<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/irqchip, branch linux-4.1.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>irqchip/gic-v3-its: Ensure nr_ites &gt;= nr_lpis</title>
<updated>2018-05-23T01:33:48+00:00</updated>
<author>
<name>Ard Biesheuvel</name>
<email>ard.biesheuvel@linaro.org</email>
</author>
<published>2018-03-06T15:51:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d9d72dc5605e9a97c66f03e239bd459528a99b5c'/>
<id>d9d72dc5605e9a97c66f03e239bd459528a99b5c</id>
<content type='text'>
[ Upstream commit 4f2c7583e33eb08dc09dd2e25574b80175ba7d93 ]

When struct its_device instances are created, the nr_ites member
will be set to a power of 2 that equals or exceeds the requested
number of MSIs passed to the msi_prepare() callback. At the same
time, the LPI map is allocated to be some multiple of 32 in size,
where the allocated size may be less than the requested size
depending on whether a contiguous range of sufficient size is
available in the global LPI bitmap.

This may result in the situation where the nr_ites &lt; nr_lpis, and
since nr_ites is what we program into the hardware when we map the
device, the additional LPIs will be non-functional.

For bog standard hardware, this does not really matter. However,
in cases where ITS device IDs are shared between different PCIe
devices, we may end up allocating these additional LPIs without
taking into account that they don't actually work.

So let's make nr_ites at least 32. This ensures that all allocated
LPIs are 'live', and that its_alloc_device_irq() will fail when
attempts are made to allocate MSIs beyond what was allocated in
the first place.

Signed-off-by: Ard Biesheuvel &lt;ard.biesheuvel@linaro.org&gt;
[maz: updated comment]
Signed-off-by: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 4f2c7583e33eb08dc09dd2e25574b80175ba7d93 ]

When struct its_device instances are created, the nr_ites member
will be set to a power of 2 that equals or exceeds the requested
number of MSIs passed to the msi_prepare() callback. At the same
time, the LPI map is allocated to be some multiple of 32 in size,
where the allocated size may be less than the requested size
depending on whether a contiguous range of sufficient size is
available in the global LPI bitmap.

This may result in the situation where the nr_ites &lt; nr_lpis, and
since nr_ites is what we program into the hardware when we map the
device, the additional LPIs will be non-functional.

For bog standard hardware, this does not really matter. However,
in cases where ITS device IDs are shared between different PCIe
devices, we may end up allocating these additional LPIs without
taking into account that they don't actually work.

So let's make nr_ites at least 32. This ensures that all allocated
LPIs are 'live', and that its_alloc_device_irq() will fail when
attempts are made to allocate MSIs beyond what was allocated in
the first place.

Signed-off-by: Ard Biesheuvel &lt;ard.biesheuvel@linaro.org&gt;
[maz: updated comment]
Signed-off-by: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()</title>
<updated>2018-03-04T15:28:34+00:00</updated>
<author>
<name>Shanker Donthineni</name>
<email>shankerd@codeaurora.org</email>
</author>
<published>2018-02-01T00:03:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1bb0e77e4dd294837e99ceb492560074d68c896e'/>
<id>1bb0e77e4dd294837e99ceb492560074d68c896e</id>
<content type='text'>
[ Upstream commit 21ec30c0ef5234fb1039cc7c7737d885bf875a9e ]

A DMB instruction can be used to ensure the relative order of only
memory accesses before and after the barrier. Since writes to system
registers are not memory operations, barrier DMB is not sufficient
for observability of memory accesses that occur before ICC_SGI1R_EL1
writes.

A DSB instruction ensures that no instructions that appear in program
order after the DSB instruction, can execute until the DSB instruction
has completed.

Cc: stable@vger.kernel.org
Acked-by: Will Deacon &lt;will.deacon@arm.com&gt;,
Signed-off-by: Shanker Donthineni &lt;shankerd@codeaurora.org&gt;
Signed-off-by: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 21ec30c0ef5234fb1039cc7c7737d885bf875a9e ]

A DMB instruction can be used to ensure the relative order of only
memory accesses before and after the barrier. Since writes to system
registers are not memory operations, barrier DMB is not sufficient
for observability of memory accesses that occur before ICC_SGI1R_EL1
writes.

A DSB instruction ensures that no instructions that appear in program
order after the DSB instruction, can execute until the DSB instruction
has completed.

Cc: stable@vger.kernel.org
Acked-by: Will Deacon &lt;will.deacon@arm.com&gt;,
Signed-off-by: Shanker Donthineni &lt;shankerd@codeaurora.org&gt;
Signed-off-by: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>irqchip/crossbar: Fix incorrect type of register size</title>
<updated>2018-01-17T17:55:26+00:00</updated>
<author>
<name>Franck Demathieu</name>
<email>fdemathieu@gmail.com</email>
</author>
<published>2017-03-06T13:41:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a28fd13338eac8b47942e6b2bebfd1cee9f4aae8'/>
<id>a28fd13338eac8b47942e6b2bebfd1cee9f4aae8</id>
<content type='text'>
[ Upstream commit 4b9de5da7e120c7f02395da729f0ec77ce7a6044 ]

The 'size' variable is unsigned according to the dt-bindings.
As this variable is used as integer in other places, create a new variable
that allows to fix the following sparse issue (-Wtypesign):

  drivers/irqchip/irq-crossbar.c:279:52: warning: incorrect type in argument 3 (different signedness)
  drivers/irqchip/irq-crossbar.c:279:52:    expected unsigned int [usertype] *out_value
  drivers/irqchip/irq-crossbar.c:279:52:    got int *&lt;noident&gt;

Signed-off-by: Franck Demathieu &lt;fdemathieu@gmail.com&gt;
Signed-off-by: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 4b9de5da7e120c7f02395da729f0ec77ce7a6044 ]

The 'size' variable is unsigned according to the dt-bindings.
As this variable is used as integer in other places, create a new variable
that allows to fix the following sparse issue (-Wtypesign):

  drivers/irqchip/irq-crossbar.c:279:52: warning: incorrect type in argument 3 (different signedness)
  drivers/irqchip/irq-crossbar.c:279:52:    expected unsigned int [usertype] *out_value
  drivers/irqchip/irq-crossbar.c:279:52:    got int *&lt;noident&gt;

Signed-off-by: Franck Demathieu &lt;fdemathieu@gmail.com&gt;
Signed-off-by: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>irqchip/crossbar: Fix incorrect type of local variables</title>
<updated>2017-11-06T04:54:30+00:00</updated>
<author>
<name>Franck Demathieu</name>
<email>fdemathieu@gmail.com</email>
</author>
<published>2017-02-23T09:48:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d6770c5061eb694cd6f123de534d68b91a2f31b9'/>
<id>d6770c5061eb694cd6f123de534d68b91a2f31b9</id>
<content type='text'>
[ Upstream commit b28ace12661fbcfd90959c1e84ff5a85113a82a1 ]

The max and entry variables are unsigned according to the dt-bindings.
Fix following 3 sparse issues (-Wtypesign):

  drivers/irqchip/irq-crossbar.c:222:52: warning: incorrect type in argument 3 (different signedness)
  drivers/irqchip/irq-crossbar.c:222:52:    expected unsigned int [usertype] *out_value
  drivers/irqchip/irq-crossbar.c:222:52:    got int *&lt;noident&gt;

  drivers/irqchip/irq-crossbar.c:245:56: warning: incorrect type in argument 4 (different signedness)
  drivers/irqchip/irq-crossbar.c:245:56:    expected unsigned int [usertype] *out_value
  drivers/irqchip/irq-crossbar.c:245:56:    got int *&lt;noident&gt;

  drivers/irqchip/irq-crossbar.c:263:56: warning: incorrect type in argument 4 (different signedness)
  drivers/irqchip/irq-crossbar.c:263:56:    expected unsigned int [usertype] *out_value
  drivers/irqchip/irq-crossbar.c:263:56:    got int *&lt;noident&gt;

Signed-off-by: Franck Demathieu &lt;fdemathieu@gmail.com&gt;
Cc: marc.zyngier@arm.com
Cc: jason@lakedaemon.net
Link: http://lkml.kernel.org/r/20170223094855.6546-1-fdemathieu@gmail.com
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b28ace12661fbcfd90959c1e84ff5a85113a82a1 ]

The max and entry variables are unsigned according to the dt-bindings.
Fix following 3 sparse issues (-Wtypesign):

  drivers/irqchip/irq-crossbar.c:222:52: warning: incorrect type in argument 3 (different signedness)
  drivers/irqchip/irq-crossbar.c:222:52:    expected unsigned int [usertype] *out_value
  drivers/irqchip/irq-crossbar.c:222:52:    got int *&lt;noident&gt;

  drivers/irqchip/irq-crossbar.c:245:56: warning: incorrect type in argument 4 (different signedness)
  drivers/irqchip/irq-crossbar.c:245:56:    expected unsigned int [usertype] *out_value
  drivers/irqchip/irq-crossbar.c:245:56:    got int *&lt;noident&gt;

  drivers/irqchip/irq-crossbar.c:263:56: warning: incorrect type in argument 4 (different signedness)
  drivers/irqchip/irq-crossbar.c:263:56:    expected unsigned int [usertype] *out_value
  drivers/irqchip/irq-crossbar.c:263:56:    got int *&lt;noident&gt;

Signed-off-by: Franck Demathieu &lt;fdemathieu@gmail.com&gt;
Cc: marc.zyngier@arm.com
Cc: jason@lakedaemon.net
Link: http://lkml.kernel.org/r/20170223094855.6546-1-fdemathieu@gmail.com
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>irqchip: mips-gic: SYNC after enabling GIC region</title>
<updated>2017-10-04T01:36:40+00:00</updated>
<author>
<name>James Hogan</name>
<email>james.hogan@imgtec.com</email>
</author>
<published>2017-08-13T04:36:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c9656d09831cd142136ce2573a33c68870f919ce'/>
<id>c9656d09831cd142136ce2573a33c68870f919ce</id>
<content type='text'>
[ Upstream commit 2c0e8382386f618c85d20cb05e7cf7df8cdd382c ]

A SYNC is required between enabling the GIC region and actually trying
to use it, even if the first access is a read, otherwise its possible
depending on the timing (and in my case depending on the precise
alignment of certain kernel code) to hit CM bus errors on that first
access.

Add the SYNC straight after setting the GIC base.

[paul.burton@imgtec.com:
  Changes later in this series increase our likelihood of hitting this
  by reducing the amount of code that runs between enabling the GIC &amp;
  accessing it.]

Fixes: a7057270c280 ("irqchip: mips-gic: Add device-tree support")
Signed-off-by: James Hogan &lt;james.hogan@imgtec.com&gt;
Signed-off-by: Paul Burton &lt;paul.burton@imgtec.com&gt;
Acked-by: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Cc: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Cc: Jason Cooper &lt;jason@lakedaemon.net&gt;
Cc: James Hogan &lt;james.hogan@imgtec.com&gt;
Cc: linux-kernel@vger.kernel.org
Cc: linux-mips@linux-mips.org
Cc: &lt;stable@vger.kernel.org&gt; # 3.19.x-
Patchwork: https://patchwork.linux-mips.org/patch/17019/
Signed-off-by: Ralf Baechle &lt;ralf@linux-mips.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 2c0e8382386f618c85d20cb05e7cf7df8cdd382c ]

A SYNC is required between enabling the GIC region and actually trying
to use it, even if the first access is a read, otherwise its possible
depending on the timing (and in my case depending on the precise
alignment of certain kernel code) to hit CM bus errors on that first
access.

Add the SYNC straight after setting the GIC base.

[paul.burton@imgtec.com:
  Changes later in this series increase our likelihood of hitting this
  by reducing the amount of code that runs between enabling the GIC &amp;
  accessing it.]

Fixes: a7057270c280 ("irqchip: mips-gic: Add device-tree support")
Signed-off-by: James Hogan &lt;james.hogan@imgtec.com&gt;
Signed-off-by: Paul Burton &lt;paul.burton@imgtec.com&gt;
Acked-by: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Cc: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Cc: Jason Cooper &lt;jason@lakedaemon.net&gt;
Cc: James Hogan &lt;james.hogan@imgtec.com&gt;
Cc: linux-kernel@vger.kernel.org
Cc: linux-mips@linux-mips.org
Cc: &lt;stable@vger.kernel.org&gt; # 3.19.x-
Patchwork: https://patchwork.linux-mips.org/patch/17019/
Signed-off-by: Ralf Baechle &lt;ralf@linux-mips.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>irqchip/atmel-aic: Fix unbalanced refcount in aic_common_rtc_irq_fixup()</title>
<updated>2017-10-04T01:36:30+00:00</updated>
<author>
<name>Boris Brezillon</name>
<email>boris.brezillon@free-electrons.com</email>
</author>
<published>2017-07-04T09:10:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6c32c9c00655ded02db8e9c3d345c26fbf51be03'/>
<id>6c32c9c00655ded02db8e9c3d345c26fbf51be03</id>
<content type='text'>
[ Upstream commit 277867ade8262583f4280cadbe90e0031a3706a7 ]

of_find_compatible_node() is calling of_node_put() on its first argument
thus leading to an unbalanced of_node_get/put() issue if the node has not
been retained before that.

Instead of passing the root node, pass NULL, which does exactly the same:
iterate over all DT nodes, starting from the root node.

Signed-off-by: Boris Brezillon &lt;boris.brezillon@free-electrons.com&gt;
Reported-by: Alexandre Belloni &lt;alexandre.belloni@free-electrons.com&gt;
Fixes: 3d61467f9bab ("irqchip: atmel-aic: Implement RTC irq fixup")
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 277867ade8262583f4280cadbe90e0031a3706a7 ]

of_find_compatible_node() is calling of_node_put() on its first argument
thus leading to an unbalanced of_node_get/put() issue if the node has not
been retained before that.

Instead of passing the root node, pass NULL, which does exactly the same:
iterate over all DT nodes, starting from the root node.

Signed-off-by: Boris Brezillon &lt;boris.brezillon@free-electrons.com&gt;
Reported-by: Alexandre Belloni &lt;alexandre.belloni@free-electrons.com&gt;
Fixes: 3d61467f9bab ("irqchip: atmel-aic: Implement RTC irq fixup")
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>irqchip/atmel-aic: Fix unbalanced of_node_put() in aic_common_irq_fixup()</title>
<updated>2017-10-04T01:36:30+00:00</updated>
<author>
<name>Boris Brezillon</name>
<email>boris.brezillon@free-electrons.com</email>
</author>
<published>2017-07-04T09:10:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=695dedf31ca926c2bb3a1dfe13d9f5a4479096ee'/>
<id>695dedf31ca926c2bb3a1dfe13d9f5a4479096ee</id>
<content type='text'>
[ Upstream commit 469bcef53c546bb792aa66303933272991b7831d ]

aic_common_irq_fixup() is calling twice of_node_put() on the same node
thus leading to an unbalanced refcount on the root node.

Signed-off-by: Boris Brezillon &lt;boris.brezillon@free-electrons.com&gt;
Reported-by: Alexandre Belloni &lt;alexandre.belloni@free-electrons.com&gt;
Fixes: b2f579b58e93 ("irqchip: atmel-aic: Add irq fixup infrastructure")
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 469bcef53c546bb792aa66303933272991b7831d ]

aic_common_irq_fixup() is calling twice of_node_put() on the same node
thus leading to an unbalanced refcount on the root node.

Signed-off-by: Boris Brezillon &lt;boris.brezillon@free-electrons.com&gt;
Reported-by: Alexandre Belloni &lt;alexandre.belloni@free-electrons.com&gt;
Fixes: b2f579b58e93 ("irqchip: atmel-aic: Add irq fixup infrastructure")
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>irqchip/gic-v3: Fix out-of-bound access in gic_set_affinity</title>
<updated>2017-07-31T17:37:54+00:00</updated>
<author>
<name>Suzuki K Poulose</name>
<email>suzuki.poulose@arm.com</email>
</author>
<published>2017-06-30T09:58:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c7a561f8f142ac372e74fab4a45fb9b078b2122e'/>
<id>c7a561f8f142ac372e74fab4a45fb9b078b2122e</id>
<content type='text'>
[ Upstream commit 866d7c1b0a3c70387646c4e455e727a58c5d465a ]

The GICv3 driver doesn't check if the target CPU for gic_set_affinity
is valid before going ahead and making the changes. This triggers the
following splat with KASAN:

[  141.189434] BUG: KASAN: global-out-of-bounds in gic_set_affinity+0x8c/0x140
[  141.189704] Read of size 8 at addr ffff200009741d20 by task swapper/1/0
[  141.189958]
[  141.190158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.12.0-rc7
[  141.190458] Hardware name: Foundation-v8A (DT)
[  141.190658] Call trace:
[  141.190908] [&lt;ffff200008089d70&gt;] dump_backtrace+0x0/0x328
[  141.191224] [&lt;ffff20000808a1b4&gt;] show_stack+0x14/0x20
[  141.191507] [&lt;ffff200008504c3c&gt;] dump_stack+0xa4/0xc8
[  141.191858] [&lt;ffff20000826c19c&gt;] print_address_description+0x13c/0x250
[  141.192219] [&lt;ffff20000826c5c8&gt;] kasan_report+0x210/0x300
[  141.192547] [&lt;ffff20000826ad54&gt;] __asan_load8+0x84/0x98
[  141.192874] [&lt;ffff20000854eeec&gt;] gic_set_affinity+0x8c/0x140
[  141.193158] [&lt;ffff200008148b14&gt;] irq_do_set_affinity+0x54/0xb8
[  141.193473] [&lt;ffff200008148d2c&gt;] irq_set_affinity_locked+0x64/0xf0
[  141.193828] [&lt;ffff200008148e00&gt;] __irq_set_affinity+0x48/0x78
[  141.194158] [&lt;ffff200008bc48a4&gt;] arm_perf_starting_cpu+0x104/0x150
[  141.194513] [&lt;ffff2000080d73bc&gt;] cpuhp_invoke_callback+0x17c/0x1f8
[  141.194783] [&lt;ffff2000080d94ec&gt;] notify_cpu_starting+0x8c/0xb8
[  141.195130] [&lt;ffff2000080911ec&gt;] secondary_start_kernel+0x15c/0x200
[  141.195390] [&lt;0000000080db81b4&gt;] 0x80db81b4
[  141.195603]
[  141.195685] The buggy address belongs to the variable:
[  141.196012]  __cpu_logical_map+0x200/0x220
[  141.196176]
[  141.196315] Memory state around the buggy address:
[  141.196586]  ffff200009741c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  141.196913]  ffff200009741c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  141.197158] &gt;ffff200009741d00: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
[  141.197487]                                ^
[  141.197758]  ffff200009741d80: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
[  141.198060]  ffff200009741e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  141.198358] ==================================================================
[  141.198609] Disabling lock debugging due to kernel taint
[  141.198961] CPU1: Booted secondary processor [410fd051]

This patch adds the check to make sure the cpu is valid.

Fixes: commit 021f653791ad17e03f98 ("irqchip: gic-v3: Initial support for GICv3")
Cc: stable@vger.kernel.org
Signed-off-by: Suzuki K Poulose &lt;suzuki.poulose@arm.com&gt;
Signed-off-by: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 866d7c1b0a3c70387646c4e455e727a58c5d465a ]

The GICv3 driver doesn't check if the target CPU for gic_set_affinity
is valid before going ahead and making the changes. This triggers the
following splat with KASAN:

[  141.189434] BUG: KASAN: global-out-of-bounds in gic_set_affinity+0x8c/0x140
[  141.189704] Read of size 8 at addr ffff200009741d20 by task swapper/1/0
[  141.189958]
[  141.190158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.12.0-rc7
[  141.190458] Hardware name: Foundation-v8A (DT)
[  141.190658] Call trace:
[  141.190908] [&lt;ffff200008089d70&gt;] dump_backtrace+0x0/0x328
[  141.191224] [&lt;ffff20000808a1b4&gt;] show_stack+0x14/0x20
[  141.191507] [&lt;ffff200008504c3c&gt;] dump_stack+0xa4/0xc8
[  141.191858] [&lt;ffff20000826c19c&gt;] print_address_description+0x13c/0x250
[  141.192219] [&lt;ffff20000826c5c8&gt;] kasan_report+0x210/0x300
[  141.192547] [&lt;ffff20000826ad54&gt;] __asan_load8+0x84/0x98
[  141.192874] [&lt;ffff20000854eeec&gt;] gic_set_affinity+0x8c/0x140
[  141.193158] [&lt;ffff200008148b14&gt;] irq_do_set_affinity+0x54/0xb8
[  141.193473] [&lt;ffff200008148d2c&gt;] irq_set_affinity_locked+0x64/0xf0
[  141.193828] [&lt;ffff200008148e00&gt;] __irq_set_affinity+0x48/0x78
[  141.194158] [&lt;ffff200008bc48a4&gt;] arm_perf_starting_cpu+0x104/0x150
[  141.194513] [&lt;ffff2000080d73bc&gt;] cpuhp_invoke_callback+0x17c/0x1f8
[  141.194783] [&lt;ffff2000080d94ec&gt;] notify_cpu_starting+0x8c/0xb8
[  141.195130] [&lt;ffff2000080911ec&gt;] secondary_start_kernel+0x15c/0x200
[  141.195390] [&lt;0000000080db81b4&gt;] 0x80db81b4
[  141.195603]
[  141.195685] The buggy address belongs to the variable:
[  141.196012]  __cpu_logical_map+0x200/0x220
[  141.196176]
[  141.196315] Memory state around the buggy address:
[  141.196586]  ffff200009741c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  141.196913]  ffff200009741c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  141.197158] &gt;ffff200009741d00: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
[  141.197487]                                ^
[  141.197758]  ffff200009741d80: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
[  141.198060]  ffff200009741e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  141.198358] ==================================================================
[  141.198609] Disabling lock debugging due to kernel taint
[  141.198961] CPU1: Booted secondary processor [410fd051]

This patch adds the check to make sure the cpu is valid.

Fixes: commit 021f653791ad17e03f98 ("irqchip: gic-v3: Initial support for GICv3")
Cc: stable@vger.kernel.org
Signed-off-by: Suzuki K Poulose &lt;suzuki.poulose@arm.com&gt;
Signed-off-by: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>xtensa: don't use linux IRQ #0</title>
<updated>2017-06-26T02:02:21+00:00</updated>
<author>
<name>Max Filippov</name>
<email>jcmvbkbc@gmail.com</email>
</author>
<published>2017-06-05T09:43:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b865f707d7c61799b8808b060d0eae476a2b92f3'/>
<id>b865f707d7c61799b8808b060d0eae476a2b92f3</id>
<content type='text'>
[ Upstream commit e5c86679d5e864947a52fb31e45a425dea3e7fa9 ]

Linux IRQ #0 is reserved for error reporting and may not be used.
Increase NR_IRQS for one additional slot and increase
irq_domain_add_legacy parameter first_irq value to 1, so that linux
IRQ #0 is not associated with hardware IRQ #0 in legacy IRQ domains.
Introduce macro XTENSA_PIC_LINUX_IRQ for static translation of xtensa
PIC hardware IRQ # to linux IRQ #. Use this macro in XTFPGA platform
data definitions.

This fixes inability to use hardware IRQ #0 in configurations that don't
use device tree and allows for non-identity mapping between linux IRQ #
and hardware IRQ #.

Cc: stable@vger.kernel.org
Signed-off-by: Max Filippov &lt;jcmvbkbc@gmail.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit e5c86679d5e864947a52fb31e45a425dea3e7fa9 ]

Linux IRQ #0 is reserved for error reporting and may not be used.
Increase NR_IRQS for one additional slot and increase
irq_domain_add_legacy parameter first_irq value to 1, so that linux
IRQ #0 is not associated with hardware IRQ #0 in legacy IRQ domains.
Introduce macro XTENSA_PIC_LINUX_IRQ for static translation of xtensa
PIC hardware IRQ # to linux IRQ #. Use this macro in XTFPGA platform
data definitions.

This fixes inability to use hardware IRQ #0 in configurations that don't
use device tree and allows for non-identity mapping between linux IRQ #
and hardware IRQ #.

Cc: stable@vger.kernel.org
Signed-off-by: Max Filippov &lt;jcmvbkbc@gmail.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>irqchip/gicv3: Handle loop timeout proper</title>
<updated>2016-11-01T19:14:22+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2016-10-14T07:26:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9e9ca450cd93936f0a40daf66ce45e93d0873088'/>
<id>9e9ca450cd93936f0a40daf66ce45e93d0873088</id>
<content type='text'>
[ Upstream commit d102eb5c1ac5e6743b1c6d145c06a25d98ad1375 ]

The timeout loop terminates when the loop count is zero, but the decrement
of the count variable is post check. So count is -1 when we check for the
timeout and therefor the error message is supressed.

Change it to predecrement, so the error message is emitted.

[ tglx: Massaged changelog ]

Fixes: a2c225101234 ("irqchip: gic-v3: Refactor gic_enable_redist to support both enabling and disabling")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Acked-by: Sudeep Holla &lt;sudeep.holla@arm.com&gt;
Cc: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Cc: kernel-janitors@vger.kernel.org
Cc: Jason Cooper &lt;jason@lakedaemon.net&gt;
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20161014072534.GA15168@mwanda
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d102eb5c1ac5e6743b1c6d145c06a25d98ad1375 ]

The timeout loop terminates when the loop count is zero, but the decrement
of the count variable is post check. So count is -1 when we check for the
timeout and therefor the error message is supressed.

Change it to predecrement, so the error message is emitted.

[ tglx: Massaged changelog ]

Fixes: a2c225101234 ("irqchip: gic-v3: Refactor gic_enable_redist to support both enabling and disabling")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Acked-by: Sudeep Holla &lt;sudeep.holla@arm.com&gt;
Cc: Marc Zyngier &lt;marc.zyngier@arm.com&gt;
Cc: kernel-janitors@vger.kernel.org
Cc: Jason Cooper &lt;jason@lakedaemon.net&gt;
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20161014072534.GA15168@mwanda
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
