Arnd Bergmann [Thu, 19 Oct 2017 15:42:30 +0000 (17:42 +0200)]
Merge tag 'v4.14-rockchip-dts64fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into fixes
Pull "Rockchip dts64 Fixes for 4.14 part 2" from Heiko Stübner:
The vqmmc voltages on rk3399 pose a risk for the chip if they
exceed 3.0V, so they got fixed to not be at 3.3V
And Arnd found a typo in the recently added iommu nodes.
* tag 'v4.14-rockchip-dts64fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip:
arm64: dts: rockchip: fix typo in iommu nodes
arm64: dts: rockchip: correct vqmmc voltage for rk3399 platforms
Arnd Bergmann [Thu, 19 Oct 2017 15:41:22 +0000 (17:41 +0200)]
Merge tag 'imx-fixes-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into fixes
Pull "i.MX fixes for 4.14" from Shawn Guo:
- Fix the legacy PCI interrupt numbers for i.MX7. The numbers were
wrongly coded in an inverted order than what Reference Manual tells.
It causes problem for PCI devices using legacy interrupt.
* tag 'imx-fixes-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux:
ARM: dts: imx7d: Invert legacy PCI irq mapping
Arnd Bergmann [Thu, 19 Oct 2017 15:40:11 +0000 (17:40 +0200)]
Merge tag 'mvebu-fixes-4.14-2' of git://git.infradead.org/linux-mvebu into fixes
Pull "mvebu fixes for 4.14 (part 2)" from Gregory CLEMENT
Two device tree related fixes:
- One on Armada 38x using a other compatible string for I2C in order
to cover an errata.
- One for Armada 7K/8K fixing a typo on interrupt-map property for
PCIe leading to fail PME and AER root port service initialization
And the last one for the mbus fixing the window size calculation when
it exceed 32bits
* tag 'mvebu-fixes-4.14-2' of git://git.infradead.org/linux-mvebu:
bus: mbus: fix window size calculation for 4GB windows
ARM: dts: Fix I2C repeated start issue on Armada-38x
arm64: dts: marvell: fix interrupt-map property for Armada CP110 PCIe controller
Arnd Bergmann [Thu, 19 Oct 2017 15:36:08 +0000 (17:36 +0200)]
Merge tag 'at91-fixes2' of git://git.kernel.org/pub/scm/linux/kernel/git/nferre/linux-at91 into fixes
Fixes: second batch for 4.14:
- one DT phy address fix for the new sama5d27 som1 ek
- two DT ADC patches that were forgotten while moving to
hardware triggers for sama5d2 (iio changes already applied)
* tag 'at91-fixes2' of git://git.kernel.org/pub/scm/linux/kernel/git/nferre/linux-at91:
ARM: dts: at91: sama5d2: add ADC hw trigger edge type
ARM: dts: at91: sama5d2_xplained: enable ADTRG pin
ARM: dts: at91: at91-sama5d27_som1: fix PHY ID
Arnd Bergmann [Thu, 19 Oct 2017 15:30:31 +0000 (17:30 +0200)]
Merge tag 'arm-soc/for-4.14/devicetree-fixes' of http://github.com/Broadcom/stblinux into fixes
Pull "Broadcom devicetree fixes for 4.14" from Florian Fainelli:
This pull request contains Broadcom ARM-based SoC Device Tree fixes for 4.14,
please pull the following:
- Loic fixes the console path on the Raspberry Pi 3 which was not correctly set
and would cause all sorts of confusion between the Bluetooth controller and the
kernel console
* tag 'arm-soc/for-4.14/devicetree-fixes' of http://github.com/Broadcom/stblinux:
ARM: dts: bcm283x: Fix console path on RPi3
Xin Long [Tue, 17 Oct 2017 15:26:10 +0000 (23:26 +0800)]
sctp: do not peel off an assoc from one netns to another one
Now when peeling off an association to the sock in another netns, all
transports in this assoc are not to be rehashed and keep use the old
key in hashtable.
As a transport uses sk->net as the hash key to insert into hashtable,
it would miss removing these transports from hashtable due to the new
netns when closing the sock and all transports are being freeed, then
later an use-after-free issue could be caused when looking up an asoc
and dereferencing those transports.
This is a very old issue since very beginning, ChunYu found it with
syzkaller fuzz testing with this series:
This patch is to block this call when peeling one assoc off from one
netns to another one, so that the netns of all transport would not
go out-sync with the key in hashtable.
Note that this patch didn't fix it by rehashing transports, as it's
difficult to handle the situation when the tuple is already in use
in the new netns. Besides, no one would like to peel off one assoc
to another netns, considering ipaddrs, ifaces, etc. are usually
different.
====================
bpf: Fix for BPF devmap percpu allocation splat
The set fixes a splat in devmap percpu allocation when we alloc
the flush bitmap. Patch 1 is a prerequisite for the fix in patch 2,
patch 1 is rather small, so if this could be routed via -net, for
example, with Tejun's Ack that would be good. Patch 3 gets rid of
remaining PCPU_MIN_UNIT_SIZE checks, which are percpu allocator
internals and should not be used.
====================
Daniel Borkmann [Tue, 17 Oct 2017 14:55:54 +0000 (16:55 +0200)]
bpf: do not test for PCPU_MIN_UNIT_SIZE before percpu allocations
PCPU_MIN_UNIT_SIZE is an implementation detail of the percpu
allocator. Given we support __GFP_NOWARN now, lets just let
the allocation request fail naturally instead. The two call
sites from BPF mistakenly assumed __GFP_NOWARN would work, so
no changes needed to their actual __alloc_percpu_gfp() calls
which use the flag already.
Daniel Borkmann [Tue, 17 Oct 2017 14:55:53 +0000 (16:55 +0200)]
bpf: fix splat for illegal devmap percpu allocation
It was reported that syzkaller was able to trigger a splat on
devmap percpu allocation due to illegal/unsupported allocation
request size passed to __alloc_percpu():
This was due to too large max_entries for the map such that we
surpassed the upper limit of PCPU_MIN_UNIT_SIZE. It's fine to
fail naturally here, so switch to __alloc_percpu_gfp() and pass
__GFP_NOWARN instead.
Daniel Borkmann [Tue, 17 Oct 2017 14:55:52 +0000 (16:55 +0200)]
mm, percpu: add support for __GFP_NOWARN flag
Add an option for pcpu_alloc() to support __GFP_NOWARN flag.
Currently, we always throw a warning when size or alignment
is unsupported (and also dump stack on failed allocation
requests). The warning itself is harmless since we return
NULL anyway for any failed request, which callers are
required to handle anyway. However, it becomes harmful when
panic_on_warn is set.
The rationale for the WARN() in pcpu_alloc() is that it can
be tracked when larger than supported allocation requests are
made such that allocations limits can be tweaked if warranted.
This makes sense for in-kernel users, however, there are users
of pcpu allocator where allocation size is derived from user
space requests, e.g. when creating BPF maps. In these cases,
the requests should fail gracefully without throwing a splat.
The current work-around was to check allocation size against
the upper limit of PCPU_MIN_UNIT_SIZE from call-sites for
bailing out prior to a call to pcpu_alloc() in order to
avoid throwing the WARN(). This is bad in multiple ways since
PCPU_MIN_UNIT_SIZE is an implementation detail, and having
the checks on call-sites only complicates the code for no
good reason. Thus, lets fix it generically by supporting the
__GFP_NOWARN flag that users can then use with calling the
__alloc_percpu_gfp() helper instead.
Netanel Belgazal [Tue, 17 Oct 2017 07:33:05 +0000 (07:33 +0000)]
net: ena: fix wrong max Tx/Rx queues on ethtool
ethtool ena_get_channels() expose the max number of queues as the max
number of queues ENA supports (128 queues) and not the actual number
of created queues.
can: gs_usb: fix busy loop if no more TX context is available
If sending messages with no cable connected, it quickly happens that
there is no more TX context available. Then "gs_can_start_xmit()"
returns with "NETDEV_TX_BUSY" and the upper layer does retry
immediately keeping the CPU busy. To fix that issue, I moved
"atomic_dec(&dev->active_tx_urbs)" from "gs_usb_xmit_callback()" to
the TX done handling in "gs_usb_receive_bulk_callback()". Renaming
"active_tx_urbs" to "active_tx_contexts" and moving it into
"gs_[alloc|free]_tx_context()" would also make sense.
Stefan Mätje [Wed, 18 Oct 2017 11:25:17 +0000 (13:25 +0200)]
can: esd_usb2: Fix can_dlc value for received RTR, frames
The dlc member of the struct rx_msg contains also the ESD_RTR flag to
mark received RTR frames. Without the fix the can_dlc value for received
RTR frames would always be set to 8 by get_can_dlc() instead of the
received value.
Colin Ian King [Fri, 8 Sep 2017 15:02:35 +0000 (16:02 +0100)]
can: bcm: check for null sk before deferencing it via the call to sock_net
The assignment of net via call sock_net will dereference sk. This
is performed before a sanity null check on sk, so there could be
a potential null dereference on the sock_net call if sk is null.
Fix this by assigning net after the sk null check. Also replace
the sk == NULL with the more usual !sk idiom.
Detected by CoverityScan CID#1431862 ("Dereference before null check")
Fixes: 384317ef4187 ("can: network namespace support for CAN_BCM protocol") Signed-off-by: Colin Ian King <[email protected]> Acked-by: Oliver Hartkopp <[email protected]> Signed-off-by: Marc Kleine-Budde <[email protected]>
Add FLEXCAN_QUIRK_BROKEN_PERR_STATE for better description of the
missing error passive interrupt quirk.
Error interrupt flooding may happen if the broken error state quirk fix
is enabled. For example, in case there is singled out node on the bus
and the node sends a frame, then error interrupt flooding happens and
will not stop because the node cannot go to bus off. The flooding will
stop after another node connected to the bus again.
If high bitrate configured on the low end system, then the flooding
may causes performance issue, hence, this patch mitigates this by:
1. disable error interrupt upon error passive state transition
2. re-enable error interrupt upon error warning state transition
3. disable/enable error interrupt upon error active state transition
depends on FLEXCAN_QUIRK_BROKEN_WERR_STATE
In this way, the driver is still able to report correct state
transitions without additional latency. When there are bus problems,
flooding of error interrupts is limited to the number of frames required
to change state from error warning to error passive if the core has
[TR]WRN_INT connected (FLEXCAN_QUIRK_BROKEN_WERR_STATE is not enabled),
otherwise, the flooding is limited to the number of frames required to
change state from error active to error passive.
Daniel Drake [Mon, 2 Oct 2017 04:00:54 +0000 (12:00 +0800)]
pinctrl/amd: fix masking of GPIO interrupts
On Asus laptop models X505BA, X505BP, X542BA and X542BP, the i2c-hid
touchpad (using a GPIO for interrupts) becomes unresponsive after a
few minutes of usage, or after placing two fingers on the touchpad,
which seems to have the effect of queuing up a large amount of input
data to be transferred.
When the touchpad is in unresponsive state, we observed that the GPIO
level-triggered interrupt is still at it's active level, however the
pinctrl-amd driver is not receiving/dispatching more interrupts at this
point.
After the initial interrupt arrives, amd_gpio_irq_mask() is called
however we then see amd_gpio_irq_handler() being called repeatedly for
the same irq; the interrupt mask is not taking effect because of the
following sequence of events:
- amd_gpio_irq_handler fires, reads and caches pin reg
- amd_gpio_irq_handler calls generic_handle_irq()
- During IRQ handling, amd_gpio_irq_mask() is called and modifies pin reg
- amd_gpio_irq_handler clears interrupt by writing cached value
The stale cached value written at the final stage undoes the masking.
Fix this by re-reading the register before clearing the interrupt.
I also spotted that the interrupt-clearing code can race against
amd_gpio_irq_mask() / amd_gpio_irq_unmask(), so add locking there.
Presumably this race was leading to the loss of interrupts.
After these changes, the touchpad appears to be working fine.
Mathias Nyman [Tue, 17 Oct 2017 13:07:33 +0000 (16:07 +0300)]
usb: hub: Allow reset retry for USB2 devices on connect bounce
If the connect status change is set during reset signaling, but
the status remains connected just retry port reset.
This solves an issue with connecting a 90W HP Thunderbolt 3 dock
with a Lenovo Carbon x1 (5th generation) which causes a 30min loop
of a high speed device being re-discovererd before usb ports starts
working.
[...]
[ 389.023845] usb 3-1: new high-speed USB device number 55 using xhci_hcd
[ 389.491841] usb 3-1: new high-speed USB device number 56 using xhci_hcd
[ 389.959928] usb 3-1: new high-speed USB device number 57 using xhci_hcd
[...]
This is caused by a high speed device that doesn't successfully go to the
enabled state after the second port reset. Instead the connection bounces
(connected, with connect status change), bailing out completely from
enumeration just to restart from scratch.
__cmpxchg_u64 is built and used outside CONFIG_64BIT and thus needs to
be exported. This fixes the following build error seen when building
parisc:allmodconfig.
parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels
As discussed on the debian-hppa list, double-wordcompare and exchange
operations fail on 32-bit kernels. Looking at the code, I realized that
the ",ma" completer does the wrong thing in the "ldw,ma 4(%r26), %r29"
instruction. This increments %r26 and causes the following store to
write to the wrong location.
Note by Helge Deller:
The patch applies cleanly to stable kernel series if this upstream
commit is merged in advance: f4125cfdb300 ("parisc: Avoid trashing sr2 and sr3 in LWS code").
Dave Airlie [Thu, 19 Oct 2017 05:00:47 +0000 (15:00 +1000)]
Merge tag 'drm-intel-fixes-2017-10-18-1' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
Fix for stable:
- Fix DDI translation tables for BDW (Chris).
Critical fix:
- Fix GPU Hang on GVT (Changbin).
Other fixes:
- Fix eviction when GGTT is idle (Chris).
- CNL PLL fixes (Rodrigo).
- Fix pwrite into shmemfs (Chris).
- Mask bits for BXT and CHV L3 Workaround
WaProgramL3SqcReg1Default (Oscar).
* tag 'drm-intel-fixes-2017-10-18-1' of git://anongit.freedesktop.org/drm/drm-intel:
drm/i915: Use a mask when applying WaProgramL3SqcReg1Default
drm/i915: Report -EFAULT before pwrite fast path into shmemfs
drm/i915/cnl: Fix PLL initialization for HDMI.
drm/i915/cnl: Fix PLL mapping.
drm/i915: Use bdw_ddi_translations_fdi for Broadwell
drm/i915: Fix eviction when the GGTT is idle but full
drm/i915/gvt: Fix GPU hang after reusing vGPU instance across different guest OS
Colin Ian King [Mon, 4 Sep 2017 17:50:05 +0000 (18:50 +0100)]
commoncap: move assignment of fs_ns to avoid null pointer dereference
The pointer fs_ns is assigned from inode->i_ib->s_user_ns before
a null pointer check on inode, hence if inode is actually null we
will get a null pointer dereference on this assignment. Fix this
by only dereferencing inode after the null pointer check on
inode.
Detected by CoverityScan CID#1455328 ("Dereference before null check")
Chanwoo Choi [Thu, 19 Oct 2017 00:28:36 +0000 (17:28 -0700)]
Input: stmfts - fix setting ABS_MT_POSITION_* maximum size
The commit 78bcac7b2ae1e ("Input: add support for the STMicroelectronics
FingerTip touchscreen) used the 'touchscreen_parse_properties()' helper
function in order to get the value of common properties.
But, commit 78bcac7b2ae1e didn't set the capability of ABS_MT_POSITION_*
before calling touchscreen_parse_properties(). In result, the max_x and
max_y of 'struct touchscreen_properties' were not set.
Fixes: 78bcac7b2ae1e ("Input: add support for the STMicroelectronics FingerTip touchscreen") Cc: [email protected] Signed-off-by: Chanwoo Choi <[email protected]> Signed-off-by: Dmitry Torokhov <[email protected]>
Step config setting for 5 wire touchscreen is incorrect for Y coordinates.
It was broken while we moved to DT. If you look close at the offending
commit bb76dc09ddfc ("input: ti_am33x_tsc: Order of TSC wires, made
configurable"), the change was:
Pavel Roskin [Sat, 23 Sep 2017 20:10:33 +0000 (13:10 -0700)]
drm/nouveau/fbcon: fix oops without fbdev emulation
This is similar to an earlier commit 52dfcc5ccfbb ("drm/nouveau: fix for
disabled fbdev emulation"), but protects all occurrences of helper.fbdev
in the source.
I see oops in nouveau_fbcon_accel_save_disable() called from
nouveau_fbcon_set_suspend_work() on Linux 3.13 when
CONFIG_DRM_FBDEV_EMULATION option is disabled.
Linus Torvalds [Wed, 18 Oct 2017 18:51:50 +0000 (14:51 -0400)]
Merge tag 'xfs-4.14-fixes-6' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
Pull xfs fixes from Darrick Wong:
- fix some more CONFIG_XFS_RT related build problems
- fix data loss when writeback at eof races eofblocks gc and loses
- invalidate page cache after fs finishes a dio write
- remove dirty page state when invalidating pages so releasepage does
the right thing when handed a dirty page
* tag 'xfs-4.14-fixes-6' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
xfs: move two more RT specific functions into CONFIG_XFS_RT
xfs: trim writepage mapping to within eof
fs: invalidate page cache after end_io() in dio completion
xfs: cancel dirty pages on invalidation
Linus Torvalds [Wed, 18 Oct 2017 18:43:40 +0000 (14:43 -0400)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-block
Pull block fixes from Jens Axboe:
"Three small fixes:
- A fix for skd, it was using kfree() to free a structure allocate
with kmem_cache_alloc().
- Stable fix for nbd, fixing a regression using the normal ioctl
based tools.
- Fix for a previous fix in this series, that fixed up
inconsistencies between buffered and direct IO"
* 'for-linus' of git://git.kernel.dk/linux-block:
fs: Avoid invalidation in interrupt context in dio_complete()
nbd: don't set the device size until we're connected
skd: Use kmem_cache_free
Alan Stern [Wed, 18 Oct 2017 16:49:38 +0000 (12:49 -0400)]
USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
Andrey used the syzkaller fuzzer to find an out-of-bounds memory
access in usb_get_bos_descriptor(). The code wasn't checking that the
next usb_dev_cap_header structure could fit into the remaining buffer
space.
This patch fixes the error and also reduces the bNumDeviceCaps field
in the header to match the actual number of capabilities found, in
cases where there are fewer than expected.
Oscar Mateo [Tue, 17 Oct 2017 20:25:45 +0000 (13:25 -0700)]
drm/i915: Use a mask when applying WaProgramL3SqcReg1Default
Otherwise we are blasting other bits in GEN8_L3SQCREG1 that might be important
(although we probably aren't at the moment because 0 seems to be the default
for all the other bits).
Chris Wilson [Mon, 16 Oct 2017 20:27:32 +0000 (21:27 +0100)]
drm/i915: Report -EFAULT before pwrite fast path into shmemfs
When pwriting into shmemfs, the fast path pagecache_write does not
notice when it is writing to beyond the end of the truncated shmemfs
inode. Report -EFAULT directly when we try to use pwrite into the
!I915_MADV_WILLNEED object.
Phil Elwell [Sun, 24 Sep 2017 14:20:49 +0000 (15:20 +0100)]
staging: bcm2835-audio: Fix memory corruption
The previous commit (0adbfd46) fixed a memory leak but also freed a
block in the success case, causing a stale pointer to be used with
potentially fatal results. Only free the vchi_instance block in the
case that vchi_connect fails; once connected, the instance is
retained for subsequent connections.
Simplifying the code by removing a bunch of gotos and returning errors
directly.
Signed-off-by: Phil Elwell <[email protected]> Fixes: 0adbfd4694c2 ("staging: bcm2835-audio: fix memory leak in bcm2835_audio_open_connection()") Cc: stable <[email protected]> # 4.12+ Tested-by: Stefan Wahren <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Jakub Kicinski [Mon, 16 Oct 2017 18:16:55 +0000 (11:16 -0700)]
bpf: disallow arithmetic operations on context pointer
Commit f1174f77b50c ("bpf/verifier: rework value tracking")
removed the crafty selection of which pointer types are
allowed to be modified. This is OK for most pointer types
since adjust_ptr_min_max_vals() will catch operations on
immutable pointers. One exception is PTR_TO_CTX which is
now allowed to be offseted freely.
The intent of aforementioned commit was to allow context
access via modified registers. The offset passed to
->is_valid_access() verifier callback has been adjusted
by the value of the variable offset.
What is missing, however, is taking the variable offset
into account when the context register is used. Or in terms
of the code adding the offset to the value passed to the
->convert_ctx_access() callback. This leads to the following
eBPF user code:
Offset 8 is corresponding to 180 in the kernel, but offset
76 is valid too. Verifier will "accept" access to offset
68+8=76 but then "convert" access to offset 8 as 180.
Effective access to offset 248 is beyond the kernel context.
(This is a __sk_buff example on a debug-heavy kernel -
packet mark is 8 -> 180, 76 would be data.)
Dereferencing the modified context pointer is not as easy
as dereferencing other types, because we have to translate
the access to reading a field in kernel structures which is
usually at a different offset and often of a different size.
To allow modifying the pointer we would have to make sure
that given eBPF instruction will always access the same
field or the fields accessed are "compatible" in terms of
offset and size...
Disallow dereferencing modified context pointers and add
to selftests the test case described here.
Johannes Berg [Mon, 16 Oct 2017 15:09:53 +0000 (17:09 +0200)]
netlink: fix netlink_ack() extack race
It seems that it's possible to toggle NETLINK_F_EXT_ACK
through setsockopt() while another thread/CPU is building
a message inside netlink_ack(), which could then trigger
the WARN_ON()s I added since if it goes from being turned
off to being turned on between allocating and filling the
message, the skb could end up being too small.
Avoid this whole situation by storing the value of this
flag in a separate variable and using that throughout the
function instead.
Fixes: 2d4bc93368f5 ("netlink: extended ACK reporting") Signed-off-by: Johannes Berg <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Ido Schimmel [Mon, 16 Oct 2017 14:28:28 +0000 (16:28 +0200)]
mlxsw: core: Fix possible deadlock
When an EMAD is transmitted, a timeout work item is scheduled with a
delay of 200ms, so that another EMAD will be retried until a maximum of
five retries.
In certain situations, it's possible for the function waiting on the
EMAD to be associated with a work item that is queued on the same
workqueue (`mlxsw_core`) as the timeout work item. This results in
flushing a work item on the same workqueue.
According to commit e159489baa71 ("workqueue: relax lockdep annotation
on flush_work()") the above may lead to a deadlock in case the workqueue
has only one worker active or if the system in under memory pressure and
the rescue worker is in use. The latter explains the very rare and
random nature of the lockdep splats we have been seeing:
Fix this by creating another workqueue for EMAD timeouts, thereby
preventing the situation of a work item trying to flush a work item
queued on the same workqueue.
Fixes: caf7297e7ab5f ("mlxsw: core: Introduce support for asynchronous EMAD register access") Signed-off-by: Ido Schimmel <[email protected]> Reported-by: Jiri Pirko <[email protected]> Signed-off-by: Jiri Pirko <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Linus Torvalds [Wed, 18 Oct 2017 10:47:59 +0000 (06:47 -0400)]
Merge tag 'enforcement-4.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
Pull enforcement policy update from Greg KH:
"Documentation: Add a file explaining the requested Linux kernel
license enforcement policy
Here's a new file to the kernel's Documentation directory. It adds a
short document describing the views of how the Linux kernel community
feels about enforcing the license of the kernel.
The patch has been reviewed by a large number of kernel developers
already, as seen by their acks on the patch, and their agreement of
the statement with their names on it. The location of the file was
also agreed upon by the Documentation maintainer, so all should be
good there.
For some background information about this statement, see this article
written by some of the kernel developers involved in drafting it:
If anyone has any further questions about it, please let me, and the
TAB members, know and we will be glad to help answer them"
* tag 'enforcement-4.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
Documentation: Add a file explaining the Linux kernel license enforcement policy
Linus Torvalds [Wed, 18 Oct 2017 10:45:52 +0000 (06:45 -0400)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 fixes from Martin Schwidefsky:
"Two bug fixes:
- A fix for cputime accounting vs CPU hotplug
- Add two options to zfcpdump_defconfig to make SCSI dump work again"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390: fix zfcpdump-config
s390/cputime: fix guest/irq/softirq times after CPU hotplug
This would cause an oops. The issue is that I added another trace
event sample that reused a reg function of another trace event to
create a thread to call the tracepoints. The problem was that the reg
function couldn't handle nested calls (reg; reg; unreg; unreg;) and
created two threads (instead of one) and only removed one on exit.
This isn't a critical bug as the bug is only in sample code. But
sample code should be free of known bugs to prevent others from
copying it. This is why this is also marked for stable"
* tag 'trace-v4.14-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
tracing/samples: Fix creation and deletion of simple_thread_fn creation
The commit 99b5c5bb9a54 ("ALSA: hda - Remove the use of set_fs()")
converted the get_kctl_0dB_offset() call for killing set_fs() usage in
HD-audio codec code. The conversion assumed that the TLV callback
used in HD-audio code is only snd_hda_mixer_amp() and applies the TLV
calculation locally.
Although this assumption is correct, and all slave kctls are actually
with that callback, the current code is still utterly buggy; it
doesn't hit this condition and falls back to the next check. It's
because the function gets called after adding slave kctls to vmaster.
By assigning a slave kctl, the slave kctl object is faked inside
vmaster code, and the whole kctl ops are overridden. Thus the
callback op points to a different value from what we've assumed.
More badly, as reported by the KERNEXEC and UDEREF features of PaX,
the code flow turns into the unexpected pitfall. The next fallback
check is SNDRV_CTL_ELEM_ACCESS_TLV_READ access bit, and this always
hits for each kctl with TLV. Then it evaluates the callback function
pointer wrongly as if it were a TLV array. Although currently its
side-effect is fairly limited, this incorrect reference may lead to an
unpleasant result.
For addressing the regression, this patch introduces a new helper to
vmaster code, snd_ctl_apply_vmaster_slaves(). This works similarly
like the existing map_slaves() in hda_codec.c: it loops over the slave
list of the given master, and applies the given function to each
slave. Then the initializer function receives the right kctl object
and we can compare the correct pointer instead of the faked one.
Also, for catching the similar breakage in future, give an error
message when the unexpected TLV callback is found and bail out
immediately.
Takashi Iwai [Tue, 17 Oct 2017 09:58:17 +0000 (11:58 +0200)]
ALSA: hda: Remove superfluous '-' added by printk conversion
While converting the error messages to the standard macros in the
commit 4e76a8833fac ("ALSA: hda - Replace with standard printk"), a
superfluous '-' slipped in the code mistakenly. Its influence is
almost negligible, merely shows a dB value as negative integer instead
of positive integer (or vice versa) in the rare error message.
So let's kill this embarrassing byte to show more correct value.
Fixes: 4e76a8833fac ("ALSA: hda - Replace with standard printk") Cc: <[email protected]> Signed-off-by: Takashi Iwai <[email protected]>
Leonard Crestez [Fri, 13 Oct 2017 16:37:31 +0000 (19:37 +0300)]
regulator: rn5t618: Do not index regulator_desc arrays by id
The regulator_desc arrays in this driver are indexed by RN5T618_*
constants and some elements can be missing. This causes probe failures
on older models:
rn5t618-regulator rn5t618-regulator: failed to register (null) regulator
rn5t618-regulator: probe of rn5t618-regulator failed with error -22
Fix this by making the arrays flat. This also saves a little memory
because the regulator_desc arrays become smaller.
Signed-off-by: Leonard Crestez <[email protected]> Fixes: 83b2a3c2ab24 ("regulator: rn5t618: add RC5T619 PMIC support") Signed-off-by: Mark Brown <[email protected]>
Eric Biggers [Wed, 27 Sep 2017 19:50:46 +0000 (12:50 -0700)]
KEYS: load key flags and expiry time atomically in proc_keys_show()
In proc_keys_show(), the key semaphore is not held, so the key ->flags
and ->expiry can be changed concurrently. We therefore should read them
atomically just once.
Eric Biggers [Wed, 27 Sep 2017 19:50:45 +0000 (12:50 -0700)]
KEYS: Load key expiry time atomically in keyring_search_iterator()
Similar to the case for key_validate(), we should load the key ->expiry
once atomically in keyring_search_iterator(), since it can be changed
concurrently with the flags whenever the key semaphore isn't held.
Eric Biggers [Wed, 27 Sep 2017 19:50:44 +0000 (12:50 -0700)]
KEYS: load key flags and expiry time atomically in key_validate()
In key_validate(), load the flags and expiry time once atomically, since
these can change concurrently if key_validate() is called without the
key semaphore held. And we don't want to get inconsistent results if a
variable is referenced multiple times. For example, key->expiry was
referenced in both 'if (key->expiry)' and in 'if (now.tv_sec >=
key->expiry)', making it theoretically possible to see a spurious
EKEYEXPIRED while the expiration time was being removed, i.e. set to 0.
David Howells [Thu, 12 Oct 2017 15:00:41 +0000 (16:00 +0100)]
KEYS: don't let add_key() update an uninstantiated key
Currently, when passed a key that already exists, add_key() will call the
key's ->update() method if such exists. But this is heavily broken in the
case where the key is uninstantiated because it doesn't call
__key_instantiate_and_link(). Consequently, it doesn't do most of the
things that are supposed to happen when the key is instantiated, such as
setting the instantiation state, clearing KEY_FLAG_USER_CONSTRUCT and
awakening tasks waiting on it, and incrementing key->user->nikeys.
It also never takes key_construction_mutex, which means that
->instantiate() can run concurrently with ->update() on the same key. In
the case of the "user" and "logon" key types this causes a memory leak, at
best. Maybe even worse, the ->update() methods of the "encrypted" and
"trusted" key types actually just dereference a NULL pointer when passed an
uninstantiated key.
Change key_create_or_update() to wait interruptibly for the key to finish
construction before continuing.
This patch only affects *uninstantiated* keys. For now we still allow a
negatively instantiated key to be updated (thereby positively
instantiating it), although that's broken too (the next patch fixes it)
and I'm not sure that anyone actually uses that functionality either.
Here is a simple reproducer for the bug using the "encrypted" key type
(requires CONFIG_ENCRYPTED_KEYS=y), though as noted above the bug
pertained to more than just the "encrypted" key type:
David Howells [Wed, 4 Oct 2017 15:43:25 +0000 (16:43 +0100)]
KEYS: Fix race between updating and finding a negative key
Consolidate KEY_FLAG_INSTANTIATED, KEY_FLAG_NEGATIVE and the rejection
error into one field such that:
(1) The instantiation state can be modified/read atomically.
(2) The error can be accessed atomically with the state.
(3) The error isn't stored unioned with the payload pointers.
This deals with the problem that the state is spread over three different
objects (two bits and a separate variable) and reading or updating them
atomically isn't practical, given that not only can uninstantiated keys
change into instantiated or rejected keys, but rejected keys can also turn
into instantiated keys - and someone accessing the key might not be using
any locking.
The main side effect of this problem is that what was held in the payload
may change, depending on the state. For instance, you might observe the
key to be in the rejected state. You then read the cached error, but if
the key semaphore wasn't locked, the key might've become instantiated
between the two reads - and you might now have something in hand that isn't
actually an error code.
The state is now KEY_IS_UNINSTANTIATED, KEY_IS_POSITIVE or a negative error
code if the key is negatively instantiated. The key_is_instantiated()
function is replaced with key_is_positive() to avoid confusion as negative
keys are also 'instantiated'.
Additionally, barriering is included:
(1) Order payload-set before state-set during instantiation.
(2) Order state-read before payload-read when using the key.
Further separate barriering is necessary if RCU is being used to access the
payload content after reading the payload pointers.
Chun-Yi Lee [Wed, 4 Oct 2017 08:45:09 +0000 (16:45 +0800)]
KEYS: checking the input id parameters before finding asymmetric key
For finding asymmetric key, the input id_0 and id_1 parameters can
not be NULL at the same time. This patch adds the BUG_ON checking
for id_0 and id_1.
Chun-Yi Lee [Wed, 4 Oct 2017 11:18:22 +0000 (19:18 +0800)]
KEYS: Fix the wrong index when checking the existence of second id
Fix the wrong index number when checking the existence of second
id in function of finding asymmetric key. The id_1 is the second
id that the index in array must be 1 but not 0.
Arnd Bergmann [Wed, 4 Oct 2017 10:27:00 +0000 (12:27 +0200)]
security/keys: BIG_KEY requires CONFIG_CRYPTO
The recent rework introduced a possible randconfig build failure
when CONFIG_CRYPTO configured to only allow modules:
security/keys/big_key.o: In function `big_key_crypt':
big_key.c:(.text+0x29f): undefined reference to `crypto_aead_setkey'
security/keys/big_key.o: In function `big_key_init':
big_key.c:(.init.text+0x1a): undefined reference to `crypto_alloc_aead'
big_key.c:(.init.text+0x45): undefined reference to `crypto_aead_setauthsize'
big_key.c:(.init.text+0x77): undefined reference to `crypto_destroy_tfm'
crypto/gcm.o: In function `gcm_hash_crypt_remain_continue':
gcm.c:(.text+0x167): undefined reference to `crypto_ahash_finup'
crypto/gcm.o: In function `crypto_gcm_exit_tfm':
gcm.c:(.text+0x847): undefined reference to `crypto_destroy_tfm'
When we 'select CRYPTO' like the other users, we always get a
configuration that builds.
Fixes: 428490e38b2e ("security/keys: rewrite all of big_key crypto") Signed-off-by: Arnd Bergmann <[email protected]> Signed-off-by: David Howells <[email protected]>
Ben Hutchings [Tue, 17 Oct 2017 23:45:49 +0000 (00:45 +0100)]
ALSA: seq: Enable 'use' locking in all configurations
The 'use' locking macros are no-ops if neither SMP or SND_DEBUG is
enabled. This might once have been OK in non-preemptible
configurations, but even in that case snd_seq_read() may sleep while
relying on a 'use' lock. So always use the proper implementations.
Tony Lindgren [Mon, 16 Oct 2017 21:06:14 +0000 (14:06 -0700)]
i2c: omap: Fix error handling for clk_get()
Otherwise we can get the following if the fck alias is missing:
Unable to handle kernel paging request at virtual address fffffffe
...
PC is at clk_get_rate+0x8/0x10
LR is at omap_i2c_probe+0x278/0x6ec
...
[<c056eb08>] (clk_get_rate) from [<c06f4f08>] (omap_i2c_probe+0x278/0x6ec)
[<c06f4f08>] (omap_i2c_probe) from [<c0610944>] (platform_drv_probe+0x50/0xb0)
[<c0610944>] (platform_drv_probe) from [<c060e900>] (driver_probe_device+0x264/0x2ec)
[<c060e900>] (driver_probe_device) from [<c060cda0>] (bus_for_each_drv+0x70/0xb8)
[<c060cda0>] (bus_for_each_drv) from [<c060e5b0>] (__device_attach+0xcc/0x13c)
[<c060e5b0>] (__device_attach) from [<c060db10>] (bus_probe_device+0x88/0x90)
[<c060db10>] (bus_probe_device) from [<c060df68>] (deferred_probe_work_func+0x4c/0x14c)
Linus Torvalds [Tue, 17 Oct 2017 19:54:41 +0000 (15:54 -0400)]
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"Four mostly error leg fixes and one more important regression in a
prior commit (the qla2xxx one)"
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
scsi: fc: check for rport presence in fc_block_scsi_eh
scsi: qla2xxx: Fix uninitialized work element
scsi: libiscsi: fix shifting of DID_REQUEUE host byte
scsi: libfc: fix a deadlock in fc_rport_work
scsi: fixup kernel warning during rmmod()
tracing/samples: Fix creation and deletion of simple_thread_fn creation
Commit 7496946a8 ("tracing: Add samples of DECLARE_EVENT_CLASS() and
DEFINE_EVENT()") added template examples for all the events. It created a
DEFINE_EVENT_FN() example which reused the foo_bar_reg and foo_bar_unreg
functions.
Enabling both the TRACE_EVENT_FN() and DEFINE_EVENT_FN() example trace
events caused the foo_bar_reg to be called twice, creating the test thread
twice. The foo_bar_unreg would remove it only once, even if it was called
multiple times, leaving a thread existing when the module is unloaded,
causing an oops.
Add a ref count and allow foo_bar_reg() and foo_bar_unreg() be called by
multiple trace events.
Cc: [email protected] Fixes: 7496946a8 ("tracing: Add samples of DECLARE_EVENT_CLASS() and DEFINE_EVENT()") Signed-off-by: Steven Rostedt (VMware) <[email protected]>
Arnd Bergmann [Tue, 10 Oct 2017 08:56:01 +0000 (10:56 +0200)]
arm64: dts: rockchip: fix typo in iommu nodes
The latest dtc warns about an extraneous cell in the interrupt
property of two of the iommu device nodes:
Warning (interrupts_property): interrupts size is (16), expected multiple of 12 in /iommu@ff373f00
Warning (interrupts_property): interrupts size is (16), expected multiple of 12 in /iommu@ff900800
Shawn Lin [Tue, 17 Oct 2017 03:38:04 +0000 (11:38 +0800)]
arm64: dts: rockchip: correct vqmmc voltage for rk3399 platforms
The vcc_sd or vcc_sdio used for IO voltage for sdmmc and sdio
interface on rk3399 platform have a limitation that it can't be
larger than 3.0v, otherwise it has a potential risk for the chip.
Correct all of them.
Fixes: 171582e00db1 ("arm64: dts: rockchip: add support for firefly-rk3399 board") Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") Fixes: 8164a84cca12 ("arm64: dts: rockchip: Add support for rk3399 sapphire SOM") Cc: [email protected] Signed-off-by: Shawn Lin <[email protected]> Tested-by: Klaus Goger <[email protected]> Signed-off-by: Heiko Stuebner <[email protected]>
Lukas Czerner [Tue, 17 Oct 2017 14:43:09 +0000 (08:43 -0600)]
fs: Avoid invalidation in interrupt context in dio_complete()
Currently we try to defer completion of async DIO to the process context
in case there are any mapped pages associated with the inode so that we
can invalidate the pages when the IO completes. However the check is racy
and the pages can be mapped afterwards. If this happens we might end up
calling invalidate_inode_pages2_range() in dio_complete() in interrupt
context which could sleep. This can be reproduced by generic/451.
Fix this by passing the information whether we can or can't invalidate
to the dio_complete(). Thanks Eryu Guan for reporting this and Jan Kara
for suggesting a fix.
Bin Liu [Tue, 17 Oct 2017 13:22:25 +0000 (08:22 -0500)]
MAINTAINERS: fix git tree url for musb module
Commit 3b2435192fe91 ("MAINTAINERS: drop OMAP USB and MUSB
maintainership") switched the maintainer for musb module, but didn't
update the git tree location.
Delete the git tree information, since the current maintainer doesn't
have a public tree.
Namhyung Kim [Tue, 17 Oct 2017 13:29:00 +0000 (22:29 +0900)]
perf buildid-list: Fix crash when processing PERF_RECORD_NAMESPACE
Thomas reported that 'perf buildid-list' gets a SEGFAULT due to NULL
pointer deref when he ran it on a data with namespace events. It was
because the buildid_id__mark_dso_hit_ops lacks the namespace event
handler and perf_too__fill_default() didn't set it.
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
Missing separate debuginfos, use: dnf debuginfo-install audit-libs-2.7.7-1.fc25.s390x bzip2-libs-1.0.6-21.fc25.s390x elfutils-libelf-0.169-1.fc25.s390x
+elfutils-libs-0.169-1.fc25.s390x libcap-ng-0.7.8-1.fc25.s390x numactl-libs-2.0.11-2.ibm.fc25.s390x openssl-libs-1.1.0e-1.1.ibm.fc25.s390x perl-libs-5.24.1-386.fc25.s390x
+python-libs-2.7.13-2.fc25.s390x slang-2.3.0-7.fc25.s390x xz-libs-5.2.3-2.fc25.s390x zlib-1.2.8-10.fc25.s390x
(gdb) where
#0 0x0000000000000000 in ?? ()
#1 0x00000000010fad6a in machines__deliver_event (machines=<optimized out>, machines@entry=0x2c6fd18,
evlist=<optimized out>, event=event@entry=0x3fffdf00470, sample=0x3ffffffe880, sample@entry=0x3ffffffe888,
tool=tool@entry=0x1312968 <build_id.mark_dso_hit_ops>, file_offset=1136) at util/session.c:1287
#2 0x00000000010fbf4e in perf_session__deliver_event (file_offset=1136, tool=0x1312968 <build_id.mark_dso_hit_ops>,
sample=0x3ffffffe888, event=0x3fffdf00470, session=0x2c6fc30) at util/session.c:1340
#3 perf_session__process_event (session=0x2c6fc30, session@entry=0x0, event=event@entry=0x3fffdf00470,
file_offset=file_offset@entry=1136) at util/session.c:1522
#4 0x00000000010fddde in __perf_session__process_events (file_size=11880, data_size=<optimized out>,
data_offset=<optimized out>, session=0x0) at util/session.c:1899
#5 perf_session__process_events (session=0x0, session@entry=0x2c6fc30) at util/session.c:1953
#6 0x000000000103b2ac in perf_session__list_build_ids (with_hits=<optimized out>, force=<optimized out>)
at builtin-buildid-list.c:83
#7 cmd_buildid_list (argc=<optimized out>, argv=<optimized out>) at builtin-buildid-list.c:115
#8 0x00000000010a026c in run_builtin (p=0x1311f78 <commands+24>, argc=argc@entry=2, argv=argv@entry=0x3fffffff3c0)
at perf.c:296
#9 0x000000000102bc00 in handle_internal_command (argv=<optimized out>, argc=2) at perf.c:348
#10 run_argv (argcp=<synthetic pointer>, argv=<synthetic pointer>) at perf.c:392
#11 main (argc=<optimized out>, argv=0x3fffffff3c0) at perf.c:536
(gdb)
Fix it by adding a stub event handler for namespace event.
Committer testing:
Further clarifying, plain using 'perf buildid-list' will not end up in a
SEGFAULT when processing a perf.data file with namespace info:
It is only when one asks for checking what of those entries actually had
samples, i.e. when we use either -H or --with-hits, that we will process
all the PERF_RECORD_ events, and since tools/perf/builtin-buildid-list.c
neither explicitely set a perf_tool.namespaces() callback nor the
default stub was set that we end up, when processing a
PERF_RECORD_NAMESPACE record, causing a SEGFAULT:
Taeung Song [Fri, 13 Oct 2017 15:10:12 +0000 (00:10 +0900)]
perf record: Fix documentation for a inexistent option '-l'
'perf record' had a '-l' option that meant "scale counter values" a very
long time ago, but it currently belongs to 'perf stat' as '-c'. So
remove it. I found this problem in the below case.
Felipe Balbi [Tue, 3 Oct 2017 08:16:43 +0000 (11:16 +0300)]
usb: quirks: add quirk for WORLDE MINI MIDI keyboard
This keyboard doesn't implement Get String descriptors properly even
though string indexes are valid. What happens is that when requesting
for the String descriptor, the device disconnects and
reconnects. Without this quirk, this loop will continue forever.
Linus Torvalds [Tue, 17 Oct 2017 10:23:09 +0000 (06:23 -0400)]
Merge tag 'media/v4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
Pull media fixes from Mauro Carvalho Chehab:
"Core fixes:
- cec: Respond to unregistered initiators, when applicable
- dvb_frontend: only use kref after initialized
Driver-specific fixes:
- qcom, camss: Make function vfe_set_selection static
- qcom: VIDEO_QCOM_CAMSS should depend on HAS_DMA
- s5p-cec: add NACK detection support
- media: staging/imx: Fix uninitialized variable warning
- dib3000mc: i2c transfers over usb cannot be done from stack
- venus: init registered list on streamoff"
* tag 'media/v4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
media: dvb_frontend: only use kref after initialized
media: platform: VIDEO_QCOM_CAMSS should depend on HAS_DMA
media: cec: Respond to unregistered initiators, when applicable
media: s5p-cec: add NACK detection support
media: staging/imx: Fix uninitialized variable warning
media: qcom: camss: Make function vfe_set_selection static
media: venus: init registered list on streamoff
media: dvb: i2c transfers over usb cannot be done from stack
Jonathan Liu [Tue, 10 Oct 2017 03:46:13 +0000 (22:46 -0500)]
usb: musb: sunxi: Explicitly release USB PHY on exit
This fixes a kernel oops when unloading the driver due to usb_put_phy
being called after usb_phy_generic_unregister when the device is
detached. Calling usb_phy_generic_unregister causes x->dev->driver to
be NULL in usb_put_phy and results in a NULL pointer dereference.
Jonathan Liu [Tue, 10 Oct 2017 03:46:12 +0000 (22:46 -0500)]
usb: musb: Check for host-mode using is_host_active() on reset interrupt
The sunxi musb has a bug where sometimes it will generate a babble
error on device disconnect instead of a disconnect IRQ. When this
happens the musb controller switches from host mode to device mode
(it clears MUSB_DEVCTL_HM/MUSB_DEVCTL_SESSION and sets
MUSB_DEVCTL_BDEVICE) and gets stuck in this state.
The babble error is misdetected as a bus reset because MUSB_DEVCTL_HM
was cleared.
To fix this, use is_host_active() rather than (devctl & MUSB_DEVCTL_HM)
to detect babble error so that sunxi musb babble recovery can handle it
by restoring the mode. This information is provided by the driver logic
and does not rely on register contents.
Alexandre Bailon [Tue, 10 Oct 2017 03:46:11 +0000 (22:46 -0500)]
usb: musb: musb_cppi41: Configure the number of channels for DA8xx
Currently, the number of channels is set to 15 but in the case of DA8xx,
the number of channels is 4.
Update the driver to configure the number of channels at runtime.
Alexandre Bailon [Tue, 10 Oct 2017 03:46:10 +0000 (22:46 -0500)]
usb: musb: musb_cppi41: Fix cppi41_set_dma_mode() for DA8xx
The way to configure the DMA mode on DA8xx is different from DSPS.
Add a new function to configure DMA mode on DA8xx and use a callback
to call the right function based on the platform.
Alexandre Bailon [Tue, 10 Oct 2017 03:46:09 +0000 (22:46 -0500)]
usb: musb: musb_cppi41: Fix the address of teardown and autoreq registers
The DA8xx and DSPS platforms don't use the same address for few registers.
On Da8xx, this is causing some issues (e.g. teardown that doesn't work).
Configure the address of the register during the init and use them instead
of constants.
Johan Hovold [Tue, 10 Oct 2017 03:46:08 +0000 (22:46 -0500)]
USB: musb: fix late external abort on suspend
The musb delayed irq work was never flushed on suspend, something which
since 4.9 can lead to an external abort if the work is scheduled after
the grandparent's clock has been disabled:
PM: Suspending system (mem)
PM: suspend of devices complete after 125.224 msecs
PM: suspend devices took 0.132 seconds
PM: late suspend of devices complete after 7.423 msecs
PM: noirq suspend of devices complete after 7.083 msecs
suspend debug: Waiting for 5 second(s).
Unhandled fault: external abort on non-linefetch (0x1008) at 0xd0262c60
...
[<c054880c>] (musb_default_readb) from [<c0547b5c>] (musb_irq_work+0x48/0x220)
[<c0547b5c>] (musb_irq_work) from [<c014f8a4>] (process_one_work+0x1f4/0x758)
[<c014f8a4>] (process_one_work) from [<c014fe5c>] (worker_thread+0x54/0x514)
[<c014fe5c>] (worker_thread) from [<c015704c>] (kthread+0x128/0x158)
[<c015704c>] (kthread) from [<c0109330>] (ret_from_fork+0x14/0x24)
Commit 2bff3916fda9 ("usb: musb: Fix PM for hub disconnect") started
scheduling musb_irq_work with a delay of up to a second and with
retries thereby making this easy to trigger, for example, by suspending
shortly after a disconnect.
Note that we set a flag to prevent the irq work from rescheduling itself
during suspend and instead process a disconnect immediately. This takes
care of the case where we are disconnected shortly before suspending.
However, when in host mode, a disconnect while suspended will still
go unnoticed and thus prevent the controller from runtime suspending
upon resume as the session bit is always set. This will need to be
addressed separately.
Fixes: 550a7375fe72 ("USB: Add MUSB and TUSB support") Fixes: 467d5c980709 ("usb: musb: Implement session bit based runtime PM for musb-core") Fixes: 2bff3916fda9 ("usb: musb: Fix PM for hub disconnect") Cc: stable <[email protected]> # 4.9 Cc: Felipe Balbi <[email protected]> Cc: Tony Lindgren <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Tested-by: Tony Lindgren <[email protected]> Signed-off-by: Bin Liu <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Johan Hovold [Tue, 10 Oct 2017 03:46:07 +0000 (22:46 -0500)]
USB: musb: fix session-bit runtime-PM quirk
The current session-bit quirk implementation does not prevent the retry
counter from underflowing, something which could break runtime PM and
keep the device active for a very long time (about 2^32 seconds) after a
disconnect.
This notably breaks the B-device timeout case, but could potentially
cause problems also when the controller is operating as an A-device.
Maksim Salau [Wed, 11 Oct 2017 08:10:52 +0000 (11:10 +0300)]
usb: cdc_acm: Add quirk for Elatec TWN3
Elatec TWN3 has the union descriptor on data interface. This results in
failure to bind the device to the driver with the following log:
usb 1-1.2: new full speed USB device using streamplug-ehci and address 4
usb 1-1.2: New USB device found, idVendor=09d8, idProduct=0320
usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-1.2: Product: RFID Device (COM)
usb 1-1.2: Manufacturer: OEM
cdc_acm 1-1.2:1.0: Zero length descriptor references
cdc_acm: probe of 1-1.2:1.0 failed with error -22
Adding the NO_UNION_NORMAL quirk for the device fixes the issue.
`lsusb -v` of the device:
Bus 001 Device 003: ID 09d8:0320
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 2 Communications
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 32
idVendor 0x09d8
idProduct 0x0320
bcdDevice 3.00
iManufacturer 1 OEM
iProduct 2 RFID Device (COM)
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 67
bNumInterfaces 2
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 250mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 2 Abstract (modem)
bInterfaceProtocol 1 AT-commands (v.25ter)
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0020 1x 32 bytes
bInterval 2
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0 Unused
bInterfaceProtocol 0
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0020 1x 32 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0020 1x 32 bytes
bInterval 0
CDC Header:
bcdCDC 1.10
CDC Call Management:
bmCapabilities 0x03
call management
use DataInterface
bDataInterface 1
CDC ACM:
bmCapabilities 0x06
sends break
line coding and serial state
CDC Union:
bMasterInterface 0
bSlaveInterface 1
Device Status: 0x0000
(Bus Powered)
Hans de Goede [Mon, 16 Oct 2017 14:21:19 +0000 (16:21 +0200)]
USB: devio: Revert "USB: devio: Don't corrupt user memory"
Taking the uurb->buffer_length userspace passes in as a maximum for the
actual urbs transfer_buffer_length causes 2 serious issues:
1) It breaks isochronous support for all userspace apps using libusb,
as existing libusb versions pass in 0 for uurb->buffer_length,
relying on the kernel using the lenghts of the usbdevfs_iso_packet_desc
descriptors passed in added together as buffer length.
This for example causes redirection of USB audio and Webcam's into
virtual machines using qemu-kvm to no longer work. This is a userspace
ABI break and as such must be reverted.
Note that the original commit does not protect other users / the
kernels memory, it only stops the userspace process making the call
from shooting itself in the foot.
2) It may cause the kernel to program host controllers to DMA over random
memory. Just as the devio code used to only look at the iso_packet_desc
lenghts, the host drivers do the same, relying on the submitter of the
urbs to make sure the entire buffer is large enough and not checking
transfer_buffer_length.
But the "USB: devio: Don't corrupt user memory" commit now takes the
userspace provided uurb->buffer_length for the buffer-size while copying
over the user-provided iso_packet_desc lengths 1:1, allowing the user
to specify a small buffer size while programming the host controller to
dma a lot more data.
(Atleast the ohci, uhci, xhci and fhci drivers do not check
transfer_buffer_length for isoc transfers.)
This reverts commit fa1ed74eb1c2 ("USB: devio: Don't corrupt user memory")
fixing both these issues.
Merge tag 'phy-for-4.14-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/kishon/linux-phy into usb-linus
Kishon writes:
phy: for 4.14 -rc
*) Handle error return values in rockchip-typec and tegra-xusb
*) Fix MUX error check and ioremap_resource error check in mvebu-cp110-comphy
*) Fix NULL pointer dereference error in phy-mtk-tphy
*) Make sure pipe selector is not set to incompatible value
*) Fix flaky aux channel communication with rockchip-typec PHY
*) Fix DP monitors detection issue in rockchip-typec PHY
Mayank Rana [Fri, 6 Oct 2017 14:45:30 +0000 (17:45 +0300)]
usb: xhci: Handle error condition in xhci_stop_device()
xhci_stop_device() calls xhci_queue_stop_endpoint() multiple times
without checking the return value. xhci_queue_stop_endpoint() can
return error if the HC is already halted or unable to queue commands.
This can cause a deadlock condition as xhci_stop_device() would
end up waiting indefinitely for a completion for the command that
didn't get queued. Fix this by checking the return value and bailing
out of xhci_stop_device() in case of error. This patch happens to fix
potential memory leaks of the allocated command structures as well.
projects / linux.git / log