter]

Displaying all the database tables can help make the database easier to
understand.

Signed-off-by: Adrian Hunter 
---
 .../scripts/python/exported-sql-viewer.py | 694 ++
 1 file changed, 694 insertions(+)

diff --git a/tools/perf/scripts/python/exported-sql-viewer.py 
b/tools/perf/scripts/python/exported-sql-viewer.py
index 310ba7147583..ef822d850109 100755
--- a/tools/perf/scripts/python/exported-sql-viewer.py
+++ b/tools/perf/scripts/python/exported-sql-viewer.py
@@ -50,10 +50,15 @@ import sys
 import weakref
 import threading
 import string
+import cPickle
+import re
+import os
 from PySide.QtCore import *
 from PySide.QtGui import *
 from PySide.QtSql import *
 from decimal import *
+from ctypes import *
+from multiprocessing import Process, Array, Value, Event
 
 # Data formatting helpers
 
@@ -146,6 +151,68 @@ class TreeModel(QAbstractItemModel):
def DisplayData(self, item, index):
return item.getData(index.column())
 
+   def FetchIfNeeded(self, row):
+   if row > self.last_row_read:
+   self.last_row_read = row
+   if row + 10 >= self.root.child_count:
+   self.fetcher.Fetch(glb_chunk_sz)
+
+   def columnAlignment(self, column):
+   return Qt.AlignLeft
+
+   def columnFont(self, column):
+   return None
+
+   def data(self, index, role):
+   if role == Qt.TextAlignmentRole:
+   return self.columnAlignment(index.column())
+   if role == Qt.FontRole:
+   return self.columnFont(index.column())
+   if role != Qt.DisplayRole:
+   return None
+   item = index.internalPointer()
+   return self.DisplayData(item, index)
+
+# Table data model
+
+class TableModel(QAbstractTableModel):
+
+   def __init__(self, parent=None):
+   super(TableModel, self).__init__(parent)
+   self.child_count = 0
+   self.child_items = []
+   self.last_row_read = 0
+
+   def Item(self, parent):
+   if parent.isValid():
+   return parent.internalPointer()
+   else:
+   return self
+
+   def rowCount(self, parent):
+   return self.child_count
+
+   def headerData(self, section, orientation, role):
+   if role == Qt.TextAlignmentRole:
+   return self.columnAlignment(section)
+   if role != Qt.DisplayRole:
+   return None
+   if orientation != Qt.Horizontal:
+   return None
+   return self.columnHeader(section)
+
+   def index(self, row, column, parent):
+   return self.createIndex(row, column, self.child_items[row])
+
+   def DisplayData(self, item, index):
+   return item.getData(index.column())
+
+   def FetchIfNeeded(self, row):
+   if row > self.last_row_read:
+   self.last_row_read = row
+   if row + 10 >= self.child_count:
+   self.fetcher.Fetch(glb_chunk_sz)
+
def columnAlignment(self, column):
return Qt.AlignLeft
 
@@ -620,6 +687,601 @@ class CallGraphWindow(QMdiSubWindow):
if not found:
self.find_bar.NotFound()
 
+# Child data item  finder
+
+class ChildDataItemFinder():
+
+   def __init__(self, root):
+   self.root = root
+   self.value, self.direction, self.pattern, self.last_value, 
self.last_pattern = (None,) * 5
+   self.rows = []
+   self.pos = 0
+
+   def FindSelect(self):
+   self.rows = []
+   if self.pattern:
+   pattern = re.compile(self.value)
+   for child in self.root.child_items:
+   for column_data in child.data:
+   if re.search(pattern, str(column_data)) 
is not None:
+   self.rows.append(child.row)
+   break
+   else:
+   for child in self.root.child_items:
+   for column_data in child.data:
+   if self.value in str(column_data):
+   self.rows.append(child.row)
+   break
+
+   def FindValue(self):
+   self.pos = 0
+   if self.last_value != self.value or self.pattern != 
self.last_pattern:
+   self.FindSelect()
+   if not len(self.rows):
+   return -1
+   return self.rows[self.pos]
+
+   def FindThread(self):
+   if self.direction == 0 or self.value != se

[PATCH 11/19] perf scripts python: call-graph-from-sql.py: Refactor TreeItem class

[Adrian Hunter]

class TreeItem represents items at all levels of the call-graph tree.
However, not all the levels represent the same data i.e. the top-level is
comms, the next level is threads, and subsequent levels are functions.
Consequently it is simpler to have separate classes for different levels
with commonality in a base class. Refactor TreeItem class accordingly.

Signed-off-by: Adrian Hunter 
---
 .../scripts/python/call-graph-from-sql.py | 273 +-
 1 file changed, 133 insertions(+), 140 deletions(-)

diff --git a/tools/perf/scripts/python/call-graph-from-sql.py 
b/tools/perf/scripts/python/call-graph-from-sql.py
index 7f2eabe7dacd..ee1085169a3e 100644
--- a/tools/perf/scripts/python/call-graph-from-sql.py
+++ b/tools/perf/scripts/python/call-graph-from-sql.py
@@ -74,145 +74,6 @@ def QueryExec(query, stmt):
if not ret:
raise Exception("Query failed: " + query.lastError().text())
 
-class TreeItem():
-
-   def __init__(self, db, row, parent_item):
-   self.db = db
-   self.row = row
-   self.parent_item = parent_item
-   self.query_done = False;
-   self.child_count = 0
-   self.child_items = []
-   self.data = ["", "", "", "", "", "", ""]
-   self.comm_id = 0
-   self.thread_id = 0
-   self.call_path_id = 1
-   self.branch_count = 0
-   self.time = 0
-   if not parent_item:
-   self.setUpRoot()
-
-   def setUpRoot(self):
-   self.query_done = True
-   query = QSqlQuery(self.db)
-   QueryExec(query, 'SELECT id, comm FROM comms')
-   while query.next():
-   if not query.value(0):
-   continue
-   child_item = TreeItem(self.db, self.child_count, self)
-   self.child_items.append(child_item)
-   self.child_count += 1
-   child_item.setUpLevel1(query.value(0), query.value(1))
-
-   def setUpLevel1(self, comm_id, comm):
-   self.query_done = True;
-   self.comm_id = comm_id
-   self.data[0] = comm
-   self.child_items = []
-   self.child_count = 0
-   query = QSqlQuery(self.db)
-   QueryExec(query, 'SELECT thread_id, ( SELECT pid FROM threads 
WHERE id = thread_id ), ( SELECT tid FROM threads WHERE id = thread_id ) FROM 
comm_threads WHERE comm_id = ' + str(comm_id))
-   while query.next():
-   child_item = TreeItem(self.db, self.child_count, self)
-   self.child_items.append(child_item)
-   self.child_count += 1
-   child_item.setUpLevel2(comm_id, query.value(0), 
query.value(1), query.value(2))
-
-   def setUpLevel2(self, comm_id, thread_id, pid, tid):
-   self.comm_id = comm_id
-   self.thread_id = thread_id
-   self.data[0] = str(pid) + ":" + str(tid)
-
-   def getChildItem(self, row):
-   return self.child_items[row]
-
-   def getParentItem(self):
-   return self.parent_item
-
-   def getRow(self):
-   return self.row
-
-   def addChild(self, call_path_id, name, dso, count, time, branch_count):
-   child_item = TreeItem(self.db, self.child_count, self)
-   child_item.comm_id = self.comm_id
-   child_item.thread_id = self.thread_id
-   child_item.call_path_id = call_path_id
-   child_item.branch_count = branch_count
-   child_item.time = time
-   child_item.data[0] = name
-   child_item.data[1] = dsoname(dso)
-   child_item.data[2] = str(count)
-   child_item.data[3] = str(time)
-   child_item.data[4] = PercentToOneDP(time, self.time)
-   child_item.data[5] = str(branch_count)
-   child_item.data[6] = PercentToOneDP(branch_count, 
self.branch_count)
-   self.child_items.append(child_item)
-   self.child_count += 1
-
-   def selectCalls(self):
-   self.query_done = True;
-   query = QSqlQuery(self.db)
-   ret = query.exec_('SELECT id, call_path_id, branch_count, 
call_time, return_time, '
- '( SELECT name FROM symbols WHERE id = ( 
SELECT symbol_id FROM call_paths WHERE id = call_path_id ) ), '
- '( SELECT short_name FROM dsos WHERE id = ( 
SELECT dso_id FROM symbols WHERE id = ( SELECT symbol_id FROM call_paths WHERE 
id = call_path_id ) ) ), '
- '( SELECT ip FROM call_paths where id = 
call_path_id ) '
- 'FROM calls WHERE parent_call_path_id = ' + 
str(self.call_path_id) + ' AND comm_id = ' + str(self.comm_id)

[PATCH 19/19] perf scripts python: exported-sql-viewer.py: Add help window

[Adrian Hunter]

Add a window to display help. It is also possible to display the help only, by
using the option "--help-only" instead of a database name.

Signed-off-by: Adrian Hunter 
---
 .../scripts/python/exported-sql-viewer.py | 144 +-
 1 file changed, 143 insertions(+), 1 deletion(-)

diff --git a/tools/perf/scripts/python/exported-sql-viewer.py 
b/tools/perf/scripts/python/exported-sql-viewer.py
index 933066ee26bd..ffead063f21a 100755
--- a/tools/perf/scripts/python/exported-sql-viewer.py
+++ b/tools/perf/scripts/python/exported-sql-viewer.py
@@ -2025,6 +2025,136 @@ class WindowMenu():
def setActiveSubWindow(self, nr):

self.mdi_area.setActiveSubWindow(self.mdi_area.subWindowList()[nr - 1])
 
+# Help text
+
+glb_help_text = """
+Contents
+
+p.c1 {
+text-indent: 40px;
+}
+p.c2 {
+text-indent: 80px;
+}
+}
+
+1. Reports
+1.1 Context-Sensitive Call Graph
+1.2 All branches
+1.3 Selected branches
+2. Tables
+1. Reports
+1.1 Context-Sensitive Call Graph
+The result is a GUI window with a tree representing a context-sensitive
+call-graph. Expanding a couple of levels of the tree and adjusting column
+widths to suit will display something like:
+
+ Call Graph: pt_example
+Call Path  Object  Count   Time(ns)  Time(%)  
Branch Count   Branch Count(%)
+v- ls
+v- 2638:2638
+v- _start  ld-2.19.so1 10074071   100.0
 211135100.0
+  |- unknown   unknown   113198 0.1
  1  0.0
+  >- _dl_start ld-2.19.so1  140098013.9
  19637  9.3
+  >- _d_linit_internal ld-2.19.so1   448152 4.4
  11094  5.3
+  v-__libc_start_main@plt  ls1  821174181.5
 180397 85.4
+ >- _dl_fixup  ld-2.19.so1 7607 0.1
108  0.1
+ >- __cxa_atexit   libc-2.19.so  111737 0.1
 10  0.0
+ >- __libc_csu_initls110354 0.1
 10  0.0
+ |- _setjmplibc-2.19.so  10 0.0
  4  0.0
+ v- main   ls1  818204399.6
 180254 99.9
+
+Points to note:
+
+The top level is a command name (comm)
+The next level is a thread (pid:tid)
+Subsequent levels are functions
+'Count' is the number of calls
+'Time' is the elapsed time until the function returns
+Percentages are relative to the level above
+'Branch Count' is the total number of branches for that function and all 
functions that it calls
+
+Find
+Ctrl-F displays a Find bar which finds function names by either an exact match 
or a pattern match.
+The pattern matching symbols are ? for any character and * for zero or more 
characters.
+1.2 All branches
+The All branches report displays all branches in chronological order.
+Not all data is fetched immediately. More records can be fetched using the 
Fetch bar provided.
+Disassembly
+Open a branch to display disassembly. This only works if:
+
+The disassembler is available. Currently, only Intel XED is supported - 
see Intel XED Setup
+The object code is available. Currently, only the perf build ID cache is 
searched for object code.
+The default directory ~/.debug can be overridden by setting environment 
variable PERF_BUILDID_DIR.
+One exception is kcore where the DSO long name is used (refer dsos_view on the 
Tables menu),
+or alternatively, set environment variable PERF_KCORE to the kcore file 
name.
+
+Intel XED Setup
+To use Intel XED, libxed.so must be present.  To build and install libxed.so:
+
+git clone https://github.com/intelxed/mbuild.git mbuild
+git clone https://github.com/intelxed/xed
+cd xed
+./mfile.py --share
+sudo ./mfile.py --prefix=/usr/local install
+sudo ldconfig
+
+Find
+Ctrl-F displays a Find bar which finds substrings by either an exact match or 
a regular expression match.
+Refer to Python documentation for the regular expression syntax.
+All columns are searched, but only currently fetched rows are searched.
+1.3 Selected branches
+This is the same as the All branches report but with 
the data reduced
+by various selection criteria. A dialog box displays available criteria which 
are AND'ed together.
+2. Tables
+The Tables menu shows all tables and views in the database. Most tables have 
an associated view
+which displays the information in a more friendly way. Not all data for large 
tables is fetched
+immediately. More records can be fetched using the Fetch bar provided. Columns 
can be sorted,
+but that can be slow for large tables.
+There are also tables of database meta-information.
+For SQLite3 databases, the sqlite_master table is included.
+For PostgreSQL databases, information_schema.tables/v

[PATCH 08/19] perf scripts python: call-graph-from-sql.py: Remove use of setObjectName()

[Adrian Hunter]

The object name is never used, so don't bother setting it.

Signed-off-by: Adrian Hunter 
---
 tools/perf/scripts/python/call-graph-from-sql.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tools/perf/scripts/python/call-graph-from-sql.py 
b/tools/perf/scripts/python/call-graph-from-sql.py
index 0a4dc13d4818..65c18e351bc4 100644
--- a/tools/perf/scripts/python/call-graph-from-sql.py
+++ b/tools/perf/scripts/python/call-graph-from-sql.py
@@ -269,7 +269,6 @@ class MainWindow(QMainWindow):
 
self.glb = glb
 
-   self.setObjectName("MainWindow")
self.setWindowTitle("Call Graph: " + glb.dbname)
self.move(100, 100)
self.resize(800, 600)
-- 
2.17.1

[PATCH 13/19] perf scripts python: exported-sql-viewer.py: Add support for multiple sub-windows

[Adrian Hunter]

Use Qt MDI (multiple document interface) to support multiple sub-windows.
Put the data model in a cache so that each sub-window can share the same
data. This allows mutiple views of the call-graph at the same time and
paves the way to add more reports.

Signed-off-by: Adrian Hunter 
---
 .../scripts/python/exported-sql-viewer.py | 182 +-
 1 file changed, 173 insertions(+), 9 deletions(-)

diff --git a/tools/perf/scripts/python/exported-sql-viewer.py 
b/tools/perf/scripts/python/exported-sql-viewer.py
index 03e7a1de7f31..c2f44351821e 100755
--- a/tools/perf/scripts/python/exported-sql-viewer.py
+++ b/tools/perf/scripts/python/exported-sql-viewer.py
@@ -47,6 +47,8 @@
 #   functions that it calls
 
 import sys
+import weakref
+import threading
 from PySide.QtCore import *
 from PySide.QtGui import *
 from PySide.QtSql import *
@@ -138,6 +140,23 @@ class TreeModel(QAbstractItemModel):
item = index.internalPointer()
return self.DisplayData(item, index)
 
+# Model cache
+
+model_cache = weakref.WeakValueDictionary()
+model_cache_lock = threading.Lock()
+
+def LookupCreateModel(model_name, create_fn):
+   model_cache_lock.acquire()
+   try:
+   model = model_cache[model_name]
+   except:
+   model = None
+   if model is None:
+   model = create_fn()
+   model_cache[model_name] = model
+   model_cache_lock.release()
+   return model
+
 # Context-sensitive call graph data model item base
 
 class CallGraphLevelItemBase(object):
@@ -289,6 +308,144 @@ class CallGraphModel(TreeModel):
alignment = [ Qt.AlignLeft, Qt.AlignLeft, Qt.AlignRight, 
Qt.AlignRight, Qt.AlignRight, Qt.AlignRight, Qt.AlignRight ]
return alignment[column]
 
+# Context-sensitive call graph window
+
+class CallGraphWindow(QMdiSubWindow):
+
+   def __init__(self, glb, parent=None):
+   super(CallGraphWindow, self).__init__(parent)
+
+   self.model = LookupCreateModel("Context-Sensitive Call Graph", 
lambda x=glb: CallGraphModel(x))
+
+   self.view = QTreeView()
+   self.view.setModel(self.model)
+
+   for c, w in ((0, 250), (1, 100), (2, 60), (3, 70), (4, 70), (5, 
100)):
+   self.view.setColumnWidth(c, w)
+
+   self.setWidget(self.view)
+
+   AddSubWindow(glb.mainwindow.mdi_area, self, "Context-Sensitive 
Call Graph")
+
+# Action Definition
+
+def CreateAction(label, tip, callback, parent=None, shortcut=None):
+   action = QAction(label, parent)
+   if shortcut != None:
+   action.setShortcuts(shortcut)
+   action.setStatusTip(tip)
+   action.triggered.connect(callback)
+   return action
+
+# Typical application actions
+
+def CreateExitAction(app, parent=None):
+   return CreateAction("&Quit", "Exit the application", 
app.closeAllWindows, parent, QKeySequence.Quit)
+
+# Typical MDI actions
+
+def CreateCloseActiveWindowAction(mdi_area):
+   return CreateAction("Cl&ose", "Close the active window", 
mdi_area.closeActiveSubWindow, mdi_area)
+
+def CreateCloseAllWindowsAction(mdi_area):
+   return CreateAction("Close &All", "Close all the windows", 
mdi_area.closeAllSubWindows, mdi_area)
+
+def CreateTileWindowsAction(mdi_area):
+   return CreateAction("&Tile", "Tile the windows", 
mdi_area.tileSubWindows, mdi_area)
+
+def CreateCascadeWindowsAction(mdi_area):
+   return CreateAction("&Cascade", "Cascade the windows", 
mdi_area.cascadeSubWindows, mdi_area)
+
+def CreateNextWindowAction(mdi_area):
+   return CreateAction("Ne&xt", "Move the focus to the next window", 
mdi_area.activateNextSubWindow, mdi_area, QKeySequence.NextChild)
+
+def CreatePreviousWindowAction(mdi_area):
+   return CreateAction("Pre&vious", "Move the focus to the previous 
window", mdi_area.activatePreviousSubWindow, mdi_area, 
QKeySequence.PreviousChild)
+
+# Typical MDI window menu
+
+class WindowMenu():
+
+   def __init__(self, mdi_area, menu):
+   self.mdi_area = mdi_area
+   self.window_menu = menu.addMenu("&Windows")
+   self.close_active_window = 
CreateCloseActiveWindowAction(mdi_area)
+   self.close_all_windows = CreateCloseAllWindowsAction(mdi_area)
+   self.tile_windows = CreateTileWindowsAction(mdi_area)
+   self.cascade_windows = CreateCascadeWindowsAction(mdi_area)
+   self.next_window = CreateNextWindowAction(mdi_area)
+   self.previous_window = CreatePreviousWindowAction(mdi_area)
+   self.window_menu.aboutToShow.connect(self.Update)
+
+   def Update(self):
+   self.window_menu.clear()
+   sub_window_count = len(self.mdi_area.subWindowList())
+   have_sub_windows = sub_window_count != 0
+   self.close_active_window.setEnabled(have_sub_windows)
+   self.close_all_windows.s

[PATCH 12/19] perf scripts python: call-graph-from-sql.py: Rename to exported-sql-viewer.py

[Adrian Hunter]

Additional reports will be added to the script so rename to reflect the
more general purpose.

Signed-off-by: Adrian Hunter 
---
 tools/perf/Documentation/intel-pt.txt   | 2 +-
 tools/perf/scripts/python/export-to-postgresql.py   | 2 +-
 tools/perf/scripts/python/export-to-sqlite.py   | 2 +-
 .../{call-graph-from-sql.py => exported-sql-viewer.py}  | 6 +++---
 4 files changed, 6 insertions(+), 6 deletions(-)
 rename tools/perf/scripts/python/{call-graph-from-sql.py => 
exported-sql-viewer.py} (98%)
 mode change 100644 => 100755

diff --git a/tools/perf/Documentation/intel-pt.txt 
b/tools/perf/Documentation/intel-pt.txt
index 76971d2e4164..115eaacc455f 100644
--- a/tools/perf/Documentation/intel-pt.txt
+++ b/tools/perf/Documentation/intel-pt.txt
@@ -106,7 +106,7 @@ in transaction, respectively.
 While it is possible to create scripts to analyze the data, an alternative
 approach is available to export the data to a sqlite or postgresql database.
 Refer to script export-to-sqlite.py or export-to-postgresql.py for more 
details,
-and to script call-graph-from-sql.py for an example of using the database.
+and to script exported-sql-viewer.py for an example of using the database.
 
 There is also script intel-pt-events.py which provides an example of how to
 unpack the raw data for power events and PTWRITE.
diff --git a/tools/perf/scripts/python/export-to-postgresql.py 
b/tools/perf/scripts/python/export-to-postgresql.py
index efcaf6cac2eb..ff1e8cc72938 100644
--- a/tools/perf/scripts/python/export-to-postgresql.py
+++ b/tools/perf/scripts/python/export-to-postgresql.py
@@ -59,7 +59,7 @@ import datetime
 #  pt_example=# \q
 #
 # An example of using the database is provided by the script
-# call-graph-from-sql.py.  Refer to that script for details.
+# exported-sql-viewer.py.  Refer to that script for details.
 #
 # Tables:
 #
diff --git a/tools/perf/scripts/python/export-to-sqlite.py 
b/tools/perf/scripts/python/export-to-sqlite.py
index f827bf77e9d2..709f67d89e46 100644
--- a/tools/perf/scripts/python/export-to-sqlite.py
+++ b/tools/perf/scripts/python/export-to-sqlite.py
@@ -40,7 +40,7 @@ import datetime
 #  sqlite> .quit
 #
 # An example of using the database is provided by the script
-# call-graph-from-sql.py.  Refer to that script for details.
+# exported-sql-viewer.py.  Refer to that script for details.
 #
 # The database structure is practically the same as created by the script
 # export-to-postgresql.py. Refer to that script for details.  A notable
diff --git a/tools/perf/scripts/python/call-graph-from-sql.py 
b/tools/perf/scripts/python/exported-sql-viewer.py
old mode 100644
new mode 100755
similarity index 98%
rename from tools/perf/scripts/python/call-graph-from-sql.py
rename to tools/perf/scripts/python/exported-sql-viewer.py
index ee1085169a3e..03e7a1de7f31
--- a/tools/perf/scripts/python/call-graph-from-sql.py
+++ b/tools/perf/scripts/python/exported-sql-viewer.py
@@ -10,12 +10,12 @@
 # Following on from the example in the export scripts, a
 # call-graph can be displayed for the pt_example database like this:
 #
-#  python tools/perf/scripts/python/call-graph-from-sql.py pt_example
+#  python tools/perf/scripts/python/exported-sql-viewer.py pt_example
 #
 # Note that for PostgreSQL, this script supports connecting to remote databases
 # by setting hostname, port, username, password, and dbname e.g.
 #
-#  python tools/perf/scripts/python/call-graph-from-sql.py 
"hostname=myhost username=myuser password=mypassword dbname=pt_example"
+#  python tools/perf/scripts/python/exported-sql-viewer.py 
"hostname=myhost username=myuser password=mypassword dbname=pt_example"
 #
 # The result is a GUI window with a tree representing a context-sensitive
 # call-graph.  Expanding a couple of levels of the tree and adjusting column
@@ -365,7 +365,7 @@ class DBRef():
 
 def Main():
if (len(sys.argv) < 2):
-   print >> sys.stderr, "Usage is: call-graph-from-sql.py 
"
+   print >> sys.stderr, "Usage is: exported-sql-viewer.py 
"
raise Exception("Too few arguments")
 
dbname = sys.argv[1]
-- 
2.17.1

Re: [RFC 0/5] perf: Per PMU access controls (paranoid setting)

[Alexey Budankov]

Hello Jann and Kees,

On 29.09.2018 1:02, Jann Horn wrote:

> Ah, I guess the answer is "0", since you want to see data about what
> other users are doing.
> 
> Does the i915 PMU expose sampling events, counting events, or both?
> The thing about sampling events is that they AFAIK always let the user
> pick arbitrary data to collect - like register contents, or userspace
> stack memory -, and independent of the performance counter being
> monitored, this kind of access should not be permitted to other
> contexts. (But it might be that I misunderstand how perf works - I'm
> not super familiar with its API.)
> 

Currently *core* paranoid >= 1 (per-process mode) prevents simultaneous 
sampling on CPU events (perf record) and reading of uncore HW counters 
(perf stat -I), because uncore counters count system wide and that is 
allowed only when *core* paranoid <= 0.

Uncore counts collected simultaneously with CPU event samples can be 
correlated using timestamps taken from some common system clock e.g. 
CLOCK_MONOTONIC_RAW.

Could it be secure enough to still allow reading of system wide uncore 
HW counters when sampling of CPU events is limited to specific processes 
by *core* paranoid >= 1?

Thanks,
Alexey

Re: [RFC 0/5] perf: Per PMU access controls (paranoid setting)

[Alexey Budankov]

Hello Jann,

> On Fri, Sep 28, 2018 at 11:22:37PM +0200, Jann Horn wrote:

>>
>> 
>> Is that true? IIRC if you want to use the perf tools after a kernel
>> update, you have to install a new version of perf anyway, no?

There are usages in production where perf_event_open() syscall 
accompanied with read(), mmap() etc. is embedded into application 
on per-thread basis and is used for self monitoring and dynamic 
execution tuning.

There are also other Perf tools around that, for example, are 
statically linked and then used as on Linux as on Android.

Backward compatibility does matter in these cases.

Thanks,
Alexey

Re: [RFC 0/5] perf: Per PMU access controls (paranoid setting)

[Alexey Budankov]

Hello,

On 28.09.2018 21:20, Thomas Gleixner wrote:

> Start with something like Documentation/admin-guide/perf-security.rst or
> whatever name fits better and add a proper documentation for the existing
> knob. With the infrastructure for fine grained access control add the
> general explanation for fine grained access control. With each PMU which
> opt's in for the knob, add a section with guidance about scope and risk for
> this particular one.

Sounds like a plan. Thanks!

BR,
Alexey

> 
> Thanks,
> 
>   tglx
> 
> 
> 

[PATCH v6 1/2] arm64: dts: msm8996: add prng-ee node

[Vinod Koul]

RNG hardware in 8996 features (Execution Environment) EE for
HLOS to use, add the node for prng-ee for msm8996.

Signed-off-by: Vinod Koul 
Reviewed-by: Bjorn Andersson 
---
 arch/arm64/boot/dts/qcom/msm8996.dtsi | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi 
b/arch/arm64/boot/dts/qcom/msm8996.dtsi
index cd3865e7a270..40e52a43f670 100644
--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
@@ -729,6 +729,13 @@
};
};
 
+   rng: rng@83000 {
+   compatible = "qcom,prng-ee";
+   reg = <0x00083000 0x1000>;
+   clocks = <&gcc GCC_PRNG_AHB_CLK>;
+   clock-names = "core";
+   };
+
mmcc: clock-controller@8c {
compatible = "qcom,mmcc-msm8996";
#clock-cells = <1>;
-- 
2.14.4

[PATCH v6 0/2] arm64: dts: add prng-ee nodes

[Vinod Koul]

This adds prng-ee nodes for msm8996 and sdm845

changes in v6:
 - Fix comments given by Stan

changes in v5:
 - Add more description in patch logs

changes in v4:
 - Fix node address on sdm845

changes in v3:
 - Add Bjorn's reviewed-by
 - Update patch titles to reflect that they add nodes

changes in v2:
 - rebase on v4.19-rc1

Vinod Koul (2):
  arm64: dts: msm8996: add prng-ee node
  arm64: dts: sdm845: add prng-ee node

 arch/arm64/boot/dts/qcom/msm8996.dtsi | 7 +++
 arch/arm64/boot/dts/qcom/sdm845.dtsi  | 8 
 2 files changed, 15 insertions(+)

-- 
2.14.4

[PATCH v6 2/2] arm64: dts: sdm845: add prng-ee node

[Vinod Koul]

RNG hardware in SDM845 features (Execution Environment) EE for
HLOS to use, add the node for prng-ee for sdm845.

Signed-off-by: Vinod Koul 
---
 arch/arm64/boot/dts/qcom/sdm845.dtsi | 8 
 1 file changed, 8 insertions(+)

diff --git a/arch/arm64/boot/dts/qcom/sdm845.dtsi 
b/arch/arm64/boot/dts/qcom/sdm845.dtsi
index 0c9a2aa6a1b5..9d8109761fe8 100644
--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi
+++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi
@@ -9,6 +9,7 @@
 #include 
 #include 
 #include 
+#include 
 
 / {
interrupt-parent = <&intc>;
@@ -997,6 +998,13 @@
cell-index = <0>;
};
 
+   rng: rng@793000 {
+   compatible = "qcom,prng-ee";
+   reg = <0x00793000 0x1000>;
+   clocks = <&gcc GCC_PRNG_AHB_CLK>;
+   clock-names = "core";
+   };
+
apss_shared: mailbox@1799 {
compatible = "qcom,sdm845-apss-shared";
reg = <0x1799 0x1000>;
-- 
2.14.4

Re: [PATCH v3 1/5] spi: spi-mem: Add driver for NXP FlexSPI controller

[Frieder Schrempf]

Hi Boris,

On 29.09.2018 17:40, Boris Brezillon wrote:

Hi Yogesh,

On Fri, 21 Sep 2018 15:51:59 +0530
Yogesh Gaur  wrote:


+/* Registers used by the driver */
+#define FSPI_MCR0  0x00
+#define FSPI_MCR0_AHB_TIMEOUT_SHIFT24
+#define FSPI_MCR0_AHB_TIMEOUT_MASK (0xFF << FSPI_MCR0_AHB_TIMEOUT_SHIFT)
+#define FSPI_MCR0_IP_TIMEOUT_SHIFT 16
+#define FSPI_MCR0_IP_TIMEOUT_MASK  (0xFF << FSPI_MCR0_IP_TIMEOUT_SHIFT)
+#define FSPI_MCR0_LEARN_EN_SHIFT   15
+#define FSPI_MCR0_LEARN_EN_MASK(1 << FSPI_MCR0_LEARN_EN_SHIFT)
+#define FSPI_MCR0_SCRFRUN_EN_SHIFT 14
+#define FSPI_MCR0_SCRFRUN_EN_MASK  (1 << FSPI_MCR0_SCRFRUN_EN_SHIFT)
+#define FSPI_MCR0_OCTCOMB_EN_SHIFT 13
+#define FSPI_MCR0_OCTCOMB_EN_MASK  (1 << FSPI_MCR0_OCTCOMB_EN_SHIFT)
+#define FSPI_MCR0_DOZE_EN_SHIFT12
+#define FSPI_MCR0_DOZE_EN_MASK (1 << FSPI_MCR0_DOZE_EN_SHIFT)
+#define FSPI_MCR0_HSEN_SHIFT   11
+#define FSPI_MCR0_HSEN_MASK(1 << FSPI_MCR0_HSEN_SHIFT)
+#define FSPI_MCR0_SERCLKDIV_SHIFT  8
+#define FSPI_MCR0_SERCLKDIV_MASK   (7 << FSPI_MCR0_SERCLKDIV_SHIFT)
+#define FSPI_MCR0_ATDF_EN_SHIFT7
+#define FSPI_MCR0_ATDF_EN_MASK (1 << FSPI_MCR0_ATDF_EN_SHIFT)
+#define FSPI_MCR0_ARDF_EN_SHIFT6
+#define FSPI_MCR0_ARDF_EN_MASK (1 << FSPI_MCR0_ARDF_EN_SHIFT)
+#define FSPI_MCR0_RXCLKSRC_SHIFT   4
+#define FSPI_MCR0_RXCLKSRC_MASK(3 << FSPI_MCR0_RXCLKSRC_SHIFT)
+#define FSPI_MCR0_END_CFG_SHIFT2
+#define FSPI_MCR0_END_CFG_MASK (3 << FSPI_MCR0_END_CFG_SHIFT)
+#define FSPI_MCR0_MDIS_SHIFT   1
+#define FSPI_MCR0_MDIS_MASK(1 << FSPI_MCR0_MDIS_SHIFT)
+#define FSPI_MCR0_SWRST_SHIFT  0
+#define FSPI_MCR0_SWRST_MASK   (1 << FSPI_MCR0_SWRST_SHIFT)


Do we really need all those _SHIFT/_MASK defs? I mean

#define FSPI_MCR0_SWRST BIT(0)

or

#define FSPI_MCR0_AHB_TIMEOUT(x)((x) << 24)
#define FSPI_MCR0_AHB_TIMEOUT_MASK  GENMASK(31, 24)

are just fine.


+
+enum nxp_fspi_devtype {
+   NXP_FSPI_LX2160A,
+};


I'm pretty sure you don't need this enum if you describe all dev caps
in the nxp_fspi_devtype_data struct.


+
+struct nxp_fspi_devtype_data {
+   enum nxp_fspi_devtype devtype;
+   unsigned int rxfifo;
+   unsigned int txfifo;
+   unsigned int ahb_buf_size;
+   unsigned int quirks;
+   bool endianness;


How about renaming this variable big_endian and dropping the
{L,B}_ENDIAN macros?


+};


[...]


+struct nxp_fspi {
+   void __iomem *iobase;
+   void __iomem *ahb_addr;
+   u32 memmap_phy;
+   u32 memmap_phy_size;
+   struct clk *clk, *clk_en;
+   struct device *dev;
+   struct completion c;
+   const struct nxp_fspi_devtype_data *devtype_data;
+   struct mutex lock;
+   struct pm_qos_request pm_qos_req;
+   int selected;
+   void (*write)(u32 val, void __iomem *addr);
+   u32 (*read)(void __iomem *addr);
+};
+
+static void fspi_writel_be(u32 val, void __iomem *addr)
+{
+   iowrite32be(val, addr);
+}
+
+static void fspi_writel(u32 val, void __iomem *addr)
+{
+   iowrite32(val, addr);
+}
+
+static u32 fspi_readl_be(void __iomem *addr)
+{
+   return ioread32be(addr);
+}
+
+static u32 fspi_readl(void __iomem *addr)
+{
+   return ioread32(addr);
+}


Hm, I'd recommend dropping the ->read/write() hooks and providing the
following functions:

static void fspi_writel(struct nxp_fspi *f, u32 val, void __iomem *addr)
{
if (f->big_endian)
iowrite32be(val, addr);
else
iowrite32(val, addr);
}


static u32 fspi_readl(struct nxp_fspi *f, void __iomem *addr)
{
if (f->big_endian)
return ioread32be(addr);
else
return ioread32(addr);
}


I introduced the ->read/write() hooks in the QSPI driver because I was 
told to remove the conditional in the read/write path, but I can't 
really tell if this really makes any difference.


Regards,
Frieder




+
+static irqreturn_t nxp_fspi_irq_handler(int irq, void *dev_id)
+{
+   struct nxp_fspi *f = dev_id;
+   u32 reg;
+
+   /* clear interrupt */
+   reg = f->read(f->iobase + FSPI_INTR);
+   f->write(FSPI_INTR_IPCMDDONE_MASK, f->iobase + FSPI_INTR);
+
+   if (reg & FSPI_INTR_IPCMDDONE_MASK)
+   complete(&f->c);
+
+   return IRQ_HANDLED;
+}


[...]


+/*
+ * If the slave device content being changed by Write/Erase, need to
+ * invalidate the AHB buffer. This can be achieved by doing the reset
+ * of controller after setting MCR0[SWRESET] bit.
+ */
+static inline void nxp_fspi_invalid(struct nxp_fspi *f)
+{
+   u32 reg;
+
+   reg = f->read(f->iobase + FSPI_MCR0);
+   f->write(reg | FSPI_MCR0_SWRST_MASK, f->iobase + FSPI_MCR0);
+
+   while (f->read(f->iobase + FSPI_MCR0) & FSPI_MCR0_SWRST_MASK)
+   ;


Did you consider using readl

Re: [PATCH 0/3] namei: implement various scoping AT_* flags

[Dave Chinner]

On Mon, Oct 01, 2018 at 03:47:23PM +1000, Aleksa Sarai wrote:
> On 2018-10-01, Dave Chinner  wrote:
> > > I've added some selftests for this, but it's not clear to me whether
> > > they should live here or in xfstests (as far as I can tell there are no
> > > other VFS tests in selftests, while there are some tests that look like
> > > generic VFS tests in xfstests). If you'd prefer them to be included in
> > > xfstests, let me know.
> > 
> > xfstests, please. That way the new functionality will get immediate
> > coverage by all the main filesystem development and distro QA
> > teams
> 
> Sure, will do. Do you want me to submit them in parallel --

That's usually the way we do things, but we don't tend to commit the
fstests changes until the thing it is testing has landed upstream.

> and what is
> the correct ML to submit changes to xfstests?

fste...@vger.kernel.org

> Sorry for the silly questions. :P

You're going to have many more of them when you start moving the
tests across to fstests :P

Cheers,

Dave.
-- 
Dave Chinner
da...@fromorbit.com

Re: [PATCH 0/4] get_user_pages*() and RDMA: first steps

[Dave Chinner]

On Sat, Sep 29, 2018 at 04:46:09AM -0400, Jerome Glisse wrote:
> On Fri, Sep 28, 2018 at 07:28:16PM -0700, John Hubbard wrote:
> > On 9/28/18 2:49 PM, Jerome Glisse wrote:
> > > On Fri, Sep 28, 2018 at 12:06:12PM -0700, John Hubbard wrote:
> > >> use a non-CPU device to read and write to "pinned" memory, especially 
> > >> when
> > >> that memory is backed by a file system.

"backed by a filesystem" is the biggest problem here.

> > >> I recall there were objections to just narrowly fixing the 
> > >> set_page_dirty()
> > >> bug, because the underlying problem is large and serious. So here we are.
> > > 
> > > Except that you can not solve that issue without proper hardware. GPU are
> > > fine. RDMA are broken except the mellanox5 hardware which can invalidate
> > > at anytime its page table thus allowing to write protect the page at any
> > > time.
> > 
> > Today, people are out there using RDMA without page-fault-capable hardware.
> > And they are hitting problems, as we've seen. From the discussions so far,
> > I don't think it's impossible to solve the problems, even for "lesser", 
> > non-fault-capable hardware.

This reminds me so much of Linux mmap() in the mid-2000s - mmap()
worked for ext3 without being aware of page faults, so most mm/
developers at the time were of the opinion that all the other
filesystems should work just fine without being aware of page
faults.

But some loud-mouthed idiot at SGI kept complaining that mmap()
could never be fixed for XFS without write fault notification
because of delayed allocation, unwritten extents and ENOSPC had to
be handled before mapped writes could be posted.  Eventually
Christoph Lameter got ->page_mkwrite into the page fault path and
the loud mouthed idiot finally got mmap() to work correctly on XFS:

commit 4f57dbc6b5bae5a3978d429f45ac597ca7a3b8c6
Author: David Chinner 
Date:   Thu Jul 19 16:28:17 2007 +1000

[XFS] Implement ->page_mkwrite in XFS.

Hook XFS up to ->page_mkwrite to ensure that we know about mmap pages
being written to. This allows use to do correct delayed allocation and
ENOSPC checking as well as remap unwritten extents so that they get
converted correctly during writeback. This is done via the generic
block_page_mkwrite code.

SGI-PV: 940392
SGI-Modid: xfs-linux-melb:xfs-kern:29149a

Signed-off-by: David Chinner 
Signed-off-by: Christoph Hellwig 
Signed-off-by: Tim Shimmin 

Nowdays, ->page_mkwrite is fundamental filesystem functionality -
copy-on-write filesystems like btrfs simply don't work if they can't
trigger COW on mapped write accesses. These days all the main linux
filesystems depend on write fault notifications in some way or
another for correct operation.

The way RDMA uses GUP to take references to file backed pages to
'stop them going away' is reminiscent of mmap() back before
->page_mkwrite(). i.e. it assumes that an initial read of the page
will populate the page state correctly for all future operations,
including set_page_dirty() after write accesses.

This is not a valid assumption - filesystems can have different
private clean vs dirty page state, and may need to perform
operations to take a page from clean to dirty.  Hence calling
set_page_dirty() on a file backed mapped page without first having
called ->page_mkwrite() is a bug.

RDMA does not call ->page_mkwrite on clean file backed pages before it
writes to them and calls set_page_dirty(), and hence RDMA to file
backed pages is completely unreliable. I'm not sure this can be
solved without having page fault capable RDMA hardware

> > > With the solution put forward here you can potentialy wait _forever_ for
> > > the driver that holds a pin to drop it. This was the point i was trying to
> > > get accross during LSF/MM. 

Right, but pinning via GUP is not an option for file backed pages
because the filesystem is completely unaware of these references.
i.e. waiting forever isn't an issue here because the filesystem
never waits on them. Instead, they are a filesystem corruption
vector because the filesystem can invalidate those mappings and free
the backing store while they are still in use by RDMA.

Hence for DAX filesystems, this leaves the RDMA app with direct
access to the physical storage even though the filesystem has freed
the space it is accessing. This is a use after free of the physical
storage that the filesystem cannot control, and why DAX+RDMA is
disabled right now.

We could address these use-after-free situations via forcing RDMA to
use file layout leases and revoke the lease when we need to modify
the backing store on leased files. However, this doesn't solve the
need for filesystems to receive write fault notifications via
->page_mkwrite.

Cheers,

Dave.
-- 
Dave Chinner
da...@fromorbit.com

Re: [PATCH V2 2/2] cpufreq: imx6q: read OCOTP through nvmem for imx6ul/imx6ull

[Viresh Kumar]

On 17-09-18, 11:17, Anson Huang wrote:
> On i.MX6UL/i.MX6ULL, accessing OCOTP directly is wrong because
> the ocotp clock needs to be enabled first. Add support for reading
> OCOTP through the nvmem API, and keep the old method there to
> support old dtb.
> 
> Signed-off-by: Anson Huang 
> ---
> changes since V1:
>   add old dtb support.
>  drivers/cpufreq/imx6q-cpufreq.c | 52 
> +++--
>  1 file changed, 35 insertions(+), 17 deletions(-)
> 
> diff --git a/drivers/cpufreq/imx6q-cpufreq.c b/drivers/cpufreq/imx6q-cpufreq.c
> index b2ff423..518386c4 100644
> --- a/drivers/cpufreq/imx6q-cpufreq.c
> +++ b/drivers/cpufreq/imx6q-cpufreq.c
> @@ -12,6 +12,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>  #include 
>  #include 
>  #include 
> @@ -290,20 +291,32 @@ static void imx6q_opp_check_speed_grading(struct device 
> *dev)
>  #define OCOTP_CFG3_6ULL_SPEED_792MHZ 0x2
>  #define OCOTP_CFG3_6ULL_SPEED_900MHZ 0x3
>  
> -static void imx6ul_opp_check_speed_grading(struct device *dev)
> +static int imx6ul_opp_check_speed_grading(struct device *dev)
>  {
> - struct device_node *np;
> - void __iomem *base;
>   u32 val;
> + int ret = 0;
>  
> - np = of_find_compatible_node(NULL, NULL, "fsl,imx6ul-ocotp");
> - if (!np)
> - return;
> + if (of_find_property(dev->of_node, "nvmem-cells", NULL)) {
> + ret = nvmem_cell_read_u32(dev, "speed_grade", &val);
> + if (ret)
> + return ret;
> + } else {
> + struct device_node *np;
> + void __iomem *base;
> +
> + np = of_find_compatible_node(NULL, NULL, "fsl,imx6ul-ocotp");
> + if (!np)
> + return -ENOENT;
> +
> + base = of_iomap(np, 0);
> + if (!base) {
> + dev_err(dev, "failed to map ocotp\n");
> + of_node_put(np);
> + return -EFAULT;
> + }
>  
> - base = of_iomap(np, 0);
> - if (!base) {
> - dev_err(dev, "failed to map ocotp\n");
> - goto put_node;
> + val = readl_relaxed(base + OCOTP_CFG3);
> + iounmap(base);

Don't you need to put the node np here ?

-- 
viresh

Re: linux-next: Signed-off-by missing for commit in the parisc-hd tree

[Helge Deller]

On 01.10.2018 03:04, Stephen Rothwell wrote:
> Commit
>   f17bbdb5eea2 ("parisc: Remove PTE load and fault check from L2_ptep macro")
> is missing a Signed-off-by from its committer.

Fixed now.

Thanks!
Helge



signature.asc
Description: OpenPGP digital signature

Re: [PATCH RESEND] twl4030_charger: fix charging current out-of-bounds

[Andreas Kemnade]

Hi Pavel,

On Sun, 30 Sep 2018 22:16:42 +0200
Pavel Machek  wrote:

> On Mon 2018-09-17 07:20:35, Andreas Kemnade wrote:
> > the charging current uses unsigned int variables, if we step back
> > if the current is still low, we would run into negative which
> > means setting the target to a huge value.
> > Better add checks here.  
> 
> Do you expect this to happen in practice? Too high current while
> charging seems bad, right?

I think you need a power supply delivering < 4.75V  and > 4.3 V without load
and still > 4.3 V (so that vbusunplug detection does not trigger) at 1.6A
(the maximal charge current) including loss in cables.
I think that is really rare. It is not the standard charger you find in your
cupboard. Could probably be a lab power supply with a good cable connection.

As a side effect of some other bug (I do none like this):
If some regulators are not enabled, voltage measurement can be wrong. And
then the regulators have to be turned on right in time for the charging to
start.

But I know one way to produce that behavior:
Without my "phy: phy-twl4030-usb: fix denied runtime access"
The following steps are possible to achieve that with the gta04:
1. put your device to suspend without charger connected
2. connect charger which could provide high currents.
   phy runtime will not be resumed, usb voltage measured will be very low
   (I remember something like 1.8V), so the power ramping up will be
   stopped immediately and that step-back will set current it to an
   erroneous value but it will not start charging
3. echo auto >/sys/class/power_supply/twl4030_usb/mode
   then the charging starts with the target current set in the last step.
> 
> Cc: stable?

Rethinking it, it would be a nice idea, but I think the mentioned 
"phy: phy-twl4030-usb: fix denied runtime access"
would even be more important to have in stable, since it fixes actual
charging problems. Well, if your device does not boot because it is empty
or if there is sometimes a kernel panic is no substancial difference to me.

Regards,
Andreas


pgpSCyW2DqDUt.pgp
Description: OpenPGP digital signature

Re: [PATCH 2/2] cpufreq: imx6q: read OCOTP through nvmem for imx6ul/imx6ull

[Viresh Kumar]

On 14-09-18, 10:59, Anson Huang wrote:
> On i.MX6UL/i.MX6ULL, accessing OCOTP directly is wrong because
> the ocotp clock needs to be enabled first. Add support for reading
> OCOTP through the nvmem API instead.
> 
> Signed-off-by: Anson Huang 
> ---
>  drivers/cpufreq/imx6q-cpufreq.c | 39 +++
>  1 file changed, 19 insertions(+), 20 deletions(-)

Acked-by: Viresh Kumar 

-- 
viresh

Re: [PATCH] printk: inject caller information into the body of message

[Sergey Senozhatsky]

On (09/29/18 20:13), Sergey Senozhatsky wrote:
> We used to flush "incomplete" cont lines (fragments) from console_unlock().
> 
> void console_unlock(void)
> {
> ...
> /* flush buffered message fragment immediately to console */
> console_cont_flush(text, sizeof(text));
> again:
> for (;;) {
>   ...
>   }
> ...
> }
> 
> Unless I'm missing something, we don't anymore.
> Since 5c2992ee7fd8a29d04125dc0aa3522784c5fa5eb.
> Now we print only log_buf entries. So we either wait for a \n to flush
> a complete cont buffer, or for a race to preliminary flush cont buffer.

BTW, it just crossed my mind:

Previously, we would do console_cont_flush() for each pr_cont(),
so console_unlock() would print data:

pr_cont();
 console_lock();
 console_unlock()
  console_cont_flush(); // print cont fragment
...
pr_cont();
 console_lock();
 console_unlock()
  console_cont_flush(); // print cont fragment

We don't console_cont_flush() anymore, so when we do pr_cont()
console_unlock() does nothing (unless we flushed the cont buffer):

pr_cont();
 console_lock();
 console_unlock();  // noop
...
pr_cont();
 console_lock();
 console_unlock();  // noop
...
pr_cont();
  cont_flush();
console_lock();
console_unlock();   // print data

console_lock()/console_unlock() makes sense only when we flush cont
buffer.

We also wakeup klogd purposelessly for pr_cont() output - un-flushed
is not stored in log_buf; there is nothing to pull.

So we can console_lock()/console_unlock()/wake_up_klogd() only when we
know that we log_stor()-ed a message.

A quick-n-dirty patch (I can send a formal one) which compares log_next_seq
before and after vprintk_store(). log_next_seq is getting incremented each
time we log_store() a new log_buf message:

---

diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index 308497194bd4..53d9134f02a6 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -1931,6 +1931,7 @@ asmlinkage int vprintk_emit(int facility, int level,
int printed_len;
bool in_sched = false;
unsigned long flags;
+   u64 curr_log_seq;
 
if (level == LOGLEVEL_SCHED) {
level = LOGLEVEL_DEFAULT;
@@ -1942,11 +1943,12 @@ asmlinkage int vprintk_emit(int facility, int level,
 
/* This stops the holder of console_sem just where we want him */
logbuf_lock_irqsave(flags);
+   curr_log_seq = log_next_seq;
printed_len = vprintk_store(facility, level, dict, dictlen, fmt, args);
logbuf_unlock_irqrestore(flags);
 
/* If called from the scheduler, we can not call up(). */
-   if (!in_sched) {
+   if (!in_sched && (curr_log_seq != log_next_seq)) {
/*
 * Disable preemption to avoid being preempted while holding
 * console_sem which would prevent anyone from printing to
@@ -1963,7 +1965,8 @@ asmlinkage int vprintk_emit(int facility, int level,
preempt_enable();
}
 
-   wake_up_klogd();
+   if (curr_log_seq != log_next_seq)
+   wake_up_klogd();
return printed_len;
 }
 EXPORT_SYMBOL(vprintk_emit);

---

-ss

Re: [PATCH 0/3] namei: implement various scoping AT_* flags

[Aleksa Sarai]

On 2018-10-01, Dave Chinner  wrote:
> > I've added some selftests for this, but it's not clear to me whether
> > they should live here or in xfstests (as far as I can tell there are no
> > other VFS tests in selftests, while there are some tests that look like
> > generic VFS tests in xfstests). If you'd prefer them to be included in
> > xfstests, let me know.
> 
> xfstests, please. That way the new functionality will get immediate
> coverage by all the main filesystem development and distro QA
> teams

Sure, will do. Do you want me to submit them in parallel -- and what is
the correct ML to submit changes to xfstests? Sorry for the silly
questions. :P

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH



signature.asc
Description: PGP signature

Re: [PATCH 2/3] namei: implement AT_THIS_ROOT chroot-like path resolution

[Aleksa Sarai]

On 2018-09-29, Jann Horn  wrote:
> The problem is what happens if a folder you are walking through is
> concurrently moved out of the chroot. Consider the following scenario:
> 
> You attempt to open "C/../../etc/passwd" under the root "/A/B".
> Something else concurrently moves /A/B/C to /A/C. This can result in
> the following:
> 
> 1. You start the path walk and reach /A/B/C.
> 2. The other process moves /A/B/C to /A/C. Your path walk is now at /A/C.
> 3. Your path walk follows the first ".." up into /A. This is outside
> the process root, but you never actually encountered the process root,
> so you don't notice.
> 4. Your path walk follows the second ".." up to /. Again, this is
> outside the process root, but you don't notice.
> 5. Your path walk walks down to /etc/passwd, and the open completes
> successfully. You now have an fd pointing outside your chroot.
> 
> If the root of your walk is below an attacker-controlled directory,
> this of course means that you lose instantly. If you point the root of
> the walk at a directory out of which a process in the container
> wouldn't be able to move the file, you're probably kinda mostly fine -
> as long as you know, for certain, that nothing else on the system
> would ever do that. But I still wouldn't feel good about that.

Please correct me if I'm wrong here (this is the first patch I've
written for VFS). Isn't the retry/LOOKUP_REVAL code meant to handle this
-- or does that only handle if a particular path component changes
*while* it's being walked through? Is it possible for a path walk to
succeed after a path component was unmounted (obviously you can't delete
a directory path component since you'd get -ENOTEMPTY)?

If this is an issue for AT_THIS_ROOT, I believe this might also be an
issue for AT_BENEATH since they are effectively both using the same
nd->root trick (so you could similarly trick AT_BENEATH to not error
out). So we'd need to figure out how to solve this problem in order for
AT_BENEATH to be safe.

Speaking naively, doesn't it make sense to invalidate the walk if a path
component was modified? Or is this something that would be far too
costly with little benefit? What if we do more aggressive nd->root
checks when resolving with AT_BENEATH or AT_THIS_ROOT (or if nd->root !=
current->mnt_ns->root)?

Regarding chroot attacks, I was aware of the trivial
chroot-open-chroot-fchdir attack but I was not aware that there was a
rename attack for chroot. Thanks for bringing this up!

> I believe that the only way to robustly use this would be to point the
> dirfd at a mount point, such that you know that being moved out of the
> chroot is impossible because the mount point limits movement of
> directories under it. (Well, technically, it doesn't, but it ensures
> that if a directory does dangerously move away, the syscall fails.) It
> might make sense to hardcode this constraint in the implementation of
> AT_THIS_ROOT, to keep people from shooting themselves in the foot.

Unless I'm missing something, would this not also affect using a
mountpoint as a dirfd-root (with MS_MOVE of an already-walked-through
path component) -- or does MS_MOVE cause a rewalk in a way that rename
does not?

I wouldn't mind tying AT_THIS_ROOT to only work on mountpoints (I
thought that bind-mounts would be an issue but you also get -EXDEV when
trying to rename across bind-mounts even if they are on the same
underlying filesystem). But AT_BENEATH might be a more bitter pill to
swallow. I'm not sure.

In the usecase of container runtimes, we wouldn't generally be doing
resolution of attacker-controlled paths but it still definitely doesn't
hurt to consider this part of the threat model -- to avoid foot-gunning
as you've said. (There also might be some nested-container cases where
you might want to do that.)

> > Currently most container runtimes try to do this resolution in
> > userspace[1], causing many potential race conditions. In addition, the
> > "obvious" alternative (actually performing a {ch,pivot_}root(2))
> > requires a fork+exec which is *very* costly if necessary for every
> > filesystem operation involving a container.
> 
> Wait. fork() I understand, but why exec? And actually, you don't need
> a full fork() either, clone() lets you do this with some process parts
> shared. And then you also shouldn't need to use SCM_RIGHTS, just keep
> the file descriptor table shared. And why chroot()/pivot_root(),
> wouldn't you want to use setns()?

You're right about this -- for C runtimes. In Go we cannot do a raw
clone() or fork() (if you do it manually with RawSyscall you'll end with
broken runtime state). So you're forced to do fork+exec (which then
means that you can't use CLONE_FILES and must use SCM_RIGHTS). Same goes
for CLONE_VFORK.

(It should be noted that multi-threaded C runtimes have somewhat similar
issues -- AFAIK you can technically only use AS-Safe glibc functions
after a fork() but that's more of a theoretical concern here. If you
just use raw syscall

Re: [PATCH 4/6] perf report: Use the offset address to find inline frames

[Ravi Bangoria]

Hi Milian, 

Seems this has a regression:

With acme/perf/urgent:

  $ ./perf record -e cycles:u --call-graph=dwarf ls
  $ ./perf script
  ls 13585 602082.534478:  28032 cycles:u: 
   1f1f4 __GI___tunables_init+0xd3dc00a4 
(/usr/lib64/ld-2.26.so)
   20e2b _dl_sysdep_start+0xd3dc04ab 
(/usr/lib64/ld-2.26.so)
1ca7 _dl_start_final+0xd3dc00f7 
(/usr/lib64/ld-2.26.so)
29b3 _dl_start+0xd3dc0553 (/usr/lib64/ld-2.26.so)
1437 _start+0xd3dc0017 (/usr/lib64/ld-2.26.so)

After reverting this patch:

  $ git revert d9c910d5f8c3a1858f115dc9d3b157df32da70a3
  [a/perf/urgent 72cada4e6b30] Revert "perf report: Use the offset address to 
find inline frames"

  $ ./perf script
  ls 13585 602082.534478:  28032 cycles:u: 
7fff9613f1f4 __GI___tunables_init+0xa4 (/usr/lib64/ld-2.26.so)
7fff96140e2b _dl_sysdep_start+0x4ab (/usr/lib64/ld-2.26.so)
7fff96121ca7 _dl_start_final+0xf7 (/usr/lib64/ld-2.26.so)
7fff961229b3 _dl_start+0x553 (/usr/lib64/ld-2.26.so)
7fff96121437 _start+0x17 (/usr/lib64/ld-2.26.so)

Thanks,
Ravi


On 09/28/2018 05:55 PM, Arnaldo Carvalho de Melo wrote:
> From: Milian Wolff 
> 
> To correctly find inlined frames, we have to use the file offset instead
> of the virtual memory address. This was already fixed for displaying
> srcline information while displaying in commit 2a9d5050dc84fa20 ("perf
> script: Show correct offsets for DWARF-based unwinding"). We just need
> to use the same corrected address also when trying to find inline
> frames.
> 
> This is another follow-up to commit 19610184693c ("perf script: Show
> virtual addresses instead of offsets").
> 
> Signed-off-by: Milian Wolff 
> Acked-by: Jiri Olsa 
> Cc: Jin Yao 
> Cc: Namhyung Kim 
> Cc: Sandipan Das 
> Fixes: 19610184693c ("perf script: Show virtual addresses instead of offsets")
> Link: http://lkml.kernel.org/r/20180926135207.30263-2-milian.wo...@kdab.com
> Signed-off-by: Arnaldo Carvalho de Melo 
> ---
>  tools/perf/util/machine.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
> index 0cb4f8bf3ca7..73a651f10a0f 100644
> --- a/tools/perf/util/machine.c
> +++ b/tools/perf/util/machine.c
> @@ -2317,9 +2317,6 @@ static int unwind_entry(struct unwind_entry *entry, 
> void *arg)
>   if (symbol_conf.hide_unresolved && entry->sym == NULL)
>   return 0;
>  
> - if (append_inlines(cursor, entry->map, entry->sym, entry->ip) == 0)
> - return 0;
> -
>   /*
>* Convert entry->ip from a virtual address to an offset in
>* its corresponding binary.
> @@ -2327,6 +2324,9 @@ static int unwind_entry(struct unwind_entry *entry, 
> void *arg)
>   if (entry->map)
>   addr = map__map_ip(entry->map, entry->ip);
>  
> + if (append_inlines(cursor, entry->map, entry->sym, addr) == 0)
> + return 0;
> +
>   srcline = callchain_srcline(entry->map, entry->sym, addr);
>   return callchain_cursor_append(cursor, entry->ip,
>  entry->map, entry->sym,
> 

[PATCH RFC 3/5] power: supply: bq24190_charger: add of_match for usb-otg-vbus regulator

[Brian Masney]

From: Jonathan Marek 

This patch adds an of_match for the usb-otg-vbus regulator to
bq24190_charger.

Signed-off-by: Jonathan Marek 
Signed-off-by: Brian Masney 
---
 drivers/power/supply/bq24190_charger.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/power/supply/bq24190_charger.c 
b/drivers/power/supply/bq24190_charger.c
index e3836145286d..933d1cded697 100644
--- a/drivers/power/supply/bq24190_charger.c
+++ b/drivers/power/supply/bq24190_charger.c
@@ -577,6 +577,7 @@ static const struct regulator_ops bq24190_vbus_ops = {
 
 static const struct regulator_desc bq24190_vbus_desc = {
.name = "usb_otg_vbus",
+   .of_match = "usb-otg-vbus",
.type = REGULATOR_VOLTAGE,
.owner = THIS_MODULE,
.ops = &bq24190_vbus_ops,
-- 
2.17.1

[PATCH RFC 1/5] dt-bindings: power: supply: bq24190_charger: add bq24192 and usb-otg-vbus

[Brian Masney]

Add support for the ti,bq24192 variant and a child node for the
usb-otg-vbus regulator.

Signed-off-by: Brian Masney 
---
 Documentation/devicetree/bindings/power/supply/bq24190.txt | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/Documentation/devicetree/bindings/power/supply/bq24190.txt 
b/Documentation/devicetree/bindings/power/supply/bq24190.txt
index 9e517d307070..8f2560824a97 100644
--- a/Documentation/devicetree/bindings/power/supply/bq24190.txt
+++ b/Documentation/devicetree/bindings/power/supply/bq24190.txt
@@ -3,6 +3,7 @@ TI BQ24190 Li-Ion Battery Charger
 Required properties:
 - compatible: contains one of the following:
 * "ti,bq24190"
+* "ti,bq24192"
 * "ti,bq24192i"
 - reg: integer, I2C address of the charger.
 - interrupts[-extended]: configuration for charger INT pin.
@@ -19,6 +20,12 @@ Optional properties:
 - ti,system-minimum-microvolt: when power is connected and the battery is below
   minimum system voltage, the system will be regulated above this setting.
 
+child nodes:
+- usb-otg-vbus:
+  Usage: optional
+  Description: Regulator that is used to control the VBUS voltage direction for
+   either USB host mode or for charging on the OTG port.
+
 Notes:
 - Some circuit boards wire the chip's "OTG" pin high (enabling 500mA default
   charge current on USB SDP ports, among other features). To simulate this on
-- 
2.17.1

[PATCH RFC 0/5] treewide: add USB OTG support for hammerhead

[Brian Masney]

This patch set adds USB OTG support for the LG Nexus 5 (hammerhead)
phone. My only question is related to patch #4 where the GPIO support
is added to bq24190_charger. Based on the information in the device tree
binding Documentation/devicetree/bindings/power/supply/bq24190.txt, I
should be using a gpio-hog. I'm not sure what my input pin would be for
this particular board since I can't find a publicly-available datasheet
for this board.

The USB OTG support works properly with this patch set. I am able to use
USB networking, and I'm also able to plug in a USB hub with a thumb
drive on the phone, and mount the drive.

All of the other msm8974-based boards in upstream use the
qcom,pm8941-charger (via the smbb node) that is defined in
qcom-pm8941.dtsi. USB networking works for me with that driver, however
I'm not able to get any devices connected to my USB hub to show up on
the phone, even when I port the GPIO code into that driver. I can see
the USB hub node with lsusb, but no devices on the hub.

Thanks in advance for any assistance that you can provide.

Brian Masney (1):
  dt-bindings: power: supply: bq24190_charger: add bq24192 and
usb-otg-vbus

Jonathan Marek (4):
  power: supply: bq24190_charger: add support for bq24192 variant
  power: supply: bq24190_charger: add of_match for usb-otg-vbus
regulator
  power: supply: bq24190_charger: add support for extcon and GPIO for
USB OTG support
  ARM: dts: qcom: msm8974-hammerhead: add USB OTG support

 .../bindings/power/supply/bq24190.txt |  7 +++
 .../qcom-msm8974-lge-nexus5-hammerhead.dts| 54 +++
 arch/arm/boot/dts/qcom-msm8974.dtsi   | 11 
 drivers/power/supply/bq24190_charger.c| 51 +-
 4 files changed, 121 insertions(+), 2 deletions(-)

-- 
2.17.1

[PATCH RFC 2/5] power: supply: bq24190_charger: add support for bq24192 variant

[Brian Masney]

From: Jonathan Marek 

This patch adds support for the bq24192 variant to bq24190_charger.

Signed-off-by: Jonathan Marek 
Signed-off-by: Brian Masney 
---
 drivers/power/supply/bq24190_charger.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/power/supply/bq24190_charger.c 
b/drivers/power/supply/bq24190_charger.c
index b58df04d03b3..e3836145286d 100644
--- a/drivers/power/supply/bq24190_charger.c
+++ b/drivers/power/supply/bq24190_charger.c
@@ -1638,7 +1638,8 @@ static int bq24190_hw_init(struct bq24190_dev_info *bdi)
return ret;
 
if (v != BQ24190_REG_VPRS_PN_24190 &&
-   v != BQ24190_REG_VPRS_PN_24192I) {
+   v != BQ24190_REG_VPRS_PN_24192 &&
+   v != BQ24190_REG_VPRS_PN_24192I) {
dev_err(bdi->dev, "Error unknown model: 0x%02x\n", v);
return -ENODEV;
}
@@ -1931,6 +1932,7 @@ static const struct dev_pm_ops bq24190_pm_ops = {
 
 static const struct i2c_device_id bq24190_i2c_ids[] = {
{ "bq24190" },
+   { "bq24192" },
{ "bq24192i" },
{ },
 };
@@ -1939,6 +1941,7 @@ MODULE_DEVICE_TABLE(i2c, bq24190_i2c_ids);
 #ifdef CONFIG_OF
 static const struct of_device_id bq24190_of_match[] = {
{ .compatible = "ti,bq24190", },
+   { .compatible = "ti,bq24192", },
{ .compatible = "ti,bq24192i", },
{ },
 };
-- 
2.17.1

[PATCH RFC 4/5] power: supply: bq24190_charger: add support for extcon and GPIO for USB OTG support

[Brian Masney]

From: Jonathan Marek 

Add extcon support so that we can notify USB drivers of cable state
changes. This also adds support for an optional GPIO that is changed
depending on the cable state.

This patch makes the USB OTG work correctly on a LG Nexus 5
(hammerhead) phone.

Signed-off-by: Jonathan Marek 
[masn...@onstation.org: Fixed EXTCON cable state and USB networking
when the cable is unplugged and plugged back in, checkpatch cleanups.]
Signed-off-by: Brian Masney 
Tested-by: Brian Masney 
---
See my cover letter for a question about how I can convert patch #5 over
to use a gpio-hog.

 drivers/power/supply/bq24190_charger.c | 45 +-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/drivers/power/supply/bq24190_charger.c 
b/drivers/power/supply/bq24190_charger.c
index 933d1cded697..36348668e48a 100644
--- a/drivers/power/supply/bq24190_charger.c
+++ b/drivers/power/supply/bq24190_charger.c
@@ -21,6 +21,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #defineBQ24190_MANUFACTURER"Texas Instruments"
 
@@ -159,6 +160,8 @@
 struct bq24190_dev_info {
struct i2c_client   *client;
struct device   *dev;
+   struct extcon_dev   *edev;
+   struct gpio_desc*gpio_otg;
struct power_supply *charger;
struct power_supply *battery;
struct delayed_work input_current_limit_work;
@@ -174,6 +177,11 @@ struct bq24190_dev_info {
u8  watchdog;
 };
 
+static const unsigned int bq24190_usb_extcon_cable[] = {
+   EXTCON_USB,
+   EXTCON_NONE,
+};
+
 /*
  * The tables below provide a 2-way mapping for the value that goes in
  * the register field and the real-world value that it represents.
@@ -1528,6 +1536,23 @@ static const struct power_supply_desc 
bq24190_battery_desc = {
.property_is_writeable  = bq24190_battery_property_is_writeable,
 };
 
+static int bq24190_configure_usb_otg(struct bq24190_dev_info *bdi, u8 ss_reg)
+{
+   bool otg_enabled;
+   int ret;
+
+   otg_enabled = !!(ss_reg & BQ24190_REG_SS_VBUS_STAT_MASK);
+   if (bdi->gpio_otg)
+   gpiod_set_value_cansleep(bdi->gpio_otg, !otg_enabled);
+
+   ret = extcon_set_state_sync(bdi->edev, EXTCON_USB, otg_enabled);
+   if (ret < 0)
+   dev_err(bdi->dev, "Can't set extcon state to %d: %d\n",
+   otg_enabled, ret);
+
+   return ret;
+}
+
 static void bq24190_check_status(struct bq24190_dev_info *bdi)
 {
const u8 battery_mask_ss = BQ24190_REG_SS_CHRG_STAT_MASK;
@@ -1597,8 +1622,10 @@ static void bq24190_check_status(struct bq24190_dev_info 
*bdi)
bdi->ss_reg = ss_reg;
}
 
-   if (alert_charger || alert_battery)
+   if (alert_charger || alert_battery) {
power_supply_changed(bdi->charger);
+   bq24190_configure_usb_otg(bdi, ss_reg);
+   }
if (alert_battery && bdi->battery)
power_supply_changed(bdi->battery);
 
@@ -1729,6 +1756,18 @@ static int bq24190_probe(struct i2c_client *client,
return -EINVAL;
}
 
+   bdi->gpio_otg = devm_gpiod_get_optional(dev, "otg-en", GPIOD_OUT_LOW);
+   if (IS_ERR(bdi->gpio_otg))
+   return PTR_ERR(bdi->gpio_otg);
+
+   bdi->edev = devm_extcon_dev_allocate(dev, bq24190_usb_extcon_cable);
+   if (IS_ERR(bdi->edev))
+   return PTR_ERR(bdi->edev);
+
+   ret = devm_extcon_dev_register(dev, bdi->edev);
+   if (ret < 0)
+   return ret;
+
pm_runtime_enable(dev);
pm_runtime_use_autosuspend(dev);
pm_runtime_set_autosuspend_delay(dev, 600);
@@ -1775,6 +1814,10 @@ static int bq24190_probe(struct i2c_client *client,
goto out_charger;
}
 
+   ret = bq24190_configure_usb_otg(bdi, bdi->ss_reg);
+   if (ret < 0)
+   goto out_charger;
+
ret = bq24190_sysfs_create_group(bdi);
if (ret < 0) {
dev_err(dev, "Can't create sysfs entries\n");
-- 
2.17.1

[PATCH RFC 5/5] ARM: dts: qcom: msm8974-hammerhead: add USB OTG support

[Brian Masney]

From: Jonathan Marek 

Add the device tree bindings for USB OTG support. Driver was tested
using on a LG Nexus 5 (hammerhead) phone.

Signed-off-by: Jonathan Marek 
Signed-off-by: Brian Masney 
Tested-by: Brian Masney 
---
See my cover letter for a question about how I can convert this patch
over to use a gpio-hog to get rid of the otg-en-gpios property.

 .../qcom-msm8974-lge-nexus5-hammerhead.dts| 54 +++
 arch/arm/boot/dts/qcom-msm8974.dtsi   | 11 
 2 files changed, 65 insertions(+)

diff --git a/arch/arm/boot/dts/qcom-msm8974-lge-nexus5-hammerhead.dts 
b/arch/arm/boot/dts/qcom-msm8974-lge-nexus5-hammerhead.dts
index e67d61f25a96..71e308d8628d 100644
--- a/arch/arm/boot/dts/qcom-msm8974-lge-nexus5-hammerhead.dts
+++ b/arch/arm/boot/dts/qcom-msm8974-lge-nexus5-hammerhead.dts
@@ -243,6 +243,16 @@
};
};
 
+   i2c1_pins: i2c1 {
+   mux {
+   pins = "gpio2", "gpio3";
+   function = "blsp_i2c1";
+
+   drive-strength = <2>;
+   bias-disable;
+   };
+   };
+
i2c3_pins: i2c3 {
mux {
pins = "gpio10", "gpio11";
@@ -382,6 +392,25 @@
};
};
 
+   i2c@f9923000 {
+   status = "ok";
+   pinctrl-names = "default";
+   pinctrl-0 = <&i2c1_pins>;
+   clock-frequency = <10>;
+   qcom,src-freq = <5000>;
+
+   charger: bq24192@6b {
+   compatible = "ti,bq24192";
+   reg = <0x6b>;
+   interrupts-extended = <&spmi_bus 0 0xd5 0 
IRQ_TYPE_EDGE_FALLING>;
+
+   omit-battery-class;
+
+   otg-en-gpios = <&pm8941_gpios 35 GPIO_ACTIVE_HIGH>;
+   usb_otg_vbus: usb-otg-vbus { };
+   };
+   };
+
i2c@f9925000 {
status = "ok";
pinctrl-names = "default";
@@ -399,6 +428,31 @@
amstaos,proximity-diodes = <0>;
};
};
+
+   usb@f9a55000 {
+   status = "ok";
+
+   phys = <&usb_hs1_phy>;
+   phy-select = <&tcsr 0xb000 0>;
+
+   extcon = <&charger>, <&usb_id>;
+   vbus-supply = <&usb_otg_vbus>;
+
+   hnp-disable;
+   srp-disable;
+   adp-disable;
+
+   ulpi {
+   phy@a {
+   status = "ok";
+
+   v1p8-supply = <&pm8941_l6>;
+   v3p3-supply = <&pm8941_l24>;
+
+   qcom,init-seq = /bits/ 8 <0x1 0x64>;
+   };
+   };
+   };
 };
 
 &spmi_bus {
diff --git a/arch/arm/boot/dts/qcom-msm8974.dtsi 
b/arch/arm/boot/dts/qcom-msm8974.dtsi
index a808973f9dc7..0bd584695ae8 100644
--- a/arch/arm/boot/dts/qcom-msm8974.dtsi
+++ b/arch/arm/boot/dts/qcom-msm8974.dtsi
@@ -704,6 +704,17 @@
interrupts = ;
};
 
+   i2c@f9923000 {
+   status = "disabled";
+   compatible = "qcom,i2c-qup-v2.1.1";
+   reg = <0xf9923000 0x1000>;
+   interrupts = <0 95 IRQ_TYPE_LEVEL_HIGH>;
+   clocks = <&gcc GCC_BLSP1_QUP1_I2C_APPS_CLK>, <&gcc 
GCC_BLSP1_AHB_CLK>;
+   clock-names = "core", "iface";
+   #address-cells = <1>;
+   #size-cells = <0>;
+   };
+
i2c@f9924000 {
status = "disabled";
compatible = "qcom,i2c-qup-v2.1.1";
-- 
2.17.1

Re: possible deadlock in __do_page_fault

[syzbot]

syzbot has found a reproducer for the following crash on:

HEAD commit:17b57b1883c1 Linux 4.19-rc6
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17920a7e40
kernel config:  https://syzkaller.appspot.com/x/.config?x=c0af03fe452b65fb
dashboard link: https://syzkaller.appspot.com/bug?extid=a76129f18c89f3e2ddd4
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=160c0f1140
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1788de8140

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a76129f18c89f3e2d...@syzkaller.appspotmail.com

audit: type=1800 audit(1538371187.479:30): pid=5202 uid=0 auid=4294967295  
ses=4294967295 subj=_ op=collect_data cause=failed(directio)  
comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0


==
WARNING: possible circular locking dependency detected
4.19.0-rc6+ #39 Not tainted
--
syz-executor559/5371 is trying to acquire lock:
e34677d1 (&mm->mmap_sem){}, at: __do_page_fault+0xb70/0xed0  
arch/x86/mm/fault.c:1331


but task is already holding lock:
b0c242ca (&sb->s_type->i_mutex_key#11){+.+.}, at: inode_lock  
include/linux/fs.h:738 [inline]
b0c242ca (&sb->s_type->i_mutex_key#11){+.+.}, at:  
generic_file_write_iter+0xed/0x870 mm/filemap.c:3289


which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&sb->s_type->i_mutex_key#11){+.+.}:
   down_write+0x8a/0x130 kernel/locking/rwsem.c:70
   inode_lock include/linux/fs.h:738 [inline]
   shmem_fallocate+0x18b/0x12c0 mm/shmem.c:2651
   ashmem_shrink_scan+0x238/0x660 drivers/staging/android/ashmem.c:455
   ashmem_ioctl+0x3ae/0x13a0 drivers/staging/android/ashmem.c:797
   vfs_ioctl fs/ioctl.c:46 [inline]
   file_ioctl fs/ioctl.c:501 [inline]
   do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685
   ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702
   __do_sys_ioctl fs/ioctl.c:709 [inline]
   __se_sys_ioctl fs/ioctl.c:707 [inline]
   __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707
   do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (ashmem_mutex){+.+.}:
   __mutex_lock_common kernel/locking/mutex.c:925 [inline]
   __mutex_lock+0x166/0x1700 kernel/locking/mutex.c:1072
   mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
   ashmem_mmap+0x55/0x520 drivers/staging/android/ashmem.c:361
   call_mmap include/linux/fs.h:1813 [inline]
   mmap_region+0xe82/0x1cd0 mm/mmap.c:1762
   do_mmap+0xa10/0x1220 mm/mmap.c:1535
   do_mmap_pgoff include/linux/mm.h:2298 [inline]
   vm_mmap_pgoff+0x213/0x2c0 mm/util.c:357
   ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1585
   __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
   __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
   __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
   do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&mm->mmap_sem){}:
   lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3900
   down_read+0xb0/0x1d0 kernel/locking/rwsem.c:24
   __do_page_fault+0xb70/0xed0 arch/x86/mm/fault.c:1331
   do_page_fault+0xf2/0x7e0 arch/x86/mm/fault.c:1470
   page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1161
   fault_in_pages_readable include/linux/pagemap.h:609 [inline]
   iov_iter_fault_in_readable+0x363/0x450 lib/iov_iter.c:421
   generic_perform_write+0x216/0x6a0 mm/filemap.c:3129
   __generic_file_write_iter+0x26e/0x630 mm/filemap.c:3264
   generic_file_write_iter+0x436/0x870 mm/filemap.c:3292
   call_write_iter include/linux/fs.h:1808 [inline]
   new_sync_write fs/read_write.c:474 [inline]
   __vfs_write+0x6b8/0x9f0 fs/read_write.c:487
   vfs_write+0x1fc/0x560 fs/read_write.c:549
   ksys_write+0x101/0x260 fs/read_write.c:598
   __do_sys_write fs/read_write.c:610 [inline]
   __se_sys_write fs/read_write.c:607 [inline]
   __x64_sys_write+0x73/0xb0 fs/read_write.c:607
   do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  &mm->mmap_sem --> ashmem_mutex --> &sb->s_type->i_mutex_key#11

 Possible unsafe locking scenario:

   CPU0CPU1
   
  lock(&sb->s_type->i_mutex_key#11);
   lock(ashmem_mutex);
   lock(&sb->s_type->i_mutex_key#11);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

2 locks held by syz-executor559/5371:
 #0: 12b388bb (sb_writers#5){.+.+}, at: file_start_write  
include/linux/fs.h:2759 [inline]
 #0: 12b388bb (sb_writers#

Re: [PATCH] PM / OPP: Refactor counting of added OPPs for v2 to avoid unsupported OPPs

[Viresh Kumar]

On 21-08-18, 22:10, Dave Gerlach wrote:

Please ping people back if you haven't received a response for too long. Sorry
that I missed getting to this at an earlier point of time.

> Currently the _of_add_opp_table_v2 call loops through the OPP nodes in
> the operating-points-v2 table in the device tree and calls
> _opp_add_static_v2 for each to add them to the table. It counts each
> iteration through this loop as an added OPP, however on platforms making
> use of the opp-supported-hw property, _opp_add_static_v2 does not add
> OPPs that are not seen as supported on the platform but still returns
> success, as this is valid. Because of this the count variable will
> contain the number of OPP nodes in the table in device tree but not
> necessarily the ones that are supported and actually added.
> 
> As this count value is what is checked to determine if there are any
> valid OPPs, if a platform has an operating-points-v2 table with all OPP
> nodes containing opp-supported-hw values that are not currently
> supported then _of_add_opp_table_v2 will fail to abort as it should due
> to an empty table.
> 
> Additionally, since commit 3ba98324e81a ("PM / OPP: Get
> performance state using genpd helper"), the same count variable is
> compared against the number of OPPs containing performance states and
> requires that either all or none have pstates set, however in the case
> of any opp table that has any entries that do not get added by
> _opp_add_static_v2 due to incompatible opp-supported-hw fields, these
> numbers will not match and _of_add_opp_table_v2 will incorrectly fail.
> 
> In order to ensure the count variable reflects the number of OPPs
> actually in the table, increment it during the existing loop which walks
> the opp table to check if pstate is set and then use that for the
> aforementioned checks.
> 
> Fixes: 3ba98324e81a ("PM / OPP: Get performance state using genpd helper")
> Signed-off-by: Dave Gerlach 
> ---
>  drivers/opp/of.c | 15 ++-
>  1 file changed, 10 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/opp/of.c b/drivers/opp/of.c
> index 7af0ddec936b..f288f83a2e62 100644
> --- a/drivers/opp/of.c
> +++ b/drivers/opp/of.c
> @@ -399,8 +399,6 @@ static int _of_add_opp_table_v2(struct device *dev, 
> struct device_node *opp_np)
>  
>   /* We have opp-table node now, iterate over it and add OPPs */
>   for_each_available_child_of_node(opp_np, np) {
> - count++;
> -
>   ret = _opp_add_static_v2(opp_table, dev, np);
>   if (ret) {
>   dev_err(dev, "%s: Failed to add OPP, %d\n", __func__,
> @@ -411,15 +409,22 @@ static int _of_add_opp_table_v2(struct device *dev, 
> struct device_node *opp_np)
>   }
>   }
>  
> + /*
> +  * Iterate over the list of OPPs that were actually added, as
> +  * OPPs not supported by the hardware will be ignored by
> +  * _opp_add_static_v2 above.
> +  */
> + list_for_each_entry(opp, &opp_table->opp_list, node) {
> + count++;
> + pstate_count += !!opp->pstate;
> + }

So the problem is genuine and is still true with the latest code in linux-next,
but this patch wouldn't fix all cases. What if some OPPs were dynamically added
using dev_pm_opp_add() and everything failed in this routine? We will still have
the problem you are trying to fix here.

What needs to be done is to identify the case where the OPP wasn't supported.
Maybe return the new OPPs pointer from _opp_add_static_v2(), return -ve ERR_PTR
values on error and NULL for the case where OPP isn't added but that's not an
error. Apart from your example another case is of duplicate OPPs where we return
0 without adding the OPP.

Please post patch against linux-next as some updates are already pushed for OPP
core there.

-- 
viresh

Re: [PATCH 01/19] staging: rtl8188eu: cleanup inconsistent indenting

[Dan Carpenter]

On Sun, Sep 30, 2018 at 01:30:11PM -0700, Joe Perches wrote:
> On Sun, 2018-09-30 at 21:52 +0200, Michael Straube wrote:
> > Cleanup all inconsistent indenting reported by smatch.
> 
> There are also some others like:
> 
> drivers/staging/rtl8188eu/core/rtw_mlme.c:1752: WARNING:SUSPECT_CODE_INDENT: 
> suspect code indent for conditional statements (8, 24)
> 1750: if ((ndisauthmode == Ndis802_11AuthModeWPA) ||
> 1751: (ndisauthmode == Ndis802_11AuthModeWPAPSK))
> 1752: authmode = _WPA_IE_ID_;
> 
> Perhaps smatch can be enhanced to find those too.
> 

Style issues are not something I want to get into...  I had hoped that
this test would find bugs, because stuff like this looks so suspicious:

diff --git a/drivers/staging/rtl8188eu/core/rtw_ieee80211.c 
b/drivers/staging/rtl8188eu/core/rtw_ieee80211.c
index 20f34d25c369..5c4ff81987bd 100644
--- a/drivers/staging/rtl8188eu/core/rtw_ieee80211.c
+++ b/drivers/staging/rtl8188eu/core/rtw_ieee80211.c
@@ -246,7 +246,7 @@ int rtw_generate_ie(struct registry_priv *pregistrypriv)
wireless_mode = pregistrypriv->wireless_mode;
}

-   rtw_set_supported_rate(pdev_network->SupportedRates, 
wireless_mode);
+   rtw_set_supported_rate(pdev_network->SupportedRates, wireless_mode);

rateLen = rtw_get_rateset_len(pdev_network->SupportedRates);

But I've never found even one bug with the inconsistent indenting
check.  The other related test about missing curly braces is pretty
useful though.

regards,
dan carpenter

Re: [RFC 0/2] ns: introduce binfmt_misc namespace

[Andy Lutomirski]

On Sun, Sep 30, 2018 at 4:47 PM Laurent Vivier  wrote:
>
> This series introduces a new namespace for binfmt_misc.
>

This seems conceptually quite reasonable, but I'm wondering if the
number of namespace types is getting out of hand given the current
API.  Should we be considering whether we need a new set of namespace
creation APIs that scale better to larger numbers of namespace types?

Re: [PATCH] staging: rtlwifi: Removed unused define and code efuse_re_pg* from wifi.h

[Kalle Valo]

Joe Perches  writes:

> On Sun, 2018-09-30 at 20:29 +0200, Rick Veens wrote:
>> The following:
>>  bool efuse_re_pg_sec1flag;
>>  u8 efuse_re_pg_data[8];
>> are not referenced anywhere in the rtlwifi code.
>> 
>> Signed-off-by: Rick Veens 
>> ---
>>  drivers/staging/rtlwifi/wifi.h | 4 
>
> Presumably the equivalent uses in
>   drivers/net/wireless/realtek/rtlwifi/wifi.h
> should be removed as well.

But if it's needed, just do it in separate patch as the patches go via
different trees.

-- 
Kalle Valo

Re: [PATCH 0/3] namei: implement various scoping AT_* flags

[Dave Chinner]

On Sat, Sep 29, 2018 at 08:34:50PM +1000, Aleksa Sarai wrote:
> I've added some selftests for this, but it's not clear to me whether
> they should live here or in xfstests (as far as I can tell there are no
> other VFS tests in selftests, while there are some tests that look like
> generic VFS tests in xfstests). If you'd prefer them to be included in
> xfstests, let me know.

xfstests, please. That way the new functionality will get immediate
coverage by all the main filesystem development and distro QA
teams

Cheers,

Dave.
-- 
Dave Chinner
da...@fromorbit.com

Licenses and revocability, in a paragraph or less. (for the lay-man)

[freedomfromruin]

As has been stated in easily accessible terms elsewhere:
"Most courts hold that simple, non-exclusive licenses with unspecified 
durations that are silent on revocability are revocable at will. This 
means that the licensor may terminate the license at any time, with or 
without cause." +


Version 2 of the GPL specifies no duration, nor does it declare that it 
is non-revocable by the grantor.


(Also note: A perpetual license may violate the rule against 
perpetuities in various jurisdictions where it is applied not only to 
real property but additionally to personal property (and the like), 
which is why the GPL-3's term of duration is set as the duration of 
copyright on the program (and not "forever"))


+[https://www.sidley.com/en/insights/newsupdates/2013/02/the-terms-revocable-and-irrevocable-in-license-agreements-tips-and-pitfalls]

"You are easily replacable" Bruce Peren's message to past contributors.

[freedomfromruin]

"You are easily replacable" Bruce Peren's message to past contributors.:


"Any actual kernel developers who leave will be replaced by one of the 
other 4000 active this year. If they have been vociferous about their 
rights to entirely unlimited conduct (and all of the side-issues that 
seem to come with that) it may be that the folks on the kernel mailing 
list are already tired of them and won't miss them."


https://news.slashdot.org/comments.pl?sid=12682608&cid=57394936

The free software conservancy is wrong.

[freedomfromruin]

Gnu GPL version 2, section 0:
"Each licensee is addressed as "you". "

The "you" is not referring to the licensor (copyright owner). It is 
referring to the licensees and then future 
sub-licensees/additional-licensees receiving the work from said previous 
licensee.


It is independently clear from the context of the clauses if you read 
them in full.


...and then section 0 comes around and makes it _explicit_ that "you" 
refers to the licensee. (if you had any doubt)


Additionally, you should know that the copyright owner is not bound by 
the gratuitous license he proffers to potential licensees regarding his 
property. The licensees are bound to his terms: he is the owner. They 
take at his benefaction.



GNU GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License.  The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language.  (Hereinafter, translation is included without limitation in
the term "modification".)  Each licensee is addressed as "you".



-
-



The free software conservancy has tendered its response:
http://sfconservancy.org/news/2018/sep/26/GPLv2-irrevocability/
http://copyleft.org/guide/comprehensive-gpl-guidech8.html#x11-540007.4


""
"The GPLv2 have several provisions that, when taken together, can be 
construed as an irrevocable license from each contributor. "

""

It cites:


  " That license granted to downstream is irrevocable, again 
provided that the downstream user complies with the license terms: 
\u201c[P]arties who have received copies, or rights, from you under this 
License will not have their licenses terminated so long as such parties 
remain in full compliance\u201d (GPLv2§4). "


However this is disingenuous

The full text of section 4 is as follows:

""
  4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License.  Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
""



The "You" in section 4 is speaking of the licensee regarding 
sub-licensees, it is not speaking to the licensor/copyright-holder.


IE: if the licensee loses his license, through operation of the 
automatic-revocation provisions, the sub-licensees do not also lose 
their licenses.


IE: The language is disclaiming a chain topography for license 
distribution, and instead substituting a hub-and-spoke topography (all 
licenses originating from the copyright holder, not the 
previous-in-line)


GPLv3 added a no-rescission clause for a reason: the reason being to 
attempt to create an estoppel defense for the licensees against the 
licensor. You will notice that Eben Moglen never speaks on these issues. 
(He preumably is aware of the weaknesses vis a vis the US copyright 
regime.)


Section 6 further clarifies the hub-and-spoke model:
""
   6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions.  You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
""

The memorandum posted then goes on to a discussion of estoppel, 
detrimental reliance, etc; noting that users may have relied on the 
software and their licenses may be estopped from being revoked from said 
users since doing so might cause them unanticipated loss. This is 
speaking of already published, existent, versions of the program used by 
end users.


The memorandum seems to ignore what happens to "upstream" once said 
project  receives a revocation notice. Thought it may be possible that 
users of a published piece of software may have defenses to license 
revocation, the same is not true regarding the rescinded property 
vis-a-vis future prospective versions of the software nor of future 
prospective licensees of said software.


That is: once the grant to use the code in question is rescinded, future 
versions of the software may not use that code. Current users of the 
software may be-able to raise an estoppel / detrimental reliance defense 
regarding the current publis

Why the FSF collects copyright assignments.

[freedomfromruin]

The paramount reason Eben Moglen has the FSF accepting contributions 
only with copyright assignment is because the grantor of a license that 
is a gratuity (no consideration (read: usually money) given) can remove 
the permission regarding the use of his property at his pleasure.


(Regardless of the story that was promulgated for the public ("only to 
have standing to sue under copyright, since the GPL is a bare license 
and does not give rise to contract damages") - which was and is a 
half-truth only (Yes: you do need to own the rights to a work to sue 
under copyright, Yes the GPL is a bare license, No: that's not the whole 
reason why one would want the author to no-longer hold the copyright))

Why the FSF collects copyright assignments.

[freedomfromruin]

The paramount reason Eben Moglen has the FSF accepting contributions 
only with copyright assignment is because the grantor of a license that 
is a gratuity (no consideration (read: usually money) given) can remove 
the permission regarding the use of his property at his pleasure.


(Regardless of the story was promulgated for the public)

Re: [PATCH v6 2/2] iio: proximity: vl53l0x: add interrupt support

[Song Qiang]

On Fri, Sep 28, 2018 at 06:52:13PM -0500, Rob Herring wrote:
> On Fri, Sep 28, 2018 at 4:36 AM Song Qiang  wrote:
> >
> > On Wed, Sep 26, 2018 at 05:46:18PM -0500, Rob Herring wrote:
> > > On Sat, Sep 22, 2018 at 04:05:23PM +0100, Jonathan Cameron wrote:
> > > > On Tue, 18 Sep 2018 16:24:22 +0800
> > > > Song Qiang  wrote:
> > > >
> > > > > The first version of this driver issues a measuring request and 
> > > > > polling
> > > > > for a status register in the device for measuring completes.
> > > > > vl53l0x support configuring GPIO1 on it to generate interrupt to
> > > > > indicate that new measurement is ready. This patch adds support for
> > > > > using this mechanisim to reduce cpu cost.
> > > > >
> > > > > Signed-off-by: Song Qiang 
> > > > Hi Song.
> > > >
> > > > Looks correct in principal but a few things to tidy up before
> > > > this is ready to apply.
> > > >
> > > > Also we have an unrelated change in here to check the devices ID.
> > > > That should be in it's own patch.
> > > >
> > > > Thanks,
> > > >
> > > > Jonathan
> > > > > ---
> > > > >  .../bindings/iio/proximity/vl53l0x.txt|  14 +-
> > >
> > > This should have been split with the complete binding in one patch
> > > rather than piecemeal driver feature by feature.
> > >
> >
> > Hi Rob,
> >
> > A few days ago when I was submitting this driver, I didn't do it very
> > well, the function of this driver is limited. I added interrupt support
> > the next day after you acked my first patch. I thought it's not polite
> > to add something after someone acked that patch, so I send the interrupt
> > support as a second patch. The first patch is merged to togreg now, but
> > this doesn't. I don't know when can I add new functions to the code that
> > just merged to togreg branch, could you offer some suggestions?
> 
> You just needed to state why you didn't add a ack. But really, just
> don't send things except as RFC until they are "done".
> 
> What to do next depends on Jonathan and whether he wants a follow-up
> patch or he will drop the first one.
> 
> > > > >  drivers/iio/proximity/vl53l0x-i2c.c   | 135 
> > > > > +++---
> > > > >  2 files changed, 129 insertions(+), 20 deletions(-)
> > > > >
> > > > > diff --git 
> > > > > a/Documentation/devicetree/bindings/iio/proximity/vl53l0x.txt 
> > > > > b/Documentation/devicetree/bindings/iio/proximity/vl53l0x.txt
> > > > > index ab9a9539fec4..40290f8dd70f 100644
> > > > > --- a/Documentation/devicetree/bindings/iio/proximity/vl53l0x.txt
> > > > > +++ b/Documentation/devicetree/bindings/iio/proximity/vl53l0x.txt
> > > > > @@ -4,9 +4,21 @@ Required properties:
> > > > >   - compatible: must be "st,vl53l0x-i2c"
> > >
> > > Is there more than one interface on this device, such as SPI? If not,
> > > then '-i2c' should be dropped.
> > >
> >
> > Yes, there is a CCI(Camera Control Interface) for communication.
> 
> Isn't CCI just a subset of I2C? I should clarify my question is
> whether there's more than 1 mutually exclusive control interface (as
> many devices have control and data interfaces) where you could have 2
> different drivers. A common example are devices with I2C and SPI
> interfaces.
> 
> Rob

Hi Rob, Jonathan,

I don't know things about CCI very well, and google also tells me little
about it. Actually, I found it difficult to find a standard definition
about it. Then I dug into vl53l0x's API source code, and what I can
tell is when we use these two interfaces, the whole programming
framework is different, even though the pysical bus of them are likely
to be the same. 
Source code of CCI uses a 'msm_camera_i2c_fn_t' struct and a
'v4l2_file_operations' as hardware interfaces for controlling device,
while the i2c one just uses generic i2c bus interfaces.

This explanation is for why the file name still contains '-i2c'.

yours,
Song Qiang

[PATCH] HID: i2c-hid: Add a small delay after powering on/off the device

[Kai-Heng Feng]

Raydium touchpanel (2386:4B33) sometimes does not workin desktop session
although it works in display manager.

During user logging, the display manager exits, close the HID device,
then the device gets runtime suspended and powered off. The desktop
session begins shortly after, opens the HID device, then the device gets
runtime resumed and powered on.

If the trasition from display manager to desktop sesesion is fast, the
touchpanel cannot switch from powered off to powered on in short
timeframe. So add a small delay to workaround the issue.

Signed-off-by: Kai-Heng Feng 
---
 drivers/hid/i2c-hid/i2c-hid.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index f3076659361a..ff5682cc1bce 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -409,6 +409,8 @@ static int i2c_hid_set_power(struct i2c_client *client, int 
power_state)
 
if (ret)
dev_err(&client->dev, "failed to change power setting.\n");
+   else
+   msleep(20);
 
 set_pwr_exit:
return ret;
-- 
2.17.1

[PATCH] ACPI/sbs: Fix GPE storm on recent MacBookPro's.

[Ronald Tschalär]

On Apple machines, plugging-in or unplugging the power triggers a GPE
for the EC. Since these machines expose an SBS device, this GPE ends
up triggering the acpi_sbs_callback(). This in turn tries to get the
status of the SBS charger. However, on MBP13,* and MBP14,* machines,
performing the smbus-read operation to get the charger's status triggers
the EC's GPE again. The result is an endless re-triggering and handling
of that GPE, consuming significant CPU resources (> 50% in irq).

In the end this is quite similar to commit 3031cddea633 (ACPI / SBS:
Don't assume the existence of an SBS charger), except that on the above
machines a status of all 1's is returned. And like there, we just want
ignore the charger here.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=198169
CC: Zhang Rui 
Signed-off-by: Ronald Tschalär 
---
 drivers/acpi/sbs.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c
index 295b59271189..96c5e27967f4 100644
--- a/drivers/acpi/sbs.c
+++ b/drivers/acpi/sbs.c
@@ -441,9 +441,13 @@ static int acpi_ac_get_present(struct acpi_sbs *sbs)
 
/*
 * The spec requires that bit 4 always be 1. If it's not set, assume
-* that the implementation doesn't support an SBS charger
+* that the implementation doesn't support an SBS charger.
+*
+* And on some MacBooks a status of 0x is always returned, no
+* matter whether the charger is plugged in or not, which is also
+* wrong, so ignore the SBS charger for those too.
 */
-   if (!((status >> 4) & 0x1))
+   if (!((status >> 4) & 0x1) || status == 0x)
return -ENODEV;
 
sbs->charger_present = (status >> 15) & 0x1;
-- 
2.17.1

[PATCH] ACPI/sbshc: Fix rare oops when removing modules.

[Ronald Tschalär]

There was a small race when removing the sbshc module where
smbus_alarm() had queued acpi_smbus_callback() for deferred execution
but it hadn't been run yet, so that when it did run hc had been freed
and the module unloaded, resulting in an invalid paging request.

A similar race existed when removing the sbs module with regards to
acpi_sbs_callback() (which is called from acpi_smbus_callback()).

We therefore need to ensure no callbacks are pending or executing before
the cleanups are done and the modules are removed.

Signed-off-by: Ronald Tschalär 
---
 drivers/acpi/osl.c   | 1 +
 drivers/acpi/sbshc.c | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index 8df9abfa947b..9d139727f164 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -1129,6 +1129,7 @@ void acpi_os_wait_events_complete(void)
flush_workqueue(kacpid_wq);
flush_workqueue(kacpi_notify_wq);
 }
+EXPORT_SYMBOL(acpi_os_wait_events_complete);
 
 struct acpi_hp_work {
struct work_struct work;
diff --git a/drivers/acpi/sbshc.c b/drivers/acpi/sbshc.c
index 7a3431018e0a..5008ead4609a 100644
--- a/drivers/acpi/sbshc.c
+++ b/drivers/acpi/sbshc.c
@@ -196,6 +196,7 @@ int acpi_smbus_unregister_callback(struct acpi_smb_hc *hc)
hc->callback = NULL;
hc->context = NULL;
mutex_unlock(&hc->lock);
+   acpi_os_wait_events_complete();
return 0;
 }
 
@@ -292,6 +293,7 @@ static int acpi_smbus_hc_remove(struct acpi_device *device)
 
hc = acpi_driver_data(device);
acpi_ec_remove_query_handler(hc->ec, hc->query_bit);
+   acpi_os_wait_events_complete();
kfree(hc);
device->driver_data = NULL;
return 0;
-- 
2.17.1

Re: [PATCH] printk: inject caller information into the body of message

[Sergey Senozhatsky]

On (10/01/18 11:37), Sergey Senozhatsky wrote:
> If we are about to have a list of printk buffers then we probably can
> define a list of NR_CPUS cont buffers. And we probably can reuse the
> existing struct cont for buffered printk, having 2 different struct-s
> for the same thing - struct cont and struct printk_buffer - is not very
> cool.

And we also can re-use cont_add() / cont_flush() / etc.
Just pass a specific struct cont *cont to those functions.

> All printk()-s are limited by LOG_LINE_MAX. Buffered printk() is not
> special.

Correction: I was wrong about this.

Looking at cont handling, it seems that buffered printk is special after
all. We do let it to be over LOG_LINE_MAX:

if (nr_ext_console_drivers || cont.len + len > sizeof(cont.buf))
cont_flush();

-ss

Re: [LKP] [flow_dissector] d58e468b11: BUG:unable_to_handle_kernel

[Willem de Bruijn]

On Sat, Sep 29, 2018 at 11:20 PM kernel test robot
 wrote:
>
> FYI, we noticed the following commit (built with gcc-7):
>
> commit: d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9 ("flow_dissector: implements 
> flow dissector BPF hook")
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
>
> in testcase: test_bpf
> with following parameters:
>
> test: jit
>
>
>
> on test machine: qemu-system-x86_64 -enable-kvm -cpu host -smp 2 -m 2G
>
> caused below changes (please refer to attached dmesg/kmsg for entire 
> log/backtrace):
>
>
> +--+++
> |  | 1edb6e035e | d58e468b11 |
> +--+++
> | boot_successes   | 16 | 0  |
> | boot_failures| 0  | 4  |
> | BUG:unable_to_handle_kernel  | 0  | 4  |
> | Oops:#[##]   | 0  | 4  |
> | RIP:__skb_flow_dissect   | 0  | 4  |
> | Kernel_panic-not_syncing:Fatal_exception | 0  | 4  |
> +--+++
>
>
>
> [   11.372447] BUG: unable to handle kernel paging request at 1288
> [   11.375142] PGD 0 P4D 0
> [   11.375884] Oops:  [#1] SMP PTI
> [   11.376822] CPU: 1 PID: 446 Comm: modprobe Not tainted 
> 4.19.0-rc2-00341-gd58e468 #1
> [   11.378646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
> 1.10.2-1 04/01/2014
> [   11.380605] RIP: 0010:__skb_flow_dissect+0x8e/0x1690
> [   11.381777] Code: 05 f7 d3 79 7e 4d 8d 14 07 41 0f b7 44 24 06 66 89 85 3e 
> ff ff ff 48 85 db 0f 84 12 02 00 00 48 8b 43 10 48 8b 80 e8 04 00 00 <48> 8b 
> 90 88 12 00 00 48 85 d2 0f 84 f7 01 00 00 48 8d 4d 92 31 c0
> [   11.385799] RSP: 0018:c98c7a80 EFLAGS: 00010286
> [   11.387040] RAX:  RBX: 88007e80d600 RCX: 
> 
> [   11.388612] RDX: c98c7bb4 RSI: 828b3cc0 RDI: 
> 88007e80d600
> [   11.390178] RBP: c98c7b80 R08:  R09: 
> 000e
> [   11.391747] R10: c98c7bb4 R11: 88007ea34c00 R12: 
> 828b3cc0
> [   11.393315] R13: 0008 R14: 001e R15: 
> c98c7bb4
> [   11.394870] FS:  7f64be17e700() GS:88007290() 
> knlGS:
> [   11.396785] CS:  0010 DS:  ES:  CR0: 80050033
> [   11.398112] CR2: 1288 CR3: 7ee8e002 CR4: 
> 000606e0
> [   11.399693] Call Trace:
> [   11.400425]  ? vsnprintf+0xf2/0x4b0
> [   11.401335]  ? up+0x12/0x60
> [   11.402116]  ? _cond_resched+0x19/0x30
> [   11.403069]  ? skb_get_poff+0x4b/0xa0
> [   11.404010]  ? __kmalloc_reserve+0x2e/0x80
> [   11.405145]  skb_get_poff+0x4b/0xa0
> [   11.406050]  bpf_skb_get_pay_offset+0xa/0x10

Thanks for the report. This has most likely been fixed, by commit
100811936f89f ("bpf: test_bpf: add init_net to dev for
flow_dissector")

Re: [PATCH] printk: inject caller information into the body of message

[Sergey Senozhatsky]

On (09/29/18 20:15), Tetsuo Handa wrote:
> 
> Because there is no guarantee that memory information is dumped under the
> oom_lock mutex. The oom_lock is held when calling out_of_memory(), and it
> cannot be held when reporting GFP_ATOMIC memory allocation failures.

IOW, static pr_line buffer needs additional synchronization for OOM. Correct?

If we are about to have a list of printk buffers then we probably can
define a list of NR_CPUS cont buffers. And we probably can reuse the
existing struct cont for buffered printk, having 2 different struct-s
for the same thing - struct cont and struct printk_buffer - is not very
cool.

> But I don't want line buffered printk() API to truncate upon out of
> space for line buffered printk() API.

All printk()-s are limited by LOG_LINE_MAX. Buffered printk() is not
special.

-ss

Re: [PATCH 10/11] ALSA: hda/ca0132 - Add ZxR 600 ohm gain control

[Takashi Sakamoto]

Hi,

On Sep 30 2018 12:03, Connor McAdams wrote:

This patch adds a control for 600 ohm gain on the Sound Blaster ZxR.

Signed-off-by: Connor McAdams 
---
  sound/pci/hda/patch_ca0132.c | 44 ++--
  1 file changed, 42 insertions(+), 2 deletions(-)

diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
index f0781e4..90e6a96 100644
--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
..
@@ -6415,6 +6452,9 @@ static int ca0132_build_controls(struct hda_codec *codec)
ae5_add_headphone_gain_enum(codec);
ae5_add_sound_filter_enum(codec);
}
+
+   if (spec->quirk == QUIRK_ZXR)
+   zxr_add_headphone_gain_switch(codec);
  #ifdef ENABLE_TUNING_CONTROLS
add_tuning_ctls(codec);
  #endif


Though error code can be returned in a call of snd_hda_ctl_add(), it's 
not handled correctly in 'ca0132_build_controls()'. At least, return

code in calls of below functions is better to be checked.

 - add_voicefx()
 - add_ca0132_alt_eq_presets()
 - ca0132_alt_add_svm_enum()
 - ca0132_alt_add_output_enum
 - ca0132_alt_add_input_enum
 - ca0132_alt_add_mic_boost_enum
 - ae5_add_headphone_gain_enum
 - ae5_add_sound_filter_enum
 - zxr_add_headphone_gain_switch

This is not a strong request and you can work for it after merging this
patchset. We have two weeks more till next merge window.


Regards

Takashi Sakamoto

Re: [PATCH 05/11] ALSA: hda/ca0132 - Add DBpro hda_codec_ops

[Takashi Sakamoto]

Hi,

On Sep 30 2018 12:03, Connor McAdams wrote:

This patch adds separate hda_codec_ops for the DBPro daughter board, as
it behaves more like a generic HDA codec than the other ca0132 cards,
despite having a ca0132 on board.

Signed-off-by: Connor McAdams 
---
  sound/pci/hda/patch_ca0132.c | 100 +++
  1 file changed, 100 insertions(+)

diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
index 4d23eb9..a543b23 100644
--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
...
@@ -8192,6 +8282,13 @@ static const struct hda_codec_ops ca0132_patch_ops = {
...
+
  static void ca0132_config(struct hda_codec *codec)
  {
struct ca0132_spec *spec = codec->spec;
@@ -8488,6 +8585,9 @@ static int patch_ca0132(struct hda_codec *codec)
spec->mixers[0] = desktop_mixer;
snd_hda_codec_set_name(codec, "Sound Blaster Z");
break;
+   case QUIRK_ZXR_DBPRO:
+   codec->patch_ops = dbpro_patch_ops;
+   break;


This patch looks good to me, but in a view of prevention from
errors in future work (you will do), it's not better to assign to
'struct hda_codec.patch_ops' in different lines which have larger
distance.

8551 static int patch_ca0132(struct hda_codec *codec)
8552 {
...
8565 codec->patch_ops = ca0132_patch_ops;
...
8588 case QUIRK_ZXR_DBPRO:
8589 codec->patch_ops = dbpro_patch_ops;
...

This is not a strong request but I recommend you to reorder procedures 
done in 'patch_ca0132()' so that:


patch_ca0132()
->kzalloc(sizeof(struct ca0132_spec))
->snd_pci_quirk_lookup() and sbz_detect_quirk()
->'codec' preparation (assignment to members in hda_codec, etc.)
->'spec' preparation (assignment to members in ca0132_spec, etc.)


Regards

Takashi Sakamoto

[PATCH V9 3/8] clocksource: add C-SKY SMP timer

[Guo Ren]

This timer is used by SMP system and use mfcr/mtcr instruction
to access the regs.

Changelog:
 - Remove #define CPUHP_AP_CSKY_TIMER_STARTING
 - Add CPUHP_AP_CSKY_TIMER_STARTING in cpuhotplug.h
 - Support csky mp timer alpha version.
 - Just use low-counter with 32bit width as clocksource.
 - Coding convention with upstream feed-back.

Signed-off-by: Guo Ren 
---
 drivers/clocksource/Kconfig|   8 ++
 drivers/clocksource/Makefile   |   1 +
 drivers/clocksource/csky_mptimer.c | 176 +
 include/linux/cpuhotplug.h |   1 +
 4 files changed, 186 insertions(+)
 create mode 100644 drivers/clocksource/csky_mptimer.c

diff --git a/drivers/clocksource/Kconfig b/drivers/clocksource/Kconfig
index a11f4ba..a28043f 100644
--- a/drivers/clocksource/Kconfig
+++ b/drivers/clocksource/Kconfig
@@ -620,4 +620,12 @@ config RISCV_TIMER
  is accessed via both the SBI and the rdcycle instruction.  This is
  required for all RISC-V systems.
 
+config CSKY_MPTIMER
+   bool "C-SKY Multi Processor Timer"
+   depends on CSKY
+   select TIMER_OF
+   help
+ Say yes here to enable C-SKY SMP timer driver used for C-SKY SMP
+ system.
+
 endmenu
diff --git a/drivers/clocksource/Makefile b/drivers/clocksource/Makefile
index db51b24..848c676 100644
--- a/drivers/clocksource/Makefile
+++ b/drivers/clocksource/Makefile
@@ -79,3 +79,4 @@ obj-$(CONFIG_CLKSRC_ST_LPC)   += clksrc_st_lpc.o
 obj-$(CONFIG_X86_NUMACHIP) += numachip.o
 obj-$(CONFIG_ATCPIT100_TIMER)  += timer-atcpit100.o
 obj-$(CONFIG_RISCV_TIMER)  += riscv_timer.o
+obj-$(CONFIG_CSKY_MPTIMER) += csky_mptimer.o
diff --git a/drivers/clocksource/csky_mptimer.c 
b/drivers/clocksource/csky_mptimer.c
new file mode 100644
index 000..9dc3cfb
--- /dev/null
+++ b/drivers/clocksource/csky_mptimer.c
@@ -0,0 +1,176 @@
+// SPDX-License-Identifier: GPL-2.0
+// Copyright (C) 2018 Hangzhou C-SKY Microsystems co.,ltd.
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "timer-of.h"
+
+#define PTIM_CCVR  "cr<3, 14>"
+#define PTIM_CTLR  "cr<0, 14>"
+#define PTIM_LVR   "cr<6, 14>"
+#define PTIM_TSR   "cr<1, 14>"
+
+static int csky_mptimer_set_next_event(unsigned long delta, struct 
clock_event_device *ce)
+{
+   mtcr(PTIM_LVR, delta);
+
+   return 0;
+}
+
+static int csky_mptimer_shutdown(struct clock_event_device *ce)
+{
+   mtcr(PTIM_CTLR, 0);
+
+   return 0;
+}
+
+static int csky_mptimer_oneshot(struct clock_event_device *ce)
+{
+   mtcr(PTIM_CTLR, 1);
+
+   return 0;
+}
+
+static int csky_mptimer_oneshot_stopped(struct clock_event_device *ce)
+{
+   mtcr(PTIM_CTLR, 0);
+
+   return 0;
+}
+
+static DEFINE_PER_CPU(struct timer_of, csky_to) = {
+   .flags  = TIMER_OF_CLOCK,
+   .clkevt = {
+   .rating = 300,
+   .features   = CLOCK_EVT_FEAT_PERCPU |
+ CLOCK_EVT_FEAT_ONESHOT,
+   .set_state_shutdown = csky_mptimer_shutdown,
+   .set_state_oneshot  = csky_mptimer_oneshot,
+   .set_state_oneshot_stopped  = csky_mptimer_oneshot_stopped,
+   .set_next_event = csky_mptimer_set_next_event,
+   },
+   .of_irq = {
+   .flags  = IRQF_TIMER,
+   .percpu = 1,
+   },
+};
+
+static irqreturn_t timer_interrupt(int irq, void *dev)
+{
+   struct timer_of *to = this_cpu_ptr(&csky_to);
+
+   mtcr(PTIM_TSR, 0);
+
+   to->clkevt.event_handler(&to->clkevt);
+
+   return IRQ_HANDLED;
+}
+
+/*
+ * clock event for percpu
+ */
+static int csky_mptimer_starting_cpu(unsigned int cpu)
+{
+   struct timer_of *to = per_cpu_ptr(&csky_to, cpu);
+
+   to->clkevt.cpumask = cpumask_of(cpu);
+
+   clockevents_config_and_register(&to->clkevt, timer_of_rate(to), 2, 
ULONG_MAX);
+
+   enable_percpu_irq(timer_of_irq(to), 0);
+
+   return 0;
+}
+
+static int csky_mptimer_dying_cpu(unsigned int cpu)
+{
+   struct timer_of *to = per_cpu_ptr(&csky_to, cpu);
+
+   disable_percpu_irq(timer_of_irq(to));
+
+   return 0;
+}
+
+/*
+ * clock source
+ */
+static u64 sched_clock_read(void)
+{
+   return (u64) mfcr(PTIM_CCVR);
+}
+
+static u64 clksrc_read(struct clocksource *c)
+{
+   return (u64) mfcr(PTIM_CCVR);
+}
+
+struct clocksource csky_clocksource = {
+   .name   = "csky",
+   .rating = 400,
+   .mask   = CLOCKSOURCE_MASK(32),
+   .flags  = CLOCK_SOURCE_IS_CONTINUOUS,
+   .read   = clksrc_read,
+};
+
+static int __init csky_mptimer_init(struct device_node *np)
+{
+   int ret, cpu;
+   struct timer_of *to;
+   int rate = 0;
+   int irq  = 0;
+
+   /*
+* Csky_mptimer is designed for C-SKY SMP multi-processors

[PATCH V9 0/8] C-SKY(csky) Linux Kernel Drivers

[Guo Ren]

>From "PATCH V5 00/30] C-SKY(csky) Linux Kernel Port" I seperated the
drivers from the patchset. I've sent driver patches with "V5 V6 V7 V8".

Now is V9. The changelog is in every patch.

Perhaps I should seperate driver patchset earlier and the csky port patchset
is too big now.

Any feedback is welcome, thx for all people review my patchset.

Best Regards

Guo Ren (8):
  irqchip: add C-SKY SMP interrupt controller
  dt-bindings: interrupt-controller: C-SKY SMP intc
  clocksource: add C-SKY SMP timer
  dt-bindings: timer: C-SKY Multi-processor timer
  dt-bindings: interrupt-controller: C-SKY APB intc
  irqchip: add C-SKY APB bus interrupt controller
  dt-bindings: timer: gx6605s SOC timer
  clocksource: add gx6605s SOC system timer

 .../interrupt-controller/csky,apb-intc.txt |  62 +
 .../bindings/interrupt-controller/csky,mpintc.txt  |  40 
 .../bindings/timer/csky,gx6605s-timer.txt  |  42 
 .../devicetree/bindings/timer/csky,mptimer.txt |  42 
 drivers/clocksource/Kconfig|  16 ++
 drivers/clocksource/Makefile   |   2 +
 drivers/clocksource/csky_mptimer.c | 176 ++
 drivers/clocksource/timer-gx6605s.c| 150 
 drivers/irqchip/Kconfig|  16 ++
 drivers/irqchip/Makefile   |   2 +
 drivers/irqchip/irq-csky-apb-intc.c| 260 +
 drivers/irqchip/irq-csky-mpintc.c  | 195 
 include/linux/cpuhotplug.h |   1 +
 13 files changed, 1004 insertions(+)
 create mode 100644 
Documentation/devicetree/bindings/interrupt-controller/csky,apb-intc.txt
 create mode 100644 
Documentation/devicetree/bindings/interrupt-controller/csky,mpintc.txt
 create mode 100644 
Documentation/devicetree/bindings/timer/csky,gx6605s-timer.txt
 create mode 100644 Documentation/devicetree/bindings/timer/csky,mptimer.txt
 create mode 100644 drivers/clocksource/csky_mptimer.c
 create mode 100644 drivers/clocksource/timer-gx6605s.c
 create mode 100644 drivers/irqchip/irq-csky-apb-intc.c
 create mode 100644 drivers/irqchip/irq-csky-mpintc.c

-- 
2.7.4

Re: [f2fs-dev] [PATCH] f2fs: fix quota info to adjust recovered data

[Chao Yu]

On 2018-10-1 9:27, Jaegeuk Kim wrote:
> On 10/01, Chao Yu wrote:
>> On 2018-10-1 7:58, Jaegeuk Kim wrote:
>>> On 09/29, Chao Yu wrote:
 On 2018/9/29 7:40, Jaegeuk Kim wrote:
> Testing other fix.
>
> ---
>  fs/f2fs/checkpoint.c |  7 +++
>  fs/f2fs/f2fs.h   |  1 +
>  fs/f2fs/gc.c | 10 +-
>  fs/f2fs/super.c  | 22 +-
>  4 files changed, 38 insertions(+), 2 deletions(-)
>
> diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
> index 524b87667cf4..3fde91f41a91 100644
> --- a/fs/f2fs/checkpoint.c
> +++ b/fs/f2fs/checkpoint.c
> @@ -1494,6 +1494,7 @@ int f2fs_write_checkpoint(struct f2fs_sb_info *sbi, 
> struct cp_control *cpc)
>  {
>   struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi);
>   unsigned long long ckpt_ver;
> + bool need_up = false;
>   int err = 0;
>  
>   if (unlikely(is_sbi_flag_set(sbi, SBI_CP_DISABLED))) {
> @@ -1506,6 +1507,10 @@ int f2fs_write_checkpoint(struct f2fs_sb_info 
> *sbi, struct cp_control *cpc)
>   f2fs_msg(sbi->sb, KERN_WARNING,
>   "Start checkpoint disabled!");
>   }
> + if (!is_sbi_flag_set(sbi, SBI_QUOTA_INIT)) {
> + need_up = true;
> + down_read(&sbi->sb->s_umount);

 This is to avoid show warning when calling dquot_writeback_dquots() in
 f2fs_quota_sync(), right?
>>>
>>> Yup. Unfortunately, this can't fix all the issues, so I'm testing trylock
>>> simply in this case.
>>
>> Oh, that's just warning, it could not be harmful, I think we can simply 
>> remove
>> WARN_ON_ONCE in dquot_writeback_dquots to fix this?
> 
> Well, I think it'd be better to keep it.

We'd better to ask suggestion from maintainer of quota subsystem?

Thanks,

> 
>>
>>>

> + }
>   mutex_lock(&sbi->cp_mutex);
>  
>   if (!is_sbi_flag_set(sbi, SBI_IS_DIRTY) &&
> @@ -1582,6 +1587,8 @@ int f2fs_write_checkpoint(struct f2fs_sb_info *sbi, 
> struct cp_control *cpc)
>   trace_f2fs_write_checkpoint(sbi->sb, cpc->reason, "finish checkpoint");
>  out:
>   mutex_unlock(&sbi->cp_mutex);
> + if (need_up)
> + up_read(&sbi->sb->s_umount);
>   return err;
>  }
>  
> diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
> index 57c829dd107e..30194f2f108e 100644
> --- a/fs/f2fs/f2fs.h
> +++ b/fs/f2fs/f2fs.h
> @@ -1096,6 +1096,7 @@ enum {
>   SBI_IS_SHUTDOWN,/* shutdown by ioctl */
>   SBI_IS_RECOVERED,   /* recovered orphan/data */
>   SBI_CP_DISABLED,/* CP was disabled last mount */
> + SBI_QUOTA_INIT, /* avoid sb->s_umount lock */
>   SBI_QUOTA_NEED_FLUSH,   /* need to flush quota info in 
> CP */
>   SBI_QUOTA_SKIP_FLUSH,   /* skip flushing quota in 
> current CP */
>   SBI_QUOTA_NEED_REPAIR,  /* quota file may be corrupted 
> */
> diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
> index adaf5a695b12..deece448cb3b 100644
> --- a/fs/f2fs/gc.c
> +++ b/fs/f2fs/gc.c
> @@ -55,9 +55,14 @@ static int gc_thread_func(void *data)
>   f2fs_stop_checkpoint(sbi, false);
>   }
>  
> - if (!sb_start_write_trylock(sbi->sb))
> + if (!down_read_trylock(&sbi->sb->s_umount))
>   continue;
>  
> + set_sbi_flag(sbi, SBI_QUOTA_INIT);
> +
> + if (!sb_start_write_trylock(sbi->sb))
> + goto next_umount;
> +
>   /*
>* [GC triggering condition]
>* 0. GC is not conducted currently.
> @@ -104,6 +109,9 @@ static int gc_thread_func(void *data)
>   f2fs_balance_fs_bg(sbi);
>  next:
>   sb_end_write(sbi->sb);
> +next_umount:
> + clear_sbi_flag(sbi, SBI_QUOTA_INIT);
> + up_read(&sbi->sb->s_umount);
>  
>   } while (!kthread_should_stop());
>   return 0;
> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> index a28c245b1288..40a77a4eb465 100644
> --- a/fs/f2fs/super.c
> +++ b/fs/f2fs/super.c
> @@ -1029,6 +1029,8 @@ static void f2fs_put_super(struct super_block *sb)
>   int i;
>   bool dropped;
>  
> + set_sbi_flag(sbi, SBI_QUOTA_INIT);
> +
>   f2fs_quota_off_umount(sb);
>  
>   /* prevent remaining shrinker jobs */
> @@ -1122,11 +1124,17 @@ int f2fs_sync_fs(struct super_block *sb, int sync)
>  
>   if (sync) {
>   struct cp_control cpc;
> + bool keep = is_sbi_flag_set(sbi, SBI_QUOTA_INIT);
>  
>   cpc.reason = __get_cp_reason(sbi);
>  
>   mutex_lock(&sbi->gc_mutex);
> + if (sbi->sb->s_writers.frozen >= SB_FREEZE_WRITE)
> + set_sbi_flag(sbi, SBI_QUOTA_INIT);
> +
>>

[PATCH V9 2/8] dt-bindings: interrupt-controller: C-SKY SMP intc

[Guo Ren]

Dt-bindings doc about C-SKY Multi-processors interrupt controller.

Changelog:
 - Should be: '#interrupt-cells' not 'interrupt-cells'

Signed-off-by: Guo Ren 
---
 .../bindings/interrupt-controller/csky,mpintc.txt  | 40 ++
 1 file changed, 40 insertions(+)
 create mode 100644 
Documentation/devicetree/bindings/interrupt-controller/csky,mpintc.txt

diff --git 
a/Documentation/devicetree/bindings/interrupt-controller/csky,mpintc.txt 
b/Documentation/devicetree/bindings/interrupt-controller/csky,mpintc.txt
new file mode 100644
index 000..ab921f1
--- /dev/null
+++ b/Documentation/devicetree/bindings/interrupt-controller/csky,mpintc.txt
@@ -0,0 +1,40 @@
+===
+C-SKY Multi-processors Interrupt Controller
+===
+
+C-SKY Multi-processors Interrupt Controller is designed for ck807/ck810/ck860
+SMP soc, and it also could be used in non-SMP system.
+
+Interrupt number definition:
+
+  0-15  : software irq, and we use 15 as our IPI_IRQ.
+ 16-31  : private  irq, and we use 16 as the co-processor timer.
+ 31-1024: common irq for soc ip.
+
+=
+intc node bindings definition
+=
+
+   Description: Describes SMP interrupt controller
+
+   PROPERTIES
+
+   - compatible
+   Usage: required
+   Value type: 
+   Definition: must be "csky,mpintc"
+   - #interrupt-cells
+   Usage: required
+   Value type: 
+   Definition: must be <1>
+   - interrupt-controller:
+   Usage: required
+
+Examples:
+-
+
+   intc: interrupt-controller {
+   compatible = "csky,mpintc";
+   #interrupt-cells = <1>;
+   interrupt-controller;
+   };
-- 
2.7.4

[PATCH V9 5/8] dt-bindings: interrupt-controller: C-SKY APB intc

[Guo Ren]

 - Dt-bindings doc about C-SKY apb bus interrupt controller.

Signed-off-by: Guo Ren 
Reviewed-by: Rob Herring 
---
 .../interrupt-controller/csky,apb-intc.txt | 62 ++
 1 file changed, 62 insertions(+)
 create mode 100644 
Documentation/devicetree/bindings/interrupt-controller/csky,apb-intc.txt

diff --git 
a/Documentation/devicetree/bindings/interrupt-controller/csky,apb-intc.txt 
b/Documentation/devicetree/bindings/interrupt-controller/csky,apb-intc.txt
new file mode 100644
index 000..44286dc
--- /dev/null
+++ b/Documentation/devicetree/bindings/interrupt-controller/csky,apb-intc.txt
@@ -0,0 +1,62 @@
+==
+C-SKY APB Interrupt Controller
+==
+
+C-SKY APB Interrupt Controller is a simple soc interrupt controller
+on the apb bus and we only use it as root irq controller.
+
+ - csky,apb-intc is used in a lot of csky fpgas and socs, it support 64 irq 
nums.
+ - csky,dual-apb-intc consists of 2 apb-intc and 128 irq nums supported.
+ - csky,gx6605s-intc is gx6605s soc internal irq interrupt controller, 64 irq 
nums.
+
+=
+intc node bindings definition
+=
+
+   Description: Describes APB interrupt controller
+
+   PROPERTIES
+
+   - compatible
+   Usage: required
+   Value type: 
+   Definition: must be "csky,apb-intc"
+   "csky,dual-apb-intc"
+   "csky,gx6605s-intc"
+   - #interrupt-cells
+   Usage: required
+   Value type: 
+   Definition: must be <1>
+   - reg
+   Usage: required
+   Value type: 
+   Definition:  in soc from cpu view
+   - interrupt-controller:
+   Usage: required
+   - csky,support-pulse-signal:
+   Usage: select
+   Description: to support pulse signal flag
+
+Examples:
+-
+
+   intc: interrupt-controller@50 {
+   compatible = "csky,apb-intc";
+   #interrupt-cells = <1>;
+   reg = <0x0050 0x400>;
+   interrupt-controller;
+   };
+
+   intc: interrupt-controller@50 {
+   compatible = "csky,dual-apb-intc";
+   #interrupt-cells = <1>;
+   reg = <0x0050 0x400>;
+   interrupt-controller;
+   };
+
+   intc: interrupt-controller@50 {
+   compatible = "csky,gx6605s-intc";
+   #interrupt-cells = <1>;
+   reg = <0x0050 0x400>;
+   interrupt-controller;
+   };
-- 
2.7.4

[PATCH V9 8/8] clocksource: add gx6605s SOC system timer

[Guo Ren]

Changelog:
 - Add COMIPLE_TEST in Kconfig
 - no cast is needed for "struct clock_event_device *ce = dev"
 - remove: extra space after (u64)
 - Add License and Copyright
 - Use timer-of framework
 - Change name with upstream feedback
 - Use clksource_mmio framework

Signed-off-by: Guo Ren 
---
 drivers/clocksource/Kconfig |   8 ++
 drivers/clocksource/Makefile|   1 +
 drivers/clocksource/timer-gx6605s.c | 150 
 3 files changed, 159 insertions(+)
 create mode 100644 drivers/clocksource/timer-gx6605s.c

diff --git a/drivers/clocksource/Kconfig b/drivers/clocksource/Kconfig
index a28043f..3dc24ca 100644
--- a/drivers/clocksource/Kconfig
+++ b/drivers/clocksource/Kconfig
@@ -628,4 +628,12 @@ config CSKY_MPTIMER
  Say yes here to enable C-SKY SMP timer driver used for C-SKY SMP
  system.
 
+config GX6605S_TIMER
+   bool "Gx6605s SOC system timer driver" if COMPILE_TEST
+   depends on CSKY
+   select CLKSRC_MMIO
+   select TIMER_OF
+   help
+ This option enables support for gx6605s SOC's timer.
+
 endmenu
diff --git a/drivers/clocksource/Makefile b/drivers/clocksource/Makefile
index 848c676..7a1b0f4 100644
--- a/drivers/clocksource/Makefile
+++ b/drivers/clocksource/Makefile
@@ -80,3 +80,4 @@ obj-$(CONFIG_X86_NUMACHIP)+= numachip.o
 obj-$(CONFIG_ATCPIT100_TIMER)  += timer-atcpit100.o
 obj-$(CONFIG_RISCV_TIMER)  += riscv_timer.o
 obj-$(CONFIG_CSKY_MPTIMER) += csky_mptimer.o
+obj-$(CONFIG_GX6605S_TIMER)+= timer-gx6605s.o
diff --git a/drivers/clocksource/timer-gx6605s.c 
b/drivers/clocksource/timer-gx6605s.c
new file mode 100644
index 000..3974ede
--- /dev/null
+++ b/drivers/clocksource/timer-gx6605s.c
@@ -0,0 +1,150 @@
+// SPDX-License-Identifier: GPL-2.0
+// Copyright (C) 2018 Hangzhou C-SKY Microsystems co.,ltd.
+
+#include 
+#include 
+#include 
+
+#include "timer-of.h"
+
+#define CLKSRC_OFFSET  0x40
+
+#define TIMER_STATUS   0x00
+#define TIMER_VALUE0x04
+#define TIMER_CONTRL   0x10
+#define TIMER_CONFIG   0x20
+#define TIMER_DIV  0x24
+#define TIMER_INI  0x28
+
+#define GX6605S_STATUS_CLR BIT(0)
+#define GX6605S_CONTRL_RST BIT(0)
+#define GX6605S_CONTRL_START   BIT(1)
+#define GX6605S_CONFIG_EN  BIT(0)
+#define GX6605S_CONFIG_IRQ_EN  BIT(1)
+
+static irqreturn_t gx6605s_timer_interrupt(int irq, void *dev)
+{
+   struct clock_event_device *ce = dev;
+   void __iomem *base = timer_of_base(to_timer_of(ce));
+
+   writel_relaxed(GX6605S_STATUS_CLR, base + TIMER_STATUS);
+
+   ce->event_handler(ce);
+
+   return IRQ_HANDLED;
+}
+
+static int gx6605s_timer_set_oneshot(struct clock_event_device *ce)
+{
+   void __iomem *base = timer_of_base(to_timer_of(ce));
+
+   /* reset and stop counter */
+   writel_relaxed(GX6605S_CONTRL_RST, base + TIMER_CONTRL);
+
+   /* enable with irq and start */
+   writel_relaxed(GX6605S_CONFIG_EN | GX6605S_CONFIG_IRQ_EN, base + 
TIMER_CONFIG);
+
+   return 0;
+}
+
+static int gx6605s_timer_set_next_event(unsigned long delta, struct 
clock_event_device *ce)
+{
+   void __iomem *base = timer_of_base(to_timer_of(ce));
+
+   /* use reset to pause timer */
+   writel_relaxed(GX6605S_CONTRL_RST, base + TIMER_CONTRL);
+
+   /* config next timeout value */
+   writel_relaxed(ULONG_MAX - delta, base + TIMER_INI);
+   writel_relaxed(GX6605S_CONTRL_START, base + TIMER_CONTRL);
+
+   return 0;
+}
+
+static int gx6605s_timer_shutdown(struct clock_event_device *ce)
+{
+   void __iomem *base = timer_of_base(to_timer_of(ce));
+
+   writel_relaxed(0, base + TIMER_CONTRL);
+   writel_relaxed(0, base + TIMER_CONFIG);
+
+   return 0;
+}
+
+static struct timer_of to = {
+   .flags = TIMER_OF_IRQ | TIMER_OF_BASE | TIMER_OF_CLOCK,
+   .clkevt = {
+   .rating = 300,
+   .features   = CLOCK_EVT_FEAT_DYNIRQ |
+ CLOCK_EVT_FEAT_ONESHOT,
+   .set_state_shutdown = gx6605s_timer_shutdown,
+   .set_state_oneshot  = gx6605s_timer_set_oneshot,
+   .set_next_event = gx6605s_timer_set_next_event,
+   .cpumask= cpu_possible_mask,
+   },
+   .of_irq = {
+   .handler= gx6605s_timer_interrupt,
+   .flags  = IRQF_TIMER | IRQF_IRQPOLL,
+   },
+};
+
+static u64 notrace gx6605s_sched_clock_read(void)
+{
+   void __iomem *base;
+
+   base = timer_of_base(&to) + CLKSRC_OFFSET;
+
+   return (u64)readl_relaxed(base + TIMER_VALUE);
+}
+
+static void gx6605s_clkevt_init(void __iomem *base)
+{
+   writel_relaxed(0, base + TIMER_DIV);
+   writel_relaxed(0, base + TIMER_CONFIG);
+
+   clockevents_config_and_register(&to.clkevt, timer_of_rate(&to), 2, 
ULONG_MAX);
+}
+
+static int gx6605s_clksrc_init(void __iom

[PATCH V9 7/8] dt-bindings: timer: gx6605s SOC timer

[Guo Ren]

 - Dt-bindings doc for gx6605s SOC's system timer.

Signed-off-by: Guo Ren 
Reviewed-by: Rob Herring 
---
 .../bindings/timer/csky,gx6605s-timer.txt  | 42 ++
 1 file changed, 42 insertions(+)
 create mode 100644 
Documentation/devicetree/bindings/timer/csky,gx6605s-timer.txt

diff --git a/Documentation/devicetree/bindings/timer/csky,gx6605s-timer.txt 
b/Documentation/devicetree/bindings/timer/csky,gx6605s-timer.txt
new file mode 100644
index 000..6b04344
--- /dev/null
+++ b/Documentation/devicetree/bindings/timer/csky,gx6605s-timer.txt
@@ -0,0 +1,42 @@
+=
+gx6605s SOC Timer
+=
+
+The timer is used in gx6605s soc as system timer and the driver
+contain clk event and clk source.
+
+==
+timer node bindings definition
+==
+
+   Description: Describes gx6605s SOC timer
+
+   PROPERTIES
+
+   - compatible
+   Usage: required
+   Value type: 
+   Definition: must be "csky,gx6605s-timer"
+   - reg
+   Usage: required
+   Value type: 
+   Definition:  in soc from cpu view
+   - clocks
+   Usage: required
+   Value type: phandle + clock specifier cells
+   Definition: must be input clk node
+   - interrupt
+   Usage: required
+   Value type: 
+   Definition: must be timer irq num defined by soc
+
+Examples:
+-
+
+   timer0: timer@20a000 {
+   compatible = "csky,gx6605s-timer";
+   reg = <0x0020a000 0x400>;
+   clocks = <&dummy_apb_clk>;
+   interrupts = <10>;
+   interrupt-parent = <&intc>;
+   };
-- 
2.7.4

[PATCH V9 4/8] dt-bindings: timer: C-SKY Multi-processor timer

[Guo Ren]

Dt-bingdings doc for C-SKY SMP system setting.

Changelog:
 - Drop the interrupt-parent.

Signed-off-by: Guo Ren 
---
 .../devicetree/bindings/timer/csky,mptimer.txt | 42 ++
 1 file changed, 42 insertions(+)
 create mode 100644 Documentation/devicetree/bindings/timer/csky,mptimer.txt

diff --git a/Documentation/devicetree/bindings/timer/csky,mptimer.txt 
b/Documentation/devicetree/bindings/timer/csky,mptimer.txt
new file mode 100644
index 000..15cfec0
--- /dev/null
+++ b/Documentation/devicetree/bindings/timer/csky,mptimer.txt
@@ -0,0 +1,42 @@
+
+C-SKY Multi-processors Timer
+
+
+C-SKY multi-processors timer is designed for C-SKY SMP system and the
+regs is accessed by cpu co-processor 4 registers with mtcr/mfcr.
+
+ - PTIM_CTLR "cr<0, 14>" Control reg to start reset timer.
+ - PTIM_TSR  "cr<1, 14>" Interrupt cleanup status reg.
+ - PTIM_CCVR "cr<3, 14>" Current counter value reg.
+ - PTIM_LVR  "cr<6, 14>" Window value reg to triger next event.
+
+==
+timer node bindings definition
+==
+
+   Description: Describes SMP timer
+
+   PROPERTIES
+
+   - compatible
+   Usage: required
+   Value type: 
+   Definition: must be "csky,mptimer"
+   - clocks
+   Usage: required
+   Value type: 
+   Definition: must be input clk node
+   - interrupts
+   Usage: required
+   Value type: 
+   Definition: must be timer irq num defined by soc
+
+Examples:
+-
+
+   timer: timer {
+   compatible = "csky,mptimer";
+   clocks = <&dummy_apb_clk>;
+   interrupts = <16>;
+   interrupt-parent = <&intc>;
+   };
-- 
2.7.4

[PATCH V9 6/8] irqchip: add C-SKY APB bus interrupt controller

[Guo Ren]

 - irq-csky-apb-intc is a simple SOC interrupt controller which is
   used in a lot of C-SKY CPU SOC products.

Changelog:
 - use "bool ret" instead of "int ret"
 - add support-pulse-signal in irq-csky-apb-intc.c
 - change name with upstream feed-back
 - add INTC_IFR to clear irq-pending
 - remove CSKY_VECIRQ_LEGENCY
 - change to generic irq chip framework
 - add License and Copyright
 - use irq_domain_add_linear instead of leagcy

Signed-off-by: Guo Ren 
---
 drivers/irqchip/Kconfig |   8 ++
 drivers/irqchip/Makefile|   1 +
 drivers/irqchip/irq-csky-apb-intc.c | 260 
 3 files changed, 269 insertions(+)
 create mode 100644 drivers/irqchip/irq-csky-apb-intc.c

diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig
index 92e1c20..bf12549 100644
--- a/drivers/irqchip/Kconfig
+++ b/drivers/irqchip/Kconfig
@@ -379,6 +379,14 @@ config CSKY_MPINTC
  for C-SKY SMP system. In fact it's not mmio map and it use ld/st
  to visit the controller's register inside CPU.
 
+config CSKY_APB_INTC
+   bool "C-SKY APB Interrupt Controller"
+   depends on CSKY
+   help
+ Say yes here to enable C-SKY APB interrupt controller driver used
+ by C-SKY single core SOC system. It use mmio map apb-bus to visit
+ the controller's register.
+
 endmenu
 
 config SIFIVE_PLIC
diff --git a/drivers/irqchip/Makefile b/drivers/irqchip/Makefile
index 6b739ea..72eaf53 100644
--- a/drivers/irqchip/Makefile
+++ b/drivers/irqchip/Makefile
@@ -88,4 +88,5 @@ obj-$(CONFIG_GOLDFISH_PIC)+= irq-goldfish-pic.o
 obj-$(CONFIG_NDS32)+= irq-ativic32.o
 obj-$(CONFIG_QCOM_PDC) += qcom-pdc.o
 obj-$(CONFIG_CSKY_MPINTC)  += irq-csky-mpintc.o
+obj-$(CONFIG_CSKY_APB_INTC)+= irq-csky-apb-intc.o
 obj-$(CONFIG_SIFIVE_PLIC)  += irq-sifive-plic.o
diff --git a/drivers/irqchip/irq-csky-apb-intc.c 
b/drivers/irqchip/irq-csky-apb-intc.c
new file mode 100644
index 000..cfe32a7
--- /dev/null
+++ b/drivers/irqchip/irq-csky-apb-intc.c
@@ -0,0 +1,260 @@
+// SPDX-License-Identifier: GPL-2.0
+// Copyright (C) 2018 Hangzhou C-SKY Microsystems co.,ltd.
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#define INTC_IRQS  64
+
+#define CK_INTC_ICR0x00
+#define CK_INTC_PEN31_00   0x14
+#define CK_INTC_PEN63_32   0x2c
+#define CK_INTC_NEN31_00   0x10
+#define CK_INTC_NEN63_32   0x28
+#define CK_INTC_SOURCE 0x40
+#define CK_INTC_DUAL_BASE  0x100
+
+#define GX_INTC_PEN31_00   0x00
+#define GX_INTC_PEN63_32   0x04
+#define GX_INTC_NEN31_00   0x40
+#define GX_INTC_NEN63_32   0x44
+#define GX_INTC_NMASK31_00 0x50
+#define GX_INTC_NMASK63_32 0x54
+#define GX_INTC_SOURCE 0x60
+
+static void __iomem *reg_base;
+static struct irq_domain *root_domain;
+
+static int nr_irq = INTC_IRQS;
+
+/*
+ * When controller support pulse signal, the PEN_reg will hold on signal
+ * without software trigger.
+ *
+ * So, to support pulse signal we need to clear IFR_reg and the address of
+ * IFR_offset is NEN_offset - 8.
+ */
+static void irq_ck_mask_set_bit(struct irq_data *d)
+{
+   struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
+   struct irq_chip_type *ct = irq_data_get_chip_type(d);
+   unsigned long ifr = ct->regs.mask - 8;
+   u32 mask = d->mask;
+
+   irq_gc_lock(gc);
+   *ct->mask_cache |= mask;
+   irq_reg_writel(gc, *ct->mask_cache, ct->regs.mask);
+   irq_reg_writel(gc, irq_reg_readl(gc, ifr) & ~mask, ifr);
+   irq_gc_unlock(gc);
+}
+
+static void __init ck_set_gc(struct device_node *node, void __iomem *reg_base,
+u32 mask_reg, u32 irq_base)
+{
+   struct irq_chip_generic *gc;
+
+   gc = irq_get_domain_generic_chip(root_domain, irq_base);
+   gc->reg_base = reg_base;
+   gc->chip_types[0].regs.mask = mask_reg;
+   gc->chip_types[0].chip.irq_mask = irq_gc_mask_clr_bit;
+   gc->chip_types[0].chip.irq_unmask = irq_gc_mask_set_bit;
+
+   if (of_find_property(node, "csky,support-pulse-signal", NULL))
+   gc->chip_types[0].chip.irq_unmask = irq_ck_mask_set_bit;
+}
+
+static inline u32 build_channel_val(u32 idx, u32 magic)
+{
+   u32 res;
+
+   /*
+* Set the same index for each channel
+*/
+   res = idx | (idx << 8) | (idx << 16) | (idx << 24);
+
+   /*
+* Set the channel magic number in descending order.
+* The magic is 0x00010203 for ck-intc
+* The magic is 0x03020100 for gx6605s-intc
+*/
+   return res | magic;
+}
+
+static inline void setup_irq_channel(u32 magic, void __iomem *reg_addr)
+{
+   u32 i;
+
+   /* Setup 64 channel slots */
+   for (i = 0; i < INTC_IRQS; i += 4) {
+   writel_relaxed(build_channel_val(i, magic), reg_addr + i);
+ 

[PATCH V9 1/8] irqchip: add C-SKY SMP interrupt controller

[Guo Ren]

 - Irq-csky-mpintc is C-SKY smp system interrupt controller and it
   could support 16 soft irqs, 16 private irqs, and 992 max common
   irqs.

Changelog:
 - Move IPI_IRQ into the driver
 - Remove irq_set_default_host() and use set_ipi_irq_mapping()
 - Change name with upstream feed-back
 - Change irq map, reserve soft_irq & private_irq space
 - Add License and Copyright
 - Support set_affinity for irq balance in SMP

Signed-off-by: Guo Ren 
---
 drivers/irqchip/Kconfig   |   8 ++
 drivers/irqchip/Makefile  |   1 +
 drivers/irqchip/irq-csky-mpintc.c | 195 ++
 3 files changed, 204 insertions(+)
 create mode 100644 drivers/irqchip/irq-csky-mpintc.c

diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig
index 383e7b7..92e1c20 100644
--- a/drivers/irqchip/Kconfig
+++ b/drivers/irqchip/Kconfig
@@ -371,6 +371,14 @@ config QCOM_PDC
  Power Domain Controller driver to manage and configure wakeup
  IRQs for Qualcomm Technologies Inc (QTI) mobile chips.
 
+config CSKY_MPINTC
+   bool "C-SKY Multi Processor Interrupt Controller"
+   depends on CSKY
+   help
+ Say yes here to enable C-SKY SMP interrupt controller driver used
+ for C-SKY SMP system. In fact it's not mmio map and it use ld/st
+ to visit the controller's register inside CPU.
+
 endmenu
 
 config SIFIVE_PLIC
diff --git a/drivers/irqchip/Makefile b/drivers/irqchip/Makefile
index fbd1ec8..6b739ea 100644
--- a/drivers/irqchip/Makefile
+++ b/drivers/irqchip/Makefile
@@ -87,4 +87,5 @@ obj-$(CONFIG_MESON_IRQ_GPIO)  += irq-meson-gpio.o
 obj-$(CONFIG_GOLDFISH_PIC) += irq-goldfish-pic.o
 obj-$(CONFIG_NDS32)+= irq-ativic32.o
 obj-$(CONFIG_QCOM_PDC) += qcom-pdc.o
+obj-$(CONFIG_CSKY_MPINTC)  += irq-csky-mpintc.o
 obj-$(CONFIG_SIFIVE_PLIC)  += irq-sifive-plic.o
diff --git a/drivers/irqchip/irq-csky-mpintc.c 
b/drivers/irqchip/irq-csky-mpintc.c
new file mode 100644
index 000..2b424d27
--- /dev/null
+++ b/drivers/irqchip/irq-csky-mpintc.c
@@ -0,0 +1,195 @@
+// SPDX-License-Identifier: GPL-2.0
+// Copyright (C) 2018 Hangzhou C-SKY Microsystems co.,ltd.
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+static struct irq_domain *root_domain;
+static void __iomem *INTCG_base;
+static void __iomem *INTCL_base;
+
+#define IPI_IRQ15
+#define INTC_IRQS  256
+#define COMM_IRQ_BASE  32
+
+#define INTCG_SIZE 0x8000
+#define INTCL_SIZE 0x1000
+#define INTC_SIZE  INTCL_SIZE*nr_cpu_ids + INTCG_SIZE
+
+#define INTCG_ICTLR0x0
+#define INTCG_CICFGR   0x100
+#define INTCG_CIDSTR   0x1000
+
+#define INTCL_PICTLR   0x0
+#define INTCL_SIGR 0x60
+#define INTCL_HPPIR0x68
+#define INTCL_RDYIR0x6c
+#define INTCL_SENR 0xa0
+#define INTCL_CENR 0xa4
+#define INTCL_CACR 0xb4
+
+static DEFINE_PER_CPU(void __iomem *, intcl_reg);
+
+static void csky_mpintc_handler(struct pt_regs *regs)
+{
+   void __iomem *reg_base = this_cpu_read(intcl_reg);
+
+   do {
+   handle_domain_irq(root_domain,
+ readl_relaxed(reg_base + INTCL_RDYIR),
+ regs);
+   } while (readl_relaxed(reg_base + INTCL_HPPIR) & BIT(31));
+}
+
+static void csky_mpintc_enable(struct irq_data *d)
+{
+   void __iomem *reg_base = this_cpu_read(intcl_reg);
+
+   writel_relaxed(d->hwirq, reg_base + INTCL_SENR);
+}
+
+static void csky_mpintc_disable(struct irq_data *d)
+{
+   void __iomem *reg_base = this_cpu_read(intcl_reg);
+
+   writel_relaxed(d->hwirq, reg_base + INTCL_CENR);
+}
+
+static void csky_mpintc_eoi(struct irq_data *d)
+{
+   void __iomem *reg_base = this_cpu_read(intcl_reg);
+
+   writel_relaxed(d->hwirq, reg_base + INTCL_CACR);
+}
+
+#ifdef CONFIG_SMP
+static int csky_irq_set_affinity(struct irq_data *d,
+const struct cpumask *mask_val,
+bool force)
+{
+   unsigned int cpu;
+   unsigned int offset = 4 * (d->hwirq - COMM_IRQ_BASE);
+
+   if (!force)
+   cpu = cpumask_any_and(mask_val, cpu_online_mask);
+   else
+   cpu = cpumask_first(mask_val);
+
+   if (cpu >= nr_cpu_ids)
+   return -EINVAL;
+
+   /* Enable interrupt destination */
+   cpu |= BIT(31);
+
+   writel_relaxed(cpu, INTCG_base + INTCG_CIDSTR + offset);
+
+   irq_data_update_effective_affinity(d, cpumask_of(cpu));
+
+   return IRQ_SET_MASK_OK_DONE;
+}
+#endif
+
+static struct irq_chip csky_irq_chip = {
+   .name   = "C-SKY SMP Intc",
+   .irq_eoi= csky_mpintc_eoi,
+   .irq_enable = csky_mpintc_enable,
+   .irq_disable= csky_mpintc_disable,
+#ifdef CONFIG_SMP
+   .irq_set_affinity = csky_irq_set_affinity,
+#endif
+};
+
+sta

My Sincere Greetings,

[Mrs Luiza Haydar]

My Sincere Greetings,
 
I am Mrs Luiza Haydar, I decided to donate what I have to you for investment 
towards the good work of charity organization, and  also to help the motherless 
and the less privileged ones and to carry out a charitable works in your 
Country and around the World on my Behalf.
 
I am diagnosing of throat Cancer, hospitalize for good 2 years and some months 
now and quite obvious that I have few days to live, and I am a Widow no child; 
I decided to will/donate the sum of $4.5 million to you for the good work of 
God, and also to help the motherless and less privilege and also forth 
assistance of the widows. At the moment I cannot take any telephone calls right 
now due to the fact that my relatives (that have squandered the funds for this 
purpose before) are around me and my health status also. I have adjusted my 
will and my lawyer is aware.
 
I have willed those properties to you by quoting my Personal File Routing and 
Account Information. And I have also notified the bank that I am willing that 
properties to you for a good, effective and prudent work.
 
 
It is right to say that I have been directed to do this by God.
 
 
I will be going in for a surgery soon and I want to make sure that I make this 
donation before undergoing this surgery.
 
I will need your support to make this dream come through, could you let me know 
your interest to enable me give you further information.
 
 
And I hereby advice to contact me by this email address.
Thanks
Mrs Luiza Haydar

Re: [PATCH AUTOSEL 4.18 39/65] fs/cifs: suppress a string overflow warning

[Stephen Rothwell]

Hi Sasha,

On Mon, 1 Oct 2018 00:38:27 + Sasha Levin  
wrote:
>
> From: Stephen Rothwell 
> 
> [ Upstream commit bcfb84a996f6fa90b5e6e2954b2accb7a4711097 ]
> 
> A powerpc build of cifs with gcc v8.2.0 produces this warning:
> 
> fs/cifs/cifssmb.c: In function ‘CIFSSMBNegotiate’:
> fs/cifs/cifssmb.c:605:3: warning: ‘strncpy’ writing 16 bytes into a region of 
> size 1 overflows the destination [-Wstringop-overflow=]
>strncpy(pSMB->DialectsArray+count, protocols[i].name, 16);
>^
> 
> Since we are already doing a strlen() on the source, change the strncpy
> to a memcpy().
> 
> Signed-off-by: Stephen Rothwell 
> Signed-off-by: Steve French 
> Signed-off-by: Sasha Levin 

Just wondering if this should be included as it only fixes a build
warning, there is no actual bug.  Same for the 4.9 and 4.14 versions.

-- 
Cheers,
Stephen Rothwell


pgp_SyEVw_3aO.pgp
Description: OpenPGP digital signature

Re: [RFC 1/2] ns: introduce binfmt_misc namespace

[Greg KH]

On Mon, Oct 01, 2018 at 01:46:27AM +0200, Laurent Vivier wrote:
> Signed-off-by: Laurent Vivier 
> ---

I don't take patches without any changelog text, I don't know if other
maintainers are as nice.  But for a new feature, you really should write
something...

thanks,

greg k-h

Re: [PATCH 1/2] dt-bindings: spi: fsl-lpspi: Option to allow stalling

[Hieu Tran Dang]

Agree. I will create new patch which will just allow stalling by default.

Vào Th 6, 28 thg 9, 2018 vào lúc 05:47 Mark Brown  đã viết:
>
> On Wed, Sep 26, 2018 at 09:37:39PM +0700, Đặng Trần Hiếu wrote:
>
> > Default value of the register is to allow stalling (NOSTALL bit not
> > set) but the spi-fsl-lpspi driver defaults to setting the NOSTALL bit
> > in CFGR1. To me, it's more logical to leave the NOSTALL bit off with
> > fsl,nostall binding to set the bit but as I am not sure if there are
> > other drivers depending on the NOSTALL bit being set and not wanting
> > to break other drivers hence introduction of this binding to keep the
> > current default behavior.
>
> I can't see a situation where you'd actively want to report an error
> rather than stall, stalling allows us to handle things gracefully by
> restarting things.  Even if it's a timeout situation it sounds like we
> can unblock by reading/writing the stalled FIFO, and normally you'd be
> resetting the entire IP anyway.  I'd imagine the driver is this way
> either through an oversight or because there's some bug on some silicon
> which means that stalling breaks.
>
> Probably best to just always enable stalling unless I'm misreading
> things, if it is silicon bugs on some versions then either a whitelist
> or blacklist of SoCs to enable on (depending on how common the bug is)
> would be the way forwards - that way SoCs where it works get the benefit.

linux-next: Signed-off-by missing for commit in the parisc-hd tree

[Stephen Rothwell]

Hi all,

Commit

  f17bbdb5eea2 ("parisc: Remove PTE load and fault check from L2_ptep macro")

is missing a Signed-off-by from its committer.

-- 
Cheers,
Stephen Rothwell


pgp61gh6EvjUt.pgp
Description: OpenPGP digital signature

[PATCH AUTOSEL 4.18 02/65] netfilter: xt_checksum: ignore gso skbs

[Sasha Levin]

From: Florian Westphal 

[ Upstream commit 10568f6c5761db24249c610c94d6e44d5505a0ba ]

Satish Patel reports a skb_warn_bad_offload() splat caused
by -j CHECKSUM rules:

-A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM

The CHECKSUM target has never worked with GSO skbs, and the above rule
makes no sense as kernel will handle checksum updates on transmit.

Unfortunately, there are 3rd party tools that install such rules, so we
cannot reject this from the config plane without potential breakage.

Amend Kconfig text to clarify that the CHECKSUM target is only useful
in virtualized environments, where old dhcp clients that use AF_PACKET
used to discard UDP packets with a 'bad' header checksum and add a
one-time warning in case such rule isn't restricted to UDP.

v2: check IP6T_F_PROTO flag before cmp (Michal Kubecek)

Reported-by: Satish Patel 
Reported-by: Markos Chandras 
Reported-by: Michal Kubecek 
Signed-off-by: Florian Westphal 
Reviewed-by: Michal Kubecek 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Sasha Levin 
---
 net/netfilter/Kconfig   | 12 ++--
 net/netfilter/xt_CHECKSUM.c | 22 +-
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index f0a1c536ef15..e6d5c87f0d96 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -740,13 +740,13 @@ config NETFILTER_XT_TARGET_CHECKSUM
depends on NETFILTER_ADVANCED
---help---
  This option adds a `CHECKSUM' target, which can be used in the 
iptables mangle
- table.
+ table to work around buggy DHCP clients in virtualized environments.
 
- You can use this target to compute and fill in the checksum in
- a packet that lacks a checksum.  This is particularly useful,
- if you need to work around old applications such as dhcp clients,
- that do not work well with checksum offloads, but don't want to 
disable
- checksum offload in your device.
+ Some old DHCP clients drop packets because they are not aware
+ that the checksum would normally be offloaded to hardware and
+ thus should be considered valid.
+ This target can be used to fill in the checksum using iptables
+ when such packets are sent via a virtual network device.
 
  To compile it as a module, choose M here.  If unsure, say N.
 
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
index 9f4151ec3e06..6c7aa6a0a0d2 100644
--- a/net/netfilter/xt_CHECKSUM.c
+++ b/net/netfilter/xt_CHECKSUM.c
@@ -16,6 +16,9 @@
 #include 
 #include 
 
+#include 
+#include 
+
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Michael S. Tsirkin ");
 MODULE_DESCRIPTION("Xtables: checksum modification");
@@ -25,7 +28,7 @@ MODULE_ALIAS("ip6t_CHECKSUM");
 static unsigned int
 checksum_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-   if (skb->ip_summed == CHECKSUM_PARTIAL)
+   if (skb->ip_summed == CHECKSUM_PARTIAL && !skb_is_gso(skb))
skb_checksum_help(skb);
 
return XT_CONTINUE;
@@ -34,6 +37,8 @@ checksum_tg(struct sk_buff *skb, const struct xt_action_param 
*par)
 static int checksum_tg_check(const struct xt_tgchk_param *par)
 {
const struct xt_CHECKSUM_info *einfo = par->targinfo;
+   const struct ip6t_ip6 *i6 = par->entryinfo;
+   const struct ipt_ip *i4 = par->entryinfo;
 
if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
pr_info_ratelimited("unsupported CHECKSUM operation %x\n",
@@ -43,6 +48,21 @@ static int checksum_tg_check(const struct xt_tgchk_param 
*par)
if (!einfo->operation)
return -EINVAL;
 
+   switch (par->family) {
+   case NFPROTO_IPV4:
+   if (i4->proto == IPPROTO_UDP &&
+   (i4->invflags & XT_INV_PROTO) == 0)
+   return 0;
+   break;
+   case NFPROTO_IPV6:
+   if ((i6->flags & IP6T_F_PROTO) &&
+   i6->proto == IPPROTO_UDP &&
+   (i6->invflags & XT_INV_PROTO) == 0)
+   return 0;
+   break;
+   }
+
+   pr_warn_once("CHECKSUM should be avoided.  If really needed, restrict 
with \"-p udp\" and only use in OUTPUT\n");
return 0;
 }
 
-- 
2.17.1

[PATCH AUTOSEL 4.18 06/65] pinctrl: msm: Really mask level interrupts to prevent latching

[Sasha Levin]

From: Stephen Boyd 

[ Upstream commit b55326dc969ea2d704a008d9a97583b128f54f4f ]

The interrupt controller hardware in this pin controller has two status
enable bits. The first "normal" status enable bit enables or disables
the summary interrupt line being raised when a gpio interrupt triggers
and the "raw" status enable bit allows or prevents the hardware from
latching an interrupt into the status register for a gpio interrupt.
Currently we just toggle the "normal" status enable bit in the mask and
unmask ops so that the summary irq interrupt going to the CPU's
interrupt controller doesn't trigger for the masked gpio interrupt.

For a level triggered interrupt, the flow would be as follows: the pin
controller sees the interrupt, latches the status into the status
register, raises the summary irq to the CPU, summary irq handler runs
and calls handle_level_irq(), handle_level_irq() masks and acks the gpio
interrupt, the interrupt handler runs, and finally unmask the interrupt.
When the interrupt handler completes, we expect that the interrupt line
level will go back to the deasserted state so the genirq code can unmask
the interrupt without it triggering again.

If we only mask the interrupt by clearing the "normal" status enable bit
then we'll ack the interrupt but it will continue to show up as pending
in the status register because the raw status bit is enabled, the
hardware hasn't deasserted the line, and thus the asserted state latches
into the status register again. When the hardware deasserts the
interrupt the pin controller still thinks there is a pending unserviced
level interrupt because it latched it earlier. This behavior causes
software to see an extra interrupt for level type interrupts each time
the interrupt is handled.

Let's fix this by clearing the raw status enable bit for level type
interrupts so that the hardware stops latching the status of the
interrupt after we ack it. We don't do this for edge type interrupts
because it seems that toggling the raw status enable bit for edge type
interrupts causes spurious edge interrupts.

Signed-off-by: Stephen Boyd 
Reviewed-by: Douglas Anderson 
Reviewed-by: Bjorn Andersson 
Signed-off-by: Linus Walleij 
Signed-off-by: Sasha Levin 
---
 drivers/pinctrl/qcom/pinctrl-msm.c | 24 
 1 file changed, 24 insertions(+)

diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c 
b/drivers/pinctrl/qcom/pinctrl-msm.c
index 2155a30c282b..5d72ffad32c2 100644
--- a/drivers/pinctrl/qcom/pinctrl-msm.c
+++ b/drivers/pinctrl/qcom/pinctrl-msm.c
@@ -634,6 +634,29 @@ static void msm_gpio_irq_mask(struct irq_data *d)
raw_spin_lock_irqsave(&pctrl->lock, flags);
 
val = readl(pctrl->regs + g->intr_cfg_reg);
+   /*
+* There are two bits that control interrupt forwarding to the CPU. The
+* RAW_STATUS_EN bit causes the level or edge sensed on the line to be
+* latched into the interrupt status register when the hardware detects
+* an irq that it's configured for (either edge for edge type or level
+* for level type irq). The 'non-raw' status enable bit causes the
+* hardware to assert the summary interrupt to the CPU if the latched
+* status bit is set. There's a bug though, the edge detection logic
+* seems to have a problem where toggling the RAW_STATUS_EN bit may
+* cause the status bit to latch spuriously when there isn't any edge
+* so we can't touch that bit for edge type irqs and we have to keep
+* the bit set anyway so that edges are latched while the line is 
masked.
+*
+* To make matters more complicated, leaving the RAW_STATUS_EN bit
+* enabled all the time causes level interrupts to re-latch into the
+* status register because the level is still present on the line after
+* we ack it. We clear the raw status enable bit during mask here and
+* set the bit on unmask so the interrupt can't latch into the hardware
+* while it's masked.
+*/
+   if (irqd_get_trigger_type(d) & IRQ_TYPE_LEVEL_MASK)
+   val &= ~BIT(g->intr_raw_status_bit);
+
val &= ~BIT(g->intr_enable_bit);
writel(val, pctrl->regs + g->intr_cfg_reg);
 
@@ -655,6 +678,7 @@ static void msm_gpio_irq_unmask(struct irq_data *d)
raw_spin_lock_irqsave(&pctrl->lock, flags);
 
val = readl(pctrl->regs + g->intr_cfg_reg);
+   val |= BIT(g->intr_raw_status_bit);
val |= BIT(g->intr_enable_bit);
writel(val, pctrl->regs + g->intr_cfg_reg);
 
-- 
2.17.1

[PATCH AUTOSEL 4.18 12/65] perf evsel: Fix potential null pointer dereference in perf_evsel__new_idx()

[Sasha Levin]

From: Hisao Tanabe 

[ Upstream commit fd8d2702791a970c751f8b526a17d8e725a05b46 ]

If evsel is NULL, we should return NULL to avoid a NULL pointer
dereference a bit later in the code.

Signed-off-by: Hisao Tanabe 
Acked-by: Namhyung Kim 
Cc: Jiri Olsa 
Cc: Wang Nan 
Fixes: 03e0a7df3efd ("perf tools: Introduce bpf-output event")
LPU-Reference: 20180824154556.23428-1-xtan...@gmail.com
Link: https://lkml.kernel.org/n/tip-e5plzjhx6595a5yjaf22j...@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo 
Signed-off-by: Sasha Levin 
---
 tools/perf/util/evsel.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index 0d5504751cc5..6324afba8fdd 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -251,8 +251,9 @@ struct perf_evsel *perf_evsel__new_idx(struct 
perf_event_attr *attr, int idx)
 {
struct perf_evsel *evsel = zalloc(perf_evsel__object.size);
 
-   if (evsel != NULL)
-   perf_evsel__init(evsel, attr, idx);
+   if (!evsel)
+   return NULL;
+   perf_evsel__init(evsel, attr, idx);
 
if (perf_evsel__is_bpf_output(evsel)) {
evsel->attr.sample_type |= (PERF_SAMPLE_RAW | PERF_SAMPLE_TIME |
-- 
2.17.1

[PATCH AUTOSEL 4.18 05/65] usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i]

[Sasha Levin]

From: Anton Vasilyev 

[ Upstream commit c37bd52836296ecc9a0fc8060b819089aebdbcde ]

There is no deallocation of fotg210->ep[i] elements, allocated at
fotg210_udc_probe.

The patch adds deallocation of fotg210->ep array elements and simplifies
error path of fotg210_udc_probe().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev 
Signed-off-by: Felipe Balbi 
Signed-off-by: Sasha Levin 
---
 drivers/usb/gadget/udc/fotg210-udc.c | 15 ++-
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/gadget/udc/fotg210-udc.c 
b/drivers/usb/gadget/udc/fotg210-udc.c
index 53a48f561458..587c5037ff07 100644
--- a/drivers/usb/gadget/udc/fotg210-udc.c
+++ b/drivers/usb/gadget/udc/fotg210-udc.c
@@ -1063,12 +1063,15 @@ static const struct usb_gadget_ops fotg210_gadget_ops = 
{
 static int fotg210_udc_remove(struct platform_device *pdev)
 {
struct fotg210_udc *fotg210 = platform_get_drvdata(pdev);
+   int i;
 
usb_del_gadget_udc(&fotg210->gadget);
iounmap(fotg210->reg);
free_irq(platform_get_irq(pdev, 0), fotg210);
 
fotg210_ep_free_request(&fotg210->ep[0]->ep, fotg210->ep0_req);
+   for (i = 0; i < FOTG210_MAX_NUM_EP; i++)
+   kfree(fotg210->ep[i]);
kfree(fotg210);
 
return 0;
@@ -1099,7 +1102,7 @@ static int fotg210_udc_probe(struct platform_device *pdev)
/* initialize udc */
fotg210 = kzalloc(sizeof(struct fotg210_udc), GFP_KERNEL);
if (fotg210 == NULL)
-   goto err_alloc;
+   goto err;
 
for (i = 0; i < FOTG210_MAX_NUM_EP; i++) {
_ep[i] = kzalloc(sizeof(struct fotg210_ep), GFP_KERNEL);
@@ -,7 +1114,7 @@ static int fotg210_udc_probe(struct platform_device *pdev)
fotg210->reg = ioremap(res->start, resource_size(res));
if (fotg210->reg == NULL) {
pr_err("ioremap error.\n");
-   goto err_map;
+   goto err_alloc;
}
 
spin_lock_init(&fotg210->lock);
@@ -1159,7 +1162,7 @@ static int fotg210_udc_probe(struct platform_device *pdev)
fotg210->ep0_req = fotg210_ep_alloc_request(&fotg210->ep[0]->ep,
GFP_KERNEL);
if (fotg210->ep0_req == NULL)
-   goto err_req;
+   goto err_map;
 
fotg210_init(fotg210);
 
@@ -1187,12 +1190,14 @@ static int fotg210_udc_probe(struct platform_device 
*pdev)
fotg210_ep_free_request(&fotg210->ep[0]->ep, fotg210->ep0_req);
 
 err_map:
-   if (fotg210->reg)
-   iounmap(fotg210->reg);
+   iounmap(fotg210->reg);
 
 err_alloc:
+   for (i = 0; i < FOTG210_MAX_NUM_EP; i++)
+   kfree(fotg210->ep[i]);
kfree(fotg210);
 
+err:
return ret;
 }
 
-- 
2.17.1

[PATCH AUTOSEL 4.18 03/65] HID: intel-ish-hid: Enable Sunrise Point-H ish driver

[Sasha Levin]

From: Andreas Bosch 

[ Upstream commit e0ab8b26aa9661df0541a657e2b2416d90488809 ]

Added PCI ID for Sunrise Point-H ISH.

Signed-off-by: Andreas Bosch 
Acked-by: Srinivas Pandruvada 
Signed-off-by: Jiri Kosina 
Signed-off-by: Sasha Levin 
---
 drivers/hid/intel-ish-hid/ipc/hw-ish.h  | 1 +
 drivers/hid/intel-ish-hid/ipc/pci-ish.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/drivers/hid/intel-ish-hid/ipc/hw-ish.h 
b/drivers/hid/intel-ish-hid/ipc/hw-ish.h
index 97869b7410eb..da133716bed0 100644
--- a/drivers/hid/intel-ish-hid/ipc/hw-ish.h
+++ b/drivers/hid/intel-ish-hid/ipc/hw-ish.h
@@ -29,6 +29,7 @@
 #define CNL_Ax_DEVICE_ID   0x9DFC
 #define GLK_Ax_DEVICE_ID   0x31A2
 #define CNL_H_DEVICE_ID0xA37C
+#define SPT_H_DEVICE_ID0xA135
 
 #defineREVISION_ID_CHT_A0  0x6
 #defineREVISION_ID_CHT_Ax_SI   0x0
diff --git a/drivers/hid/intel-ish-hid/ipc/pci-ish.c 
b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
index a2c53ea3b5ed..c7b8eb32b1ea 100644
--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c
+++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
@@ -38,6 +38,7 @@ static const struct pci_device_id ish_pci_tbl[] = {
{PCI_DEVICE(PCI_VENDOR_ID_INTEL, CNL_Ax_DEVICE_ID)},
{PCI_DEVICE(PCI_VENDOR_ID_INTEL, GLK_Ax_DEVICE_ID)},
{PCI_DEVICE(PCI_VENDOR_ID_INTEL, CNL_H_DEVICE_ID)},
+   {PCI_DEVICE(PCI_VENDOR_ID_INTEL, SPT_H_DEVICE_ID)},
{0, }
 };
 MODULE_DEVICE_TABLE(pci, ish_pci_tbl);
-- 
2.17.1

[PATCH AUTOSEL 4.18 13/65] perf util: Fix bad memory access in trace info.

[Sasha Levin]

From: Chris Phlipot 

[ Upstream commit a72f64261359b7451f8478f2a2bf357b4e6c757f ]

In the write to the output_fd in the error condition of
record_saved_cmdline(), we are writing 8 bytes from a memory location on
the stack that contains a primitive that is only 4 bytes in size.
Change the primitive to 8 bytes in size to match the size of the write
in order to avoid reading unknown memory from the stack.

Signed-off-by: Chris Phlipot 
Cc: Namhyung Kim 
Cc: Peter Zijlstra 
Link: http://lkml.kernel.org/r/20180829061954.18871-1-cphlip...@gmail.com
Signed-off-by: Arnaldo Carvalho de Melo 
Signed-off-by: Sasha Levin 
---
 tools/perf/util/trace-event-info.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/util/trace-event-info.c 
b/tools/perf/util/trace-event-info.c
index c85d0d1a65ed..7b0ca7cbb7de 100644
--- a/tools/perf/util/trace-event-info.c
+++ b/tools/perf/util/trace-event-info.c
@@ -377,7 +377,7 @@ static int record_ftrace_printk(void)
 
 static int record_saved_cmdline(void)
 {
-   unsigned int size;
+   unsigned long long size;
char *path;
struct stat st;
int ret, err = 0;
-- 
2.17.1

[PATCH AUTOSEL 4.18 15/65] perf annotate: Fix parsing aarch64 branch instructions after objdump update

[Sasha Levin]

From: Kim Phillips 

[ Upstream commit 4e67b2a5df5d3f341776d12ee575e00ca3ef92de ]

Starting with binutils 2.28, aarch64 objdump adds comments to the
disassembly output to show the alternative names of a condition code
[1].

It is assumed that commas in objdump comments could occur in other
arches now or in the future, so this fix is arch-independent.

The fix could have been done with arm64 specific jump__parse and
jump__scnprintf functions, but the jump__scnprintf instruction would
have to have its comment character be a literal, since the scnprintf
functions cannot receive a struct arch easily.

This inconvenience also applies to the generic jump__scnprintf, which is
why we add a raw_comment pointer to struct ins_operands, so the __parse
function assigns it to be re-used by its corresponding __scnprintf
function.

Example differences in 'perf annotate --stdio2' output on an aarch64
perf.data file:

BEFORE: → b.cs   28133d1c   // b.hs, d7ecc47b
AFTER : ↓ b.cs   18c

BEFORE: → b.cc   28d8d9cc   // b.lo, b.ul, 
d727295b
AFTER : ↓ b.cc   31c

The branch target labels 18c and 31c also now appear in the output:

BEFORE:addx26, x29, #0x80
AFTER : 18c:   addx26, x29, #0x80

BEFORE:addx21, x21, #0x8
AFTER : 31c:   addx21, x21, #0x8

The Fixes: tag below is added so stable branches will get the update; it
doesn't necessarily mean that commit was broken at the time, rather it
didn't withstand the aarch64 objdump update.

Tested no difference in output for sample x86_64, power arch perf.data files.

[1] 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=bb7eff5206e4795ac79c177a80fe9f4630aaf730

Signed-off-by: Kim Phillips 
Tested-by: Arnaldo Carvalho de Melo 
Cc: Alexander Shishkin 
Cc: Anton Blanchard 
Cc: Christian Borntraeger 
Cc: Jiri Olsa 
Cc: Mark Rutland 
Cc: Namhyung Kim 
Cc: Peter Zijlstra 
Cc: Ravi Bangoria 
Cc: Robin Murphy 
Cc: Taeung Song 
Cc: linux-arm-ker...@lists.infradead.org
Fixes: b13bbeee5ee6 ("perf annotate: Fix branch instruction with multiple 
operands")
Link: http://lkml.kernel.org/r/20180827125340.a2f7e291901d17cea05da...@arm.com
Signed-off-by: Arnaldo Carvalho de Melo 
Signed-off-by: Sasha Levin 
---
 tools/perf/util/annotate.c | 22 +-
 tools/perf/util/annotate.h |  1 +
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
index 31a1e18c7bf2..3b05219c3ed7 100644
--- a/tools/perf/util/annotate.c
+++ b/tools/perf/util/annotate.c
@@ -281,7 +281,19 @@ bool ins__is_call(const struct ins *ins)
return ins->ops == &call_ops || ins->ops == &s390_call_ops;
 }
 
-static int jump__parse(struct arch *arch __maybe_unused, struct ins_operands 
*ops, struct map_symbol *ms)
+/*
+ * Prevents from matching commas in the comment section, e.g.:
+ * 28446e70:   b.cs284470f4 
  // b.hs, b.nlast
+ */
+static inline const char *validate_comma(const char *c, struct ins_operands 
*ops)
+{
+   if (ops->raw_comment && c > ops->raw_comment)
+   return NULL;
+
+   return c;
+}
+
+static int jump__parse(struct arch *arch, struct ins_operands *ops, struct 
map_symbol *ms)
 {
struct map *map = ms->map;
struct symbol *sym = ms->sym;
@@ -290,6 +302,10 @@ static int jump__parse(struct arch *arch __maybe_unused, 
struct ins_operands *op
};
const char *c = strchr(ops->raw, ',');
u64 start, end;
+
+   ops->raw_comment = strchr(ops->raw, arch->objdump.comment_char);
+   c = validate_comma(c, ops);
+
/*
 * Examples of lines to parse for the _cpp_lex_token@@Base
 * function:
@@ -309,6 +325,7 @@ static int jump__parse(struct arch *arch __maybe_unused, 
struct ins_operands *op
ops->target.addr = strtoull(c, NULL, 16);
if (!ops->target.addr) {
c = strchr(c, ',');
+   c = validate_comma(c, ops);
if (c++ != NULL)
ops->target.addr = strtoull(c, NULL, 16);
}
@@ -366,9 +383,12 @@ static int jump__scnprintf(struct ins *ins, char *bf, 
size_t size,
return scnprintf(bf, size, "%-6s %s", ins->name, 
ops->target.sym->name);
 
c = strchr(ops->raw, ',');
+   c = validate_comma(c, ops);
+
if (c != NULL) {
const char *c2 = strchr(c + 1, ',');
 
+   c2 = validate_comma(c2, ops);
/* check for 3-op insn */
if (c2 != NULL)
c = c2;
diff --git a/tools/perf/util/annotate.h b/tools/perf/util/annotate.h
index a4c0d91907e6..61e0c7fd5efd 100644
--- a/tools/perf/util/annotate.h
+++ b/tools/perf/util/annotate.h
@@ -21,6 +21,7 @@ struct ins {
 
 struct ins_operands {
char*raw;
+   char*raw_comment;
struct {
char*raw;
char*name;
-- 
2.17.1

[PATCH AUTOSEL 4.18 09/65] scsi: iscsi: target: Fix conn_ops double free

[Sasha Levin]

From: Mike Christie 

[ Upstream commit 05a86e78ea9823ec25b3515db078dd8a76fc263c ]

If iscsi_login_init_conn fails it can free conn_ops.
__iscsi_target_login_thread will then call iscsi_target_login_sess_out
which will also free it.

This fixes the problem by organizing conn allocation/setup into parts that
are needed through the life of the conn and parts that are only needed for
the login. The free functions then release what was allocated in the alloc
functions.

With this patch we have:

iscsit_alloc_conn/iscsit_free_conn - allocs/frees the conn we need for the
entire life of the conn.

iscsi_login_init_conn/iscsi_target_nego_release - allocs/frees the parts
of the conn that are only needed during login.

Signed-off-by: Mike Christie 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Sasha Levin 
---
 drivers/target/iscsi/iscsi_target.c   |   9 +-
 drivers/target/iscsi/iscsi_target_login.c | 141 --
 drivers/target/iscsi/iscsi_target_login.h |   2 +-
 3 files changed, 77 insertions(+), 75 deletions(-)

diff --git a/drivers/target/iscsi/iscsi_target.c 
b/drivers/target/iscsi/iscsi_target.c
index 8e223799347a..a4ecc9d77624 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -4211,22 +4211,15 @@ int iscsit_close_connection(
crypto_free_ahash(tfm);
}
 
-   free_cpumask_var(conn->conn_cpumask);
-
-   kfree(conn->conn_ops);
-   conn->conn_ops = NULL;
-
if (conn->sock)
sock_release(conn->sock);
 
if (conn->conn_transport->iscsit_free_conn)
conn->conn_transport->iscsit_free_conn(conn);
 
-   iscsit_put_transport(conn->conn_transport);
-
pr_debug("Moving to TARG_CONN_STATE_FREE.\n");
conn->conn_state = TARG_CONN_STATE_FREE;
-   kfree(conn);
+   iscsit_free_conn(conn);
 
spin_lock_bh(&sess->conn_lock);
atomic_dec(&sess->nconn);
diff --git a/drivers/target/iscsi/iscsi_target_login.c 
b/drivers/target/iscsi/iscsi_target_login.c
index c8bc99727e85..2fda5b0664fd 100644
--- a/drivers/target/iscsi/iscsi_target_login.c
+++ b/drivers/target/iscsi/iscsi_target_login.c
@@ -67,45 +67,10 @@ static struct iscsi_login *iscsi_login_init_conn(struct 
iscsi_conn *conn)
goto out_req_buf;
}
 
-   conn->conn_ops = kzalloc(sizeof(struct iscsi_conn_ops), GFP_KERNEL);
-   if (!conn->conn_ops) {
-   pr_err("Unable to allocate memory for"
-   " struct iscsi_conn_ops.\n");
-   goto out_rsp_buf;
-   }
-
-   init_waitqueue_head(&conn->queues_wq);
-   INIT_LIST_HEAD(&conn->conn_list);
-   INIT_LIST_HEAD(&conn->conn_cmd_list);
-   INIT_LIST_HEAD(&conn->immed_queue_list);
-   INIT_LIST_HEAD(&conn->response_queue_list);
-   init_completion(&conn->conn_post_wait_comp);
-   init_completion(&conn->conn_wait_comp);
-   init_completion(&conn->conn_wait_rcfr_comp);
-   init_completion(&conn->conn_waiting_on_uc_comp);
-   init_completion(&conn->conn_logout_comp);
-   init_completion(&conn->rx_half_close_comp);
-   init_completion(&conn->tx_half_close_comp);
-   init_completion(&conn->rx_login_comp);
-   spin_lock_init(&conn->cmd_lock);
-   spin_lock_init(&conn->conn_usage_lock);
-   spin_lock_init(&conn->immed_queue_lock);
-   spin_lock_init(&conn->nopin_timer_lock);
-   spin_lock_init(&conn->response_queue_lock);
-   spin_lock_init(&conn->state_lock);
-
-   if (!zalloc_cpumask_var(&conn->conn_cpumask, GFP_KERNEL)) {
-   pr_err("Unable to allocate conn->conn_cpumask\n");
-   goto out_conn_ops;
-   }
conn->conn_login = login;
 
return login;
 
-out_conn_ops:
-   kfree(conn->conn_ops);
-out_rsp_buf:
-   kfree(login->rsp_buf);
 out_req_buf:
kfree(login->req_buf);
 out_login:
@@ -1155,6 +1120,75 @@ iscsit_conn_set_transport(struct iscsi_conn *conn, 
struct iscsit_transport *t)
return 0;
 }
 
+static struct iscsi_conn *iscsit_alloc_conn(struct iscsi_np *np)
+{
+   struct iscsi_conn *conn;
+
+   conn = kzalloc(sizeof(struct iscsi_conn), GFP_KERNEL);
+   if (!conn) {
+   pr_err("Could not allocate memory for new connection\n");
+   return NULL;
+   }
+   pr_debug("Moving to TARG_CONN_STATE_FREE.\n");
+   conn->conn_state = TARG_CONN_STATE_FREE;
+
+   init_waitqueue_head(&conn->queues_wq);
+   INIT_LIST_HEAD(&conn->conn_list);
+   INIT_LIST_HEAD(&conn->conn_cmd_list);
+   INIT_LIST_HEAD(&conn->immed_queue_list);
+   INIT_LIST_HEAD(&conn->response_queue_list);
+   init_completion(&conn->conn_post_wait_comp);
+   init_completion(&conn->conn_wait_comp);
+   init_completion(&conn->conn_wait_rcfr_comp);
+   init_completion(&conn->conn_waiting_on_uc_comp);
+   init_completion(&conn->conn_logout_comp);
+   init_completion(&conn->rx_half_close_comp);
+   init

[PATCH AUTOSEL 4.18 08/65] scsi: iscsi: target: Set conn->sess to NULL when iscsi_login_set_conn_values fails

[Sasha Levin]

From: Vincent Pelletier 

[ Upstream commit 7915919bb94e12460c58e27c708472e6f85f6699 ]

Fixes a use-after-free reported by KASAN when later
iscsi_target_login_sess_out gets called and it tries to access
conn->sess->se_sess:

Disabling lock debugging due to kernel taint
iSCSI Login timeout on Network Portal [::]:3260
iSCSI Login negotiation failed.
==
BUG: KASAN: use-after-free in
iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
Read of size 8 at addr 880109d070c8 by task iscsi_np/980

CPU: 1 PID: 980 Comm: iscsi_np Tainted: G   O
4.17.8kasan.sess.connops+ #4
Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB,
BIOS 5.6.5 05/19/2014
Call Trace:
 dump_stack+0x71/0xac
 print_address_description+0x65/0x22e
 ? iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
 kasan_report.cold.6+0x241/0x2fd
 iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
 iscsi_target_login_thread+0x1086/0x1710 [iscsi_target_mod]
 ? __sched_text_start+0x8/0x8
 ? iscsi_target_login_sess_out+0x250/0x250 [iscsi_target_mod]
 ? __kthread_parkme+0xcc/0x100
 ? parse_args.cold.14+0xd3/0xd3
 ? iscsi_target_login_sess_out+0x250/0x250 [iscsi_target_mod]
 kthread+0x1a0/0x1c0
 ? kthread_bind+0x30/0x30
 ret_from_fork+0x35/0x40

Allocated by task 980:
 kasan_kmalloc+0xbf/0xe0
 kmem_cache_alloc_trace+0x112/0x210
 iscsi_target_login_thread+0x816/0x1710 [iscsi_target_mod]
 kthread+0x1a0/0x1c0
 ret_from_fork+0x35/0x40

Freed by task 980:
 __kasan_slab_free+0x125/0x170
 kfree+0x90/0x1d0
 iscsi_target_login_thread+0x1577/0x1710 [iscsi_target_mod]
 kthread+0x1a0/0x1c0
 ret_from_fork+0x35/0x40

The buggy address belongs to the object at 880109d06f00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 456 bytes inside of
 512-byte region [880109d06f00, 880109d07100)
The buggy address belongs to the page:
page:ea0004274180 count:1 mapcount:0 mapping:
index:0x0 compound_mapcount: 0
flags: 0x17fffc08100(slab|head)
raw: 017fffc08100   0001000c000c
raw: dead0100 dead0200 88011b002e00 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 880109d06f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 880109d07000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>880109d07080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ^
 880109d07100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 880109d07180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==

Signed-off-by: Vincent Pelletier 
[rebased against idr/ida changes and to handle ret review comments from Matthew]
Signed-off-by: Mike Christie 
Cc: Matthew Wilcox 
Reviewed-by: Matthew Wilcox 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Sasha Levin 
---
 drivers/target/iscsi/iscsi_target_login.c | 8 +++-
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/target/iscsi/iscsi_target_login.c 
b/drivers/target/iscsi/iscsi_target_login.c
index 68b3eb00a9d0..c8bc99727e85 100644
--- a/drivers/target/iscsi/iscsi_target_login.c
+++ b/drivers/target/iscsi/iscsi_target_login.c
@@ -310,11 +310,9 @@ static int iscsi_login_zero_tsih_s1(
return -ENOMEM;
}
 
-   ret = iscsi_login_set_conn_values(sess, conn, pdu->cid);
-   if (unlikely(ret)) {
-   kfree(sess);
-   return ret;
-   }
+   if (iscsi_login_set_conn_values(sess, conn, pdu->cid))
+   goto free_sess;
+
sess->init_task_tag = pdu->itt;
memcpy(&sess->isid, pdu->isid, 6);
sess->exp_cmd_sn= be32_to_cpu(pdu->cmdsn);
-- 
2.17.1

[PATCH AUTOSEL 4.18 14/65] perf probe powerpc: Ignore SyS symbols irrespective of endianness

[Sasha Levin]

From: Sandipan Das 

[ Upstream commit fa694160cca6dbba17c57dc7efec5f93feaf8795 ]

This makes sure that the SyS symbols are ignored for any powerpc system,
not just the big endian ones.

Reported-by: Naveen N. Rao 
Signed-off-by: Sandipan Das 
Reviewed-by: Kamalesh Babulal 
Acked-by: Naveen N. Rao 
Cc: Jiri Olsa 
Cc: Ravi Bangoria 
Fixes: fb6d59423115 ("perf probe ppc: Use the right prefix when ignoring SyS 
symbols on ppc")
Link: http://lkml.kernel.org/r/20180828090848.1914-1-sandi...@linux.ibm.com
Signed-off-by: Arnaldo Carvalho de Melo 
Signed-off-by: Sasha Levin 
---
 tools/perf/arch/powerpc/util/sym-handling.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tools/perf/arch/powerpc/util/sym-handling.c 
b/tools/perf/arch/powerpc/util/sym-handling.c
index 20e7d74d86cd..10a44e946f77 100644
--- a/tools/perf/arch/powerpc/util/sym-handling.c
+++ b/tools/perf/arch/powerpc/util/sym-handling.c
@@ -22,15 +22,16 @@ bool elf__needs_adjust_symbols(GElf_Ehdr ehdr)
 
 #endif
 
-#if !defined(_CALL_ELF) || _CALL_ELF != 2
 int arch__choose_best_symbol(struct symbol *syma,
 struct symbol *symb __maybe_unused)
 {
char *sym = syma->name;
 
+#if !defined(_CALL_ELF) || _CALL_ELF != 2
/* Skip over any initial dot */
if (*sym == '.')
sym++;
+#endif
 
/* Avoid "SyS" kernel syscall aliases */
if (strlen(sym) >= 3 && !strncmp(sym, "SyS", 3))
@@ -41,6 +42,7 @@ int arch__choose_best_symbol(struct symbol *syma,
return SYMBOL_A;
 }
 
+#if !defined(_CALL_ELF) || _CALL_ELF != 2
 /* Allow matching against dot variants */
 int arch__compare_symbol_names(const char *namea, const char *nameb)
 {
-- 
2.17.1

[PATCH AUTOSEL 4.18 17/65] netfilter: nf_tables: release chain in flushing set

[Sasha Levin]

From: Taehee Yoo 

[ Upstream commit 7acfda539c0b9636a58bfee56abfb3aeee806d96 ]

When element of verdict map is deleted, the delete routine should
release chain. however, flush element of verdict map routine doesn't
release chain.

test commands:
   %nft add table ip filter
   %nft add chain ip filter c1
   %nft add map ip filter map1 { type ipv4_addr : verdict \; }
   %nft add element ip filter map1 { 1 : jump c1 }
   %nft flush map ip filter map1
   %nft flush ruleset

splat looks like:
[ 4895.170899] kernel BUG at net/netfilter/nf_tables_api.c:1415!
[ 4895.178114] invalid opcode:  [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 4895.178880] CPU: 0 PID: 1670 Comm: nft Not tainted 4.18.0+ #55
[ 4895.178880] RIP: 0010:nf_tables_chain_destroy.isra.28+0x39/0x220 [nf_tables]
[ 4895.178880] Code: fc ff df 53 48 89 fb 48 83 c7 50 48 89 fa 48 c1 ea 03 0f 
b6 04 02 84 c0 74 09 3c 03 7f 05 e8 3e 4c 25 e1 8b 43 50 85 c0 74 02 <0f> 0b 48 
89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02
[ 4895.228342] RSP: 0018:88010b98f4c0 EFLAGS: 00010202
[ 4895.234841] RAX: 0001 RBX: 8801131c6968 RCX: 8801146585b0
[ 4895.234841] RDX: 110022638d37 RSI: 8801191a9348 RDI: 8801131c69b8
[ 4895.234841] RBP: 8801146585a8 R08: 11002323526a R09: 
[ 4895.234841] R10:  R11:  R12: dead0200
[ 4895.234841] R13: dead0100 R14: a3638af8 R15: dc00
[ 4895.234841] FS:  7f6d188e6700() GS:88011b60() 
knlGS:
[ 4895.234841] CS:  0010 DS:  ES:  CR0: 80050033
[ 4895.234841] CR2: 7ffe72b8df88 CR3: 00010e2d4000 CR4: 001006f0
[ 4895.234841] Call Trace:
[ 4895.234841]  nf_tables_commit+0x2704/0x2c70 [nf_tables]
[ 4895.234841]  ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink]
[ 4895.234841]  ? nf_tables_setelem_notify.constprop.48+0x1a0/0x1a0 [nf_tables]
[ 4895.323824]  ? __lock_is_held+0x9d/0x130
[ 4895.323824]  ? kasan_unpoison_shadow+0x30/0x40
[ 4895.333299]  ? kasan_kmalloc+0xa9/0xc0
[ 4895.333299]  ? kmem_cache_alloc_trace+0x2c0/0x310
[ 4895.333299]  ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink]
[ 4895.333299]  nfnetlink_rcv_batch+0xdb9/0x11b0 [nfnetlink]
[ 4895.333299]  ? debug_show_all_locks+0x290/0x290
[ 4895.333299]  ? nfnetlink_net_init+0x150/0x150 [nfnetlink]
[ 4895.333299]  ? sched_clock_cpu+0xe5/0x170
[ 4895.333299]  ? sched_clock_local+0xff/0x130
[ 4895.333299]  ? sched_clock_cpu+0xe5/0x170
[ 4895.333299]  ? find_held_lock+0x39/0x1b0
[ 4895.333299]  ? sched_clock_local+0xff/0x130
[ 4895.333299]  ? memset+0x1f/0x40
[ 4895.333299]  ? nla_parse+0x33/0x260
[ 4895.333299]  ? ns_capable_common+0x6e/0x110
[ 4895.333299]  nfnetlink_rcv+0x2c0/0x310 [nfnetlink]
[ ... ]

Fixes: 591054469b3e ("netfilter: nf_tables: revisit chain/object refcounting 
from elements")
Signed-off-by: Taehee Yoo 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Sasha Levin 
---
 net/netfilter/nf_tables_api.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f5745e4c6513..77d690a87144 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4582,6 +4582,7 @@ static int nft_flush_set(const struct nft_ctx *ctx,
}
set->ndeact++;
 
+   nft_set_elem_deactivate(ctx->net, set, elem);
nft_trans_elem_set(trans) = set;
nft_trans_elem(trans) = *elem;
list_add_tail(&trans->list, &ctx->net->nft.commit_list);
-- 
2.17.1

[PATCH AUTOSEL 4.18 22/65] HID: sensor-hub: Restore fixup for Lenovo ThinkPad Helix 2 sensor hub report

[Sasha Levin]

From: Hans de Goede 

[ Upstream commit ade573eb1e03d1ee5abcb3359b1259469ab6e8ed ]

Commit b0f847e16c1e ("HID: hid-sensor-hub: Force logical minimum to 1 for
power and report state") not only replaced the descriptor fixup done for
devices with the HID_SENSOR_HUB_ENUM_QUIRK with a generic fix, but also
accidentally removed the unrelated descriptor fixup for the Lenovo ThinkPad
Helix 2 sensor hub. This commit restores this fixup.

Restoring this fixup not only fixes the Lenovo ThinkPad Helix 2's sensors,
but also the Lenovo ThinkPad 8's sensors.

Fixes: b0f847e16c1e ("HID: hid-sensor-hub: Force logical minimum ...")
Cc: Srinivas Pandruvada 
Cc: Fernando D S Lima 
Acked-by: Srinivas Pandruvada 
Signed-off-by: Hans de Goede 
Signed-off-by: Jiri Kosina 
Signed-off-by: Sasha Levin 
---
 drivers/hid/hid-sensor-hub.c | 23 +++
 1 file changed, 23 insertions(+)

diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
index 50af72baa5ca..2b63487057c2 100644
--- a/drivers/hid/hid-sensor-hub.c
+++ b/drivers/hid/hid-sensor-hub.c
@@ -579,6 +579,28 @@ void sensor_hub_device_close(struct hid_sensor_hub_device 
*hsdev)
 }
 EXPORT_SYMBOL_GPL(sensor_hub_device_close);
 
+static __u8 *sensor_hub_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+   unsigned int *rsize)
+{
+   /*
+* Checks if the report descriptor of Thinkpad Helix 2 has a logical
+* minimum for magnetic flux axis greater than the maximum.
+*/
+   if (hdev->product == USB_DEVICE_ID_TEXAS_INSTRUMENTS_LENOVO_YOGA &&
+   *rsize == 2558 && rdesc[913] == 0x17 && rdesc[914] == 0x40 &&
+   rdesc[915] == 0x81 && rdesc[916] == 0x08 &&
+   rdesc[917] == 0x00 && rdesc[918] == 0x27 &&
+   rdesc[921] == 0x07 && rdesc[922] == 0x00) {
+   /* Sets negative logical minimum for mag x, y and z */
+   rdesc[914] = rdesc[935] = rdesc[956] = 0xc0;
+   rdesc[915] = rdesc[936] = rdesc[957] = 0x7e;
+   rdesc[916] = rdesc[937] = rdesc[958] = 0xf7;
+   rdesc[917] = rdesc[938] = rdesc[959] = 0xff;
+   }
+
+   return rdesc;
+}
+
 static int sensor_hub_probe(struct hid_device *hdev,
const struct hid_device_id *id)
 {
@@ -743,6 +765,7 @@ static struct hid_driver sensor_hub_driver = {
.probe = sensor_hub_probe,
.remove = sensor_hub_remove,
.raw_event = sensor_hub_raw_event,
+   .report_fixup = sensor_hub_report_fixup,
 #ifdef CONFIG_PM
.suspend = sensor_hub_suspend,
.resume = sensor_hub_resume,
-- 
2.17.1

[PATCH AUTOSEL 4.18 10/65] scsi: qedi: Add the CRC size within iSCSI NVM image

[Sasha Levin]

From: Nilesh Javali 

[ Upstream commit c77a2fa3ff8f73d1a485e67e6f81c64823739d59 ]

The QED driver commit, 1ac4329a1cff ("qed: Add configuration information
to register dump and debug data"), removes the CRC length validation
causing nvm_get_image failure while loading qedi driver:

[qed_mcp_get_nvm_image:2700(host_10-0)]Image [0] is too big - 6008 bytes
where only 6004 are available
[qedi_get_boot_info:2253]:10: Could not get NVM image. ret = -12

Hence add and adjust the CRC size to iSCSI NVM image to read boot info at
qedi load time.

Signed-off-by: Nilesh Javali 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Sasha Levin 
---
 drivers/scsi/qedi/qedi.h  |  7 ++-
 drivers/scsi/qedi/qedi_main.c | 28 +++-
 2 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/drivers/scsi/qedi/qedi.h b/drivers/scsi/qedi/qedi.h
index fc3babc15fa3..a6f96b35e971 100644
--- a/drivers/scsi/qedi/qedi.h
+++ b/drivers/scsi/qedi/qedi.h
@@ -77,6 +77,11 @@ enum qedi_nvm_tgts {
QEDI_NVM_TGT_SEC,
 };
 
+struct qedi_nvm_iscsi_image {
+   struct nvm_iscsi_cfg iscsi_cfg;
+   u32 crc;
+};
+
 struct qedi_uio_ctrl {
/* meta data */
u32 uio_hsi_version;
@@ -294,7 +299,7 @@ struct qedi_ctx {
void *bdq_pbl_list;
dma_addr_t bdq_pbl_list_dma;
u8 bdq_pbl_list_num_entries;
-   struct nvm_iscsi_cfg *iscsi_cfg;
+   struct qedi_nvm_iscsi_image *iscsi_image;
dma_addr_t nvm_buf_dma;
void __iomem *bdq_primary_prod;
void __iomem *bdq_secondary_prod;
diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c
index cff83b9457f7..3e18a68c2b03 100644
--- a/drivers/scsi/qedi/qedi_main.c
+++ b/drivers/scsi/qedi/qedi_main.c
@@ -1346,23 +1346,26 @@ static int qedi_setup_int(struct qedi_ctx *qedi)
 
 static void qedi_free_nvm_iscsi_cfg(struct qedi_ctx *qedi)
 {
-   if (qedi->iscsi_cfg)
+   if (qedi->iscsi_image)
dma_free_coherent(&qedi->pdev->dev,
- sizeof(struct nvm_iscsi_cfg),
- qedi->iscsi_cfg, qedi->nvm_buf_dma);
+ sizeof(struct qedi_nvm_iscsi_image),
+ qedi->iscsi_image, qedi->nvm_buf_dma);
 }
 
 static int qedi_alloc_nvm_iscsi_cfg(struct qedi_ctx *qedi)
 {
-   qedi->iscsi_cfg = dma_zalloc_coherent(&qedi->pdev->dev,
-sizeof(struct nvm_iscsi_cfg),
-&qedi->nvm_buf_dma, GFP_KERNEL);
-   if (!qedi->iscsi_cfg) {
+   struct qedi_nvm_iscsi_image nvm_image;
+
+   qedi->iscsi_image = dma_zalloc_coherent(&qedi->pdev->dev,
+   sizeof(nvm_image),
+   &qedi->nvm_buf_dma,
+   GFP_KERNEL);
+   if (!qedi->iscsi_image) {
QEDI_ERR(&qedi->dbg_ctx, "Could not allocate NVM BUF.\n");
return -ENOMEM;
}
QEDI_INFO(&qedi->dbg_ctx, QEDI_LOG_INFO,
- "NVM BUF addr=0x%p dma=0x%llx.\n", qedi->iscsi_cfg,
+ "NVM BUF addr=0x%p dma=0x%llx.\n", qedi->iscsi_image,
  qedi->nvm_buf_dma);
 
return 0;
@@ -1905,7 +1908,7 @@ qedi_get_nvram_block(struct qedi_ctx *qedi)
struct nvm_iscsi_block *block;
 
pf = qedi->dev_info.common.abs_pf_id;
-   block = &qedi->iscsi_cfg->block[0];
+   block = &qedi->iscsi_image->iscsi_cfg.block[0];
for (i = 0; i < NUM_OF_ISCSI_PF_SUPPORTED; i++, block++) {
flags = ((block->id) & NVM_ISCSI_CFG_BLK_CTRL_FLAG_MASK) >>
NVM_ISCSI_CFG_BLK_CTRL_FLAG_OFFSET;
@@ -2194,15 +2197,14 @@ static void qedi_boot_release(void *data)
 static int qedi_get_boot_info(struct qedi_ctx *qedi)
 {
int ret = 1;
-   u16 len;
-
-   len = sizeof(struct nvm_iscsi_cfg);
+   struct qedi_nvm_iscsi_image nvm_image;
 
QEDI_INFO(&qedi->dbg_ctx, QEDI_LOG_INFO,
  "Get NVM iSCSI CFG image\n");
ret = qedi_ops->common->nvm_get_image(qedi->cdev,
  QED_NVM_IMAGE_ISCSI_CFG,
- (char *)qedi->iscsi_cfg, len);
+ (char *)qedi->iscsi_image,
+ sizeof(nvm_image));
if (ret)
QEDI_ERR(&qedi->dbg_ctx,
 "Could not get NVM image. ret = %d\n", ret);
-- 
2.17.1

[PATCH AUTOSEL 4.18 16/65] netfilter: kconfig: nat related expression depend on nftables core

[Sasha Levin]

From: Florian Westphal 

[ Upstream commit e0758412208960be9de11e6d2350c81ffd88410f ]

NF_TABLES_IPV4 is now boolean so it is possible to set

NF_TABLES=m
NF_TABLES_IPV4=y
NFT_CHAIN_NAT_IPV4=y

which causes:
nft_chain_nat_ipv4.c:(.text+0x6d): undefined reference to `nft_do_chain'

Wrap NFT_CHAIN_NAT_IPV4 and related nat expressions with NF_TABLES to
restore the dependency.

Reported-by: Randy Dunlap 
Fixes: 02c7b25e5f54 ("netfilter: nf_tables: build-in filter chain type")
Signed-off-by: Florian Westphal 
Acked-by: Randy Dunlap 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Sasha Levin 
---
 net/ipv4/netfilter/Kconfig | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index bbfc356cb1b5..d7ecae5e93ea 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -122,6 +122,10 @@ config NF_NAT_IPV4
 
 if NF_NAT_IPV4
 
+config NF_NAT_MASQUERADE_IPV4
+   bool
+
+if NF_TABLES
 config NFT_CHAIN_NAT_IPV4
depends on NF_TABLES_IPV4
tristate "IPv4 nf_tables nat chain support"
@@ -131,9 +135,6 @@ config NFT_CHAIN_NAT_IPV4
  packet transformations such as the source, destination address and
  source and destination ports.
 
-config NF_NAT_MASQUERADE_IPV4
-   bool
-
 config NFT_MASQ_IPV4
tristate "IPv4 masquerading support for nf_tables"
depends on NF_TABLES_IPV4
@@ -151,6 +152,7 @@ config NFT_REDIR_IPV4
help
  This is the expression that provides IPv4 redirect support for
  nf_tables.
+endif # NF_TABLES
 
 config NF_NAT_SNMP_BASIC
tristate "Basic SNMP-ALG support"
-- 
2.17.1

[PATCH AUTOSEL 4.18 11/65] perf annotate: Properly interpret indirect call

[Sasha Levin]

From: Martin Liška 

[ Upstream commit 1dc27f63303db58ce1b1a6932d1825305f86d574 ]

The patch changes the parsing of:

callq  *0x8(%rbx)

from:

  0.26 │ → callq  *8

to:

  0.26 │ → callq  *0x8(%rbx)

in this case an address is followed by a register, thus one can't parse
only the address.

Committer testing:

1) run 'perf record sleep 10'
2) before applying the patch, run:

 perf annotate --stdio2 > /tmp/before

3) after applying the patch, run:

 perf annotate --stdio2 > /tmp/after

4) diff /tmp/before /tmp/after:
  --- /tmp/before 2018-08-28 11:16:03.238384143 -0300
  +++ /tmp/after  2018-08-28 11:15:39.335341042 -0300
  @@ -13274,7 +13274,7 @@
↓ jle128
  hash_value = hash_table->hash_func (key);
  mov0x8(%rsp),%rdi
  -  0.91   → callq  *30
  +  0.91   → callq  *0x30(%r12)
  mov$0x2,%r8d
  cmp$0x2,%eax
  node_hash = hash_table->hashes[node_index];
  @@ -13848,7 +13848,7 @@
   mov%r14,%rdi
   sub%rbx,%r13
   mov%r13,%rdx
  -  → callq  *38
  +  → callq  *0x38(%r15)
   cmp%rax,%r13
 1.91↓ je 240
1b4:   mov$0x,%r13d
  @@ -14026,7 +14026,7 @@
   mov%rcx,-0x500(%rbp)
   mov%r15,%rsi
   mov%r14,%rdi
  -  → callq  *38
  +  → callq  *0x38(%rax)
   mov-0x500(%rbp),%rcx
   cmp%rax,%rcx
 ↓ jne9b0


Signed-off-by: Martin Liška 
Tested-by: Arnaldo Carvalho de Melo 
Tested-by: Kim Phillips 
Cc: Jiri Olsa 
Link: http://lkml.kernel.org/r/bd1f3932-be2b-85f9-7582-111ee0a43...@suse.cz
Signed-off-by: Arnaldo Carvalho de Melo 
Signed-off-by: Sasha Levin 
---
 tools/perf/util/annotate.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
index f91775b4bc3c..31a1e18c7bf2 100644
--- a/tools/perf/util/annotate.c
+++ b/tools/perf/util/annotate.c
@@ -245,8 +245,14 @@ static int call__parse(struct arch *arch, struct 
ins_operands *ops, struct map_s
 
 indirect_call:
tok = strchr(endptr, '*');
-   if (tok != NULL)
-   ops->target.addr = strtoull(tok + 1, NULL, 16);
+   if (tok != NULL) {
+   endptr++;
+
+   /* Indirect call can use a non-rip register and offset: callq  
*0x8(%rbx).
+* Do not parse such instruction.  */
+   if (strstr(endptr, "(%r") == NULL)
+   ops->target.addr = strtoull(endptr, NULL, 16);
+   }
goto find_target;
 }
 
-- 
2.17.1

[PATCH AUTOSEL 4.18 27/65] net/mlx5: Consider PCI domain in search for next dev

[Sasha Levin]

From: Daniel Jurgens 

[ Upstream commit df7ddb2396cd162e64aaff9401be05e31e438961 ]

The PCI BDF is not unique. PCI domain must also be considered when
searching for the next physical device during lag setup. Example below:

mlx5_core :01:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0)
mlx5_core :01:00.1: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0)
mlx5_core 0001:01:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0)
mlx5_core 0001:01:00.1: MLX5E: StrdRq(1) RqSz(8) StrdSz(128) RxCqeCmprss(0)

Signed-off-by: Daniel Jurgens 
Reviewed-by: Aviv Heller 
Signed-off-by: Saeed Mahameed 
Signed-off-by: Sasha Levin 
---
 drivers/net/ethernet/mellanox/mlx5/core/dev.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/dev.c 
b/drivers/net/ethernet/mellanox/mlx5/core/dev.c
index 922811fb66e7..37ba7c78859d 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c
@@ -396,16 +396,17 @@ void mlx5_remove_dev_by_protocol(struct mlx5_core_dev 
*dev, int protocol)
}
 }
 
-static u16 mlx5_gen_pci_id(struct mlx5_core_dev *dev)
+static u32 mlx5_gen_pci_id(struct mlx5_core_dev *dev)
 {
-   return (u16)((dev->pdev->bus->number << 8) |
+   return (u32)((pci_domain_nr(dev->pdev->bus) << 16) |
+(dev->pdev->bus->number << 8) |
 PCI_SLOT(dev->pdev->devfn));
 }
 
 /* Must be called with intf_mutex held */
 struct mlx5_core_dev *mlx5_get_next_phys_dev(struct mlx5_core_dev *dev)
 {
-   u16 pci_id = mlx5_gen_pci_id(dev);
+   u32 pci_id = mlx5_gen_pci_id(dev);
struct mlx5_core_dev *res = NULL;
struct mlx5_core_dev *tmp_dev;
struct mlx5_priv *priv;
-- 
2.17.1

[PATCH AUTOSEL 4.18 21/65] riscv: Do not overwrite initrd_start and initrd_end

[Sasha Levin]

From: Guenter Roeck 

[ Upstream commit e866d3e84eb7c9588afb77604d417e8cc49fe216 ]

setup_initrd() overwrites initrd_start and initrd_end if __initramfs_size
is larger than 0, which is always true even if there is no embedded
initramfs. This prevents booting qemu with "-initrd" parameter.
Overwriting initrd_start and initrd_end is not necessary since
__initramfs_start and __initramfs_size are used directly in
populate_rootfs() to load the built-in initramfs, so just drop
that code.

Signed-off-by: Guenter Roeck 
Signed-off-by: Palmer Dabbelt 
Signed-off-by: Sasha Levin 
---
 arch/riscv/kernel/setup.c | 7 ---
 1 file changed, 7 deletions(-)

diff --git a/arch/riscv/kernel/setup.c b/arch/riscv/kernel/setup.c
index f0d2070866d4..0efa5b29d0a3 100644
--- a/arch/riscv/kernel/setup.c
+++ b/arch/riscv/kernel/setup.c
@@ -64,15 +64,8 @@ atomic_t hart_lottery;
 #ifdef CONFIG_BLK_DEV_INITRD
 static void __init setup_initrd(void)
 {
-   extern char __initramfs_start[];
-   extern unsigned long __initramfs_size;
unsigned long size;
 
-   if (__initramfs_size > 0) {
-   initrd_start = (unsigned long)(&__initramfs_start);
-   initrd_end = initrd_start + __initramfs_size;
-   }
-
if (initrd_start >= initrd_end) {
printk(KERN_INFO "initrd not found or empty");
goto disable;
-- 
2.17.1

[PATCH AUTOSEL 4.18 34/65] drm/nouveau/disp/gm200-: enforce identity-mapped SOR assignment for LVDS/eDP panels

[Sasha Levin]

From: Ben Skeggs 

[ Upstream commit 53b0cc46f27cfc2cadca609b503a7d92b5185a47 ]

Fixes eDP backlight issues on more recent laptops.

Signed-off-by: Ben Skeggs 
Signed-off-by: Sasha Levin 
---
 drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c | 14 ++
 drivers/gpu/drm/nouveau/nvkm/engine/disp/ior.h  |  1 +
 drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c | 15 ---
 drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h |  1 +
 4 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c 
b/drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c
index 32fa94a9773f..cbd33e87b799 100644
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c
@@ -275,6 +275,7 @@ nvkm_disp_oneinit(struct nvkm_engine *engine)
struct nvkm_outp *outp, *outt, *pair;
struct nvkm_conn *conn;
struct nvkm_head *head;
+   struct nvkm_ior *ior;
struct nvbios_connE connE;
struct dcb_output dcbE;
u8  hpd = 0, ver, hdr;
@@ -399,6 +400,19 @@ nvkm_disp_oneinit(struct nvkm_engine *engine)
return ret;
}
 
+   /* Enforce identity-mapped SOR assignment for panels, which have
+* certain bits (ie. backlight controls) wired to a specific SOR.
+*/
+   list_for_each_entry(outp, &disp->outp, head) {
+   if (outp->conn->info.type == DCB_CONNECTOR_LVDS ||
+   outp->conn->info.type == DCB_CONNECTOR_eDP) {
+   ior = nvkm_ior_find(disp, SOR, ffs(outp->info.or) - 1);
+   if (!WARN_ON(!ior))
+   ior->identity = true;
+   outp->identity = true;
+   }
+   }
+
i = 0;
list_for_each_entry(head, &disp->head, head)
i = max(i, head->id + 1);
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/ior.h 
b/drivers/gpu/drm/nouveau/nvkm/engine/disp/ior.h
index e0b4e0c5704e..19911211a12a 100644
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/ior.h
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/ior.h
@@ -16,6 +16,7 @@ struct nvkm_ior {
char name[8];
 
struct list_head head;
+   bool identity;
 
struct nvkm_ior_state {
struct nvkm_outp *outp;
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c 
b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c
index bbba77ff9385..44df835e5473 100644
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.c
@@ -129,17 +129,26 @@ nvkm_outp_acquire(struct nvkm_outp *outp, u8 user)
if (proto == UNKNOWN)
return -ENOSYS;
 
+   /* Deal with panels requiring identity-mapped SOR assignment. */
+   if (outp->identity) {
+   ior = nvkm_ior_find(outp->disp, SOR, ffs(outp->info.or) - 1);
+   if (WARN_ON(!ior))
+   return -ENOSPC;
+   return nvkm_outp_acquire_ior(outp, user, ior);
+   }
+
/* First preference is to reuse the OR that is currently armed
 * on HW, if any, in order to prevent unnecessary switching.
 */
list_for_each_entry(ior, &outp->disp->ior, head) {
-   if (!ior->asy.outp && ior->arm.outp == outp)
+   if (!ior->identity && !ior->asy.outp && ior->arm.outp == outp)
return nvkm_outp_acquire_ior(outp, user, ior);
}
 
/* Failing that, a completely unused OR is the next best thing. */
list_for_each_entry(ior, &outp->disp->ior, head) {
-   if (!ior->asy.outp && ior->type == type && !ior->arm.outp &&
+   if (!ior->identity &&
+   !ior->asy.outp && ior->type == type && !ior->arm.outp &&
(ior->func->route.set || ior->id == __ffs(outp->info.or)))
return nvkm_outp_acquire_ior(outp, user, ior);
}
@@ -148,7 +157,7 @@ nvkm_outp_acquire(struct nvkm_outp *outp, u8 user)
 * but will be released during the next modeset.
 */
list_for_each_entry(ior, &outp->disp->ior, head) {
-   if (!ior->asy.outp && ior->type == type &&
+   if (!ior->identity && !ior->asy.outp && ior->type == type &&
(ior->func->route.set || ior->id == __ffs(outp->info.or)))
return nvkm_outp_acquire_ior(outp, user, ior);
}
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h 
b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h
index 97196f802924..3f932fb39c94 100644
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/outp.h
@@ -17,6 +17,7 @@ struct nvkm_outp {
 
struct list_head head;
struct nvkm_conn *conn;
+   bool identity;
 
/* Assembly state. */
 #define NVKM_OUTP_PRIV 1
-- 
2.17.1

[PATCH AUTOSEL 4.18 31/65] drm/nouveau/mmu: don't attempt to dereference vmm without valid instance pointer

[Sasha Levin]

From: Ben Skeggs 

[ Upstream commit 51ed833c881b9d96557c773f6a37018d79e29a46 ]

Fixes oopses in certain failure paths.

Signed-off-by: Ben Skeggs 
Signed-off-by: Sasha Levin 
---
 drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c 
b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
index de269eb482dd..7459def78d50 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
@@ -1423,7 +1423,7 @@ nvkm_vmm_get(struct nvkm_vmm *vmm, u8 page, u64 size, 
struct nvkm_vma **pvma)
 void
 nvkm_vmm_part(struct nvkm_vmm *vmm, struct nvkm_memory *inst)
 {
-   if (vmm->func->part && inst) {
+   if (inst && vmm->func->part) {
mutex_lock(&vmm->mutex);
vmm->func->part(vmm, inst);
mutex_unlock(&vmm->mutex);
-- 
2.17.1

[PATCH AUTOSEL 4.18 23/65] usb: host: xhci-plat: Iterate over parent nodes for finding quirks

[Sasha Levin]

From: Anurag Kumar Vulisha 

[ Upstream commit 222471f7640d9771a993218d825d84825adc805d ]

In xhci_plat_probe() both sysdev and pdev->dev are being used
for finding quirks. There are some drivers(like dwc3 host.c)
which adds quirks(like usb3-lpm-capable) into pdev and the logic
present in xhci_plat_probe() checks for quirks in either sysdev
or pdev for finding the quirks. Because of this logic, some of
the quirks are getting missed(usb3-lpm-capable quirk added by dwc3
host.c driver is getting missed).This patch fixes this by iterating
over all the available parents for finding the quirks. In this way
all the quirks which are present in child or parent are correctly
updated.

Signed-off-by: Anurag Kumar Vulisha 
Signed-off-by: Mathias Nyman 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/usb/host/xhci-plat.c | 27 ---
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
index c1b22fc64e38..b5a14caa9297 100644
--- a/drivers/usb/host/xhci-plat.c
+++ b/drivers/usb/host/xhci-plat.c
@@ -152,7 +152,7 @@ static int xhci_plat_probe(struct platform_device *pdev)
 {
const struct xhci_plat_priv *priv_match;
const struct hc_driver  *driver;
-   struct device   *sysdev;
+   struct device   *sysdev, *tmpdev;
struct xhci_hcd *xhci;
struct resource *res;
struct usb_hcd  *hcd;
@@ -272,19 +272,24 @@ static int xhci_plat_probe(struct platform_device *pdev)
goto disable_clk;
}
 
-   if (device_property_read_bool(sysdev, "usb2-lpm-disable"))
-   xhci->quirks |= XHCI_HW_LPM_DISABLE;
+   /* imod_interval is the interrupt moderation value in nanoseconds. */
+   xhci->imod_interval = 4;
 
-   if (device_property_read_bool(sysdev, "usb3-lpm-capable"))
-   xhci->quirks |= XHCI_LPM_SUPPORT;
+   /* Iterate over all parent nodes for finding quirks */
+   for (tmpdev = &pdev->dev; tmpdev; tmpdev = tmpdev->parent) {
 
-   if (device_property_read_bool(&pdev->dev, "quirk-broken-port-ped"))
-   xhci->quirks |= XHCI_BROKEN_PORT_PED;
+   if (device_property_read_bool(tmpdev, "usb2-lpm-disable"))
+   xhci->quirks |= XHCI_HW_LPM_DISABLE;
 
-   /* imod_interval is the interrupt moderation value in nanoseconds. */
-   xhci->imod_interval = 4;
-   device_property_read_u32(sysdev, "imod-interval-ns",
-&xhci->imod_interval);
+   if (device_property_read_bool(tmpdev, "usb3-lpm-capable"))
+   xhci->quirks |= XHCI_LPM_SUPPORT;
+
+   if (device_property_read_bool(tmpdev, "quirk-broken-port-ped"))
+   xhci->quirks |= XHCI_BROKEN_PORT_PED;
+
+   device_property_read_u32(tmpdev, "imod-interval-ns",
+&xhci->imod_interval);
+   }
 
hcd->usb_phy = devm_usb_get_phy_by_phandle(sysdev, "usb-phy", 0);
if (IS_ERR(hcd->usb_phy)) {
-- 
2.17.1

[PATCH AUTOSEL 4.18 30/65] drm/nouveau: fix oops in client init failure path

[Sasha Levin]

From: Ben Skeggs 

[ Upstream commit a43b16dda2d7485f5c5aed075c1dc9785e339515 ]

The NV_ERROR macro requires drm->client to be initialised, which it may not
be at this stage of the init process.

Signed-off-by: Ben Skeggs 
Signed-off-by: Sasha Levin 
---
 drivers/gpu/drm/nouveau/nouveau_drm.c | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c 
b/drivers/gpu/drm/nouveau/nouveau_drm.c
index c2ebe5da34d0..89225adaa60a 100644
--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
+++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
@@ -230,7 +230,7 @@ nouveau_cli_init(struct nouveau_drm *drm, const char *sname,
mutex_unlock(&drm->master.lock);
}
if (ret) {
-   NV_ERROR(drm, "Client allocation failed: %d\n", ret);
+   NV_PRINTK(err, cli, "Client allocation failed: %d\n", ret);
goto done;
}
 
@@ -240,37 +240,37 @@ nouveau_cli_init(struct nouveau_drm *drm, const char 
*sname,
   }, sizeof(struct nv_device_v0),
   &cli->device);
if (ret) {
-   NV_ERROR(drm, "Device allocation failed: %d\n", ret);
+   NV_PRINTK(err, cli, "Device allocation failed: %d\n", ret);
goto done;
}
 
ret = nvif_mclass(&cli->device.object, mmus);
if (ret < 0) {
-   NV_ERROR(drm, "No supported MMU class\n");
+   NV_PRINTK(err, cli, "No supported MMU class\n");
goto done;
}
 
ret = nvif_mmu_init(&cli->device.object, mmus[ret].oclass, &cli->mmu);
if (ret) {
-   NV_ERROR(drm, "MMU allocation failed: %d\n", ret);
+   NV_PRINTK(err, cli, "MMU allocation failed: %d\n", ret);
goto done;
}
 
ret = nvif_mclass(&cli->mmu.object, vmms);
if (ret < 0) {
-   NV_ERROR(drm, "No supported VMM class\n");
+   NV_PRINTK(err, cli, "No supported VMM class\n");
goto done;
}
 
ret = nouveau_vmm_init(cli, vmms[ret].oclass, &cli->vmm);
if (ret) {
-   NV_ERROR(drm, "VMM allocation failed: %d\n", ret);
+   NV_PRINTK(err, cli, "VMM allocation failed: %d\n", ret);
goto done;
}
 
ret = nvif_mclass(&cli->mmu.object, mems);
if (ret < 0) {
-   NV_ERROR(drm, "No supported MEM class\n");
+   NV_PRINTK(err, cli, "No supported MEM class\n");
goto done;
}
 
-- 
2.17.1