Commit Graph

648775 Commits

Author SHA1 Message Date
Arnd Bergmann
cb2cc43681 Qualcomm ARM64 Fixes for v4.10-rc1
* Fix instability in MSM8996 due to incorrect carveouts
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJYZCY7AAoJEFKiBbHx2RXVWy4QAKZgRPXVFTqjJxCGjDKpenU9
 aNN+aaIla0gMXDwhaY7XcC32fkZi8vcMq7ba4veHrgCMxu6tmhTy4UsBGeNXhM6a
 MbNJpXlg3MfaQk44eOtX9qkqR8oDDCTU8qpey7ozJ7i+zNQW7oeAeK3chIC97EFp
 G/9gad9mTrWQTVcXu0w0rnp9y8yPkXysqsM4itsvqY8YwB4JjVosq0M3cfM6n8QJ
 XxVSPeL2fRQ3EUnmCaJqTIM3JvxxWQfxqdwh9jJmadjU6A9NSXmyzkixH+RLjxWe
 QOehzOLrbAFGEQhPFRKltMwgKYhjgnmAV8y4f3dIBoGAq30fYAzU074a7BAW5ZaO
 N/wtTRYoYjUC5GNZDrwiLG6xr3/IOCqBQg24dPvmCwj3Nu7KFRpRdvW91EhuZvuJ
 FT2nPJTTnkiMlG1CeCXp/1APo26ff5DEcHug72vBdmYVx0AnxHR0JB4W5L4IzqVQ
 B29UWJVseT+/iz2o0sd9vmsCymw1HPHvAipAo1XRQ3sA25paYCDG+Wa9i1oLnzkK
 RwBj/XmvziNTjQ7Yu86SEEykr7EEfCvsT64W3T1v0M0gCqRKK9Tcpm3kLrsxqnns
 gsmbjY2bAgb10ub/SBu0m2mLP9EBg1qck2N9DcMAuaijvcTpGGz8772ByrIwQCaO
 GCTJVDoYwCQACEpRoyGs
 =DEnv
 -----END PGP SIGNATURE-----

Merge tag 'qcom-fixes-for-4.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/agross/linux into fixes

Qualcomm ARM64 Fixes for v4.10-rc1

* Fix instability in MSM8996 due to incorrect carveouts

* tag 'qcom-fixes-for-4.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/agross/linux:
  arm64: dts: msm8996: Add required memory carveouts
2017-01-04 16:10:38 +01:00
Arnd Bergmann
84cc8ca1fd Renesas ARM Based SoC Fixes for v4.10
* Provide sd0_uhs node
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJYTl4ZAAoJENfPZGlqN0++vTQP/0hIiDC3Jeb7bkpAX+ZuzHq6
 XG/TK5cHaho7Xep/eitlc8gxmO8kL/j5UJIExb0WoBW31QmPhymZnrBiKGHand3Q
 OjpmVhK9FeWXcQs4QvL9Lp82Z7qWMaTMhaYDucpd2b4P4GUfpAd3zccsbvqP156k
 tG71mYAPIRmXFZgJ+ih57ytwNklSlEm4/84/7oklmNU4Pi0EMyC2eB9DJInMUeyq
 QH+8KEx5TBaimHBeGvgYnihIyk3WwoB1ULrZlaOQ/FfjnnK7TZdWhWt4gZUys7qi
 GCmbhWR6qoovKxEg9j3cBO1wgWg6AXLrNxs/F1IUBDRViVUFzxJS/14/eW5SfRG3
 b7VWm0xpC8RkOaA8yHD4nkpuqXlROVHr0EUkZ9ny6QflEDL8/Pg2SUJCZr7xCFUN
 vVyWM1Do/R1ogSmR+Z1RO8omgJEoztFnzNc7d4q9fRAB4o8512oJ1xJFHpv6y3XW
 wYRA/SiksEFoYnDXcSkBd2ZMZTiKNvhPWv3yPbP6nJxOpEF6/OWS7VBpGRisLjVk
 EksoLn+WliC+1nRrc/S0Nf1YmY8tc62Pg1FwwniS8uTYQFrPNEbc/V/mNU2Sfv/y
 ZPnhv6Km33q9xwB0Q94vHLIXMXuaaM90XCT9fSemIoUiDj8lcjE+WYQLxn6WG8ii
 a0JlaFlvVkfqYqQFC/cX
 =XZkS
 -----END PGP SIGNATURE-----

Merge tag 'renesas-fixes-for-v4.10' of https://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas into fixes

Renesas ARM Based SoC Fixes for v4.10

* Provide sd0_uhs node

* tag 'renesas-fixes-for-v4.10' of https://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas:
  arm64: dts: h3ulcb: Provide sd0_uhs node
2017-01-04 16:08:28 +01:00
Huang Rui
432abf68a7 iommu/amd: Fix the left value check of cmd buffer
The generic command buffer entry is 128 bits (16 bytes), so the offset
of tail and head pointer should be 16 bytes aligned and increased with
0x10 per command.

When cmd buf is full, head = (tail + 0x10) % CMD_BUFFER_SIZE.

So when left space of cmd buf should be able to store only two
command, we should be issued one COMPLETE_WAIT additionally to wait
all older commands completed. Then the left space should be increased
after IOMMU fetching from cmd buf.

So left check value should be left <= 0x20 (two commands).

Signed-off-by: Huang Rui <ray.huang@amd.com>
Fixes: ac0ea6e92b ('x86/amd-iommu: Improve handling of full command buffer')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2017-01-04 15:22:22 +01:00
Jacob Pan
65ca7f5f7d iommu/vt-d: Fix pasid table size encoding
Different encodings are used to represent supported PASID bits
and number of PASID table entries.
The current code assigns ecap_pss directly to extended context
table entry PTS which is wrong and could result in writing
non-zero bits to the reserved fields. IOMMU fault reason
11 will be reported when reserved bits are nonzero.
This patch converts ecap_pss to extend context entry pts encoding
based on VT-d spec. Chapter 9.4 as follows:
 - number of PASID bits = ecap_pss + 1
 - number of PASID table entries = 2^(pts + 5)
Software assigned limit of pasid_max value is also respected to
match the allocation limitation of PASID table.

cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
cc: Ashok Raj <ashok.raj@intel.com>
Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
Tested-by: Mika Kuoppala <mika.kuoppala@intel.com>
Fixes: 2f26e0a9c9 ('iommu/vt-d: Add basic SVM PASID support')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2017-01-04 15:18:57 +01:00
Xunlei Pang
aec0e86172 iommu/vt-d: Flush old iommu caches for kdump when the device gets context mapped
We met the DMAR fault both on hpsa P420i and P421 SmartArray controllers
under kdump, it can be steadily reproduced on several different machines,
the dmesg log is like:
HP HPSA Driver (v 3.4.16-0)
hpsa 0000:02:00.0: using doorbell to reset controller
hpsa 0000:02:00.0: board ready after hard reset.
hpsa 0000:02:00.0: Waiting for controller to respond to no-op
DMAR: Setting identity map for device 0000:02:00.0 [0xe8000 - 0xe8fff]
DMAR: Setting identity map for device 0000:02:00.0 [0xf4000 - 0xf4fff]
DMAR: Setting identity map for device 0000:02:00.0 [0xbdf6e000 - 0xbdf6efff]
DMAR: Setting identity map for device 0000:02:00.0 [0xbdf6f000 - 0xbdf7efff]
DMAR: Setting identity map for device 0000:02:00.0 [0xbdf7f000 - 0xbdf82fff]
DMAR: Setting identity map for device 0000:02:00.0 [0xbdf83000 - 0xbdf84fff]
DMAR: DRHD: handling fault status reg 2
DMAR: [DMA Read] Request device [02:00.0] fault addr fffff000 [fault reason 06] PTE Read access is not set
hpsa 0000:02:00.0: controller message 03:00 timed out
hpsa 0000:02:00.0: no-op failed; re-trying

After some debugging, we found that the fault addr is from DMA initiated at
the driver probe stage after reset(not in-flight DMA), and the corresponding
pte entry value is correct, the fault is likely due to the old iommu caches
of the in-flight DMA before it.

Thus we need to flush the old cache after context mapping is setup for the
device, where the device is supposed to finish reset at its driver probe
stage and no in-flight DMA exists hereafter.

I'm not sure if the hardware is responsible for invalidating all the related
caches allocated in the iommu hardware before, but seems not the case for hpsa,
actually many device drivers have problems in properly resetting the hardware.
Anyway flushing (again) by software in kdump kernel when the device gets context
mapped which is a quite infrequent operation does little harm.

With this patch, the problematic machine can survive the kdump tests.

CC: Myron Stowe <myron.stowe@gmail.com>
CC: Joseph Szczypek <jszczype@redhat.com>
CC: Don Brace <don.brace@microsemi.com>
CC: Baoquan He <bhe@redhat.com>
CC: Dave Young <dyoung@redhat.com>
Fixes: 091d42e43d ("iommu/vt-d: Copy translation tables from old kernel")
Fixes: dbcd861f25 ("iommu/vt-d: Do not re-use domain-ids from the old kernel")
Fixes: cf484d0e69 ("iommu/vt-d: Mark copied context entries")
Signed-off-by: Xunlei Pang <xlpang@redhat.com>
Tested-by: Don Brace <don.brace@microsemi.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2017-01-04 15:14:04 +01:00
Arvind Yadav
4dcd19bfab video: fbdev: cobalt_lcdfb: Handle return NULL error from devm_ioremap
Here, If devm_ioremap will fail. It will return NULL.
Kernel can run into a NULL-pointer dereference.
This error check will avoid NULL pointer dereference.

Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
Acked-by: Yoichi Yuasa <yuasa@linux-mips.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
2017-01-04 12:58:45 +01:00
Bartlomiej Zolnierkiewicz
04f6152d9f MAINTAINERS: add myself as maintainer of fbdev
I would like to help with fbdev maintenance.  I can dedicate some time
for reviewing and handling patches but won't have time for much more.

The subsystem will remain in maintenance mode (no new drivers will be
added to it).

Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
2017-01-04 12:58:44 +01:00
Daniel Vetter
ef426c1038 Merge tag 'drm-misc-next-2016-12-30' of git://anongit.freedesktop.org/git/drm-misc into drm-intel-next-queued
Directly merge drm-misc into drm-intel since Dave is on vacation and
we need the various drm-misc patches (fb format rework, drm mm fixes,
selftest framework and others). Also pulled back -rc2 in first to
resync with drm-intel-fixes and make sure I can reuse the exact rerere
solutions from drm-tip for safety, and because I'm lazy.

Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
2017-01-04 11:41:10 +01:00
Daniel Vetter
a402eae64d Linux 4.10-rc2
-----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJYaYNlAAoJEHm+PkMAQRiGtCUH/18PMUJpHqRKjxL3Yscw+QZC
 RmGlD/hwBRLUSgiTCfURNGKP4QZv2kQW7BGsGC72oL01lmxozsU72ixUIO+wXzDY
 K2b0OOKGZZWzFtaVm7Qs+5JhHAEKZcT046mLD8sjJuqkrFAhmNLKdwHjihKBEkm9
 J3s2tpdXdN0x/Uyga/GY9khEYIrvLPeBoKSz+JXcQKdC0iq3/+PMpWnN47QCNScr
 7azojkJkj/rs2cqVdOi7Wbh6PSqIvPsl8E3qJefpaVJF/IQaU1pFdy5g8kYm4V7T
 fr6HgIbuN4EQWdN/5cgKrUdpQyV7D8iYx02klk4R8WgfS0QMYoUcsg+XsTd02TI=
 =OhGe
 -----END PGP SIGNATURE-----

Merge tag 'v4.10-rc2' into drm-intel-next-queued

Backmerge Linux 4.10-rc2 to resync with our -fixes cherry-picks. I've
done the backmerge directly because Dave is on vacation.

Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
2017-01-04 11:35:18 +01:00
Takashi Iwai
85bcf96cab ALSA: hda - Fix up GPIO for ASUS ROG Ranger
ASUS ROG Ranger VIII with ALC1150 codec requires the extra GPIO pin to
up for the front panel.  Just use the existing fixup for setting up
the GPIO pins.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=189411
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-01-04 11:26:19 +01:00
Daniel Vetter
24835e442f drm: reference count event->completion
When writing the generic nonblocking commit code I assumed that
through clever lifetime management I can assure that the completion
(stored in drm_crtc_commit) only gets freed after it is completed. And
that worked.

I also wanted to make nonblocking helpers resilient against driver
bugs, by having timeouts everywhere. And that worked too.

Unfortunately taking boths things together results in oopses :( Well,
at least sometimes: What seems to happen is that the drm event hangs
around forever stuck in limbo land. The nonblocking helpers eventually
time out, move on and release it. Now the bug I tested all this
against is drivers that just entirely fail to deliver the vblank
events like they should, and in those cases the event is simply
leaked. But what seems to happen, at least sometimes, on i915 is that
the event is set up correctly, but somohow the vblank fails to fire in
time. Which means the event isn't leaked, it's still there waiting for
eventually a vblank to fire. That tends to happen when re-enabling the
pipe, and then the trap springs and the kernel oopses.

The correct fix here is simply to refcount the crtc commit to make
sure that the event sticks around even for drivers which only
sometimes fail to deliver vblanks for some arbitrary reasons. Since
crtc commits are already refcounted that's easy to do.

References: https://bugs.freedesktop.org/show_bug.cgi?id=96781
Cc: Jim Rees <rees@umich.edu>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20161221102331.31033-1-daniel.vetter@ffwll.ch
2017-01-04 11:03:06 +01:00
Daniel Vetter
7800fb69dd drm/i915: Update comment that sets I915_MODE_FLAG_INHERITED
The code was moved, but the comment not updated. It confused me.

Fixes: 7f4c62840c ("drm/i915: Assign hwmode after encoder state readout")
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Patrik Jakobsson <patrik.jakobsson@linux.intel.com>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20161219082423.27798-6-daniel.vetter@ffwll.ch
2017-01-04 10:57:23 +01:00
Johan Hovold
ef079936d3 USB: serial: ti_usb_3410_5052: fix NULL-deref at open
Fix NULL-pointer dereference in open() should a malicious device lack
the expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
..
[<bf06a6b0>] (ti_open [ti_usb_3410_5052]) from [<bf02e118>] (serial_port_activate+0x68/0x98 [usbserial])

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:43:57 +01:00
Johan Hovold
cc09092482 USB: serial: spcp8x5: fix NULL-deref at open
Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at spcp8x5_open+0x30/0xd0 [spcp8x5]

Fixes: 619a6f1d14 ("USB: add usb-serial spcp8x5 driver")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:43:57 +01:00
Johan Hovold
f09d1886a4 USB: serial: quatech2: fix sleep-while-atomic in close
The write URB was being killed using the synchronous interface while
holding a spin lock in close().

Simply drop the lock and busy-flag update, something which would have
been taken care of by the completion handler if the URB was in flight.

Fixes: f7a33e608d ("USB: serial: add quatech2 usb to serial driver")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:43:56 +01:00
Johan Hovold
76ab439ed1 USB: serial: pl2303: fix NULL-deref at open
Fix NULL-pointer dereference in open() should a type-0 or type-1 device
lack the expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at pl2303_open+0x38/0xec [pl2303]

Note that a missing interrupt-in endpoint would have caused open() to
fail.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:43:56 +01:00
Johan Hovold
5afeef2366 USB: serial: oti6858: fix NULL-deref at open
Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at oti6858_open+0x30/0x1d0 [oti6858]

Note that a missing interrupt-in endpoint would have caused open() to
fail.

Fixes: 49cdee0ed0 ("USB: oti6858 usb-serial driver (in Nokia CA-42
cable)")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:43:48 +01:00
Johan Hovold
a5bc01949e USB: serial: omninet: fix NULL-derefs at open and disconnect
Fix NULL-pointer dereferences at open() and disconnect() should the
device lack the expected bulk-out endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 000000b4
...
[c0170ff0>] (__lock_acquire) from [<c0172f00>] (lock_acquire+0x108/0x264)
[<c0172f00>] (lock_acquire) from [<c06a5090>] (_raw_spin_lock_irqsave+0x58/0x6c)
[<c06a5090>] (_raw_spin_lock_irqsave) from [<c0470684>] (tty_port_tty_set+0x28/0xa4)
[<c0470684>] (tty_port_tty_set) from [<bf08d384>] (omninet_open+0x30/0x40 [omninet])
[<bf08d384>] (omninet_open [omninet]) from [<bf07c118>] (serial_port_activate+0x68/0x98 [usbserial])

Unable to handle kernel NULL pointer dereference at virtual address 00000234
...
[<bf01f418>] (omninet_disconnect [omninet]) from [<bf0016c0>] (usb_serial_disconnect+0xe4/0x100 [usbserial])

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:21 +01:00
Johan Hovold
472d7e55d5 USB: serial: mos7840: fix misleading interrupt-URB comment
The interrupt URB is killed at final port close since commit
0de9a7024e ("USB: overhaul of mos7840 driver").

Fixes: 0de9a7024e ("USB: overhaul of mos7840 driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:21 +01:00
Johan Hovold
fc43e651bf USB: serial: mos7840: remove unused write URB
Remove code to manage a write URB that was never allocated.

Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:20 +01:00
Johan Hovold
5c75633ef7 USB: serial: mos7840: fix NULL-deref at open
Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at mos7840_open+0x88/0x8dc [mos7840]

Note that we continue to treat the interrupt-in endpoint as optional for
now.

Fixes: 3f5429746d ("USB: Moschip 7840 USB-Serial Driver")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:20 +01:00
Johan Hovold
9da049bced USB: serial: mos7720: remove obsolete port initialisation
Since commit b69578df7e ("USB: usbserial: mos7720: add support for
parallel port on moschip 7715"), the interrupt urb is no longer
submitted at first port open and the endpoint-address initialisation at
port-probe is no longer used.

Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:20 +01:00
Johan Hovold
fde1faf872 USB: serial: mos7720: fix parallel probe
A static usb-serial-driver structure that is used to initialise the
interrupt URB was modified during probe depending on the currently
probed device type, something which could break a parallel probe of a
device of a different type.

Fix this up by overriding the default completion callback for MCS7715
devices in attach() instead. We may want to use two usb-serial driver
instances for the two types later.

Fixes: fb088e335d ("USB: serial: add support for serial port on the
moschip 7715")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:20 +01:00
Johan Hovold
75dd211e77 USB: serial: mos7720: fix parport use-after-free on probe errors
Do not submit the interrupt URB until after the parport has been
successfully registered to avoid another use-after-free in the
completion handler when accessing the freed parport private data in case
of a racing completion.

Fixes: b69578df7e ("USB: usbserial: mos7720: add support for parallel
port on moschip 7715")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:19 +01:00
Johan Hovold
91a1ff4d53 USB: serial: mos7720: fix use-after-free on probe errors
The interrupt URB was submitted on probe but never stopped on probe
errors. This can lead to use-after-free issues in the completion
handler when accessing the freed usb-serial struct:

Unable to handle kernel paging request at virtual address 6b6b6be7
...
[<bf052e70>] (mos7715_interrupt_callback [mos7720]) from [<c052a894>] (__usb_hcd_giveback_urb+0x80/0x140)
[<c052a894>] (__usb_hcd_giveback_urb) from [<c052a9a4>] (usb_hcd_giveback_urb+0x50/0x138)
[<c052a9a4>] (usb_hcd_giveback_urb) from [<c0550684>] (musb_giveback+0xc8/0x1cc)

Fixes: b69578df7e ("USB: usbserial: mos7720: add support for parallel
port on moschip 7715")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:19 +01:00
Johan Hovold
b05aebc25f USB: serial: mos7720: fix NULL-deref at open
Fix NULL-pointer dereference at port open if a device lacks the expected
bulk in and out endpoints.

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf071c20>] (mos7720_open [mos7720]) from [<bf0490e0>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf0490e0>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf049d98>] (serial_open+0x48/0x6c [usbserial])
[<bf049d98>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)

Fixes: 0f64478cbc ("USB: add USB serial mos7720 driver")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:19 +01:00
Johan Hovold
21ce578402 USB: serial: kobil_sct: fix NULL-deref in write
Fix NULL-pointer dereference in write() should the device lack the
expected interrupt-out endpoint:

Unable to handle kernel NULL pointer dereference at virtual address 00000054
...
PC is at kobil_write+0x144/0x2a0 [kobil_sct]

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:18 +01:00
Johan Hovold
5d9b0f859b USB: serial: keyspan_pda: verify endpoints at probe
Check for the expected endpoints in attach() and fail loudly if not
present.

Note that failing to do this appears to be benign since da280e3488
("USB: keyspan_pda: clean up write-urb busy handling") which prevents a
NULL-pointer dereference in write() by never marking a non-existent
write-urb as free.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>	# < v3.3
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:18 +01:00
Johan Hovold
90507d54f7 USB: serial: iuu_phoenix: fix NULL-deref at open
Fix NULL-pointer dereference at open should the device lack a bulk-in or
bulk-out endpoint:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at iuu_open+0x78/0x59c [iuu_phoenix]

Fixes: 07c3b1a100 ("USB: remove broken usb-serial num_endpoints
check")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:18 +01:00
Johan Hovold
e35d6d7c4e USB: serial: io_ti: bind to interface after fw download
Bind to the interface, but do not register any ports, after having
downloaded the firmware. The device will still disconnect and
re-enumerate, but this way we avoid an error messages from being logged
as part of the process:

io_ti: probe of 1-1.3:1.0 failed with error -5

Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:17 +01:00
Johan Hovold
2330d0a853 USB: serial: io_ti: fix I/O after disconnect
Cancel the heartbeat work on driver unbind in order to avoid I/O after
disconnect in case the port is held open.

Note that the cancel in release() is still needed to stop the heartbeat
after late probe errors.

Fixes: 26c78daade ("USB: io_ti: Add heartbeat to keep idle EP/416
ports from disconnecting")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:17 +01:00
Johan Hovold
4f9785cc99 USB: serial: io_ti: fix another NULL-deref at open
In case a device is left in "boot-mode" we must not register any port
devices in order to avoid a NULL-pointer dereference on open due to
missing endpoints. This could be used by a malicious device to trigger
an OOPS:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf0caa84>] (edge_open [io_ti]) from [<bf0b0118>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf0b0118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf0b0da0>] (serial_open+0x48/0x6c [usbserial])
[<bf0b0da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:16 +01:00
Johan Hovold
a323fefc6f USB: serial: io_ti: fix NULL-deref at open
Fix NULL-pointer dereference when clearing halt at open should a
malicious device lack the expected endpoints when in download mode.

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf011ed8>] (edge_open [io_ti]) from [<bf000118>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf000118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf000da0>] (serial_open+0x48/0x6c [usbserial])
[<bf000da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:16 +01:00
Johan Hovold
0dd408425e USB: serial: io_edgeport: fix NULL-deref at open
Fix NULL-pointer dereference when initialising URBs at open should a
non-EPIC device lack a bulk-in or interrupt-in endpoint.

Unable to handle kernel NULL pointer dereference at virtual address 00000028
...
PC is at edge_open+0x24c/0x3e8 [io_edgeport]

Note that the EPIC-device probe path has the required sanity checks so
this makes those checks partially redundant.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:15 +01:00
Johan Hovold
c4ac4496e8 USB: serial: garmin_gps: fix memory leak on failed URB submit
Make sure to free the URB transfer buffer in case submission fails (e.g.
due to a disconnect).

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:15 +01:00
Johan Hovold
3dca01114d USB: serial: cyberjack: fix NULL-deref at open
Fix NULL-pointer dereference when clearing halt at open should the device
lack a bulk-out endpoint.

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at cyberjack_open+0x40/0x9c [cyberjack]

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04 10:37:14 +01:00
Arvind Yadav
4b0ea93f25 gpu: drm: mgag200: mgag200_main:- Handle error from pci_iomap
Here, pci_iomap can fail, handle this case and return -ENOMEM.

Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1483443027-13444-1-git-send-email-arvind.yadav.cs@gmail.com
2017-01-04 10:15:37 +01:00
Gabriel Krisman Bertazi
5692650027 drm: Document deprecated load/unload hook
v2:
 - Replace discouraged with deprecated
 - Link to new initialization/teardown functions

Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20170102142008.22174-3-krisman@collabora.co.uk
2017-01-04 09:55:57 +01:00
Randy Dunlap
a5ad0fd852 drm: nouveau: fix build when LEDS_CLASS=m
Fix build errors in nouveau driver when CONFIG_LEDS_CLASS=m and
CONFIG_DRM_NOUVEAU=y.
If LEDS_CLASS is enabled, DRM_NOUVEAU is restricted to the same
kconfig value as LEDS_CLASS.

drivers/built-in.o: In function `nouveau_do_suspend':
nouveau_drm.c:(.text+0x2030b1): undefined reference to `nouveau_led_suspend'
drivers/built-in.o: In function `nouveau_do_resume':
nouveau_drm.c:(.text+0x2034ca): undefined reference to `nouveau_led_resume'
drivers/built-in.o: In function `nouveau_drm_unload':
nouveau_drm.c:(.text+0x203a15): undefined reference to `nouveau_led_fini'
drivers/built-in.o: In function `nouveau_drm_load':
nouveau_drm.c:(.text+0x204423): undefined reference to `nouveau_led_init'

BTW, this line in Kbuild:
nouveau-$(CONFIG_LEDS_CLASS) += nouveau_led.o
does nothing when CONFIG_LEDS_CLASS=m and CONFIG_DRM_NOUVEAU=y.

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Cc: Martin Peres <martin.peres@free.fr>
Cc: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/029a1ec5-48ac-a3ce-3106-430e0f2584bb@infradead.org
2017-01-04 09:55:57 +01:00
Carlos Maiolino
ff97f2399e xfs: fix max_retries _show and _store functions
max_retries _show and _store functions should test against cfg->max_retries,
not cfg->retry_timeout

Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2017-01-03 20:34:17 -08:00
Darrick J. Wong
721a0edfbe xfs: update MAINTAINERS
I am taking over as XFS maintainer from Dave Chinner[1], so update
contact information and git tree pointers.

[1] http://lkml.iu.edu/hypermail/linux/kernel/1612.1/04390.html

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2017-01-03 18:58:30 -08:00
Christoph Hellwig
a1b7a4dea6 xfs: fix crash and data corruption due to removal of busy COW extents
There is a race window between write_cache_pages calling
clear_page_dirty_for_io and XFS calling set_page_writeback, in which
the mapping for an inode is tagged neither as dirty, nor as writeback.

If the COW shrinker hits in exactly that window we'll remove the delayed
COW extents and writepages trying to write it back, which in release
kernels will manifest as corruption of the bmap btree, and in debug
kernels will trip the ASSERT about now calling xfs_bmapi_write with the
COWFORK flag for holes.  A complex customer load manages to hit this
window fairly reliably, probably by always having COW writeback in flight
while the cow shrinker runs.

This patch adds another check for having the I_DIRTY_PAGES flag set,
which is still set during this race window.  While this fixes the problem
I'm still not overly happy about the way the COW shrinker works as it
still seems a bit fragile.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2017-01-03 18:39:33 -08:00
Darrick J. Wong
20e73b000b xfs: use the actual AG length when reserving blocks
We need to use the actual AG length when making per-AG reservations,
since we could otherwise end up reserving more blocks out of the last
AG than there are actual blocks.

Complained-about-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2017-01-03 18:39:33 -08:00
Darrick J. Wong
7a21272b08 xfs: fix double-cleanup when CUI recovery fails
Dan Carpenter reported a double-free of rcur if _defer_finish fails
while we're recovering CUI items.  Fix the error recovery to prevent
this.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2017-01-03 18:39:32 -08:00
David Ahern
926d93a33e net: vrf: Add missing Rx counters
The move from rx-handler to L3 receive handler inadvertantly dropped the
rx counters. Restore them.

Fixes: 74b20582ac ("net: l3mdev: Add hook in ip and ipv6")
Reported-by: Dinesh Dutt <ddutt@cumulusnetworks.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-01-03 18:51:40 -05:00
Jeff Moyer
7158339d4c block: fix up io_poll documentation
/sys/block/<dev>/queue/io_poll is a boolean.  Fix the docs.

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
2017-01-03 16:47:13 -07:00
Jan Kara
be29d20f3f audit: Fix sleep in atomic
Audit tree code was happily adding new notification marks while holding
spinlocks. Since fsnotify_add_mark() acquires group->mark_mutex this can
lead to sleeping while holding a spinlock, deadlocks due to lock
inversion, and probably other fun. Fix the problem by acquiring
group->mark_mutex earlier.

CC: Paul Moore <paul@paul-moore.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2017-01-03 15:56:38 -05:00
Rodrigo Vivi
5390974f98 drm/i915: Update SKL SRV GT4 pci ids reference.
No functional changes. Apparently spec has been changed
the valid table showing 0x192A as Server GT4
while 0x193A is Server GT4e.

Libdrm and Mesa already have this right. So let's fix the ref here.

Cc: Ben Widawsky <benjamin.widawsky@intel.com>
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Reviewed-by: Ben Widawsky <benjamin.widawsky@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1483471672-10450-1-git-send-email-rodrigo.vivi@intel.com
2017-01-03 12:52:10 -08:00
Kees Cook
81d873a871 gcc-plugins: update gcc-common.h for gcc-7
This updates gcc-common.h from Emese Revfy for gcc 7. This fixes issues seen
by Kugan and Arnd. Build tested with gcc 5.4 and 7 snapshot.

Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2017-01-03 12:08:59 -08:00
Kees Cook
9988f4d577 latent_entropy: fix ARM build error on earlier gcc
This fixes build errors seen on gcc-4.9.3 or gcc-5.3.1 for an ARM:

arm-soc/init/initramfs.c: In function 'error':
arm-soc/init/initramfs.c:50:1: error: unrecognizable insn:
 }
 ^
(insn 26 25 27 5 (set (reg:SI 111 [ local_entropy.243 ])
        (rotatert:SI (reg:SI 116 [ local_entropy.243 ])
            (const_int -30 [0xffffffffffffffe2]))) -1
     (nil))

Patch from PaX Team <pageexec@freemail.hu>

Reported-by: Arnd Bergmann <arnd@arndb.de>
Reported-by: Brad Spengler <spender@grsecurity.net>
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2017-01-03 12:08:59 -08:00