commit 584fd7872c1bc29d3b752bebb6a5b470018f83e8
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu Jan 12 11:41:42 2017 +0100
Linux 4.9.3
commit 3999c535da7add2f5283303d77eb56434e660fd6
Author: Felipe Balbi <felipe.balbi@linux.intel.com>
Date: Wed Sep 28 12:33:31 2016 +0300
usb: gadget: composite: always set ep->mult to a sensible value
commit eaa496ffaaf19591fe471a36cef366146eeb9153 upstream.
ep->mult is supposed to be set to Isochronous and
Interrupt Endapoint's multiplier value. This value
is computed from different places depending on the
link speed.
If we're dealing with HighSpeed, then it's part of
bits [12:11] of wMaxPacketSize. This case wasn't
taken into consideration before.
While at that, also make sure the ep->mult defaults
to one so drivers can use it unconditionally and
assume they'll never multiply ep->maxpacket to zero.
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7ff469ceba2652241778e75f263205fe7932b376
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu Jan 12 08:51:32 2017 +0100
Revert "usb: gadget: composite: always set ep->mult to a sensible value"
This reverts commit eab1c4e2d0ad4509ccb8476a604074547dc202e0 which is
commit eaa496ffaaf19591fe471a36cef366146eeb9153 upstream as it was
incorrectly backported.
Reported-by: Bin Liu <b-liu@ti.com>
Cc: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ec3d5c521af86e53690c8850def2d2f6a35e7756
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu Jan 12 08:29:09 2017 +0100
Revert "rtlwifi: Fix enter/exit power_save"
This reverts commit 98068574928f499b30f136ff57ef9a03cc575a36, which is
commit ba9f93f82abafe2552eac942ebb11c2df4f8dd7f upstream as it causes
problems.
Reported-by: Dmitry Osipenko <digetx@gmail.com>
Cc: Ping-Ke Shih <pkshih@realtek.com>
Cc: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
commit cf365b117388a50902d56988e69dd6f70b7662fc
Author: Thomas Gleixner <tglx@linutronix.de>
Date: Thu Dec 15 12:10:37 2016 +0100
tick/broadcast: Prevent NULL pointer dereference
commit c1a9eeb938b5433947e5ea22f89baff3182e7075 upstream.
When a disfunctional timer, e.g. dummy timer, is installed, the tick core
tries to setup the broadcast timer.
If no broadcast device is installed, the kernel crashes with a NULL pointer
dereference in tick_broadcast_setup_oneshot() because the function has no
sanity check.
Reported-by: Mason <slash.tmp@free.fr>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
Cc: Richard Cochran <rcochran@linutronix.de>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
Cc: Peter Zijlstra <peterz@infradead.org>,
Cc: Sebastian Frias <sf84@laposte.net>
Cc: Thibaud Cornic <thibaud_cornic@sigmadesigns.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Link: http://lkml.kernel.org/r/1147ef90-7877-e4d2-bb2b-5c4fa8d3144b@free.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 34db201f0de7138d3646946f5d33e178c93efca6
Author: Thomas Gleixner <tglx@linutronix.de>
Date: Thu Dec 15 12:01:05 2016 +0100
clocksource/dummy_timer: Move hotplug callback after the real timers
commit 9bf11ecce5a2758e5a097c2f3a13d08552d0d6f9 upstream.
When the dummy timer callback is invoked before the real timer callbacks,
then it tries to install that timer for the starting CPU. If the platform
does not have a broadcast timer installed the installation fails with a
kernel crash. The crash happens due to a unconditional deference of the non
available broadcast device. This needs to be fixed in the timer core code.
But even when this is fixed in the core code then installing the dummy
timer before the real timers is a pointless exercise.
Move it to the end of the callback list.
Fixes: 00c1d17aab51 ("clocksource/dummy_timer: Convert to hotplug state machine")
Reported-and-tested-by: Mason <slash.tmp@free.fr>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
Cc: Richard Cochran <rcochran@linutronix.de>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
Cc: Peter Zijlstra <peterz@infradead.org>,
Cc: Sebastian Frias <sf84@laposte.net>
Cc: Thibaud Cornic <thibaud_cornic@sigmadesigns.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Link: http://lkml.kernel.org/r/1147ef90-7877-e4d2-bb2b-5c4fa8d3144b@free.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1b9c2556809ad30ef8e28398d77b6b007e7be6c0
Author: Carlos Maiolino <cmaiolino@redhat.com>
Date: Mon Jan 9 16:39:03 2017 +0100
xfs: fix max_retries _show and _store functions
commit ff97f2399edac1e0fb3fa7851d5fbcbdf04717cf upstream.
max_retries _show and _store functions should test against cfg->max_retries,
not cfg->retry_timeout
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 91192ae41e6f638d580bd0e3e6fd2d311eaf5adf
Author: Christoph Hellwig <hch@lst.de>
Date: Mon Jan 9 16:39:02 2017 +0100
xfs: fix crash and data corruption due to removal of busy COW extents
commit a1b7a4dea6166cf46be895bce4aac67ea5160fe8 upstream.
There is a race window between write_cache_pages calling
clear_page_dirty_for_io and XFS calling set_page_writeback, in which
the mapping for an inode is tagged neither as dirty, nor as writeback.
If the COW shrinker hits in exactly that window we'll remove the delayed
COW extents and writepages trying to write it back, which in release
kernels will manifest as corruption of the bmap btree, and in debug
kernels will trip the ASSERT about now calling xfs_bmapi_write with the
COWFORK flag for holes. A complex customer load manages to hit this
window fairly reliably, probably by always having COW writeback in flight
while the cow shrinker runs.
This patch adds another check for having the I_DIRTY_PAGES flag set,
which is still set during this race window. While this fixes the problem
I'm still not overly happy about the way the COW shrinker works as it
still seems a bit fragile.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b96e4e87d2b0fee921ceafa4f5ae1c90e9121db4
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Mon Jan 9 16:39:01 2017 +0100
xfs: use the actual AG length when reserving blocks
commit 20e73b000bcded44a91b79429d8fa743247602ad upstream.
We need to use the actual AG length when making per-AG reservations,
since we could otherwise end up reserving more blocks out of the last
AG than there are actual blocks.
Complained-about-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d9c7c9fa600acb0d587678cc71565316d11ec7ad
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Mon Jan 9 16:39:00 2017 +0100
xfs: fix double-cleanup when CUI recovery fails
commit 7a21272b088894070391a94fdd1c67014020fa1d upstream.
Dan Carpenter reported a double-free of rcur if _defer_finish fails
while we're recovering CUI items. Fix the error recovery to prevent
this.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit aa38f370b25acc478be36e237e882e78f71c67e5
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Mon Jan 9 16:38:59 2017 +0100
xfs: use GPF_NOFS when allocating btree cursors
commit b24a978c377be5f14e798cb41238e66fe51aab2f upstream.
Use NOFS for allocating btree cursors, since they can be called
under the ilock.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3c382dda47e4b51de6d67847ddfc9c10962c4ca3
Author: Eric Sandeen <sandeen@redhat.com>
Date: Mon Jan 9 16:38:58 2017 +0100
xfs: ignore leaf attr ichdr.count in verifier during log replay
commit 2e1d23370e75d7d89350d41b4ab58c7f6a0e26b2 upstream.
When we create a new attribute, we first create a shortform
attribute, and try to fit the new attribute into it.
If that fails, we copy the (empty) attribute into a leaf attribute,
and do the copy again. Thus there can be a transient state where
we have an empty leaf attribute.
If we encounter this during log replay, the verifier will fail.
So add a test to ignore this part of the leaf attr verification
during log replay.
Thanks as usual to dchinner for spotting the problem.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c00203386d50c1d2f2621163b9d7a533de4819fc
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Mon Jan 9 16:38:57 2017 +0100
xfs: don't cap maximum dedupe request length
commit 1bb33a98702d8360947f18a44349df75ba555d5d upstream.
After various discussions on linux-fsdevel, it has been decided that it
is not necessary to cap the length of a dedupe request, and that
correctly-written userspace client programs will be able to absorb the
change. Therefore, remove the length clamping behavior.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f8b20705a383357ddca04ea648a7ac8fccd438ef
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Mon Jan 9 16:38:56 2017 +0100
xfs: don't allow di_size with high bit set
commit ef388e2054feedaeb05399ed654bdb06f385d294 upstream.
The on-disk field di_size is used to set i_size, which is a signed
integer of loff_t. If the high bit of di_size is set, we'll end up with
a negative i_size, which will cause all sorts of problems. Since the
VFS won't let us create a file with such length, we should catch them
here in the verifier too.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 12815dd15c480c0d595401e4eec54542025607f6
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Mon Jan 9 16:38:55 2017 +0100
xfs: error out if trying to add attrs and anextents > 0
commit 0f352f8ee8412bd9d34fb2a6411241da61175c0e upstream.
We shouldn't assert if somehow we end up trying to add an attr fork to
an inode that apparently already has attr extents because this is an
indication of on-disk corruption. Instead, return an error code to
userspace.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cd4bf1d416ef199223fa41eb8225f2a137c0be99
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Mon Jan 9 16:38:54 2017 +0100
xfs: don't crash if reading a directory results in an unexpected hole
commit 96a3aefb8ffde23180130460b0b2407b328eb727 upstream.
In xfs_dir3_data_read, we can encounter the situation where err == 0 and
*bpp == NULL if the given bno offset happens to be a hole; this leads to
a crash if we try to set the buffer type after the _da_read_buf call.
Holes can happen due to corrupt or malicious entries in the bmbt data,
so be a little more careful when we're handling buffers.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b88398de18331ed448739866bf9fe3743e7c1bbf
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Mon Jan 9 16:38:53 2017 +0100
xfs: complain if we don't get nextents bmap records
commit 356a3225222e5bc4df88aef3419fb6424f18ab69 upstream.
When reading into memory all extents of a btree-format inode fork,
complain if the number of extents we find is not the same as the number
of extents reported in the inode core. This is needed to stop an IO
action from accessing the garbage areas of the in-core fork.
[dchinner: removed redundant assert]
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4bb31bccea381ebadf0e1bc4433026613c15ce68
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Mon Jan 9 16:38:52 2017 +0100
xfs: check for bogus values in btree block headers
commit bb3be7e7c1c18e1b141d4cadeb98cc89ecf78099 upstream.
When we're reading a btree block, make sure that what we retrieved
matches the owner and level; and has a plausible number of records.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b85f32481d93a23488d208fca4558e84515dc0f4
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Mon Jan 9 16:38:51 2017 +0100
xfs: forbid AG btrees with level == 0
commit d2a047f31e86941fa896e0e3271536d50aba415e upstream.
There is no such thing as a zero-level AG btree since even a single-node
zero-records btree has one level. Btree cursor constructors read
cur_nlevels straight from disk and then access things like
cur_bufs[cur_nlevels - 1] which is /really/ bad if cur_nlevels is zero!
Therefore, strengthen the verifiers to prevent this possibility.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4081d4a79a95252486569b014b9a666ad5bfdbee
Author: Eric Sandeen <sandeen@sandeen.net>
Date: Mon Jan 9 16:38:50 2017 +0100
xfs: handle cow fork in xfs_bmap_trace_exlist
commit c44a1f22626c153976289e1cd67bdcdfefc16e1f upstream.
By inspection, xfs_bmap_trace_exlist isn't handling cow forks,
and will trace the data fork instead.
Fix this by setting state appropriately if whichfork
== XFS_COW_FORK.
()___()
< @ @ >
| |
{o_o}
(|)
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a585e1c4ec939d1cc5ce8776c606733d046072da
Author: Eric Sandeen <sandeen@sandeen.net>
Date: Mon Jan 9 16:38:49 2017 +0100
xfs: pass state not whichfork to trace_xfs_extlist
commit 7710517fc37b1899722707883b54694ea710b3c0 upstream.
When xfs_bmap_trace_exlist called trace_xfs_extlist,
it sent in the "whichfork" var instead of the bmap "state"
as expected (even though state was already set up for this
purpose).
As a result, the xfs_bmap_class in tracing code used
"whichfork" not state in xfs_iext_state_to_fork(), and got
the wrong ifork pointer. It all goes downhill from
there, including an ASSERT when ifp_bytes is empty
by the time it reaches xfs_iext_get_ext():
XFS: Assertion failed: idx < ifp->if_bytes / sizeof(xfs_bmbt_rec_t)
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bdbfd4ee6bc7aa37062f0222a143b3c3fee7282e
Author: Eric Sandeen <sandeen@sandeen.net>
Date: Mon Jan 9 16:38:48 2017 +0100
xfs: Move AGI buffer type setting to xfs_read_agi
commit 200237d6746faaeaf7f4ff4abbf13f3917cee60a upstream.
We've missed properly setting the buffer type for
an AGI transaction in 3 spots now, so just move it
into xfs_read_agi() and set it if we are in a transaction
to avoid the problem in the future.
This is similar to how it is done in i.e. the dir3
and attr3 read functions.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 06ac11df915d5d607780b86fa7d98f1ab57dab16
Author: Brian Foster <bfoster@redhat.com>
Date: Mon Jan 9 16:38:47 2017 +0100
xfs: pass post-eof speculative prealloc blocks to bmapi
commit f782088c9e5d08e9494c63e68b4e85716df3e5f8 upstream.
xfs_file_iomap_begin_delay() implements post-eof speculative
preallocation by extending the block count of the requested delayed
allocation. Now that xfs_bmapi_reserve_delalloc() has been updated to
handle prealloc blocks separately and tag the inode, update
xfs_file_iomap_begin_delay() to use the new parameter and rely on the
former to tag the inode.
Note that this patch does not change behavior.
Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 553937d3cce8d3806655771099928ab5525fa7e4
Author: Christoph Hellwig <hch@lst.de>
Date: Mon Jan 9 16:38:46 2017 +0100
xfs: use new extent lookup helpers xfs_file_iomap_begin_delay
commit 656152e552e5cbe0c11ad261b524376217c2fb13 upstream.
And only lookup the previous extent inside xfs_iomap_prealloc_size
if we actually need it.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3d6e3b12bb4eac5cadb4733530c1967fe9e3d6a9
Author: Brian Foster <bfoster@redhat.com>
Date: Mon Jan 9 16:38:45 2017 +0100
xfs: clean up cow fork reservation and tag inodes correctly
commit 0260d8ff5f76617e3a55a1c471383ecb4404c3ad upstream.
COW fork reservation is implemented via delayed allocation. The code is
modeled after the traditional delalloc allocation code, but is slightly
different in terms of how preallocation occurs. Rather than post-eof
speculative preallocation, COW fork preallocation is implemented via a
COW extent size hint that is designed to minimize fragmentation as a
reflinked file is split over time.
xfs_reflink_reserve_cow() still uses logic that is oriented towards
dealing with post-eof speculative preallocation, however, and is stale
or not necessarily correct. First, the EOF alignment to the COW extent
size hint is implemented in xfs_bmapi_reserve_delalloc() (which does so
correctly by aligning the start and end offsets) and so is not necessary
in xfs_reflink_reserve_cow(). The backoff and retry logic on ENOSPC is
also ineffective for the same reason, as xfs_bmapi_reserve_delalloc()
will simply perform the same allocation request on the retry. Finally,
since the COW extent size hint aligns the start and end offset of the
range to allocate, the end_fsb != orig_end_fsb logic is not sufficient.
Indeed, if a write request happens to end on an aligned offset, it is
possible that we do not tag the inode for COW preallocation even though
xfs_bmapi_reserve_delalloc() may have preallocated at the start offset.
Kill the unnecessary, duplicate code in xfs_reflink_reserve_cow().
Remove the inode tag logic as well since xfs_bmapi_reserve_delalloc()
has been updated to tag the inode correctly.
Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4a323331d8c963aaba4f19f84f16c052bd7eb156
Author: Christoph Hellwig <hch@lst.de>
Date: Mon Jan 9 16:38:44 2017 +0100
xfs: use new extent lookup helpers in __xfs_reflink_reserve_cow
commit 2755fc4438501c8c28e7783df890e889f6772bee upstream.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cf168f2ff8bae8a4eb966c3c0f055086c1fae87d
Author: Brian Foster <bfoster@redhat.com>
Date: Mon Jan 9 16:38:43 2017 +0100
xfs: track preallocation separately in xfs_bmapi_reserve_delalloc()
commit 974ae922efd93b07b6cdf989ae959883f6f05fd8 upstream.
Speculative preallocation is currently processed entirely by the callers
of xfs_bmapi_reserve_delalloc(). The caller determines how much
preallocation to include, adjusts the extent length and passes down the
resulting request.
While this works fine for post-eof speculative preallocation, it is not
as reliable for COW fork preallocation. COW fork preallocation is
implemented via the cowextszhint, which aligns the start offset as well
as the length of the extent. Further, it is difficult for the caller to
accurately identify when preallocation occurs because the returned
extent could have been merged with neighboring extents in the fork.
To simplify this situation and facilitate further COW fork preallocation
enhancements, update xfs_bmapi_reserve_delalloc() to take a separate
preallocation parameter to incorporate into the allocation request. The
preallocation blocks value is tacked onto the end of the request and
adjusted to accommodate neighboring extents and extent size limits.
Since xfs_bmapi_reserve_delalloc() now knows precisely how much
preallocation was included in the allocation, it can also tag the inodes
appropriately to support preallocation reclaim.
Note that xfs_bmapi_reserve_delalloc() callers are not yet updated to
use the preallocation mechanism. This patch should not change behavior
outside of correctly tagging reflink inodes when start offset
preallocation occurs (which the caller does not handle correctly).
Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cf4fb510473b4529a0969b1d0af898b7a844bc36
Author: Christoph Hellwig <hch@lst.de>
Date: Mon Jan 9 16:38:42 2017 +0100
xfs: remove prev argument to xfs_bmapi_reserve_delalloc
commit 65c5f419788d623a0410eca1866134f5e4628594 upstream.
We can easily lookup the previous extent for the cases where we need it,
which saves the callers from looking it up for us later in the series.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3903257660338c41c22a2464407c8ff93c42e00b
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Mon Jan 9 16:38:41 2017 +0100
xfs: always succeed when deduping zero bytes
commit fba3e594ef0ad911fa8f559732d588172f212d71 upstream.
It turns out that btrfs and xfs had differing interpretations of what
to do when the dedupe length is zero. Change xfs to follow btrfs'
semantics so that the userland interface is consistent.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2b7dae91a1341302077798ddc38e8bfd8a012cf1
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Mon Jan 9 16:38:40 2017 +0100
xfs: factor rmap btree size into the indlen calculations
commit fd26a88093bab6529ea2de819114ca92dbd1d71d upstream.
When we're estimating the amount of space it's going to take to satisfy
a delalloc reservation, we need to include the space that we might need
to grow the rmapbt. This helps us to avoid running out of space later
when _iomap_write_allocate needs more space than we reserved. Eryu Guan
observed this happening on generic/224 when sunit/swidth were set.
Reported-by: Eryu Guan <eguan@redhat.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 49dc19915d3b0893a698a2d78f732beaff119a4d
Author: Christoph Hellwig <hch@lst.de>
Date: Mon Jan 9 16:38:39 2017 +0100
xfs: new inode extent list lookup helpers
commit 93533c7855c3c78c8a900cac65c8d669bb14935d upstream.
xfs_iext_lookup_extent looks up a single extent at the passed in offset,
and returns the extent covering the area, or the one behind it in case
of a hole, as well as the index of the returned extent in arguments,
as well as a simple bool as return value that is set to false if no
extent could be found because the offset is behind EOF. It is a simpler
replacement for xfs_bmap_search_extent that leaves looking up the rarely
needed previous extent to the caller and has a nicer calling convention.
xfs_iext_get_extent is a helper for iterating over the extent list,
it takes an extent index as input, and returns the extent at that index
in it's expanded form in an argument if it exists. The actual return
value is a bool whether the index is valid or not.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b49ef758f6003a7ed0afb37b33fc96e238752497
Author: Brian Foster <bfoster@redhat.com>
Date: Mon Jan 9 16:38:38 2017 +0100
xfs: fix unbalanced inode reclaim flush locking
commit 98efe8af1c9ffac47e842b7a75ded903e2f028da upstream.
Filesystem shutdown testing on an older distro kernel has uncovered an
imbalanced locking pattern for the inode flush lock in
xfs_reclaim_inode(). Specifically, there is a double unlock sequence
between the call to xfs_iflush_abort() and xfs_reclaim_inode() at the
"reclaim:" label.
This actually does not cause obvious problems on current kernels due to
the current flush lock implementation. Older kernels use a counting
based flush lock mechanism, however, which effectively breaks the lock
indefinitely when an already unlocked flush lock is repeatedly unlocked.
Though this only currently occurs on filesystem shutdown, it has
reproduced the effect of elevating an fs shutdown to a system-wide crash
or hang.
As it turns out, the flush lock is not actually required for the reclaim
logic in xfs_reclaim_inode() because by that time we have already cycled
the flush lock once while holding ILOCK_EXCL. Therefore, remove the
additional flush lock/unlock cycle around the 'reclaim:' label and
update branches into this label to release the flush lock where
appropriate. Add an assert to xfs_ifunlock() to help prevent future
occurences of the same problem.
Reported-by: Zorro Lang <zlang@redhat.com>
Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 63fa793e757dfc08c09865d68936ce3d67a00047
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Mon Jan 9 16:38:37 2017 +0100
xfs: check minimum block size for CRC filesystems
commit bec9d48d7a303a5bb95c05961ff07ec7eeb59058 upstream.
Check the minimum block size on v5 filesystems.
[dchinner: cleaned up XFS_MIN_CRC_BLOCKSIZE check]
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f380ee72a7a498c934afe3aa67a50242b935f540
Author: Eric Sandeen <sandeen@sandeen.net>
Date: Mon Jan 9 16:38:36 2017 +0100
xfs: provide helper for counting extents from if_bytes
commit 5d829300bee000980a09ac2ccb761cb25867b67c upstream.
The open-coded pattern:
ifp->if_bytes / (uint)sizeof(xfs_bmbt_rec_t)
is all over the xfs code; provide a new helper
xfs_iext_count(ifp) to count the number of inline extents
in an inode fork.
[dchinner: pick up several missed conversions]
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3978c5bb004312fd267aed7279fe64b119e126b0
Author: Brian Foster <bfoster@redhat.com>
Date: Mon Jan 9 16:38:35 2017 +0100
xfs: don't BUG() on mixed direct and mapped I/O
commit 04197b341f23b908193308b8d63d17ff23232598 upstream.
We've had reports of generic/095 causing XFS to BUG() in
__xfs_get_blocks() due to the existence of delalloc blocks on a
direct I/O read. generic/095 issues a mix of various types of I/O,
including direct and memory mapped I/O to a single file. This is
clearly not supported behavior and is known to lead to such
problems. E.g., the lack of exclusion between the direct I/O and
write fault paths means that a write fault can allocate delalloc
blocks in a region of a file that was previously a hole after the
direct read has attempted to flush/inval the file range, but before
it actually reads the block mapping. In turn, the direct read
discovers a delalloc extent and cannot proceed.
While the appropriate solution here is to not mix direct and memory
mapped I/O to the same regions of the same file, the current
BUG_ON() behavior is probably overkill as it can crash the entire
system. Instead, localize the failure to the I/O in question by
returning an error for a direct I/O that cannot be handled safely
due to delalloc blocks. Be careful to allow the case of a direct
write to post-eof delalloc blocks. This can occur due to speculative
preallocation and is safe as post-eof blocks are not accompanied by
dirty pages in pagecache (conversely, preallocation within eof must
have been zeroed, and thus dirtied, before the inode size could have
been increased beyond said blocks).
Finally, provide an additional warning if a direct I/O write occurs
while the file is memory mapped. This may not catch all problematic
scenarios, but provides a hint that some known-to-be-problematic I/O
methods are in use.
Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2f092422e1ce1f155c6a9da147a78759f0e04f40
Author: Brian Foster <bfoster@redhat.com>
Date: Mon Jan 9 16:38:34 2017 +0100
xfs: don't skip cow forks w/ delalloc blocks in cowblocks scan
commit 399372349a7f9b2d7e56e4fa4467c69822d07024 upstream.
The cowblocks background scanner currently clears the cowblocks tag
for inodes without any real allocations in the cow fork. This
excludes inodes with only delalloc blocks in the cow fork. While we
might never expect to clear delalloc blocks from the cow fork in the
background scanner, it is not necessarily correct to clear the
cowblocks tag from such inodes.
For example, if the background scanner happens to process an inode
between a buffered write and writeback, the scanner catches the
inode in a state after delalloc blocks have been allocated to the
cow fork but before the delalloc blocks have been converted to real
blocks by writeback. The background scanner then incorrectly clears
the cowblocks tag, even if part of the aforementioned delalloc
reservation will not be remapped to the data fork (i.e., extra
blocks due to the cowextsize hint). This means that any such
additional blocks in the cow fork might never be reclaimed by the
background scanner and could persist until the inode itself is
reclaimed.
To address this problem, only skip and clear inodes without any cow
fork allocations whatsoever from the background scanner. While we
generally do not want to cancel delalloc reservations from the
background scanner, the pagecache dirty check following the
cowblocks check should prevent that situation. If we do end up with
delalloc cow fork blocks without a dirty address space mapping, this
is probably an indication that something has gone wrong and the
blocks should be reclaimed, as they may never be converted to a real
allocation.
Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a11f90ca5f306a1c38db4f24db8bff97ffb87bd2
Author: Darrick J. Wong <darrick.wong@oracle.com>
Date: Mon Jan 9 16:38:33 2017 +0100
xfs: check return value of _trans_reserve_quota_nblks
commit 4fd29ec47212c8cbf98916af519019ccc5e58e49 upstream.
Check the return value of xfs_trans_reserve_quota_nblks for errors.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ae8b6cb40cb29dfa760641ce55d5b9c0c153a1f2
Author: Eric Sandeen <sandeen@redhat.com>
Date: Mon Jan 9 16:38:32 2017 +0100
xfs: don't call xfs_sb_quota_from_disk twice
commit e6fc6fcf4447c9266038c55c25e4c7c14bee110c upstream.
Source xfsprogs commit: ee3754254e8c186c99b6cdd4d59f741759d04acb
Kernel commit 5ef828c4 ("xfs: avoid false quotacheck after unclean
shutdown") made xfs_sb_from_disk() also call xfs_sb_quota_from_disk
by default.
However, when this was merged to libxfs, existing separate
calls to libxfs_sb_quota_from_disk remained, and calling it
twice in a row on a V4 superblock leads to issues, because:
if (sbp->sb_qflags & XFS_PQUOTA_ACCT) {
...
sbp->sb_pquotino = sbp->sb_gquotino;
sbp->sb_gquotino = NULLFSINO;
and after the second call, we have set both pquotino and gquotino
to NULLFSINO.
Fix this by making it safe to call twice, and also remove the extra
calls to libxfs_sb_quota_from_disk.
This is only spotted when running xfstests with "-m crc=0" because
the sb_from_disk change came about after V5 became default, and
the above behavior only exists on a V4 superblock.
Reported-by: Eryu Guan <eguan@redhat.com>
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 56d22b9125421217fdea41250cce9dfa0013b483
Author: Josh Zimmerman <joshz@google.com>
Date: Thu Oct 27 14:50:09 2016 -0700
tpm_tis: Check return values from get_burstcount.
commit 26a137e31ffe6fbfdb008554a8d9b3d55bd5c86e upstream.
If the TPM we're connecting to uses a static burst count, it will report
a burst count of zero throughout the response read. However, get_burstcount
assumes that a response of zero indicates that the TPM is not ready to
receive more data. In this case, it returns a negative error code, which
is passed on to tpm_tis_{write,read}_bytes as a u16, causing
them to read/write far too many bytes.
This patch checks for negative return codes and bails out from recv_data
and tpm_tis_send_data.
Fixes: 1107d065fdf1 (tpm_tis: Introduce intermediate layer for TPM access)
Signed-off-by: Josh Zimmerman <joshz@google.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4ffac6f06dfa77ead74d448d07079e37339e4da0
Author: Paulo Zanoni <paulo.r.zanoni@intel.com>
Date: Tue Nov 8 18:22:11 2016 -0200
drm/i915/gen9: fix the WM memory bandwidth WA for Y tiling cases
commit 2ef32dee97fcf41987722a37eb6ff1a983915e99 upstream.
The previous spec version said "double Ytile planes minimum lines",
and I interpreted this as referring to what the spec calls "Y tile
minimum", but in fact it was referring to what the spec calls "Minimum
Scanlines for Y tile". I noticed that Mahesh Kumar had a different
interpretation, so I sent and email to the spec authors and got
clarification on the correct meaning. Also, BSpec was updated and
should be clear now.
Fixes: ee3d532fcb64 ("drm/i915/gen9: unconditionally apply the memory bandwidth WA")
Cc: stable@vger.kernel.org
Cc: Mahesh Kumar <mahesh1.kumar@intel.com>
Signed-off-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1478636531-6081-1-git-send-email-paulo.r.zanoni@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f482823e99f045bc5f1bd54626188219dfd1ad46
Author: Paulo Zanoni <paulo.r.zanoni@intel.com>
Date: Tue Oct 11 15:25:38 2016 -0300
drm/i915/gen9: unconditionally apply the memory bandwidth WA
commit ee3d532fcb64872bc20be0ee58f7afdb9fa82abe upstream.
Mahesh Kumar is already working on a proper implementation for the
workaround, but while we still don't have it, let's just
unconditionally apply the workaround for everybody and we hope we can
close all those numerous bugzilla tickets. Also, I'm not sure how easy
it will be to backport the final implementation to the stable Kernels,
and this patch here is probably easier to backport.
At the present moment I still don't have confirmation that this patch
fixes any of the bugs listed below, but we should definitely try
testing all of them again.
v2: s/intel_needs_memory_bw_wa/skl_needs_memory_bw_wa/ (Lyude).
v3: Rebase (dev -> dev_priv change on ilk_wm_max_level).
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94337
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94605
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94884
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=95010
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96226
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96828
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97450
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97830
Cc: Mahesh Kumar <mahesh1.kumar@intel.com>
Cc: Lyude <cpaul@redhat.com>
Cc: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com>
Signed-off-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Reviewed-by: Lyude <cpaul@redhat.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1476210338-9797-1-git-send-email-paulo.r.zanoni@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2bdb638de2fc9c2c1aa15ecdf28e295786a02ea1
Author: Paulo Zanoni <paulo.r.zanoni@intel.com>
Date: Tue Dec 13 18:57:44 2016 -0200
drm/i915: disable PSR by default on HSW/BDW
commit 1c4672ce4eeaeaadeea8adabaad21262b7172607 upstream.
We've been ignoring the poor bugzilla reporters that say PSR causes
system lockups and all other sorts of problems. The earliest bug
report is from April, so I think we can use the "revert the offending
commit if no fixes are presented within 8 months" rule here.
Fixes: 9b58e352b463 ("drm/i915: Enable PSR by default on Haswell and Broadwell.")
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97602
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97515
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96736
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96704
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=96569
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=95176
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94985
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: Jim Bride <jim.bride@linux.intel.com>
Signed-off-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Acked-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Acked-by: Jani Nikula <jani.nikula@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1481662664-18986-1-git-send-email-paulo.r.zanoni@intel.com
(cherry picked from commit 2ee7dc497e348eecbb82adbb1ea9e9a7e29fe921)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9ab30a6529b5d853f45b77593caada1a44156ed8
Author: Michel Dänzer <michel.daenzer@amd.com>
Date: Thu Oct 27 15:37:44 2016 +0900
drm/radeon: Always store CRTC relative radeon_crtc->cursor_x/y values
commit 4349bd775cc8fd75cb648e3a2036a690f497de5c upstream.
We were storing viewport relative coordinates for AVIVO/DCE display
engines. However, radeon_crtc_cursor_set2 and radeon_cursor_reset pass
radeon_crtc->cursor_x/y as the x/y parameters of
radeon_cursor_move_locked, which would break if the CRTC isn't located
at (0, 0).
Cc: stable@vger.kernel.org
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5417f59cb9962a847a3148ff3fa959b7f7502559
Author: Sebastian Ott <sebott@linux.vnet.ibm.com>
Date: Mon Nov 7 15:06:03 2016 +0100
s390/pci: fix dma address calculation in map_sg
commit 6b7df3ce92ac82ec3f4a2953b6fed77da7b38aaa upstream.
__s390_dma_map_sg maps a dma-contiguous area. Although we only map
whole pages we have to take into account that the area doesn't start
or stop at a page boundary because we use the dma address to loop
over the individual sg entries. Failing to do that might lead to an
access of the wrong sg entry.
Fixes: ee877b81c6b9 ("s390/pci_dma: improve map_sg")
Reported-and-tested-by: Christoph Raisch <raisch@de.ibm.com>
Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dae9151a88f775f88dd43595b8288f9aac13eedb
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date: Sat Dec 3 09:50:16 2016 +0100
s390/topology: always use s390 specific sched_domain_topology_level
commit ebb299a51059017ec253bd30781a83d1f6e11b24 upstream.
The s390 specific sched_domain_topology_level should always be used,
not only if the machine provides topology information. Luckily this
odd behaviour, that was by accident introduced with git commit
d05d15da18f5 ("s390/topology: delay initialization of topology cpu
masks") has currently no side effect.
Fixes: d05d15da18f5 ("s390/topology: delay initialization of topology cpumasks")
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b3539f813578419c6b386a669405284df5c5950d
Author: Johan Hovold <johan@kernel.org>
Date: Tue Nov 1 16:26:03 2016 +0100
powerpc/pci/rpadlpar: Fix device reference leaks
commit 99e5cde5eae78bef95bfe7c16ccda87fb070149b upstream.
Make sure to drop any device reference taken by vio_find_node() when
adding and removing virtual I/O slots.
Fixes: 5eeb8c63a38f ("[PATCH] PCI Hotplug: rpaphp: Move VIO registration")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1aaa777ec0095f66d9717d07c224b374fbb5f08a
Author: Alexey Kardashevskiy <aik@ozlabs.ru>
Date: Mon Oct 24 18:04:17 2016 +1100
PCI: Enable access to non-standard VPD for Chelsio devices (cxgb3)
commit 1c7de2b4ff886a45fbd2f4c3d4627e0f37a9dd77 upstream.
There is at least one Chelsio 10Gb card which uses VPD area to store some
non-standard blocks (example below). However pci_vpd_size() returns the
length of the first block only assuming that there can be only one VPD "End
Tag".
Since 4e1a635552d3 ("vfio/pci: Use kernel VPD access functions"), VFIO
blocks access beyond that offset, which prevents the guest "cxgb3" driver
from probing the device. The host system does not have this problem as its
driver accesses the config space directly without pci_read_vpd().
Add a quirk to override the VPD size to a bigger value. The maximum size
is taken from EEPROMSIZE in drivers/net/ethernet/chelsio/cxgb3/common.h.
We do not read the tag as the cxgb3 driver does as the driver supports
writing to EEPROM/VPD and when it writes, it only checks for 8192 bytes
boundary. The quirk is registered for all devices supported by the cxgb3
driver.
This adds a quirk to the PCI layer (not to the cxgb3 driver) as the cxgb3
driver itself accesses VPD directly and the problem only exists with the
vfio-pci driver (when cxgb3 is not running on the host and may not be even
loaded) which blocks accesses beyond the first block of VPD data. However
vfio-pci itself does not have quirks mechanism so we add it to PCI.
This is the controller:
Ethernet controller [0200]: Chelsio Communications Inc T310 10GbE Single Port Adapter [1425:0030]
This is what I parsed from its VPD:
===
b'\x82*\x0010 Gigabit Ethernet-SR PCI Express Adapter\x90J\x00EC\x07D76809 FN\x0746K'
0000 Large item 42 bytes; name 0x2 Identifier String
b'10 Gigabit Ethernet-SR PCI Express Adapter'
002d Large item 74 bytes; name 0x10
#00 [EC] len=7: b'D76809 '
#0a [FN] len=7: b'46K7897'
#14 [PN] len=7: b'46K7897'
#1e [MN] len=4: b'1037'
#25 [FC] len=4: b'5769'
#2c [SN] len=12: b'YL102035603V'
#3b [NA] len=12: b'00145E992ED1'
007a Small item 1 bytes; name 0xf End Tag
0c00 Large item 16 bytes; name 0x2 Identifier String
b'S310E-SR-X '
0c13 Large item 234 bytes; name 0x10
#00 [PN] len=16: b'TBD '
#13 [EC] len=16: b'110107730D2 '
#26 [SN] len=16: b'97YL102035603V '
#39 [NA] len=12: b'00145E992ED1'
#48 [V0] len=6: b'175000'
#51 [V1] len=6: b'266666'
#5a [V2] len=6: b'266666'
#63 [V3] len=6: b'2000 '
#6c [V4] len=2: b'1 '
#71 [V5] len=6: b'c2 '
#7a [V6] len=6: b'0 '
#83 [V7] len=2: b'1 '
#88 [V8] len=2: b'0 '
#8d [V9] len=2: b'0 '
#92 [VA] len=2: b'0 '
#97 [RV] len=80: b's\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'...
0d00 Large item 252 bytes; name 0x11
#00 [VC] len=16: b'122310_1222 dp '
#13 [VD] len=16: b'610-0001-00 H1\x00\x00'
#26 [VE] len=16: b'122310_1353 fp '
#39 [VF] len=16: b'610-0001-00 H1\x00\x00'
#4c [RW] len=173: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'...
0dff Small item 0 bytes; name 0xf End Tag
10f3 Large item 13315 bytes; name 0x62
!!! unknown item name 98: b'\xd0\x03\x00@`\x0c\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00'
===
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c444cc34534b779d2f2b0edda17444c7a6aab9b5
Author: Noa Osherovich <noaos@mellanox.com>
Date: Tue Nov 15 10:00:00 2016 +0200
PCI: Support INTx masking on ConnectX-4 with firmware x.14.1100+
commit 1600f62534b7b3da7978b43b52231a54c24df287 upstream.
Mellanox devices were marked as having INTx masking ability broken. As a
result, the VFIO driver fails to start when more than one device function
is passed-through to a VM if both have the same INTx pin.
Prior to Connect-IB, Mellanox devices exposed to the operating system one
PCI function per all ports. Starting from Connect-IB, the devices are
function-per-port. When passing the second function to a VM, VFIO will
fail to start.
Exclude ConnectX-4, ConnectX4-Lx and Connect-IB from the list of Mellanox
devices marked as having broken INTx masking:
- ConnectX-4 and ConnectX4-LX firmware version is checked. If INTx
masking is supported, we unmark the broken INTx masking.
- Connect-IB does not support INTx currently so will not cause any
problem.
[bhelgaas: call pci_disable_device() always, after iounmap()]
Fixes: 11e42532ada3 ("PCI: Assume all Mellanox devices have broken INTx masking")
Signed-off-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e2822904ace59b89c054123534b6da6bb82c72c6
Author: Noa Osherovich <noaos@mellanox.com>
Date: Tue Nov 15 09:59:59 2016 +0200
PCI: Convert Mellanox broken INTx quirks to be for listed devices only
commit d76d2fe05fd93673d184af77255bbbc63780f4ea upstream.
Change Mellanox's broken_intx_masking() quirk from an "all Mellanox
devices" to a quirk for listed devices only.
[bhelgaas: remove #defines, reorder to keep other quirks together]
Signed-off-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 890661544739d929cf4c5d9bce460f66ff18cb6c
Author: Noa Osherovich <noaos@mellanox.com>
Date: Tue Nov 15 09:59:58 2016 +0200
PCI: Convert broken INTx masking quirks from HEADER to FINAL
commit b88214ce4d7064992452765028bd50702414f15f upstream.
Convert all quirk_broken_intx_masking() quirks from HEADER to FINAL.
The quirk sets dev->broken_intx_masking, which is only used by
pci_intx_mask_supported(), which is not needed until after FINAL
quirks have been run.
[bhelgaas: changelog]
Signed-off-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 04b97a6be2eddd984ea176bc470d87248d9213d9
Author: Noa Osherovich <noaos@mellanox.com>
Date: Thu Nov 17 16:06:56 2016 -0600
PCI: Add Mellanox device IDs
commit 7254383341bc6e1a61996accd836009f0c922b21 upstream.
Add Mellanox device IDs for use by the mlx4 driver and INTx quirks.
[bhelgaas: sorted and adapted from
http://lkml.kernel.org/r/1478011644-12080-1-git-send-email-noaos@mellanox.com]
Signed-off-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 090cce6f6f88ecf34cee068080800a27b70e993c
Author: Brian Norris <briannorris@chromium.org>
Date: Wed Dec 7 15:06:00 2016 -0600
PCI: rockchip: Correct the use of FTS mask
commit a45e2611b9bbd81288d97d02ce7e74a60a698d43 upstream.
We're trying to mask out bits[23:8] while retaining [32:24, 7:0], but we're
doing the inverse. That doesn't have too much effect, since we're setting
all the [23:8] bits to 1, and the other bits are only relevant for modes
we're currently not using. But we should get this right.
Fixes: ca1989084054 ("PCI: rockchip: Fix wrong transmitted FTS count")
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Shawn Lin <shawn.lin@rock-chips.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6e4bcf8539afce37430c4e56b1520535f0f5ea7a
Author: Shawn Lin <shawn.lin@rock-chips.com>
Date: Wed Dec 7 15:05:59 2016 -0600
PCI: rockchip: Fix negotiated lanes calculation
commit 45e9320f3a4ef9588ee50a2eb1891c4bfdbb07df upstream.
The calculation of negotiated lanes is wrong: it should be shifted by
PCIE_CORE_PL_CONF_LANE_SHIFT, but it is shifted by
PCIE_CORE_PL_CONF_LANE_MASK instead. Let's fix it.
Fixes: e77f847df54c ("PCI: rockchip: Add Rockchip PCIe controller support")
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 257349bedca317b10b25d489082bd32a38480aae
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri Nov 18 09:30:24 2016 -0200
staging: media: davinci_vpfe: unlock on error in vpfe_reqbufs()
commit c4a407b91f4b644145492e28723f9f880efb1da0 upstream.
We should unlock before returning this error code in vpfe_reqbufs().
Fixes: 622897da67b3 ("[media] davinci: vpfe: add v4l2 video driver support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a299abd230818ceb4e68520ba2f442194267cc50
Author: Arnd Bergmann <arnd@arndb.de>
Date: Wed Nov 2 14:52:15 2016 +0100
f2fs: hide a maybe-uninitialized warning
commit 230436b3ef3fd7d4a1da19edf5e87bb2d74e0fc2 upstream.
gcc is unsure about the use of last_ofs_in_node, which might happen
without a prior initialization:
fs/f2fs//git/arm-soc/fs/f2fs/data.c: In function ‘f2fs_map_blocks’:
fs/f2fs/data.c:799:54: warning: ‘last_ofs_in_node’ may be used uninitialized in this function [-Wmaybe-uninitialized]
if (prealloc && dn.ofs_in_node != last_ofs_in_node + 1) {
As pointed out by Chao Yu, the code is actually correct as 'prealloc'
is only set if the last_ofs_in_node has been set, the two always
get updated together.
This initializes last_ofs_in_node to dn.ofs_in_node for each
new dnode at the start of the 'next_block' loop, which at that
point is a correct initialization as well. I assume that compilers
that correctly track the contents of the variables and do not
warn about the condition also figure out that they can eliminate
the extra assignment here.
Fixes: 46008c6d4232 ("f2fs: support in batch multi blocks preallocation")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 725ba1a3ebc49478f76dea369563a79c86546fbd
Author: Jaegeuk Kim <jaegeuk@kernel.org>
Date: Thu Oct 20 19:09:57 2016 -0700
f2fs: remove percpu_count due to performance regression
commit 35782b233f37e48ecc469d9c7232f3f6a7fad41a upstream.
This patch removes percpu_count usage due to performance regression in iozone.
Fixes: 523be8a6b3 ("f2fs: use percpu_counter for page counters")
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5cc85ef4ffe6c3f1d35b75975c5731248c5af4a7
Author: NeilBrown <neilb@suse.com>
Date: Mon Dec 5 16:40:50 2016 +1100
md: fix refcount problem on mddev when stopping array.
commit e2342ca832726a840ca6bd196dd2cc073815b08a upstream.
md_open() gets a counted reference on an mddev using mddev_find().
If it ends up returning an error, it must drop this reference.
There are two error paths where the reference is not dropped.
One only happens if the process is signalled and an awkward time,
which is quite unlikely.
The other was introduced recently in commit af8d8e6f0.
Change the code to ensure the drop the reference when returning an error,
and make it harded to re-introduce this sort of bug in the future.
Reported-by: Marc Smith <marc.smith@mcc.edu>
Fixes: af8d8e6f0315 ("md: changes for MD_STILL_CLOSED flag")
Signed-off-by: NeilBrown <neilb@suse.com>
Acked-by: Guoqing Jiang <gqjiang@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 60a931c20d1a401b79ff742142225c300d545af0
Author: Shaohua Li <shli@fb.com>
Date: Thu Dec 8 15:48:18 2016 -0800
md: MD_RECOVERY_NEEDED is set for mddev->recovery
commit 82a301cb0ea2df8a5c88213094a01660067c7fb4 upstream.
Fixes: 90f5f7ad4f38("md: Wait for md_check_recovery before attempting device
removal.")
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d33a490770e5b5bde66b2773b6e0162039dae11a
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Tue Oct 11 19:15:13 2016 +0100
crypto: arm64/aes-ce - fix for big endian
commit 1803b9a52c4e5a5dbb8a27126f6bc06939359753 upstream.
The core AES cipher implementation that uses ARMv8 Crypto Extensions
instructions erroneously loads the round keys as 64-bit quantities,
which causes the algorithm to fail when built for big endian. In
addition, the key schedule generation routine fails to take endianness
into account as well, when loading the combining the input key with
the round constants. So fix both issues.
Fixes: 12ac3efe74f8 ("arm64/crypto: use crypto instructions to generate AES key schedule")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit eb64cbc5665d6756cebe85977e493fe0507f0bdb
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Tue Oct 11 19:15:19 2016 +0100
crypto: arm64/aes-xts-ce: fix for big endian
commit caf4b9e2b326cc2a5005a5c557274306536ace61 upstream.
Emit the XTS tweak literal constants in the appropriate order for a
single 128-bit scalar literal load.
Fixes: 49788fe2a128 ("arm64/crypto: AES-ECB/CBC/CTR/XTS using ARMv8 NEON and Crypto Extensions")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c3edfe038a75ff264fd97cf29f7773e3143df14f
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Tue Oct 11 19:15:15 2016 +0100
crypto: arm64/sha1-ce - fix for big endian
commit ee71e5f1e7d25543ee63a80451871f8985b8d431 upstream.
The SHA1 digest is an array of 5 32-bit quantities, so we should refer
to them as such in order for this code to work correctly when built for
big endian. So replace 16 byte scalar loads and stores with 4x4 vector
ones where appropriate.
Fixes: 2c98833a42cd ("arm64/crypto: SHA-1 using ARMv8 Crypto Extensions")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 39b7e1c2fdda93d632c38b457f865dcacc8fa01a
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Tue Oct 11 19:15:18 2016 +0100
crypto: arm64/aes-neon - fix for big endian
commit a2c435cc99862fd3d165e1b66bf48ac72c839c62 upstream.
The AES implementation using pure NEON instructions relies on the generic
AES key schedule generation routines, which store the round keys as arrays
of 32-bit quantities stored in memory using native endianness. This means
we should refer to these round keys using 4x4 loads rather than 16x1 loads.
In addition, the ShiftRows tables are loading using a single scalar load,
which is also affected by endianness, so emit these tables in the correct
order depending on whether we are building for big endian or not.
Fixes: 49788fe2a128 ("arm64/crypto: AES-ECB/CBC/CTR/XTS using ARMv8 NEON and Crypto Extensions")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d018dc9540f729699f6f96802e67c1dac1a4769d
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Tue Oct 11 19:15:17 2016 +0100
crypto: arm64/aes-ccm-ce: fix for big endian
commit 56e4e76c68fcb51547b5299e5b66a135935ff414 upstream.
The AES-CCM implementation that uses ARMv8 Crypto Extensions instructions
refers to the AES round keys as pairs of 64-bit quantities, which causes
failures when building the code for big endian. In addition, it byte swaps
the input counter unconditionally, while this is only required for little
endian builds. So fix both issues.
Fixes: 12ac3efe74f8 ("arm64/crypto: use crypto instructions to generate AES key schedule")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e6ce55f7be903ec5cecfa0953fb4960d72b961a7
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Tue Oct 11 19:15:20 2016 +0100
crypto: arm/aes-ce - fix for big endian
commit 58010fa6f71c9577922b22e46014b95a4ec80fa0 upstream.
The AES key schedule generation is mostly endian agnostic, with the
exception of the rotation and the incorporation of the round constant
at the start of each round. So implement a big endian specific version
of that part to make the whole routine big endian compatible.
Fixes: 86464859cc77 ("crypto: arm - AES in ECB/CBC/CTR/XTS modes using ARMv8 Crypto Extensions")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a7c9666735f4953199bdebdbc04a85e34fff97a2
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Tue Oct 11 19:15:14 2016 +0100
crypto: arm64/ghash-ce - fix for big endian
commit 9c433ad5083fd4a4a3c721d86cbfbd0b2a2326a5 upstream.
The GHASH key and digest are both pairs of 64-bit quantities, but the
GHASH code does not always refer to them as such, causing failures when
built for big endian. So replace the 16x1 loads and stores with 2x8 ones.
Fixes: b913a6404ce2 ("arm64/crypto: improve performance of GHASH algorithm")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cdeaed7dda7bc0946d9fbf5ea75821c130f95a4b
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Tue Oct 11 19:15:16 2016 +0100
crypto: arm64/sha2-ce - fix for big endian
commit 174122c39c369ed924d2608fc0be0171997ce800 upstream.
The SHA256 digest is an array of 8 32-bit quantities, so we should refer
to them as such in order for this code to work correctly when built for
big endian. So replace 16 byte scalar loads and stores with 4x32 vector
ones where appropriate.
Fixes: 6ba6c74dfc6b ("arm64/crypto: SHA-224/SHA-256 using ARMv8 Crypto Extensions")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a05aa258b237535df67926204b359b1dacc03ed1
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri Nov 18 14:11:00 2016 +0300
s390/crypto: unlock on error in prng_tdes_read()
commit 9e6e7c74315095fd40f41003850690c711e44420 upstream.
We added some new locking but forgot to unlock on error.
Fixes: 57127645d79d ("s390/zcrypt: Introduce new SHA-512 based Pseudo Random Generator.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5d7d362abc408e69ee229459fba21f833f2f5bf1
Author: Ming Ling <ming.ling@spreadtrum.com>
Date: Mon Dec 12 16:42:26 2016 -0800
mm, compaction: fix NR_ISOLATED_* stats for pfn based migration
commit 6afcf8ef0ca0a69d014f8edb613d94821f0ae700 upstream.
Since commit bda807d44454 ("mm: migrate: support non-lru movable page
migration") isolate_migratepages_block) can isolate !PageLRU pages which
would acct_isolated account as NR_ISOLATED_*. Accounting these non-lru
pages NR_ISOLATED_{ANON,FILE} doesn't make any sense and it can misguide
heuristics based on those counters such as pgdat_reclaimable_pages resp.
too_many_isolated which would lead to unexpected stalls during the
direct reclaim without any good reason. Note that
__alloc_contig_migrate_range can isolate a lot of pages at once.
On mobile devices such as 512M ram android Phone, it may use a big zram
swap. In some cases zram(zsmalloc) uses too many non-lru but
migratedable pages, such as:
MemTotal: 468148 kB
Normal free:5620kB
Free swap:4736kB
Total swap:409596kB
ZRAM: 164616kB(zsmalloc non-lru pages)
active_anon:60700kB
inactive_anon:60744kB
active_file:34420kB
inactive_file:37532kB
Fix this by only accounting lru pages to NR_ISOLATED_* in
isolate_migratepages_block right after they were isolated and we still
know they were on LRU. Drop acct_isolated because it is called after
the fact and we've lost that information. Batching per-cpu counter
doesn't make much improvement anyway. Also make sure that we uncharge
only LRU pages when putting them back on the LRU in
putback_movable_pages resp. when unmap_and_move migrates the page.
[mhocko@suse.com: replace acct_isolated() with direct counting]
Fixes: bda807d44454 ("mm: migrate: support non-lru movable page migration")
Link: http://lkml.kernel.org/r/20161019080240.9682-1-mhocko@kernel.org
Signed-off-by: Ming Ling <ming.ling@spreadtrum.com>
Signed-off-by: Michal Hocko <mhocko@suse.com>
Acked-by: Minchan Kim <minchan@kernel.org>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Joonsoo Kim <js1304@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dc1b6d0aed97a5e7c95afd1a2eff20151f440513
Author: Johannes Weiner <hannes@cmpxchg.org>
Date: Mon Dec 12 16:43:35 2016 -0800
mm: khugepaged: fix radix tree node leak in shmem collapse error path
commit 59749e6ce53735d8b696763742225f126e94603f upstream.
The radix tree counts valid entries in each tree node. Entries stored
in the tree cannot be removed by simpling storing NULL in the slot or
the internal counters will be off and the node never gets freed again.
When collapsing a shmem page fails, restore the holes that were filled
with radix_tree_insert() with a proper radix tree deletion.
Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages")
Link: http://lkml.kernel.org/r/20161117191138.22769-3-hannes@cmpxchg.org
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Reported-by: Jan Kara <jack@suse.cz>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Hugh Dickins <hughd@google.com>
Cc: Matthew Wilcox <mawilcox@linuxonhyperv.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 058a4a534c2392ce6a70ea8372b635de2af1d48f
Author: Johannes Weiner <hannes@cmpxchg.org>
Date: Mon Dec 12 16:43:32 2016 -0800
mm: khugepaged: close use-after-free race during shmem collapsing
commit 91a45f71078a6569ec3ca5bef74e1ab58121d80e upstream.
Patch series "mm: workingset: radix tree subtleties & single-page file
refaults", v3.
This is another revision of the radix tree / workingset patches based on
feedback from Jan and Kirill.
This is a follow-up to d3798ae8c6f3 ("mm: filemap: don't plant shadow
entries without radix tree node"). That patch fixed an issue that was
caused mainly by the page cache sneaking special shadow page entries
into the radix tree and relying on subtleties in the radix tree code to
make that work. The fix also had to stop tracking refaults for
single-page files because shadow pages stored as direct pointers in
radix_tree_root->rnode weren't properly handled during tree extension.
These patches make the radix tree code explicitely support and track
such special entries, to eliminate the subtleties and to restore the
thrash detection for single-page files.
This patch (of 9):
When a radix tree iteration drops the tree lock, another thread might
swoop in and free the node holding the current slot. The iteration
needs to do another tree lookup from the current index to continue.
[kirill.shutemov@linux.intel.com: re-lookup for replacement]
Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages")
Link: http://lkml.kernel.org/r/20161117191138.22769-2-hannes@cmpxchg.org
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Hugh Dickins <hughd@google.com>
Cc: Matthew Wilcox <mawilcox@linuxonhyperv.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cd6d9ffffc4c2ce545e9d8dfcc7fe562cb02b4ea
Author: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Date: Mon Nov 14 14:32:27 2016 -0200
docs-rst: fix LaTeX \DURole renewcommand with Sphinx 1.3+
commit e2a91f4f42018994d7424d405900d17eba6555d0 upstream.
PDF build on Kernel 4.9-rc? returns an error with Sphinx 1.3.x
and Sphinx 1.4.x, when trying to solve some cross-references.
The solution is to redefine the \DURole macro.
However, this is redefined too late. Move such redefinition to
LaTeX preamble and bind it to just the Sphinx versions where the
error is known to be present.
Tested by building the documentation on interactive mode:
make PDFLATEX=xelatex -C Documentation/output/./latex
Fixes: e61a39baf74d ("[media] index.rst: Fix LaTeX error in interactive mode on Sphinx 1.4.x")
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 66c6770379368ba0738a61c2317edc0ca324b902
Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Date: Mon Dec 12 16:41:56 2016 -0800
mm/hugetlb.c: use the right pte val for compare in hugetlb_cow
commit 3999f52e3198e76607446ab1a4610c1ddc406c56 upstream.
We cannot use the pte value used in set_pte_at for pte_same comparison,
because archs like ppc64, filter/add new pte flag in set_pte_at.
Instead fetch the pte value inside hugetlb_cow. We are comparing pte
value to make sure the pte didn't change since we dropped the page table
lock. hugetlb_cow get called with page table lock held, and we can take
a copy of the pte value before we drop the page table lock.
With hugetlbfs, we optimize the MAP_PRIVATE write fault path with no
previous mapping (huge_pte_none entries), by forcing a cow in the fault
path. This avoid take an addition fault to covert a read-only mapping
to read/write. Here we were comparing a recently instantiated pte (via
set_pte_at) to the pte values from linux page table. As explained above
on ppc64 such pte_same check returned wrong result, resulting in us
taking an additional fault on ppc64.
Fixes: 6a119eae942c ("powerpc/mm: Add a _PAGE_PTE bit")
Link: http://lkml.kernel.org/r/20161018154245.18023-1-aneesh.kumar@linux.vnet.ibm.com
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Reported-by: Jan Stancek <jstancek@redhat.com>
Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Scott Wood <scottwood@freescale.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 17df3e74fb5174bc9fc078fd640dc3b2762f0ca1
Author: Bjorn Andersson <bjorn.andersson@linaro.org>
Date: Thu Dec 1 16:59:55 2016 -0800
rpmsg: qcom_smd: Correct return value for O_NONBLOCK
commit 1d74e7ed5dc1903ac081574a9b6aa94e7ba4ad45 upstream.
qcom_smd_send() should return -EAGAIN for non-blocking channels with
insufficient space, so that we can propagate this event to user space.
Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend")
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1d8286ccbcc6f2f5abca386430825e4c3983edc7
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon Nov 14 14:31:34 2016 +0300
mmc: mmc_test: Uninitialized return value
commit 16652a936e96f5dae53c3fbd38a570497baadaa8 upstream.
We never set "ret" to RESULT_OK.
Fixes: 9f9c4180f88d ("mmc: mmc_test: add test for non-blocking transfers")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 74e365e69687bb250fa71ba5ba389cd2680d843f
Author: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
Date: Wed Dec 14 16:01:12 2016 -0200
genirq/affinity: Fix node generation from cpumask
commit c0af52437254fda8b0cdbaae5a9b6d9327f1fcd5 upstream.
Commit 34c3d9819fda ("genirq/affinity: Provide smarter irq spreading
infrastructure") introduced a better IRQ spreading mechanism, taking
account of the available NUMA nodes in the machine.
Problem is that the algorithm of retrieving the nodemask iterates
"linearly" based on the number of online nodes - some architectures
present non-linear node distribution among the nodemask, like PowerPC.
If this is the case, the algorithm lead to a wrong node count number
and therefore to a bad/incomplete IRQ affinity distribution.
For example, this problem were found in a machine with 128 CPUs and two
nodes, namely nodes 0 and 8 (instead of 0 and 1, if it was linearly
distributed). This led to a wrong affinity distribution which then led to
a bad mq allocation for nvme driver.
Finally, we take the opportunity to fix a comment regarding the affinity
distribution when we have _more_ nodes than vectors.
Fixes: 34c3d9819fda ("genirq/affinity: Provide smarter irq spreading infrastructure")
Reported-by: Gabriel Krisman Bertazi <gabriel@krisman.be>
Signed-off-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Gabriel Krisman Bertazi <gabriel@krisman.be>
Reviewed-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Cc: linux-pci@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: hch@lst.de
Link: http://lkml.kernel.org/r/1481738472-2671-1-git-send-email-gpiccoli@linux.vnet.ibm.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 65f796837e0051e11334b0c075b153d5d3d4d2c5
Author: Tony Lindgren <tony@atomide.com>
Date: Mon Dec 5 16:38:16 2016 -0800
PM / wakeirq: Fix dedicated wakeirq for drivers not using autosuspend
commit bed570307ed78f21b77cb04a1df781dee4a8f05a upstream.
I noticed some wakeirq flakeyness with consumer drivers not using
autosuspend. For drivers not using autosuspend, the wakeirq may never
get unmasked in rpm_suspend() because of irq desc->depth.
We are configuring dedicated wakeirqs to start with IRQ_NOAUTOEN as we
naturally don't want them running until rpm_suspend() is called.
However, when a consumer driver initially calls pm_runtime_get(), we
now wrongly start with disable_irq_nosync() call on the dedicated
wakeirq that is disabled to start with.
This causes desc->depth to toggle between 1 and 2 instead of the usual
0 and 1. This can prevent enable_irq() from unmasking the wakeirq as
that only happens at desc->depth 1.
This does not necessarily show up with drivers using autosuspend as
there is time for disable_irq_nosync() before rpm_suspend() gets called
after the autosuspend timeout.
Let's fix the issue by adding wirq->status that lazily gets set on
the first rpm_suspend(). We also need PM runtime core private functions
for dev_pm_enable_wake_irq_check() and dev_pm_disable_wake_irq_check()
so we can enable the dedicated wakeirq on the first rpm_suspend().
While at it, let's also fix the comments for dev_pm_enable_wake_irq()
and dev_pm_disable_wake_irq(). Those can still be used by the consumer
drivers as needed because the IRQ core manages the interrupt usecount
for us.
Fixes: 4990d4fe327b (PM / Wakeirq: Add automated device wake IRQ handling)
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3b198ddd5855a5073bac27571394963b87d26613
Author: Florian Fainelli <f.fainelli@gmail.com>
Date: Mon Oct 31 14:17:35 2016 -0700
irqchip/bcm7038-l1: Implement irq_cpu_offline() callback
commit 34c535793bcbf9263cf22f8a52101f796cdfab8e upstream.
We did not implement an irq_cpu_offline callback for our irqchip, yet we
support setting a given IRQ's affinity. This resulted in interrupts
whose affinity mask included CPUs being taken offline not to work
correctly once the CPU had been put offline.
Fixes: 5f7f0317ed28 ("IRQCHIP: Add new driver for BCM7038-style level 1 interrupt controllers")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Cc: linux-mips@linux-mips.org
Cc: jason@lakedaemon.net
Cc: marc.zyngier@arm.com
Cc: cernekee@gmail.com
Cc: jaedon.shin@gmail.com
Cc: ralf@linux-mips.org
Cc: justinpopo6@gmail.com
Link: http://lkml.kernel.org/r/1477948656-12966-2-git-send-email-f.fainelli@gmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5cbea795f4d13184ff42307daea5a7dc7c046e5f
Author: Jan Beulich <JBeulich@suse.com>
Date: Tue Nov 8 00:43:54 2016 -0700
PCI/MSI: Check for NULL affinity mask in pci_irq_get_affinity()
commit d1d111e073840b8dbc1ae90ba3fc274736451bdc upstream.
If msi_setup_entry() fails to allocate an affinity mask, it logs a message
but continues on and allocates an MSI entry with entry->affinity == NULL.
Check for this case in pci_irq_get_affinity() so we don't try to
dereference a NULL pointer.
[bhelgaas: changelog]
Fixes: ee8d41e53efe "pci/msi: Retrieve affinity for a vector"
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
CC: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 825e6a0f7c51cc2c7e56604d2ea89c86aebef914
Author: Eric Richter <erichte@linux.vnet.ibm.com>
Date: Thu Oct 13 17:47:36 2016 -0500
ima: fix memory leak in ima_release_policy
commit 9a11a18902bc3b904353063763d06480620245a6 upstream.
When the "policy" securityfs file is opened for read, it is opened as a
sequential file. However, when it is eventually released, there is no
cleanup for the sequential file, therefore some memory is leaked.
This patch adds a call to seq_release() in ima_release_policy() to clean up
the memory when the file is opened for read.
Fixes: 80eae209d63a IMA: allow reading back the current policy
Reported-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com>
Tested-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c4c11b4bdbf684540f9baf9f17fc1c7fb688f1fb
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed Dec 14 15:05:38 2016 -0800
relay: check array offset before using it
commit 9a29d0fbc2d9ad99fb8a981ab72548cc360e9d4c upstream.
Smatch complains that we started using the array offset before we
checked that it was valid.
Fixes: 017c59c042d0 ('relay: Use per CPU constructs for the relay channel buffer pointers')
Link: http://lkml.kernel.org/r/20161013084947.GC16198@mwanda
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3dd50a5e2be97d1c68545a44851be97294bfdcc7
Author: Bart Van Assche <bart.vanassche@sandisk.com>
Date: Fri Nov 18 15:40:31 2016 -0800
sbp-target: Fix second argument of percpu_ida_alloc()
commit 8456066a57940b3884aa080c58b166567dc9de39 upstream.
Pass a task state as second argument to percpu_ida_alloc().
Fixes: commit 5a3ee221b543 ("sbp-target: Conversion to percpu_ida tag pre-allocation")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Cc: Chris Boot <bootc@bootc.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0e79a6b4567704970076a5b933bc1736234610ec
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue Dec 13 15:27:04 2016 +0300
target/iscsi: Fix double free in lio_target_tiqn_addtpg()
commit a91918cd3ea11f91c68e08e1e8ce1b560447a80e upstream.
This iscsit_tpg_add_portal_group() function is only called from
lio_target_tiqn_addtpg(). Both functions free the "tpg" pointer on
error so it's a double free bug. The memory is allocated in the caller
so it should be freed in the caller and not here.
Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
[ bvanassche: Added "Fix" at start of patch title ]
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 962a12f8e523b984d77cb5063a722a8d9536cffc
Author: Arnd Bergmann <arnd@arndb.de>
Date: Wed Nov 16 16:08:34 2016 +0100
scsi: mvsas: fix command_active typo
commit af15769ffab13d777e55fdef09d0762bf0c249c4 upstream.
gcc-7 notices that the condition in mvs_94xx_command_active looks
suspicious:
drivers/scsi/mvsas/mv_94xx.c: In function 'mvs_94xx_command_active':
drivers/scsi/mvsas/mv_94xx.c:671:15: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context]
This was introduced when the mv_printk() statement got added, and leads
to the condition being ignored. This is probably harmless.
Changing '&&' to '&' makes the code look reasonable, as we check the
command bit before setting and printing it.
Fixes: a4632aae8b66 ("[SCSI] mvsas: Add new macros and functions")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5157e98aa024c5ef3d5c3b27cb7203f34073ed26
Author: Ondrej Zary <linux@rainbow-software.org>
Date: Fri Nov 11 10:00:20 2016 +1100
scsi: g_NCR5380: Fix release_region in error handling
commit 7b93ca43b7e21fbe6fb1a6f4ecce4a2f70f424a0 upstream.
When a SW-configurable card is specified but not found, the driver
releases wrong region, causing the following message in kernel log:
Trying to free nonexistent resource <0000000000000000-000000000000000f>
Fix it by assigning base earlier.
Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
Fixes: a8cfbcaec0c1 ("scsi: g_NCR5380: Stop using scsi_module.c")
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d451b3cc89c7f0c037281272d70539cd612ba539
Author: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Date: Fri Oct 21 14:18:48 2016 +0100
ASoC: samsung: i2s: Fixup last IRQ unsafe spin lock call
commit 5faf071d08ddd1c1be66deaa93a09ccf43f5b538 upstream.
Unfortunately, I seem to have missed a case where an IRQ safe spinlock was
required, in samsung_i2s_dai_remove, when I fixed up the other calls in
this patch:
316fa9e09ad7 ("ASoC: samsung: Use IRQ safe spin lock calls")
This causes a lockdep warning when unbinding and rebinding the audio card:
[ 104.357664] CPU0 CPU1
[ 104.362174] ---- ----
[ 104.366692] lock(&(&pri_dai->spinlock)->rlock);
[ 104.371372] local_irq_disable();
[ 104.377283] lock(&(&substream->self_group.lock)->rlock);
[ 104.385259] lock(&(&pri_dai->spinlock)->rlock);
[ 104.392469] <Interrupt>
[ 104.395072] lock(&(&substream->self_group.lock)->rlock);
[ 104.400710]
[ 104.400710] *** DEADLOCK ***
Fixes: ce8bcdbb61d9 ("ASoC: samsung: i2s: Protect more registers with a spinlock")
Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 574bac4f402239d8dc5cb15952a93eba0602c646
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu Oct 13 11:55:48 2016 +0300
ASoC: Intel: Skylake: Fix a shift wrapping bug
commit c8eabf821cac120afb78ca251b07cbf520406a7e upstream.
"*val" is a u64. It definitely looks like we intend to use the high 32
bits as well.
Fixes: 700a9a63f9c1 ("ASoC: Intel: Skylake: Add module instance id generation APIs")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Tested-by: Kranthi G <gudishax.kranthikumar@intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d61a969f0e941de5ec682d6236cc9d5fa54bf85b
Author: Takashi Iwai <tiwai@suse.de>
Date: Tue Nov 22 18:11:08 2016 +0100
ASoC: cht_bsw_rt5645: Fix leftover kmalloc
commit a823a17981a73faa115bc0f7eda0190763075e2c upstream.
cht_bsw_rt5645 driver allocates the own codec_id string but doesn't
release it. For simplicity, put the string in cht_mc_private; then
the string is allocated in a shot and released altogether.
Fixes: c8560b7c917f ("ASoC: cht_bsw_rt5645: Fix writing to string literal")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 311742c40da94fed4e4492c38ed456963ed4ecd6
Author: Arnd Bergmann <arnd@arndb.de>
Date: Tue Nov 8 14:38:52 2016 +0100
ASoC: lpass-platform: initialize dma channel number
commit 3b89e4b77ef9c2f985964fab17032db98f074ed0 upstream.
A bugfix accidentally removed the implicit initialization of the
dma channel number, causing undefined behavior when
v->alloc_dma_channel is NULL:
sound/soc/qcom/lpass-platform.c: In function ‘lpass_platform_pcmops_open’:
sound/soc/qcom/lpass-platform.c:83:29: error: ‘dma_ch’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
This adds back an explicit initialization to zero, restoring the
previous behavior for that case.
Fixes: 022d00ee0b55 ("ASoC: lpass-platform: Fix broken pcm data usage")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Kenneth Westfield <kwestfie@codeaurora.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit afd7e2b4258aa4b01720a2d65846030b3a06689f
Author: Xunlei Pang <xlpang@redhat.com>
Date: Mon Dec 5 20:09:07 2016 +0800
iommu/vt-d: Flush old iommu caches for kdump when the device gets context mapped
commit aec0e86172a79eb5e44aff1055bb953fe4d47c59 upstream.
We met the DMAR fault both on hpsa P420i and P421 SmartArray controllers
under kdump, it can be steadily reproduced on several different machines,
the dmesg log is like:
HP HPSA Driver (v 3.4.16-0)
hpsa 0000:02:00.0: using doorbell to reset controller
hpsa 0000:02:00.0: board ready after hard reset.
hpsa 0000:02:00.0: Waiting for controller to respond to no-op
DMAR: Setting identity map for device 0000:02:00.0 [0xe8000 - 0xe8fff]
DMAR: Setting identity map for device 0000:02:00.0 [0xf4000 - 0xf4fff]
DMAR: Setting identity map for device 0000:02:00.0 [0xbdf6e000 - 0xbdf6efff]
DMAR: Setting identity map for device 0000:02:00.0 [0xbdf6f000 - 0xbdf7efff]
DMAR: Setting identity map for device 0000:02:00.0 [0xbdf7f000 - 0xbdf82fff]
DMAR: Setting identity map for device 0000:02:00.0 [0xbdf83000 - 0xbdf84fff]
DMAR: DRHD: handling fault status reg 2
DMAR: [DMA Read] Request device [02:00.0] fault addr fffff000 [fault reason 06] PTE Read access is not set
hpsa 0000:02:00.0: controller message 03:00 timed out
hpsa 0000:02:00.0: no-op failed; re-trying
After some debugging, we found that the fault addr is from DMA initiated at
the driver probe stage after reset(not in-flight DMA), and the corresponding
pte entry value is correct, the fault is likely due to the old iommu caches
of the in-flight DMA before it.
Thus we need to flush the old cache after context mapping is setup for the
device, where the device is supposed to finish reset at its driver probe
stage and no in-flight DMA exists hereafter.
I'm not sure if the hardware is responsible for invalidating all the related
caches allocated in the iommu hardware before, but seems not the case for hpsa,
actually many device drivers have problems in properly resetting the hardware.
Anyway flushing (again) by software in kdump kernel when the device gets context
mapped which is a quite infrequent operation does little harm.
With this patch, the problematic machine can survive the kdump tests.
CC: Myron Stowe <myron.stowe@gmail.com>
CC: Joseph Szczypek <jszczype@redhat.com>
CC: Don Brace <don.brace@microsemi.com>
CC: Baoquan He <bhe@redhat.com>
CC: Dave Young <dyoung@redhat.com>
Fixes: 091d42e43d21 ("iommu/vt-d: Copy translation tables from old kernel")
Fixes: dbcd861f252d ("iommu/vt-d: Do not re-use domain-ids from the old kernel")
Fixes: cf484d0e6939 ("iommu/vt-d: Mark copied context entries")
Signed-off-by: Xunlei Pang <xlpang@redhat.com>
Tested-by: Don Brace <don.brace@microsemi.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ef41459ab279edd5fa11da4efac4aa0155c06a35
Author: Jacob Pan <jacob.jun.pan@linux.intel.com>
Date: Tue Dec 6 10:14:23 2016 -0800
iommu/vt-d: Fix pasid table size encoding
commit 65ca7f5f7d1cdde6c25172fe6107cd16902f826f upstream.
Different encodings are used to represent supported PASID bits
and number of PASID table entries.
The current code assigns ecap_pss directly to extended context
table entry PTS which is wrong and could result in writing
non-zero bits to the reserved fields. IOMMU fault reason
11 will be reported when reserved bits are nonzero.
This patch converts ecap_pss to extend context entry pts encoding
based on VT-d spec. Chapter 9.4 as follows:
- number of PASID bits = ecap_pss + 1
- number of PASID table entries = 2^(pts + 5)
Software assigned limit of pasid_max value is also respected to
match the allocation limitation of PASID table.
cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
cc: Ashok Raj <ashok.raj@intel.com>
Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
Tested-by: Mika Kuoppala <mika.kuoppala@intel.com>
Fixes: 2f26e0a9c9860 ('iommu/vt-d: Add basic SVM PASID support')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2148835de3c2410bfb6c64037187a1b72f6d6488
Author: Huang Rui <ray.huang@amd.com>
Date: Mon Dec 12 07:28:26 2016 -0500
iommu/amd: Fix the left value check of cmd buffer
commit 432abf68a79332282329286d190e21fe3ac02a31 upstream.
The generic command buffer entry is 128 bits (16 bytes), so the offset
of tail and head pointer should be 16 bytes aligned and increased with
0x10 per command.
When cmd buf is full, head = (tail + 0x10) % CMD_BUFFER_SIZE.
So when left space of cmd buf should be able to store only two
command, we should be issued one COMPLETE_WAIT additionally to wait
all older commands completed. Then the left space should be increased
after IOMMU fetching from cmd buf.
So left check value should be left <= 0x20 (two commands).
Signed-off-by: Huang Rui <ray.huang@amd.com>
Fixes: ac0ea6e92b222 ('x86/amd-iommu: Improve handling of full command buffer')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 48ffae87e91346382790af10d793cba4d2e1d341
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu Nov 24 14:05:44 2016 +0300
iommu/amd: Missing error code in amd_iommu_init_device()
commit 24c790fbf5d8f54c8c82979db11edea8855b74bf upstream.
We should set "ret" to -EINVAL if iommu_group_get() fails.
Fixes: 55c99a4dc50f ("iommu/amd: Use iommu_attach_group()")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 54eed7ab1367f3d802ba516a60967e8547224a55
Author: Chris Brandt <chris.brandt@renesas.com>
Date: Thu Dec 15 12:00:27 2016 -0500
clk: renesas: mstp: Support 8-bit registers for r7s72100
commit e2a33c34ddff22ee208d80abdd12b88a98d6cb60 upstream.
The RZ/A1 is different than the other Renesas SOCs because the MSTP
registers are 8-bit instead of 32-bit and if you try writing values as
32-bit nothing happens...meaning this driver never worked for r7s72100.
Fixes: b6face404f38 ("ARM: shmobile: r7s72100: add essential clock nodes to dtsi")
Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5dd700e897e4d1f74fde0826ed2ed7db08c47327
Author: Vladimir Zapolskiy <vz@mleia.com>
Date: Mon Sep 26 03:03:42 2016 +0300
clk: imx31: fix rewritten input argument of mx31_clocks_init()
commit bae203d58b7dce89664071b3fafe20cedaa3e4f6 upstream.
Function mx31_clocks_init() is called during clock intialization on
legacy boards with reference clock frequency passed as its input
argument, this can be verified by examination of the function
declaration found in arch/arm/mach-imx/common.h and actual function
users which include that header file.
Inside CCF driver the function ignores its input argument, by chance
the used value in the function body is the same as input arguments on
side of all callers.
Fixes: d9388c843237 ("clk: imx31: Do not call mxc_timer_init twice when booting with DT")
Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6c9f628468723e85fa59651e258bd462091692ad
Author: Chen-Yu Tsai <wens@csie.org>
Date: Fri Nov 11 18:05:58 2016 +0800
clk: sunxi-ng: sun8i-h3: Set CLK_SET_RATE_PARENT for audio module clocks
commit 0f6f9302b819ca352cfd4f42c18ec08d521f9cae upstream.
The audio module clocks are supposed to be set according to the sample
rate of the audio stream. The audio PLL provides the clock signal for
these module clocks, and only it is freely tunable.
Set CLK_SET_RATE_PARENT for the audio module clocks so their users can
properly tune the clock rate.
Fixes: 0577e4853bfb ("clk: sunxi-ng: Add H3 clocks")
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 36a6f7005f38b86b938ab3b697ca61a6693eec1e
Author: Chen-Yu Tsai <wens@csie.org>
Date: Fri Nov 11 18:05:57 2016 +0800
clk: sunxi-ng: sun8i-a23: Set CLK_SET_RATE_PARENT for audio module clocks
commit 937ff9ded8b6ebe8963ade55bdd77a61ded88075 upstream.
The audio module clocks are supposed to be set according to the sample
rate of the audio stream. The audio PLL provides the clock signal for
these module clocks, and only it is freely tunable.
Set CLK_SET_RATE_PARENT for the audio module clocks so their users can
properly tune the clock rate.
Fixes: 5690879d93e8 ("clk: sunxi-ng: Add A23 CCU")
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7af503c02b33504c82a88bc165e5ef77239faebd
Author: Grygorii Strashko <grygorii.strashko@ti.com>
Date: Tue Nov 29 17:07:57 2016 -0600
clk: ti: dra7: fix "failed to lookup clock node gmac_gmii_ref_clk_div" boot message
commit f8d17344a60921c2387759fc0a85aa64299d1ec6 upstream.
Prevent creating clk alias for non existing gmac_gmii_ref_clk_div clock and,
this way, eliminate excessive error message during boot:
"ti_dt_clocks_register: failed to lookup clock node gmac_gmii_ref_clk_div"
Fixes: c097338ebd3f ("ARM: dts: dra7: cpsw: fix clocks tree")
Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 411873a0390e8378bb47e1d5e03fb0b95fd2efb4
Author: Pan Bian <bianpan2016@163.com>
Date: Thu Dec 1 14:25:44 2016 +0800
clk: clk-wm831x: fix a logic error
commit 20979202ee6e4c68dab7bcf408787225a656d18e upstream.
Fix bug https://bugzilla.kernel.org/show_bug.cgi?id=188561. Function
wm831x_clkout_is_prepared() returns "true" when it fails to read
CLOCK_CONTROL_1. "true" means the device is already prepared. So
return "true" on the read failure seems improper.
Signed-off-by: Pan Bian <bianpan2016@163.com>
Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Fixes: f05259a6ffa4 ("clk: wm831x: Add initial WM831x clock driver")
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e3b665ef41106381a7ad3e6bbdf2ebba7682cc25
Author: Stephen Boyd <sboyd@codeaurora.org>
Date: Wed Nov 9 17:08:28 2016 -0800
clk: qcom: ipq806x: Fix board clk rates
commit cbf2e548ca8ad4bb274d014e9a70bd841d29948e upstream.
The clocks on these boards run at 25 MHz, not 19.2 and 27 like
other platforms. Unfortunately I copy/pasted from other similar
SoCs but forgot this one is different. Fix it.
Fixes: a085f877a882 ("clk: qcom: Move cxo/pxo/xo into dt files")
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 447433e5f804b1a73beb9b1051b9f847541442f0
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed Nov 16 17:23:22 2016 -0800
Input: synaptics-rmi4 - unlock on error
commit 792f497b22afd0563b94dd8fa129a05f762a2c25 upstream.
We should unlock before returning on this error path.
Fixes: 3a762dbd5347 ('[media] Input: synaptics-rmi4 - add support for F54 diagnostics')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 584cb7dd15a3779a8f9a4ac2ec117f1f73bda83d
Author: Michael Walle <michael@walle.cc>
Date: Mon Jan 2 17:53:39 2017 +0100
hwmon: (lm90) fix temp1_max_alarm attribute
commit e9572fdd13e299cfba03abbfd2786c84ac055249 upstream.
Since commit commit eb1c8f4325d5 ("hwmon: (lm90) Convert to use new hwmon
registration API") the temp1_max_alarm and temp1_crit_alarm attributes are
mapped to the same alarm bit. Fix the typo.
Fixes: eb1c8f4325d5 ("hwmon: (lm90) Convert to use new hwmon registration API")
Signed-off-by: Micehael Walle <michael@walle.cc>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2aca9a4fe104e6e8d7ddca7042fe6d5379ead7f9
Author: Guenter Roeck <linux@roeck-us.net>
Date: Sun Dec 11 13:27:42 2016 -0800
hwmon: (g762) Fix overflows and crash seen when writing limit attributes
commit 4fccd4a1e8944033bcd7693ea4e8fb478cd2059a upstream.
Fix overflows seen when writing into fan speed limit attributes.
Also fix crash due to division by zero, seen when certain very
large values (such as 2147483648, or 0x80000000) are written
into fan speed limit attributes.
Fixes: 594fbe713bf60 ("Add support for GMT G762/G763 PWM fan controllers")
Cc: Arnaud Ebalard <arno@natisbad.org>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 81616a9f751e9b08a90d13c79e6ca73a74c4b446
Author: Guenter Roeck <linux@roeck-us.net>
Date: Sun Dec 4 18:15:25 2016 -0800
hwmon: (nct7802) Fix overflows seen when writing into limit attributes
commit c0d04e9112ad59d73f23f3b0f6726c5e798dfcbf upstream.
Fix overflows seen when writing voltage and temperature limit attributes.
The value passed to DIV_ROUND_CLOSEST() needs to be clamped, and the
value parameter passed to nct7802_write_fan_min() is an unsigned long.
Also, writing values larger than 2700000 into a fan limit attribute results
in writing 0 into the chip's limit registers. The exact behavior when
writing this value is unspecified. For consistency, report a limit of
1350000 if the chip register reads 0. This may be wrong, and the chip
behavior should be verified with the actual chip, but it is better than
reporting a value of 0 (which, when written, results in writing a value
of 0x1fff into the chip register).
Fixes: 3434f3783580 ("hwmon: Driver for Nuvoton NCT7802Y")
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a69a6ebd036a6c7edf89db09ca358927c158dbe4
Author: Guenter Roeck <linux@roeck-us.net>
Date: Sun Nov 20 10:37:39 2016 -0800
hwmon: (ds620) Fix overflows seen when writing temperature limits
commit e36ce99ee0815d7919a7b589bfb66f3de50b6bc7 upstream.
Module test reports:
temp1_max: Suspected overflow: [160000 vs. 0]
temp1_min: Suspected overflow: [160000 vs. 0]
This is seen because the values passed when writing temperature limits
are unbound.
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Fixes: 6099469805c2 ("hwmon: Support for Dallas Semiconductor DS620")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 29e7b170db90a852b51409a76870cdbe57341a9b
Author: Jared Bents <jared.bents@rockwellcollins.com>
Date: Fri Nov 18 22:20:38 2016 -0600
hwmon: (amc6821) sign extension temperature
commit 4538bfbf2d9f1fc48c07ac0cc0ee58716fe7fe96 upstream.
Converts the unsigned temperature values from the i2c read
to be sign extended as defined in the datasheet so that
negative temperatures are properly read.
Fixes: 28e6274d8fa67 ("hwmon: (amc6821) Avoid forward declaration")
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
[groeck: Dropped unnecessary continuation line]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit af3cd3f0a805ab701f1e56ed93c676c77b7d2169
Author: Javier Martinez Canillas <javier@osg.samsung.com>
Date: Mon Nov 7 17:31:44 2016 -0300
hwmon: (scpi) Fix module autoload
commit 13edb767aa609b6efb7c0c2b57fbd72a6ded0eed upstream.
If the driver is built as a module, autoload won't work because the module
alias information is not filled. So user-space can't match the registered
device with the corresponding module.
Export the module alias information using the MODULE_DEVICE_TABLE() macro.
Before this patch:
$ modinfo drivers/hwmon/scpi-hwmon.ko | grep alias
$
After this patch:
$ modinfo drivers/hwmon/scpi-hwmon.ko | grep alias
alias: of:N*T*Carm,scpi-sensorsC*
alias: of:N*T*Carm,scpi-sensors
Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
Fixes: ea98b29a05e9c ("hwmon: Support sensors exported via ARM SCP interface")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7a13086bd4575738f385d062e3676e3b13af966c
Author: Micha? K?pie? <kernel@kempniu.pl>
Date: Fri Dec 23 10:00:08 2016 +0100
platform/x86: fujitsu-laptop: use brightness_set_blocking for LED-setting callbacks
commit a608a9d52fa4168efd478d684039ed545a69dbcd upstream.
All LED-setting functions in fujitsu-laptop are currently assigned to
the brightness_set callback, which is incorrect because they can sleep
(due to their use of call_fext_func(), which in turn issues ACPI calls)
and the documentation (in include/linux/leds.h) clearly states they must
not. Assign them to brightness_set_blocking instead and change them to
match the expected function prototype.
This change makes it possible to use Fujitsu-specific LEDs with "heavy"
triggers, like disk-activity or phy0rx.
Fixes: 3a407086090b ("fujitsu-laptop: Add BL power, LED control and radio state information")
Fixes: 4f62568c1fcf ("fujitsu-laptop: Support radio LED")
Fixes: d6b88f64b0d4 ("fujitsu-laptop: Add support for eco LED")
Signed-off-by: Michał Kępień <kernel@kempniu.pl>
Acked-by: Jonathan Woithe <jwoithe@just42.net>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 36c1bc65d211b929dda601f78c444c228d8df27f
Author: Andy Lutomirski <luto@kernel.org>
Date: Thu Dec 15 10:14:42 2016 -0800
x86/cpu: Probe CPUID leaf 6 even when cpuid_level == 6
commit 3df8d9208569ef0b2313e516566222d745f3b94b upstream.
A typo (or mis-merge?) resulted in leaf 6 only being probed if
cpuid_level >= 7.
Fixes: 2ccd71f1b278 ("x86/cpufeature: Move some of the scattered feature bits to x86_capability")
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Acked-by: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Link: http://lkml.kernel.org/r/6ea30c0e9daec21e488b54761881a6dfcf3e04d0.1481825597.git.luto@kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bedcab8723cec3bf367ed28b6baa5350d54ef701
Author: Dmitry Safonov <dsafonov@virtuozzo.com>
Date: Thu Oct 27 17:15:15 2016 +0300
x86/prctl/uapi: Remove #ifdef for CHECKPOINT_RESTORE
commit a01aa6c9f40fe03c82032e7f8b3bcf1e6c93ac0e upstream.
As userspace knows nothing about kernel config, thus #ifdefs
around ABI prctl constants makes them invisible to userspace.
Let it be clean'n'simple: remove #ifdefs.
If kernel has CONFIG_CHECKPOINT_RESTORE disabled, sys_prctl()
will return -EINVAL for those prctls.
Reported-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: 0x7f454c46@gmail.com
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Cc: oleg@redhat.com
Fixes: 2eefd8789698 ("x86/arch_prctl/vdso: Add ARCH_MAP_VDSO_*")
Link: http://lkml.kernel.org/r/20161027141516.28447-2-dsafonov@virtuozzo.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e641c92fd2ae2c4a54810cae66c161c9cc5b06a4
Author: Arnd Bergmann <arnd@arndb.de>
Date: Thu Oct 20 22:07:53 2016 +0200
debugfs: improve DEFINE_DEBUGFS_ATTRIBUTE for !CONFIG_DEBUG_FS
commit 7f847dd31736f1284538e54f46cf10e63929eb7f upstream.
The slp_s0_residency_usec debugfs file currently uses
DEFINE_DEBUGFS_ATTRIBUTE(), but that macro cannot really be used to
define files outside of the debugfs code, as it has no reference to
the get/set functions if CONFIG_DEBUG_FS is not defined:
drivers/platform/x86/intel_pmc_core.c:80:12: error: ‘pmc_core_dev_state_get’ defined but not used [-Werror=unused-function]
This fixes the macro to always contain the reference, and instead rely
on the stubbed-out debugfs_create_file to not actually refer to
its arguments so the compiler can still drop the reference.
This works because the attribute definition is always 'static',
and the dead-code removal silently drops all static symbols
that are not used.
Fixes: c64688081490 ("debugfs: add support for self-protecting attribute file fops")
Fixes: df2294fb6428 ("intel_pmc_core: Convert to DEFINE_DEBUGFS_ATTRIBUTE")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
[nicstange@gmail.com: Add dummy implementations of debugfs_attr_read() and
debugfs_attr_write() in order to protect against possibly broken dead
code elimination and to improve readability.
Correct CONFIG_DEBUGFS_FS -> CONFIG_DEBUG_FS typo in changelog.]
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 629138cd28becfed37527a02219150e1c2aa580a
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date: Mon Oct 3 13:03:38 2016 +0200
clk: renesas: cpg-mssr: Fix inverted debug check
commit bc4725d9029e2c8205fbaf1105e193d1c4e463bb upstream.
The intention was to enable the checks if debugging is enabled, not
disabled.
Fixes: f793d1e51705b276 ("clk: shmobile: Add new CPG/MSSR driver core")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 47e3472507f0fe563da9291785c1f01693ee22e4
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue Oct 18 15:33:18 2016 +0100
efi/efivar_ssdt_load: Don't return success on allocation failure
commit a75dcb5848359f488c32c0aef8711d9bd37a77b8 upstream.
We should return -ENOMEM here, instead of success.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Fixes: 475fb4e8b2f4 ("efi / ACPI: load SSTDs from EFI variables")
Link: http://lkml.kernel.org/r/20161018143318.15673-9-matt@codeblueprint.co.uk
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4e1dfb0035e1625cb46e229034887bbc4b159d4f
Author: Guenter Roeck <linux@roeck-us.net>
Date: Sun Oct 30 09:09:18 2016 -0700
cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected
commit 328cf6927bb72cadefddebbc9a23c793108147a2 upstream.
If CONFIG_ETRAX_AXISFLASHMAP is not configured, the flash rescue image
object file is empty. With recent versions of binutils, this results
in the following build error.
cris-linux-objcopy: error:
the input file 'arch/cris/boot/rescue/rescue.o' has no sections
This is seen, for example, when trying to build cris:allnoconfig
with recently generated toolchains.
Since it does not make sense to build a flash rescue image if there is
no flash, only build it if CONFIG_ETRAX_AXISFLASHMAP is enabled.
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Fixes: 66ab3a74c5ce ("CRIS: Merge machine dependent boot/compressed ..")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 15e0355a1ec51e1eaf140dddeaf55d70eb91d183
Author: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Date: Sat Oct 29 13:17:37 2016 +0200
ath10k: use the right length of "background"
commit 31b239824ece321c09bdb8e61e1d14814eaba38b upstream.
The word "background" contains 10 characters so the third argument of
strncmp() need to be 10 in order to match this prefix correctly.
Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Fixes: 855aed1220d2 ("ath10k: add spectral scan feature")
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ac86312e0870ad6d35b97cc79964acbf58e99424
Author: Milo Kim <woogyom.kim@gmail.com>
Date: Tue Nov 15 22:02:11 2016 +0900
mfd: tps65217: Fix page fault on unloading modules
commit 40a50f8b307de8d08f3fa37c312fc16a7dd233e5 upstream.
TPS65217 IRQ domain should be removed and initialised as NULL when the
module is unloaded for the next use. When tps65217.ko is loaded again,
it causes the page fault. This patch fixes the error below.
root@arm:~# lsmod | grep "tps"
tps65217_charger 3538 0
tps65218_pwrbutton 2974 0
tps65217 6710 1 tps65217_charger
root@arm:~# modprobe -r tps65217_charger
root@arm:~# modprobe tps65217.ko
[ 71.990277] Unable to handle kernel paging request at virtual address bf055944
[ 71.998063] pgd = dd3a4000
[ 72.000904] [bf055944] *pgd=9e6f7811, *pte=00000000, *ppte=00000000
[ 72.007567] Internal error: Oops: 7 [#1] SMP ARM
[ 72.012404] Modules linked in: tps65217(+) evdev musb_dsps musb_hdrc udc_core tps65218_pwrbutton usbcore phy_am335]
[ 72.055700] CPU: 0 PID: 243 Comm: modprobe Not tainted 4.9.0-rc5-next-20161114 #3
[ 72.063531] Hardware name: Generic AM33XX (Flattened Device Tree)
[ 72.069899] task: de714380 task.stack: de7e6000
[ 72.074655] PC is at irq_find_matching_fwspec+0x88/0x100
[ 72.080211] LR is at 0xde7e79d8
[ 72.083496] pc : [<c01a5d88>] lr : [<de7e79d8>] psr: 200e0013
[ 72.083496] sp : de7e7a78 ip : 00000000 fp : dd138a68
[ 72.095506] r10: c0ca04f8 r9 : 00000018 r8 : de7e7ab8
[ 72.100973] r7 : 00000001 r6 : c0c4517c r5 : df963f68 r4 : de321980
[ 72.107797] r3 : bf055940 r2 : de714380 r1 : 00000000 r0 : 00000000
[ 72.114633] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
[ 72.122084] Control: 10c5387d Table: 9d3a4019 DAC: 00000051
[ 72.128097] Process modprobe (pid: 243, stack limit = 0xde7e6218)
[ 72.134489] Stack: (0xde7e7a78 to 0xde7e8000)
[ 72.139060] 7a60: df963f68 de7e7ab8
[ 72.147643] 7a80: 00000000 dd0e1000 dd491e20 c01a6ea0 600e0013 c01a5dc0 dd138a68 c0c45138
[ 72.156216] 7aa0: df963f68 00000000 df963f68 dd0e1010 00000000 c01a71a4 df963f68 00000001
[ 72.164800] 7ac0: 00000002 de7e7ac0 c80048b8 dd0adf00 df963f68 c0c4517c 00000000 de7e7b50
[ 72.173369] 7ae0: 00000018 c0ca04f8 dd138a68 c01a5dc0 df963f68 dd0e1010 00000000 dd0e1000
[ 72.181942] 7b00: dd491e20 c0653a70 df963f58 00000001 00000002 00000000 00000000 00000000
[ 72.190522] 7b20: 600e0093 c0cbf8f0 c0c0512c c0193674 00000001 00000080 00000000 c0554984
[ 72.199096] 7b40: 00000000 00000000 800e0013 c0553858 df963f68 00000000 00000000 00000000
[ 72.207674] 7b60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 72.216239] 7b80: 00000000 00000000 00000000 00000000 00000000 00000000 dd0e1000 c0544d24
[ 72.224816] 7ba0: dd491e10 dd0e1010 dd16e800 bf1d517c bf1d5620 dd0e1010 c1497ed4 bf1d5620
[ 72.233398] 7bc0: dd0e1010 fffffdfb bf1d5620 bf1d5620 00000000 c054537c c0545330 dd0e1010
[ 72.241967] 7be0: c1497ed4 00000000 bf1d5620 c05433ac 00000000 00000000 de7e7c28 c0543570
[ 72.250537] 7c00: 00000001 c1497e90 00000000 c0541884 de080cd4 dd44b7d4 dd0e1010 dd0e1010
[ 72.259109] 7c20: dd0e1044 c05430c8 dd0e1010 00000001 dd0e1010 dd0e1018 dd0e1010 c0c9e328
[ 72.267676] 7c40: de5d4020 c0542760 dd0e1018 dd0e1010 00000000 c0540ba8 dd138a40 c048dec4
[ 72.276253] 7c60: 00000000 dd0e1000 00000001 dd0e1000 dd0e1010 dd0e1000 bf233de0 dd138a40
[ 72.284829] 7c80: dd0e1010 c05450a0 000000bf 00000000 dd138a60 00000001 dd0e1000 c0571240
[ 72.293398] 7ca0: 00000000 dd1ce9c0 00000040 dd1ce9cc bf233de0 00000003 de5d4020 ffffffff
[ 72.301969] 7cc0: 00000004 dd0adf00 00000000 c0571408 00000000 00000000 dd0adf00 de5d4020
[ 72.310543] 7ce0: c057146c dd1ce9c0 bf233d14 de5d4020 de7fb3d0 00000004 bf233d14 ffffffff
[ 72.319120] 7d00: 00000018 dd49bf30 c01cedc0 c05714d0 00000000 00000000 dd0adf00 de322810
[ 72.327692] 7d20: de322810 00000000 dd033000 000000f0 00000001 bf2333fc 00000000 00000000
[ 72.336269] 7d40: dd0adf00 de5d4020 000000b6 bf233e40 de5d4020 bf233968 de5d4004 de5d4000
[ 72.344848] 7d60: bf233314 c06148ac de5d4020 c1497ed4 00000000 bf233e40 00000000 c05433ac
[ 72.353422] 7d80: 00000000 de5d4020 bf233e40 de5d4054 00000000 bf236000 00000000 c0543538
[ 72.362002] 7da0: 00000000 bf233e40 c0543484 c05417e4 de1442a4 de5d04d0 bf233e40 de321300
[ 72.370582] 7dc0: c0caa5a4 c05429fc bf233be0 bf233e40 c0cbfa44 bf233e40 c0cbfa44 dd2f7740
[ 72.379148] 7de0: bf233f00 c05442f0 bf233e8c bf233e24 c0cbfa44 c0615ae0 00000000 bf233f00
[ 72.387718] 7e00: c0cbfa44 c010186c 200f0013 c0191650 de714380 00000000 600f0013 00000040
[ 72.396286] 7e20: dd2f7740 c018f1ac 00000001 c0c8356c 024000c0 c01a8854 c0c56e0e c028225c
[ 72.404863] 7e40: dd2f7740 c0191984 de714380 dd2f7740 00000001 bf233f00 bf233f00 c0cbfa44
[ 72.413440] 7e60: dd2f7740 bf233f00 00000001 dd49bf08 dd49bf30 c0230998 00000001 c0c8356c
[ 72.421997] 7e80: c0c4c536 c0cbfa44 c0c0512c c01d2070 bf233f0c 00007fff bf233f00 c01cf5b8
[ 72.430570] 7ea0: 00000000 c1475134 c01cee34 bf23411c bf233f48 bf234054 bf234150 00000000
[ 72.439144] 7ec0: 024002c2 de7fbf40 0009bc20 c02776ac ff800000 00000000 00000000 bf233670
[ 72.447723] 7ee0: 00000004 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 72.456298] 7f00: 00000000 00000000 00000000 00000000 c01d2590 0000aa41 00000000 00000000
[ 72.464862] 7f20: 000b2549 e12c3a41 00000051 de7e6000 0009bc20 c01d2630 00000530 e12b9000
[ 72.473438] 7f40: 0000aa41 e12c1434 e12c1211 e12c336c 00001150 00001620 00000000 00000000
[ 72.482003] 7f60: 00000000 000010fc 00000035 00000036 0000001d 0000001a 00000017 00000000
[ 72.490564] 7f80: de7e6000 3ba39a00 0009b008 0009b718 00000080 c0107704 de7e6000 00000000
[ 72.499141] 7fa0: 0009f609 c0107560 3ba39a00 0009b008 000a7b08 0000aa41 0009bc20 0000aa41
[ 72.507717] 7fc0: 3ba39a00 0009b008 0009b718 00000080 00000001 00000008 0009ab14 0009f609
[ 72.516290] 7fe0: bea31ab8 bea31aa8 0001e5eb b6e83b42 800f0030 000a7b08 0000ffff 0840ffff
[ 72.524883] [<c01a5d88>] (irq_find_matching_fwspec) from [<c01a6ea0>] (irq_create_fwspec_mapping+0x28/0x2e0)
[ 72.535174] [<c01a6ea0>] (irq_create_fwspec_mapping) from [<c01a71a4>] (irq_create_of_mapping+0x4c/0x54)
[ 72.545115] [<c01a71a4>] (irq_create_of_mapping) from [<c0653a70>] (of_irq_get+0x58/0x68)
[ 72.553699] [<c0653a70>] (of_irq_get) from [<c0544d24>] (platform_get_irq+0x1c/0xec)
[ 72.561828] [<c0544d24>] (platform_get_irq) from [<bf1d517c>] (tps6521x_pb_probe+0xd0/0x1a8 [tps65218_pwrbutton])
[ 72.572581] [<bf1d517c>] (tps6521x_pb_probe [tps65218_pwrbutton]) from [<c054537c>] (platform_drv_probe+0x4c/0xac)
[ 72.583426] [<c054537c>] (platform_drv_probe) from [<c05433ac>] (driver_probe_device+0x204/0x2dc)
[ 72.592729] [<c05433ac>] (driver_probe_device) from [<c0541884>] (bus_for_each_drv+0x58/0x8c)
[ 72.601657] [<c0541884>] (bus_for_each_drv) from [<c05430c8>] (__device_attach+0xb0/0x114)
[ 72.610324] [<c05430c8>] (__device_attach) from [<c0542760>] (bus_probe_device+0x88/0x90)
[ 72.618898] [<c0542760>] (bus_probe_device) from [<c0540ba8>] (device_add+0x3b8/0x560)
[ 72.627203] [<c0540ba8>] (device_add) from [<c05450a0>] (platform_device_add+0xa8/0x208)
[ 72.635693] [<c05450a0>] (platform_device_add) from [<c0571240>] (mfd_add_device+0x240/0x338)
[ 72.644634] [<c0571240>] (mfd_add_device) from [<c0571408>] (mfd_add_devices+0xa0/0x104)
[ 72.653120] [<c0571408>] (mfd_add_devices) from [<c05714d0>] (devm_mfd_add_devices+0x60/0xa8)
[ 72.662077] [<c05714d0>] (devm_mfd_add_devices) from [<bf2333fc>] (tps65217_probe+0xe8/0x2ec [tps65217])
[ 72.672026] [<bf2333fc>] (tps65217_probe [tps65217]) from [<c06148ac>] (i2c_device_probe+0x168/0x1f4)
[ 72.681695] [<c06148ac>] (i2c_device_probe) from [<c05433ac>] (driver_probe_device+0x204/0x2dc)
[ 72.690816] [<c05433ac>] (driver_probe_device) from [<c0543538>] (__driver_attach+0xb4/0xb8)
[ 72.699657] [<c0543538>] (__driver_attach) from [<c05417e4>] (bus_for_each_dev+0x60/0x94)
[ 72.708224] [<c05417e4>] (bus_for_each_dev) from [<c05429fc>] (bus_add_driver+0x18c/0x214)
[ 72.716892] [<c05429fc>] (bus_add_driver) from [<c05442f0>] (driver_register+0x78/0xf8)
[ 72.725280] [<c05442f0>] (driver_register) from [<c0615ae0>] (i2c_register_driver+0x38/0x80)
[ 72.734120] [<c0615ae0>] (i2c_register_driver) from [<c010186c>] (do_one_initcall+0x3c/0x178)
[ 72.743055] [<c010186c>] (do_one_initcall) from [<c0230998>] (do_init_module+0x5c/0x1d0)
[ 72.751537] [<c0230998>] (do_init_module) from [<c01d2070>] (load_module+0x1d10/0x21c0)
[ 72.759933] [<c01d2070>] (load_module) from [<c01d2630>] (SyS_init_module+0x110/0x154)
[ 72.768242] [<c01d2630>] (SyS_init_module) from [<c0107560>] (ret_fast_syscall+0x0/0x1c)
[ 72.776725] Code: e5944000 e1540006 0a00001b e594300c (e593c004)
[ 72.783181] ---[ end trace 0278ec325f4689b8 ]---
Fixes: 6556bdacf646 ("mfd: tps65217: Add support for IRQs")
Signed-off-by: Milo Kim <woogyom.kim@gmail.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a24f1f3520e61d46ca7867871d12345b4e5c2215
Author: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
Date: Wed Nov 9 03:40:57 2016 +0200
ath10k: fix failure to send NULL func frame for 10.4
commit fcf7cf1551cae54e747a771f5808240f2a37708f upstream.
This partially reverts 'commit 2cdce425aa33
("ath10k: Fix broken NULL func data frame status for 10.4")'
Unfortunately this breaks sending NULL func and the existing
issue of obtaining proper tx status for NULL function will be
fixed. Also update the comments for feature flag added to be
useless and not working
Fixes: 2cdce425aa33 "ath10k: Fix broken NULL func data frame status for
10.4"
Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 45816391e1a5f32e25b8eb2f0c18033ea4b4b6a4
Author: Vamsi Krishna <vamsin@qti.qualcomm.com>
Date: Fri Dec 2 23:59:08 2016 +0200
nl80211: Use different attrs for BSSID and random MAC addr in scan req
commit 2fa436b3a2a7009c11a3bc03fe0ff4c26e80fd87 upstream.
NL80211_ATTR_MAC was used to set both the specific BSSID to be scanned
and the random MAC address to be used when privacy is enabled. When both
the features are enabled, both the BSSID and the local MAC address were
getting same value causing Probe Request frames to go with unintended
DA. Hence, this has been fixed by using a different NL80211_ATTR_BSSID
attribute to set the specific BSSID (which was the more recent addition
in cfg80211) for a scan.
Backwards compatibility with old userspace software is maintained to
some extent by allowing NL80211_ATTR_MAC to be used to set the specific
BSSID when scanning without enabling random MAC address use.
Scanning with random source MAC address was introduced by commit
ad2b26abc157 ("cfg80211: allow drivers to support random MAC addresses
for scan") and the issue was introduced with the addition of the second
user for the same attribute in commit 818965d39177 ("cfg80211: Allow a
scan request for a specific BSSID").
Fixes: 818965d39177 ("cfg80211: Allow a scan request for a specific BSSID")
Signed-off-by: Vamsi Krishna <vamsin@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cd84516473a78a6932b1e034e71742e14842e8dc
Author: Johannes Berg <johannes.berg@intel.com>
Date: Tue Oct 18 23:12:08 2016 +0300
mac80211: fix tid_agg_rx NULL dereference
commit 1c3d185a9a0b136a58e73b02912d593d0303d1da upstream.
On drivers setting the SUPPORTS_REORDERING_BUFFER hardware flag,
we crash when the peer sends an AddBA request while we already
have a session open on the seame TID; this is because on those
drivers, the tid_agg_rx is left NULL even though the session is
valid, and the agg_session_valid bit is set.
To fix this, store the dialog tokens outside the tid_agg_rx to
be able to compare them to the received AddBA request.
Fixes: f89e07d4cf26 ("mac80211: agg-rx: refuse ADDBA Request with timeout update")
Reported-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1d9c33f1b45ccc1dfbf55c97d7e1d02155e05787
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Tue Dec 13 20:54:14 2016 +0100
drm/i915: tune down the fast link training vs boot fail
commit 2c57b18adb93fc070039538f1ce375d3d3e99bbb upstream.
It's been unfixed since a while and no one is immediately working on
this. And we have the FIXME already. And now also a task in the DP
team's backlog.
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable@vger.kernel.org
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
References: https://lists.freedesktop.org/archives/intel-gfx/2016-July/101951.html
Acked-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
[danvet: Adjust comment per Ville's feedback.]
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20161213195414.28923-1-daniel.vetter@ffwll.ch
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2dd85aeb5bc99e3763dd192cdb95ff405a102c8a)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
commit 8b4879154a67442705bb1af6610832ee06689785
Author: Matthew Auld <matthew.auld@intel.com>
Date: Wed Oct 19 22:29:53 2016 +0100
drm/i915/dp: add lane_count check in intel_dp_check_link_status
commit d4cb3fd9b548b8bfe2a712ec920b9ebabd3547ab upstream.
Currently it's entirely possible to go through the link training step
without first determining the lane_count, which is silly since we end up
doing a bunch of aux transfers of size = 0, as highlighted by
WARN_ON(!msg->buffer != !msg->size), and can only ever result in a
'failed to update link training' message. This can be observed during
intel_dp_long_pulse where we can do the link training step, but before
we have had a chance to set the link params. To avoid this we add an
extra check for the lane_count in intel_dp_check_link_status, which
should prevent us from doing the link training step prematurely.
v2: add WARN_ON_ONCE and FIXME comment (Ville)
References: https://bugs.freedesktop.org/show_bug.cgi?id=97344
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Mika Kahola <mika.kahola@intel.com>
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1476912593-10019-1-git-send-email-matthew.auld@intel.com
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5af6f56bb16ca7a90220f2757cbfa05e02d11976
Author: Felipe Balbi <felipe.balbi@linux.intel.com>
Date: Tue Dec 20 14:14:40 2016 +0200
usb: dwc3: gadget: always unmap EP0 requests
commit d62145929992f331fdde924d5963ab49588ccc7d upstream.
commit 0416e494ce7d ("usb: dwc3: ep0: correct cache
sync issue in case of ep0_bounced") introduced a bug
where we would leak DMA resources which would cause
us to starve the system of them resulting in failing
DMA transfers.
Fix the bug by making sure that we always unmap EP0
requests since those are *always* mapped.
Fixes: 0416e494ce7d ("usb: dwc3: ep0: correct cache
sync issue in case of ep0_bounced")
Cc: <stable@vger.kernel.org>
Tested-by: Tomasz Medrek <tomaszx.medrek@intel.com>
Reported-by: Janusz Dziedzic <januszx.dziedzic@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c008309f53e57af31c4a7210b4e2c68b1412c899
Author: Felipe Balbi <felipe.balbi@linux.intel.com>
Date: Tue Dec 20 14:08:48 2016 +0200
usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb()
commit 19ec31230eb3084431bc2e565fd085f79f564274 upstream.
Let's call dwc3_ep0_prepare_one_trb() explicitly
because there are occasions where we will need more
than one TRB to handle an EP0 transfer.
A follow-up patch will fix one bug related to
multiple-TRB Data Phases when it comes to
mapping/unmapping requests for DMA.
Reported-by: Janusz Dziedzic <januszx.dziedzic@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5f7fd4d2f94d41ec3a7d31c5731e70a6d200c74f
Author: Felipe Balbi <felipe.balbi@linux.intel.com>
Date: Tue Dec 20 13:57:32 2016 +0200
usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb()
commit 7931ec86c1b738e4e90e58c6d95e5f720d45ee56 upstream.
For now this is just a cleanup patch, no functional
changes. We will be using the new function to fix a
bug introduced long ago by commit 0416e494ce7d
("usb: dwc3: ep0: correct cache sync issue in case
of ep0_bounced") and further worsened by commit
c0bd5456a470 ("usb: dwc3: ep0: handle non maxpacket
aligned transfers > 512")
Reported-by: Janusz Dziedzic <januszx.dziedzic@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 96a0c8ee7ce6a32c455ff87d4fc4a69fc87c70d1
Author: Linus Walleij <linus.walleij@linaro.org>
Date: Fri Dec 30 23:54:18 2016 +0100
iio: accel: st_accel: fix LIS3LV02 reading and scaling
commit 65e4345c8ef8811bbb4860fe5f2df10646b7f2e1 upstream.
The LIS3LV02 has a special bit that need to be set to get the
read values left aligned. Before this patch we get gibberish
like this:
iio_generic_buffer -a -c10 -n lis3lv02dl_accel
(...)
0.000000 -0.010042 -0.642688 19155832931907
0.000000 -0.010042 -0.642688 19155858751073
Which is because we read a raw value for 1g as 64 which is
the nominal 1024 for 1g shifted 4 bits to the left by being
right-aligned rather than left aligned.
Since all other sensors are left aligned, add some code to
set the special DAS (data alignment setting) bit to 1 so that
the right value is now read like this:
iio_generic_buffer -a -c10 -n lis3lv02dl_accel
(...)
0.000000 -0.147095 -10.120135 24761614364956
-0.029419 -0.176514 -10.120135 24761631624540
The scaling was weird as well: we have a gain of 1000 for 1g
and 3000 for 6g. I don't even remember how I came up with the
old values but they are wrong.
Fixes: 3acddf74f807 ("iio: st-sensors: add support for lis3lv02d accelerometer")
Cc: Lorenzo Bianconi <lorenzo.bianconi@st.com>
Cc: Giuseppe Barba <giuseppe.barba@st.com>
Cc: Denis Ciocca <denis.ciocca@st.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a673f99884e355284eba0d6ffa82bc8ec5365554
Author: Eva Rachel Retuya <eraretuya@gmail.com>
Date: Sun Oct 9 00:05:39 2016 +0800
staging: iio: ad7606: fix improper setting of oversampling pins
commit b321a38d2407c7e425c54bc09be909a34e49f740 upstream.
The oversampling ratio is controlled using the oversampling pins,
OS [2:0] with OS2 being the MSB control bit, and OS0 the LSB control
bit.
The gpio connected to the OS2 pin is not being set correctly, only OS0
and OS1 pins are being set. Fix the typo to allow proper control of the
oversampling pins.
Signed-off-by: Eva Rachel Retuya <eraretuya@gmail.com>
Fixes: b9618c0 ("staging: IIO: ADC: New driver for AD7606/AD7606-6/AD7606-4")
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit fc322290fc06e53aa515f7db575f9a6c3eb84029
Author: Alexander Usyskin <alexander.usyskin@intel.com>
Date: Wed Dec 14 17:56:52 2016 +0200
mei: move write cb to completion on credentials failures
commit e09ee853c92011860a4bd2fbdf6126f60fc16bd3 upstream.
The credentials handling was pushed to the write handlers
but error handling wasn't done properly.
Move write callbacks to completion queue to destroy them
and to notify a blocked writer about the failure
Fixes: 136698e535cd1 (mei: push credentials inside the irq write handler)
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5d46c4e9a05e4e6cebddf49f7483127390306f5c
Author: Alexander Usyskin <alexander.usyskin@intel.com>
Date: Wed Dec 14 17:56:51 2016 +0200
mei: bus: fix mei_cldev_enable KDoc
commit 5026c9cb0744a9cd40242743ca91a5d712f468c6 upstream.
Adjust function name in KDoc.
Fixes: d49dc5e76fc9 (mei: bus: use mei_cldev_ prefix for the API functions)
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit af776953108b860bf6b4ccb7040969b93fb75080
Author: Alexander Usyskin <alexander.usyskin@intel.com>
Date: Fri Nov 11 03:00:09 2016 +0200
mei: fix parameter rename KDoc
commit 967b274e02e18c9fbb4d19b96a89bd0afbc77b7a upstream.
Parameter renaming to fop_type was not reflected in KDoc
Fixes: 3030dc0564594 (mei: add wrapper for queuing control commands)
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c1ec6ba3d7c71a28d9a14f4abb1999fd5db80e2f
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:46 2017 +0100
USB: serial: io_ti: bind to interface after fw download
commit e35d6d7c4e6532a89732cf4bace0e910ee684c88 upstream.
Bind to the interface, but do not register any ports, after having
downloaded the firmware. The device will still disconnect and
re-enumerate, but this way we avoid an error messages from being logged
as part of the process:
io_ti: probe of 1-1.3:1.0 failed with error -5
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit fb0a00fb0843136baee7812b7319c2b4db2592aa
Author: Wei Yongjun <weiyongjun1@huawei.com>
Date: Sat Oct 29 23:36:24 2016 -0200
dibusb: fix possible memory leak in dibusb_rc_query()
commit 1f5ecaf985c46889278f51fcb7bc143f60f4eb14 upstream.
'buf' is malloced in dibusb_rc_query() and should be freed before
leaving from the error handling cases, otherwise it will cause
memory leak.
Fixes: ff1c123545d7 ("[media] dibusb: handle error code on RC query")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5f6136debf7eefa8e585c2fa52b72403f324fe77
Author: Chen-Yu Tsai <wens@csie.org>
Date: Tue Nov 15 21:51:04 2016 +0800
ARM: dts: sun7i: bananapi-m1-plus: Enable USB PHY for USB host support
commit 0cff18cbab4f55581d9da86e4286655d9723d7d2 upstream.
The 2 USB host ports are directly tied to the 2 USB hosts in the SoC.
The 2 host pairs were already enabled, but the USB PHY wasn't.
VBUS on the 2 ports are always on.
Enable the USB PHY.
Fixes: 04c85ecad32a ("ARM: dts: sun7i: Add dts file for Bananapi M1 Plus
board")
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5ef54ae37b130ba8c01b90e451d059c9fa2dbfa3
Author: Kefeng Wang <wangkefeng.wang@huawei.com>
Date: Sat Sep 24 17:14:21 2016 +0800
arm64: dts: hip06: Correct hardware pin number of usb node
commit 4d75a171b67ffc3f4dadbd654c9d281091300eb2 upstream.
The ohci/ehci hardware pin number should be 640/641, correct them.
Fixes: commit aa8d3e74f54d ("arm64: dts: Add initial dts for Hisilicon Hip06 D03 board")
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 93f6891a383f92f88793da1e46cb018bdef8c18a
Author: Johan Hovold <johan@kernel.org>
Date: Tue Nov 1 11:40:25 2016 +0100
USB: phy: am335x-control: fix device and of_node leaks
commit 015105b12183556771e111e93f5266851e7c5582 upstream.
Make sure to drop the references taken by of_parse_phandle() and
bus_find_device() before returning from am335x_get_phy_control().
Note that there is no guarantee that the devres-managed struct
phy_control will be valid for the lifetime of the sibling phy device
regardless of this change.
Fixes: 3bb869c8b3f1 ("usb: phy: Add AM335x PHY driver")
Acked-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d387f98cb0c1e70ad45daacfb96acec4a5e0cb60
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date: Mon Nov 7 20:07:07 2016 +0100
ARM: dts: r8a7794: Correct hsusb parent clock
commit dc8ee9dbdba509fb58e23ba79f2e6059fe5d8b3b upstream.
The parent clock of the HSUSB clock is the HP clock, not the MP clock.
Fixes: c7bab9f929e51761 ("ARM: shmobile: r8a7794: Add USB clocks to device tree")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a10a1b797a0fc6b352c69826c5e9cf09e2056250
Author: Peter Chen <peter.chen@nxp.com>
Date: Tue Nov 8 10:08:24 2016 +0800
usb: gadget: fix request length error for isoc transfer
commit 982555fc26f9d8bcdbd5f9db0378fe0682eb4188 upstream.
For isoc endpoint descriptor, the wMaxPacketSize is not real max packet
size (see Table 9-13. Standard Endpoint Descriptor, USB 2.0 specifcation),
it may contain the number of packet, so the real max packet should be
ep->desc->wMaxPacketSize && 0x7ff.
Cc: Felipe F. Tonello <eu@felipetonello.com>
Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
Fixes: 16b114a6d797 ("usb: gadget: fix usb_ep_align_maybe
endianness and new usb_ep_aligna")
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b429e37b80fd6738ce3d1d6450cc5b4f40ac12a4
Author: Bart Van Assche <bart.vanassche@sandisk.com>
Date: Fri Nov 18 15:42:41 2016 -0800
usb: gadget: Fix second argument of percpu_ida_alloc()
commit 03274445c01562d5352ea522431ab8c6175e2bbf upstream.
Pass a task state as second argument to percpu_ida_alloc().
Fixes: commit 71e7ae8e1fb2 ("usb-gadget/tcm: Conversion to percpu_ida tag pre-allocation")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Cc: Nicholas Bellinger <nab@linux-iscsi.org>
Cc: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8da83724d4918b35700fcbce4bfeac39fa2138f5
Author: Pan Bian <bianpan2016@163.com>
Date: Tue Nov 29 16:55:02 2016 +0100
USB: serial: kl5kusb105: abort on open exception path
commit 3c3dd1e058cb01e835dcade4b54a6f13ffaeaf7c upstream.
Function klsi_105_open() calls usb_control_msg() (to "enable read") and
checks its return value. When the return value is unexpected, it only
assigns the error code to the return variable retval, but does not
terminate the exception path. This patch fixes the bug by inserting
"goto err_generic_close;" when the call to usb_control_msg() fails.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Pan Bian <bianpan2016@163.com>
[johan: rebase on prerequisite fix and amend commit message]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e7c72dccd7250c8379fef1cc2551c3c55009a4e4
Author: Takashi Iwai <tiwai@suse.de>
Date: Tue Nov 29 22:28:40 2016 +0100
ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
commit 4763601a56f155ddf94ef35fc2c41504a2de15f5 upstream.
The function returns -EINVAL even if it builds the stream properly.
The bogus error code sneaked in during the code refactoring, but it
wasn't noticed until now since the returned error code itself is
ignored in anyway. Kill it here, but there is no behavior change by
this patch, obviously.
Fixes: e5779998bf8b ('ALSA: usb-audio: refactor code')
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2eb09ccfa45b4367a7f416936cf757b95063d015
Author: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
Date: Tue Jan 3 18:13:52 2017 -0600
usb: musb: blackfin: add bfin_fifo_offset in bfin_ops
commit 5563bb5743cb09bde0d0f4660a5e5b19c26903bf upstream.
The function bfin_fifo_offset is defined but not used:
drivers/usb/musb/blackfin.c:36:12: warning: ‘bfin_fifo_offset’ defined
but not used [-Wunused-function]
static u32 bfin_fifo_offset(u8 epnum)
^~~~~~~~~~~~~~~~
Adding bfin_fifo_offset to bfin_ops fixes this warning and allows musb
core to call this function instead of default_fifo_offset.
Fixes: cc92f6818f6e ("usb: musb: Populate new IO functions for blackfin")
Signed-off-by: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 64244edf304bf06389e2b95ebd17fcc6e86e553c
Author: Felix Hädicke <felixhaedicke@web.de>
Date: Thu Dec 29 23:02:11 2016 +0100
usb: gadget: udc: core: fix return code of usb_gadget_probe_driver()
commit 7b01738112608ce47083178ae2b9ebadf02d32cc upstream.
This fixes a regression which was introduced by commit f1bddbb, by
reverting a small fragment of commit 855ed04.
If the following conditions were met, usb_gadget_probe_driver() returned
0, although the call was unsuccessful:
1. A particular UDC was specified by thge gadget driver (using member
"udc_name" of struct usb_gadget_driver).
2. The UDC with this name is available.
3. Another gadget driver is already bound to this gadget.
4. The gadget driver has the "match_existing_only" flag set.
In this case, the return code variable "ret" is set to 0, the return
code of a strcmp() call (to check for the second condition).
This also fixes an oops which could occur in the following scenario:
1. Two usb gadget instances were configured using configfs.
2. The first gadget configuration was bound to a UDC (using the configfs
attribute "UDC").
3. It was tried to bind the second gadget configuration to the same UDC
in the same way. This operation was then wrongly reported as being
successful.
4. The second gadget configuration's "UDC" attribute is cleared, to
unbind the (not really bound) second gadget configuration from the UDC.
<BUG: unable to handle kernel NULL pointer dereference
at (null)
IP: [<ffffffff94f5e5e9>] __list_del_entry+0x29/0xc0
PGD 41b4c5067
PUD 41a598067
PMD 0
Oops: 0000 [#1] SMP
Modules linked in: cdc_acm usb_f_fs usb_f_serial
usb_f_acm u_serial libcomposite configfs dummy_hcd bnep intel_rapl
x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm
snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper
ablk_helper cryptd snd_hda_codec_realtek snd_hda_codec_generic serio_raw
uvcvideo videobuf2_vmalloc btusb snd_usb_audio snd_hda_intel
videobuf2_memops btrtl snd_hda_codec snd_hda_core snd_usbmidi_lib btbcm
videobuf2_v4l2 btintel snd_hwdep videobuf2_core snd_seq_midi bluetooth
snd_seq_midi_event videodev xpad efi_pstore snd_pcm_oss rfkill joydev
media crc16 ff_memless snd_mixer_oss snd_rawmidi nls_ascii snd_pcm
snd_seq snd_seq_device nls_cp437 mei_me snd_timer vfat sg udc_core
lpc_ich fat
efivars mfd_core mei snd soundcore battery nuvoton_cir rc_core evdev
intel_smartconnect ie31200_edac edac_core shpchp tpm_tis tpm_tis_core
tpm parport_pc ppdev lp parport efivarfs autofs4 btrfs xor raid6_pq
hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid uas
usb_storage sr_mod cdrom sd_mod ahci libahci nouveau i915 crc32c_intel
i2c_algo_bit psmouse ttm xhci_pci libata scsi_mod ehci_pci
drm_kms_helper xhci_hcd ehci_hcd r8169 mii usbcore drm nvme nvme_core
fjes button [last unloaded: net2280]
CPU: 5 PID: 829 Comm: bash Not tainted 4.9.0-rc7 #1
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77
Extreme3, BIOS P1.50 07/11/2013
task: ffff880419ce4040 task.stack: ffffc90002ed4000
RIP: 0010:[<ffffffff94f5e5e9>] [<ffffffff94f5e5e9>]
__list_del_entry+0x29/0xc0
RSP: 0018:ffffc90002ed7d68 EFLAGS: 00010207
RAX: 0000000000000000 RBX: ffff88041787ec30 RCX: dead000000000200
RDX: 0000000000000000 RSI: ffff880417482002 RDI: ffff88041787ec30
RBP: ffffc90002ed7d68 R08: 0000000000000000 R09: 0000000000000010
R10: 0000000000000000 R11: ffff880419ce4040 R12: ffff88041787eb68
R13: ffff88041787eaa8 R14: ffff88041560a2c0 R15: 0000000000000001
FS: 00007fe4e49b8700(0000) GS:ffff88042f340000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000041b4c4000 CR4: 00000000001406e0
Stack:
ffffc90002ed7d80 ffffffff94f5e68d ffffffffc0ae5ef0 ffffc90002ed7da0
ffffffffc0ae22aa ffff88041787e800 ffff88041787e800 ffffc90002ed7dc0
ffffffffc0d7a727 ffffffff952273fa ffff88041aba5760 ffffc90002ed7df8
Call Trace:
[<ffffffff94f5e68d>] list_del+0xd/0x30
[<ffffffffc0ae22aa>] usb_gadget_unregister_driver+0xaa/0xc0 [udc_core]
[<ffffffffc0d7a727>] unregister_gadget+0x27/0x60 [libcomposite]
[<ffffffff952273fa>] ? mutex_lock+0x1a/0x30
[<ffffffffc0d7a9b8>] gadget_dev_desc_UDC_store+0x88/0xe0 [libcomposite]
[<ffffffffc0af8aa0>] configfs_write_file+0xa0/0x100 [configfs]
[<ffffffff94e10d27>] __vfs_write+0x37/0x160
[<ffffffff94e31430>] ? __fd_install+0x30/0xd0
[<ffffffff95229dae>] ? _raw_spin_unlock+0xe/0x10
[<ffffffff94e11458>] vfs_write+0xb8/0x1b0
[<ffffffff94e128f8>] SyS_write+0x58/0xc0
[<ffffffff94e31594>] ? __close_fd+0x94/0xc0
[<ffffffff9522a0fb>] entry_SYSCALL_64_fastpath+0x1e/0xad
Code: 66 90 55 48 8b 07 48 b9 00 01 00 00 00 00 ad de 48 8b 57 08 48 89
e5 48 39 c8 74 29 48 b9 00 02 00 00 00 00 ad de 48 39 ca 74 3a <4c> 8b
02 4c 39 c7 75 52 4c 8b 40 08 4c 39 c7 75 66 48 89 50 08
RIP [<ffffffff94f5e5e9>] __list_del_entry+0x29/0xc0
RSP <ffffc90002ed7d68>
CR2: 0000000000000000
---[ end trace 99fc090ab3ff6cbc ]---
Fixes: f1bddbb ("usb: gadget: Fix binding to UDC via configfs interface")
Signed-off-by: Felix Hädicke <felixhaedicke@web.de>
Tested-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8ecf70fb0889754e27bbc2852fa331734dc4d61a
Author: Geert Uytterhoeven <geert@linux-m68k.org>
Date: Wed Dec 14 15:37:30 2016 +0100
usb: hub: Move hub_port_disable() to fix warning if PM is disabled
commit 3bc02bce908c7250781376052248f5cd60a4e3d4 upstream.
If CONFIG_PM=n:
drivers/usb/core/hub.c:107: warning: ‘hub_usb3_port_prepare_disable’ declared inline after being called
drivers/usb/core/hub.c:107: warning: previous declaration of ‘hub_usb3_port_prepare_disable’ was here
To fix this, move hub_port_disable() after
hub_usb3_port_prepare_disable(), and adjust forward declarations.
Fixes: 37be66767e3cae4f ("usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d7550d7d6ae2c769a32a48d7a02c351dc61efe3f
Author: Tony Lindgren <tony@atomide.com>
Date: Tue Jan 3 18:13:48 2017 -0600
usb: musb: Fix trying to free already-free IRQ 4
commit 8c300fe282fa254ea730c92cb0983e2642dc1fff upstream.
When unloading omap2430, we can get the following splat:
WARNING: CPU: 1 PID: 295 at kernel/irq/manage.c:1478 __free_irq+0xa8/0x2c8
Trying to free already-free IRQ 4
...
[<c01a8b78>] (free_irq) from [<bf0aea84>]
(musbhs_dma_controller_destroy+0x28/0xb0 [musb_hdrc])
[<bf0aea84>] (musbhs_dma_controller_destroy [musb_hdrc]) from
[<bf09f88c>] (musb_remove+0xf0/0x12c [musb_hdrc])
[<bf09f88c>] (musb_remove [musb_hdrc]) from [<c056a384>]
(platform_drv_remove+0x24/0x3c)
...
This is because the irq number in use is 260 nowadays, and the dma
controller is using u8 instead of int.
Fixes: 6995eb68aab7 ("USB: musb: enable low level DMA operation for Blackfin")
Signed-off-by: Tony Lindgren <tony@atomide.com>
[b-liu@ti.com: added Fixes tag]
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5e3c2920e9f2f21d132df92318c5df2751da0b1f
Author: Roger Quadros <rogerq@ti.com>
Date: Tue Jan 3 14:32:09 2017 +0200
usb: dwc3: gadget: Fix full speed mode
commit 9418ee15f718939aa7e650fd586d73765eb21f20 upstream.
DCFG.DEVSPD == 0x3 is not valid and we need to set
DCFG.DEVSPD to 0x1 for full speed mode. Same goes for
DSTS.CONNECTSPD.
Old databooks had 0x3 for full speed in 48MHz mode for
USB1.1 transceivers which was never supported. Newer databooks
don't mention 0x3 at all.
Cc: John Youn <John.Youn@synopsys.com>
Signed-off-by: Roger Quadros <rogerq@ti.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 81f1f24d1873f56c6810fcc1ca5d2ae965c01dfc
Author: Hans de Goede <hdegoede@redhat.com>
Date: Tue Dec 27 13:13:42 2016 +0200
usb: dwc3: pci: Fix dr_mode misspelling
commit 51c1685d956221576e165dd88a20063b169bae5a upstream.
usb_get_dr_mode() expects the device-property to be spelled
"dr_mode" not "dr-mode".
Spelling it properly fixes the following warning showing up in dmesg:
[ 8704.500545] dwc3 dwc3.2.auto: Configuration mismatch. dr_mode forced to gadget
Signed-off-by: Hans de Goede <hdegoede@redhat.com
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6af3ba285acb67b092f6f40033f6ab848eba1a15
Author: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Date: Fri Apr 1 17:13:12 2016 +0300
usb: dwc3: pci: add Intel Gemini Lake PCI ID
commit 8f8983a5683623b62b339d159573f95a1fce44f3 upstream.
Intel Gemini Lake SoC has the same DWC3 than Broxton. Add
the new ID to the supported Devices.
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 63d92d10a8208afeed87522a4b4b09e309c8622a
Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Date: Tue Jan 3 18:28:51 2017 +0200
xhci: Fix race related to abort operation
commit 1c111b6c3844a142e03bcfc2fa17bfbdea08e9dc upstream.
Current abort operation has race.
xhci_handle_command_timeout()
xhci_abort_cmd_ring()
xhci_write_64(CMD_RING_ABORT)
xhci_handshake(5s)
do {
check CMD_RING_RUNNING
udelay(1)
...
COMP_CMD_ABORT event
COMP_CMD_STOP event
xhci_handle_stopped_cmd_ring()
restart cmd_ring
CMD_RING_RUNNING become 1 again
} while ()
return -ETIMEDOUT
xhci_write_64(CMD_RING_ABORT)
/* can abort random command */
To do abort operation correctly, we have to wait both of COMP_CMD_STOP
event and negation of CMD_RING_RUNNING.
But like above, while timeout handler is waiting negation of
CMD_RING_RUNNING, event handler can restart cmd_ring. So timeout
handler never be notice negation of CMD_RING_RUNNING, and retry of
CMD_RING_ABORT can abort random command (BTW, I guess retry of
CMD_RING_ABORT was workaround of this race).
To fix this race, this moves xhci_handle_stopped_cmd_ring() to
xhci_abort_cmd_ring(). And timeout handler waits COMP_CMD_STOP event.
At this point, timeout handler is owner of cmd_ring, and safely
restart cmd_ring by using xhci_handle_stopped_cmd_ring().
[FWIW, as bonus, this way would be easily extend to add CMD_RING_PAUSE
operation]
[locks edited as patch is rebased on other locking fixes -Mathias]
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 799dfdeb33a0f8d08c4a6d6781b20a4011825ee4
Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Date: Tue Jan 3 18:28:50 2017 +0200
xhci: Use delayed_work instead of timer for command timeout
commit cb4d5ce588c5ff68e0fdd30370a0e6bc2c0a736b upstream.
This is preparation to fix abort operation race (See "xhci: Fix race
related to abort operation"). To make timeout sleepable, use
delayed_work instead of timer.
[change a newly added pending timer fix to pending work -Mathias]
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6db52153fea3c4cca32712106202955d034e7fad
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu Nov 10 22:33:17 2016 +0300
usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
commit c95a9f83711bf53faeb4ed9bbb63a3f065613dfb upstream.
We normally use the passed in gfp flags for allocations, it's just these
two which were missed.
Fixes: 22d45f01a836 ("usb/xhci: replace pci_*_consistent() with dma_*_coherent()")
Cc: Mathias Nyman <mathias.nyman@intel.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1bd67e85edf1826afbc592028bce941e0425f2dc
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:53 2017 +0100
USB: serial: mos7720: fix parallel probe
commit fde1faf872ed86d88e245191bc15a8e57368cd1c upstream.
A static usb-serial-driver structure that is used to initialise the
interrupt URB was modified during probe depending on the currently
probed device type, something which could break a parallel probe of a
device of a different type.
Fix this up by overriding the default completion callback for MCS7715
devices in attach() instead. We may want to use two usb-serial driver
instances for the two types later.
Fixes: fb088e335d78 ("USB: serial: add support for serial port on the moschip 7715")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6ea44fb2183c6e4c4c7888e35498717f9d637c39
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:52 2017 +0100
USB: serial: mos7720: fix parport use-after-free on probe errors
commit 75dd211e773afcbc264677b0749d1cf7d937ab2d upstream.
Do not submit the interrupt URB until after the parport has been
successfully registered to avoid another use-after-free in the
completion handler when accessing the freed parport private data in case
of a racing completion.
Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e7cf756c89326f8dcee8a109d092d73acc59d72e
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:51 2017 +0100
USB: serial: mos7720: fix use-after-free on probe errors
commit 91a1ff4d53c5184d383d0baeeaeab6f9736f2ff3 upstream.
The interrupt URB was submitted on probe but never stopped on probe
errors. This can lead to use-after-free issues in the completion
handler when accessing the freed usb-serial struct:
Unable to handle kernel paging request at virtual address 6b6b6be7
...
[<bf052e70>] (mos7715_interrupt_callback [mos7720]) from [<c052a894>] (__usb_hcd_giveback_urb+0x80/0x140)
[<c052a894>] (__usb_hcd_giveback_urb) from [<c052a9a4>] (usb_hcd_giveback_urb+0x50/0x138)
[<c052a9a4>] (usb_hcd_giveback_urb) from [<c0550684>] (musb_giveback+0xc8/0x1cc)
Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ac81f1fa956f217b5a111631b81e7d7c9b6ebd73
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:50 2017 +0100
USB: serial: mos7720: fix NULL-deref at open
commit b05aebc25fdc5aeeac3ee29f0dc9f58dd07c13cc upstream.
Fix NULL-pointer dereference at port open if a device lacks the expected
bulk in and out endpoints.
Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf071c20>] (mos7720_open [mos7720]) from [<bf0490e0>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf0490e0>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf049d98>] (serial_open+0x48/0x6c [usbserial])
[<bf049d98>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)
Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bd52ddb0996af221523f7572840c6875bc0d4b8b
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:55 2017 +0100
USB: serial: mos7840: fix NULL-deref at open
commit 5c75633ef751dd4cd8f443dc35152c1ae563162e upstream.
Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:
Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at mos7840_open+0x88/0x8dc [mos7840]
Note that we continue to treat the interrupt-in endpoint as optional for
now.
Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9de856caff86c18f092a03a16f06f1422796be94
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:49 2017 +0100
USB: serial: kobil_sct: fix NULL-deref in write
commit 21ce57840243c7b70fbc1ebd3dceeb70bb6e9e09 upstream.
Fix NULL-pointer dereference in write() should the device lack the
expected interrupt-out endpoint:
Unable to handle kernel NULL pointer dereference at virtual address 00000054
...
PC is at kobil_write+0x144/0x2a0 [kobil_sct]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b2aa55142ea5cff7217f2633e85602d2279ff92e
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:40 2017 +0100
USB: serial: cyberjack: fix NULL-deref at open
commit 3dca01114dcecb1cf324534cd8d75fd1306a516b upstream.
Fix NULL-pointer dereference when clearing halt at open should the device
lack a bulk-out endpoint.
Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at cyberjack_open+0x40/0x9c [cyberjack]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4de811c61ac562295adae03c06f581c167efd307
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:59 2017 +0100
USB: serial: oti6858: fix NULL-deref at open
commit 5afeef2366db14587b65558bbfd5a067542e07fb upstream.
Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:
Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at oti6858_open+0x30/0x1d0 [oti6858]
Note that a missing interrupt-in endpoint would have caused open() to
fail.
Fixes: 49cdee0ed0fc ("USB: oti6858 usb-serial driver (in Nokia CA-42
cable)")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 65914eeb39f47f44766b62a008e632b077b21100
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:42 2017 +0100
USB: serial: io_edgeport: fix NULL-deref at open
commit 0dd408425eb21ddf26a692b3c8044c9e7d1a7948 upstream.
Fix NULL-pointer dereference when initialising URBs at open should a
non-EPIC device lack a bulk-in or interrupt-in endpoint.
Unable to handle kernel NULL pointer dereference at virtual address 00000028
...
PC is at edge_open+0x24c/0x3e8 [io_edgeport]
Note that the EPIC-device probe path has the required sanity checks so
this makes those checks partially redundant.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2e5167b239e62bce68e839dc53fffa8d8d2dd7e4
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:40:03 2017 +0100
USB: serial: ti_usb_3410_5052: fix NULL-deref at open
commit ef079936d3cd09e63612834fe2698eeada0d8e3f upstream.
Fix NULL-pointer dereference in open() should a malicious device lack
the expected endpoints:
Unable to handle kernel NULL pointer dereference at virtual address 00000030
..
[<bf06a6b0>] (ti_open [ti_usb_3410_5052]) from [<bf02e118>] (serial_port_activate+0x68/0x98 [usbserial])
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0556702bf34e6c464b7ca0e14f66a87e8959aea0
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:41 2017 +0100
USB: serial: garmin_gps: fix memory leak on failed URB submit
commit c4ac4496e835b78a45dfbf74f6173932217e4116 upstream.
Make sure to free the URB transfer buffer in case submission fails (e.g.
due to a disconnect).
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9401cc62b7f5acbb65d689e4da2b1b00c85861c3
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:47 2017 +0100
USB: serial: iuu_phoenix: fix NULL-deref at open
commit 90507d54f712d81b74815ef3a4bbb555cd9fab2f upstream.
Fix NULL-pointer dereference at open should the device lack a bulk-in or
bulk-out endpoint:
Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at iuu_open+0x78/0x59c [iuu_phoenix]
Fixes: 07c3b1a10016 ("USB: remove broken usb-serial num_endpoints
check")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 69017618a61ea173bea773a4934a63030ac9998f
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:45 2017 +0100
USB: serial: io_ti: fix I/O after disconnect
commit 2330d0a853da260d8a9834a70df448032b9ff623 upstream.
Cancel the heartbeat work on driver unbind in order to avoid I/O after
disconnect in case the port is held open.
Note that the cancel in release() is still needed to stop the heartbeat
after late probe errors.
Fixes: 26c78daade0f ("USB: io_ti: Add heartbeat to keep idle EP/416 ports from disconnecting")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a66274a9b2f4d570cdb4f44417bfc7efd97a8bab
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:44 2017 +0100
USB: serial: io_ti: fix another NULL-deref at open
commit 4f9785cc99feeb3673993b471f646b4dbaec2cc1 upstream.
In case a device is left in "boot-mode" we must not register any port
devices in order to avoid a NULL-pointer dereference on open due to
missing endpoints. This could be used by a malicious device to trigger
an OOPS:
Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf0caa84>] (edge_open [io_ti]) from [<bf0b0118>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf0b0118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf0b0da0>] (serial_open+0x48/0x6c [usbserial])
[<bf0b0da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 32631d1a739f919db4dea05c98543fa4fcfcb7c6
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:43 2017 +0100
USB: serial: io_ti: fix NULL-deref at open
commit a323fefc6f5079844dc62ffeb54f491d0242ca35 upstream.
Fix NULL-pointer dereference when clearing halt at open should a
malicious device lack the expected endpoints when in download mode.
Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf011ed8>] (edge_open [io_ti]) from [<bf000118>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf000118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf000da0>] (serial_open+0x48/0x6c [usbserial])
[<bf000da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b5264ea24484c8d34a0db7ed9085ab41cfc00576
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:40:02 2017 +0100
USB: serial: spcp8x5: fix NULL-deref at open
commit cc0909248258f679c4bb4cd315565d40abaf6bc6 upstream.
Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:
Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at spcp8x5_open+0x30/0xd0 [spcp8x5]
Fixes: 619a6f1d1423 ("USB: add usb-serial spcp8x5 driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dda7611ec4a5ced89cebb3a9c48afc9c846a1f83
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:48 2017 +0100
USB: serial: keyspan_pda: verify endpoints at probe
commit 5d9b0f859babe96175cd33d7162a9463a875ffde upstream.
Check for the expected endpoints in attach() and fail loudly if not
present.
Note that failing to do this appears to be benign since da280e348866
("USB: keyspan_pda: clean up write-urb busy handling") which prevents a
NULL-pointer dereference in write() by never marking a non-existent
write-urb as free.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 69c415ed5c98c03e7f12c5e2cd7d7e5f7708e4f4
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:40:00 2017 +0100
USB: serial: pl2303: fix NULL-deref at open
commit 76ab439ed1b68778e9059c79ecc5d14de76c89a8 upstream.
Fix NULL-pointer dereference in open() should a type-0 or type-1 device
lack the expected endpoints:
Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at pl2303_open+0x38/0xec [pl2303]
Note that a missing interrupt-in endpoint would have caused open() to
fail.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2a4ae7bc3d8d8e4b92dbac37c90ba1708e7e5c80
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:40:01 2017 +0100
USB: serial: quatech2: fix sleep-while-atomic in close
commit f09d1886a41e9063b43da493ef0e845ac8afd2fa upstream.
The write URB was being killed using the synchronous interface while
holding a spin lock in close().
Simply drop the lock and busy-flag update, something which would have
been taken care of by the completion handler if the URB was in flight.
Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6ae3e89aa6b1cc3ae129922c7132ffea0aa6b19c
Author: Johan Hovold <johan@kernel.org>
Date: Tue Jan 3 16:39:58 2017 +0100
USB: serial: omninet: fix NULL-derefs at open and disconnect
commit a5bc01949e3b19d8a23b5eabc6fc71bb50dc820e upstream.
Fix NULL-pointer dereferences at open() and disconnect() should the
device lack the expected bulk-out endpoints:
Unable to handle kernel NULL pointer dereference at virtual address 000000b4
...
[c0170ff0>] (__lock_acquire) from [<c0172f00>] (lock_acquire+0x108/0x264)
[<c0172f00>] (lock_acquire) from [<c06a5090>] (_raw_spin_lock_irqsave+0x58/0x6c)
[<c06a5090>] (_raw_spin_lock_irqsave) from [<c0470684>] (tty_port_tty_set+0x28/0xa4)
[<c0470684>] (tty_port_tty_set) from [<bf08d384>] (omninet_open+0x30/0x40 [omninet])
[<bf08d384>] (omninet_open [omninet]) from [<bf07c118>] (serial_port_activate+0x68/0x98 [usbserial])
Unable to handle kernel NULL pointer dereference at virtual address 00000234
...
[<bf01f418>] (omninet_disconnect [omninet]) from [<bf0016c0>] (usb_serial_disconnect+0xe4/0x100 [usbserial])
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9acba5179d6c08f5499de52cb543d2b2fbb98cc2
Author: Pan Bian <bianpan2016@163.com>
Date: Tue Jan 3 18:28:45 2017 +0200
usb: return error code when platform_get_irq fails
commit 28bedb5ae463b9f7e5195cbc93f1795e374bdef8 upstream.
In function xhci_mtk_probe(), variable ret takes the return value. Its
value should be negative on failures. However, when the call to function
platform_get_irq() fails, it does not set the error code, and 0 will be
returned. 0 indicates no error. As a result, the callers of function
xhci_mtk_probe() will not be able to detect the error. This patch fixes
the bug by assigning the return value of platform_get_irq() to variable
ret if it fails.
Signed-off-by: Pan Bian <bianpan2016@163.com>
Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cb02cce9a7f8eea6f6c8432f296074d20829ff0f
Author: Lu Baolu <baolu.lu@linux.intel.com>
Date: Tue Jan 3 18:28:49 2017 +0200
usb: xhci: hold lock over xhci_abort_cmd_ring()
commit 4dea70778c0f48b4385c7720c363ec8d37a401b4 upstream.
In command timer function, xhci_handle_command_timeout(), xhci->lock
is unlocked before call into xhci_abort_cmd_ring(). This might cause
race between the timer function and the event handler.
The xhci_abort_cmd_ring() function sets the CMD_RING_ABORT bit in the
command register and polling it until the setting takes effect. A stop
command ring event might be handled between writing the abort bit and
polling for it. The event handler will restart the command ring, which
causes the failure of polling, and we ever believed that we failed to
stop it.
As a bonus, this also fixes some issues of calling functions without
locking in xhci_handle_command_timeout().
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9e6c400bb58220c46a2e5e616a1fbf756f011489
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date: Tue Jan 3 18:28:48 2017 +0200
xhci: Handle command completion and timeout race
commit a5a1b9514154437aa1ed35c291191f82fd3e941a upstream.
If we get a command completion event at the same time as the command
timeout work starts on another cpu we might end up aborting the wrong
command.
If the command completion takes the xhci lock before the timeout work, it
will handle the command, pick the next command, mark it as current_cmd, and
re-queue the timeout work. When the timeout work finally gets the lock
It will start aborting the wrong command.
This case can be resolved by checking if the timeout work is pending inside
the timeout function itself. A new timeout work can only be pending if the
command completed and a new command was queued.
If there are no more commands pending then command completion will set
the current_cmd to NULL, which is already handled in the timeout work.
Reported-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 78ccc1966c9e3dc379a89fb3efb06db35a297680
Author: Baolin Wang <baolin.wang@linaro.org>
Date: Tue Jan 3 18:28:47 2017 +0200
usb: host: xhci: Fix possible wild pointer when handling abort command
commit 2a7cfdf37b7c08ac29df4c62ea5ccb01474b6597 upstream.
When current command was supposed to be aborted, host will free the command
in handle_cmd_completion() function. But it might be still referenced by
xhci->current_cmd, which need to set NULL.
Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a2118d0974095b994a8aa7b32a6a213b961f4f3e
Author: Lu Baolu <baolu.lu@linux.intel.com>
Date: Tue Jan 3 18:28:44 2017 +0200
usb: xhci: fix return value of xhci_setup_device()
commit 90797aee5d6902b49a453c97d83c326408aeb5a8 upstream.
xhci_setup_device() should return failure with correct error number
when xhci host has died, removed or halted.
During usb device enumeration, if usb host is not accessible (died,
removed or halted), the hc_driver->address_device() should return
a corresponding error code to usb core. But current xhci driver just
returns success. This misleads usb core to continue the enumeration
by reading the device descriptor, which will result in failure, and
users will get a misleading message like "device descriptor read/8,
error -110".
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3bf5e7410178eb0f95f2c51c984d67b77a8e61d3
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date: Tue Jan 3 18:28:43 2017 +0200
xhci: free xhci virtual devices with leaf nodes first
commit ee8665e28e8d90ce69d4abe5a469c14a8707ae0e upstream.
the tt_info provided by a HS hub might be in use to by a child device
Make sure we free the devices in the correct order.
This is needed in special cases such as when xhci controller is
reset when resuming from hibernate, and all virt_devices are freed.
Also free the virt_devices starting from max slot_id as children
more commonly have higher slot_id than parent.
Reported-by: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 40359f91569496e77494116dddf8dd317f29d9e5
Author: Wan Ahmad Zainie <wan.ahmad.zainie.wan.mohamad@intel.com>
Date: Tue Jan 3 18:28:52 2017 +0200
usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake
commit 6c97cfc1a097b1e0786c836e92b7a72b4d031e25 upstream.
Intel Apollo Lake also requires XHCI_PME_STUCK_QUIRK.
Adding its PCI ID to quirk.
Signed-off-by: Wan Ahmad Zainie <wan.ahmad.zainie.wan.mohamad@intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9da8e3e48e8805810096f1fbd9e764c0baece561
Author: Lu Baolu <baolu.lu@linux.intel.com>
Date: Tue Jan 3 18:28:46 2017 +0200
usb: xhci: fix possible wild pointer
commit 2b985467371a58ae44d76c7ba12b0951fee6ed98 upstream.
handle_cmd_completion() frees a command structure which might be still
referenced by xhci->current_cmd.
This might cause problem when xhci->current_cmd is accessed after that.
A real-life case could be like this. The host takes a very long time to
respond to a command, and the command timer is fired at the same time
when the command completion event arrives. The command completion
handler frees xhci->current_cmd before the timer function can grab
xhci->lock. Afterward, timer function grabs the lock and go ahead with
checking and setting members of xhci->current_cmd.
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9bdd47c53b7cf79f68ef5038e9494261f060f64e
Author: Felipe Balbi <felipe.balbi@linux.intel.com>
Date: Fri Dec 23 14:40:40 2016 +0200
usb: dwc3: core: avoid Overflow events
commit e71d363d9c611c99fb78f53bfee99616e7fe352c upstream.
Now that we're handling so many transfers at a time
and for some dwc3 revisions LPM events *must* be
enabled, we can fall into a situation where too many
events fire and we start receiving Overflow events.
Let's do what XHCI does and allocate a full page for
the Event Ring, this will avoid any future issues.
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2b95c939cb88c3182e9dd681d4cf40b70985b8a5
Author: Krzysztof Opasiak <k.opasiak@samsung.com>
Date: Tue Dec 20 19:52:16 2016 +0100
usb: gadget: composite: Test get_alt() presence instead of set_alt()
commit 7e4da3fcf7c9fe042f2f7cb7bf23861a899b4a8f upstream.
By convention (according to doc) if function does not provide
get_alt() callback composite framework should assume that it has only
altsetting 0 and should respond with error if host tries to set
other one.
After commit dd4dff8b035f ("USB: composite: Fix bug: should test
set_alt function pointer before use it")
we started checking set_alt() callback instead of get_alt().
This check is useless as we check if set_alt() is set inside
usb_add_function() and fail if it's NULL.
Let's fix this check and move comment about why we check the get
method instead of set a little bit closer to prevent future false
fixes.
Fixes: dd4dff8b035f ("USB: composite: Fix bug: should test set_alt function pointer before use it")
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 735daeec9e6062cad8aab412d0c04d26ae8e13e7
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Wed Dec 14 14:55:56 2016 -0500
USB: dummy-hcd: fix bug in stop_activity (handle ep0)
commit bcdbeb844773333d2d1c08004f3b3e25921040e5 upstream.
The stop_activity() routine in dummy-hcd is supposed to unlink all
active requests for every endpoint, among other things. But it
doesn't handle ep0. As a result, fuzz testing can generate a WARNING
like the following:
WARNING: CPU: 0 PID: 4410 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170
Modules linked in:
CPU: 0 PID: 4410 Comm: syz-executor Not tainted 4.9.0-rc7+ #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff88006a64ed10 ffffffff81f96b8a ffffffff41b58ab3 1ffff1000d4c9d35
ffffed000d4c9d2d ffff880065f8ac00 0000000041b58ab3 ffffffff8598b510
ffffffff81f968f8 0000000041b58ab3 ffffffff859410e0 ffffffff813f0590
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
[<ffffffff812b808f>] __warn+0x19f/0x1e0 kernel/panic.c:550
[<ffffffff812b831c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
[<ffffffff830fcb13>] dummy_free_request+0x153/0x170 drivers/usb/gadget/udc/dummy_hcd.c:672
[<ffffffff830ed1b0>] usb_ep_free_request+0xc0/0x420 drivers/usb/gadget/udc/core.c:195
[<ffffffff83225031>] gadgetfs_unbind+0x131/0x190 drivers/usb/gadget/legacy/inode.c:1612
[<ffffffff830ebd8f>] usb_gadget_remove_driver+0x10f/0x2b0 drivers/usb/gadget/udc/core.c:1228
[<ffffffff830ec084>] usb_gadget_unregister_driver+0x154/0x240 drivers/usb/gadget/udc/core.c:1357
This patch fixes the problem by iterating over all the endpoints in
the driver's ep array instead of iterating over the gadget's ep_list,
which explicitly leaves out ep0.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 05b0f2fc3c2f9efda47439557e0d51faca7e43ed
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Mon Dec 19 12:03:41 2016 -0500
USB: fix problems with duplicate endpoint addresses
commit 0a8fd1346254974c3a852338508e4a4cddbb35f1 upstream.
When checking a new device's descriptors, the USB core does not check
for duplicate endpoint addresses. This can cause a problem when the
sysfs files for those endpoints are created; trying to create multiple
files with the same name will provoke a WARNING:
WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0
sysfs: cannot create duplicate filename
'/devices/platform/dummy_hcd.0/usb2/2-1/2-1:64.0/ep_05'
Kernel panic - not syncing: panic_on_warn set ...
CPU: 2 PID: 865 Comm: kworker/2:1 Not tainted 4.9.0-rc7+ #34
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
ffff88006bee64c8 ffffffff81f96b8a ffffffff00000001 1ffff1000d7dcc2c
ffffed000d7dcc24 0000000000000001 0000000041b58ab3 ffffffff8598b510
ffffffff81f968f8 ffffffff850fee20 ffffffff85cff020 dffffc0000000000
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
[<ffffffff8168c88e>] panic+0x1cb/0x3a9 kernel/panic.c:179
[<ffffffff812b80b4>] __warn+0x1c4/0x1e0 kernel/panic.c:542
[<ffffffff812b8195>] warn_slowpath_fmt+0xc5/0x110 kernel/panic.c:565
[<ffffffff819e70ca>] sysfs_warn_dup+0x8a/0xa0 fs/sysfs/dir.c:30
[<ffffffff819e7308>] sysfs_create_dir_ns+0x178/0x1d0 fs/sysfs/dir.c:59
[< inline >] create_dir lib/kobject.c:71
[<ffffffff81fa1b07>] kobject_add_internal+0x227/0xa60 lib/kobject.c:229
[< inline >] kobject_add_varg lib/kobject.c:366
[<ffffffff81fa2479>] kobject_add+0x139/0x220 lib/kobject.c:411
[<ffffffff82737a63>] device_add+0x353/0x1660 drivers/base/core.c:1088
[<ffffffff82738d8d>] device_register+0x1d/0x20 drivers/base/core.c:1206
[<ffffffff82cb77d3>] usb_create_ep_devs+0x163/0x260 drivers/usb/core/endpoint.c:195
[<ffffffff82c9f27b>] create_intf_ep_devs+0x13b/0x200 drivers/usb/core/message.c:1030
[<ffffffff82ca39d3>] usb_set_configuration+0x1083/0x18d0 drivers/usb/core/message.c:1937
[<ffffffff82cc9e2e>] generic_probe+0x6e/0xe0 drivers/usb/core/generic.c:172
[<ffffffff82caa7fa>] usb_probe_device+0xaa/0xe0 drivers/usb/core/driver.c:263
This patch prevents the problem by checking for duplicate endpoint
addresses during enumeration and skipping any duplicates.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit da4543b3bce001ccc8a283ed64933dea13fb7b77
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Fri Dec 9 15:24:24 2016 -0500
USB: gadgetfs: fix checks of wTotalLength in config descriptors
commit 1c069b057dcf64fada952eaa868d35f02bb0cfc2 upstream.
Andrey Konovalov's fuzz testing of gadgetfs showed that we should
improve the driver's checks for valid configuration descriptors passed
in by the user. In particular, the driver needs to verify that the
wTotalLength value in the descriptor is not too short (smaller
than USB_DT_CONFIG_SIZE). And the check for whether wTotalLength is
too large has to be changed, because the driver assumes there is
always enough room remaining in the buffer to hold a device descriptor
(at least USB_DT_DEVICE_SIZE bytes).
This patch adds the additional check and fixes the existing check. It
may do a little more than strictly necessary, but one extra check
won't hurt.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 46427c247b6204f95d7406df9f43843306b0b7ab
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Fri Dec 9 15:18:43 2016 -0500
USB: gadgetfs: fix use-after-free bug
commit add333a81a16abbd4f106266a2553677a165725f upstream.
Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN use-after-free bug report in gadgetfs:
BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr ffff88003dfe5bf2
Read of size 2 by task syz-executor0/22994
CPU: 3 PID: 22994 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff88006df06a18 ffffffff81f96aba ffffffffe0528500 1ffff1000dbe0cd6
ffffed000dbe0cce ffff88006df068f0 0000000041b58ab3 ffffffff8598b4c8
ffffffff81f96828 1ffff1000dbe0ccd ffff88006df06708 ffff88006df06748
Call Trace:
<IRQ> [ 201.343209] [< inline >] __dump_stack lib/dump_stack.c:15
<IRQ> [ 201.343209] [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
[<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
[< inline >] print_address_description mm/kasan/report.c:197
[<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
[< inline >] kasan_report mm/kasan/report.c:306
[<ffffffff817e562a>] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:337
[< inline >] config_buf drivers/usb/gadget/legacy/inode.c:1298
[<ffffffff8322c8fa>] gadgetfs_setup+0x208a/0x20e0 drivers/usb/gadget/legacy/inode.c:1368
[<ffffffff830fdcd0>] dummy_timer+0x11f0/0x36d0 drivers/usb/gadget/udc/dummy_hcd.c:1858
[<ffffffff814807c1>] call_timer_fn+0x241/0x800 kernel/time/timer.c:1308
[< inline >] expire_timers kernel/time/timer.c:1348
[<ffffffff81482de6>] __run_timers+0xa06/0xec0 kernel/time/timer.c:1641
[<ffffffff814832c1>] run_timer_softirq+0x21/0x80 kernel/time/timer.c:1654
[<ffffffff84f4af8b>] __do_softirq+0x2fb/0xb63 kernel/softirq.c:284
The cause of the bug is subtle. The dev_config() routine gets called
twice by the fuzzer. The first time, the user data contains both a
full-speed configuration descriptor and a high-speed config
descriptor, causing dev->hs_config to be set. But it also contains an
invalid device descriptor, so the buffer containing the descriptors is
deallocated and dev_config() returns an error.
The second time dev_config() is called, the user data contains only a
full-speed config descriptor. But dev->hs_config still has the stale
pointer remaining from the first call, causing the routine to think
that there is a valid high-speed config. Later on, when the driver
dereferences the stale pointer to copy that descriptor, we get a
use-after-free access.
The fix is simple: Clear dev->hs_config if the passed-in data does not
contain a high-speed config descriptor.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b946777664dba9e3d5712073c173544c12762351
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Fri Dec 9 15:17:46 2016 -0500
USB: gadgetfs: fix unbounded memory allocation bug
commit faab50984fe6636e616c7cc3d30308ba391d36fd upstream.
Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN warning in gadgetfs:
BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr ffff88003c47e160
Write of size 65537 by task syz-executor0/6356
CPU: 3 PID: 6356 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff88003c107ad8 ffffffff81f96aba ffffffff3dc11ef0 1ffff10007820eee
ffffed0007820ee6 ffff88003dc11f00 0000000041b58ab3 ffffffff8598b4c8
ffffffff81f96828 ffffffff813fb4a0 ffff88003b6eadc0 ffff88003c107738
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
[<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
[< inline >] print_address_description mm/kasan/report.c:197
[<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
[<ffffffff817e5705>] kasan_report+0x35/0x40 mm/kasan/report.c:306
[< inline >] check_memory_region_inline mm/kasan/kasan.c:308
[<ffffffff817e3fb9>] check_memory_region+0x139/0x190 mm/kasan/kasan.c:315
[<ffffffff817e4044>] kasan_check_write+0x14/0x20 mm/kasan/kasan.c:326
[< inline >] copy_from_user arch/x86/include/asm/uaccess.h:689
[< inline >] ep0_write drivers/usb/gadget/legacy/inode.c:1135
[<ffffffff83228caf>] dev_config+0x86f/0x1190 drivers/usb/gadget/legacy/inode.c:1759
[<ffffffff817fdd55>] __vfs_write+0x5d5/0x760 fs/read_write.c:510
[<ffffffff817ff650>] vfs_write+0x170/0x4e0 fs/read_write.c:560
[< inline >] SYSC_write fs/read_write.c:607
[<ffffffff81803a5b>] SyS_write+0xfb/0x230 fs/read_write.c:599
[<ffffffff84f47ec1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Indeed, there is a comment saying that the value of len is restricted
to a 16-bit integer, but the code doesn't actually do this.
This patch fixes the warning. It replaces the comment with a
computation that forces the amount of data copied from the user in
ep0_write() to be no larger than the wLength size for the control
transfer, which is a 16-bit quantity.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 404954e5b8a675ea5b4ef4dc4c5a74b1ff3ad410
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue Dec 6 08:36:29 2016 +0100
usb: gadgetfs: restrict upper bound on device configuration size
commit 0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1 upstream.
Andrey Konovalov reported that we were not properly checking the upper
limit before of a device configuration size before calling
memdup_user(), which could cause some problems.
So set the upper limit to PAGE_SIZE * 4, which should be good enough for
all devices.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 72271ae49d6bf4011f5861fcae9e29dfbf87fb65
Author: Oliver Neukum <oneukum@suse.com>
Date: Mon Jan 2 15:26:17 2017 +0100
usb: storage: unusual_uas: Add JMicron JMS56x to unusual device
commit 674aea07e38200ea6f31ff6d5f200f0cf6cdb325 upstream.
This device gives the following error on detection.
xhci_hcd 0000:00:11.0: ERROR Transfer event for disabled endpoint or
incorrect stream ring
The same error is not seen when it is added to unusual_device
list with US_FL_NO_REPORT_OPCODES passed.
Signed-off-by: George Cherian <george.cherian@cavium.com>
Signed-off-by: Oliver Neukum <oneukun@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4a37dbe68289b5bddb43656385a230d13d56f6dc
Author: Bin Liu <b-liu@ti.com>
Date: Tue Jan 3 18:13:47 2017 -0600
usb: musb: dsps: implement clear_ep_rxintr() callback
commit c48400baa02155a5ddad63e8554602e48782278c upstream.
During dma teardown for dequque urb, if musb load is high, musb might
generate bogus rx ep interrupt even when the rx fifo is flushed. In such
case any of the follow log messages could happen.
musb_host_rx 1853: BOGUS RX2 ready, csr 0000, count 0
musb_host_rx 1936: RX3 dma busy, csr 2020
As mentioned in the current inline comment, clearing ep interrupt in the
teardown path avoids the bogus interrupt, so implement clear_ep_rxintr()
callback.
This bug seems to be existing since the initial driver for musb support,
but I only validated the fix back to v4.1, so only cc stable for v4.1+.
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5de2dd7f1be18c1ee72c4aa4aeccb191982c1e7c
Author: Bin Liu <b-liu@ti.com>
Date: Tue Jan 3 18:13:46 2017 -0600
usb: musb: core: add clear_ep_rxintr() to musb_platform_ops
commit 6def85a396ce7796bd9f4561c6ae8138833f7a52 upstream.
During dma teardown for dequque urb, if musb load is high, musb might
generate bogus rx ep interrupt even when the rx fifo is flushed. In such
case any of the follow log messages could happen.
musb_host_rx 1853: BOGUS RX2 ready, csr 0000, count 0
musb_host_rx 1936: RX3 dma busy, csr 2020
As mentioned in the current inline comment, clearing ep interrupt in the
teardown path avoids the bogus interrupt.
Clearing ep interrupt is platform dependent, so this patch adds a
platform callback to allow glue driver to clear the ep interrupt.
This bug seems to be existing since the initial driver for musb support,
but I only validated the fix back to v4.1, so only cc stable for v4.1+.
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 84fd8feb5bb50508ba336c7eaf2f377e0b241521
Author: James Hogan <james.hogan@imgtec.com>
Date: Tue Jan 3 17:43:01 2017 +0000
KVM: MIPS: Flush KVM entry code from icache globally
commit 32eb12a6c11034867401d56b012e3c15d5f8141e upstream.
Flush the KVM entry code from the icache on all CPUs, not just the one
that built the entry code.
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim KrÄmář" <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Radim KrÄmář <rkrcmar@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 26a401a6a52f7b838ce65b3b48e314c0a4aaa348
Author: James Hogan <james.hogan@imgtec.com>
Date: Tue Jan 3 17:43:00 2017 +0000
KVM: MIPS: Don't clobber CP0_Status.UX
commit 4c881451d3017033597ea186cf79ae41a73e1ef8 upstream.
On 64-bit kernels, MIPS KVM will clear CP0_Status.UX to prevent the
guest (running in user mode) from accessing the 64-bit memory segments.
However the previous value of CP0_Status.UX is never restored when
exiting from the guest.
If the user process uses 64-bit addressing (the n64 ABI) this can result
in address error exceptions from the kernel if it needs to deliver a
signal before returning to user mode, as the kernel will need to write a
sigframe to high user addresses on the user stack which are disallowed
by CP0_Status.UX=0.
This is fixed by explicitly setting SX and UX again when exiting from
the guest, and explicitly clearing those bits when returning to the
guest. Having the SX and UX bits set when handling guest exits (rather
than only when exiting to userland) will be helpful when we support VZ,
since we shouldn't need to directly read or write guest memory, so it
will be valid for cache management IPIs to access host user addresses.
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim KrÄmář" <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Radim KrÄmář <rkrcmar@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f39969ab0418a9ef7da3f6e571359449b3497d83
Author: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Date: Sat Dec 24 10:00:42 2016 +0100
KVM: x86: reset MMU on KVM_SET_VCPU_EVENTS
commit 6ef4e07ecd2db21025c446327ecf34414366498b upstream.
Otherwise, mismatch between the smm bit in hflags and the MMU role
can cause a NULL pointer dereference.
Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit fe4fc2d67d0bfa0a1b5178e4f3c0f3ae7b29f737
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date: Wed Dec 21 16:45:47 2016 +0200
drm/i915: Initialize overlay->last_flip properly
commit a6d3e7d35d088b2aabad1688b740e17bfdf566c5 upstream.
Initialize overlay->last_flip properly instead of leaving it zeroed.
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Fixes: 0d9bdd886f29 ("drm/i915: Convert intel_overlay to request tracking")
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20161221144547.27319-1-ville.syrjala@linux.intel.com
(cherry picked from commit 330afdb1df0f3fb48583105493a8f4f8d9e3af36)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f0f7f38e80688776a21e6a91025a4851c06c6ee3
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date: Tue Dec 20 18:51:17 2016 +0200
drm/i915: Force VDD off on the new power seqeuencer before starting to use it
commit 8581f1b5ee0837e55197f036406bc99746ac94b2 upstream.
Apparently some VLV BIOSen like to leave the VDD force bit enabled
even for power seqeuncers that aren't properly hooked up to any
port. That will result in a imbalance in the AUX power domain
refcount when we stat to use said power sequencer as edp_panel_vdd_on()
will not grab the power domain reference if it sees that the VDD is
already on.
To fix this let's make sure we turn off the VDD force bit when we
initialize the power sequencer registers. That is, unless it's
being done from the init path since there we are actually
initializing the registers for the current power sequencer and
we don't want to turn VDD off needlessly as that would require
waiting for the power cycle delay before we turn it back on.
This fixes the following kind of warnings:
WARNING: CPU: 0 PID: 123 at ../drivers/gpu/drm/i915/intel_runtime_pm.c:1455 intel_display_power_put+0x13a/0x170 [i915]()
WARN_ON(!power_domains->domain_use_count[domain])
...
v2: Fix typos in comment (David)
Cc: Matwey V. Kornilov <matwey.kornilov@gmail.com>
Tested-by: Matwey V. Kornilov <matwey.kornilov@gmail.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98695
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20161220165117.24801-1-ville.syrjala@linux.intel.com
Reviewed-by: David Weinehall <david.weinehall@linux.intel.com>
(cherry picked from commit 5d5ab2d26f32bdaa5872b938658e0bf8d341bc4c)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 73d4256359899b239a8bb58546369afebeb4fc40
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date: Wed Dec 7 19:28:03 2016 +0200
drm/i915: Fix oops in overlay due to frontbuffer tracking
commit 9169757ae67bc927750ae907624e65cc15b4fe5a upstream.
The vma will be NULL if the overlay was previously off, so
dereferencing it will oops. Check for NULL before doing that.
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Fixes: 9b3b7841b86d ("drm/i915/overlay: Use VMA as the primary tracker for images")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1481131693-27993-2-git-send-email-ville.syrjala@linux.intel.com
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
(cherry picked from commit 4a15cdbbc55463e55a7cdcf33f84ccc742ca9c29)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5652dd3f005d7947c588ced586e09c48d68be7ae
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date: Wed Dec 7 17:56:47 2016 +0000
drm/i915: Fix oopses in the overlay code due to i915_gem_active stuff
commit b72eb5ffa6d8601d9ba72619d75fb5b27723743a upstream.
The i915_gem_active stuff doesn't like a NULL ->retire hook, but
the overlay code can set it to NULL. That obviously ends up oopsing.
Fix it by introducing a new helper to assign the retirement callback
that will switch out the NULL function pointer with
i915_gem_retire_noop.
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Fixes: 0d9bdd886f29 ("drm/i915: Convert intel_overlay to request tracking")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: http://patchwork.freedesktop.org/patch/msgid/20161207175647.10018-1-chris@chris-wilson.co.uk
(cherry picked from commit ecd9caa0522db5a6b03ac8858c42067ef9d8323b)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8f8157c2a72af9cbd0e868ef64b90565b818a445
Author: Kees Cook <keescook@chromium.org>
Date: Fri Dec 16 11:36:06 2016 -0800
gcc-plugins: update gcc-common.h for gcc-7
commit 81d873a87114b05dbb74d1fbf0c4322ba4bfdee4 upstream.
This updates gcc-common.h from Emese Revfy for gcc 7. This fixes issues seen
by Kugan and Arnd. Build tested with gcc 5.4 and 7 snapshot.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8c775affbbd69486588ee3105e7fe357874d33fb
Author: Michal Marek <mmarek@suse.com>
Date: Tue Jan 3 13:49:42 2017 +0100
asm-prototypes: Clear any CPP defines before declaring the functions
commit c7858bf16c0b2cc62f475f31e6df28c3a68da1d6 upstream.
The asm-prototypes.h file is used to provide dummy function declarations
for genksyms, when processing asm files with EXPORT_SYMBOL. Make sure
that any architecture defines get out of our way. x86 currently has an
issue with memcpy on 64bit with CONFIG_KMEMCHECK=y and with
memset/__memset on 32bit:
$ cat init/test.c
#include <asm/asm-prototypes.h>
$ make -s init/test.o
In file included from ./arch/x86/include/asm/string.h:4:0,
from ./include/linux/string.h:18,
from ./include/linux/bitmap.h:8,
from ./include/linux/cpumask.h:11,
from ./arch/x86/include/asm/cpumask.h:4,
from ./arch/x86/include/asm/msr.h:10,
from ./arch/x86/include/asm/processor.h:20,
from ./arch/x86/include/asm/cpufeature.h:4,
from ./arch/x86/include/asm/thread_info.h:52,
from ./include/linux/thread_info.h:25,
from ./arch/x86/include/asm/preempt.h:6,
from ./include/linux/preempt.h:59,
from ./include/linux/spinlock.h:50,
from ./include/linux/seqlock.h:35,
from ./include/linux/time.h:5,
from ./include/uapi/linux/timex.h:56,
from ./include/linux/timex.h:56,
from ./include/linux/sched.h:19,
from ./include/linux/uaccess.h:4,
from ./arch/x86/include/asm/asm-prototypes.h:2,
from init/test.c:1:
./arch/x86/include/asm/string_64.h:52:47: error: expected declaration specifiers or ‘...’ before ‘(’ token
#define memcpy(dst, src, len) __inline_memcpy((dst), (src), (len))
./include/asm-generic/asm-prototypes.h:6:14: note: in expansion of macro ‘memcpy’
extern void *memcpy(void *, const void *, __kernel_size_t);
^
...
During real build, this manifests itself by genksyms segfaulting.
Fixes: 334bb7738764 ("x86/kbuild: enable modversions for symbols exported from asm")
Reported-and-tested-by: Borislav Petkov <bp@alien8.de>
Cc: Adam Borowski <kilobyte@angband.pl>
Signed-off-by: Michal Marek <mmarek@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5e7598a625eead50e6d783797de828fe22e86f25
Author: Johannes Berg <johannes.berg@intel.com>
Date: Mon Jan 2 11:19:29 2017 +0100
mac80211: initialize fast-xmit 'info' later
commit 35f432a03e41d3bf08c51ede917f94e2288fbe8c upstream.
In ieee80211_xmit_fast(), 'info' is initialized to point to the skb
that's passed in, but that skb may later be replaced by a clone (if
it was shared), leading to an invalid pointer.
This can lead to use-after-free and also later crashes since the
real SKB's info->hw_queue doesn't get initialized properly.
Fix this by assigning info only later, when it's needed, after the
skb replacement (may have) happened.
Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3c4eef31670361212d4f762c9420fa9a4ff160c0
Author: Shyam Sundar S K <ssundark@amd.com>
Date: Thu Dec 8 17:31:14 2016 +0530
pinctrl/amd: Set the level based on ACPI tables
commit 2983f296f2327bc517e3b29344fce82271160197 upstream.
In the function amd_gpio_irq_set_type, read the values from
the ACPI table to set the level and drop the settings passed
by the client.
Reviewed-by: Pankaj Sen <Pankaj.Sen@amd.com>
Reviewed-by: Nitesh Kumar Agrawal <Nitesh-kumar.Agrawal@amd.com>
Reviewed-by: Shah, Nehal-bakulchandra <Nehal-bakulchandra.Shah@amd.com>
Signed-off-by: Shyam-sundar S-k <Shyam-sundar.S-k@amd.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c7b1b7951d9d08a7b9ec19354fa8f33b5d1e9ddb
Author: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Date: Wed Dec 7 16:22:16 2016 +0100
ARM: davinci: da850: don't add emac clock to lookup table twice
commit ef37427ac5677331145ab27a17e6f5f1b43f0c11 upstream.
Similarly to the aemif clock - this screws up the linked list of clock
children. Create a separate clock for mdio inheriting the rate from
emac_clk.
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
[nsekhar@ti.com: add a comment over mdio_clk to explaing its existence +
commit headline updates]
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5f390df2baf73050b7af522ded2b2e070d21caa2
Author: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Date: Tue Dec 27 08:57:59 2016 -0800
HID: sensor-hub: Move the memset to sensor_hub_get_feature()
commit 143fca77cce906d35f7a60ccef648e888df589f2 upstream.
While applying patch d443a0aa3a29: "HID: hid-sensor-hub: clear memory to
avoid random data", there was some issues in applying correct version of
the patch. This resulted in the breakage of sensor functions as all
request like power-up will be reset by the memset() in the function
sensor_hub_set_feature().
The reset of caller buffer should be in the function
sensor_hub_get_feature(), not in the sensor_hub_set_feature().
Fixes: d443a0aa3a29 ("HID: hid-sensor-hub: clear memory to avoid random data")
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0c8033357b1d8fc4bba43cf1f87d2f61f3dd3fd2
Author: Helge Deller <deller@gmx.de>
Date: Mon Dec 26 12:46:01 2016 +0100
parisc: Mark cr16 clocksource unstable on SMP systems
commit 41744213602a206f24adcb4a2b7551db3c700e72 upstream.
The cr16 interval timer of each CPU is not syncronized to other cr16
timers in other CPUs in a SMP system. So, delay the registration of the
cr16 clocksource until all CPUs have been detected and then - if we are
on a SMP machine - mark the cr16 clocksource as unstable and lower it's
rating before registering it at the clocksource framework.
This patch fixes the stalled CPU warnings which we have seen since
introduction of the cr16 clocksource.
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e569eef6298adbcc98ca029cc6763b1d854b1bed
Author: Helge Deller <deller@gmx.de>
Date: Mon Jan 2 17:43:15 2017 +0100
parisc: Add line-break when printing segfault info
commit b4a9eb4cd5966c8aad3d007d206a2cbda97d6928 upstream.
Add a leading line break else printed line gets too long.
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d259b685373231b8c85f95633e0a702352077ef6
Author: Eric Biggers <ebiggers@google.com>
Date: Mon Dec 19 14:20:13 2016 -0800
fscrypt: fix renaming and linking special files
commit 42d97eb0ade31e1bc537d086842f5d6e766d9d51 upstream.
Attempting to link a device node, named pipe, or socket file into an
encrypted directory through rename(2) or link(2) always failed with
EPERM. This happened because fscrypt_has_permitted_context() saw that
the file was unencrypted and forbid creating the link. This behavior
was unexpected because such files are never encrypted; only regular
files, directories, and symlinks can be encrypted.
To fix this, make fscrypt_has_permitted_context() always return true on
special files.
This will be covered by a test in my encryption xfstests patchset.
Fixes: 9bd8212f981e ("ext4 crypto: add encryption policy and password salt support")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit be4e3aec56679ecf0c7d4130c976c838a4855ef8
Author: Ioan-Adrian Ratiu <adi@adirat.com>
Date: Thu Jan 5 00:37:46 2017 +0200
ALSA: usb-audio: Fix irq/process data synchronization
commit 1d0f953086f090a022f2c0e1448300c15372db46 upstream.
Commit 16200948d83 ("ALSA: usb-audio: Fix race at stopping the stream") was
incomplete causing another more severe kernel panic, so it got reverted.
This fixes both the original problem and its fallout kernel race/crash.
The original fix is to move the endpoint member NULL clearing logic inside
wait_clear_urbs() so the irq triggering the urb completion doesn't call
retire_capture/playback_urb() after the NULL clearing and generate a panic.
However this creates a new race between snd_usb_endpoint_start()'s call
to wait_clear_urbs() and the irq urb completion handler which again calls
retire_capture/playback_urb() leading to a new NULL dereference.
We keep the EP deactivation code in snd_usb_endpoint_start() because
removing it will break the EP reference counting (see [1] [2] for info),
however we don't need the "can_sleep" mechanism anymore because a new
function was introduced (snd_usb_endpoint_sync_pending_stop()) which
synchronizes pending stops and gets called inside the pcm prepare callback.
It also makes sense to remove can_sleep because it was also removed from
deactivate_urbs() signature in [3] so we benefit from more simplification.
[1] commit 015618b90 ("ALSA: snd-usb: Fix URB cancellation at stream start")
[2] commit e9ba389c5 ("ALSA: usb-audio: Fix scheduling-while-atomic bug in PCM capture stream")
[3] commit ccc1696d5 ("ALSA: usb-audio: simplify endpoint deactivation code")
Fixes: f8114f8583bb ("Revert "ALSA: usb-audio: Fix race at stopping the stream"")
Signed-off-by: Ioan-Adrian Ratiu <adi@adirat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5b2c3cafcafc38a9cdf789d7d3a515eae88bdb3b
Author: Takashi Iwai <tiwai@suse.de>
Date: Wed Jan 4 21:38:16 2017 +0100
ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL
commit c7efff9284dfde95a11aaa811c9d8ec8167f0f6e upstream.
Although the old quirk table showed ASUS X71SL with ALC663 codec being
compatible with asus-mode3 fixup, the bugzilla reporter explained that
asus-model8 fits better for the dual headphone controls. So be it.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=191781
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 71c88fc3bde7582c551aaa0a2db0aefb3c98aa62
Author: Takashi Iwai <tiwai@suse.de>
Date: Tue Dec 6 16:20:36 2016 +0100
ALSA: hda - Fix up GPIO for ASUS ROG Ranger
commit 85bcf96caba8b4a7c0805555638629ba3c67ea0c upstream.
ASUS ROG Ranger VIII with ALC1150 codec requires the extra GPIO pin to
up for the front panel. Just use the existing fixup for setting up
the GPIO pins.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=189411
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 755259ba2a3a40f67d36325a1b34d8f0a1d63894
Author: Florian Fainelli <f.fainelli@gmail.com>
Date: Wed Dec 14 17:13:24 2016 -0800
staging: octeon: Call SET_NETDEV_DEV()
commit e7c9a3d9e432200fd4c17855c2c23ac784d6e833 upstream.
The Octeon driver calls into PHYLIB which now checks for
net_device->dev.parent, so make sure we do set it before calling into
any MDIO/PHYLIB related function.
Fixes: ec988ad78ed6 ("phy: Don't increment MDIO bus refcount unless it's a different owner")
Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ea991c8354c3dab7f7fe6c3a747bc473b9c935e2
Author: Marcin Niestroj <m.niestroj@grinn-global.com>
Date: Thu Dec 8 15:22:58 2016 +0100
iio: bmi160: Fix time needed to sleep after command execution
commit 01d1f7a99e457952aa51849ed7c1cc4ced7bca4b upstream.
Datasheet specifies typical and maximum execution times for which CMD
register is occupied after previous command execution. We took these
values as minimum and maximum time for usleep_range() call before making
a new command execution.
To be sure, that the CMD register is no longer occupied we need to wait
*at least* the maximum time specified by datasheet.
Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7090b8da3836ea69c79da8d71141a318269c26a8
Author: Akinobu Mita <akinobu.mita@gmail.com>
Date: Thu Dec 29 02:16:36 2016 +0900
iio: max44000: correct value in illuminance_integration_time_available
commit b4e8a0eb718749455601fa7b283febc42cca8957 upstream.
According to the datasheet, the shortest available integration time for
ALS ADC conversion is 1.5625ms but illuminance_integration_time_available
sysfs file shows wrong value.
Cc: Crestez Dan Leonard <leonard.crestez@intel.com>
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: Hartmut Knaack <knaack.h@gmx.de>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Cc: Peter Meerwald-Stadler <pmeerw@pmeerw.net>
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Fixes: d5d8f49b6 ("max44000: Expose ambient sensor scaling")
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cf49219364fd1529567fba45b22eee98b4f0e6c5
Author: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
Date: Wed Nov 16 22:15:28 2016 +0100
iio: common: st_sensors: fix channel data parsing
commit 65c8aea07de11b6507efa175edb44bd8b4488218 upstream.
Using realbits as i2c/spi read len, when that value is not byte aligned
(e.g 12 bits), lead to skip msb part of out data registers.
Fix this taking into account scan_type.shift in addition to
scan_type.realbits as read length:
read_len = DIV_ROUND_UP(realbits + shift, 8)
This fix has been tested on 8, 12, 16, 24 bit sensors
Fixes: e7385de5291e ("iio:st_sensors: align on storagebits boundaries")
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@st.com>
Tested-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>