1. 14 Jun, 2017 40 commits
    • Quinn Tran's avatar
      scsi: qla2xxx: Fix NULL pointer access due to redundant fc_host_port_name call · 21fffaa1
      Quinn Tran authored
      commit 0ea88662 upstream.
      
      Remove redundant fc_host_port_name calls to prevent early access of
      scsi_host->shost_data buffer. This prevent null pointer access.
      
      Following stack trace is seen:
      
      BUG: unable to handle kernel NULL pointer dereference at 00000000000008
      IP: qla24xx_report_id_acquisition+0x22d/0x3a0 [qla2xxx]
      Signed-off-by: default avatarQuinn Tran <quinn.tran@cavium.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@cavium.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      21fffaa1
    • Sawan Chandak's avatar
      scsi: qla2xxx: Fix crash due to mismatch mumber of Q-pair creation for Multi queue · 96e0d455
      Sawan Chandak authored
      commit b95b9452 upstream.
      
      when driver is loaded with Multi Queue enabled, it was noticed that
      there was one less queue pair created.
      
      Following message would indicate this:
      
      "No resources to create additional q pair."
      
      The result of one less queue pair means that system can crash, if the
      block mq layer thinks there is an extra hardware queue available, and
      the driver will use a NULL ptr qpair in that instance.
      
      Following stack trace is seen in one of the crash:
      
      irq_create_affinity_masks+0x98/0x530
      irq_create_affinity_masks+0x98/0x530
      __pci_enable_msix+0x321/0x4e0
      mutex_lock+0x12/0x40
      pci_alloc_irq_vectors_affinity+0xb5/0x140
      qla24xx_enable_msix+0x79/0x530 [qla2xxx]
      qla2x00_request_irqs+0x61/0x2d0 [qla2xxx]
      qla2x00_probe_one+0xc73/0x2390 [qla2xxx]
      ida_simple_get+0x98/0x100
      kernfs_next_descendant_post+0x40/0x50
      local_pci_probe+0x45/0xa0
      pci_device_probe+0xfc/0x140
      driver_probe_device+0x2c5/0x470
      __driver_attach+0xdd/0xe0
      driver_probe_device+0x470/0x470
      bus_for_each_dev+0x6c/0xc0
      driver_attach+0x1e/0x20
      bus_add_driver+0x45/0x270
      driver_register+0x60/0xe0
      __pci_register_driver+0x4c/0x50
      qla2x00_module_init+0x1ce/0x21e [qla2xxx]
      Signed-off-by: default avatarSawan Chandak <sawan.chandak@cavium.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@cavium.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      96e0d455
    • himanshu.madhani@cavium.com's avatar
      scsi: qla2xxx: Fix recursive loop during target mode configuration for ISP25XX... · 083dca44
      himanshu.madhani@cavium.com authored
      scsi: qla2xxx: Fix recursive loop during target mode configuration for ISP25XX leaving system unresponsive
      
      commit cb590700 upstream.
      
      Following messages are seen into system logs
      
      qla2xxx [0000:09:00.0]-00af:9: Performing ISP error recovery - ha=ffff98315ee30000.
      qla2xxx [0000:09:00.0]-504b:9: RISC paused -- HCCR=40, Dumping firmware.
      qla2xxx [0000:09:00.0]-d009:9: Firmware has been previously dumped (ffffba488c001000) -- ignoring request.
      qla2xxx [0000:09:00.0]-504b:9: RISC paused -- HCCR=40, Dumping firmware.
      
      See Bugzilla for details
      https://bugzilla.kernel.org/show_bug.cgi?id=195285
      
      Fixes: d7459527 ("scsi: qla2xxx: Add multiple queue pair functionality.")
      Reported-by: default avatarLaurence Oberman <loberman@redhat.com>
      Reported-by: default avatarAnthony Bloodoff <anthony.bloodoff@gmail.com>
      Tested-by: default avatarLaurence Oberman <loberman@redhat.com>
      Tested-by: default avatarAnthony Bloodoff <anthony.bloodoff@gmail.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@cavium.com>
      Signed-off-by: default avatarGiridhar Malavali <giridhar.malavali@cavium.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      083dca44
    • Johannes Thumshirn's avatar
      scsi: qla2xxx: don't disable a not previously enabled PCI device · daa15f6f
      Johannes Thumshirn authored
      commit ddff7ed4 upstream.
      
      When pci_enable_device() or pci_enable_device_mem() fail in
      qla2x00_probe_one() we bail out but do a call to
      pci_disable_device(). This causes the dev_WARN_ON() in
      pci_disable_device() to trigger, as the device wasn't enabled
      previously.
      
      So instead of taking the 'probe_out' error path we can directly return
      *iff* one of the pci_enable_device() calls fails.
      
      Additionally rename the 'probe_out' goto label's name to the more
      descriptive 'disable_device'.
      Signed-off-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Fixes: e315cd28 ("[SCSI] qla2xxx: Code changes for qla data structure refactoring")
      Reviewed-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Reviewed-by: default avatarGiridhar Malavali <giridhar.malavali@cavium.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      daa15f6f
    • Marc Zyngier's avatar
      KVM: arm/arm64: Handle possible NULL stage2 pud when ageing pages · 2bae71aa
      Marc Zyngier authored
      commit d6dbdd3c upstream.
      
      Under memory pressure, we start ageing pages, which amounts to parsing
      the page tables. Since we don't want to allocate any extra level,
      we pass NULL for our private allocation cache. Which means that
      stage2_get_pud() is allowed to fail. This results in the following
      splat:
      
      [ 1520.409577] Unable to handle kernel NULL pointer dereference at virtual address 00000008
      [ 1520.417741] pgd = ffff810f52fef000
      [ 1520.421201] [00000008] *pgd=0000010f636c5003, *pud=0000010f56f48003, *pmd=0000000000000000
      [ 1520.429546] Internal error: Oops: 96000006 [#1] PREEMPT SMP
      [ 1520.435156] Modules linked in:
      [ 1520.438246] CPU: 15 PID: 53550 Comm: qemu-system-aar Tainted: G        W       4.12.0-rc4-00027-g1885c397eaec #7205
      [ 1520.448705] Hardware name: FOXCONN R2-1221R-A4/C2U4N_MB, BIOS G31FB12A 10/26/2016
      [ 1520.463726] task: ffff800ac5fb4e00 task.stack: ffff800ce04e0000
      [ 1520.469666] PC is at stage2_get_pmd+0x34/0x110
      [ 1520.474119] LR is at kvm_age_hva_handler+0x44/0xf0
      [ 1520.478917] pc : [<ffff0000080b137c>] lr : [<ffff0000080b149c>] pstate: 40000145
      [ 1520.486325] sp : ffff800ce04e33d0
      [ 1520.489644] x29: ffff800ce04e33d0 x28: 0000000ffff40064
      [ 1520.494967] x27: 0000ffff27e00000 x26: 0000000000000000
      [ 1520.500289] x25: ffff81051ba65008 x24: 0000ffff40065000
      [ 1520.505618] x23: 0000ffff40064000 x22: 0000000000000000
      [ 1520.510947] x21: ffff810f52b20000 x20: 0000000000000000
      [ 1520.516274] x19: 0000000058264000 x18: 0000000000000000
      [ 1520.521603] x17: 0000ffffa6fe7438 x16: ffff000008278b70
      [ 1520.526940] x15: 000028ccd8000000 x14: 0000000000000008
      [ 1520.532264] x13: ffff7e0018298000 x12: 0000000000000002
      [ 1520.537582] x11: ffff000009241b93 x10: 0000000000000940
      [ 1520.542908] x9 : ffff0000092ef800 x8 : 0000000000000200
      [ 1520.548229] x7 : ffff800ce04e36a8 x6 : 0000000000000000
      [ 1520.553552] x5 : 0000000000000001 x4 : 0000000000000000
      [ 1520.558873] x3 : 0000000000000000 x2 : 0000000000000008
      [ 1520.571696] x1 : ffff000008fd5000 x0 : ffff0000080b149c
      [ 1520.577039] Process qemu-system-aar (pid: 53550, stack limit = 0xffff800ce04e0000)
      [...]
      [ 1521.510735] [<ffff0000080b137c>] stage2_get_pmd+0x34/0x110
      [ 1521.516221] [<ffff0000080b149c>] kvm_age_hva_handler+0x44/0xf0
      [ 1521.522054] [<ffff0000080b0610>] handle_hva_to_gpa+0xb8/0xe8
      [ 1521.527716] [<ffff0000080b3434>] kvm_age_hva+0x44/0xf0
      [ 1521.532854] [<ffff0000080a58b0>] kvm_mmu_notifier_clear_flush_young+0x70/0xc0
      [ 1521.539992] [<ffff000008238378>] __mmu_notifier_clear_flush_young+0x88/0xd0
      [ 1521.546958] [<ffff00000821eca0>] page_referenced_one+0xf0/0x188
      [ 1521.552881] [<ffff00000821f36c>] rmap_walk_anon+0xec/0x250
      [ 1521.558370] [<ffff000008220f78>] rmap_walk+0x78/0xa0
      [ 1521.563337] [<ffff000008221104>] page_referenced+0x164/0x180
      [ 1521.569002] [<ffff0000081f1af0>] shrink_active_list+0x178/0x3b8
      [ 1521.574922] [<ffff0000081f2058>] shrink_node_memcg+0x328/0x600
      [ 1521.580758] [<ffff0000081f23f4>] shrink_node+0xc4/0x328
      [ 1521.585986] [<ffff0000081f2718>] do_try_to_free_pages+0xc0/0x340
      [ 1521.592000] [<ffff0000081f2a64>] try_to_free_pages+0xcc/0x240
      [...]
      
      The trivial fix is to handle this NULL pud value early, rather than
      dereferencing it blindly.
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Reviewed-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarChristoffer Dall <cdall@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2bae71aa
    • Omar Sandoval's avatar
      Btrfs: fix delalloc accounting leak caused by u32 overflow · 7751d94d
      Omar Sandoval authored
      commit 70e7af24 upstream.
      
      btrfs_calc_trans_metadata_size() does an unsigned 32-bit multiplication,
      which can overflow if num_items >= 4 GB / (nodesize * BTRFS_MAX_LEVEL * 2).
      For a nodesize of 16kB, this overflow happens at 16k items. Usually,
      num_items is a small constant passed to btrfs_start_transaction(), but
      we also use btrfs_calc_trans_metadata_size() for metadata reservations
      for extent items in btrfs_delalloc_{reserve,release}_metadata().
      
      In drop_outstanding_extents(), num_items is calculated as
      inode->reserved_extents - inode->outstanding_extents. The difference
      between these two counters is usually small, but if many delalloc
      extents are reserved and then the outstanding extents are merged in
      btrfs_merge_extent_hook(), the difference can become large enough to
      overflow in btrfs_calc_trans_metadata_size().
      
      The overflow manifests itself as a leak of a multiple of 4 GB in
      delalloc_block_rsv and the metadata bytes_may_use counter. This in turn
      can cause early ENOSPC errors. Additionally, these WARN_ONs in
      extent-tree.c will be hit when unmounting:
      
          WARN_ON(fs_info->delalloc_block_rsv.size > 0);
          WARN_ON(fs_info->delalloc_block_rsv.reserved > 0);
          WARN_ON(space_info->bytes_pinned > 0 ||
                  space_info->bytes_reserved > 0 ||
                  space_info->bytes_may_use > 0);
      
      Fix it by casting nodesize to a u64 so that
      btrfs_calc_trans_metadata_size() does a full 64-bit multiplication.
      While we're here, do the same in btrfs_calc_trunc_metadata_size(); this
      can't overflow with any existing uses, but it's better to be safe here
      than have another hard-to-debug problem later on.
      Signed-off-by: default avatarOmar Sandoval <osandov@fb.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7751d94d
    • Jeff Mahoney's avatar
      btrfs: fix race with relocation recovery and fs_root setup · acccdbef
      Jeff Mahoney authored
      commit a9b3311e upstream.
      
      If we have to recover relocation during mount, we'll ultimately have to
      evict the orphan inode.  That goes through the reservation dance, where
      priority_reclaim_metadata_space and flush_space expect fs_info->fs_root
      to be valid.  That's the next thing to be set up during mount, so we
      crash, almost always in flush_space trying to join the transaction
      but priority_reclaim_metadata_space is possible as well.  This call
      path has been problematic in the past WRT whether ->fs_root is valid
      yet.  Commit 957780eb (Btrfs: introduce ticketed enospc
      infrastructure) added new users that are called in the direct path
      instead of the async path that had already been worked around.
      
      The thing is that we don't actually need the fs_root, specifically, for
      anything.  We either use it to determine whether the root is the
      chunk_root for use in choosing an allocation profile or as a root to pass
      btrfs_join_transaction before immediately committing it.  Anything that
      isn't the chunk root works in the former case and any root works in
      the latter.
      
      A simple fix is to use a root we know will always be there: the
      extent_root.
      
      Fixes: 957780eb (Btrfs: introduce ticketed enospc infrastructure)
      Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      Reviewed-by: default avatarLiu Bo <bo.li.liu@oracle.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      acccdbef
    • Jeff Mahoney's avatar
      btrfs: fix memory leak in update_space_info failure path · 5ca9daf7
      Jeff Mahoney authored
      commit 896533a7 upstream.
      
      If we fail to add the space_info kobject, we'll leak the memory
      for the percpu counter.
      
      Fixes: 6ab0a202 (btrfs: publish allocation data in sysfs)
      Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      Reviewed-by: default avatarLiu Bo <bo.li.liu@oracle.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5ca9daf7
    • David Sterba's avatar
      btrfs: use correct types for page indices in btrfs_page_exists_in_range · 6bc3d6a6
      David Sterba authored
      commit cc2b702c upstream.
      
      Variables start_idx and end_idx are supposed to hold a page index
      derived from the file offsets. The int type is not the right one though,
      offsets larger than 1 << 44 will get silently trimmed off the high bits.
      (1 << 44 is 16TiB)
      
      What can go wrong, if start is below the boundary and end gets trimmed:
      - if there's a page after start, we'll find it (radix_tree_gang_lookup_slot)
      - the final check "if (page->index <= end_idx)" will unexpectedly fail
      
      The function will return false, ie. "there's no page in the range",
      although there is at least one.
      
      btrfs_page_exists_in_range is used to prevent races in:
      
      * in hole punching, where we make sure there are not pages in the
        truncated range, otherwise we'll wait for them to finish and redo
        truncation, but we're going to replace the pages with holes anyway so
        the only problem is the intermediate state
      
      * lock_extent_direct: we want to make sure there are no pages before we
        lock and start DIO, to prevent stale data reads
      
      For practical occurence of the bug, there are several constaints.  The
      file must be quite large, the affected range must cross the 16TiB
      boundary and the internal state of the file pages and pending operations
      must match.  Also, we must not have started any ordered data in the
      range, otherwise we don't even reach the buggy function check.
      
      DIO locking tries hard in several places to avoid deadlocks with
      buffered IO and avoids waiting for ranges. The worst consequence seems
      to be stale data read.
      
      CC: Liu Bo <bo.li.liu@oracle.com>
      Fixes: fc4adbff ("btrfs: Drop EXTENT_UPTODATE check in hole punching and direct locking")
      Reviewed-by: default avatarLiu Bo <bo.li.liu@oracle.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6bc3d6a6
    • Vaibhav Jain's avatar
      cxl: Avoid double free_irq() for psl,slice interrupts · 574ab1b8
      Vaibhav Jain authored
      commit b3aa20ba upstream.
      
      During an eeh call to cxl_remove can result in double free_irq of
      psl,slice interrupts. This can happen if perst_reloads_same_image == 1
      and call to cxl_configure_adapter() fails during slot_reset
      callback. In such a case we see a kernel oops with following back-trace:
      
      Oops: Kernel access of bad area, sig: 11 [#1]
      Call Trace:
        free_irq+0x88/0xd0 (unreliable)
        cxl_unmap_irq+0x20/0x40 [cxl]
        cxl_native_release_psl_irq+0x78/0xd8 [cxl]
        pci_deconfigure_afu+0xac/0x110 [cxl]
        cxl_remove+0x104/0x210 [cxl]
        pci_device_remove+0x6c/0x110
        device_release_driver_internal+0x204/0x2e0
        pci_stop_bus_device+0xa0/0xd0
        pci_stop_and_remove_bus_device+0x28/0x40
        pci_hp_remove_devices+0xb0/0x150
        pci_hp_remove_devices+0x68/0x150
        eeh_handle_normal_event+0x140/0x580
        eeh_handle_event+0x174/0x360
        eeh_event_handler+0x1e8/0x1f0
      
      This patch fixes the issue of double free_irq by checking that
      variables that hold the virqs (err_hwirq, serr_hwirq, psl_virq) are
      not '0' before un-mapping and resetting these variables to '0' when
      they are un-mapped.
      Signed-off-by: default avatarVaibhav Jain <vaibhav@linux.vnet.ibm.com>
      Reviewed-by: default avatarAndrew Donnellan <andrew.donnellan@au1.ibm.com>
      Acked-by: default avatarFrederic Barrat <fbarrat@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      574ab1b8
    • Frederic Barrat's avatar
      cxl: Fix error path on bad ioctl · 0c94348b
      Frederic Barrat authored
      commit cec422c1 upstream.
      
      Fix error path if we can't copy user structure on CXL_IOCTL_START_WORK
      ioctl. We shouldn't unlock the context status mutex as it was not
      locked (yet).
      
      Fixes: 0712dc7e ("cxl: Fix issues when unmapping contexts")
      Signed-off-by: default avatarFrederic Barrat <fbarrat@linux.vnet.ibm.com>
      Reviewed-by: default avatarVaibhav Jain <vaibhav@linux.vnet.ibm.com>
      Reviewed-by: default avatarAndrew Donnellan <andrew.donnellan@au1.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0c94348b
    • Al Viro's avatar
      excessive checks in ufs_write_failed() and ufs_evict_inode() · 4907e3bb
      Al Viro authored
      commit babef37d upstream.
      
      As it is, short copy in write() to append-only file will fail
      to truncate the excessive allocated blocks.  As the matter of
      fact, all checks in ufs_truncate_blocks() are either redundant
      or wrong for that caller.  As for the only other caller
      (ufs_evict_inode()), we only need the file type checks there.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4907e3bb
    • Al Viro's avatar
    • Al Viro's avatar
      ufs_extend_tail(): fix the braino in calling conventions of ufs_new_fragments() · c12c0c4f
      Al Viro authored
      commit 940ef1a0 upstream.
      
      ... and it really needs splitting into "new" and "extend" cases, but that's for
      later
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c12c0c4f
    • Al Viro's avatar
      ufs: set correct ->s_maxsize · 728154e9
      Al Viro authored
      commit 6b0d144f upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      728154e9
    • Al Viro's avatar
      ufs: restore maintaining ->i_blocks · d426b957
      Al Viro authored
      commit eb315d2a upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d426b957
    • Al Viro's avatar
      fix ufs_isblockset() · 386e884c
      Al Viro authored
      commit 414cf718 upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      386e884c
    • Al Viro's avatar
      ufs: restore proper tail allocation · 823c065a
      Al Viro authored
      commit 8785d84d upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      823c065a
    • Tejun Heo's avatar
      cpuset: consider dying css as offline · 9be0c9d6
      Tejun Heo authored
      commit 41c25707 upstream.
      
      In most cases, a cgroup controller don't care about the liftimes of
      cgroups.  For the controller, a css becomes online when ->css_online()
      is called on it and offline when ->css_offline() is called.
      
      However, cpuset is special in that the user interface it exposes cares
      whether certain cgroups exist or not.  Combined with the RCU delay
      between cgroup removal and css offlining, this can lead to user
      visible behavior oddities where operations which should succeed after
      cgroup removals fail for some time period.  The effects of cgroup
      removals are delayed when seen from userland.
      
      This patch adds css_is_dying() which tests whether offline is pending
      and updates is_cpuset_online() so that the function returns false also
      while offline is pending.  This gets rid of the userland visible
      delays.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarDaniel Jordan <daniel.m.jordan@oracle.com>
      Link: http://lkml.kernel.org/r/327ca1f5-7957-fbb9-9e5f-9ba149d40ba2@oracle.comSigned-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9be0c9d6
    • Ulrik De Bie's avatar
      Input: elantech - add Fujitsu Lifebook E546/E557 to force crc_enabled · 48b2c7c8
      Ulrik De Bie authored
      commit 47eb0c8b upstream.
      
      The Lifebook E546 and E557 touchpad were also not functioning and
      worked after running:
      
              echo "1" > /sys/devices/platform/i8042/serio2/crc_enabled
      
      Add them to the list of machines that need this workaround.
      Signed-off-by: default avatarUlrik De Bie <ulrik.debie-os@e2big.org>
      Reviewed-by: default avatarArjan Opmeer <arjan@opmeer.net>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      48b2c7c8
    • Waiman Long's avatar
      cgroup: Prevent kill_css() from being called more than once · f3c1dfa8
      Waiman Long authored
      commit 33c35aa4 upstream.
      
      The kill_css() function may be called more than once under the condition
      that the css was killed but not physically removed yet followed by the
      removal of the cgroup that is hosting the css. This patch prevents any
      harmm from being done when that happens.
      Signed-off-by: default avatarWaiman Long <longman@redhat.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f3c1dfa8
    • Sean Young's avatar
      rc-core: race condition during ir_raw_event_register() · d31fff8c
      Sean Young authored
      commit 963761a0 upstream.
      
      A rc device can call ir_raw_event_handle() after rc_allocate_device(),
      but before rc_register_device() has completed. This is racey because
      rcdev->raw is set before rcdev->raw->thread has a valid value.
      Reported-by: default avatarkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d31fff8c
    • Sui Chen's avatar
      ahci: Acer SA5-271 SSD Not Detected Fix · d9f48c46
      Sui Chen authored
      commit 8bfd1743 upstream.
      
      (Correction in this resend: fixed function name acer_sa5_271_workaround; fixed
       the always-true condition in the function; fixed description.)
      
      On the Acer Switch Alpha 12 (model number: SA5-271), the internal SSD may not
      get detected because the port_map and CAP.nr_ports combination causes the driver
      to skip the port that is actually connected to the SSD. More specifically,
      either all SATA ports are identified as DUMMY, or all ports get ``link down''
      and never get up again.
      
      This problem occurs occasionally. When this problem occurs, CAP may hold a
      value of 0xC734FF00 or 0xC734FF01 and port_map may hold a value of 0x00 or 0x01.
      When this problem does not occur, CAP holds a value of 0xC734FF02 and port_map
      may hold a value of 0x07. Overriding the CAP value to 0xC734FF02 and port_map to
      0x7 significantly reduces the occurrence of this problem.
      
      Link: https://bugzilla.kernel.org/attachment.cgi?id=253091Signed-off-by: default avatarSui Chen <suichen6@gmail.com>
      Tested-by: default avatarDamian Ivanov <damianatorrpm@gmail.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d9f48c46
    • Rob Clark's avatar
      drm/msm/mdp5: use __drm_atomic_helper_plane_duplicate_state() · 39d584db
      Rob Clark authored
      commit 786813c3 upstream.
      
      Somehow the helper was never retrofitted for mdp5.  Which meant when
      plane_state->fence was added, it could get copied into new state in
      mdp5_plane_duplicate_state().
      
      If an update to disable the plane (for example on rmfb) managed to sneak
      in after an nonblock update had swapped state, but before it was
      committed, we'd get a splat:
      
          WARNING: CPU: 1 PID: 69 at ../drivers/gpu/drm/drm_atomic_helper.c:1061 drm_atomic_helper_wait_for_fences+0xe0/0xf8
         Modules linked in:
      
         CPU: 1 PID: 69 Comm: kworker/1:1 Tainted: G        W       4.11.0-rc8+ #1187
         Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
         Workqueue: events drm_mode_rmfb_work_fn
         task: ffffffc036560d00 task.stack: ffffffc036550000
         PC is at drm_atomic_helper_wait_for_fences+0xe0/0xf8
         LR is at complete_commit.isra.1+0x44/0x1c0
         pc : [<ffffff80084f6040>] lr : [<ffffff800854176c>] pstate: 20000145
         sp : ffffffc036553b60
         x29: ffffffc036553b60 x28: ffffffc0264e6a00
         x27: ffffffc035659000 x26: 0000000000000000
         x25: ffffffc0240e8000 x24: 0000000000000038
         x23: 0000000000000000 x22: ffffff800858f200
         x21: ffffffc0240e8000 x20: ffffffc02f56a800
         x19: 0000000000000000 x18: 0000000000000000
         x17: 0000000000000000 x16: 0000000000000000
         x15: 0000000000000000 x14: ffffffc00a192700
         x13: 0000000000000004 x12: 0000000000000000
         x11: ffffff80089a1690 x10: 00000000000008f0
         x9 : ffffffc036553b20 x8 : ffffffc036561650
         x7 : ffffffc03fe6cb40 x6 : 0000000000000000
         x5 : 0000000000000001 x4 : 0000000000000002
         x3 : ffffffc035659000 x2 : ffffffc0240e8c80
         x1 : 0000000000000000 x0 : ffffffc02adbe588
      
         ---[ end trace 13aeec77c3fb55e2 ]---
         Call trace:
         Exception stack(0xffffffc036553990 to 0xffffffc036553ac0)
         3980:                                   0000000000000000 0000008000000000
         39a0: ffffffc036553b60 ffffff80084f6040 0000000000004ff0 0000000000000038
         39c0: ffffffc0365539d0 ffffff800857e098 ffffffc036553a00 ffffff800857e1b0
         39e0: ffffffc036553a10 ffffff800857c554 ffffffc0365e8400 ffffffc0365e8400
         3a00: ffffffc036553a20 ffffff8008103358 000000000001aad7 ffffff800851b72c
         3a20: ffffffc036553a50 ffffff80080e9228 ffffffc02adbe588 0000000000000000
         3a40: ffffffc0240e8c80 ffffffc035659000 0000000000000002 0000000000000001
         3a60: 0000000000000000 ffffffc03fe6cb40 ffffffc036561650 ffffffc036553b20
         3a80: 00000000000008f0 ffffff80089a1690 0000000000000000 0000000000000004
         3aa0: ffffffc00a192700 0000000000000000 0000000000000000 0000000000000000
         [<ffffff80084f6040>] drm_atomic_helper_wait_for_fences+0xe0/0xf8
         [<ffffff800854176c>] complete_commit.isra.1+0x44/0x1c0
         [<ffffff8008541c64>] msm_atomic_commit+0x32c/0x350
         [<ffffff8008516230>] drm_atomic_commit+0x50/0x60
         [<ffffff8008517548>] drm_atomic_remove_fb+0x158/0x250
         [<ffffff80085186d0>] drm_framebuffer_remove+0x50/0x158
         [<ffffff8008518818>] drm_mode_rmfb_work_fn+0x40/0x58
         [<ffffff80080d5668>] process_one_work+0x1d0/0x378
         [<ffffff80080d5a54>] worker_thread+0x244/0x488
         [<ffffff80080db7fc>] kthread+0xfc/0x128
         [<ffffff8008082ec0>] ret_from_fork+0x10/0x50
      
      Fixes: 96260142 ("drm/fence: add in-fences support")
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Reported-by: default avatarStanimir Varbanov <stanimir.varbanov@linaro.org>
      Signed-off-by: default avatarRob Clark <robdclark@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      39d584db
    • Eric Anholt's avatar
      drm/msm: Expose our reservation object when exporting a dmabuf. · a5ab52b3
      Eric Anholt authored
      commit 43523eba upstream.
      
      Without this, polling on the dma-buf (and presumably other devices
      synchronizing against our rendering) would return immediately, even
      while the BO was busy.
      Signed-off-by: default avatarEric Anholt <eric@anholt.net>
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Cc: Rob Clark <robdclark@gmail.com>
      Cc: linux-arm-msm@vger.kernel.org
      Cc: freedreno@lists.freedesktop.org
      Reviewed-by: default avatarRob Clark <robdclark@gmail.com>
      Signed-off-by: default avatarRob Clark <robdclark@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a5ab52b3
    • Nicholas Bellinger's avatar
      target: Re-add check to reject control WRITEs with overflow data · 0354d1d6
      Nicholas Bellinger authored
      commit 4ff83daa upstream.
      
      During v4.3 when the overflow/underflow check was relaxed by
      commit c72c5250:
      
        commit c72c5250
        Author: Roland Dreier <roland@purestorage.com>
        Date:   Wed Jul 22 15:08:18 2015 -0700
      
             target: allow underflow/overflow for PR OUT etc. commands
      
      to allow underflow/overflow for Windows compliance + FCP, a
      consequence was to allow control CDBs to process overflow
      data for iscsi-target with immediate data as well.
      
      As per Roland's original change, continue to allow underflow
      cases for control CDBs to make Windows compliance + FCP happy,
      but until overflow for control CDBs is supported tree-wide,
      explicitly reject all control WRITEs with overflow following
      pre v4.3.y logic.
      Reported-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Cc: Roland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0354d1d6
    • David Arcari's avatar
      cpufreq: cpufreq_register_driver() should return -ENODEV if init fails · 0eedb783
      David Arcari authored
      commit 6c770036 upstream.
      
      For a driver that does not set the CPUFREQ_STICKY flag, if all of the
      ->init() calls fail, cpufreq_register_driver() should return an error.
      This will prevent the driver from loading.
      
      Fixes: ce1bcfe9 (cpufreq: check cpufreq_policy_list instead of scanning policies for all CPUs)
      Signed-off-by: default avatarDavid Arcari <darcari@redhat.com>
      Acked-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0eedb783
    • Jason A. Donenfeld's avatar
      random: invalidate batched entropy after crng init · 86f95e53
      Jason A. Donenfeld authored
      commit b169c13d upstream.
      
      It's possible that get_random_{u32,u64} is used before the crng has
      initialized, in which case, its output might not be cryptographically
      secure. For this problem, directly, this patch set is introducing the
      *_wait variety of functions, but even with that, there's a subtle issue:
      what happens to our batched entropy that was generated before
      initialization. Prior to this commit, it'd stick around, supplying bad
      numbers. After this commit, we force the entropy to be re-extracted
      after each phase of the crng has initialized.
      
      In order to avoid a race condition with the position counter, we
      introduce a simple rwlock for this invalidation. Since it's only during
      this awkward transition period, after things are all set up, we stop
      using it, so that it doesn't have an impact on performance.
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      86f95e53
    • Pratyush Anand's avatar
      mei: make sysfs modalias format similar as uevent modalias · 0524867e
      Pratyush Anand authored
      commit 6f9193ec upstream.
      
      modprobe is not able to resolve sysfs modalias for mei devices.
      
       # cat
      /sys/class/watchdog/watchdog0/device/watchdog/watchdog0/device/modalias
      mei::05b79a6f-4628-4d7f-899d-a91514cb32ab:
       # modprobe --set-version 4.9.6-200.fc25.x86_64 -R
      mei::05b79a6f-4628-4d7f-899d-a91514cb32ab:
      modprobe: FATAL: Module mei::05b79a6f-4628-4d7f-899d-a91514cb32ab: not
      found in directory /lib/modules/4.9.6-200.fc25.x86_64
       # cat /lib/modules/4.9.6-200.fc25.x86_64/modules.alias | grep
      05b79a6f-4628-4d7f-899d-a91514cb32ab
      alias mei:*:05b79a6f-4628-4d7f-899d-a91514cb32ab:*:* mei_wdt
      
      commit b26864ca ("mei: bus: add client protocol
      version to the device alias"), however sysfs modalias
      is still in formmat mei:S:uuid:*.
      
      This patch equates format of uevent and sysfs modalias so that modprobe
      is able to resolve the aliases.
      
      Fixes: commit b26864ca ("mei: bus: add client protocol version to the device alias")
      Signed-off-by: default avatarPratyush Anand <panand@redhat.com>
      Signed-off-by: default avatarTomas Winkler <tomas.winkler@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0524867e
    • Bart Van Assche's avatar
      block: Avoid that blk_exit_rl() triggers a use-after-free · 67125548
      Bart Van Assche authored
      commit b425e504 upstream.
      
      Since the introduction of .init_rq_fn() and .exit_rq_fn() it is
      essential that the memory allocated for struct request_queue
      stays around until all blk_exit_rl() calls have finished. Hence
      make blk_init_rl() take a reference on struct request_queue.
      
      This patch fixes the following crash:
      
      general protection fault: 0000 [#2] SMP
      CPU: 3 PID: 28 Comm: ksoftirqd/3 Tainted: G      D         4.12.0-rc2-dbg+ #2
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
      task: ffff88013a108040 task.stack: ffffc9000071c000
      RIP: 0010:free_request_size+0x1a/0x30
      RSP: 0018:ffffc9000071fd38 EFLAGS: 00010202
      RAX: 6b6b6b6b6b6b6b6b RBX: ffff880067362a88 RCX: 0000000000000003
      RDX: ffff880067464178 RSI: ffff880067362a88 RDI: ffff880135ea4418
      RBP: ffffc9000071fd40 R08: 0000000000000000 R09: 0000000100180009
      R10: ffffc9000071fd38 R11: ffffffff81110800 R12: ffff88006752d3d8
      R13: ffff88006752d3d8 R14: ffff88013a108040 R15: 000000000000000a
      FS:  0000000000000000(0000) GS:ffff88013fd80000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fa8ec1edb00 CR3: 0000000138ee8000 CR4: 00000000001406e0
      Call Trace:
       mempool_destroy.part.10+0x21/0x40
       mempool_destroy+0xe/0x10
       blk_exit_rl+0x12/0x20
       blkg_free+0x4d/0xa0
       __blkg_release_rcu+0x59/0x170
       rcu_process_callbacks+0x260/0x4e0
       __do_softirq+0x116/0x250
       smpboot_thread_fn+0x123/0x1e0
       kthread+0x109/0x140
       ret_from_fork+0x31/0x40
      
      Fixes: commit e9c787e6 ("scsi: allocate scsi_cmnd structures as part of struct request")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Cc: Jan Kara <jack@suse.cz>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      67125548
    • Matt Ranostay's avatar
      iio: proximity: as3935: fix iio_trigger_poll issue · 698aa720
      Matt Ranostay authored
      commit 9122b54f upstream.
      
      Using iio_trigger_poll() can oops when multiple interrupts
      happen before the first is handled.
      
      Use iio_trigger_poll_chained() instead and use the timestamp
      when processed, since it will be in theory be 2 ms max latency.
      
      Fixes: 24ddb0e4 ("iio: Add AS3935 lightning sensor support")
      Signed-off-by: default avatarMatt Ranostay <matt.ranostay@konsulko.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      698aa720
    • Matt Ranostay's avatar
      iio: proximity: as3935: fix AS3935_INT mask · 71c0950c
      Matt Ranostay authored
      commit 275292d3 upstream.
      
      AS3935 interrupt mask has been incorrect so valid lightning events
      would never trigger an buffer event. Also noise interrupt should be
      BIT(0).
      
      Fixes: 24ddb0e4 ("iio: Add AS3935 lightning sensor support")
      Signed-off-by: default avatarMatt Ranostay <matt.ranostay@konsulko.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      71c0950c
    • Marcin Niestroj's avatar
      iio: trigger: fix NULL pointer dereference in iio_trigger_write_current() · 7b5d3c1a
      Marcin Niestroj authored
      commit 4eecbe81 upstream.
      
      In case oldtrig == trig == NULL (which happens when we set none
      trigger, when there is already none set) there is a NULL pointer
      dereference during iio_trigger_put(trig). Below is kernel output when
      this occurs:
      
      [   26.741790] Unable to handle kernel NULL pointer dereference at virtual address 00000000
      [   26.750179] pgd = cacc0000
      [   26.752936] [00000000] *pgd=8adc6835, *pte=00000000, *ppte=00000000
      [   26.759531] Internal error: Oops: 17 [#1] SMP ARM
      [   26.764261] Modules linked in: usb_f_ncm u_ether usb_f_acm u_serial usb_f_fs libcomposite configfs evbug
      [   26.773844] CPU: 0 PID: 152 Comm: synchro Not tainted 4.12.0-rc1 #2
      [   26.780128] Hardware name: Freescale i.MX6 Ultralite (Device Tree)
      [   26.786329] task: cb1de200 task.stack: cac92000
      [   26.790892] PC is at iio_trigger_write_current+0x188/0x1f4
      [   26.796403] LR is at lock_release+0xf8/0x20c
      [   26.800696] pc : [<c0736f34>]    lr : [<c016efb0>]    psr: 600d0013
      [   26.800696] sp : cac93e30  ip : cac93db0  fp : cac93e5c
      [   26.812193] r10: c0e64fe8  r9 : 00000000  r8 : 00000001
      [   26.817436] r7 : cb190810  r6 : 00000010  r5 : 00000001  r4 : 00000000
      [   26.823982] r3 : 00000000  r2 : 00000000  r1 : cb1de200  r0 : 00000000
      [   26.830528] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      [   26.837683] Control: 10c5387d  Table: 8acc006a  DAC: 00000051
      [   26.843448] Process synchro (pid: 152, stack limit = 0xcac92210)
      [   26.849475] Stack: (0xcac93e30 to 0xcac94000)
      [   26.853857] 3e20:                                     00000001 c0736dac c054033c cae6b680
      [   26.862060] 3e40: cae6b680 00000000 00000001 cb3f8610 cac93e74 cac93e60 c054035c c0736db8
      [   26.870264] 3e60: 00000001 c054033c cac93e94 cac93e78 c029bf34 c0540348 00000000 00000000
      [   26.878469] 3e80: cb3f8600 cae6b680 cac93ed4 cac93e98 c029b320 c029bef0 00000000 00000000
      [   26.886672] 3ea0: 00000000 cac93f78 cb2d41fc caed3280 c029b214 cac93f78 00000001 000e20f8
      [   26.894874] 3ec0: 00000001 00000000 cac93f44 cac93ed8 c0221dcc c029b220 c0e1ca39 cb2d41fc
      [   26.903079] 3ee0: cac93f04 cac93ef0 c0183ef0 c0183ab0 cb2d41fc 00000000 cac93f44 cac93f08
      [   26.911282] 3f00: c0225eec c0183ebc 00000001 00000000 c0223728 00000000 c0245454 00000001
      [   26.919485] 3f20: 00000001 caed3280 000e20f8 cac93f78 000e20f8 00000001 cac93f74 cac93f48
      [   26.927690] 3f40: c0223680 c0221da4 c0246520 c0245460 caed3283 caed3280 00000000 00000000
      [   26.935893] 3f60: 000e20f8 00000001 cac93fa4 cac93f78 c0224520 c02235e4 00000000 00000000
      [   26.944096] 3f80: 00000001 000e20f8 00000001 00000004 c0107f84 cac92000 00000000 cac93fa8
      [   26.952299] 3fa0: c0107de0 c02244e8 00000001 000e20f8 0000000e 000e20f8 00000001 fbad2484
      [   26.960502] 3fc0: 00000001 000e20f8 00000001 00000004 beb6b698 00064260 0006421c beb6b4b4
      [   26.968705] 3fe0: 00000000 beb6b450 b6f219a0 b6e2f268 800d0010 0000000e cac93ff4 cac93ffc
      [   26.976896] Backtrace:
      [   26.979388] [<c0736dac>] (iio_trigger_write_current) from [<c054035c>] (dev_attr_store+0x20/0x2c)
      [   26.988289]  r10:cb3f8610 r9:00000001 r8:00000000 r7:cae6b680 r6:cae6b680 r5:c054033c
      [   26.996138]  r4:c0736dac r3:00000001
      [   26.999747] [<c054033c>] (dev_attr_store) from [<c029bf34>] (sysfs_kf_write+0x50/0x54)
      [   27.007686]  r5:c054033c r4:00000001
      [   27.011290] [<c029bee4>] (sysfs_kf_write) from [<c029b320>] (kernfs_fop_write+0x10c/0x224)
      [   27.019579]  r7:cae6b680 r6:cb3f8600 r5:00000000 r4:00000000
      [   27.025271] [<c029b214>] (kernfs_fop_write) from [<c0221dcc>] (__vfs_write+0x34/0x120)
      [   27.033214]  r10:00000000 r9:00000001 r8:000e20f8 r7:00000001 r6:cac93f78 r5:c029b214
      [   27.041059]  r4:caed3280
      [   27.043622] [<c0221d98>] (__vfs_write) from [<c0223680>] (vfs_write+0xa8/0x170)
      [   27.050959]  r9:00000001 r8:000e20f8 r7:cac93f78 r6:000e20f8 r5:caed3280 r4:00000001
      [   27.058731] [<c02235d8>] (vfs_write) from [<c0224520>] (SyS_write+0x44/0x98)
      [   27.065806]  r9:00000001 r8:000e20f8 r7:00000000 r6:00000000 r5:caed3280 r4:caed3283
      [   27.073582] [<c02244dc>] (SyS_write) from [<c0107de0>] (ret_fast_syscall+0x0/0x1c)
      [   27.081179]  r9:cac92000 r8:c0107f84 r7:00000004 r6:00000001 r5:000e20f8 r4:00000001
      [   27.088947] Code: 1a000009 e1a04009 e3a06010 e1a05008 (e5943000)
      [   27.095244] ---[ end trace 06d1dab86d6e6bab ]---
      
      To fix that problem call iio_trigger_put(trig) only when trig is not
      NULL.
      
      Fixes: d5d24bcc ("iio: trigger: close race condition in acquiring trigger reference")
      Signed-off-by: default avatarMarcin Niestroj <m.niestroj@grinn-global.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7b5d3c1a
    • Franziska Naepelt's avatar
      iio: light: ltr501 Fix interchanged als/ps register field · 80c8ac6b
      Franziska Naepelt authored
      commit 7cc3bff4 upstream.
      
      The register mapping for the IIO driver for the Liteon Light and Proximity
      sensor LTR501 interrupt mode is interchanged (ALS/PS).
      There is a register called INTERRUPT register (address 0x8F)
      Bit 0 represents PS measurement trigger.
      Bit 1 represents ALS measurement trigger.
      This two bit fields are interchanged within the driver.
      see datasheet page 24:
      http://optoelectronics.liteon.com/upload/download/DS86-2012-0006/S_110_LTR-501ALS-01_PrelimDS_ver1%5B1%5D.pdfSigned-off-by: default avatarFranziska Naepelt <franziska.naepelt@idt.com>
      Fixes: 7ac702b3 ("iio: ltr501: Add interrupt support")
      Acked-by: default avatarPeter Meerwald-Stadler <pmeerw@pmeerw.net>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      80c8ac6b
    • Raveendra Padasalagi's avatar
      iio: adc: bcm_iproc_adc: swap primary and secondary isr handler's · 1cb7bbe7
      Raveendra Padasalagi authored
      commit f7d86ecf upstream.
      
      The third argument of devm_request_threaded_irq() is the primary
      handler. It is called in hardirq context and checks whether the
      interrupt is relevant to the device. If the primary handler returns
      IRQ_WAKE_THREAD, the secondary handler (a.k.a. handler thread) is
      scheduled to run in process context.
      
      bcm_iproc_adc.c uses the secondary handler as the primary one
      and the other way around. So this patch fixes the same, along with
      re-naming the secondary handler and primary handler names properly.
      
      Tested on the BCM9583XX iProc SoC based boards.
      
      Fixes: 4324c97e ("iio: Add driver for Broadcom iproc-static-adc")
      Reported-by: default avatarPavel Roskin <plroskin@gmail.com>
      Signed-off-by: default avatarRaveendra Padasalagi <raveendra.padasalagi@broadcom.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1cb7bbe7
    • Oleg Drokin's avatar
      staging/lustre/lov: remove set_fs() call from lov_getstripe() · d9b0c955
      Oleg Drokin authored
      commit 0a33252e upstream.
      
      lov_getstripe() calls set_fs(KERNEL_DS) so that it can handle a struct
      lov_user_md pointer from user- or kernel-space.  This changes the
      behavior of copy_from_user() on SPARC and may result in a misaligned
      access exception which in turn oopses the kernel.  In fact the
      relevant argument to lov_getstripe() is never called with a
      kernel-space pointer and so changing the address limits is unnecessary
      and so we remove the calls to save, set, and restore the address
      limits.
      Signed-off-by: default avatarJohn L. Hammond <john.hammond@intel.com>
      Reviewed-on: http://review.whamcloud.com/6150
      Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-3221Reviewed-by: default avatarAndreas Dilger <andreas.dilger@intel.com>
      Reviewed-by: default avatarLi Wei <wei.g.li@intel.com>
      Signed-off-by: default avatarOleg Drokin <green@linuxhacker.ru>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d9b0c955
    • Michael Thalmeier's avatar
      usb: chipidea: debug: check before accessing ci_role · dd8980bb
      Michael Thalmeier authored
      commit 0340ff83 upstream.
      
      ci_role BUGs when the role is >= CI_ROLE_END.
      Signed-off-by: default avatarMichael Thalmeier <michael.thalmeier@hale.at>
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dd8980bb
    • Jisheng Zhang's avatar
      usb: chipidea: udc: fix NULL pointer dereference if udc_start failed · f2967b72
      Jisheng Zhang authored
      commit aa1f058d upstream.
      
      Fix below NULL pointer dereference. we set ci->roles[CI_ROLE_GADGET]
      too early in ci_hdrc_gadget_init(), if udc_start() fails due to some
      reason, the ci->roles[CI_ROLE_GADGET] check in  ci_hdrc_gadget_destroy
      can't protect us.
      
      We fix this issue by only setting ci->roles[CI_ROLE_GADGET] if
      udc_start() succeed.
      
      [    1.398550] Unable to handle kernel NULL pointer dereference at
      virtual address 00000000
      ...
      [    1.448600] PC is at dma_pool_free+0xb8/0xf0
      [    1.453012] LR is at dma_pool_free+0x28/0xf0
      [    2.113369] [<ffffff80081817d8>] dma_pool_free+0xb8/0xf0
      [    2.118857] [<ffffff800841209c>] destroy_eps+0x4c/0x68
      [    2.124165] [<ffffff8008413770>] ci_hdrc_gadget_destroy+0x28/0x50
      [    2.130461] [<ffffff800840fa30>] ci_hdrc_probe+0x588/0x7e8
      [    2.136129] [<ffffff8008380fb8>] platform_drv_probe+0x50/0xb8
      [    2.142066] [<ffffff800837f494>] driver_probe_device+0x1fc/0x2a8
      [    2.148270] [<ffffff800837f68c>] __device_attach_driver+0x9c/0xf8
      [    2.154563] [<ffffff800837d570>] bus_for_each_drv+0x58/0x98
      [    2.160317] [<ffffff800837f174>] __device_attach+0xc4/0x138
      [    2.166072] [<ffffff800837f738>] device_initial_probe+0x10/0x18
      [    2.172185] [<ffffff800837e58c>] bus_probe_device+0x94/0xa0
      [    2.177940] [<ffffff800837c560>] device_add+0x3f0/0x560
      [    2.183337] [<ffffff8008380d20>] platform_device_add+0x180/0x240
      [    2.189541] [<ffffff800840f0e8>] ci_hdrc_add_device+0x440/0x4f8
      [    2.195654] [<ffffff8008414194>] ci_hdrc_usb2_probe+0x13c/0x2d8
      [    2.201769] [<ffffff8008380fb8>] platform_drv_probe+0x50/0xb8
      [    2.207705] [<ffffff800837f494>] driver_probe_device+0x1fc/0x2a8
      [    2.213910] [<ffffff800837f5ec>] __driver_attach+0xac/0xb0
      [    2.219575] [<ffffff800837d4b0>] bus_for_each_dev+0x60/0xa0
      [    2.225329] [<ffffff800837ec80>] driver_attach+0x20/0x28
      [    2.230816] [<ffffff800837e880>] bus_add_driver+0x1d0/0x238
      [    2.236571] [<ffffff800837fdb0>] driver_register+0x60/0xf8
      [    2.242237] [<ffffff8008380ef4>] __platform_driver_register+0x44/0x50
      [    2.248891] [<ffffff80086fd440>] ci_hdrc_usb2_driver_init+0x18/0x20
      [    2.255365] [<ffffff8008082950>] do_one_initcall+0x38/0x128
      [    2.261121] [<ffffff80086e0d00>] kernel_init_freeable+0x1ac/0x250
      [    2.267414] [<ffffff800852f0b8>] kernel_init+0x10/0x100
      [    2.272810] [<ffffff8008082680>] ret_from_fork+0x10/0x50
      
      Fixes: 3f124d23 ("usb: chipidea: add role init and destroy APIs")
      Signed-off-by: default avatarJisheng Zhang <jszhang@marvell.com>
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f2967b72
    • Andrey Smirnov's avatar
      usb: chipidea: imx: Do not access CLKONOFF on i.MX51 · f26ac1fc
      Andrey Smirnov authored
      commit 62b97d50 upstream.
      
      Unlike i.MX53, i.MX51's USBOH3 register file does not implemenent
      registers past offset 0x018, which includes
      MX53_USB_CLKONOFF_CTRL_OFFSET and trying to access that register on
      said platform results in external abort.
      
      Fix it by enabling CLKONOFF accessing codepath only for i.MX53.
      
      Fixes 3be3251d ("usb: chipidea: imx: Disable internal 60Mhz clock with ULPI PHY")
      Cc: cphealy@gmail.com
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: linux-usb@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarAndrey Smirnov <andrew.smirnov@gmail.com>
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f26ac1fc
    • Bin Liu's avatar
      usb: musb: dsps: keep VBUS on for host-only mode · b89de040
      Bin Liu authored
      commit b3addcf0 upstream.
      
      Currently VBUS is turned off while a usb device is detached, and turned
      on again by the polling routine. This short period VBUS loss prevents
      usb modem to switch mode.
      
      VBUS should be constantly on for host-only mode, so this changes the
      driver to not turn off VBUS for host-only mode.
      
      Fixes: 2f3fd2c5 ("usb: musb: Prepare dsps glue layer for PM runtime support")
      Reported-by: default avatarMoreno Bartalucci <moreno.bartalucci@tecnorama.it>
      Acked-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarBin Liu <b-liu@ti.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b89de040