| Age | Commit message (Collapse) | Author |
|---|
|
Use a pinmux configuration for SD/MMC card detect and SPI chip
select instead of relying on reset/boot settings. There have
been no adverse effects observed, but it seems sensible to mux
the pads explicitly.
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
The device tree got changed to use the simple card driver, so enable it
in the defconfig.
While at it remove the IMX_SGTL5000 driver now replaced by the simple card driver.
While at it remove the unused ESAI driver.
While at it remove the unused CS42XX8_I2C codec driver.
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Stefan Agner <stefan.agner@toradex.com>
|
|
Forward porting of 35928d6c6a to 6e9e049fa introduced a bug for host
controllers which are not aliased in the device tree. Instead of
instantiating the driver it fails with:
sdhci-esdhc-imx 2194000.usdhc: sdhci_pltfm_init failed -12
sdhci-esdhc-imx: probe of 2194000.usdhc failed with error -12
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
This reverts commit 5f60d82d38a8af8529d1493463e301e548595ccb.
Several modules have issues with HS400 at 100MHz at room temperature
but they seem to work fine at HS400 at 200MHz. Do not restrict
frequency for now.
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
The Capacitive Touch Adapter is an interface board designed to easily
connect the Capacitive Touch Display 7" Parallel to the Colibri Carrier
boards which do not have PCAP connector yet available on board.
Change the pins for interrupt and reset to those defined in the
Capacitive Touch Adapter's datasheet.
While at it remove the '#ifdef PCAP' in favour of disabled nodes.
That way one can fixup the device tree in U-Boot to disable the
pwm nodes and enable the connected touch controller.
e.g. for a Colibri iMX6S/DL:
Colibri iMX6 # setenv fdt_fixup 'fdt addr ${fdt_addr_r} && fdt resize && fdt set /soc/aips-bus@02100000/i2c@021a8000/atmel_mxt_ts@4a status okay; fdt set /soc/aips-bus@02000000/pwm@02080000 status disabled; fdt set /soc/aips-bus@02000000/pwm@0208c000 status disabled'
Colibri iMX6 # saveenv
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
Toradex Carrier boards use the ST M41T0 RTC (not M41T00). The RTC
is almost the same, but the M41T0 needs some special handling in
case the oscillator fails. Now that support for this difference is
available, using the new compatible string to make use of it.
Sync with commit 10e718b1c60c4e490e6972cfa58e97fcf5260685
Signed-off-by: Gerard Salvatella <gerard.salvatella@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
Synced with 558d378d522189ad68fcb00aff05fd134bf20924
Signed-off-by: Gerard Salvatella <gerard.salvatella@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
Add mxt nodes to dts and gpio-reset functionality.
Signed-off-by: Gerard Salvatella <gerard.salvatella@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
Signed-off-by: Gerard Salvatella <gerard.salvatella@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
Synchronize with commit fcfdb9c32075501e64751cc6a79fd91d15933692
Signed-off-by: Gerard Salvatella <gerard.salvatella@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
Provide support for controlling reset pin. If this is not driven
correctly the device will be held in reset and will not respond.
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
(cherry picked from commit f657b00df22e231da217ca0162a75db452475e8f)
Signed-off-by: Gerard Salvatella <gerard.salvatella@toradex.com>
|
|
Switch mxt_data and interrupt to resource managed allocation methods,
which cleans up the driver slightly and prepares for adding
reset GPIO support.
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
(cherry picked from commit 8cc8446b9b62ef954b630ed30e53bd1553e916a6)
Signed-off-by: Gerard Salvatella <gerard.salvatella@toradex.com>
|
|
Entry into recent versions of ARM Trusted Firmware will invalidate the CPU
branch predictor state in order to protect against aliasing attacks.
This patch exposes the PSCI "VERSION" function via psci_ops, so that it
can be invoked outside of the PSCI driver where necessary.
Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
(cherry picked commit from a6df699da786079b7e2249df3f3211be7862f0e1)
Signed-off-by: Jason Liu <jason.hui.liu@nxp.com>
|
|
A9, A12 and A17
In order to prevent aliasing attacks on the branch predictor,
invalidate the BTB on CPUs that are known to be affected when taking
a prefetch abort on a address that is outside of a user task limit.
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit a07373c8c365746583f25f49fee41b1bc0ff94b2)
Signed-off-by: Jason Liu <jason.hui.liu@nxp.com>
|
|
In order to avoid aliasing attacks against the branch predictor,
some implementations require to invalidate the BTB when switching
from one user context to another.
For this, we reuse the existing implementation for Cortex-A8, and
apply it to A9, A12 and A17.
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked commit from efcd0e857a656bbd1c1da15ff984ad6402332c61)
[jason: adapted to 4.9]
Signed-off-by: Jason Liu <jason.hui.liu@nxp.com>
|
|
Prepare FlexCAN use on SODIMM 55/63. Those SODIMM pins are compatible
for CAN bus use with several modules from the Colibri family.
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
Commit 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif")
changed many more clocks than only the SPDIF core clock as stated in
the commit message.
The MLB clock has been added and this causes SPDIF regression as
reported by Xavi Drudis Ferran and also in this forum post:
https://forum.digikey.com/thread/34240
The MX6Q Reference Manual does not mention that MLB is a clock related
to SPDIF, so change it back to a dummy clock to restore SPDIF
functionality.
Thanks to Ambika for providing the fix at:
https://community.nxp.com/thread/387131
Fixes: 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif")
Cc: <stable@vger.kernel.org> # 4.4.x
Reported-by: Xavi Drudis Ferran <xdrudis@tinet.cat>
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Tested-by: Xavi Drudis Ferran <xdrudis@tinet.cat>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
(cherry picked from commit f065e9e4addd75c21bb976bb2558648bf4f61de6)
This fix was correct, but overwritten by commit 833f2cbf7091099baee28136dc68678e974c0ac5.
MLB (Media Local Bus) Clock is in fact not related to SPDIF according to the MX6Q Reference
Manual. Tested playback and record on pulseaudio with 44.1kHz samples.
Signed-off-by: Gerard Salvatella <gerard.salvatella@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
The Colibri iMX6ULL 256MB crashes in resume if the M/F mix domain is
powered down when suspending.
With this workaround this does not happen.
Crash looks as follows:
root@colibri-imx6ull:~# echo +3 > /sys/class/rtc/rtc1/wakealarm; echo mem > /sys/power/state
[ 52.800741] PM: Syncing filesystems ... done.
[ 52.856715] Freezing user space processes ... (elapsed 0.001 seconds) done.
[ 52.865669] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
[ 52.875024] Suspending console(s) (use no_console_suspend to debug)
[ 52.950638] PM: suspend of devices complete after 68.211 msecs
[ 52.952506] PM: late suspend of devices complete after 1.835 msecs
[ 52.954292] PM: noirq suspend of devices complete after 1.757 msecs
[ 52.954300] Disabling non-boot CPUs ...
[ 52.954307] Turn off M/F mix!
[ 52.955663] PM: noirq resume of devices complete after 1.222 msecs
[ 52.956767] imx-sdma 20ec000.sdma: loaded firmware 3.3
[ 52.957669] PM: early resume of devices complete after 1.411 msecs
[ 52.959140] gpmi-nand 1806000.gpmi-nand: use legacy bch geometry
[ 53.005653] Suspended for 2.907 seconds
[ 53.012207] PM: resume of devices complete after 54.507 msecs
[ 53.073751] Restarting tasks ... done.
root@colibri-imx6ull:~# [ 55.049753] gpmi-nand 1806000.gpmi-nand: DMA timeout, last DMA :2
[ 55.056377] gpmi-nand 1806000.gpmi-nand: Show GPMI registers :
[ 55.062835] gpmi-nand 1806000.gpmi-nand: offset 0x000 : 0x00000000
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
dtc recently added PCI bus checks. Fix these warnings.
Signed-off-by: Rob Herring <robh@kernel.org>
Cc: Sascha Hauer <kernel@pengutronix.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
(cherry picked from commit 3e1b857786f0d46a92b3a4d7878767883ed90bdc)
|
|
This reverts commit 9a4bf05126f42c2632729ab0da503021d74ed454.
With this commit the PCIe enumaration fails. A follow up commit further
addresses the issue.
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
To operate RS-485 on Toradex Carrier Boards a low active RTS signal
is required. Furthermore, a low active RTS signal requires the
receiver to be active (this seems to be a hardware limitation of the
i.MX UART).
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
Add device tree properties to influence RTS polarity and whether
the receiver is enabled during transmission (rs485-rts-active-low,
rs485-rx-during-tx).
This aligns with behavior with upstream Linux, where RTS is active
high by default (SER_RS485_RTS_AFTER_SEND) and the receiver is
disabled by default when using RS485 (SER_RS485_RX_DURING_TX).
Note that for Toradex hardware both properties are required, hence
using RS-485 on Toradex Carrier Boards requires the following
properties being specified in the device tree:
linux,rs485-enabled-at-boot-time;
rs485-rts-active-low;
rs485-rx-during-tx;
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
Signed-off-by: Andri Schmidt <a.schmidt@scewo.ch>
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
|
|
pci-imx6.c:303:20: warning: unused variable 'pp' [-Wunused-variable]
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
|
|
4.9 1.0.x imx stable merge
|
|
SDHCI falls back to fixed sampling if there is an error during tuning.
However it also reports an error unless there is periodic re-tuning.
That is not the best option because:
a) there is a reasonable chance that fixed sampling will work, especially
at room temperature.
b) re-tuning will be done again anyway if there are CRC errors.
Change to return no error always when falling back to fixed sampling.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
(cherry picked from commit 0760c355525c08dd598e86edb2a310688ac8af4c)
|
|
This seems to limit possible baud rates due to lower input clock.
Since Toradex modules do not use UART5/6 as console, do not set
clock explicitly.
This reverts commit 4f447cb8bccb1d40973e46478d7b11aa61961c90.
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
This seems to limit possible baud rates due to lower input clock.
Since Toradex modules do not use UART3 as console, do not set
clock explicitly.
This reverts commit 89869792e2f59c81354f9a53280c4eb6e95f4a9a.
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
Remove duplicate nodes introduced with the move to L4.9.11
release.
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
The new Apalis iMX6 Mezzanine board allows access to the MIPI-CSI2
interface from the evaluation board. The current device tree has
different GPIO pin assignments for the camera reset and power pins.
Change the pin assignment to use Apalis GPIO1 for reset and Apalis
GPIO2 for power down.
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
Add timings for LTTD1280800101-L4WH-CT1 panel used in the new
Capacitive Touch 10.1" LVDS display.
Note that the color mapping is to be set as follows:
fsl,data-mapping = "spwg";
fsl,data-width = <24>;
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
The Atmel maXTouch multitouch controller driver does not control the
reset line connected to the chip. Use a GPIO reset controller node to
release the reset line and make the controller work.
Note that both the reset controller's and the mxt mutitouch controller's
node are set to disabled. Either change this in the dtsi source or fix
this from U-Boot if you use an Atmel maXTouch multitouch controller.
setenv fdt_fixup 'fdt addr ${fdt_addr_r} && fdt set /soc/aips-bus@02100000/i2c@021a0000/atmel_mxt_ts@4a status okay && fdt set /mxt-reset status okay'
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
Add support to allow configuring the display timings via
kernel command line.
e.g.:
video=mxsfb:800x480M-16@60,pixclockpol=1,outputen=1
Signed-off-by: Bhuvanchandra DV <bhuvanchandra.dv@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
(cherry picked from commit 22db6beb45cba5a67cab9e9a55cd60d7471591d9)
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Conflicts:
drivers/video/fbdev/mxsfb.c
|
|
Configure Ethernet clock source for each FEC instance individually.
This allows to use different clock source setting for the two FEC
controllers.
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
Exit early in case General-Purpose Registers are missing. This makes
sure that clock is always freed properly (clk_put).
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
Add alias for Ethernet controllers. This allows code to determine
id of controllers using of_alias_get_id.
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
|
|
Commit 95c163471135 ("usb: chipidea: use of extcon framework to
work for non OTG case") requires both pins to be specified (ID and
VBUS pin) to work correctly.
Fix the remaining dts.
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
Commit 95c163471135 ("usb: chipidea: use of extcon framework to
work for non OTG case") requires both pins to be specified (ID and
VBUS pin) to work correctly.
Fix the remaining dts.
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
Commit 95c163471135 ("usb: chipidea: use of extcon framework to
work for non OTG case") requires both pins to be specified (ID and
VBUS pin) to work correctly.
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
toradex_4.9-1.0.x-imx-next
|
|
This is the 4.9.87 stable release
Conflicts:
drivers/dma/fsl-edma.c
|
|
|
|
commit d7d824966530acfe32b94d1ed672e6fe1638cd68 upstream.
When changing a file's acl mask, btrfs_set_acl() will first set the
group bits of i_mode to the value of the mask, and only then set the
actual extended attribute representing the new acl.
If the second part fails (due to lack of space, for example) and the
file had no acl attribute to begin with, the system will from now on
assume that the mask permission bits are actual group permission bits,
potentially granting access to the wrong users.
Prevent this by restoring the original mode bits if __btrfs_set_acl
fails.
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ upstream commit d269176e766c71c998cb75b4ea8cbc321cc0019d ]
While working on 16338a9b3ac3 ("bpf, arm64: fix out of bounds access in
tail call") I noticed that ppc64 JIT is partially affected as well. While
the bound checking is correctly performed as unsigned comparison, the
register with the index value however, is never truncated into 32 bit
space, so e.g. a index value of 0x100000000ULL with a map of 1 element
would pass with PPC_CMPLW() whereas we later on continue with the full
64 bit register value. Therefore, as we do in interpreter and other JITs
truncate the value to 32 bit initially in order to fix access.
Fixes: ce0761419fae ("powerpc/bpf: Implement support for tail calls")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Tested-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ upstream commit 32fff239de37ef226d5b66329dd133f64d63b22d ]
syszbot managed to trigger RCU detected stalls in
bpf_array_free_percpu()
It takes time to allocate a huge percpu map, but even more time to free
it.
Since we run in process context, use cond_resched() to yield cpu if
needed.
Fixes: a10423b87a7e ("bpf: introduce BPF_MAP_TYPE_PERCPU_ARRAY map")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ upstream commit 16338a9b3ac30740d49f5dfed81bac0ffa53b9c7 ]
I recently noticed a crash on arm64 when feeding a bogus index
into BPF tail call helper. The crash would not occur when the
interpreter is used, but only in case of JIT. Output looks as
follows:
[ 347.007486] Unable to handle kernel paging request at virtual address fffb850e96492510
[...]
[ 347.043065] [fffb850e96492510] address between user and kernel address ranges
[ 347.050205] Internal error: Oops: 96000004 [#1] SMP
[...]
[ 347.190829] x13: 0000000000000000 x12: 0000000000000000
[ 347.196128] x11: fffc047ebe782800 x10: ffff808fd7d0fd10
[ 347.201427] x9 : 0000000000000000 x8 : 0000000000000000
[ 347.206726] x7 : 0000000000000000 x6 : 001c991738000000
[ 347.212025] x5 : 0000000000000018 x4 : 000000000000ba5a
[ 347.217325] x3 : 00000000000329c4 x2 : ffff808fd7cf0500
[ 347.222625] x1 : ffff808fd7d0fc00 x0 : ffff808fd7cf0500
[ 347.227926] Process test_verifier (pid: 4548, stack limit = 0x000000007467fa61)
[ 347.235221] Call trace:
[ 347.237656] 0xffff000002f3a4fc
[ 347.240784] bpf_test_run+0x78/0xf8
[ 347.244260] bpf_prog_test_run_skb+0x148/0x230
[ 347.248694] SyS_bpf+0x77c/0x1110
[ 347.251999] el0_svc_naked+0x30/0x34
[ 347.255564] Code: 9100075a d280220a 8b0a002a d37df04b (f86b694b)
[...]
In this case the index used in BPF r3 is the same as in r1
at the time of the call, meaning we fed a pointer as index;
here, it had the value 0xffff808fd7cf0500 which sits in x2.
While I found tail calls to be working in general (also for
hitting the error cases), I noticed the following in the code
emission:
# bpftool p d j i 988
[...]
38: ldr w10, [x1,x10]
3c: cmp w2, w10
40: b.ge 0x000000000000007c <-- signed cmp
44: mov x10, #0x20 // #32
48: cmp x26, x10
4c: b.gt 0x000000000000007c
50: add x26, x26, #0x1
54: mov x10, #0x110 // #272
58: add x10, x1, x10
5c: lsl x11, x2, #3
60: ldr x11, [x10,x11] <-- faulting insn (f86b694b)
64: cbz x11, 0x000000000000007c
[...]
Meaning, the tests passed because commit ddb55992b04d ("arm64:
bpf: implement bpf_tail_call() helper") was using signed compares
instead of unsigned which as a result had the test wrongly passing.
Change this but also the tail call count test both into unsigned
and cap the index as u32. Latter we did as well in 90caccdd8cc0
("bpf: fix bpf_tail_call() x64 JIT") and is needed in addition here,
too. Tested on HiSilicon Hi1616.
Result after patch:
# bpftool p d j i 268
[...]
38: ldr w10, [x1,x10]
3c: add w2, w2, #0x0
40: cmp w2, w10
44: b.cs 0x0000000000000080
48: mov x10, #0x20 // #32
4c: cmp x26, x10
50: b.hi 0x0000000000000080
54: add x26, x26, #0x1
58: mov x10, #0x110 // #272
5c: add x10, x1, x10
60: lsl x11, x2, #3
64: ldr x11, [x10,x11]
68: cbz x11, 0x0000000000000080
[...]
Fixes: ddb55992b04d ("arm64: bpf: implement bpf_tail_call() helper")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ upstream commit a493a87f38cfa48caaa95c9347be2d914c6fdf29 ]
Implement a retpoline [0] for the BPF tail call JIT'ing that converts
the indirect jump via jmp %rax that is used to make the long jump into
another JITed BPF image. Since this is subject to speculative execution,
we need to control the transient instruction sequence here as well
when CONFIG_RETPOLINE is set, and direct it into a pause + lfence loop.
The latter aligns also with what gcc / clang emits (e.g. [1]).
JIT dump after patch:
# bpftool p d x i 1
0: (18) r2 = map[id:1]
2: (b7) r3 = 0
3: (85) call bpf_tail_call#12
4: (b7) r0 = 2
5: (95) exit
With CONFIG_RETPOLINE:
# bpftool p d j i 1
[...]
33: cmp %edx,0x24(%rsi)
36: jbe 0x0000000000000072 |*
38: mov 0x24(%rbp),%eax
3e: cmp $0x20,%eax
41: ja 0x0000000000000072 |
43: add $0x1,%eax
46: mov %eax,0x24(%rbp)
4c: mov 0x90(%rsi,%rdx,8),%rax
54: test %rax,%rax
57: je 0x0000000000000072 |
59: mov 0x28(%rax),%rax
5d: add $0x25,%rax
61: callq 0x000000000000006d |+
66: pause |
68: lfence |
6b: jmp 0x0000000000000066 |
6d: mov %rax,(%rsp) |
71: retq |
72: mov $0x2,%eax
[...]
* relative fall-through jumps in error case
+ retpoline for indirect jump
Without CONFIG_RETPOLINE:
# bpftool p d j i 1
[...]
33: cmp %edx,0x24(%rsi)
36: jbe 0x0000000000000063 |*
38: mov 0x24(%rbp),%eax
3e: cmp $0x20,%eax
41: ja 0x0000000000000063 |
43: add $0x1,%eax
46: mov %eax,0x24(%rbp)
4c: mov 0x90(%rsi,%rdx,8),%rax
54: test %rax,%rax
57: je 0x0000000000000063 |
59: mov 0x28(%rax),%rax
5d: add $0x25,%rax
61: jmpq *%rax |-
63: mov $0x2,%eax
[...]
* relative fall-through jumps in error case
- plain indirect jump as before
[0] https://support.google.com/faqs/answer/7625886
[1] https://github.com/gcc-mirror/gcc/commit/a31e654fa107be968b802786d747e962c2fcdb2b
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ upstream commit 9c2d63b843a5c8a8d0559cc067b5398aa5ec3ffc ]
syzkaller recently triggered OOM during percpu map allocation;
while there is work in progress by Dennis Zhou to add __GFP_NORETRY
semantics for percpu allocator under pressure, there seems also a
missing bpf_map_precharge_memlock() check in array map allocation.
Given today the actual bpf_map_charge_memlock() happens after the
find_and_alloc_map() in syscall path, the bpf_map_precharge_memlock()
is there to bail out early before we go and do the map setup work
when we find that we hit the limits anyway. Therefore add this for
array map as well.
Fixes: 6c9059817432 ("bpf: pre-allocate hash map elements")
Fixes: a10423b87a7e ("bpf: introduce BPF_MAP_TYPE_PERCPU_ARRAY map")
Reported-by: syzbot+adb03f3f0bb57ce3acda@syzkaller.appspotmail.com
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Dennis Zhou <dennisszhou@gmail.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ upstream commit a316338cb71a3260201490e615f2f6d5c0d8fb2c ]
trie_alloc() always needs to have BPF_F_NO_PREALLOC passed in via
attr->map_flags, since it does not support preallocation yet. We
check the flag, but we never copy the flag into trie->map.map_flags,
which is later on exposed into fdinfo and used by loaders such as
iproute2. Latter uses this in bpf_map_selfcheck_pinned() to test
whether a pinned map has the same spec as the one from the BPF obj
file and if not, bails out, which is currently the case for lpm
since it exposes always 0 as flags.
Also copy over flags in array_map_alloc() and stack_map_alloc().
They always have to be 0 right now, but we should make sure to not
miss to copy them over at a later point in time when we add actual
flags for them to use.
Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation")
Reported-by: Jarno Rajahalme <jarno@covalent.io>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
