1. 24 Jun, 2017 7 commits
    • Hans Verkuil's avatar
      cec: race fix: don't return -ENONET in cec_receive() · ae505d71
      Hans Verkuil authored
      commit b94aac64 upstream.
      
      When calling CEC_RECEIVE do not check if the adapter is configured.
      Typically CEC_RECEIVE is called after a select() and if that indicates
      that there are messages in the receive queue, then you should always be
      able to dequeue a message.
      
      The race condition here is that a message has been received and is
      queued, so select() tells userspace that a message is available. But
      before the application calls CEC_RECEIVE the adapter is unconfigured
      (e.g. the HDMI cable is removed). Now select will always report that
      there is a message, but calling CEC_RECEIVE will always return -ENONET
      because the adapter is no longer configured and so will never actually
      dequeue the message.
      
      There is really no need for this check, and in fact the ENONET error
      code was never documented for CEC_RECEIVE. This may have been a left-over
      of old code that was never updated.
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ae505d71
    • Christophe JAILLET's avatar
      vb2: Fix an off by one error in 'vb2_plane_vaddr' · 42e3d6f5
      Christophe JAILLET authored
      commit 5ebb6dd3 upstream.
      
      We should ensure that 'plane_no' is '< vb->num_planes' as done in
      'vb2_plane_cookie' just a few lines below.
      
      Fixes: e23ccc0a ("[media] v4l: add videobuf2 Video for Linux 2 driver framework")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Reviewed-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      42e3d6f5
    • Tomasz Wilczyński's avatar
      cpufreq: conservative: Allow down_threshold to take values from 1 to 10 · 72d0ebe1
      Tomasz Wilczyński authored
      commit b8e11f7d upstream.
      
      Commit 27ed3cd2 (cpufreq: conservative: Fix the logic in frequency
      decrease checking) removed the 10 point substraction when comparing the
      load against down_threshold but did not remove the related limit for the
      down_threshold value.  As a result, down_threshold lower than 11 is not
      allowed even though values from 1 to 10 do work correctly too. The
      comment ("cannot be lower than 11 otherwise freq will not fall") also
      does not apply after removing the substraction.
      
      For this reason, allow down_threshold to take any value from 1 to 99
      and fix the related comment.
      
      Fixes: 27ed3cd2 (cpufreq: conservative: Fix the logic in frequency decrease checking)
      Signed-off-by: default avatarTomasz Wilczyński <twilczynski@naver.com>
      Acked-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      72d0ebe1
    • Arnd Bergmann's avatar
      ila_xlat: add missing hash secret initialization · 7f7bc8bf
      Arnd Bergmann authored
      commit 0db47e3d upstream.
      
      While discussing the possible merits of clang warning about unused initialized
      functions, I found one function that was clearly meant to be called but
      never actually is.
      
      __ila_hash_secret_init() initializes the hash value for the ila locator,
      apparently this is intended to prevent hash collision attacks, but this ends
      up being a read-only zero constant since there is no caller. I could find
      no indication of why it was never called, the earliest patch submission
      for the module already was like this. If my interpretation is right, we
      certainly want to backport the patch to stable kernels as well.
      
      I considered adding it to the ila_xlat_init callback, but for best effect
      the random data is read as late as possible, just before it is first used.
      The underlying net_get_random_once() is already highly optimized to avoid
      overhead when called frequently.
      
      Fixes: 7f00feaf ("ila: Add generic ILA translation facility")
      Link: https://www.spinics.net/lists/kernel/msg2527243.htmlSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7f7bc8bf
    • Marc Kleine-Budde's avatar
      can: gs_usb: fix memory leak in gs_cmd_reset() · 814001e7
      Marc Kleine-Budde authored
      commit 5cda3ee5 upstream.
      
      This patch adds the missing kfree() in gs_cmd_reset() to free the
      memory that is not used anymore after usb_control_msg().
      
      Cc: Maximilian Schneider <max@schneidersoft.net>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      814001e7
    • Nicholas Bellinger's avatar
      configfs: Fix race between create_link and configfs_rmdir · 360f227b
      Nicholas Bellinger authored
      commit ba80aa90 upstream.
      
      This patch closes a long standing race in configfs between
      the creation of a new symlink in create_link(), while the
      symlink target's config_item is being concurrently removed
      via configfs_rmdir().
      
      This can happen because the symlink target's reference
      is obtained by config_item_get() in create_link() before
      the CONFIGFS_USET_DROPPING bit set by configfs_detach_prep()
      during configfs_rmdir() shutdown is actually checked..
      
      This originally manifested itself on ppc64 on v4.8.y under
      heavy load using ibmvscsi target ports with Novalink API:
      
      [ 7877.289863] rpadlpar_io: slot U8247.22L.212A91A-V1-C8 added
      [ 7879.893760] ------------[ cut here ]------------
      [ 7879.893768] WARNING: CPU: 15 PID: 17585 at ./include/linux/kref.h:46 config_item_get+0x7c/0x90 [configfs]
      [ 7879.893811] CPU: 15 PID: 17585 Comm: targetcli Tainted: G           O 4.8.17-customv2.22 #12
      [ 7879.893812] task: c00000018a0d3400 task.stack: c0000001f3b40000
      [ 7879.893813] NIP: d000000002c664ec LR: d000000002c60980 CTR: c000000000b70870
      [ 7879.893814] REGS: c0000001f3b43810 TRAP: 0700   Tainted: G O     (4.8.17-customv2.22)
      [ 7879.893815] MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 28222242  XER: 00000000
      [ 7879.893820] CFAR: d000000002c664bc SOFTE: 1
                      GPR00: d000000002c60980 c0000001f3b43a90 d000000002c70908 c0000000fbc06820
                      GPR04: c0000001ef1bd900 0000000000000004 0000000000000001 0000000000000000
                      GPR08: 0000000000000000 0000000000000001 d000000002c69560 d000000002c66d80
                      GPR12: c000000000b70870 c00000000e798700 c0000001f3b43ca0 c0000001d4949d40
                      GPR16: c00000014637e1c0 0000000000000000 0000000000000000 c0000000f2392940
                      GPR20: c0000001f3b43b98 0000000000000041 0000000000600000 0000000000000000
                      GPR24: fffffffffffff000 0000000000000000 d000000002c60be0 c0000001f1dac490
                      GPR28: 0000000000000004 0000000000000000 c0000001ef1bd900 c0000000f2392940
      [ 7879.893839] NIP [d000000002c664ec] config_item_get+0x7c/0x90 [configfs]
      [ 7879.893841] LR [d000000002c60980] check_perm+0x80/0x2e0 [configfs]
      [ 7879.893842] Call Trace:
      [ 7879.893844] [c0000001f3b43ac0] [d000000002c60980] check_perm+0x80/0x2e0 [configfs]
      [ 7879.893847] [c0000001f3b43b10] [c000000000329770] do_dentry_open+0x2c0/0x460
      [ 7879.893849] [c0000001f3b43b70] [c000000000344480] path_openat+0x210/0x1490
      [ 7879.893851] [c0000001f3b43c80] [c00000000034708c] do_filp_open+0xfc/0x170
      [ 7879.893853] [c0000001f3b43db0] [c00000000032b5bc] do_sys_open+0x1cc/0x390
      [ 7879.893856] [c0000001f3b43e30] [c000000000009584] system_call+0x38/0xec
      [ 7879.893856] Instruction dump:
      [ 7879.893858] 409d0014 38210030 e8010010 7c0803a6 4e800020 3d220000 e94981e0 892a0000
      [ 7879.893861] 2f890000 409effe0 39200001 992a0000 <0fe00000> 4bffffd0 60000000 60000000
      [ 7879.893866] ---[ end trace 14078f0b3b5ad0aa ]---
      
      To close this race, go ahead and obtain the symlink's target
      config_item reference only after the existing CONFIGFS_USET_DROPPING
      check succeeds.
      
      This way, if configfs_rmdir() wins create_link() will return -ENONET,
      and if create_link() wins configfs_rmdir() will return -EBUSY.
      Reported-by: default avatarBryant G. Ly <bryantly@linux.vnet.ibm.com>
      Tested-by: default avatarBryant G. Ly <bryantly@linux.vnet.ibm.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      360f227b
    • Christoph Hellwig's avatar
      fs: pass on flags in compat_writev · 6b49f163
      Christoph Hellwig authored
      commit 20223f0f upstream.
      
      Fixes: 793b80ef ("vfs: pass a flags argument to vfs_readv/vfs_writev")
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6b49f163
  2. 17 Jun, 2017 14 commits
  3. 14 Jun, 2017 19 commits