ov5642 parallel camera #1

rohanbhargava11 · 2014-09-30T13:56:15Z

Hi,

I am trying to get a ov5642 parallel camera working. I have changed the imx6qdl-var-som.dtsi to include &i2c3 {
clock-frequency = <100000>;
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_i2c3_3>;
status = "okay";

ov5642: ov5642@3c {
    compatible = "ovti,ov5642";
    reg = <0x3c>;
    clocks = <&clks 200>;
    clock-names = "csi_mclk";

//// DOVDD-supply = <&vgen4_reg>; /* 1.8v /
//// AVDD-supply = <&vgen3_reg>; / 2.8v, rev C board is VGEN3 rev B board //is VGEN5 /
//// DVDD-supply = <&vgen2_reg>; / 1.5v*/
pwn-gpios = <&gpio5 20 1>;
rst-gpios = <&gpio5 14 0>;
csi_id = <1>;
mclk = <24000000>;
mclk_source = <0>;
};

};

When I load the driver I get an error ov5642 setup pinctrl failed!. What is the right configuration for ov5642 parallel camera.

I build the dtsi by this command make -j8 ARCH=arm CROSS_COMPILE=arm-fsl-linux-gnueabi- uImage LOADADDR=0x10008000 imx6q-var-som.dtb

The text was updated successfully, but these errors were encountered:

varigit · 2014-09-30T14:10:53Z

Hi Rohan
Please send support question to support@variscite.com.
We will get back to you on this..

Ron

On 30 בספט 2014, at 15:56, Rohan Bhargava notifications@github.com wrote:

Hi,

I am trying to get a ov5642 parallel camera working. I have changed the imx6qdl-var-som.dtsi to include &i2c3 {
clock-frequency = ;
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_i2c3_3>;
status = "okay";

ov5642: ov5642@3c {
compatible = "ovti,ov5642";
reg = <0x3c>;
clocks = <&clks 200>;
clock-names = "csi_mclk";
//// DOVDD-supply = <&vgen4_reg>; /* 1.8v /
//// AVDD-supply = <&vgen3_reg>; / 2.8v, rev C board is VGEN3 rev B board //is VGEN5 /
//// DVDD-supply = <&vgen2_reg>; / 1.5v*/
pwn-gpios = <&gpio5 20 1>;
rst-gpios = <&gpio5 14 0>;
csi_id = ;
mclk = ;
mclk_source = ;
};

};

When I load the driver I get an error ov5642 setup pinctrl failed!. What is the right configuration for ov5642 parallel camera.

I build the dtsi by this command make -j8 ARCH=arm CROSS_COMPILE=arm-fsl-linux-gnueabi- uImage LOADADDR=0x10008000 imx6q-var-som.dtb

—
Reply to this email directly or view it on GitHub.

rohanbhargava11 · 2014-09-30T14:14:16Z

Hi Ron,

I have already sent an email. I have been getting help from Or Sade. I just thought it would be nice to document the issue here to help other users.

varigit · 2014-09-30T14:16:14Z

We never used this. It create a cross channel.
I appricate if you can use the support channel.
On Sep 30, 2014 4:14 PM, "Rohan Bhargava" notifications@github.com wrote:

Hi Ron,

I have already sent an email. I have been getting help from Or Sade. I
just thought it would be nice to document the issue here to help other
users.

—
Reply to this email directly or view it on GitHub
#1 (comment).

[ Upstream commit e18503f ] IPv4 mapped addresses cause kernel panic. The patch juste check whether the IPv6 address is an IPv4 mapped address. If so, use IPv4 API instead of IPv6. [ 940.026915] general protection fault: 0000 [#1] [ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse [ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1 [ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000 [ 940.026915] RIP: 0010:[<ffffffff81333780>] [<ffffffff81333780>] ip6_xmit+0x276/0x326 [ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286 [ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000 [ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40 [ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90 [ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0 [ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580 [ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000 [ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0 [ 940.026915] Stack: [ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020 [ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800 [ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020 [ 940.026915] Call Trace: [ 940.026915] [<ffffffff81356cc3>] ? inet6_csk_xmit+0xa4/0xc4 [ 940.026915] [<ffffffffa0038535>] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core] [ 940.026915] [<ffffffff812b8d3b>] ? pskb_expand_head+0x161/0x214 [ 940.026915] [<ffffffffa003e91d>] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp] [ 940.026915] [<ffffffffa00292e0>] ? ppp_channel_push+0x36/0x8b [ppp_generic] [ 940.026915] [<ffffffffa00293fe>] ? ppp_write+0xaf/0xc5 [ppp_generic] [ 940.026915] [<ffffffff8110ead4>] ? vfs_write+0xa2/0x106 [ 940.026915] [<ffffffff8110edd6>] ? SyS_write+0x56/0x8a [ 940.026915] [<ffffffff81378ac0>] ? system_call_fastpath+0x16/0x1b [ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49 8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02 00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51 [ 940.026915] RIP [<ffffffff81333780>] ip6_xmit+0x276/0x326 [ 940.026915] RSP <ffff88000737fd28> [ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]--- [ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt Signed-off-by: François CACHEREUL <f.cachereul@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 455cc32 ] François Cachereul made a very nice bug report and suspected the bh_lock_sock() / bh_unlok_sock() pair used in l2tp_xmit_skb() from process context was not good. This problem was added by commit 6af88da ("l2tp: Fix locking in l2tp_core.c"). l2tp_eth_dev_xmit() runs from BH context, so we must disable BH from other l2tp_xmit_skb() users. [ 452.060011] BUG: soft lockup - CPU#1 stuck for 23s! [accel-pppd:6662] [ 452.061757] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppoe pppox ppp_generic slhc ipv6 ext3 mbcache jbd virtio_balloon xfs exportfs dm_mod virtio_blk ata_generic virtio_net floppy ata_piix libata virtio_pci virtio_ring virtio [last unloaded: scsi_wait_scan] [ 452.064012] CPU 1 [ 452.080015] BUG: soft lockup - CPU#2 stuck for 23s! [accel-pppd:6643] [ 452.080015] CPU 2 [ 452.080015] [ 452.080015] Pid: 6643, comm: accel-pppd Not tainted 3.2.46.mini #1 Bochs Bochs [ 452.080015] RIP: 0010:[<ffffffff81059f6c>] [<ffffffff81059f6c>] do_raw_spin_lock+0x17/0x1f [ 452.080015] RSP: 0018:ffff88007125fc18 EFLAGS: 00000293 [ 452.080015] RAX: 000000000000aba9 RBX: ffffffff811d0703 RCX: 0000000000000000 [ 452.080015] RDX: 00000000000000ab RSI: ffff8800711f6896 RDI: ffff8800745c8110 [ 452.080015] RBP: ffff88007125fc18 R08: 0000000000000020 R09: 0000000000000000 [ 452.080015] R10: 0000000000000000 R11: 0000000000000280 R12: 0000000000000286 [ 452.080015] R13: 0000000000000020 R14: 0000000000000240 R15: 0000000000000000 [ 452.080015] FS: 00007fdc0cc24700(0000) GS:ffff8800b6f00000(0000) knlGS:0000000000000000 [ 452.080015] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 452.080015] CR2: 00007fdb054899b8 CR3: 0000000074404000 CR4: 00000000000006a0 [ 452.080015] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 452.080015] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 452.080015] Process accel-pppd (pid: 6643, threadinfo ffff88007125e000, task ffff8800b27e6dd0) [ 452.080015] Stack: [ 452.080015] ffff88007125fc28 ffffffff81256559 ffff88007125fc98 ffffffffa01b2bd1 [ 452.080015] ffff88007125fc58 000000000000000c 00000000029490d0 0000009c71dbe25e [ 452.080015] 000000000000005c 000000080000000e 0000000000000000 ffff880071170600 [ 452.080015] Call Trace: [ 452.080015] [<ffffffff81256559>] _raw_spin_lock+0xe/0x10 [ 452.080015] [<ffffffffa01b2bd1>] l2tp_xmit_skb+0x189/0x4ac [l2tp_core] [ 452.080015] [<ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] [ 452.080015] [<ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24 [ 452.080015] [<ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6 [ 452.080015] [<ffffffff81254e88>] ? __schedule+0x5c1/0x616 [ 452.080015] [<ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c [ 452.080015] [<ffffffff810bbd21>] ? fget_light+0x75/0x89 [ 452.080015] [<ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56 [ 452.080015] [<ffffffff811c9b34>] sys_sendto+0x10c/0x13b [ 452.080015] [<ffffffff8125cac2>] system_call_fastpath+0x16/0x1b [ 452.080015] Code: 81 48 89 e5 72 0c 31 c0 48 81 ff 45 66 25 81 0f 92 c0 5d c3 55 b8 00 01 00 00 48 89 e5 f0 66 0f c1 07 0f b6 d4 38 d0 74 06 f3 90 <8a> 07 eb f6 5d c3 90 90 55 48 89 e5 9c 58 0f 1f 44 00 00 5d c3 [ 452.080015] Call Trace: [ 452.080015] [<ffffffff81256559>] _raw_spin_lock+0xe/0x10 [ 452.080015] [<ffffffffa01b2bd1>] l2tp_xmit_skb+0x189/0x4ac [l2tp_core] [ 452.080015] [<ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] [ 452.080015] [<ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24 [ 452.080015] [<ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6 [ 452.080015] [<ffffffff81254e88>] ? __schedule+0x5c1/0x616 [ 452.080015] [<ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c [ 452.080015] [<ffffffff810bbd21>] ? fget_light+0x75/0x89 [ 452.080015] [<ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56 [ 452.080015] [<ffffffff811c9b34>] sys_sendto+0x10c/0x13b [ 452.080015] [<ffffffff8125cac2>] system_call_fastpath+0x16/0x1b [ 452.064012] [ 452.064012] Pid: 6662, comm: accel-pppd Not tainted 3.2.46.mini #1 Bochs Bochs [ 452.064012] RIP: 0010:[<ffffffff81059f6e>] [<ffffffff81059f6e>] do_raw_spin_lock+0x19/0x1f [ 452.064012] RSP: 0018:ffff8800b6e83ba0 EFLAGS: 00000297 [ 452.064012] RAX: 000000000000aaa9 RBX: ffff8800b6e83b40 RCX: 0000000000000002 [ 452.064012] RDX: 00000000000000aa RSI: 000000000000000a RDI: ffff8800745c8110 [ 452.064012] RBP: ffff8800b6e83ba0 R08: 000000000000c802 R09: 000000000000001c [ 452.064012] R10: ffff880071096c4e R11: 0000000000000006 R12: ffff8800b6e83b18 [ 452.064012] R13: ffffffff8125d51e R14: ffff8800b6e83ba0 R15: ffff880072a589c0 [ 452.064012] FS: 00007fdc0b81e700(0000) GS:ffff8800b6e80000(0000) knlGS:0000000000000000 [ 452.064012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 452.064012] CR2: 0000000000625208 CR3: 0000000074404000 CR4: 00000000000006a0 [ 452.064012] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 452.064012] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 452.064012] Process accel-pppd (pid: 6662, threadinfo ffff88007129a000, task ffff8800744f7410) [ 452.064012] Stack: [ 452.064012] ffff8800b6e83bb0 ffffffff81256559 ffff8800b6e83bc0 ffffffff8121c64a [ 452.064012] ffff8800b6e83bf0 ffffffff8121ec7a ffff880072a589c0 ffff880071096c62 [ 452.064012] 0000000000000011 ffffffff81430024 ffff8800b6e83c80 ffffffff8121f276 [ 452.064012] Call Trace: [ 452.064012] <IRQ> [ 452.064012] [<ffffffff81256559>] _raw_spin_lock+0xe/0x10 [ 452.064012] [<ffffffff8121c64a>] spin_lock+0x9/0xb [ 452.064012] [<ffffffff8121ec7a>] udp_queue_rcv_skb+0x186/0x269 [ 452.064012] [<ffffffff8121f276>] __udp4_lib_rcv+0x297/0x4ae [ 452.064012] [<ffffffff8121c178>] ? raw_rcv+0xe9/0xf0 [ 452.064012] [<ffffffff8121f4a7>] udp_rcv+0x1a/0x1c [ 452.064012] [<ffffffff811fe385>] ip_local_deliver_finish+0x12b/0x1a5 [ 452.064012] [<ffffffff811fe54e>] ip_local_deliver+0x53/0x84 [ 452.064012] [<ffffffff811fe1d0>] ip_rcv_finish+0x2bc/0x2f3 [ 452.064012] [<ffffffff811fe78f>] ip_rcv+0x210/0x269 [ 452.064012] [<ffffffff8101911e>] ? kvm_clock_get_cycles+0x9/0xb [ 452.064012] [<ffffffff811d88cd>] __netif_receive_skb+0x3a5/0x3f7 [ 452.064012] [<ffffffff811d8eba>] netif_receive_skb+0x57/0x5e [ 452.064012] [<ffffffff811cf30f>] ? __netdev_alloc_skb+0x1f/0x3b [ 452.064012] [<ffffffffa0049126>] virtnet_poll+0x4ba/0x5a4 [virtio_net] [ 452.064012] [<ffffffff811d9417>] net_rx_action+0x73/0x184 [ 452.064012] [<ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] [ 452.064012] [<ffffffff810343b9>] __do_softirq+0xc3/0x1a8 [ 452.064012] [<ffffffff81013b56>] ? ack_APIC_irq+0x10/0x12 [ 452.064012] [<ffffffff81256559>] ? _raw_spin_lock+0xe/0x10 [ 452.064012] [<ffffffff8125e0ac>] call_softirq+0x1c/0x26 [ 452.064012] [<ffffffff81003587>] do_softirq+0x45/0x82 [ 452.064012] [<ffffffff81034667>] irq_exit+0x42/0x9c [ 452.064012] [<ffffffff8125e146>] do_IRQ+0x8e/0xa5 [ 452.064012] [<ffffffff8125676e>] common_interrupt+0x6e/0x6e [ 452.064012] <EOI> [ 452.064012] [<ffffffff810b82a1>] ? kfree+0x8a/0xa3 [ 452.064012] [<ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] [ 452.064012] [<ffffffffa01b2c25>] ? l2tp_xmit_skb+0x1dd/0x4ac [l2tp_core] [ 452.064012] [<ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] [ 452.064012] [<ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24 [ 452.064012] [<ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6 [ 452.064012] [<ffffffff81254e88>] ? __schedule+0x5c1/0x616 [ 452.064012] [<ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c [ 452.064012] [<ffffffff810bbd21>] ? fget_light+0x75/0x89 [ 452.064012] [<ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56 [ 452.064012] [<ffffffff811c9b34>] sys_sendto+0x10c/0x13b [ 452.064012] [<ffffffff8125cac2>] system_call_fastpath+0x16/0x1b [ 452.064012] Code: 89 e5 72 0c 31 c0 48 81 ff 45 66 25 81 0f 92 c0 5d c3 55 b8 00 01 00 00 48 89 e5 f0 66 0f c1 07 0f b6 d4 38 d0 74 06 f3 90 8a 07 <eb> f6 5d c3 90 90 55 48 89 e5 9c 58 0f 1f 44 00 00 5d c3 55 48 [ 452.064012] Call Trace: [ 452.064012] <IRQ> [<ffffffff81256559>] _raw_spin_lock+0xe/0x10 [ 452.064012] [<ffffffff8121c64a>] spin_lock+0x9/0xb [ 452.064012] [<ffffffff8121ec7a>] udp_queue_rcv_skb+0x186/0x269 [ 452.064012] [<ffffffff8121f276>] __udp4_lib_rcv+0x297/0x4ae [ 452.064012] [<ffffffff8121c178>] ? raw_rcv+0xe9/0xf0 [ 452.064012] [<ffffffff8121f4a7>] udp_rcv+0x1a/0x1c [ 452.064012] [<ffffffff811fe385>] ip_local_deliver_finish+0x12b/0x1a5 [ 452.064012] [<ffffffff811fe54e>] ip_local_deliver+0x53/0x84 [ 452.064012] [<ffffffff811fe1d0>] ip_rcv_finish+0x2bc/0x2f3 [ 452.064012] [<ffffffff811fe78f>] ip_rcv+0x210/0x269 [ 452.064012] [<ffffffff8101911e>] ? kvm_clock_get_cycles+0x9/0xb [ 452.064012] [<ffffffff811d88cd>] __netif_receive_skb+0x3a5/0x3f7 [ 452.064012] [<ffffffff811d8eba>] netif_receive_skb+0x57/0x5e [ 452.064012] [<ffffffff811cf30f>] ? __netdev_alloc_skb+0x1f/0x3b [ 452.064012] [<ffffffffa0049126>] virtnet_poll+0x4ba/0x5a4 [virtio_net] [ 452.064012] [<ffffffff811d9417>] net_rx_action+0x73/0x184 [ 452.064012] [<ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] [ 452.064012] [<ffffffff810343b9>] __do_softirq+0xc3/0x1a8 [ 452.064012] [<ffffffff81013b56>] ? ack_APIC_irq+0x10/0x12 [ 452.064012] [<ffffffff81256559>] ? _raw_spin_lock+0xe/0x10 [ 452.064012] [<ffffffff8125e0ac>] call_softirq+0x1c/0x26 [ 452.064012] [<ffffffff81003587>] do_softirq+0x45/0x82 [ 452.064012] [<ffffffff81034667>] irq_exit+0x42/0x9c [ 452.064012] [<ffffffff8125e146>] do_IRQ+0x8e/0xa5 [ 452.064012] [<ffffffff8125676e>] common_interrupt+0x6e/0x6e [ 452.064012] <EOI> [<ffffffff810b82a1>] ? kfree+0x8a/0xa3 [ 452.064012] [<ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] [ 452.064012] [<ffffffffa01b2c25>] ? l2tp_xmit_skb+0x1dd/0x4ac [l2tp_core] [ 452.064012] [<ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] [ 452.064012] [<ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24 [ 452.064012] [<ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6 [ 452.064012] [<ffffffff81254e88>] ? __schedule+0x5c1/0x616 [ 452.064012] [<ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c [ 452.064012] [<ffffffff810bbd21>] ? fget_light+0x75/0x89 [ 452.064012] [<ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56 [ 452.064012] [<ffffffff811c9b34>] sys_sendto+0x10c/0x13b [ 452.064012] [<ffffffff8125cac2>] system_call_fastpath+0x16/0x1b Reported-by: François Cachereul <f.cachereul@alphalink.fr> Tested-by: François Cachereul <f.cachereul@alphalink.fr> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a4461f4 upstream. Unable to handle kernel NULL pointer dereference at virtual address 00000008 pgd = d5300000 [00000008] *pgd=0d265831, *pte=00000000, *ppte=00000000 Internal error: Oops: 17 [#1] PREEMPT ARM CPU: 0 PID: 2295 Comm: vlc Not tainted 3.11.0+ #755 task: dee74800 ti: e213c000 task.ti: e213c000 PC is at snd_pcm_info+0xc8/0xd8 LR is at 0x30232065 pc : [<c031b52c>] lr : [<30232065>] psr: a0070013 sp : e213dea8 ip : d81cb0d0 fp : c05f7678 r10: c05f7770 r9 : fffffdfd r8 : 00000000 r7 : d8a968a8 r6 : d8a96800 r5 : d8a96200 r4 : d81cb000 r3 : 00000000 r2 : d81cb000 r1 : 00000001 r0 : d8a96200 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 15300019 DAC: 00000015 Process vlc (pid: 2295, stack limit = 0xe213c248) [<c031b52c>] (snd_pcm_info) from [<c031b570>] (snd_pcm_info_user+0x34/0x9c) [<c031b570>] (snd_pcm_info_user) from [<c03164a4>] (snd_pcm_control_ioctl+0x274/0x280) [<c03164a4>] (snd_pcm_control_ioctl) from [<c0311458>] (snd_ctl_ioctl+0xc0/0x55c) [<c0311458>] (snd_ctl_ioctl) from [<c00eca84>] (do_vfs_ioctl+0x80/0x31c) [<c00eca84>] (do_vfs_ioctl) from [<c00ecd5c>] (SyS_ioctl+0x3c/0x60) [<c00ecd5c>] (SyS_ioctl) from [<c000e500>] (ret_fast_syscall+0x0/0x48) Code: e1a00005 e59530dc e3a01001 e1a02004 (e5933008) ---[ end trace cb3d9bdb8dfefb3c ]--- This is provoked when the ASoC front end is open along with its backend, (which causes the backend to have a runtime assigned to it) and then the SNDRV_CTL_IOCTL_PCM_INFO is requested for the (visible) backend device. Resolve this by ensuring that ASoC internal backend devices are not visible to userspace, just as the commentry for snd_pcm_new_internal() says it should be. Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> Acked-by: Mark Brown <broonie@linaro.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3017f07 upstream. When walk_page_range walk a memory map's page tables, it'll skip VM_PFNMAP area, then variable 'next' will to assign to vma->vm_end, it maybe larger than 'end'. In next loop, 'addr' will be larger than 'next'. Then in /proc/XXXX/pagemap file reading procedure, the 'addr' will growing forever in pagemap_pte_range, pte_to_pagemap_entry will access the wrong pte. BUG: Bad page map in process procrank pte:8437526f pmd:785de067 addr:9108d000 vm_flags:00200073 anon_vma:f0d99020 mapping: (null) index:9108d CPU: 1 PID: 4974 Comm: procrank Tainted: G B W O 3.10.1+ #1 Call Trace: dump_stack+0x16/0x18 print_bad_pte+0x114/0x1b0 vm_normal_page+0x56/0x60 pagemap_pte_range+0x17a/0x1d0 walk_page_range+0x19e/0x2c0 pagemap_read+0x16e/0x200 vfs_read+0x84/0x150 SyS_read+0x4a/0x80 syscall_call+0x7/0xb Signed-off-by: Liu ShuoX <shuox.liu@intel.com> Signed-off-by: Chen LinX <linx.z.chen@intel.com> Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 057db84 upstream. Andrey reported the following report: ERROR: AddressSanitizer: heap-buffer-overflow on address ffff8800359c99f3 ffff8800359c99f3 is located 0 bytes to the right of 243-byte region [ffff8800359c9900, ffff8800359c99f3) Accessed by thread T13003: #0 ffffffff810dd2da (asan_report_error+0x32a/0x440) #1 ffffffff810dc6b0 (asan_check_region+0x30/0x40) #2 ffffffff810dd4d3 (__tsan_write1+0x13/0x20) #3 ffffffff811cd19e (ftrace_regex_release+0x1be/0x260) #4 ffffffff812a1065 (__fput+0x155/0x360) #5 ffffffff812a12de (____fput+0x1e/0x30) #6 ffffffff8111708d (task_work_run+0x10d/0x140) #7 ffffffff810ea043 (do_exit+0x433/0x11f0) #8 ffffffff810eaee4 (do_group_exit+0x84/0x130) #9 ffffffff810eafb1 (SyS_exit_group+0x21/0x30) #10 ffffffff81928782 (system_call_fastpath+0x16/0x1b) Allocated by thread T5167: #0 ffffffff810dc778 (asan_slab_alloc+0x48/0xc0) #1 ffffffff8128337c (__kmalloc+0xbc/0x500) #2 ffffffff811d9d54 (trace_parser_get_init+0x34/0x90) #3 ffffffff811cd7b3 (ftrace_regex_open+0x83/0x2e0) #4 ffffffff811cda7d (ftrace_filter_open+0x2d/0x40) #5 ffffffff8129b4ff (do_dentry_open+0x32f/0x430) #6 ffffffff8129b668 (finish_open+0x68/0xa0) #7 ffffffff812b66ac (do_last+0xb8c/0x1710) #8 ffffffff812b7350 (path_openat+0x120/0xb50) #9 ffffffff812b8884 (do_filp_open+0x54/0xb0) #10 ffffffff8129d36c (do_sys_open+0x1ac/0x2c0) #11 ffffffff8129d4b7 (SyS_open+0x37/0x50) #12 ffffffff81928782 (system_call_fastpath+0x16/0x1b) Shadow bytes around the buggy address: ffff8800359c9700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd ffff8800359c9780: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa ffff8800359c9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa ffff8800359c9880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa ffff8800359c9900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>ffff8800359c9980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[03]fb ffff8800359c9a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa ffff8800359c9a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa ffff8800359c9b00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 ffff8800359c9b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8800359c9c00: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap redzone: fa Heap kmalloc redzone: fb Freed heap region: fd Shadow gap: fe The out-of-bounds access happens on 'parser->buffer[parser->idx] = 0;' Although the crash happened in ftrace_regex_open() the real bug occurred in trace_get_user() where there's an incrementation to parser->idx without a check against the size. The way it is triggered is if userspace sends in 128 characters (EVENT_BUF_SIZE + 1), the loop that reads the last character stores it and then breaks out because there is no more characters. Then the last character is read to determine what to do next, and the index is incremented without checking size. Then the caller of trace_get_user() usually nulls out the last character with a zero, but since the index is equal to the size, it writes a nul character after the allocated space, which can corrupt memory. Luckily, only root user has write access to this file. Link: http://lkml.kernel.org/r/20131009222323.04fd1a0d@gandalf.local.home Reported-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5671ab0 upstream. Fix random kernel panic with below messages when remove dongle. [ 2212.355447] BUG: unable to handle kernel NULL pointer dereference at 0000000000000250 [ 2212.355527] IP: [<ffffffffa02667f2>] rt2x00usb_kick_tx_entry+0x12/0x160 [rt2x00usb] [ 2212.355599] PGD 0 [ 2212.355626] Oops: 0000 [#1] SMP [ 2212.355664] Modules linked in: rt2800usb rt2x00usb rt2800lib crc_ccitt rt2x00lib mac80211 cfg80211 tun arc4 fuse rfcomm bnep snd_hda_codec_realtek snd_hda_intel snd_hda_codec btusb uvcvideo bluetooth snd_hwdep x86_pkg_temp_thermal snd_seq coretemp aesni_intel aes_x86_64 snd_seq_device glue_helper snd_pcm ablk_helper videobuf2_vmalloc sdhci_pci videobuf2_memops videobuf2_core sdhci videodev mmc_core serio_raw snd_page_alloc microcode i2c_i801 snd_timer hid_multitouch thinkpad_acpi lpc_ich mfd_core snd tpm_tis wmi tpm tpm_bios soundcore acpi_cpufreq i915 i2c_algo_bit drm_kms_helper drm i2c_core video [last unloaded: cfg80211] [ 2212.356224] CPU: 0 PID: 34 Comm: khubd Not tainted 3.12.0-rc3-wl+ #3 [ 2212.356268] Hardware name: LENOVO 3444CUU/3444CUU, BIOS G6ET93WW (2.53 ) 02/04/2013 [ 2212.356319] task: ffff880212f687c0 ti: ffff880212f66000 task.ti: ffff880212f66000 [ 2212.356392] RIP: 0010:[<ffffffffa02667f2>] [<ffffffffa02667f2>] rt2x00usb_kick_tx_entry+0x12/0x160 [rt2x00usb] [ 2212.356481] RSP: 0018:ffff880212f67750 EFLAGS: 00010202 [ 2212.356519] RAX: 000000000000000c RBX: 000000000000000c RCX: 0000000000000293 [ 2212.356568] RDX: ffff8801f4dc219a RSI: 0000000000000000 RDI: 0000000000000240 [ 2212.356617] RBP: ffff880212f67778 R08: ffffffffa02667e0 R09: 0000000000000002 [ 2212.356665] R10: 0001f95254ab4b40 R11: ffff880212f675be R12: ffff8801f4dc2150 [ 2212.356712] R13: 0000000000000000 R14: ffffffffa02667e0 R15: 000000000000000d [ 2212.356761] FS: 0000000000000000(0000) GS:ffff88021e200000(0000) knlGS:0000000000000000 [ 2212.356813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2212.356852] CR2: 0000000000000250 CR3: 0000000001a0c000 CR4: 00000000001407f0 [ 2212.356899] Stack: [ 2212.356917] 000000000000000c ffff8801f4dc2150 0000000000000000 ffffffffa02667e0 [ 2212.356980] 000000000000000d ffff880212f677b8 ffffffffa03a31ad ffff8801f4dc219a [ 2212.357038] ffff8801f4dc2150 0000000000000000 ffff8800b93217a0 ffff8801f49bc800 [ 2212.357099] Call Trace: [ 2212.357122] [<ffffffffa02667e0>] ? rt2x00usb_interrupt_txdone+0x90/0x90 [rt2x00usb] [ 2212.357174] [<ffffffffa03a31ad>] rt2x00queue_for_each_entry+0xed/0x170 [rt2x00lib] [ 2212.357244] [<ffffffffa026701c>] rt2x00usb_kick_queue+0x5c/0x60 [rt2x00usb] [ 2212.357314] [<ffffffffa03a3682>] rt2x00queue_flush_queue+0x62/0xa0 [rt2x00lib] [ 2212.357386] [<ffffffffa03a2930>] rt2x00mac_flush+0x30/0x70 [rt2x00lib] [ 2212.357470] [<ffffffffa04edded>] ieee80211_flush_queues+0xbd/0x140 [mac80211] [ 2212.357555] [<ffffffffa0502e52>] ieee80211_set_disassoc+0x2d2/0x3d0 [mac80211] [ 2212.357645] [<ffffffffa0506da3>] ieee80211_mgd_deauth+0x1d3/0x240 [mac80211] [ 2212.357718] [<ffffffff8108b17c>] ? try_to_wake_up+0xec/0x290 [ 2212.357788] [<ffffffffa04dbd18>] ieee80211_deauth+0x18/0x20 [mac80211] [ 2212.357872] [<ffffffffa0418ddc>] cfg80211_mlme_deauth+0x9c/0x140 [cfg80211] [ 2212.357913] [<ffffffffa041907c>] cfg80211_mlme_down+0x5c/0x60 [cfg80211] [ 2212.357962] [<ffffffffa041cd18>] cfg80211_disconnect+0x188/0x1a0 [cfg80211] [ 2212.358014] [<ffffffffa04013bc>] ? __cfg80211_stop_sched_scan+0x1c/0x130 [cfg80211] [ 2212.358067] [<ffffffffa03f8954>] cfg80211_leave+0xc4/0xe0 [cfg80211] [ 2212.358124] [<ffffffffa03f8d1b>] cfg80211_netdev_notifier_call+0x3ab/0x5e0 [cfg80211] [ 2212.358177] [<ffffffff815140f8>] ? inetdev_event+0x38/0x510 [ 2212.358217] [<ffffffff81085a94>] ? __wake_up+0x44/0x50 [ 2212.358254] [<ffffffff8155995c>] notifier_call_chain+0x4c/0x70 [ 2212.358293] [<ffffffff81081156>] raw_notifier_call_chain+0x16/0x20 [ 2212.358361] [<ffffffff814b6dd5>] call_netdevice_notifiers_info+0x35/0x60 [ 2212.358429] [<ffffffff814b6ec9>] __dev_close_many+0x49/0xd0 [ 2212.358487] [<ffffffff814b7028>] dev_close_many+0x88/0x100 [ 2212.358546] [<ffffffff814b8150>] rollback_registered_many+0xb0/0x220 [ 2212.358612] [<ffffffff814b8319>] unregister_netdevice_many+0x19/0x60 [ 2212.358694] [<ffffffffa04d8eb2>] ieee80211_remove_interfaces+0x112/0x190 [mac80211] [ 2212.358791] [<ffffffffa04c585f>] ieee80211_unregister_hw+0x4f/0x100 [mac80211] [ 2212.361994] [<ffffffffa03a1221>] rt2x00lib_remove_dev+0x161/0x1a0 [rt2x00lib] [ 2212.365240] [<ffffffffa0266e2e>] rt2x00usb_disconnect+0x2e/0x70 [rt2x00usb] [ 2212.368470] [<ffffffff81419ce4>] usb_unbind_interface+0x64/0x1c0 [ 2212.371734] [<ffffffff813b446f>] __device_release_driver+0x7f/0xf0 [ 2212.374999] [<ffffffff813b4503>] device_release_driver+0x23/0x30 [ 2212.378131] [<ffffffff813b3c98>] bus_remove_device+0x108/0x180 [ 2212.381358] [<ffffffff813b0565>] device_del+0x135/0x1d0 [ 2212.384454] [<ffffffff81417760>] usb_disable_device+0xb0/0x270 [ 2212.387451] [<ffffffff8140d9cd>] usb_disconnect+0xad/0x1d0 [ 2212.390294] [<ffffffff8140f6cd>] hub_thread+0x63d/0x1660 [ 2212.393034] [<ffffffff8107c860>] ? wake_up_atomic_t+0x30/0x30 [ 2212.395728] [<ffffffff8140f090>] ? hub_port_debounce+0x130/0x130 [ 2212.398412] [<ffffffff8107baa0>] kthread+0xc0/0xd0 [ 2212.401058] [<ffffffff8107b9e0>] ? insert_kthread_work+0x40/0x40 [ 2212.403639] [<ffffffff8155de3c>] ret_from_fork+0x7c/0xb0 [ 2212.406193] [<ffffffff8107b9e0>] ? insert_kthread_work+0x40/0x40 [ 2212.408732] Code: 24 58 08 00 00 bf 80 00 00 00 e8 3a c3 e0 e0 5b 41 5c 5d c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 <48> 8b 47 10 48 89 fb 4c 8b 6f 28 4c 8b 20 49 8b 04 24 4c 8b 30 [ 2212.414671] RIP [<ffffffffa02667f2>] rt2x00usb_kick_tx_entry+0x12/0x160 [rt2x00usb] [ 2212.417646] RSP <ffff880212f67750> [ 2212.420547] CR2: 0000000000000250 [ 2212.441024] ---[ end trace 5442918f33832bce ]--- Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl> Acked-by: Helmut Schaa <helmut.schaa@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f494a60 upstream. _nfs4_opendata_reclaim_to_nfs4_state doesn't expect to see a cached open CLAIM_PREVIOUS, but this can happen. An example is when there are RDWR openers and RDONLY openers on a delegation stateid. The recovery path will first try an open CLAIM_PREVIOUS for the RDWR openers, this marks the delegation as not needing RECLAIM anymore, so the open CLAIM_PREVIOUS for the RDONLY openers will not actually send an rpc. The NULL dereference is due to _nfs4_opendata_reclaim_to_nfs4_state returning PTR_ERR(rpc_status) when !rpc_done. When the open is cached, rpc_done == 0 and rpc_status == 0, thus _nfs4_opendata_reclaim_to_nfs4_state returns NULL - this is unexpected by callers of nfs4_opendata_to_nfs4_state(). This can be reproduced easily by opening the same file two times on an NFSv4.0 mount with delegations enabled, once as RDWR and once as RDONLY then sleeping for a long time. While the files are held open, kick off state recovery and this NULL dereference will be hit every time. An example OOPS: [ 65.003602] BUG: unable to handle kernel NULL pointer dereference at 00000000 00000030 [ 65.005312] IP: [<ffffffffa037d6ee>] __nfs4_close+0x1e/0x160 [nfsv4] [ 65.006820] PGD 7b0ea067 PUD 791ff067 PMD 0 [ 65.008075] Oops: 0000 [#1] SMP [ 65.008802] Modules linked in: rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache snd_ens1371 gameport nfsd snd_rawmidi snd_ac97_codec ac97_bus btusb snd_seq snd _seq_device snd_pcm ppdev bluetooth auth_rpcgss coretemp snd_page_alloc crc32_pc lmul crc32c_intel ghash_clmulni_intel microcode rfkill nfs_acl vmw_balloon serio _raw snd_timer lockd parport_pc e1000 snd soundcore parport i2c_piix4 shpchp vmw _vmci sunrpc ata_generic mperf pata_acpi mptspi vmwgfx ttm scsi_transport_spi dr m mptscsih mptbase i2c_core [ 65.018684] CPU: 0 PID: 473 Comm: 192.168.10.85-m Not tainted 3.11.2-201.fc19 .x86_64 #1 [ 65.020113] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013 [ 65.022012] task: ffff88003707e320 ti: ffff88007b906000 task.ti: ffff88007b906000 [ 65.023414] RIP: 0010:[<ffffffffa037d6ee>] [<ffffffffa037d6ee>] __nfs4_close+0x1e/0x160 [nfsv4] [ 65.025079] RSP: 0018:ffff88007b907d10 EFLAGS: 00010246 [ 65.026042] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 65.027321] RDX: 0000000000000050 RSI: 0000000000000001 RDI: 0000000000000000 [ 65.028691] RBP: ffff88007b907d38 R08: 0000000000016f60 R09: 0000000000000000 [ 65.029990] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 [ 65.031295] R13: 0000000000000050 R14: 0000000000000000 R15: 0000000000000001 [ 65.032527] FS: 0000000000000000(0000) GS:ffff88007f600000(0000) knlGS:0000000000000000 [ 65.033981] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 65.035177] CR2: 0000000000000030 CR3: 000000007b27f000 CR4: 00000000000407f0 [ 65.036568] Stack: [ 65.037011] 0000000000000000 0000000000000001 ffff88007b907d90 ffff88007a880220 [ 65.038472] ffff88007b768de8 ffff88007b907d48 ffffffffa037e4a5 ffff88007b907d80 [ 65.039935] ffffffffa036a6c8 ffff880037020e40 ffff88007a880000 ffff880037020e40 [ 65.041468] Call Trace: [ 65.042050] [<ffffffffa037e4a5>] nfs4_close_state+0x15/0x20 [nfsv4] [ 65.043209] [<ffffffffa036a6c8>] nfs4_open_recover_helper+0x148/0x1f0 [nfsv4] [ 65.044529] [<ffffffffa036a886>] nfs4_open_recover+0x116/0x150 [nfsv4] [ 65.045730] [<ffffffffa036d98d>] nfs4_open_reclaim+0xad/0x150 [nfsv4] [ 65.046905] [<ffffffffa037d979>] nfs4_do_reclaim+0x149/0x5f0 [nfsv4] [ 65.048071] [<ffffffffa037e1dc>] nfs4_run_state_manager+0x3bc/0x670 [nfsv4] [ 65.049436] [<ffffffffa037de20>] ? nfs4_do_reclaim+0x5f0/0x5f0 [nfsv4] [ 65.050686] [<ffffffffa037de20>] ? nfs4_do_reclaim+0x5f0/0x5f0 [nfsv4] [ 65.051943] [<ffffffff81088640>] kthread+0xc0/0xd0 [ 65.052831] [<ffffffff81088580>] ? insert_kthread_work+0x40/0x40 [ 65.054697] [<ffffffff8165686c>] ret_from_fork+0x7c/0xb0 [ 65.056396] [<ffffffff81088580>] ? insert_kthread_work+0x40/0x40 [ 65.058208] Code: 5c 41 5d 5d c3 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 41 57 41 89 f7 41 56 41 89 ce 41 55 41 89 d5 41 54 53 48 89 fb <4c> 8b 67 30 f0 41 ff 44 24 44 49 8d 7c 24 40 e8 0e 0a 2d e1 44 [ 65.065225] RIP [<ffffffffa037d6ee>] __nfs4_close+0x1e/0x160 [nfsv4] [ 65.067175] RSP <ffff88007b907d10> [ 65.068570] CR2: 0000000000000030 [ 65.070098] ---[ end trace 0d1fe4f5c7dd6f8b ]--- Signed-off-by: Weston Andros Adamson <dros@netapp.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4912aa6 upstream. crocode i2c_i801 i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma dca be2net sg ses enclosure ext4 mbcache jbd2 sd_mod crc_t10dif ahci megaraid_sas(U) dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan] Pid: 491, comm: scsi_eh_0 Tainted: G W ---------------- 2.6.32-220.13.1.el6.x86_64 #1 IBM -[8722PAX]-/00D1461 RIP: 0010:[<ffffffff8124e424>] [<ffffffff8124e424>] blk_requeue_request+0x94/0xa0 RSP: 0018:ffff881057eefd60 EFLAGS: 00010012 RAX: ffff881d99e3e8a8 RBX: ffff881d99e3e780 RCX: ffff881d99e3e8a8 RDX: ffff881d99e3e8a8 RSI: ffff881d99e3e780 RDI: ffff881d99e3e780 RBP: ffff881057eefd80 R08: ffff881057eefe90 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff881057f92338 R13: 0000000000000000 R14: ffff881057f92338 R15: ffff883058188000 FS: 0000000000000000(0000) GS:ffff880040200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b CR2: 00000000006d3ec0 CR3: 000000302cd7d000 CR4: 00000000000406b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process scsi_eh_0 (pid: 491, threadinfo ffff881057eee000, task ffff881057e29540) Stack: 0000000000001057 0000000000000286 ffff8810275efdc0 ffff881057f16000 <0> ffff881057eefdd0 ffffffff81362323 ffff881057eefe20 ffffffff8135f393 <0> ffff881057e29af8 ffff8810275efdc0 ffff881057eefe78 ffff881057eefe90 Call Trace: [<ffffffff81362323>] __scsi_queue_insert+0xa3/0x150 [<ffffffff8135f393>] ? scsi_eh_ready_devs+0x5e3/0x850 [<ffffffff81362a23>] scsi_queue_insert+0x13/0x20 [<ffffffff8135e4d4>] scsi_eh_flush_done_q+0x104/0x160 [<ffffffff8135fb6b>] scsi_error_handler+0x35b/0x660 [<ffffffff8135f810>] ? scsi_error_handler+0x0/0x660 [<ffffffff810908c6>] kthread+0x96/0xa0 [<ffffffff8100c14a>] child_rip+0xa/0x20 [<ffffffff81090830>] ? kthread+0x0/0xa0 [<ffffffff8100c140>] ? child_rip+0x0/0x20 Code: 00 00 eb d1 4c 8b 2d 3c 8f 97 00 4d 85 ed 74 bf 49 8b 45 00 49 83 c5 08 48 89 de 4c 89 e7 ff d0 49 8b 45 00 48 85 c0 75 eb eb a4 <0f> 0b eb fe 0f 1f 84 00 00 00 00 00 55 48 89 e5 0f 1f 44 00 00 RIP [<ffffffff8124e424>] blk_requeue_request+0x94/0xa0 RSP <ffff881057eefd60> The RIP is this line: BUG_ON(blk_queued_rq(rq)); After digging through the code, I think there may be a race between the request completion and the timer handler running. A timer is started for each request put on the device's queue (see blk_start_request->blk_add_timer). If the request does not complete before the timer expires, the timer handler (blk_rq_timed_out_timer) will mark the request complete atomically: static inline int blk_mark_rq_complete(struct request *rq) { return test_and_set_bit(REQ_ATOM_COMPLETE, &rq->atomic_flags); } and then call blk_rq_timed_out. The latter function will call scsi_times_out, which will return one of BLK_EH_HANDLED, BLK_EH_RESET_TIMER or BLK_EH_NOT_HANDLED. If BLK_EH_RESET_TIMER is returned, blk_clear_rq_complete is called, and blk_add_timer is again called to simply wait longer for the request to complete. Now, if the request happens to complete while this is going on, what happens? Given that we know the completion handler will bail if it finds the REQ_ATOM_COMPLETE bit set, we need to focus on the completion handler running after that bit is cleared. So, from the above paragraph, after the call to blk_clear_rq_complete. If the completion sets REQ_ATOM_COMPLETE before the BUG_ON in blk_add_timer, we go boom there (I haven't seen this in the cores). Next, if we get the completion before the call to list_add_tail, then the timer will eventually fire for an old req, which may either be freed or reallocated (there is evidence that this might be the case). Finally, if the completion comes in *after* the addition to the timeout list, I think it's harmless. The request will be removed from the timeout list, req_atom_complete will be set, and all will be well. This will only actually explain the coredumps *IF* the request structure was freed, reallocated *and* queued before the error handler thread had a chance to process it. That is possible, but it may make sense to keep digging for another race. I think that if this is what was happening, we would see other instances of this problem showing up as null pointer or garbage pointer dereferences, for example when the request structure was not re-used. It looks like we actually do run into that situation in other reports. This patch moves the BUG_ON(test_bit(REQ_ATOM_COMPLETE, &req->atomic_flags)); from blk_add_timer to the only caller that could trip over it (blk_start_request). It then inverts the calls to blk_clear_rq_complete and blk_add_timer in blk_rq_timed_out to address the race. I've boot tested this patch, but nothing more. Signed-off-by: Jeff Moyer <jmoyer@redhat.com> Acked-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a207f59 upstream. The probe function is supposed to return NULL on failure (as we can see in kobj_lookup: kobj = probe(dev, index, data); ... if (kobj) return kobj; However, in loop and brd, it returns negative error from ERR_PTR. This causes a crash if we simulate disk allocation failure and run less -f /dev/loop0 because the negative number is interpreted as a pointer: BUG: unable to handle kernel NULL pointer dereference at 00000000000002b4 IP: [<ffffffff8118b188>] __blkdev_get+0x28/0x450 PGD 23c677067 PUD 23d6d1067 PMD 0 Oops: 0000 [#1] PREEMPT SMP Modules linked in: loop hpfs nvidia(PO) ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev msr ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_stats cpufreq_ondemand cpufreq_userspace cpufreq_powersave cpufreq_conservative hid_generic spadfs usbhid hid fuse raid0 snd_usb_audio snd_pcm_oss snd_mixer_oss md_mod snd_pcm snd_timer snd_page_alloc snd_hwdep snd_usbmidi_lib dmi_sysfs snd_rawmidi nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack snd soundcore lm85 hwmon_vid ohci_hcd ehci_pci ehci_hcd serverworks sata_svw libata acpi_cpufreq freq_table mperf ide_core usbcore kvm_amd kvm tg3 i2c_piix4 libphy microcode e100 usb_common ptp skge i2c_core pcspkr k10temp evdev floppy hwmon pps_core mii rtc_cmos button processor unix [last unloaded: nvidia] CPU: 1 PID: 6831 Comm: less Tainted: P W O 3.10.15-devel #18 Hardware name: empty empty/S3992-E, BIOS 'V1.06 ' 06/09/2009 task: ffff880203cc6bc0 ti: ffff88023e47c000 task.ti: ffff88023e47c000 RIP: 0010:[<ffffffff8118b188>] [<ffffffff8118b188>] __blkdev_get+0x28/0x450 RSP: 0018:ffff88023e47dbd8 EFLAGS: 00010286 RAX: ffffffffffffff74 RBX: ffffffffffffff74 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 RBP: ffff88023e47dc18 R08: 0000000000000002 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff88023f519658 R13: ffffffff8118c300 R14: 0000000000000000 R15: ffff88023f519640 FS: 00007f2070bf7700(0000) GS:ffff880247400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000002b4 CR3: 000000023da1d000 CR4: 00000000000007e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: 0000000000000002 0000001d00000000 000000003e47dc50 ffff88023f519640 ffff88043d5bb668 ffffffff8118c300 ffff88023d683550 ffff88023e47de60 ffff88023e47dc98 ffffffff8118c10d 0000001d81605698 0000000000000292 Call Trace: [<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60 [<ffffffff8118c10d>] blkdev_get+0x1dd/0x370 [<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60 [<ffffffff813cea6c>] ? _raw_spin_unlock+0x2c/0x50 [<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60 [<ffffffff8118c365>] blkdev_open+0x65/0x80 [<ffffffff8114d12e>] do_dentry_open.isra.18+0x23e/0x2f0 [<ffffffff8114d214>] finish_open+0x34/0x50 [<ffffffff8115e122>] do_last.isra.62+0x2d2/0xc50 [<ffffffff8115eb58>] path_openat.isra.63+0xb8/0x4d0 [<ffffffff81115a8e>] ? might_fault+0x4e/0xa0 [<ffffffff8115f4f0>] do_filp_open+0x40/0x90 [<ffffffff813cea6c>] ? _raw_spin_unlock+0x2c/0x50 [<ffffffff8116db85>] ? __alloc_fd+0xa5/0x1f0 [<ffffffff8114e45f>] do_sys_open+0xef/0x1d0 [<ffffffff8114e559>] SyS_open+0x19/0x20 [<ffffffff813cff16>] system_call_fastpath+0x1a/0x1f Code: 44 00 00 55 48 89 e5 41 57 49 89 ff 41 56 41 89 d6 41 55 41 54 4c 8d 67 18 53 48 83 ec 18 89 75 cc e9 f2 00 00 00 0f 1f 44 00 00 <48> 8b 80 40 03 00 00 48 89 df 4c 8b 68 58 e8 d5 a4 07 00 44 89 RIP [<ffffffff8118b188>] __blkdev_get+0x28/0x450 RSP <ffff88023e47dbd8> CR2: 00000000000002b4 ---[ end trace bb7f32dbf02398dc ]--- The brd change should be backported to stable kernels starting with 2.6.25. The loop change should be backported to stable kernels starting with 2.6.22. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Acked-by: Tejun Heo <tj@kernel.org> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c6f58d9 upstream. Andreas Herrmann writes: When I've used slub_debug kernel option (e.g. "slub_debug=,skbuff_fclone_cache" or similar) on a debug session I've seen a panic like: Highbank #setenv bootargs console=ttyAMA0 root=/dev/sda2 kgdboc.kgdboc=ttyAMA0,115200 slub_debug=,kmalloc-4096 earlyprintk=ttyAMA0 ... Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = c0004000 [00000000] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: CPU: 0 PID: 0 Comm: swapper Tainted: G W 3.12.0-00048-gbe408cd #314 task: c0898360 ti: c088a000 task.ti: c088a000 PC is at strncmp+0x1c/0x84 LR is at kmem_cache_flags.isra.46.part.47+0x44/0x60 pc : [<c02c6da0>] lr : [<c0110a3c>] psr: 200001d3 sp : c088bea8 ip : c088beb8 fp : c088beb4 r10: 00000000 r9 : 413fc090 r8 : 00000001 r7 : 00000000 r6 : c2984a08 r5 : c0966e78 r4 : 00000000 r3 : 0000006b r2 : 0000000c r1 : 00000000 r0 : c2984a08 Flags: nzCv IRQs off FIQs off Mode SVC_32 ISA ARM Segment kernel Control: 10c5387d Table: 0000404a DAC: 00000015 Process swapper (pid: 0, stack limit = 0xc088a248) Stack: (0xc088bea8 to 0xc088c000) bea0: c088bed4 c088beb8 c0110a3c c02c6d90 c0966e78 00000040 bec0: ef001f00 00000040 c088bf14 c088bed8 c0112070 c0110a04 00000005 c010fac8 bee0: c088bf5c c088bef0 c010fac8 ef001f00 00000040 00000000 00000040 00000001 bf00: 413fc090 00000000 c088bf34 c088bf18 c0839190 c0112040 00000000 ef001f00 bf20: 00000000 00000000 c088bf54 c088bf38 c0839200 c083914c 00000006 c0961c4c bf40: c0961c28 00000000 c088bf7c c088bf58 c08392ac c08391c0 c08a2ed8 c0966e78 bf60: c086b874 c08a3f50 c0961c28 00000001 c088bfb4 c088bf80 c083b258 c0839248 bf80: 2f800000 0f000000 c08935b4 ffffffff c08cd400 ffffffff c08cd400 c0868408 bfa0: c29849c0 00000000 c088bff4 c088bfb8 c0824974 c083b1e4 ffffffff ffffffff bfc0: c08245c0 00000000 00000000 c0868408 00000000 10c5387d c0892bcc c0868404 bfe0: c0899440 0000406a 00000000 c088bff8 00008074 c0824824 00000000 00000000 [<c02c6da0>] (strncmp+0x1c/0x84) from [<c0110a3c>] (kmem_cache_flags.isra.46.part.47+0x44/0x60) [<c0110a3c>] (kmem_cache_flags.isra.46.part.47+0x44/0x60) from [<c0112070>] (__kmem_cache_create+0x3c/0x410) [<c0112070>] (__kmem_cache_create+0x3c/0x410) from [<c0839190>] (create_boot_cache+0x50/0x74) [<c0839190>] (create_boot_cache+0x50/0x74) from [<c0839200>] (create_kmalloc_cache+0x4c/0x88) [<c0839200>] (create_kmalloc_cache+0x4c/0x88) from [<c08392ac>] (create_kmalloc_caches+0x70/0x114) [<c08392ac>] (create_kmalloc_caches+0x70/0x114) from [<c083b258>] (kmem_cache_init+0x80/0xe0) [<c083b258>] (kmem_cache_init+0x80/0xe0) from [<c0824974>] (start_kernel+0x15c/0x318) [<c0824974>] (start_kernel+0x15c/0x318) from [<00008074>] (0x8074) Code: e3520000 01a00002 089da800 e5d03000 (e5d1c000) ---[ end trace 1b75b31a2719ed1d ]--- Kernel panic - not syncing: Fatal exception Problem is that slub_debug option is not parsed before create_boot_cache is called. Solve this by changing slub_debug to early_param. Kernels 3.11, 3.10 are also affected. I am not sure about older kernels. Christoph Lameter explains: kmem_cache_flags may be called with NULL parameter during early boot. Skip the test in that case. Reported-by: Andreas Herrmann <andreas.herrmann@calxeda.com> Signed-off-by: Christoph Lameter <cl@linux.com> Signed-off-by: Pekka Enberg <penberg@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3ec981e upstream. loop: fix crash if blk_alloc_queue fails If blk_alloc_queue fails, loop_add cleans up, but it doesn't clean up the identifier allocated with idr_alloc. That causes crash on module unload in idr_for_each(&loop_index_idr, &loop_exit_cb, NULL); where we attempt to remove non-existed device with that id. BUG: unable to handle kernel NULL pointer dereference at 0000000000000380 IP: [<ffffffff812057c9>] del_gendisk+0x19/0x2d0 PGD 43d399067 PUD 43d0ad067 PMD 0 Oops: 0000 [#1] PREEMPT SMP Modules linked in: loop(-) dm_snapshot dm_zero dm_mirror dm_region_hash dm_log dm_loop dm_mod ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev msr ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_userspace cpufreq_stats cpufreq_ondemand cpufreq_conservative cpufreq_powersave spadfs fuse hid_generic usbhid hid raid0 md_mod dmi_sysfs nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack snd_usb_audio snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc lm85 hwmon_vid snd_hwdep snd_usbmidi_lib snd_rawmidi snd soundcore acpi_cpufreq ohci_hcd freq_table tg3 ehci_pci mperf ehci_hcd kvm_amd kvm sata_svw serverworks libphy libata ide_core k10temp usbcore hwmon microcode ptp pcspkr pps_core e100 skge mii usb_common i2c_piix4 floppy evdev rtc_cmos i2c_core processor but! ton unix CPU: 7 PID: 2735 Comm: rmmod Tainted: G W 3.10.15-devel #15 Hardware name: empty empty/S3992-E, BIOS 'V1.06 ' 06/09/2009 task: ffff88043d38e780 ti: ffff88043d21e000 task.ti: ffff88043d21e000 RIP: 0010:[<ffffffff812057c9>] [<ffffffff812057c9>] del_gendisk+0x19/0x2d0 RSP: 0018:ffff88043d21fe10 EFLAGS: 00010282 RAX: ffffffffa05102e0 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88043ea82800 RDI: 0000000000000000 RBP: ffff88043d21fe48 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000000 R12: 00000000000000ff R13: 0000000000000080 R14: 0000000000000000 R15: ffff88043ea82800 FS: 00007ff646534700(0000) GS:ffff880447000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000380 CR3: 000000043e9bf000 CR4: 00000000000007e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: ffffffff8100aba4 0000000000000092 ffff88043d21fe48 ffff88043ea82800 00000000000000ff ffff88043d21fe98 0000000000000000 ffff88043d21fe60 ffffffffa05102b4 0000000000000000 ffff88043d21fe70 ffffffffa05102ec Call Trace: [<ffffffff8100aba4>] ? native_sched_clock+0x24/0x80 [<ffffffffa05102b4>] loop_remove+0x14/0x40 [loop] [<ffffffffa05102ec>] loop_exit_cb+0xc/0x10 [loop] [<ffffffff81217b74>] idr_for_each+0x104/0x190 [<ffffffffa05102e0>] ? loop_remove+0x40/0x40 [loop] [<ffffffff8109adc5>] ? trace_hardirqs_on_caller+0x105/0x1d0 [<ffffffffa05135dc>] loop_exit+0x34/0xa58 [loop] [<ffffffff810a98ea>] SyS_delete_module+0x13a/0x260 [<ffffffff81221d5e>] ? trace_hardirqs_on_thunk+0x3a/0x3f [<ffffffff813cff16>] system_call_fastpath+0x1a/0x1f Code: f0 4c 8b 6d f8 c9 c3 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 56 41 55 4c 8d af 80 00 00 00 41 54 53 48 89 fb 48 83 ec 18 <48> 83 bf 80 03 00 00 00 74 4d e8 98 fe ff ff 31 f6 48 c7 c7 20 RIP [<ffffffff812057c9>] del_gendisk+0x19/0x2d0 RSP <ffff88043d21fe10> CR2: 0000000000000380 ---[ end trace 64ec069ec70f1309 ]--- Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Acked-by: Tejun Heo <tj@kernel.org> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ef7e7c8 upstream. When the loop module is loaded, it creates 8 loop devices /dev/loop[0-7]. The devices have no request routine and thus, when they are used without being assigned, a crash happens. For example, these commands cause crash (assuming there are no used loop devices): Kernel Fault: Code=26 regs=000000007f420980 (Addr=0000000000000010) CPU: 1 PID: 50 Comm: kworker/1:1 Not tainted 3.11.0 #1 Workqueue: ksnaphd do_metadata [dm_snapshot] task: 000000007fcf4078 ti: 000000007f420000 task.ti: 000000007f420000 [ 116.319988] YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI PSW: 00001000000001001111111100001111 Not tainted r00-03 000000ff0804ff0f 00000000408bf5d0 00000000402d8204 000000007b7ff6c0 r04-07 00000000408a95d0 000000007f420950 000000007b7ff6c0 000000007d06c930 r08-11 000000007f4205c0 0000000000000001 000000007f4205c0 000000007f4204b8 r12-15 0000000000000010 0000000000000000 0000000000000000 0000000000000000 r16-19 000000001108dd48 000000004061cd7c 000000007d859800 000000000800000f r20-23 0000000000000000 0000000000000008 0000000000000000 0000000000000000 r24-27 00000000ffffffff 000000007b7ff6c0 000000007d859800 00000000408a95d0 r28-31 0000000000000000 000000007f420950 000000007f420980 000000007f4208e8 sr00-03 0000000000000000 0000000000000000 0000000000000000 0000000000303000 sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 117.549988] IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000402d82fc 00000000402d8300 IIR: 53820020 ISR: 0000000000000000 IOR: 0000000000000010 CPU: 1 CR30: 000000007f420000 CR31: ffffffffffffffff ORIG_R28: 0000000000000001 IAOQ[0]: generic_make_request+0x11c/0x1a0 IAOQ[1]: generic_make_request+0x120/0x1a0 RP(r2): generic_make_request+0x24/0x1a0 Backtrace: [<00000000402d83f0>] submit_bio+0x70/0x140 [<0000000011087c4c>] dispatch_io+0x234/0x478 [dm_mod] [<0000000011087f44>] sync_io+0xb4/0x190 [dm_mod] [<00000000110883bc>] dm_io+0x2c4/0x310 [dm_mod] [<00000000110bfcd0>] do_metadata+0x28/0xb0 [dm_snapshot] [<00000000401591d8>] process_one_work+0x160/0x460 [<0000000040159bc0>] worker_thread+0x300/0x478 [<0000000040161a70>] kthread+0x118/0x128 [<0000000040104020>] end_fault_vector+0x20/0x28 [<0000000040177220>] task_tick_fair+0x420/0x4d0 [<00000000401aa048>] invoke_rcu_core+0x50/0x60 [<00000000401ad5b8>] rcu_check_callbacks+0x210/0x8d8 [<000000004014aaa0>] update_process_times+0xa8/0xc0 [<00000000401ab86c>] rcu_process_callbacks+0x4b4/0x598 [<0000000040142408>] __do_softirq+0x250/0x2c0 [<00000000401789d0>] find_busiest_group+0x3c0/0xc70 [ 119.379988] Kernel panic - not syncing: Kernel Fault Rebooting in 1 seconds.. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4355b70 upstream. Some bright specification writers decided to write this in the ONFI spec (from ONFI 3.0, Section 3.1): "The number of blocks and number of pages per block is not required to be a power of two. In the case where one of these values is not a power of two, the corresponding address shall be rounded to an integral number of bits such that it addresses a range up to the subsequent power of two value. The host shall not access upper addresses in a range that is shown as not supported." This breaks every assumption MTD makes about NAND block/chip-size dimensions -- they *must* be a power of two! And of course, an enterprising manufacturer has made use of this lovely freedom. Exhibit A: Micron MT29F32G08CBADAWP "- Plane size: 2 planes x 1064 blocks per plane - Device size: 32Gb: 2128 blockss [sic]" This quickly hits a BUG() in nand_base.c, since the extra dimensions overflow so we think it's a second chip (on my single-chip setup): ONFI param page 0 valid ONFI flash detected NAND device: Manufacturer ID: 0x2c, Chip ID: 0x44 (Micron MT29F32G08CBADAWP), 4256MiB, page size: 8192, OOB size: 744 ------------[ cut here ]------------ kernel BUG at drivers/mtd/nand/nand_base.c:203! Internal error: Oops - BUG: 0 [#1] SMP ARM [... trim ...] [<c02cf3e4>] (nand_select_chip+0x18/0x2c) from [<c02d25c0>] (nand_do_read_ops+0x90/0x424) [<c02d25c0>] (nand_do_read_ops+0x90/0x424) from [<c02d2dd8>] (nand_read+0x54/0x78) [<c02d2dd8>] (nand_read+0x54/0x78) from [<c02ad2c8>] (mtd_read+0x84/0xbc) [<c02ad2c8>] (mtd_read+0x84/0xbc) from [<c02d4b28>] (scan_read.clone.4+0x4c/0x64) [<c02d4b28>] (scan_read.clone.4+0x4c/0x64) from [<c02d4c88>] (search_bbt+0x148/0x290) [<c02d4c88>] (search_bbt+0x148/0x290) from [<c02d4ea4>] (nand_scan_bbt+0xd4/0x5c0) [... trim ...] ---[ end trace 0c9363860d865ff2 ]--- So to fix this, just truncate these dimensions down to the greatest power-of-2 dimension that is less than or equal to the specified dimension. Signed-off-by: Brian Norris <computersforpeace@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 42d64e1 upstream. The SELinux/NetLabel glue code has a locking bug that affects systems with NetLabel enabled, see the kernel error message below. This patch corrects this problem by converting the bottom half socket lock to a more conventional, and correct for this call-path, lock_sock() call. =============================== [ INFO: suspicious RCU usage. ] 3.11.0-rc3+ #19 Not tainted ------------------------------- net/ipv4/cipso_ipv4.c:1928 suspicious rcu_dereference_protected() usage! other info that might help us debug this: rcu_scheduler_active = 1, debug_locks = 0 2 locks held by ping/731: #0: (slock-AF_INET/1){+.-...}, at: [...] selinux_netlbl_socket_connect #1: (rcu_read_lock){.+.+..}, at: [<...>] netlbl_conn_setattr stack backtrace: CPU: 1 PID: 731 Comm: ping Not tainted 3.11.0-rc3+ #19 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 0000000000000001 ffff88006f659d28 ffffffff81726b6a ffff88003732c500 ffff88006f659d58 ffffffff810e4457 ffff88006b845a00 0000000000000000 000000000000000c ffff880075aa2f50 ffff88006f659d90 ffffffff8169bec7 Call Trace: [<ffffffff81726b6a>] dump_stack+0x54/0x74 [<ffffffff810e4457>] lockdep_rcu_suspicious+0xe7/0x120 [<ffffffff8169bec7>] cipso_v4_sock_setattr+0x187/0x1a0 [<ffffffff8170f317>] netlbl_conn_setattr+0x187/0x190 [<ffffffff8170f195>] ? netlbl_conn_setattr+0x5/0x190 [<ffffffff8131ac9e>] selinux_netlbl_socket_connect+0xae/0xc0 [<ffffffff81303025>] selinux_socket_connect+0x135/0x170 [<ffffffff8119d127>] ? might_fault+0x57/0xb0 [<ffffffff812fb146>] security_socket_connect+0x16/0x20 [<ffffffff815d3ad3>] SYSC_connect+0x73/0x130 [<ffffffff81739a85>] ? sysret_check+0x22/0x5d [<ffffffff810e5e2d>] ? trace_hardirqs_on_caller+0xfd/0x1c0 [<ffffffff81373d4e>] ? trace_hardirqs_on_thunk+0x3a/0x3f [<ffffffff815d52be>] SyS_connect+0xe/0x10 [<ffffffff81739a59>] system_call_fastpath+0x16/0x1b Signed-off-by: Paul Moore <pmoore@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4e58e54 upstream. If an TRACE_EVENT() uses __assign_str() or __get_str on a NULL pointer then the following oops will happen: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<c127a17b>] strlen+0x10/0x1a *pde = 00000000 ^M Oops: 0000 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 0 Comm: swapper/1 Not tainted 3.13.0-rc1-test+ #2 Hardware name: /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006^M task: f5cde9f0 ti: f5e5e000 task.ti: f5e5e000 EIP: 0060:[<c127a17b>] EFLAGS: 00210046 CPU: 1 EIP is at strlen+0x10/0x1a EAX: 00000000 EBX: c2472da8 ECX: ffffffff EDX: c2472da8 ESI: c1c5e5fc EDI: 00000000 EBP: f5e5fe84 ESP: f5e5fe80 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 CR0: 8005003b CR2: 00000000 CR3: 01f32000 CR4: 000007d0 Stack: f5f18b90 f5e5feb8 c10687a8 0759004f 00000005 00000005 00000005 00200046 00000002 00000000 c1082a93 f56c7e28 c2472da8 c1082a93 f5e5fee4 c106bc61^M 00000000 c1082a93 00000000 00000000 00000001 00200046 00200082 00000000 Call Trace: [<c10687a8>] ftrace_raw_event_lock+0x39/0xc0 [<c1082a93>] ? ktime_get+0x29/0x69 [<c1082a93>] ? ktime_get+0x29/0x69 [<c106bc61>] lock_release+0x57/0x1a5 [<c1082a93>] ? ktime_get+0x29/0x69 [<c10824dd>] read_seqcount_begin.constprop.7+0x4d/0x75 [<c1082a93>] ? ktime_get+0x29/0x69^M [<c1082a93>] ktime_get+0x29/0x69 [<c108a46a>] __tick_nohz_idle_enter+0x1e/0x426 [<c10690e8>] ? lock_release_holdtime.part.19+0x48/0x4d [<c10bc184>] ? time_hardirqs_off+0xe/0x28 [<c1068c82>] ? trace_hardirqs_off_caller+0x3f/0xaf [<c108a8cb>] tick_nohz_idle_enter+0x59/0x62 [<c1079242>] cpu_startup_entry+0x64/0x192 [<c102299c>] start_secondary+0x277/0x27c Code: 90 89 c6 89 d0 88 c4 ac 38 e0 74 09 84 c0 75 f7 be 01 00 00 00 89 f0 48 5e 5d c3 55 89 e5 57 66 66 66 66 90 83 c9 ff 89 c7 31 c0 <f2> ae f7 d1 8d 41 ff 5f 5d c3 55 89 e5 57 66 66 66 66 90 31 ff EIP: [<c127a17b>] strlen+0x10/0x1a SS:ESP 0068:f5e5fe80 CR2: 0000000000000000 ---[ end trace 01bc47bf519ec1b2 ]--- New tracepoints have been added that have allowed for NULL pointers being assigned to strings. To fix this, change the TRACE_EVENT() code to check for NULL and if it is, it will assign "(null)" to it instead (similar to what glibc printf does). Reported-by: Shuah Khan <shuah.kh@samsung.com> Reported-by: Jovi Zhangwei <jovi.zhangwei@gmail.com> Link: http://lkml.kernel.org/r/CAGdX0WFeEuy+DtpsJzyzn0343qEEjLX97+o1VREFkUEhndC+5Q@mail.gmail.com Link: http://lkml.kernel.org/r/528D6972.9010702@samsung.com Fixes: 9cbf117 ("tracing/events: provide string with undefined size support") Signed-off-by: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 7fe0ee0 ] Using iperf to send packets(GSO mode is on), a bug is triggered: [ 212.672781] kernel BUG at lib/dynamic_queue_limits.c:26! [ 212.673396] invalid opcode: 0000 [#1] SMP [ 212.673882] Modules linked in: 8139cp(O) nls_utf8 edd fuse loop dm_mod ipv6 i2c_piix4 8139too i2c_core intel_agp joydev pcspkr hid_generic intel_gtt floppy sr_mod mii button sg cdrom ext3 jbd mbcache usbhid hid uhci_hcd ehci_hcd usbcore sd_mod usb_common crc_t10dif crct10dif_common processor thermal_sys hwmon scsi_dh_emc scsi_dh_rdac scsi_dh_hp_sw scsi_dh ata_generic ata_piix libata scsi_mod [last unloaded: 8139cp] [ 212.676084] CPU: 0 PID: 4124 Comm: iperf Tainted: G O 3.12.0-0.7-default+ #16 [ 212.676084] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 212.676084] task: ffff8800d83966c0 ti: ffff8800db4c8000 task.ti: ffff8800db4c8000 [ 212.676084] RIP: 0010:[<ffffffff8122e23f>] [<ffffffff8122e23f>] dql_completed+0x17f/0x190 [ 212.676084] RSP: 0018:ffff880116e03e30 EFLAGS: 00010083 [ 212.676084] RAX: 00000000000005ea RBX: 0000000000000f7c RCX: 0000000000000002 [ 212.676084] RDX: ffff880111dd0dc0 RSI: 0000000000000bd4 RDI: ffff8800db6ffcc0 [ 212.676084] RBP: ffff880116e03e48 R08: 0000000000000992 R09: 0000000000000000 [ 212.676084] R10: ffffffff8181e400 R11: 0000000000000004 R12: 000000000000000f [ 212.676084] R13: ffff8800d94ec840 R14: ffff8800db440c80 R15: 000000000000000e [ 212.676084] FS: 00007f6685a3c700(0000) GS:ffff880116e00000(0000) knlGS:0000000000000000 [ 212.676084] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 212.676084] CR2: 00007f6685ad6460 CR3: 00000000db714000 CR4: 00000000000006f0 [ 212.676084] Stack: [ 212.676084] ffff8800db6ffc00 000000000000000f ffff8800d94ec840 ffff880116e03eb8 [ 212.676084] ffffffffa041509f ffff880116e03e88 0000000f16e03e88 ffff8800d94ec000 [ 212.676084] 00000bd400059858 000000050000000f ffffffff81094c36 ffff880116e03eb8 [ 212.676084] Call Trace: [ 212.676084] <IRQ> [ 212.676084] [<ffffffffa041509f>] cp_interrupt+0x4ef/0x590 [8139cp] [ 212.676084] [<ffffffff81094c36>] ? ktime_get+0x56/0xd0 [ 212.676084] [<ffffffff8108cf73>] handle_irq_event_percpu+0x53/0x170 [ 212.676084] [<ffffffff8108d0cc>] handle_irq_event+0x3c/0x60 [ 212.676084] [<ffffffff8108fdb5>] handle_fasteoi_irq+0x55/0xf0 [ 212.676084] [<ffffffff810045df>] handle_irq+0x1f/0x30 [ 212.676084] [<ffffffff81003c8b>] do_IRQ+0x5b/0xe0 [ 212.676084] [<ffffffff8142beaa>] common_interrupt+0x6a/0x6a [ 212.676084] <EOI> [ 212.676084] [<ffffffffa0416a21>] ? cp_start_xmit+0x621/0x97c [8139cp] [ 212.676084] [<ffffffffa0416a09>] ? cp_start_xmit+0x609/0x97c [8139cp] [ 212.676084] [<ffffffff81378ed9>] dev_hard_start_xmit+0x2c9/0x550 [ 212.676084] [<ffffffff813960a9>] sch_direct_xmit+0x179/0x1d0 [ 212.676084] [<ffffffff813793f3>] dev_queue_xmit+0x293/0x440 [ 212.676084] [<ffffffff813b0e46>] ip_finish_output+0x236/0x450 [ 212.676084] [<ffffffff810e59e7>] ? __alloc_pages_nodemask+0x187/0xb10 [ 212.676084] [<ffffffff813b10e8>] ip_output+0x88/0x90 [ 212.676084] [<ffffffff813afa64>] ip_local_out+0x24/0x30 [ 212.676084] [<ffffffff813aff0d>] ip_queue_xmit+0x14d/0x3e0 [ 212.676084] [<ffffffff813c6fd1>] tcp_transmit_skb+0x501/0x840 [ 212.676084] [<ffffffff813c8323>] tcp_write_xmit+0x1e3/0xb20 [ 212.676084] [<ffffffff81363237>] ? skb_page_frag_refill+0x87/0xd0 [ 212.676084] [<ffffffff813c8c8b>] tcp_push_one+0x2b/0x40 [ 212.676084] [<ffffffff813bb7e6>] tcp_sendmsg+0x926/0xc90 [ 212.676084] [<ffffffff813e1d21>] inet_sendmsg+0x61/0xc0 [ 212.676084] [<ffffffff8135e861>] sock_aio_write+0x101/0x120 [ 212.676084] [<ffffffff81107cf1>] ? vma_adjust+0x2e1/0x5d0 [ 212.676084] [<ffffffff812163e0>] ? timerqueue_add+0x60/0xb0 [ 212.676084] [<ffffffff81130b60>] do_sync_write+0x60/0x90 [ 212.676084] [<ffffffff81130d44>] ? rw_verify_area+0x54/0xf0 [ 212.676084] [<ffffffff81130f66>] vfs_write+0x186/0x190 [ 212.676084] [<ffffffff811317fd>] SyS_write+0x5d/0xa0 [ 212.676084] [<ffffffff814321e2>] system_call_fastpath+0x16/0x1b [ 212.676084] Code: ca 41 89 dc 41 29 cc 45 31 db 29 c2 41 89 c5 89 d0 45 29 c5 f7 d0 c1 e8 1f e9 43 ff ff ff 66 0f 1f 44 00 00 31 c0 e9 7b ff ff ff <0f> 0b eb fe 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 c7 47 40 00 [ 212.676084] RIP [<ffffffff8122e23f>] dql_completed+0x17f/0x190 ------------[ cut here ]------------ When a skb has frags, bytes_compl plus skb->len nr_frags times in cp_tx(). It's not the correct value(actually, it should plus skb->len once) and it will trigger the BUG_ON(bytes_compl > num_queued - dql->num_completed). So only increase bytes_compl when finish sending all frags. pkts_compl also has a wrong value, fix it too. It's introduced by commit 871f0d4 ("8139cp: enable bql"). Suggested-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5638cab upstream. There are cases when cryptlen can be zero in crypto_ccm_auth(): -encryptiom: input scatterlist length is zero (no plaintext) -decryption: input scatterlist contains only the mac plus the condition of having different source and destination buffers (or else scatterlist length = max(plaintext_len, ciphertext_len)). These are not handled correctly, leading to crashes like: root@p4080ds:~/crypto# insmod tcrypt.ko mode=45 ------------[ cut here ]------------ kernel BUG at crypto/scatterwalk.c:37! Oops: Exception in kernel mode, sig: 5 [#1] SMP NR_CPUS=8 P4080 DS Modules linked in: tcrypt(+) crc32c xts xcbc vmac pcbc ecb gcm ghash_generic gf128mul ccm ctr seqiv CPU: 3 PID: 1082 Comm: cryptomgr_test Not tainted 3.11.0 #14 task: ee12c5b0 ti: eecd0000 task.ti: eecd0000 NIP: c0204d98 LR: f9225848 CTR: c0204d80 REGS: eecd1b70 TRAP: 0700 Not tainted (3.11.0) MSR: 00029002 <CE,EE,ME> CR: 22044022 XER: 20000000 GPR00: f9225c94 eecd1c20 ee12c5b0 eecd1c28 ee879400 ee879400 00000000 ee607464 GPR08: 00000001 00000001 00000000 006b0000 c0204d80 00000000 00000002 c0698e20 GPR16: ee987000 ee895000 fffffff4 ee879500 00000100 eecd1d58 00000001 00000000 GPR24: ee879400 00000020 00000000 00000000 ee5b2800 ee607430 00000004 ee607460 NIP [c0204d98] scatterwalk_start+0x18/0x30 LR [f9225848] get_data_to_compute+0x28/0x2f0 [ccm] Call Trace: [eecd1c20] [f9225974] get_data_to_compute+0x154/0x2f0 [ccm] (unreliable) [eecd1c70] [f9225c94] crypto_ccm_auth+0x184/0x1d0 [ccm] [eecd1cb0] [f9225d40] crypto_ccm_encrypt+0x60/0x2d0 [ccm] [eecd1cf0] [c020d77c] __test_aead+0x3ec/0xe20 [eecd1e20] [c020f35c] test_aead+0x6c/0xe0 [eecd1e40] [c020f420] alg_test_aead+0x50/0xd0 [eecd1e60] [c020e5e4] alg_test+0x114/0x2e0 [eecd1ee0] [c020bd1c] cryptomgr_test+0x4c/0x60 [eecd1ef0] [c0047058] kthread+0xa8/0xb0 [eecd1f40] [c000eb0c] ret_from_kernel_thread+0x5c/0x64 Instruction dump: 0f080000 81290024 552807fe 0f080000 5529003a 4bffffb4 90830000 39400000 39000001 8124000c 2f890000 7d28579e <0f090000> 81240008 91230004 4e800020 ---[ end trace 6d652dfcd1be37bd ]--- Cc: Jussi Kivilinna <jussi.kivilinna@mbnet.fi> Signed-off-by: Horia Geanta <horia.geanta@freescale.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4365922 upstream. It's no good setting vga_base after the VGA console has been initialised, because if we do that we get this: Unable to handle kernel paging request at virtual address 000b8000 pgd = c0004000 [000b8000] *pgd=07ffc831, *pte=00000000, *ppte=00000000 0Internal error: Oops: 5017 [#1] ARM Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 3.12.0+ #49 task: c03e2974 ti: c03d8000 task.ti: c03d8000 PC is at vgacon_startup+0x258/0x39c LR is at request_resource+0x10/0x1c pc : [<c01725d0>] lr : [<c0022b50>] psr: 60000053 sp : c03d9f68 ip : 000b8000 fp : c03d9f8c r10: 000055aa r9 : 4401a103 r8 : ffffaa55 r7 : c03e357c r6 : c051b460 r5 : 000000ff r4 : 000c0000 r3 : 000b8000 r2 : c03e0514 r1 : 00000000 r0 : c0304971 Flags: nZCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment kernel which is an access to the 0xb8000 without the PCI offset required to make it work. Fixes: cc22b4c ("ARM: set vga memory base at run-time") Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a0c20fb upstream. After commit e9e4ea7 "net: smc91x: dont't use SMC_outw for fixing up halfword-aligned data" The Versatile SMSC LAN91C111 is crashing like this: ------------[ cut here ]------------ kernel BUG at /home/linus/linux/drivers/net/ethernet/smsc/smc91x.c:599! Internal error: Oops - BUG: 0 [#1] ARM Modules linked in: CPU: 0 PID: 43 Comm: udhcpc Not tainted 3.13.0-rc1+ #24 task: c6ccfaa0 ti: c6cd0000 task.ti: c6cd0000 PC is at smc_hardware_send_pkt+0x198/0x22c LR is at smc_hardware_send_pkt+0x24/0x22c pc : [<c01be324>] lr : [<c01be1b0>] psr: 20000013 sp : c6cd1d08 ip : 00000001 fp : 00000000 r10: c02adb08 r9 : 00000000 r8 : c6ced802 r7 : c786fba0 r6 : 00000146 r5 : c8800000 r4 : c78d6000 r3 : 0000000f r2 : 00000146 r1 : 00000000 r0 : 00000031 Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 0005317f Table: 06cf4000 DAC: 00000015 Process udhcpc (pid: 43, stack limit = 0xc6cd01c0) Stack: (0xc6cd1d08 to 0xc6cd2000) 1d00: 00000010 c8800000 c78d6000 c786fba0 c78d6000 c01be868 1d20: c01be7a4 00004000 00000000 c786fba0 c6c12b80 c0208554 000004d0 c780fc60 1d40: 00000220 c01fb734 00000000 00000000 00000000 c6c9a440 c6c12b80 c78d6000 1d60: c786fba0 c6c9a440 00000000 c021d1d8 00000000 00000000 c6c12b80 c78d6000 1d80: c786fba0 00000001 c6c9a440 c02087f8 c6c9a4a0 00080008 00000000 00000000 1da0: c78d6000 c786fba0 c78d6000 00000138 00000000 00000000 00000000 00000000 1dc0: 00000000 c027ba74 00000138 00000138 00000001 00000010 c6cedc00 00000000 1de0: 00000008 c7404400 c6cd1eec c6cd1f14 c067a73c c065c0b8 00000000 c067a740 1e00: 01ffffff 002040d0 00000000 00000000 00000000 00000000 00000000 ffffffff 1e20: 43004400 00110022 c6cdef20 c027ae8c c6ccfaa0 be82d65c 00000014 be82d3cc 1e40: 00000000 00000000 00000000 c01f2870 00000000 00000000 00000000 c6cd1e88 1e60: c6ccfaa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1e80: 00000000 00000000 00000031 c7802310 c7802300 00000138 c7404400 c0771da0 1ea0: 00000000 c6cd1eec c7800340 00000138 be82d65c 00000014 be82d3cc c6cd1f08 1ec0: 00000014 00000000 c7404400 c7404400 00000138 c01f4628 c78d6000 00000000 1ee0: 00000000 be82d3cc 00000138 c6cd1f08 00000014 c6cd1ee4 00000001 00000000 1f00: 00000000 00000000 00080011 00000002 06000000 ffffffff 0000ffff 00000002 1f20: 06000000 ffffffff 0000ffff c00928c8 c065c520 c6cd1f58 00000003 c009299c 1f40: 00000003 c065c520 c7404400 00000000 c7404400 c01f2218 c78106b0 c7441cb0 1f60: 00000000 00000006 c06799fc 00000000 00000000 00000006 00000000 c01f3ee0 1f80: 00000000 00000000 be82d678 be82d65c 00000014 00000001 00000122 c00139c8 1fa0: c6cd0000 c0013840 be82d65c 00000014 00000006 be82d3cc 00000138 00000000 1fc0: be82d65c 00000014 00000001 00000122 00000000 00000000 00018cb1 00000000 1fe0: 00003801 be82d3a8 0003a0c7 b6e9af08 60000010 00000006 00000000 00000000 [<c01be324>] (smc_hardware_send_pkt+0x198/0x22c) from [<c01be868>] (smc_hard_start_xmit+0xc4/0x1e8) [<c01be868>] (smc_hard_start_xmit+0xc4/0x1e8) from [<c0208554>] (dev_hard_start_xmit+0x460/0x4cc) [<c0208554>] (dev_hard_start_xmit+0x460/0x4cc) from [<c021d1d8>] (sch_direct_xmit+0x94/0x18c) [<c021d1d8>] (sch_direct_xmit+0x94/0x18c) from [<c02087f8>] (dev_queue_xmit+0x238/0x42c) [<c02087f8>] (dev_queue_xmit+0x238/0x42c) from [<c027ba74>] (packet_sendmsg+0xbe8/0xd28) [<c027ba74>] (packet_sendmsg+0xbe8/0xd28) from [<c01f2870>] (sock_sendmsg+0x84/0xa8) [<c01f2870>] (sock_sendmsg+0x84/0xa8) from [<c01f4628>] (SyS_sendto+0xb8/0xdc) [<c01f4628>] (SyS_sendto+0xb8/0xdc) from [<c0013840>] (ret_fast_syscall+0x0/0x2c) Code: e3130002 1a000001 e3130001 0affffcd (e7f001f2) ---[ end trace 81104fe70e8da7fe ]--- Kernel panic - not syncing: Fatal exception in interrupt This is because the macro operations in smc91x.h defined for Versatile are missing SMC_outsw() as used in this commit. The Versatile needs and uses the same accessors as the other platforms in the first if(...) clause, just switch it to using that and we have one problem less to worry about. This includes a hunk of a patch from Will Deacon fixin the other 32bit platforms as well: Innokom, Ramses, PXA, PCM027. Checkpatch complains about spacing, but I have opted to follow the style of this .h-file. Cc: Russell King <linux@arm.linux.org.uk> Cc: Nicolas Pitre <nico@fluxnic.net> Cc: Eric Miao <eric.y.miao@gmail.com> Cc: Jonathan Cameron <jic23@cam.ac.uk> Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Linus Walleij <linus.walleij@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f6b1295 upstream. Since we set IEEE80211_HW_QUEUE_CONTROL, we can let mac80211 do the queue assignement and don't need to override its decisions. While reassiging the same values is harmless of course, it triggered a WARNING when iwlwifi and mac80211 came to different conclusions. This happened when mac80211 set IEEE80211_TX_CTL_SEND_AFTER_DTIM, but didn't route the packet to the cab_queue because no stations were asleep. iwlwifi should not override mac80211's decicions for offchannel packets and packets to be sent after DTIM, but it should override mac80211's decision for AMPDUs since we have a special queue for them. So for AMPDU, we still override info->hw_queue by the AMPDU queue. This avoids: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 2531 at drivers/net/wireless/iwlwifi/dvm/tx.c:456 iwlagn_tx_skb+0x6c5/0x883() Modules linked in: CPU: 0 PID: 2531 Comm: hostapd Not tainted 3.12.0-rc5+ #1 Hardware name: /D53427RKE, BIOS RKPPT10H.86A.0017.2013.0425.1251 04/25/2013 0000000000000000 0000000000000009 ffffffff8189aa62 0000000000000000 ffffffff8105a4f2 ffff880058339a48 ffffffff815f8a04 0000000000000000 ffff8800560097b0 0000000000000208 0000000000000000 ffff8800561a9e5e Call Trace: [<ffffffff8189aa62>] ? dump_stack+0x41/0x51 [<ffffffff8105a4f2>] ? warn_slowpath_common+0x78/0x90 [<ffffffff815f8a04>] ? iwlagn_tx_skb+0x6c5/0x883 [<ffffffff815f8a04>] ? iwlagn_tx_skb+0x6c5/0x883 [<ffffffff818a0040>] ? put_cred+0x15/0x15 [<ffffffff815f6db4>] ? iwlagn_mac_tx+0x19/0x2f [<ffffffff8186cc45>] ? __ieee80211_tx+0x226/0x29b [<ffffffff8186e6bd>] ? ieee80211_tx+0xa6/0xb5 [<ffffffff8186e98b>] ? ieee80211_monitor_start_xmit+0x1e9/0x204 [<ffffffff8171ce5f>] ? dev_hard_start_xmit+0x271/0x3ec [<ffffffff817351ac>] ? sch_direct_xmit+0x66/0x164 [<ffffffff8171d1bf>] ? dev_queue_xmit+0x1e5/0x3c8 [<ffffffff817fac5a>] ? packet_sendmsg+0xac5/0xb3d [<ffffffff81709a09>] ? sock_sendmsg+0x37/0x52 [<ffffffff810f9e0c>] ? __do_fault+0x338/0x36b [<ffffffff81713820>] ? verify_iovec+0x44/0x94 [<ffffffff81709e63>] ? ___sys_sendmsg+0x1f1/0x283 [<ffffffff81140a73>] ? __inode_wait_for_writeback+0x67/0xae [<ffffffff8111735e>] ? __cache_free.isra.46+0x178/0x187 [<ffffffff811173b1>] ? kmem_cache_free+0x44/0x84 [<ffffffff81132c22>] ? dentry_kill+0x13d/0x149 [<ffffffff81132f6f>] ? dput+0xe5/0xef [<ffffffff81136e04>] ? fget_light+0x2e/0x7c [<ffffffff8170ae62>] ? __sys_sendmsg+0x39/0x57 [<ffffffff818a7e39>] ? system_call_fastpath+0x16/0x1b ---[ end trace 1b3eb79359c1d1e6 ]--- Reported-by: Sander Eikelenboom <linux@eikelenboom.it> Reviewed-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f62b6b8 upstream. Commit 2fc4802 ("dm persistent metadata: add space map threshold callback") introduced a regression to the metadata block allocation path that resulted in errors being ignored. This regression was uncovered by running the following device-mapper-test-suite test: dmtest run --suite thin-provisioning -n /exhausting_metadata_space_causes_fail_mode/ The ignored error codes in sm_metadata_new_block() could crash the kernel through use of either the dm-thin or dm-cache targets, e.g.: device-mapper: thin: 253:4: reached low water mark for metadata device: sending event. device-mapper: space map metadata: unable to allocate new metadata block general protection fault: 0000 [#1] SMP ... Workqueue: dm-thin do_worker [dm_thin_pool] task: ffff880035ce2ab0 ti: ffff88021a054000 task.ti: ffff88021a054000 RIP: 0010:[<ffffffffa0331385>] [<ffffffffa0331385>] metadata_ll_load_ie+0x15/0x30 [dm_persistent_data] RSP: 0018:ffff88021a055a68 EFLAGS: 00010202 RAX: 003fc8243d212ba0 RBX: ffff88021a780070 RCX: ffff88021a055a78 RDX: ffff88021a055a78 RSI: 0040402222a92a80 RDI: ffff88021a780070 RBP: ffff88021a055a68 R08: ffff88021a055ba4 R09: 0000000000000010 R10: 0000000000000000 R11: 00000002a02e1000 R12: ffff88021a055ad4 R13: 0000000000000598 R14: ffffffffa0338470 R15: ffff88021a055ba4 FS: 0000000000000000(0000) GS:ffff88033fca0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 00007f467c0291b8 CR3: 0000000001a0b000 CR4: 00000000000007e0 Stack: ffff88021a055ab8 ffffffffa0332020 ffff88021a055b30 0000000000000001 ffff88021a055b30 0000000000000000 ffff88021a055b18 0000000000000000 ffff88021a055ba4 ffff88021a055b98 ffff88021a055ae8 ffffffffa033304c Call Trace: [<ffffffffa0332020>] sm_ll_lookup_bitmap+0x40/0xa0 [dm_persistent_data] [<ffffffffa033304c>] sm_metadata_count_is_more_than_one+0x8c/0xc0 [dm_persistent_data] [<ffffffffa0333825>] dm_tm_shadow_block+0x65/0x110 [dm_persistent_data] [<ffffffffa0331b00>] sm_ll_mutate+0x80/0x300 [dm_persistent_data] [<ffffffffa0330e60>] ? set_ref_count+0x10/0x10 [dm_persistent_data] [<ffffffffa0331dba>] sm_ll_inc+0x1a/0x20 [dm_persistent_data] [<ffffffffa0332270>] sm_disk_new_block+0x60/0x80 [dm_persistent_data] [<ffffffff81520036>] ? down_write+0x16/0x40 [<ffffffffa001e5c4>] dm_pool_alloc_data_block+0x54/0x80 [dm_thin_pool] [<ffffffffa001b23c>] alloc_data_block+0x9c/0x130 [dm_thin_pool] [<ffffffffa001c27e>] provision_block+0x4e/0x180 [dm_thin_pool] [<ffffffffa001fe9a>] ? dm_thin_find_block+0x6a/0x110 [dm_thin_pool] [<ffffffffa001c57a>] process_bio+0x1ca/0x1f0 [dm_thin_pool] [<ffffffff8111e2ed>] ? mempool_free+0x8d/0xa0 [<ffffffffa001d755>] process_deferred_bios+0xc5/0x230 [dm_thin_pool] [<ffffffffa001d911>] do_worker+0x51/0x60 [dm_thin_pool] [<ffffffff81067872>] process_one_work+0x182/0x3b0 [<ffffffff81068c90>] worker_thread+0x120/0x3a0 [<ffffffff81068b70>] ? manage_workers+0x160/0x160 [<ffffffff8106eb2e>] kthread+0xce/0xe0 [<ffffffff8106ea60>] ? kthread_freezable_should_stop+0x70/0x70 [<ffffffff8152af6c>] ret_from_fork+0x7c/0xb0 [<ffffffff8106ea60>] ? kthread_freezable_should_stop+0x70/0x70 [<ffffffff8152af6c>] ret_from_fork+0x7c/0xb0 [<ffffffff8106ea60>] ? kthread_freezable_should_stop+0x70/0x70 Signed-off-by: Mike Snitzer <snitzer@redhat.com> Acked-by: Joe Thornber <ejt@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 98a947a upstream. If pstate.current_pstate is 0 after the initial intel_pstate_get_cpu_pstates(), this means that we were unable to obtain any useful P-state information and there is no reason to continue, so free memory and return an error in that case. This fixes the following divide error occuring in a nested KVM guest: Intel P-state driver initializing. Intel pstate controlling: cpu 0 cpufreq: __cpufreq_add_dev: ->get() failed divide error: 0000 [#1] SMP Modules linked in: CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.13.0-0.rc4.git5.1.fc21.x86_64 #1 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 task: ffff88001ea20000 ti: ffff88001e9bc000 task.ti: ffff88001e9bc000 RIP: 0010:[<ffffffff815c551d>] [<ffffffff815c551d>] intel_pstate_timer_func+0x11d/0x2b0 RSP: 0000:ffff88001ee03e18 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88001a454348 RCX: 0000000000006100 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff88001ee03e38 R08: 0000000000000000 R09: 0000000000000000 R10: ffff88001ea20000 R11: 0000000000000000 R12: 00000c0a1ea20000 R13: 1ea200001ea20000 R14: ffffffff815c5400 R15: ffff88001a454348 FS: 0000000000000000(0000) GS:ffff88001ee00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000000 CR3: 0000000001c0c000 CR4: 00000000000006f0 Stack: fffffffb1a454390 ffffffff821a4500 ffff88001a454390 0000000000000100 ffff88001ee03ea8 ffffffff81083e9a ffffffff81083e15 ffffffff82d5ed40 ffffffff8258cc60 0000000000000000 ffffffff81ac39de 0000000000000000 Call Trace: <IRQ> [<ffffffff81083e9a>] call_timer_fn+0x8a/0x310 [<ffffffff81083e15>] ? call_timer_fn+0x5/0x310 [<ffffffff815c5400>] ? pid_param_set+0x130/0x130 [<ffffffff81084354>] run_timer_softirq+0x234/0x380 [<ffffffff8107aee4>] __do_softirq+0x104/0x430 [<ffffffff8107b5fd>] irq_exit+0xcd/0xe0 [<ffffffff81770645>] smp_apic_timer_interrupt+0x45/0x60 [<ffffffff8176efb2>] apic_timer_interrupt+0x72/0x80 <EOI> [<ffffffff810e15cd>] ? vprintk_emit+0x1dd/0x5e0 [<ffffffff81757719>] printk+0x67/0x69 [<ffffffff815c1493>] __cpufreq_add_dev.isra.13+0x883/0x8d0 [<ffffffff815c14f0>] cpufreq_add_dev+0x10/0x20 [<ffffffff814a14d1>] subsys_interface_register+0xb1/0xf0 [<ffffffff815bf5cf>] cpufreq_register_driver+0x9f/0x210 [<ffffffff81fb19af>] intel_pstate_init+0x27d/0x3be [<ffffffff81761e3e>] ? mutex_unlock+0xe/0x10 [<ffffffff81fb1732>] ? cpufreq_gov_dbs_init+0x12/0x12 [<ffffffff8100214a>] do_one_initcall+0xfa/0x1b0 [<ffffffff8109dbf5>] ? parse_args+0x225/0x3f0 [<ffffffff81f64193>] kernel_init_freeable+0x1fc/0x287 [<ffffffff81f638d0>] ? do_early_param+0x88/0x88 [<ffffffff8174b530>] ? rest_init+0x150/0x150 [<ffffffff8174b53e>] kernel_init+0xe/0x130 [<ffffffff8176e27c>] ret_from_fork+0x7c/0xb0 [<ffffffff8174b530>] ? rest_init+0x150/0x150 Code: c1 e0 05 48 63 bc 03 10 01 00 00 48 63 83 d0 00 00 00 48 63 d6 48 c1 e2 08 c1 e1 08 4c 63 c2 48 c1 e0 08 48 98 48 c1 e0 08 48 99 <49> f7 f8 48 98 48 0f af f8 48 c1 ff 08 29 f9 89 ca c1 fa 1f 89 RIP [<ffffffff815c551d>] intel_pstate_timer_func+0x11d/0x2b0 RSP <ffff88001ee03e18> ---[ end trace f166110ed22cc37a ]--- Kernel panic - not syncing: Fatal exception in interrupt Reported-and-tested-by: Kashyap Chamarthy <kchamart@redhat.com> Cc: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

…after split thp commit a3e0f9e upstream. Memory failures on thp tail pages cause kernel panic like below: mce: [Hardware Error]: Machine check events logged MCE exception done on CPU 7 BUG: unable to handle kernel NULL pointer dereference at 0000000000000058 IP: [<ffffffff811b7cd1>] dequeue_hwpoisoned_huge_page+0x131/0x1e0 PGD bae42067 PUD ba47d067 PMD 0 Oops: 0000 [#1] SMP ... CPU: 7 PID: 128 Comm: kworker/7:2 Tainted: G M O 3.13.0-rc4-131217-1558-00003-g83b7df08e462 #25 ... Call Trace: me_huge_page+0x3e/0x50 memory_failure+0x4bb/0xc20 mce_process_work+0x3e/0x70 process_one_work+0x171/0x420 worker_thread+0x11b/0x3a0 ? manage_workers.isra.25+0x2b0/0x2b0 kthread+0xe4/0x100 ? kthread_create_on_node+0x190/0x190 ret_from_fork+0x7c/0xb0 ? kthread_create_on_node+0x190/0x190 ... RIP dequeue_hwpoisoned_huge_page+0x131/0x1e0 CR2: 0000000000000058 The reasoning of this problem is shown below: - when we have a memory error on a thp tail page, the memory error handler grabs a refcount of the head page to keep the thp under us. - Before unmapping the error page from processes, we split the thp, where page refcounts of both of head/tail pages don't change. - Then we call try_to_unmap() over the error page (which was a tail page before). We didn't pin the error page to handle the memory error, this error page is freed and removed from LRU list. - We never have the error page on LRU list, so the first page state check returns "unknown page," then we move to the second check with the saved page flag. - The saved page flag have PG_tail set, so the second page state check returns "hugepage." - We call me_huge_page() for freed error page, then we hit the above panic. The root cause is that we didn't move refcount from the head page to the tail page after split thp. So this patch suggests to do this. This panic was introduced by commit 524fca1 ("HWPOISON: fix misjudgement of page_action() for errors on mlocked pages"). Note that we did have the same refcount problem before this commit, but it was just ignored because we had only first page state check which returned "unknown page." The commit changed the refcount problem from "doesn't work" to "kernel panic." Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> Reviewed-by: Wanpeng Li <liwanp@linux.vnet.ibm.com> Cc: Andi Kleen <andi@firstfloor.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5446429 upstream. when mounting ceph with a dev name that starts with a slash, ceph would attempt to access the character before that slash. Since we don't actually own that byte of memory, we would trigger an invalid access: [ 43.499934] BUG: unable to handle kernel paging request at ffff880fa3a97fff [ 43.500984] IP: [<ffffffff818f3884>] parse_mount_options+0x1a4/0x300 [ 43.501491] PGD 743b067 PUD 10283c4067 PMD 10282a6067 PTE 8000000fa3a97060 [ 43.502301] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC [ 43.503006] Dumping ftrace buffer: [ 43.503596] (ftrace buffer empty) [ 43.504046] CPU: 0 PID: 10879 Comm: mount Tainted: G W 3.10.0-sasha #1129 [ 43.504851] task: ffff880fa625b000 ti: ffff880fa3412000 task.ti: ffff880fa3412000 [ 43.505608] RIP: 0010:[<ffffffff818f3884>] [<ffffffff818f3884>] parse_mount_options$ [ 43.506552] RSP: 0018:ffff880fa3413d08 EFLAGS: 00010286 [ 43.507133] RAX: ffff880fa3a98000 RBX: ffff880fa3a98000 RCX: 0000000000000000 [ 43.507893] RDX: ffff880fa3a98001 RSI: 000000000000002f RDI: ffff880fa3a98000 [ 43.508610] RBP: ffff880fa3413d58 R08: 0000000000001f99 R09: ffff880fa3fe64c0 [ 43.509426] R10: ffff880fa3413d98 R11: ffff880fa38710d8 R12: ffff880fa3413da0 [ 43.509792] R13: ffff880fa3a97fff R14: 0000000000000000 R15: ffff880fa3413d90 [ 43.509792] FS: 00007fa9c48757e0(0000) GS:ffff880fd2600000(0000) knlGS:000000000000$ [ 43.509792] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 43.509792] CR2: ffff880fa3a97fff CR3: 0000000fa3bb9000 CR4: 00000000000006b0 [ 43.509792] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 43.509792] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 43.509792] Stack: [ 43.509792] 0000e5180000000e ffffffff85ca1900 ffff880fa38710d8 ffff880fa3413d98 [ 43.509792] 0000000000000120 0000000000000000 ffff880fa3a98000 0000000000000000 [ 43.509792] ffffffff85cf32a0 0000000000000000 ffff880fa3413dc8 ffffffff818f3c72 [ 43.509792] Call Trace: [ 43.509792] [<ffffffff818f3c72>] ceph_mount+0xa2/0x390 [ 43.509792] [<ffffffff81226314>] ? pcpu_alloc+0x334/0x3c0 [ 43.509792] [<ffffffff81282f8d>] mount_fs+0x8d/0x1a0 [ 43.509792] [<ffffffff812263d0>] ? __alloc_percpu+0x10/0x20 [ 43.509792] [<ffffffff8129f799>] vfs_kern_mount+0x79/0x100 [ 43.509792] [<ffffffff812a224d>] do_new_mount+0xcd/0x1c0 [ 43.509792] [<ffffffff812a2e8d>] do_mount+0x15d/0x210 [ 43.509792] [<ffffffff81220e55>] ? strndup_user+0x45/0x60 [ 43.509792] [<ffffffff812a2fdd>] SyS_mount+0x9d/0xe0 [ 43.509792] [<ffffffff83fd816c>] tracesys+0xdd/0xe2 [ 43.509792] Code: 4c 8b 5d c0 74 0a 48 8d 50 01 49 89 14 24 eb 17 31 c0 48 83 c9 ff $ [ 43.509792] RIP [<ffffffff818f3884>] parse_mount_options+0x1a4/0x300 [ 43.509792] RSP <ffff880fa3413d08> [ 43.509792] CR2: ffff880fa3a97fff [ 43.509792] ---[ end trace 22469cd81e93af51 ]--- Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Reviewed-by: Sage Weil <sage@inktan.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit d4fb84e ] free_netdev calls netif_napi_del too, but it's too late, because napi structures are placed on vi->rq. netif_napi_add() is called from virtnet_alloc_queues. general protection fault: 0000 [#1] SMP Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: ip6table_filter ip6_tables iptable_filter ip_tables virtio_balloon pcspkr virtio_net(-) i2c_pii CPU: 1 PID: 347 Comm: rmmod Not tainted 3.13.0-rc2+ #171 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 task: ffff8800b779c420 ti: ffff8800379e0000 task.ti: ffff8800379e0000 RIP: 0010:[<ffffffff81322e19>] [<ffffffff81322e19>] __list_del_entry+0x29/0xd0 RSP: 0018:ffff8800379e1dd0 EFLAGS: 00010a83 RAX: 6b6b6b6b6b6b6b6b RBX: ffff8800379c2fd0 RCX: dead000000200200 RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000001 RDI: ffff8800379c2fd0 RBP: ffff8800379e1dd0 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff8800379c2f90 R13: ffff880037839160 R14: 0000000000000000 R15: 00000000013352f0 FS: 00007f1400e34740(0000) GS:ffff8800bfb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 00007f464124c763 CR3: 00000000b68cf000 CR4: 00000000000006e0 Stack: ffff8800379e1df0 ffffffff8155beab 6b6b6b6b6b6b6b2b ffff8800378391c0 ffff8800379e1e18 ffffffff8156499b ffff880037839be0 ffff880037839d20 ffff88003779d3f0 ffff8800379e1e38 ffffffffa003477c ffff88003779d388 Call Trace: [<ffffffff8155beab>] netif_napi_del+0x1b/0x80 [<ffffffff8156499b>] free_netdev+0x8b/0x110 [<ffffffffa003477c>] virtnet_remove+0x7c/0x90 [virtio_net] [<ffffffff813ae323>] virtio_dev_remove+0x23/0x80 [<ffffffff813f62ef>] __device_release_driver+0x7f/0xf0 [<ffffffff813f6ca0>] driver_detach+0xc0/0xd0 [<ffffffff813f5f28>] bus_remove_driver+0x58/0xd0 [<ffffffff813f72ec>] driver_unregister+0x2c/0x50 [<ffffffff813ae65e>] unregister_virtio_driver+0xe/0x10 [<ffffffffa0036942>] virtio_net_driver_exit+0x10/0x6ce [virtio_net] [<ffffffff810d7cf2>] SyS_delete_module+0x172/0x220 [<ffffffff810a732d>] ? trace_hardirqs_on+0xd/0x10 [<ffffffff810f5d4c>] ? __audit_syscall_entry+0x9c/0xf0 [<ffffffff81677f69>] system_call_fastpath+0x16/0x1b Code: 00 00 55 48 8b 17 48 b9 00 01 10 00 00 00 ad de 48 8b 47 08 48 89 e5 48 39 ca 74 29 48 b9 00 02 20 00 00 00 RIP [<ffffffff81322e19>] __list_del_entry+0x29/0xd0 RSP <ffff8800379e1dd0> ---[ end trace d5931cd3f87c9763 ]--- Fixes: 986a4f4 (virtio_net: multiqueue support) Cc: Rusty Russell <rusty@rustcorp.com.au> Cc: "Michael S. Tsirkin" <mst@redhat.com> Signed-off-by: Andrey Vagin <avagin@openvz.org> Acked-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 50dc875 ] There's a possible deadlock if we flush the peers notifying work during setting mtu: [ 22.991149] ====================================================== [ 22.991173] [ INFO: possible circular locking dependency detected ] [ 22.991198] 3.10.0-54.0.1.el7.x86_64.debug #1 Not tainted [ 22.991219] ------------------------------------------------------- [ 22.991243] ip/974 is trying to acquire lock: [ 22.991261] ((&(&net_device_ctx->dwork)->work)){+.+.+.}, at: [<ffffffff8108af95>] flush_work+0x5/0x2e0 [ 22.991307] but task is already holding lock: [ 22.991330] (rtnl_mutex){+.+.+.}, at: [<ffffffff81539deb>] rtnetlink_rcv+0x1b/0x40 [ 22.991367] which lock already depends on the new lock. [ 22.991398] the existing dependency chain (in reverse order) is: [ 22.991426] -> #1 (rtnl_mutex){+.+.+.}: [ 22.991449] [<ffffffff810dfdd9>] __lock_acquire+0xb19/0x1260 [ 22.991477] [<ffffffff810e0d12>] lock_acquire+0xa2/0x1f0 [ 22.991501] [<ffffffff81673659>] mutex_lock_nested+0x89/0x4f0 [ 22.991529] [<ffffffff815392b7>] rtnl_lock+0x17/0x20 [ 22.991552] [<ffffffff815230b2>] netdev_notify_peers+0x12/0x30 [ 22.991579] [<ffffffffa0340212>] netvsc_send_garp+0x22/0x30 [hv_netvsc] [ 22.991610] [<ffffffff8108d251>] process_one_work+0x211/0x6e0 [ 22.991637] [<ffffffff8108d83b>] worker_thread+0x11b/0x3a0 [ 22.991663] [<ffffffff81095e5d>] kthread+0xed/0x100 [ 22.991686] [<ffffffff81681c6c>] ret_from_fork+0x7c/0xb0 [ 22.991715] -> #0 ((&(&net_device_ctx->dwork)->work)){+.+.+.}: [ 22.991715] [<ffffffff810de817>] check_prevs_add+0x967/0x970 [ 22.991715] [<ffffffff810dfdd9>] __lock_acquire+0xb19/0x1260 [ 22.991715] [<ffffffff810e0d12>] lock_acquire+0xa2/0x1f0 [ 22.991715] [<ffffffff8108afde>] flush_work+0x4e/0x2e0 [ 22.991715] [<ffffffff8108e1b5>] __cancel_work_timer+0x95/0x130 [ 22.991715] [<ffffffff8108e303>] cancel_delayed_work_sync+0x13/0x20 [ 22.991715] [<ffffffffa03404e4>] netvsc_change_mtu+0x84/0x200 [hv_netvsc] [ 22.991715] [<ffffffff815233d4>] dev_set_mtu+0x34/0x80 [ 22.991715] [<ffffffff8153bc2a>] do_setlink+0x23a/0xa00 [ 22.991715] [<ffffffff8153d054>] rtnl_newlink+0x394/0x5e0 [ 22.991715] [<ffffffff81539eac>] rtnetlink_rcv_msg+0x9c/0x260 [ 22.991715] [<ffffffff8155cdd9>] netlink_rcv_skb+0xa9/0xc0 [ 22.991715] [<ffffffff81539dfa>] rtnetlink_rcv+0x2a/0x40 [ 22.991715] [<ffffffff8155c41d>] netlink_unicast+0xdd/0x190 [ 22.991715] [<ffffffff8155c807>] netlink_sendmsg+0x337/0x750 [ 22.991715] [<ffffffff8150d219>] sock_sendmsg+0x99/0xd0 [ 22.991715] [<ffffffff8150d63e>] ___sys_sendmsg+0x39e/0x3b0 [ 22.991715] [<ffffffff8150eba2>] __sys_sendmsg+0x42/0x80 [ 22.991715] [<ffffffff8150ebf2>] SyS_sendmsg+0x12/0x20 [ 22.991715] [<ffffffff81681d19>] system_call_fastpath+0x16/0x1b This is because we hold the rtnl_lock() before ndo_change_mtu() and try to flush the work in netvsc_change_mtu(), in the mean time, netdev_notify_peers() may be called from worker and also trying to hold the rtnl_lock. This will lead the flush won't succeed forever. Solve this by not canceling and flushing the work, this is safe because the transmission done by NETDEV_NOTIFY_PEERS was synchronized with the netif_tx_disable() called by netvsc_change_mtu(). Reported-by: Yaju Cao <yacao@redhat.com> Tested-by: Yaju Cao <yacao@redhat.com> Cc: K. Y. Srinivasan <kys@microsoft.com> Cc: Haiyang Zhang <haiyangz@microsoft.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Acked-by: Haiyang Zhang <haiyangz@microsoft.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit c234975 ] Binding might result in a NULL device, which is dereferenced causing this BUG: [ 1317.260548] BUG: unable to handle kernel NULL pointer dereference at 000000000000097 4 [ 1317.261847] IP: [<ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110 [ 1317.263315] PGD 418bcb067 PUD 3ceb21067 PMD 0 [ 1317.263502] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC [ 1317.264179] Dumping ftrace buffer: [ 1317.264774] (ftrace buffer empty) [ 1317.265220] Modules linked in: [ 1317.265824] CPU: 4 PID: 836 Comm: trinity-child46 Tainted: G W 3.13.0-rc4- next-20131218-sasha-00013-g2cebb9b-dirty #4159 [ 1317.267415] task: ffff8803ddf33000 ti: ffff8803cd31a000 task.ti: ffff8803cd31a000 [ 1317.268399] RIP: 0010:[<ffffffff84225f52>] [<ffffffff84225f52>] rds_ib_laddr_check+ 0x82/0x110 [ 1317.269670] RSP: 0000:ffff8803cd31bdf8 EFLAGS: 00010246 [ 1317.270230] RAX: 0000000000000000 RBX: ffff88020b0dd388 RCX: 0000000000000000 [ 1317.270230] RDX: ffffffff8439822e RSI: 00000000000c000a RDI: 0000000000000286 [ 1317.270230] RBP: ffff8803cd31be38 R08: 0000000000000000 R09: 0000000000000000 [ 1317.270230] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 [ 1317.270230] R13: 0000000054086700 R14: 0000000000a25de0 R15: 0000000000000031 [ 1317.270230] FS: 00007ff40251d700(0000) GS:ffff88022e200000(0000) knlGS:000000000000 0000 [ 1317.270230] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 1317.270230] CR2: 0000000000000974 CR3: 00000003cd478000 CR4: 00000000000006e0 [ 1317.270230] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1317.270230] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000090602 [ 1317.270230] Stack: [ 1317.270230] 0000000054086700 5408670000a25de0 5408670000000002 0000000000000000 [ 1317.270230] ffffffff84223542 00000000ea54c767 0000000000000000 ffffffff86d26160 [ 1317.270230] ffff8803cd31be68 ffffffff84223556 ffff8803cd31beb8 ffff8800c6765280 [ 1317.270230] Call Trace: [ 1317.270230] [<ffffffff84223542>] ? rds_trans_get_preferred+0x42/0xa0 [ 1317.270230] [<ffffffff84223556>] rds_trans_get_preferred+0x56/0xa0 [ 1317.270230] [<ffffffff8421c9c3>] rds_bind+0x73/0xf0 [ 1317.270230] [<ffffffff83e4ce62>] SYSC_bind+0x92/0xf0 [ 1317.270230] [<ffffffff812493f8>] ? context_tracking_user_exit+0xb8/0x1d0 [ 1317.270230] [<ffffffff8119313d>] ? trace_hardirqs_on+0xd/0x10 [ 1317.270230] [<ffffffff8107a852>] ? syscall_trace_enter+0x32/0x290 [ 1317.270230] [<ffffffff83e4cece>] SyS_bind+0xe/0x10 [ 1317.270230] [<ffffffff843a6ad0>] tracesys+0xdd/0xe2 [ 1317.270230] Code: 00 8b 45 cc 48 8d 75 d0 48 c7 45 d8 00 00 00 00 66 c7 45 d0 02 00 89 45 d4 48 89 df e8 78 49 76 ff 41 89 c4 85 c0 75 0c 48 8b 03 <80> b8 74 09 00 00 01 7 4 06 41 bc 9d ff ff ff f6 05 2a b6 c2 02 [ 1317.270230] RIP [<ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110 [ 1317.270230] RSP <ffff8803cd31bdf8> [ 1317.270230] CR2: 0000000000000974 Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Kernel will dump when run deinterlace stress test. It is caused by vditmpbuf being reallocated by another thread when one thread accesses it. Issue is fixed by putting these code in mutex. Kernel dump log: [Playing ][Vol=01][00:00:10/00:00:30][fps:32]Unable to handle kernel paging request at virtual address 607d6085 pgd = 80004000 [607d6085] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: CPU: 0 PID: 50 Comm: ipu2_task Not tainted 3.10.17-02308-g3700819 #28 task: ac1dc700 ti: ac1ba000 task.ti: ac1ba000 PC is at __kmalloc+0x40/0x114 LR is at __kmalloc+0x14/0x114 pc : [<800bbd40>] lr : [<800bbd14>] psr: 200f0013 sp : ac1bbbc8 ip : 008cc000 fp : 00001e40 r10: ac772e00 r9 : 0057b255 r8 : 000000d0 r7 : 00000790 r6 : ac773800 r5 : 607d6085 r4 : ac001b00 r3 : 00000000 r2 : 814f92a0 r1 : 000000d0 r0 : 000398c9 Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c53c7d Table: 3c4c004a DAC: 00000015 Process ipu2_task (pid: 50, stack limit = 0xac1ba238) Stack: (0xac1bbbc8 to 0xac1bc000) Signed-off-by: Sandor Yu <R01008@freescale.com>

…p() properly shutdown [Peter] Delete the change for block throttle. request_queue is refcounted but actually depdends on lifetime management from the queue owner - on blk_cleanup_queue(), block layer expects that there's no request passing through request_queue and no new one will. This is fundamentally broken. The queue owner (e.g. SCSI layer) doesn't have a way to know whether there are other active users before calling blk_cleanup_queue() and other users (e.g. bsg) don't have any guarantee that the queue is and would stay valid while it's holding a reference. With delay added in blk_queue_bio() before queue_lock is grabbed, the following oops can be easily triggered when a device is removed with in-flight IOs. sd 0:0:1:0: [sdb] Stopping disk ata1.01: disabled general protection fault: 0000 [#1] PREEMPT SMP CPU 2 Modules linked in: Pid: 648, comm: test_rawio Not tainted 3.1.0-rc3-work+ #56 Bochs Bochs RIP: 0010:[<ffffffff8137d651>] [<ffffffff8137d651>] elv_rqhash_find+0x61/0x100 ... Process test_rawio (pid: 648, threadinfo ffff880019efa000, task ffff880019ef8a80) ... Call Trace: [<ffffffff8137d774>] elv_merge+0x84/0xe0 [<ffffffff81385b54>] blk_queue_bio+0xf4/0x400 [<ffffffff813838ea>] generic_make_request+0xca/0x100 [<ffffffff81383994>] submit_bio+0x74/0x100 [<ffffffff811c53ec>] dio_bio_submit+0xbc/0xc0 [<ffffffff811c610e>] __blockdev_direct_IO+0x92e/0xb40 [<ffffffff811c39f7>] blkdev_direct_IO+0x57/0x60 [<ffffffff8113b1c5>] generic_file_aio_read+0x6d5/0x760 [<ffffffff8118c1ca>] do_sync_read+0xda/0x120 [<ffffffff8118ce55>] vfs_read+0xc5/0x180 [<ffffffff8118cfaa>] sys_pread64+0x9a/0xb0 [<ffffffff81afaf6b>] system_call_fastpath+0x16/0x1b This happens because blk_queue_cleanup() destroys the queue and elevator whether IOs are in progress or not and DEAD tests are sprinkled in the request processing path without proper synchronization. Similar problem exists for blk-throtl. On queue cleanup, blk-throtl is shutdown whether it has requests in it or not. Depending on timing, it either oopses or throttled bios are lost putting tasks which are waiting for bio completion into eternal D state. The way it should work is having the usual clear distinction between shutdown and release. Shutdown drains all currently pending requests, marks the queue dead, and performs partial teardown of the now unnecessary part of the queue. Even after shutdown is complete, reference holders are still allowed to issue requests to the queue although they will be immmediately failed. The rest of teardown happens on release. This patch makes the following changes to make blk_queue_cleanup() behave as proper shutdown. * QUEUE_FLAG_DEAD is now set while holding both q->exit_mutex and queue_lock. * Unsynchronized DEAD check in generic_make_request_checks() removed. This couldn't make any meaningful difference as the queue could die after the check. * blk_drain_queue() updated such that it can drain all requests and is now called during cleanup. * blk_throtl updated such that it checks DEAD on grabbing queue_lock, drains all throttled bios during cleanup and free td when queue is released. Signed-off-by: Peter Chen <peter.chen@freescale.com> Signed-off-by: Tejun Heo <tj@kernel.org> Cc: Vivek Goyal <vgoyal@redhat.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>

…lock [ Upstream commit 4acd494 ] Cong Wang reports that lockdep detected suspicious RCU usage while enabling IPV6 forwarding: [ 1123.310275] =============================== [ 1123.442202] [ INFO: suspicious RCU usage. ] [ 1123.558207] 3.6.0-rc1+ #109 Not tainted [ 1123.665204] ------------------------------- [ 1123.768254] include/linux/rcupdate.h:430 Illegal context switch in RCU read-side critical section! [ 1123.992320] [ 1123.992320] other info that might help us debug this: [ 1123.992320] [ 1124.307382] [ 1124.307382] rcu_scheduler_active = 1, debug_locks = 0 [ 1124.522220] 2 locks held by sysctl/5710: [ 1124.648364] #0: (rtnl_mutex){+.+.+.}, at: [<ffffffff81768498>] rtnl_trylock+0x15/0x17 [ 1124.882211] #1: (rcu_read_lock){.+.+.+}, at: [<ffffffff81871df8>] rcu_lock_acquire+0x0/0x29 [ 1125.085209] [ 1125.085209] stack backtrace: [ 1125.332213] Pid: 5710, comm: sysctl Not tainted 3.6.0-rc1+ #109 [ 1125.441291] Call Trace: [ 1125.545281] [<ffffffff8109d915>] lockdep_rcu_suspicious+0x109/0x112 [ 1125.667212] [<ffffffff8107c240>] rcu_preempt_sleep_check+0x45/0x47 [ 1125.781838] [<ffffffff8107c260>] __might_sleep+0x1e/0x19b [...] [ 1127.445223] [<ffffffff81757ac5>] call_netdevice_notifiers+0x4a/0x4f [...] [ 1127.772188] [<ffffffff8175e125>] dev_disable_lro+0x32/0x6b [ 1127.885174] [<ffffffff81872d26>] dev_forward_change+0x30/0xcb [ 1128.013214] [<ffffffff818738c4>] addrconf_forward_change+0x85/0xc5 [...] addrconf_forward_change() uses RCU iteration over the netdev list, which is unnecessary since it already holds the RTNL lock. We also cannot reasonably require netdevice notifier functions not to sleep. Reported-by: Cong Wang <amwang@redhat.com> Signed-off-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 307fd54 upstream. Replace equivalent (and partially incorrect) scatter-gather functions with ones from crypto-API. The replacement is motivated by page-faults in sg_copy_part triggered by successive calls to crypto_hash_update. The following fault appears after calling crypto_ahash_update twice, first with 13 and then with 285 bytes: Unable to handle kernel paging request for data at address 0x00000008 Faulting instruction address: 0xf9bf9a8c Oops: Kernel access of bad area, sig: 11 [#1] SMP NR_CPUS=8 CoreNet Generic Modules linked in: tcrypt(+) caamhash caam_jr caam tls CPU: 6 PID: 1497 Comm: cryptomgr_test Not tainted 3.12.19-rt30-QorIQ-SDK-V1.6+g9fda9f2 #75 task: e9308530 ti: e700e000 task.ti: e700e000 NIP: f9bf9a8c LR: f9bfcf28 CTR: c0019ea0 REGS: e700fb80 TRAP: 0300 Not tainted (3.12.19-rt30-QorIQ-SDK-V1.6+g9fda9f2) MSR: 00029002 <CE,EE,ME> CR: 44f92024 XER: 20000000 DEAR: 00000008, ESR: 00000000 GPR00: f9bfcf28 e700fc30 e9308530 e70b1e55 00000000 ffffffdd e70b1e54 0bebf888 GPR08: 902c7ef5 c0e771e2 00000002 00000888 c0019ea0 00000000 00000000 c07a4154 GPR16: c08d0000 e91a8f9c 00000001 e98fb400 00000100 e9c83028 e70b1e08 e70b1d48 GPR24: e992ce10 e70b1dc8 f9bfe4f4 e70b1e55 ffffffdd e70b1ce0 00000000 00000000 NIP [f9bf9a8c] sg_copy+0x1c/0x100 [caamhash] LR [f9bfcf28] ahash_update_no_ctx+0x628/0x660 [caamhash] Call Trace: [e700fc30] [f9bf9c50] sg_copy_part+0xe0/0x160 [caamhash] (unreliable) [e700fc50] [f9bfcf28] ahash_update_no_ctx+0x628/0x660 [caamhash] [e700fcb0] [f954e19c] crypto_tls_genicv+0x13c/0x300 [tls] [e700fd10] [f954e65c] crypto_tls_encrypt+0x5c/0x260 [tls] [e700fd40] [c02250ec] __test_aead.constprop.9+0x2bc/0xb70 [e700fe40] [c02259f0] alg_test_aead+0x50/0xc0 [e700fe60] [c02241e4] alg_test+0x114/0x2e0 [e700fee0] [c022276c] cryptomgr_test+0x4c/0x60 [e700fef0] [c004f658] kthread+0x98/0xa0 [e700ff40] [c000fd04] ret_from_kernel_thread+0x5c/0x64 Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Cc: Cristian Stoica <cristian.stoica@freescale.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit c9ccfcc) (cherry picked from commit 3e2f6af66b8ad59ea1e4a47be9a3b5ba5c3e4a62)

Radekp81 · 2015-06-11T00:39:16Z

Hi,

I am having exactly the same issue - would someone be able to share the outcome for this?

Thanks,
Radek.

…oad module With commit "95b62fe MLK-10750 usb: chipidea: otg: remove otg fsm before destory gdaget and host", the otg fsm will be removed first, but when the host is removing, it will trigger pcd interrupt, and otg work is still queued to ci_otg workqueue(otg state is OTG_STATE_A_HOST), but at that time, ci_otg workqueue has been destroyed. In this commit, we make sure the otg work is not queued if ci->wq is NULL, and keep otg state is OTG_STATE_UNDEFINED after otg fsm has been removed. The NULL pointer deference error like belows: Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = a873c000 [00000000] *pgd=a90f9831, *pte=00000000, *ppte=00000000 Internal error: Oops: 17 [#1] PREEMPT SMP ARM Modules linked in: usb_f_ecm u_ether libcomposite configfs ci_hdrc_imx(-) ci_hdrc udc_core ehci_hcd mxc_vadc mx6s_capture mxc_dcic ov5640_camera usbmisc_imx phy_mxs_usb evbug [last unloaded: usb_f_rndis] CPU: 0 PID: 162 Comm: udevd Not tainted 3.14.38-02187-g5639985-dirty #160 task: a863e880 ti: a872e000 task.ti: a872e000 PC is at __queue_work+0x68/0x268 LR is at __queue_work+0x68/0x268 pc : [<80045060>] lr : [<80045060>] psr: 600e0193 sp : a872fed0 ip : 00000000 fp : 00000000 r10: 00000004 r9 : a872e000 r8 : 0000004b r7 : 80e4c804 r6 : a9295000 r5 : a87f8294 r4 : 00000000 r3 : a80690e0 r2 : 00000000 r1 : a8069108 r0 : a8003400 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c53c7d Table: a873c04a DAC: 00000015 Process udevd (pid: 162, stack limit = 0xa872e238) Stack: (0xa872fed0 to 0xa8730000) fec0: 00ff3d34 80743750 00000000 600e0193 fee0: a87f8294 a9295000 00000004 0000004b a8008900 80eb51ff 00ff3d34 800452a8 ff00: 00000000 a87f8010 00000000 00000000 00000000 7f060ac0 a8dfced0 a87f8010 ff20: 00002e20 7f059730 a8e7e2c0 a800895c 00000000 8006c1b4 80e46080 80e40458 ff40: a8008900 a800895c a8e7e2c0 c0802100 00fc40e8 00000000 00000048 8006c320 ff60: a8008900 a800895c 00000000 8006f1c4 8006f140 0000004b 0000004b 8006b92c ff80: 80e40e54 8000f9cc c080210c 80e4c970 a872ffb0 8000856c 00fc4308 76d9c890 ffa0: 600e0010 ffffffff 7edef480 800130bc 00fc4308 00ff3d70 00000000 000000ff ffc0: 00000671 00000000 00ff3b90 7edef480 00fc40e8 00000000 00000048 00ff3d34 ffe0: 000321b8 7edef140 000240a0 76d9c890 600e0010 ffffffff abf5e821 abf5ec21 [<80045060>] (__queue_work) from [<800452a8>] (queue_work_on+0x48/0x54) [<800452a8>] (queue_work_on) from [<7f060ac0>] (ci_otg_fsm_irq+0x108/0x310 [ci_hdrc]) [<7f060ac0>] (ci_otg_fsm_irq [ci_hdrc]) from [<7f059730>] (ci_irq+0x94/0x158 [ci_hdrc]) [<7f059730>] (ci_irq [ci_hdrc]) from [<8006c1b4>] (handle_irq_event_percpu+0x50/0x180) [<8006c1b4>] (handle_irq_event_percpu) from [<8006c320>] (handle_irq_event+0x3c/0x5c) [<8006c320>] (handle_irq_event) from [<8006f1c4>] (handle_fasteoi_irq+0x84/0x14c) [<8006f1c4>] (handle_fasteoi_irq) from [<8006b92c>] (generic_handle_irq+0x2c/0x3c) [<8006b92c>] (generic_handle_irq) from [<8000f9cc>] (handle_IRQ+0x40/0x90) [<8000f9cc>] (handle_IRQ) from [<8000856c>] (gic_handle_irq+0x2c/0x5c) [<8000856c>] (gic_handle_irq) from [<800130bc>] (__irq_usr+0x3c/0x60) Exception stack(0xa872ffb0 to 0xa872fff8) ffa0: 00fc4308 00ff3d70 00000000 000000ff ffc0: 00000671 00000000 00ff3b90 7edef480 00fc40e8 00000000 00000048 00ff3d34 ffe0: 000321b8 7edef140 000240a0 76d9c890 600e0010 ffffffff Code: e5964084 e0844003 e1a00005 ebfffa14 (e5943000) ---[ end trace 53dc25e918ff7216 ]--- Kernel panic - not syncing: Fatal exception in interrupt Signed-off-by: Peter Chen <peter.chen@freescale.com>

root@imx7d_all:~# rmmod bcmdhd dhd_prot_ioctl : bus is down. we have nothing to do dhd_wlfc_deinit():3268, ampdu_hostreorder get failed Err = -1 dhd_prot_ioctl : bus is down. we have nothing to do dhd_wlfc_deinit():3291 failed to enable/disable bdcv2 tlv signaling Err = -1 dhd_detach(): thread:dhd_watchdog_thread:2d4 terminated OK dhd_dpc_thread: Unexpected up_cnt 0 dhd_detach(): thread:dhd_dpc:2d5 terminated OK CFG80211-ERROR) wl_event_handler : was terminated wl_destroy_event_handler(): thread:wl_event_handler:2d3 terminated OK ------------[ cut here ]------------ Kernel BUG at 800d12b0 [verbose debug info unavailable] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM Modules linked in: bcmdhd(-) evbug CPU: 0 PID: 755 Comm: rmmod Not tainted 3.14.28-7D_alpha #1 task: a8a31680 ti: a841a000 task.ti: a841a000 PC is at kfree+0x17c/0x180 LR is at wiphy_unregister+0x15c/0x1cc pc : [<800d12b0>] lr : [<806b0cf8>] psr: 40070013 sp : a841be28 ip : 00000000 fp : a901396c r10: 7f078dc0 r9 : a9240120 r8 : a9240380 r7 : a9240000 r6 : a9010000 r5 : ab73af20 r4 : a9240120 r3 : 00000000 r2 : ab75a000 r1 : 00000000 r0 : 7f079220 Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c53c7d Table: a863406a DAC: 00000015 Process rmmod (pid: 755, stack limit = 0xa841a238) Stack: (0xa841be28 to 0xa841c000) be20: 7f079220 a9240120 00000000 a9010000 a9240000 a9240380 be40: a9240120 7f078dc0 a901396c 806b0cf8 00000000 7f078dc0 a901396c 805962b4 be60: 7f07cea0 a8433800 a8ae3840 a9240380 a9010000 a9013000 a9240380 7f02b088 be80: 00000000 00000000 a9010000 a9013000 a9010000 7f07cea0 7f078dc0 7f00f00c bea0: 00000001 a850f800 7f078dc0 a865b3c0 00000081 8000e5e4 a841a000 00000000 bec0: 00000000 7f05588c 7f078dc0 a850f800 00000000 7f056080 7f056044 a865b180 bee0: a865b340 7f048944 a8fe7800 a865b3c0 7f07acd4 7f04a37c 7f04a330 a8487408 bf00: a8487400 804baf10 a8487408 7f07acd4 a848743c 803476b4 7f07acd4 a8487408 bf20: 7f07acd4 80347dc4 7f07acd4 7f07ad38 00000800 803473b4 00000000 7f05f158 bf40: 7f05f12c 80083be8 00000000 00000000 7f07ad38 00000800 a841bf4c 646d6362 bf60: 00006468 00000000 8108f030 a8a31680 a8a31a30 00000000 00000000 8004605c bf80: a89c4d80 a841a018 8000e5e4 a841bfb0 a841a000 00011330 00000000 7ecc5e1c bfa0: 00000002 8000e460 00000000 7ecc5e1c 01b05d3c 00000800 76f26104 00002002 bfc0: 00000000 7ecc5e1c 00000002 00000081 7ecc5f0a 00000001 01b05d08 00000000 bfe0: 76eebeb0 7ecc5bfc 00016e3c 76eebebc 60080010 01b05d3c efdff749 faff7bf3 [<800d12b0>] (kfree) from [<806b0cf8>] (wiphy_unregister+0x15c/0x1cc) [<806b0cf8>] (wiphy_unregister) from [<7f02b088>] (wl_free_wdev+0x2c/0xf8 [bcmdhd]) [<7f02b088>] (wl_free_wdev [bcmdhd]) from [<7f00f00c>] (dhd_detach+0x274/0x430 [bcmdhd]) [<7f00f00c>] (dhd_detach [bcmdhd]) from [<7f05588c>] (dhdsdio_release+0x40/0x1cc [bcmdhd]) [<7f05588c>] (dhdsdio_release [bcmdhd]) from [<7f056080>] (dhdsdio_disconnect+0x3c/0xa0 [bcmdhd]) [<7f056080>] (dhdsdio_disconnect [bcmdhd]) from [<7f048944>] (bcmsdh_remove+0x3c/0x60 [bcmdhd]) [<7f048944>] (bcmsdh_remove [bcmdhd]) from [<7f04a37c>] (bcmsdh_sdmmc_remove+0x4c/0x64 [bcmdhd]) [<7f04a37c>] (bcmsdh_sdmmc_remove [bcmdhd]) from [<804baf10>] (sdio_bus_remove+0x30/0xf8) [<804baf10>] (sdio_bus_remove) from [<803476b4>] (__device_release_driver+0x70/0xcc) [<803476b4>] (__device_release_driver) from [<80347dc4>] (driver_detach+0xac/0xb0) [<80347dc4>] (driver_detach) from [<803473b4>] (bus_remove_driver+0x4c/0xa0) [<803473b4>] (bus_remove_driver) from [<7f05f158>] (dhd_module_cleanup+0x2c/0x3c [bcmdhd]) [<7f05f158>] (dhd_module_cleanup [bcmdhd]) from [<80083be8>] (SyS_delete_module+0x11c/0x17c) [<80083be8>] (SyS_delete_module) from [<8000e460>] (ret_fast_syscall+0x0/0x30) Code: e1a01005 e1a02006 e8bd4ff8 eafffef1 (e7f001f2) ---[ end trace ca749705cd612037 ]--- Segmentation fault Signed-off-by: Dong Aisheng <b29396@freescale.com>

There are several benefits for doing like this: - hc_driver can be customized for each hcd - Other hcd hc_driver's initialization will not affect current one. We run out NULL pointer dereference problem when one hcd is started by module_init, and the other is started by otg thread at SMP platform. The reason for this problem is ehci_init_driver will do memory copy for current uniform hc_driver, and this memory copy will do memset (as 0) first, so when the first hcd is running usb_add_hcd, and the second hcd may clear the uniform hc_driver's space (at ehci_init_driver), then the first hcd will meet NULL pointer at the same time. See below two logs: LOG_1: ci_hdrc ci_hdrc.0: EHCI Host Controller ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 1 ci_hdrc ci_hdrc.1: doesn't support gadget Unable to handle kernel NULL pointer dereference at virtual address 00000014 pgd = 80004000 [00000014] *pgd=00000000 Internal error: Oops: 805 [#1] PREEMPT SMP ARM Modules linked in: CPU: 0 PID: 108 Comm: kworker/u8:2 Not tainted 3.14.38-222193-g24b2734-dirty #25 Workqueue: ci_otg ci_otg_work task: d839ec00 ti: d8400000 task.ti: d8400000 PC is at ehci_run+0x4c/0x284 LR is at _raw_spin_unlock_irqrestore+0x28/0x54 pc : [<8041f9a0>] lr : [<8070ea84>] psr: 60000113 sp : d8401e30 ip : 00000000 fp : d8004400 r10: 00000001 r9 : 00000001 r8 : 00000000 r7 : 00000000 r6 : d8419940 r5 : 80dd24c0 r4 : d8419800 r3 : 8001d060 r2 : 00000000 r1 : 00000001 r0 : 00000000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c53c7d Table: 1000404a DAC: 00000015 Process kworker/u8:2 (pid: 108, stack limit = 0xd8400238) Stack: (0xd8401e30 to 0xd8402000) 1e20: d87523c0 d8401e48 66667562 d8419800 1e40: 00000000 00000000 d8419800 00000000 00000000 00000000 d84198b0 8040fcdc 1e60: 00000000 80dd320c d8477610 d8419c00 d803d010 d8419800 00000000 00000000 1e80: d8004400 00000000 d8400008 80431494 80431374 d803d100 d803d010 d803d1ac 1ea0: 00000000 80432428 804323d4 d803d100 00000001 80435eb8 80e0d0bc d803d100 1ec0: 00000006 80436458 00000000 d803d100 80e92ec8 80436f44 d803d010 d803d100 1ee0: d83fde00 8043292c d8752710 d803d1f4 d803d010 8042ddfc 8042ddb8 d83f3b00 1f00: d803d1f4 80042b60 00000000 00000003 00000001 00000001 80054598 d83f3b00 1f20: d8004400 d83f3b18 d8004414 d8400000 80e3957b 00000089 d8004400 80043814 1f40: d839ec00 00000000 d83fcd80 d83f3b00 800436e4 00000000 00000000 00000000 1f60: 00000000 80048f34 00000000 00000000 00000000 d83f3b00 00000000 00000000 1f80: d8401f80 d8401f80 00000000 00000000 d8401f90 d8401f90 d8401fac d83fcd80 1fa0: 80048e68 00000000 00000000 8000e538 00000000 00000000 00000000 00000000 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 [<8041f9a0>] (ehci_run) from [<8040fcdc>] (usb_add_hcd+0x248/0x6e8) [<8040fcdc>] (usb_add_hcd) from [<80431494>] (host_start+0x120/0x2e4) [<80431494>] (host_start) from [<80432428>] (ci_otg_start_host+0x54/0xbc) [<80432428>] (ci_otg_start_host) from [<80435eb8>] (otg_set_protocol+0xa4/0xd0) [<80435eb8>] (otg_set_protocol) from [<80436458>] (otg_set_state+0x574/0xc58) [<80436458>] (otg_set_state) from [<80436f44>] (otg_statemachine+0x408/0x46c) [<80436f44>] (otg_statemachine) from [<8043292c>] (ci_otg_fsm_work+0x3c/0x190) [<8043292c>] (ci_otg_fsm_work) from [<8042ddfc>] (ci_otg_work+0x44/0x1c4) [<8042ddfc>] (ci_otg_work) from [<80042b60>] (process_one_work+0xf4/0x35c) [<80042b60>] (process_one_work) from [<80043814>] (worker_thread+0x130/0x3bc) [<80043814>] (worker_thread) from [<80048f34>] (kthread+0xcc/0xe4) [<80048f34>] (kthread) from [<8000e538>] (ret_from_fork+0x14/0x3c) Code: e5953018 e3530000 0a000000 e12fff33 (e5878014) LOG_2: ci_hdrc ci_hdrc.0: EHCI Host Controller ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 1 ci_hdrc ci_hdrc.1: doesn't support gadget Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = 80004000 [00000000] *pgd=00000000 In Online 00:00ternal e Offline rror: Oops: 80000005 [#1] PREEMPT SMP ARM Modules linked in: CPU: 0 PID: 108 Comm: kworker/u8:2 Not tainted 3.14.38-02007-g24b2734-dirty #127 Workque Online 00:00ue: ci_o Offline tg ci_otg_work Online 00:00task: d8 Offline 39ec00 ti: d83ea000 task.ti: d83ea000 PC is at 0x0 LR is at usb_add_hcd+0x248/0x6e8 pc : [<00000000>] lr : [<8040f644>] psr: 60000113 sp : d83ebe60 ip : 00000000 fp : d8004400 r10: 00000001 r9 : 00000001 r8 : d85fd4b0 r7 : 00000000 r6 : 00000000 r5 : 00000000 r4 : d85fd400 r3 : 00000000 r2 : d85fd4f4 r1 : 80410178 r0 : d85fd400 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c53c7d Table: 1000404a DAC: 00000015 Process kworker/u8:2 (pid: 108, stack limit = 0xd83ea238) Stack: (0xd83ebe60 to 0xd83ec000) be60: 00000000 80dd920c d8654e10 d85fd800 d803e010 d85fd400 00000000 00000000 be80: d8004400 00000000 d83ea008 80430e34 80430d14 d803e100 d803e010 d803e1ac bea0: 00000000 80431dc8 80431d74 d803e100 00000001 80435858 80e130bc d803e100 bec0: 00000006 80435df8 00000000 d803e100 80e98ec8 804368e4 d803e010 d803e100 bee0: d86e8100 804322cc d86cf050 d803e1f4 d803e010 8042d79c 8042d758 d83cf900 bf00: d803e1f4 80042b78 00000000 00000003 00000001 00000001 800545e8 d83cf900 bf20: d8004400 d83cf918 d8004414 d83ea000 80e3f57b 00000089 d8004400 8004382c bf40: d839ec00 00000000 d8393780 d83cf900 800436fc 00000000 00000000 00000000 bf60: 00000000 80048f50 80e019f4 00000000 0000264c d83cf900 00000000 00000000 bf80: d83ebf80 d83ebf80 00000000 00000000 d83ebf90 d83ebf90 d83ebfac d8393780 bfa0: 80048e84 00000000 00000000 8000e538 00000000 00000000 00000000 00000000 bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 ee66e85d 133ebd03 [<804 Online 00:000f644>] Offline (usb_add_hcd) from [<80430e34>] (host_start+0x120/0x2e4) [<80430e34>] (host_start) from [<80431dc8>] (ci_otg_start_host+0x54/0xbc) [<80431dc8>] (ci_otg_start_host) from [<80435858>] (otg_set_protocol+0xa4/0xd0) [<80435858>] (otg_set_protocol) from [<80435df8>] (otg_set_state+0x574/0xc58) [<80435df8>] (otg_set_state) from [<804368e4>] (otg_statemachine+0x408/0x46c) [<804368e4>] (otg_statemachine) from [<804322cc>] (ci_otg_fsm_work+0x3c/0x190) [<804322cc>] (ci_otg_fsm_work) from [<8042d79c>] (ci_otg_work+0x44/0x1c4) [<8042d79c>] (ci_otg_work) from [<80042b78>] (process_one_work+0xf4/0x35c) [<80042b78>] (process_one_work) from [<8004382c>] (worker_thread+0x130/0x3bc) [<8004382c>] (worker_thread) from [<80048f50>] (kthread+0xcc/0xe4) [<80048f50>] (kthread) from [<8000e538>] (ret_from_fork+0x14/0x3c) Code: bad PC value Signed-off-by: Peter Chen <peter.chen@freescale.com> (cherry picked from commit 8d0ca70) (cherry picked from commit cde81c0)

There are several benefits for doing like this: - hc_driver can be customized for each hcd - Other hcd hc_driver's initialization will not affect current one. We run out NULL pointer dereference problem when one hcd is started by module_init, and the other is started by otg thread at SMP platform. The reason for this problem is ehci_init_driver will do memory copy for current uniform hc_driver, and this memory copy will do memset (as 0) first, so when the first hcd is running usb_add_hcd, and the second hcd may clear the uniform hc_driver's space (at ehci_init_driver), then the first hcd will meet NULL pointer at the same time. See below two logs: LOG_1: ci_hdrc ci_hdrc.0: EHCI Host Controller ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 1 ci_hdrc ci_hdrc.1: doesn't support gadget Unable to handle kernel NULL pointer dereference at virtual address 00000014 pgd = 80004000 [00000014] *pgd=00000000 Internal error: Oops: 805 [#1] PREEMPT SMP ARM Modules linked in: CPU: 0 PID: 108 Comm: kworker/u8:2 Not tainted 3.14.38-222193-g24b2734-dirty #25 Workqueue: ci_otg ci_otg_work task: d839ec00 ti: d8400000 task.ti: d8400000 PC is at ehci_run+0x4c/0x284 LR is at _raw_spin_unlock_irqrestore+0x28/0x54 pc : [<8041f9a0>] lr : [<8070ea84>] psr: 60000113 sp : d8401e30 ip : 00000000 fp : d8004400 r10: 00000001 r9 : 00000001 r8 : 00000000 r7 : 00000000 r6 : d8419940 r5 : 80dd24c0 r4 : d8419800 r3 : 8001d060 r2 : 00000000 r1 : 00000001 r0 : 00000000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c53c7d Table: 1000404a DAC: 00000015 Process kworker/u8:2 (pid: 108, stack limit = 0xd8400238) Stack: (0xd8401e30 to 0xd8402000) 1e20: d87523c0 d8401e48 66667562 d8419800 1e40: 00000000 00000000 d8419800 00000000 00000000 00000000 d84198b0 8040fcdc 1e60: 00000000 80dd320c d8477610 d8419c00 d803d010 d8419800 00000000 00000000 1e80: d8004400 00000000 d8400008 80431494 80431374 d803d100 d803d010 d803d1ac 1ea0: 00000000 80432428 804323d4 d803d100 00000001 80435eb8 80e0d0bc d803d100 1ec0: 00000006 80436458 00000000 d803d100 80e92ec8 80436f44 d803d010 d803d100 1ee0: d83fde00 8043292c d8752710 d803d1f4 d803d010 8042ddfc 8042ddb8 d83f3b00 1f00: d803d1f4 80042b60 00000000 00000003 00000001 00000001 80054598 d83f3b00 1f20: d8004400 d83f3b18 d8004414 d8400000 80e3957b 00000089 d8004400 80043814 1f40: d839ec00 00000000 d83fcd80 d83f3b00 800436e4 00000000 00000000 00000000 1f60: 00000000 80048f34 00000000 00000000 00000000 d83f3b00 00000000 00000000 1f80: d8401f80 d8401f80 00000000 00000000 d8401f90 d8401f90 d8401fac d83fcd80 1fa0: 80048e68 00000000 00000000 8000e538 00000000 00000000 00000000 00000000 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 [<8041f9a0>] (ehci_run) from [<8040fcdc>] (usb_add_hcd+0x248/0x6e8) [<8040fcdc>] (usb_add_hcd) from [<80431494>] (host_start+0x120/0x2e4) [<80431494>] (host_start) from [<80432428>] (ci_otg_start_host+0x54/0xbc) [<80432428>] (ci_otg_start_host) from [<80435eb8>] (otg_set_protocol+0xa4/0xd0) [<80435eb8>] (otg_set_protocol) from [<80436458>] (otg_set_state+0x574/0xc58) [<80436458>] (otg_set_state) from [<80436f44>] (otg_statemachine+0x408/0x46c) [<80436f44>] (otg_statemachine) from [<8043292c>] (ci_otg_fsm_work+0x3c/0x190) [<8043292c>] (ci_otg_fsm_work) from [<8042ddfc>] (ci_otg_work+0x44/0x1c4) [<8042ddfc>] (ci_otg_work) from [<80042b60>] (process_one_work+0xf4/0x35c) [<80042b60>] (process_one_work) from [<80043814>] (worker_thread+0x130/0x3bc) [<80043814>] (worker_thread) from [<80048f34>] (kthread+0xcc/0xe4) [<80048f34>] (kthread) from [<8000e538>] (ret_from_fork+0x14/0x3c) Code: e5953018 e3530000 0a000000 e12fff33 (e5878014) LOG_2: ci_hdrc ci_hdrc.0: EHCI Host Controller ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 1 ci_hdrc ci_hdrc.1: doesn't support gadget Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = 80004000 [00000000] *pgd=00000000 In Online 00:00ternal e Offline rror: Oops: 80000005 [#1] PREEMPT SMP ARM Modules linked in: CPU: 0 PID: 108 Comm: kworker/u8:2 Not tainted 3.14.38-02007-g24b2734-dirty #127 Workque Online 00:00ue: ci_o Offline tg ci_otg_work Online 00:00task: d8 Offline 39ec00 ti: d83ea000 task.ti: d83ea000 PC is at 0x0 LR is at usb_add_hcd+0x248/0x6e8 pc : [<00000000>] lr : [<8040f644>] psr: 60000113 sp : d83ebe60 ip : 00000000 fp : d8004400 r10: 00000001 r9 : 00000001 r8 : d85fd4b0 r7 : 00000000 r6 : 00000000 r5 : 00000000 r4 : d85fd400 r3 : 00000000 r2 : d85fd4f4 r1 : 80410178 r0 : d85fd400 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c53c7d Table: 1000404a DAC: 00000015 Process kworker/u8:2 (pid: 108, stack limit = 0xd83ea238) Stack: (0xd83ebe60 to 0xd83ec000) be60: 00000000 80dd920c d8654e10 d85fd800 d803e010 d85fd400 00000000 00000000 be80: d8004400 00000000 d83ea008 80430e34 80430d14 d803e100 d803e010 d803e1ac bea0: 00000000 80431dc8 80431d74 d803e100 00000001 80435858 80e130bc d803e100 bec0: 00000006 80435df8 00000000 d803e100 80e98ec8 804368e4 d803e010 d803e100 bee0: d86e8100 804322cc d86cf050 d803e1f4 d803e010 8042d79c 8042d758 d83cf900 bf00: d803e1f4 80042b78 00000000 00000003 00000001 00000001 800545e8 d83cf900 bf20: d8004400 d83cf918 d8004414 d83ea000 80e3f57b 00000089 d8004400 8004382c bf40: d839ec00 00000000 d8393780 d83cf900 800436fc 00000000 00000000 00000000 bf60: 00000000 80048f50 80e019f4 00000000 0000264c d83cf900 00000000 00000000 bf80: d83ebf80 d83ebf80 00000000 00000000 d83ebf90 d83ebf90 d83ebfac d8393780 bfa0: 80048e84 00000000 00000000 8000e538 00000000 00000000 00000000 00000000 bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 ee66e85d 133ebd03 [<804 Online 00:000f644>] Offline (usb_add_hcd) from [<80430e34>] (host_start+0x120/0x2e4) [<80430e34>] (host_start) from [<80431dc8>] (ci_otg_start_host+0x54/0xbc) [<80431dc8>] (ci_otg_start_host) from [<80435858>] (otg_set_protocol+0xa4/0xd0) [<80435858>] (otg_set_protocol) from [<80435df8>] (otg_set_state+0x574/0xc58) [<80435df8>] (otg_set_state) from [<804368e4>] (otg_statemachine+0x408/0x46c) [<804368e4>] (otg_statemachine) from [<804322cc>] (ci_otg_fsm_work+0x3c/0x190) [<804322cc>] (ci_otg_fsm_work) from [<8042d79c>] (ci_otg_work+0x44/0x1c4) [<8042d79c>] (ci_otg_work) from [<80042b78>] (process_one_work+0xf4/0x35c) [<80042b78>] (process_one_work) from [<8004382c>] (worker_thread+0x130/0x3bc) [<8004382c>] (worker_thread) from [<80048f50>] (kthread+0xcc/0xe4) [<80048f50>] (kthread) from [<8000e538>] (ret_from_fork+0x14/0x3c) Code: bad PC value Signed-off-by: Peter Chen <peter.chen@freescale.com> (cherry picked from commit 8d0ca70)

st_kim_ref() does not take care of the fact that platform_get_drvdata() might return NULL. On AM437x EVM, this causes the platform to stop booting as soon as the module is inserted. This patch fixes the issue by checking for NULL return value. Oops log follows. I have not tested BT functionality after this patch. But at least the platform boots now. [ 12.675697] Unable to handle kernel NULL pointer dereference at virtual address 0000005c [ 12.684310] pgd = c0004000 [ 12.687157] [0000005c] *pgd=00000000 [ 12.690927] Internal error: Oops: 17 [#1] SMP ARM [ 12.695873] Modules linked in: btwilink bluetooth ti_vpfe dwc3(+) ov2659 videobuf2_core v4l2_common videodev ti_am335x_adc 6lowpan_iphc matrix_keypad panel_dpi kfifo_buf pixcir_i2c_ts media industrialio videobuf2_dma_contig c_can_platform videobuf2_memops dwc3_omap c_can can_dev [ 12.721969] CPU: 0 PID: 1235 Comm: kworker/u3:0 Not tainted 3.14.25-02445-g9036ac6daed6 #128 [ 12.730937] Workqueue: hci0 hci_power_on [bluetooth] [ 12.736165] task: ebd93b40 ti: ecd7c000 task.ti: ecd7c000 [ 12.741856] PC is at st_kim_ref+0x30/0x40 [ 12.746071] LR is at st_kim_ref+0x30/0x40 [ 12.750289] pc : [<c03caf58>] lr : [<c03caf58>] psr: a0000013 [ 12.750289] sp : ecd7de08 ip : ecd7de08 fp : ecd7de1c [ 12.762365] r10: bf1e710c r9 : bf1e70ec r8 : bf1e7964 [ 12.767858] r7 : ebd2fd50 r6 : bf1e7964 r5 : 00000000 r4 : ecd7de24 [ 12.774723] r3 : c0957208 r2 : 00000000 r1 : c0957208 r0 : 00000000 [ 12.781589] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel [ 12.789274] Control: 10c5387d Table: abde4059 DAC: 00000015 [ 12.795315] Process kworker/u3:0 (pid: 1235, stack limit = 0xecd7c248) Signed-off-by: Sekhar Nori <nsekhar@ti.com> Signed-off-by: Gigi Joseph <gigi.joseph@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: varigigi <pierluigi.p@variscite.com>

…support Current driver will meet the following warning on MX6SL platform which does not support ADMA. It is caused by the driver is using fixed scatter gather DMA not matter whether the host supports or not. Then the host without ADMA capability will warning if found the DMA sg_count is non-1. Change the driver a bit to avoid multi DMA scatter list if found the host->max_segs is only 1 to fix the issue. root@imx6slevk:~# udhcpc -i wlan0 udhcpc (v1.23.1) started Sending discover... Sending select for 192.168.1.11... Lease of 192.168.1.11 obtained, lease time 86400 /etc/udhcpc.d/50default: Adding DNS 192.168.1.1 root@imx6slevk:~# ------------[ cut here ]------------ WARNING: CPU: 0 PID: 954 at /home/jenkins/jobs/Standalone-X11_with_mfgtools/workspace/temp_build_dir/build_fsl-imx-internal-x11/tmp/work-shared/imx6slevk/kernel-source/drivers/mmc/host/sdhci.c:839 sdhci_send_command+0xc64/0xd10() Modules linked in: bcmdhd evbug [last unloaded: bcmdhd] CPU: 0 PID: 954 Comm: dhd_dpc Tainted: G W 3.14.52-1.1.0_ga+g76946e8 #1 [<80014a68>] (unwind_backtrace) from [<80011758>] (show_stack+0x10/0x14) [<80011758>] (show_stack) from [<80720180>] (dump_stack+0x7c/0xbc) [<80720180>] (dump_stack) from [<80031df8>] (warn_slowpath_common+0x70/0x8c) [<80031df8>] (warn_slowpath_common) from [<80031eb0>] (warn_slowpath_null+0x1c/0x24) [<80031eb0>] (warn_slowpath_null) from [<804d5d2c>] (sdhci_send_command+0xc64/0xd10) [<804d5d2c>] (sdhci_send_command) from [<804d74e8>] (sdhci_request+0xc0/0x1f0) [<804d74e8>] (sdhci_request) from [<804c218c>] (__mmc_start_req+0x60/0x84) [<804c218c>] (__mmc_start_req) from [<804c25a4>] (mmc_wait_for_req+0x10/0x20) [<804c25a4>] (mmc_wait_for_req) from [<7f27ff6c>] (sdioh_request_packet_chain+0x368/0x400 [bcmdhd]) [<7f27ff6c>] (sdioh_request_packet_chain [bcmdhd]) from [<7f280da4>] (sdioh_request_buffer+0x124/0x294 [bcmdhd]) [<7f280da4>] (sdioh_request_buffer [bcmdhd]) from [<7f27f6dc>] (bcmsdh_send_buf+0x94/0x108 [bcmdhd]) [<7f27f6dc>] (bcmsdh_send_buf [bcmdhd]) from [<7f28e98c>] (dhd_bcmsdh_send_buf.constprop.25+0x80/0x220 [bcmdhd]) [<7f28e98c>] (dhd_bcmsdh_send_buf.constprop.25 [bcmdhd]) from [<7f28f454>] (dhdsdio_txpkt.constprop.24+0x928/0xa2c [bcmdhd]) [<7f28f454>] (dhdsdio_txpkt.constprop.24 [bcmdhd]) from [<7f28f6b0>] (dhdsdio_sendfromq+0x158/0x3c4 [bcmdhd]) [<7f28f6b0>] (dhdsdio_sendfromq [bcmdhd]) from [<7f2913d4>] (dhdsdio_dpc+0x2e8/0x1034 [bcmdhd]) [<7f2913d4>] (dhdsdio_dpc [bcmdhd]) from [<7f24a270>] (dhd_dpc_thread+0xe8/0x124 [bcmdhd]) [<7f24a270>] (dhd_dpc_thread [bcmdhd]) from [<8004ca6c>] (kthread+0xcc/0xe4) [<8004ca6c>] (kthread) from [<8000e500>] (ret_from_fork+0x14/0x34) Signed-off-by: Dong Aisheng <aisheng.dong@freescale.com>

When M4 is enabled, Linux has to do save/restore for M4 TCM during suspend/resume, dtb should pass the TCM address for kernel, without this TCM info, kernel will boot up fail: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1 at arch/arm/mach-imx/pm-imx7.c:1030 imx7d_pm_init+0x58/0) Modules linked in: CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.14.52-02791-g1babdb1-dirty #2093 [<80014b40>] (unwind_backtrace) from [<80011798>] (show_stack+0x10/0x14) [<80011798>] (show_stack) from [<807199ec>] (dump_stack+0x7c/0xbc) [<807199ec>] (dump_stack) from [<80032d78>] (warn_slowpath_common+0x6c/0x88) [<80032d78>] (warn_slowpath_common) from [<80032e30>] (warn_slowpath_null+0x1c/) [<80032e30>] (warn_slowpath_null) from [<80a09760>] (imx7d_pm_init+0x58/0x67c) [<80a09760>] (imx7d_pm_init) from [<80a08d3c>] (imx7d_init_machine+0x3c/0xe4) [<80a08d3c>] (imx7d_init_machine) from [<809e52e4>] (customize_machine+0x20/0x4) [<809e52e4>] (customize_machine) from [<800089bc>] (do_one_initcall+0xf8/0x144) [<800089bc>] (do_one_initcall) from [<809e2c4c>] (kernel_init_freeable+0x138/0x) [<809e2c4c>] (kernel_init_freeable) from [<807159b8>] (kernel_init+0x8/0xf0) [<807159b8>] (kernel_init) from [<8000e580>] (ret_from_fork+0x14/0x34) ---[ end trace fdb0885876d7ac0b ]--- Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = 80004000 [00000000] *pgd=00000000 Internal error: Oops: 5 [#1] PREEMPT SMP ARM Modules linked in: CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 3.14.52-02791-g1babdb1-dir3 task: a8084000 ti: a8090000 task.ti: a8090000 PC is at memcpy+0x48/0x330 LR is at imx7d_pm_init+0xd0/0x67c pc : [<8028e768>] lr : [<80a097d8>] psr: 20000013 sp : a8091e8c ip : 00000000 fp : 00000000 r10: a8090030 r9 : 0000010b r8 : 809e52c4 r7 : 80ab9380 r6 : 80ab9380 r5 : 80abb5a4 r4 : 80a411cc r3 : 00080000 r2 : 00007f80 r1 : 00000000 r0 : a8140000 Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c53c7d Table: 8000406a DAC: 00000015 Process swapper/0 (pid: 1, stack limit = 0xa8090238) Signed-off-by: Anson Huang <Anson.Huang@freescale.com>

Coverity reported: CID 17590 (#1 of 1): Unchecked return value (CHECKED_RETURN) 1. check_return: Calling device_reset without checking return value Fixed the warning by checking return value of device_reset. Signed-off-by: Hongzhang Yang <Hongzhang.Yang@freescale.com>

st_kim_ref() does not take care of the fact that platform_get_drvdata() might return NULL. On AM437x EVM, this causes the platform to stop booting as soon as the module is inserted. This patch fixes the issue by checking for NULL return value. Oops log follows. I have not tested BT functionality after this patch. But at least the platform boots now. [ 12.675697] Unable to handle kernel NULL pointer dereference at virtual address 0000005c [ 12.684310] pgd = c0004000 [ 12.687157] [0000005c] *pgd=00000000 [ 12.690927] Internal error: Oops: 17 [#1] SMP ARM [ 12.695873] Modules linked in: btwilink bluetooth ti_vpfe dwc3(+) ov2659 videobuf2_core v4l2_common videodev ti_am335x_adc 6lowpan_iphc matrix_keypad panel_dpi kfifo_buf pixcir_i2c_ts media industrialio videobuf2_dma_contig c_can_platform videobuf2_memops dwc3_omap c_can can_dev [ 12.721969] CPU: 0 PID: 1235 Comm: kworker/u3:0 Not tainted 3.14.25-02445-g9036ac6daed6 #128 [ 12.730937] Workqueue: hci0 hci_power_on [bluetooth] [ 12.736165] task: ebd93b40 ti: ecd7c000 task.ti: ecd7c000 [ 12.741856] PC is at st_kim_ref+0x30/0x40 [ 12.746071] LR is at st_kim_ref+0x30/0x40 [ 12.750289] pc : [<c03caf58>] lr : [<c03caf58>] psr: a0000013 [ 12.750289] sp : ecd7de08 ip : ecd7de08 fp : ecd7de1c [ 12.762365] r10: bf1e710c r9 : bf1e70ec r8 : bf1e7964 [ 12.767858] r7 : ebd2fd50 r6 : bf1e7964 r5 : 00000000 r4 : ecd7de24 [ 12.774723] r3 : c0957208 r2 : 00000000 r1 : c0957208 r0 : 00000000 [ 12.781589] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel [ 12.789274] Control: 10c5387d Table: abde4059 DAC: 00000015 [ 12.795315] Process kworker/u3:0 (pid: 1235, stack limit = 0xecd7c248) Signed-off-by: Sekhar Nori <nsekhar@ti.com> Signed-off-by: Gigi Joseph <gigi.joseph@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: varigigi <pierluigi.p@variscite.com>

System will hang when calling fb_new_modelist() function from hdmi driver. Hang logs: Unable to handle kernel NULL pointer dereference at virtual address 000000e0 pgd = 80004000 [000000e0] *pgd=00000000 Internal error: Oops: 17 [varigit#1] PREEMPT SMP ARM Modules linked in: CPU: 0 PID: 90 Comm: kworker/0:3 Not tainted 4.1.8-01364-gd02137c varigit#6 CPU: 0 PID: 90 Comm: kworker/0:3 Not tainted 4.1.8-01364-gd02137c varigit#6 00000e0 mmended se run fsck. 42.254 irq=-1) omuxc (307Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) l Workqueue: events hotplug_worker task: a8381c80 ti: a8512000 task.ti: a8512000 PC is at fbcon_new_modelist+0xcc/0xe8 LR is at fbcon_new_modelist+0xcc/0xe8 pc : [<802e23f4>] lr : [<802e23f4>] psr: 600b0013 sp : a8513c60 ip : a829122c fp : 80ac6e6c pc : [<802e23f4>] lr : [<802e23f4>] psr: 600b0013 sp : a8513c60 ip : a829122c fp : 80ac6e6c .254 irq=-1) omuxc (307r10: 00000000 r9 : 80ade1f8 r8 : a8291000 r7 : 80b80b75 r6 : 80b85080 r5 : 80b80c2c r4 : 00000002 r7 : 80b80b75 r6 : 80b85080 r5 : 80b80c2c r4 : 00000002 : a8513c60 ip : a829122c fp : 80ac6e6c .254 ....... irq=-1) omuxc (3073f00: 00000000 80046328 a8512000 ab707380 ab707394 ab707380 a8497198 ab707394 3f20: a8512000 00000008 80b2b2b9 a8497180 ab707380 80046640 80ac6100 ab7074e4 3f40: a8497180 00000000 a84bef00 a8497180 800465f4 00000000 00000000 00000000 3f60: 00000000 8004b588 6d6ddb89 00000000 75cfbfda a8497180 00000000 00000000 3f80: a8513f80 a8513f80 00000000 00000000 a8513f90 a8513f90 a8513fac a84bef00 3fa0: 8004b4ac 00000000 00000000 8000f528 00000000 00000000 00000000 00000000 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 29122c fp : 80ac6e6c .254 irq=-1) omuxc (3073fe0: 00000000 00000000 00000000 00000000 00000013 00000000 68f31fff f537ef6b [<802e23f4>] (fbcon_new_modelist) from [<802e6034>] (fbcon_event_notify+0x16c/0x958) [<802e6034>] (fbcon_event_notify) from [<8004bff0>] (notifier_call_chain+0x44/0x84) [<8004bff0>] (notifier_call_chain) from [<8004c34c>] (__blocking_notifier_call_chain+0x48/0x60) [<8004c34c>] (__blocking_notifier_call_chain) from [<8004c37c>] (blocking_notifier_call_chain+0x18/0x20) [<8004c37c>] (blocking_notifier_call_chain) from [<802ec1c4>] (fb_new_modelist+0xe4/0xf8) [<802ec1c4>] (fb_new_modelist) from [<802f7f08>] (hotplug_worker+0x1cc/0x2f4) [<802f7f08>] (hotplug_worker) from [<80046328>] (process_one_work+0x118/0x3e4) [<80046328>] (process_one_work) from [<80046640>] (worker_thread+0x4c/0x4f4) [<80046640>] (worker_thread) from [<8004b588>] (kthread+0xdc/0xf4) [<8004b588>] (kthread) from [<8000f528>] (ret_from_fork+0x14/0x2c) Code: eb003570 e1a01000 e28d0008 eb0034f7 (e1da2eb0) The root cuase is fbcon driver access null pointer vc in the function of fbcon_new_modelist(). Add null pointer check vc to fix the issue. Signed-off-by: Sandor Yu <R01008@freescale.com> (cherry picked from commit 3bea30f) (cherry picked from commit ddfd6b9) (cherry picked from commit 608a206)

…support Current driver will meet the following warning on MX6SL platform which does not support ADMA. It is caused by the driver is using fixed scatter gather DMA not matter whether the host supports or not. Then the host without ADMA capability will warning if found the DMA sg_count is non-1. Change the driver a bit to avoid multi DMA scatter list if found the host->max_segs is only 1 to fix the issue. root@imx6slevk:~# udhcpc -i wlan0 udhcpc (v1.23.1) started Sending discover... Sending select for 192.168.1.11... Lease of 192.168.1.11 obtained, lease time 86400 /etc/udhcpc.d/50default: Adding DNS 192.168.1.1 root@imx6slevk:~# ------------[ cut here ]------------ WARNING: CPU: 0 PID: 954 at /home/jenkins/jobs/Standalone-X11_with_mfgtools/workspace/temp_build_dir/build_fsl-imx-internal-x11/tmp/work-shared/imx6slevk/kernel-source/drivers/mmc/host/sdhci.c:839 sdhci_send_command+0xc64/0xd10() Modules linked in: bcmdhd evbug [last unloaded: bcmdhd] CPU: 0 PID: 954 Comm: dhd_dpc Tainted: G W 3.14.52-1.1.0_ga+g76946e8 varigit#1 [<80014a68>] (unwind_backtrace) from [<80011758>] (show_stack+0x10/0x14) [<80011758>] (show_stack) from [<80720180>] (dump_stack+0x7c/0xbc) [<80720180>] (dump_stack) from [<80031df8>] (warn_slowpath_common+0x70/0x8c) [<80031df8>] (warn_slowpath_common) from [<80031eb0>] (warn_slowpath_null+0x1c/0x24) [<80031eb0>] (warn_slowpath_null) from [<804d5d2c>] (sdhci_send_command+0xc64/0xd10) [<804d5d2c>] (sdhci_send_command) from [<804d74e8>] (sdhci_request+0xc0/0x1f0) [<804d74e8>] (sdhci_request) from [<804c218c>] (__mmc_start_req+0x60/0x84) [<804c218c>] (__mmc_start_req) from [<804c25a4>] (mmc_wait_for_req+0x10/0x20) [<804c25a4>] (mmc_wait_for_req) from [<7f27ff6c>] (sdioh_request_packet_chain+0x368/0x400 [bcmdhd]) [<7f27ff6c>] (sdioh_request_packet_chain [bcmdhd]) from [<7f280da4>] (sdioh_request_buffer+0x124/0x294 [bcmdhd]) [<7f280da4>] (sdioh_request_buffer [bcmdhd]) from [<7f27f6dc>] (bcmsdh_send_buf+0x94/0x108 [bcmdhd]) [<7f27f6dc>] (bcmsdh_send_buf [bcmdhd]) from [<7f28e98c>] (dhd_bcmsdh_send_buf.constprop.25+0x80/0x220 [bcmdhd]) [<7f28e98c>] (dhd_bcmsdh_send_buf.constprop.25 [bcmdhd]) from [<7f28f454>] (dhdsdio_txpkt.constprop.24+0x928/0xa2c [bcmdhd]) [<7f28f454>] (dhdsdio_txpkt.constprop.24 [bcmdhd]) from [<7f28f6b0>] (dhdsdio_sendfromq+0x158/0x3c4 [bcmdhd]) [<7f28f6b0>] (dhdsdio_sendfromq [bcmdhd]) from [<7f2913d4>] (dhdsdio_dpc+0x2e8/0x1034 [bcmdhd]) [<7f2913d4>] (dhdsdio_dpc [bcmdhd]) from [<7f24a270>] (dhd_dpc_thread+0xe8/0x124 [bcmdhd]) [<7f24a270>] (dhd_dpc_thread [bcmdhd]) from [<8004ca6c>] (kthread+0xcc/0xe4) [<8004ca6c>] (kthread) from [<8000e500>] (ret_from_fork+0x14/0x34) Signed-off-by: Dong Aisheng <aisheng.dong@freescale.com> (cherry picked from commit 77ff69e)

l2c210_flush_all, the underlying implementation of outer_flush_all() has the constraint on 4.1 kernel that, it can not be called under interrupt context. However the EPDC driver can not guarantee this condition at calling point, thus it could cause kernel dump. This has been observed on i.MX6SL, and theorically on other platforms like i.MX6DL (using PL310 L2 cache). So use outer_flush_range to fix it. Although we don't have such issue on i.MX7D (not PL310 L2), we still prefer to use outer_flush_range() for legacy software dithering support and for easy maintenance. Then we do the change in both EPDC driver. ------------[ cut here ]------------ Kernel BUG at 800204d8 [verbose debug info unavailable] Internal error: Oops - BUG: 0 [varigit#1] PREEMPT SMP ARM Modules linked in: galcore(O) evbug CPU: 0 PID: 842 Comm: kworker/u3:1 Tainted: G O 4.1.8-1.0.0+ge352a0b varigit#1 Hardware name: Freescale i.MX6 SoloLite (Device Tree) Workqueue: EPDC Submit epdc_submit_work_func task: a8a8f900 ti: a92a4000 task.ti: a92a4000 PC is at l2c210_flush_all+0x5c/0x60 LR is at epdc_submit_work_func+0x684/0xbf8 pc : [<800204d8>] lr : [<8030702c>] psr: 600b0013 sp : a92a5e90 ip : a9150c8c fp : a8480518 r10: a84a28c0 r9 : 00000008 r8 : a9150644 r7 : a91512e0 r6 : 0000012c r5 : a91512e0 r4 : a91512dc r3 : a00b0013 r2 : 80b184a0 r1 : 701fe019 r0 : f4a02000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c53c7d Table: a943404a DAC: 00000015 Process kworker/u3:1 (pid: 842, stack limit = 0xa92a4210) Stack: (0xa92a5e90 to 0xa92a6000) 5e80: a92a5ed0 8005d058 0000bbc2 a851d4c0 5ea0: 00000000 a9150000 a8480000 a8480440 00000190 00000193 55555556 a84a28c0 5ec0: a8480518 a8500000 80b18088 a94f3900 00000000 00000000 00000190 0000012c 5ee0: a94f3900 a8480518 a87e8d80 a8479000 a845a200 00000020 00000000 a8479000 5f00: a8479000 80046458 a92a4000 a8479000 a8479014 a8479000 a87e8d98 a8479014 ... Signed-off-by: Robby Cai <robby.cai@nxp.com>

When connect adhoc network, we got below warning, it's caused by network stack changes during kernel upgrade. root@imx6qdlsolo:/mnt/nfs/vte_mx63# iw wlan0 ibss join TestAdhoc1 2412 ------------[ cut here ]------------ WARNING: CPU: 1 PID: 1251 at /home/bamboo/build/4.1.X-1.0.0_ga/fsl-imx-fb/temp_build_dir/build_fsl-imx-fb/tmp/work-shared/imx6qdlsolo/kernel-source/net/wireless/ibss.c:67 wl_notify_connect_status+0x7b0/0x10f0 [bcmdhd]() root@imx6qdlsolo:/mnt/nfs/vte_mx6Modules linked in:3# bcmdhd ov5642_camera ov5640_camera_mipi_int ov5640_camera_int mxc_dcic galcore(O) mxc_v4l2_capture ipu_bg_overlay_sdc ipu_still v4l2_int_device ipu_prp_enc ipu_csi_enc ipu_fg_overlay_sdc evbug CPU: 1 PID: 1251 Comm: wl_event_handle Tainted: G O 4.1.8-1.0.0+g87e6c2f varigit#1 Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) [<80015d84>] (unwind_backtrace) from [<80012728>] (show_stack+0x10/0x14) [<80012728>] (show_stack) from [<80750a54>] (dump_stack+0x84/0xc4) [<80750a54>] (dump_stack) from [<80032f3c>] (warn_slowpath_common+0x80/0xb0) [<80032f3c>] (warn_slowpath_common) from [<80033008>] (warn_slowpath_null+0x1c/0x24) [<80033008>] (warn_slowpath_null) from [<7f100060>] (wl_notify_connect_status+0x7b0/0x10f0 [bcmdhd]) [<7f100060>] (wl_notify_connect_status [bcmdhd]) from [<7f0f05bc>] (wl_event_handler+0x198/0x26c [bcmdhd]) [<7f0f05bc>] (wl_event_handler [bcmdhd]) from [<8004b588>] (kthread+0xdc/0xf4) [<8004b588>] (kthread) from [<8000f528>] (ret_from_fork+0x14/0x2c) ---[ end trace 40b45ccda84900ce ]--- Signed-off-by: Dong Aisheng <aisheng.dong@nxp.com>

When M4 is enabled, Linux has to do save/restore for M4 TCM during suspend/resume, dtb should pass the TCM address for kernel, without this TCM info, kernel will boot up fail: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1 at arch/arm/mach-imx/pm-imx7.c:1030 imx7d_pm_init+0x58/0) Modules linked in: CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.14.52-02791-g1babdb1-dirty #2093 [<80014b40>] (unwind_backtrace) from [<80011798>] (show_stack+0x10/0x14) [<80011798>] (show_stack) from [<807199ec>] (dump_stack+0x7c/0xbc) [<807199ec>] (dump_stack) from [<80032d78>] (warn_slowpath_common+0x6c/0x88) [<80032d78>] (warn_slowpath_common) from [<80032e30>] (warn_slowpath_null+0x1c/) [<80032e30>] (warn_slowpath_null) from [<80a09760>] (imx7d_pm_init+0x58/0x67c) [<80a09760>] (imx7d_pm_init) from [<80a08d3c>] (imx7d_init_machine+0x3c/0xe4) [<80a08d3c>] (imx7d_init_machine) from [<809e52e4>] (customize_machine+0x20/0x4) [<809e52e4>] (customize_machine) from [<800089bc>] (do_one_initcall+0xf8/0x144) [<800089bc>] (do_one_initcall) from [<809e2c4c>] (kernel_init_freeable+0x138/0x) [<809e2c4c>] (kernel_init_freeable) from [<807159b8>] (kernel_init+0x8/0xf0) [<807159b8>] (kernel_init) from [<8000e580>] (ret_from_fork+0x14/0x34) ---[ end trace fdb0885876d7ac0b ]--- Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = 80004000 [00000000] *pgd=00000000 Internal error: Oops: 5 [varigit#1] PREEMPT SMP ARM Modules linked in: CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 3.14.52-02791-g1babdb1-dir3 task: a8084000 ti: a8090000 task.ti: a8090000 PC is at memcpy+0x48/0x330 LR is at imx7d_pm_init+0xd0/0x67c pc : [<8028e768>] lr : [<80a097d8>] psr: 20000013 sp : a8091e8c ip : 00000000 fp : 00000000 r10: a8090030 r9 : 0000010b r8 : 809e52c4 r7 : 80ab9380 r6 : 80ab9380 r5 : 80abb5a4 r4 : 80a411cc r3 : 00080000 r2 : 00007f80 r1 : 00000000 r0 : a8140000 Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c53c7d Table: 8000406a DAC: 00000015 Process swapper/0 (pid: 1, stack limit = 0xa8090238) Signed-off-by: Anson Huang <Anson.Huang@freescale.com> (cherry picked from commit c3dc7c1)

The output buffer in test_ahash_speed will point to an address located within the tcrypt module image. This causes problems when trying to DMA map the buffer. For e.g. on ARM-based LS1021A, a page fault occurs within the DMA API when trying to access the struct page returned by virt_to_page(output): insmod tcrypt.ko mode=403 testing speed of async sha1 (sha1-caam) test 0 ( 16 byte blocks, 16 bytes per update, 1 updates): Unable to handle kernel paging request at virtual address f07e9080 pgd = e58d0e00 [f07e9080] *pgd=80000080007003, *pmd=00000000 Internal error: Oops: 206 [varigit#1] SMP THUMB2 Modules linked in: tcrypt(+) CPU: 1 PID: 1119 Comm: insmod Not tainted 4.2.0-rc1-256134-gbf433416e675 varigit#1 Hardware name: Freescale LS1021A task: ea063900 ti: e5a34000 task.ti: e5a34000 PC is at dma_cache_maint_page+0x38/0xd0 LR is at __dma_page_cpu_to_dev+0x15/0x64 pc : [<800155a0>] lr : [<8001564d>] psr: 000f0033 sp : e5a35ca0 ip : 8063df00 fp : f07e9080 r10: 00000cd0 r9 : 8063df00 r8 : 805a2f04 r7 : 0017f804 r6 : 00000002 r5 : ee7f9000 r4 : 00000014 r3 : 80612d40 r2 : 01ff0080 r1 : 00000380 r0 : ee7f9000 Flags: nzcv IRQs on FIQs on Mode SVC_32 ISA Thumb Segment user Control: 70c5387d Table: e58d0e00 DAC: 9b7ede70 Process insmod (pid: 1119, stack limit = 0xe5a34210) Stack: (0xe5a35ca0 to 0xe5a36000) [...] [<800155a0>] (dma_cache_maint_page) from [<8001564d>] (__dma_page_cpu_to_dev+0x15/0x64) [<8001564d>] (__dma_page_cpu_to_dev) from [<800156eb>] (arm_dma_map_page+0x1f/0x44) [<800156eb>] (arm_dma_map_page) from [<802935e3>] (ahash_digest+0x35f/0x510) [<802935e3>] (ahash_digest) from [<7f800d03>] (test_ahash_speed.constprop.6+0x24a/0x4e4 [tcrypt]) [<7f800d03>] (test_ahash_speed.constprop.6 [tcrypt]) from [<7f802fd5>] (do_test+0x1898/0x2058 [tcrypt]) [<7f802fd5>] (do_test [tcrypt]) from [<7f80802f>] (tcrypt_mod_init+0x2e/0x63 [tcrypt]) [<7f80802f>] (tcrypt_mod_init [tcrypt]) from [<80009517>] (do_one_initcall+0xb3/0x134) [<80009517>] (do_one_initcall) from [<80351ec7>] (do_init_module+0x3b/0x13c) [<80351ec7>] (do_init_module) from [<8005cc3f>] (load_module+0x97b/0x9dc) [<8005cc3f>] (load_module) from [<8005cd8d>] (SyS_finit_module+0x35/0x3e) [<8005cd8d>] (SyS_finit_module) from [<8000d101>] (ret_fast_syscall+0x1/0x4c) Code: 1aba 0152 eb00 0b02 (5882) 0f92 addr2line -f -i -e vmlinux 800155a0 page_zonenum include/linux/mm.h:728 page_zone include/linux/mm.h:881 dma_cache_maint_page arch/arm/mm/dma-mapping.c:822 Signed-off-by: Horia Geant? <horia.geanta@freescale.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Fix the DMA handle checking for the DMA maintainance. Should not call the dma_sync_single_for_device if the handle is NULL, otherwise, kernel will throw out the following complains: when do the following test: insmod ./tcrypt.ko mode=402 Unable to handle kernel paging request at virtual address 70000000 pgd = d8c64000 [70000000] *pgd=00000000 Internal error: Oops: 805 [varigit#1] PREEMPT SMP ARM Modules linked in: tcrypt(+) CPU: 1 PID: 789 Comm: insmod Not tainted 4.1.15-01516-g116e2fc-dirty #14 Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) task: d8b54280 ti: d8882000 task.ti: d8882000 PC is at v7_dma_clean_range+0x20/0x38 LR is at dma_cache_maint_page+0xc8/0x22c pc : [<8001e81c>] lr : [<8001b018>] psr: 200b0013 sp : d8883d08 ip : 8001e86c fp : 000004c0 r10: 80b8b000 r9 : 80b244f8 r8 : ee557000 r7 : 00000000 r6 : 80b8f41c r5 : 00000000 r4 : 70000000 r3 : 0000001f r2 : 00000020 r1 : 70000000 r0 : 70000000 Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c53c7d Table: 68c6404a DAC: 00000015 Process insmod (pid: 789, stack limit = 0xd8882210) Stack: (0xd8883d08 to 0xd8884000) 3d00: ef26bfe0 00000002 00000018 00000001 00000000 00000000 3d20: ee557000 00000001 00000000 d86f0a10 00000000 d8bc2040 d8a7f5c4 8001b1a0 3d40: 8001e86c 8001b2c8 d88a5c40 d88a5c40 80b28bc4 d8a7f400 80beec48 8057f1dc 3d60: 00000002 00000000 00000000 00000038 00000018 80bdc1c0 68bc2128 d8a7f480 3d80: 00000000 80068c10 600b0013 00000100 00000000 d8a7f400 00000040 00000004 3da0: d871ca00 00000040 00000000 8057a9b0 8057a9a4 7f000d14 00000100 80068c10 3dc0: 7f005580 d8883de4 00000100 00000004 d8a7f400 7f005e80 7f005eb0 0000000c 3de0: d871ca00 00000040 00000100 7f0015ec 00000004 80b24648 00000000 00000000 3e00: d8bc2000 d8bc2040 00000008 ef26fa80 00000000 00001000 68c54000 ef26ae80 3e20: 00000000 00001000 00000000 ef270bc0 00000000 00001000 00000000 ef26db02 3e40: 00000000 00001000 00000000 00000000 02880288 d8883e54 d8883e54 00000000 3e60: 00000000 00000010 7f0062f8 80b27698 80b27698 d871ca00 d8882000 00000000 3e80: 00000008 7f003124 7f0062f8 80b27698 00000010 7f0062f8 80b27698 80b27698 3ea0: d871ca00 d8882000 00000000 7f009048 7f009000 00000000 80b27698 80009704 3ec0: 000000d0 ef26fa80 00000000 8040003e 00000001 00000001 d8883eec ef2709c0 3ee0: d8001f00 80b246bc 00000001 8040003e d8883f04 800905a8 00000001 00000001 3f00: d8883f14 d8001f00 000000d0 80b23260 00000008 7f0061a0 d871c3c0 0131e008 3f20: 0000017b 8000f684 d8882000 00000000 00000008 8008f968 00000000 00000000 3f40: 00000003 00000000 00000003 0131e008 0000017b 800906fc f0679000 0000b857 3f60: f0680070 f067ff25 f06840d0 0000671c 00006e8c 00000000 00000000 00000000 3f80: 0000001f 00000020 00000017 00000014 00000012 00000000 0131e018 00000008 3fa0: 0131e008 8000f500 0131e018 00000008 00000003 0131e008 00000000 00000000 3fc0: 0131e018 00000008 0131e008 0000017b 00000003 00000008 0131e008 00000008 3fe0: 7e8a6c38 7e8a6c28 0001f2c0 76f22340 600d0010 00000003 00000000 00000000 [<8001e81c>] (v7_dma_clean_range) from [<8001b018>] (dma_cache_maint_page+0xc8/0x22c) [<8001b018>] (dma_cache_maint_page) from [<8001b1a0>] (__dma_page_cpu_to_dev+0x24/0x88) [<8001b1a0>] (__dma_page_cpu_to_dev) from [<8057f1dc>] (ahash_update_first+0x3cc/0x6f4) [<8057f1dc>] (ahash_update_first) from [<8057a9b0>] (ahash_update+0xc/0x10) [<8057a9b0>] (ahash_update) from [<7f000d14>] (test_ahash_cycles+0x70/0x220 [tcrypt]) [<7f000d14>] (test_ahash_cycles [tcrypt]) from [<7f0015ec>] (test_ahash_speed.constprop.1+0x19c/0x25c [tcrypt]) [<7f0015ec>] (test_ahash_speed.constprop.1 [tcrypt]) from [<7f003124>] (do_test+0xff8/0x301c [tcrypt]) [<7f003124>] (do_test [tcrypt]) from [<7f009048>] (tcrypt_mod_init+0x48/0xa0 [tcrypt]) [<7f009048>] (tcrypt_mod_init [tcrypt]) from [<80009704>] (do_one_initcall+0x80/0x1d0) [<80009704>] (do_one_initcall) from [<8008f968>] (do_init_module+0x58/0x1b4) [<8008f968>] (do_init_module) from [<800906fc>] (SyS_finit_module+0x68/0x6c) [<800906fc>] (SyS_finit_module) from [<8000f500>] (ret_fast_syscall+0x0/0x3c) Code: e1a02312 e2423001 e1c00003 f57ff04f (ee070f3a) ---[ end trace 63ad5840e079f2a5 ]--- Signed-off-by: Jason Liu <jason.hui.liu@nxp.com>

Fix the following crash during module removing. root@imx6qdlsolo:~# modprobe -r bcmdhd dhd_prot_ioctl : bus is down. we have nothing to do dhd_wlfc_deinit():3271, ampdu_hostreorder get failed Err = -1 dhd_prot_ioctl : bus is down. we have nothing to do dhd_wlfc_deinit():3294 failed to enable/disable bdcv2 tlv signaling Err = -1 dhd_detach(): thread:dhd_watchdog_thread:34f terminated OK dhd_dpc_thread: Unexpected up_cnt 0 dhd_detach(): thread:dhd_dpc:350 terminated OK CFG80211-ERROR) wl_event_handler : was terminated wl_destroy_event_handler(): thread:wl_event_handler:34e terminated OK ------------[ cut here ]------------ Kernel BUG at 800e0f40 [verbose debug info unavailable] Internal error: Oops - BUG: 0 [varigit#1] PREEMPT SMP ARM Modules linked in: bcmdhd(-) evbug ov5647_camera_mipi mxc_mipi_csi mx6s_capture [last unloaded: bcmdhd] CPU: 0 PID: 854 Comm: modprobe Not tainted 4.1.15-01434-g70f4b36 #1311 Hardware name: Freescale i.MX7 Dual (Device Tree) task: a97fc4c0 ti: a912e000 task.ti: a912e000 PC is at kfree+0x188/0x18c LR is at wiphy_unregister+0x17c/0x204 pc : [<800e0f40>] lr : [<80712184>] psr: 400d0013 sp : a912fe30 ip : 00080353 fp : a8647970 r10: 7f219440 r9 : a9420140 r8 : ac75fa60 r7 : a9420000 r6 : 00000000 r5 : 00000000 r4 : a9420140 r3 : 00000000 r2 : 00000000 r1 : 07ffffff r0 : 00353443 Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c53c7d Table: a940c06a DAC: 00000015 Process modprobe (pid: 854, stack limit = 0xa912e210) Stack: (0xa912fe30 to 0xa9130000) fe20: 7f219440 a9420140 00000000 00000000 fe40: a9420000 a94203a0 a9420140 7f219440 a8647970 80712184 00000000 7f219440 fe60: a8647970 805e1994 7f21d5d8 a8500000 a8574840 a94203a0 00000000 a8647000 fe80: a94203a0 7f1cb9ec 00000000 00000000 a8644000 a8647000 a8644000 7f21d5d8 fea0: 7f219440 7f1adf28 00000001 a956d000 7f219440 a9770440 00000000 8000f644 fec0: a912e000 00000000 002691a0 7f1f4cbc a8644000 7f219440 a956d000 00000000 fee0: 00000081 7f1f65ec 7f1f65b0 a9770b40 a9770b00 7f1e9310 a96f6000 a9770440 ff00: 7f21b414 7f1ea950 7f1ea908 a8fdba08 a8fdba00 8050ee74 a8fdba08 7f21b414 ff20: a8fdba3c 80379744 7f21b414 a8fdba08 7f21b414 80379ed4 7f21b414 002691dc ff40: 002691a0 803794a4 7f21b478 7f1ff6bc 7f1ff690 8008fec0 00000000 646d6362 ff60: c0006468 00000000 a97fc8b8 00000000 a97fc8b8 00000000 80b41528 a97fc4c0 ff80: 002691a0 80049c60 a8576540 a912e000 8000f644 0012ffb0 00000006 002691a0 ffa0: 002691dc 8000f4c0 002691a0 002691dc 002691dc 00000800 76e72f78 00000000 ffc0: 002691a0 002691dc 002691a0 00000081 00000001 00000000 00000001 002691a0 ffe0: 76e388a0 7ec089f4 0001f008 76e388ac 600d0010 002691dc 00656e6f 635f6c77 [<800e0f40>] (kfree) from [<80712184>] (wiphy_unregister+0x17c/0x204) [<80712184>] (wiphy_unregister) from [<7f1cb9ec>] (wl_free_wdev+0x40/0x148 [bcmdhd]) [<7f1cb9ec>] (wl_free_wdev [bcmdhd]) from [<7f1adf28>] (dhd_detach+0x280/0x438 [bcmdhd]) [<7f1adf28>] (dhd_detach [bcmdhd]) from [<7f1f4cbc>] (dhdsdio_release+0x4c/0x1dc [bcmdhd]) [<7f1f4cbc>] (dhdsdio_release [bcmdhd]) from [<7f1f65ec>] (dhdsdio_disconnect+0x3c/0xa0 [bcmdhd]) [<7f1f65ec>] (dhdsdio_disconnect [bcmdhd]) from [<7f1e9310>] (bcmsdh_remove+0x3c/0x60 [bcmdhd]) [<7f1e9310>] (bcmsdh_remove [bcmdhd]) from [<7f1ea950>] (bcmsdh_sdmmc_remove+0x48/0x60 [bcmdhd]) [<7f1ea950>] (bcmsdh_sdmmc_remove [bcmdhd]) from [<8050ee74>] (sdio_bus_remove+0x30/0xf8) [<8050ee74>] (sdio_bus_remove) from [<80379744>] (__device_release_driver+0x70/0xe4) [<80379744>] (__device_release_driver) from [<80379ed4>] (driver_detach+0xac/0xb0) [<80379ed4>] (driver_detach) from [<803794a4>] (bus_remove_driver+0x4c/0xa0) [<803794a4>] (bus_remove_driver) from [<7f1ff6bc>] (dhd_module_cleanup+0x2c/0x3c [bcmdhd]) [<7f1ff6bc>] (dhd_module_cleanup [bcmdhd]) from [<8008fec0>] (SyS_delete_module+0x174/0x1b8) [<8008fec0>] (SyS_delete_module) from [<8000f4c0>] (ret_fast_syscall+0x0/0x3c) Code: e1a03007 e28dd004 e8bd4ff0 eafffd59 (e7f001f2) ---[ end trace 49de84cadd3d030b ]--- Segmentation fault root@imx6qdlsolo:~# Signed-off-by: Dong Aisheng <aisheng.dong@nxp.com>

bcmdhd can't support removing host during suspend and driver crash when detect card after resume due to no response to CMD7. It looks bcmdhd has a special requirement to enumerate card by itself which is incompatible with current MMC core. So implement post-cd feature to allow driver to detect card as it wants, then we add back non-removable capability to avoid MMC core to redetect card after resume. root@imx6qdlsolo:~# echo standby > /sys/power/state PM: Syncing filesystems ... done. PM: Preparing system for standby sleep Freezing user space processes ... (elapsed 0.001 seconds) done. Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done. PM: Entering standby sleep evbug: Event. Dev: input3, Type: 0, Code: 0, Value: 1 evbug: Event. Dev: input2, Type: 0, Code: 0, Value: 1 PM: suspend of devices complete after 652.363 msecs PM: suspend devices took 0.660 seconds PM: late suspend of devices complete after 1.148 msecs PM: noirq suspend of devices complete after 1.043 msecs Disabling non-boot CPUs ... CPU1: shutdown Enabling non-boot CPUs ... CPU1 is up PM: noirq resume of devices complete after 0.534 msecs PM: early resume of devices complete after 0.553 msecs evbug: Event. Dev: input2, Type: 1, Code: 116, Value: 1 evbug: Event. Dev: input2, Type: 0, Code: 0, Value: 0 evbug: Event. Dev: input2, Type: 1, Code: 116, Value: 0 evbug: Event. Dev: input2, Type: 0, Code: 0, Value: 0 mmc1: error -110 during resume (card was removed?) PM: resume of devices complete after 605.525 msecs PM: resume devices took 0.610 seconds PM: Finishing wakeup. Restarting tasks ... done. WARNING: driver bcmsdh_sdmmc did not remove its interrupt handler! root@imx6qdlsolo:~# Unable to handle kernel NULL pointer dereference at virtual address 0000022c pgd = 80004000 [0000022c] *pgd=00000000 Internal error: Oops: 17 [varigit#1] PREEMPT SMP ARM Modules linked in: bcmdhd evbug ov5647_camera_mipi mxc_mipi_csi mx6s_capture CPU: 1 PID: 780 Comm: kworker/u4:4 Not tainted 4.1.15-01434-g70f4b36 #1310 Hardware name: Freescale i.MX7 Dual (Device Tree) Workqueue: kmmcd mmc_rescan task: a974af80 ti: a846e000 task.ti: a846e000 PC is at _raw_spin_lock_irqsave+0x1c/0x5c LR is at get_parent_ip+0x10/0x2c pc : [<8077b9d4>] lr : [<8005207c>] psr: 60050093 sp : a846fc20 ip : 0001001f fp : a800b000 r10: 00000000 r9 : 00000001 r8 : 0000022c r7 : 00000002 r6 : 0000022c r5 : a0050013 r4 : 0000022c r3 : a974af80 r2 : 00000001 r1 : a846fc44 r0 : 00000000 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c53c7d Table: a951406a DAC: 00000015 Process kworker/u4:4 (pid: 780, stack limit = 0xa846e210) Stack: (0xa846fc20 to 0xa8470000) fc20: 00000000 a846fc50 a846fc44 80061808 00000000 000001dc 00000000 805037fc fc40: 8d89d5ec 00000000 a974af80 80053e88 00000000 00000000 ab7293c0 00000000 fc60: 7f09c828 000000c9 7f09c828 a916a804 00000001 0001001f a800b000 7f0698a4 fc80: a974afc8 00000001 00000000 00000000 00012ebc a974af80 00000001 80ad46c0 fca0: a974af80 00000000 a8eeccc0 00000001 0001001f a846fd04 00000000 7f099440 fcc0: a800b000 7f0699c4 a846fcdf 00000000 00000001 7f068834 a937c900 0105c688 fce0: a846fd04 a8e20000 00000000 00000001 00000000 7f071f08 a846fd04 a80a0000 fd00: ffffffff 00000000 ffffffff a8e20000 a8e20000 00000000 7f099440 00000000 fd20: 00000000 7f099440 a800b000 7f072f4c a974af80 00000000 00000000 80778564 fd40: a846fd54 a9346550 80330028 00000001 a846e000 a8e20000 7f099440 00000000 fd60: 18005000 a8eeccc0 00000000 7f099440 a800b000 7f073744 a846fd8c 80052130 fd80: a9273898 00000000 a800b000 a8e20000 7f099440 00000001 a8eec200 a9270000 fda0: 00000000 7f099440 a800b000 7f07cd3c 80b81100 8040003f a800b000 00000000 fdc0: 00000000 a8e20000 7f099440 a9270000 a9273000 a9270000 00000000 7f099440 fde0: a800b000 7f02df4c 00000001 a8e20000 7f099440 a8eec200 00000000 a916e008 fe00: 00000000 a90bfb00 a800b000 7f074cbc a9270000 7f099440 a8e20000 00000000 fe20: a8f81610 7f0765ec 7f0765b0 a8eeccc0 a855df40 7f069310 a916a800 a8eec200 fe40: 7f09b414 7f06a950 7f06a908 a8f81608 a8f81600 8050e8b8 a8f81608 7f09b414 fe60: 80b22c70 80379744 a974af80 a8f8163c a8f81608 803797d4 00000005 a81ce930 fe80: a8f81608 8037923c a8f81608 a8f81608 80b93cf4 80376504 a846fea0 800e0e3c fea0: 00000000 00000000 a8f81608 000000bd a833f000 00000000 00000000 8050ed04 fec0: 00000001 8050dd8c 400f8c0f a833f000 ffffff92 a833f000 a81ce600 8050de30 fee0: 8050ddbc a833f240 a833f1dc 80506048 a90bfb00 a833f240 a800b000 a81ce600 ff00: 00000000 800462f0 a81ce600 80043c94 00000000 a800b000 a90bfb18 a800b014 ff20: a846e000 00000088 80b39379 a90bfb00 a800b000 8004654c 80ad4100 a800b164 ff40: a90bfb00 00000000 a84856c0 a90bfb00 80046500 00000000 00000000 00000000 ff60: 00000000 8004b1e8 2df9acc7 00000000 b5f3ff89 a90bfb00 00000000 00000000 ff80: a846ff80 a846ff80 00000000 00000000 a846ff90 a846ff90 a846ffac a84856c0 ffa0: 8004b10c 00000000 00000000 8000f568 00000000 00000000 00000000 00000000 ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 ecd61557 f82769f5 [<8077b9d4>] (_raw_spin_lock_irqsave) from [<80061808>] (add_wait_queue+0x20/0x48) [<80061808>] (add_wait_queue) from [<805037fc>] (__mmc_claim_host+0x58/0x1b0) [<805037fc>] (__mmc_claim_host) from [<7f0698a4>] (sdioh_request_byte+0x1cc/0x2a4 [bcmdhd]) [<7f0698a4>] (sdioh_request_byte [bcmdhd]) from [<7f0699c4>] (sdioh_cfg_write+0x20/0x28 [bcmdhd]) [<7f0699c4>] (sdioh_cfg_write [bcmdhd]) from [<7f068834>] (bcmsdh_cfg_write+0x90/0xdc [bcmdhd]) [<7f068834>] (bcmsdh_cfg_write [bcmdhd]) from [<7f071f08>] (dhdsdio_clk_kso_enab+0x38/0x168 [bcmdhd]) [<7f071f08>] (dhdsdio_clk_kso_enab [bcmdhd]) from [<7f072f4c>] (dhdsdio_clk_devsleep_iovar+0xf4/0x5f4 [bcmdhd]) [<7f072f4c>] (dhdsdio_clk_devsleep_iovar [bcmdhd]) from [<7f073744>] (dhdsdio_bussleep+0x2f8/0x4dc [bcmdhd]) [<7f073744>] (dhdsdio_bussleep [bcmdhd]) from [<7f07cd3c>] (dhd_bus_stop+0x2e8/0x3f0 [bcmdhd]) [<7f07cd3c>] (dhd_bus_stop [bcmdhd]) from [<7f02df4c>] (dhd_detach+0x2a4/0x438 [bcmdhd]) [<7f02df4c>] (dhd_detach [bcmdhd]) from [<7f074cbc>] (dhdsdio_release+0x4c/0x1dc [bcmdhd]) [<7f074cbc>] (dhdsdio_release [bcmdhd]) from [<7f0765ec>] (dhdsdio_disconnect+0x3c/0xa0 [bcmdhd]) [<7f0765ec>] (dhdsdio_disconnect [bcmdhd]) from [<7f069310>] (bcmsdh_remove+0x3c/0x60 [bcmdhd]) [<7f069310>] (bcmsdh_remove [bcmdhd]) from [<7f06a950>] (bcmsdh_sdmmc_remove+0x48/0x60 [bcmdhd]) [<7f06a950>] (bcmsdh_sdmmc_remove [bcmdhd]) from [<8050e8b8>] (sdio_bus_remove+0x30/0xf8) [<8050e8b8>] (sdio_bus_remove) from [<80379744>] (__device_release_driver+0x70/0xe4) [<80379744>] (__device_release_driver) from [<803797d4>] (device_release_driver+0x1c/0x28) [<803797d4>] (device_release_driver) from [<8037923c>] (bus_remove_device+0xd8/0x104) [<8037923c>] (bus_remove_device) from [<80376504>] (device_del+0x10c/0x210) [<80376504>] (device_del) from [<8050ed04>] (sdio_remove_func+0x1c/0x28) [<8050ed04>] (sdio_remove_func) from [<8050dd8c>] (mmc_sdio_remove+0x40/0x70) [<8050dd8c>] (mmc_sdio_remove) from [<8050de30>] (mmc_sdio_detect+0x74/0x100) [<8050de30>] (mmc_sdio_detect) from [<80506048>] (mmc_rescan+0xb8/0x314) [<80506048>] (mmc_rescan) from [<800462f0>] (process_one_work+0x120/0x330) [<800462f0>] (process_one_work) from [<8004654c>] (worker_thread+0x4c/0x480) [<8004654c>] (worker_thread) from [<8004b1e8>] (kthread+0xdc/0xf4) [<8004b1e8>] (kthread) from [<8000f568>] (ret_from_fork+0x14/0x2c) Code: f10c0080 e3a00001 ebe359b1 f594f000 (e1943f9f) Signed-off-by: Dong Aisheng <aisheng.dong@nxp.com>

MMC core pm_notify will re-detect card after system suspend/resume, regardless of post-cd claim. Since in current MMC implement, non-removeable card only detects once, this will break post card detect which happens next. e.g. when we suspend/resume system first, then load Broadcom wifi module, we will get below dump: root@imx6qdlsolo:/mnt/nfs/vte_IMX6QP-Sabre-SD# modprobe bcmdhd firmware_path=/lib/firmware/bcm/ZP_BCM4339/fw_bcmdhd.bin nvram_path=/lib/firmware/bcm/ZP_BCM4339/bcmdhd.ZP.SDIO.cal dhd_module_init in Power-up adapter 'DHD generic adapter' wifi_platform_bus_enumerate device present 1 failed to power up DHD generic adapter, 3 retry left wifi_platform_bus_enumerate device present 0 -----------[ cut here ]----------- Kernel BUG at 80513170 [verbose debug info unavailable] Internal error: Oops - BUG: 0 1 PREEMPT SMP ARM Modules linked in: bcmdhd ov5642_camera ov5640_camera_mipi_int ov5640_camera_int mxc_v4l2_capture mxc_dcic ipu_bg_overlay_sdc ipu_still v4l2_int_device ipu_prp_enc ipu_csi_enc ipu_fg_overlay_sdc CPU: 1 PID: 1487 Comm: modprobe Not tainted 4.1.15-1.0.0+g54cf6a2 varigit#1 Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) task: a881e3c0 ti: a9152000 task.ti: a9152000 PC is at mmc_sdio_remove+0x7c/0x80 LR is at mmc_sdio_force_remove+0xc/0x34 pc : [<80513170>] lr : [<80513180>] psr: 60030013 sp : a9153d28 ip : 00000000 fp : 00000000 r10: 00000000 r9 : 00000000 r8 : 7f0f76e0 r7 : a9153d58 r6 : 00000000 r5 : 00000000 r4 : a83f1800 r3 : 00000000 r2 : 00000000 r1 : 809c02f4 r0 : a83f1800 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c53c7d Table: 38d7804a DAC: 00000015 Process modprobe (pid: 1487, stack limit = 0xa9152210) Stack: (0xa9153d28 to 0xa9154000) 3d20: 00000000 7f0c569c a9ffe440 00000003 00000000 7f0c58f4 3d40: a81942c0 8032e33c a8195960 7f0fbf68 00020002 00000000 a9153d58 a9153d58 3d60: fffffdfb 80bc0db4 a81af810 7f0f9518 fffffdfb 00000008 00000000 5624ce5c 3d80: 00000124 80381140 80bc0db4 a81af810 7f0f9518 00000000 00000008 8037f9dc 3da0: a81af810 7f0f9518 a81af844 80b288b0 00000000 8037fbec 00000000 7f0f9518 3dc0: 8037fb60 8037e068 a8025c5c a818fa34 7f0f9518 a20ff280 00000000 8037f16c 3de0: 7f0f0330 a9ffe440 00000000 7f0f9518 a9ffe440 00000000 80bb18f4 803801ec 3e00: 7f0fbf68 a9ffe440 00000000 7f0c5fdc 80b01720 80b01720 a9ffe440 7f11f000 3e20: 00000000 00000001 5624ce5c 80009730 abc7b120 800e316c 000000c8 a9209a00 3e40: 8040003f 00000001 00010000 800b0dfc 000000c8 8040003f abc7dc60 80afc2b0 3e60: abc75880 80afc260 a8001f00 80afe6c0 00000124 800e4944 7f0f9718 00000001 3e80: 7f0f9718 00000001 a9ffeb00 7f0f9718 a9db31c0 8078e47c 7f0f9718 a9db31c0 3ea0: a9153f58 00000001 a9db31c8 80094094 7f0f9724 00007fff 800910d4 00000000 3ec0: 00000000 7f0f9760 00000000 7f0f9860 c0fce8f4 7f0f9724 00000000 8079aa0c 3ee0: c0f07000 000c7944 00b6817a 00000000 0000000e 00000000 00000000 00000000 3f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 3f20: 00000000 00000000 00000000 00000000 00000640 00000000 00000003 01608348 3f40: 0000017b 8000f604 a9152000 00000000 01608270 800944f8 c0f07000 000c7944 3f60: c0fce28c c0f83439 c0f99248 0007aff8 0008f968 00000000 00000000 00000000 3f80: 00000029 0000002a 00000020 00000024 00000015 00000000 01608348 00000073 3fa0: 00000000 8000f480 01608348 00000073 00000003 01608348 00000000 00000000 3fc0: 01608348 00000073 00000000 0000017b 01608218 00000000 00000073 01608270 3fe0: 7e9ab8c0 7e9ab8b0 0001f2c0 76eac340 600d0010 00000003 00000000 00000000 [<80513170>] (mmc_sdio_remove) from [<7f0c58f4>] (dhd_wifi_platform_load+0x180/0x39c [bcmdhd]) [<7f0c58f4>] (dhd_wifi_platform_load [bcmdhd]) from [<80381140>] (platform_drv_probe+0x44/0xac) [<80381140>] (platform_drv_probe) from [<8037f9dc>] (driver_probe_device+0x174/0x2b4) [<8037f9dc>] (driver_probe_device) from [<8037fbec>] (__driver_attach+0x8c/0x90) [<8037fbec>] (__driver_attach) from [<8037e068>] (bus_for_each_dev+0x68/0x9c) [<8037e068>] (bus_for_each_dev) from [<8037f16c>] (bus_add_driver+0x148/0x1f0) [<8037f16c>] (bus_add_driver) from [<803801ec>] (driver_register+0x78/0xf8) [<803801ec>] (driver_register) from [<7f0c5fdc>] (dhd_wifi_platform_register_drv+0x1bc/0x208 [bcmdhd]) [<7f0c5fdc>] (dhd_wifi_platform_register_drv [bcmdhd]) from [<80009730>] (do_one_initcall+0x8c/0x1d4) [<80009730>] (do_one_initcall) from [<8078e47c>] (do_init_module+0x5c/0x1a8) [<8078e47c>] (do_init_module) from [<80094094>] (load_module+0x1ba8/0x1e50) [<80094094>] (load_module) from [<800944f8>] (SyS_finit_module+0x80/0x90) [<800944f8>] (SyS_finit_module) from [<8000f480>] (ret_fast_syscall+0x0/0x3c) Signed-off-by: Dong Aisheng <aisheng.dong@nxp.com> (cherry picked from commit 2ce993c)

Do sanity check before calling mmc_force_remove. BCM WiFi driver will call wifi_card_detect(false) if probe fails due to no card exists on board. This is needed for Android BSP since Android has builtin WiFi drver and some boards may not have WiFi cards pluged. Then the kernel dump likes follows may appear. ---------------------------------------------- dhd_module_init in Power-up adapter 'DHD generic adapter' wifi_platform_bus_enumerate device present 1 mmc1: mmc_rescan_try_freq: trying to init card at 400000 Hz mmc1: mmc_rescan_try_freq: trying to init card at 300000 Hz mmc1: mmc_rescan_try_freq: trying to init card at 200000 Hz mmc1: mmc_rescan_try_freq: trying to init card at 100000 Hz failed to power up DHD generic adapter, 3 retry left wifi_platform_bus_enumerate device present 0 ------------[ cut here ]------------ Kernel BUG at 8051247c [verbose debug info unavailable] Internal error: Oops - BUG: 0 [varigit#1] PREEMPT SMP ARM Modules linked in: bcmdhd(+) ov5642_camera ov5640_camera_mipi_int ov5640_camera_int mxc_v4l2_capture ipu_bg_overlay_sdc ipu_still v4l2_int_device mxc_dcic ipu_prp_enc ipu_csi_enc ipu_fg_overlay_sdc evbug CPU: 3 PID: 1071 Comm: modprobe Not tainted 4.1.15-01591-g1393481 #1504 Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) task: a99be880 ti: a8dd8000 task.ti: a8dd8000 PC is at mmc_sdio_remove+0x70/0x74 LR is at mmc_sdio_force_remove+0xc/0x34 pc : [<8051247c>] lr : [<8051248c>] psr: 60070013 sp : a8dd9d00 ip : 00000000 fp : 00000000 r10: 7f100c98 r9 : 00000000 r8 : 7f0fc410 r7 : a8dd9d48 r6 : a83b1800 r5 : 00000000 r4 : a83b1800 r3 : 00000000 r2 : 00000000 r1 : 809b50c8 r0 : 00000000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c53c7d Table: 38cdc04a DAC: 00000015 Process modprobe (pid: 1071, stack limit = 0xa8dd8210) Stack: (0xa8dd9d00 to 0xa8dda000) 9d00: 00000000 a83b1800 00000000 00000000 a8dd9d48 8051248c 00000000 7f0ca6cc 9d20: a99be880 a90e6280 00000003 7f0ca920 fffffdfb a81af810 80bb570c 00000000 9d40: 00020002 00000000 a8dd9d48 a8dd9d48 00000000 7f100c98 7f100c98 a90e6280 9d60: fffffdfb 00000008 00000000 7f0fe490 56f19f1c 7f0cabe4 80bb6d74 a81af810 9d80: 7f0fe248 8037f864 8037f820 80bb6d74 a81af810 00000000 7f0fe248 8037e118 9da0: a81af810 7f0fe248 a81af844 80b1e8b0 00000000 8037e328 00000000 7f0fe248 9dc0: 8037e29c 8037c660 a8025c5c a8187a34 7f0fe248 a9547780 00000000 8037d8b4 9de0: 7f0f5028 7f0fe248 00000000 7f0fe248 00000000 a90e6280 80ba78f4 8037e92c 9e00: 00000000 7f100c98 00000000 7f0cb02c 00000000 80af7720 80af7720 a90e6280 9e20: 7f124000 00000000 00000001 80009730 00000000 8040003b abc7db80 800e1c68 9e40: 00000000 a935c340 8040003a abc83180 ab757000 80af257c 00000001 8040003a 9e60: 00000001 00000001 a8dd9e7c 80af2260 a8001f00 80af46c0 56f19f1c 800e32a0 9e80: 7f0fe448 a90e6108 a90e6240 7f0fe448 a90e6100 7f0fe490 56f19f1c 8078b2b0 9ea0: 7f0fe448 a90e6100 a8dd9f58 a90e6108 00000001 80092dd8 7f0fe454 00007fff 9ec0: 800902a8 a8928900 7f0fe490 00000000 7f0fe590 000015fa c1754bfc 7f0fe590 9ee0: c16d8000 000c823c 05de516a 00000000 0000000e 00000000 00000000 00000000 9f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9f20: 00000000 00000000 00000000 00000000 00000648 00000000 00000003 01111348 9f40: 0000017b 8000f644 a8dd8000 00000000 00000073 8009352c c16d8000 000c823c 9f60: c175456c c17543a5 c17957ec 0007ad30 0008f7c0 00000000 00000000 00000000 9f80: 0000002a 0000002b 0000001f 00000023 00000014 00000000 01111348 00000000 9fa0: 00000000 8000f4c0 01111348 00000000 00000003 01111348 00000000 00040000 9fc0: 01111348 00000000 00000000 0000017b 00000000 01111218 00000073 00000073 9fe0: 7ec5d950 7ec5d940 0001f0dc 76ecf610 600d0010 00000003 00000000 00000000 [<8051247c>] (mmc_sdio_remove) from [<8051248c>] (mmc_sdio_force_remove+0xc/0x34) [<8051248c>] (mmc_sdio_force_remove) from [<7f0ca6cc>] (wifi_platform_bus_enumerate+0x54/0x90 [bcmdhd]) [<7f0ca6cc>] (wifi_platform_bus_enumerate [bcmdhd]) from [<7f0ca920>] (dhd_wifi_platform_load+0x17c/0x39c [bcmdhd]) [<7f0ca920>] (dhd_wifi_platform_load [bcmdhd]) from [<7f0cabe4>] (wifi_plat_dev_drv_probe+0xa4/0x124 [bcmdhd]) [<7f0cabe4>] (wifi_plat_dev_drv_probe [bcmdhd]) from [<8037f864>] (platform_drv_probe+0x44/0xa4) [<8037f864>] (platform_drv_probe) from [<8037e118>] (driver_probe_device+0x174/0x2b4) [<8037e118>] (driver_probe_device) from [<8037e328>] (__driver_attach+0x8c/0x90) [<8037e328>] (__driver_attach) from [<8037c660>] (bus_for_each_dev+0x6c/0xa0) [<8037c660>] (bus_for_each_dev) from [<8037d8b4>] (bus_add_driver+0x148/0x1f0) [<8037d8b4>] (bus_add_driver) from [<8037e92c>] (driver_register+0x78/0xf8) [<8037e92c>] (driver_register) from [<7f0cb02c>] (dhd_wifi_platform_register_drv+0x1cc/0x20c [bcmdhd]) [<7f0cb02c>] (dhd_wifi_platform_register_drv [bcmdhd]) from [<80009730>] (do_one_initcall+0x8c/0x1d4) [<80009730>] (do_one_initcall) from [<8078b2b0>] (do_init_module+0x5c/0x1a8) [<8078b2b0>] (do_init_module) from [<80092dd8>] (load_module+0x177c/0x1d4c) [<80092dd8>] (load_module) from [<8009352c>] (SyS_finit_module+0x64/0x74) [<8009352c>] (SyS_finit_module) from [<8000f4c0>] (ret_fast_syscall+0x0/0x3c) Code: e3a03000 e58631f8 e5863228 e8bd80f8 (e7f001f2) ---[ end trace 6f28ec270544e09e ]--- Segmentation fault root@imx6qdlsolo:~# Signed-off-by: Dong Aisheng <aisheng.dong@nxp.com>

when do vte test it meets follow dump in small probability. Add against-0 check to resovle this. $ v4l_emma.sh 1 1 $ v4l_emma.sh 1 9 ------------[ cut here ]------------ : /dev/video1 Set PARM sucessfulWARNING: CPU: 0 PID: 1123 at /home/bamboo/build/4.1.X-1.0.0_ga/fsl- imx-fb/temp_build_dir/build_fsl-imx-fb/tmp/work-shared/imx6qdlsolo/kernel-source/mm/page_alloc.c:266 5 __alloc_pages_nodemask+0x3c8/0x894() ly v4l_capture_testapp 0 TINModules linked in:FO : /dev/video1 input formatti mx6s_captureng pass v4l_capture_testapp 0 ov5640_camera TINFO : PRP_ENC_ON_D gpRGBcon evbugv_buf malloc pass! CPU: 0 PID: 1123 Comm: v4l2_capture_em Not tainted 4.1.8-1.0.0+g87e6c2f varigit#1 Hardware name: Freescale i.MX6 Ultralite (Device Tree) [<80015d84>] (unwind_backtrace) from [<80012728>] (show_stack+0x10/0x14) [<80012728>] (show_stack) from [<80750a54>] (dump_stack+0x84/0xc4) [<80750a54>] (dump_stack) from [<80032f3c>] (warn_slowpath_common+0x80/0xb0) [<80032f3c>] (warn_slowpath_common) from [<80033008>] (warn_slowpath_null+0x1c/0x24) [<80033008>] (warn_slowpath_null) from [<800b2cc4>] (__alloc_pages_nodemask+0x3c8/0x894) [<800b2cc4>] (__alloc_pages_nodemask) from [<8001ba3c>] (__dma_alloc_buffer.isra.3+0x2c/0x84) [<8001ba3c>] (__dma_alloc_buffer.isra.3) from [<8001bab0>] (__alloc_remap_buffer.isra.6+0x1c/0x8c) [<8001bab0>] (__alloc_remap_buffer.isra.6) from [<8001bd1c>] (__dma_alloc+0x1fc/0x228) [<8001bd1c>] (__dma_alloc) from [<8001be78>] (arm_dma_alloc+0x8c/0xa0) [<8001be78>] (arm_dma_alloc) from [<804cd934>] (vb2_dc_alloc+0x68/0x100) [<804cd934>] (vb2_dc_alloc) from [<804c7df8>] (__vb2_queue_alloc+0x134/0x4d0) [<804c7df8>] (__vb2_queue_alloc) from [<804ca794>] (__reqbufs.isra.17+0x1a8/0x304) [<804ca794>] (__reqbufs.isra.17) from [<804b7ac0>] (__video_do_ioctl+0x2b0/0x324) [<804b7ac0>] (__video_do_ioctl) from [<804b753c>] (video_usercopy+0x1b8/0x480) [<804b753c>] (video_usercopy) from [<804b3f34>] (v4l2_ioctl+0x118/0x150) [<804b3f34>] (v4l2_ioctl) from [<800f8360>] (do_vfs_ioctl+0x3e8/0x608) [<800f8360>] (do_vfs_ioctl) from [<800f85b4>] (SyS_ioctl+0x34/0x5c) [<800f85b4>] (SyS_ioctl) from [<8000f480>] (ret_fast_syscall+0x0/0x3c) ---[ end trace 55ed68f89eca4805 ]--- mx6s-csi 21c4000.csi: dma_alloc_coherent of size 0 failed Signed-off-by: Robby Cai <robby.cai@nxp.com>

Commit 8b13edd ("netfilter: refactor NAT redirect IPv4 to use it from nf_tables") has introduced a trivial logic change which can result in the following crash. BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 IP: [<ffffffffa033002d>] nf_nat_redirect_ipv4+0x2d/0xa0 [nf_nat_redirect] PGD 3ba662067 PUD 3ba661067 PMD 0 Oops: 0000 [varigit#1] SMP Modules linked in: ipv6(E) xt_REDIRECT(E) nf_nat_redirect(E) xt_tcpudp(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) nf_conntrack(E) ip_tables(E) x_tables(E) binfmt_misc(E) xfs(E) libcrc32c(E) evbug(E) evdev(E) psmouse(E) i2c_piix4(E) i2c_core(E) acpi_cpufreq(E) button(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E) CPU: 0 PID: 2536 Comm: ip Tainted: G E 4.1.7-15.23.amzn1.x86_64 varigit#1 Hardware name: Xen HVM domU, BIOS 4.2.amazon 05/06/2015 task: ffff8800eb438000 ti: ffff8803ba664000 task.ti: ffff8803ba664000 [...] Call Trace: <IRQ> [<ffffffffa0334065>] redirect_tg4+0x15/0x20 [xt_REDIRECT] [<ffffffffa02e2e99>] ipt_do_table+0x2b9/0x5e1 [ip_tables] [<ffffffffa0328045>] iptable_nat_do_chain+0x25/0x30 [iptable_nat] [<ffffffffa031777d>] nf_nat_ipv4_fn+0x13d/0x1f0 [nf_nat_ipv4] [<ffffffffa0328020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat] [<ffffffffa031785e>] nf_nat_ipv4_in+0x2e/0x90 [nf_nat_ipv4] [<ffffffffa03280a5>] iptable_nat_ipv4_in+0x15/0x20 [iptable_nat] [<ffffffff81449137>] nf_iterate+0x57/0x80 [<ffffffff814491f7>] nf_hook_slow+0x97/0x100 [<ffffffff814504d4>] ip_rcv+0x314/0x400 unsigned int nf_nat_redirect_ipv4(struct sk_buff *skb, ... { ... rcu_read_lock(); indev = __in_dev_get_rcu(skb->dev); if (indev != NULL) { ifa = indev->ifa_list; newdst = ifa->ifa_local; <--- } rcu_read_unlock(); ... } Before the commit, 'ifa' had been always checked before access. After the commit, however, it could be accessed even if it's NULL. Interestingly, this was once fixed in 2003. http://marc.info/?l=netfilter-devel&m=106668497403047&w=2 In addition to the original one, we have seen the crash when packets that need to be redirected somehow arrive on an interface which hasn't been yet fully configured. This change just reverts the logic to the old behavior to avoid the crash. Fixes: 8b13edd ("netfilter: refactor NAT redirect IPv4 to use it from nf_tables") Signed-off-by: Munehisa Kamata <kamatam@amazon.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

varigit pushed a commit that referenced this issue Dec 22, 2014

Update operating-points to support reboot select wdog #1

2cb50d3

eranmati closed this as completed Aug 29, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ov5642 parallel camera #1

ov5642 parallel camera #1

rohanbhargava11 commented Sep 30, 2014

varigit commented Sep 30, 2014

rohanbhargava11 commented Sep 30, 2014

varigit commented Sep 30, 2014

Radekp81 commented Jun 11, 2015

ov5642 parallel camera #1

ov5642 parallel camera #1

Comments

rohanbhargava11 commented Sep 30, 2014

varigit commented Sep 30, 2014

rohanbhargava11 commented Sep 30, 2014

varigit commented Sep 30, 2014

Radekp81 commented Jun 11, 2015