Marcel Hasler [Tue, 20 Dec 2016 21:08:13 +0000 (22:08 +0100)]
HID: usbhid: Add quirk for Mayflash/Dragonrise DolphinBar.
The DolphinBar by Mayflash (identified as Dragonrise) needs
HID_QUIRK_MULTI_INPUT to split it up into four input devices. Without this
quirk the adapter is falsely recognized as a tablet. See also bug 115841
(https://bugzilla.kernel.org/show_bug.cgi?id=115841).
ARM: davinci: da8xx: Fix sleeping function called from invalid context
Everytime the usb20 phy is enabled, there is a
"sleeping function called from invalid context" BUG.
In addition, there is a recursive locking happening
because of the recurse call to clk_enable().
clk_enable() from arch/arm/mach-davinci/clock.c uses
spin_lock_irqsave() before to invoke the callback
usb20_phy_clk_enable(). usb20_phy_clk_enable() uses
clk_get() and clk_enable_prepapre() which may sleep.
Replace clk_prepare_enable() by davinci_clk_enable().
ARM: davinci: Make __clk_{enable,disable} functions public
In some cases, there is a need to enable a clock as part of
clock enable callback of a different clock. For example, USB
2.0 PHY clock enable requires USB 2.0 clock to be enabled.
In this case, it is safe to instead call __clk_enable()
since the clock framework lock is already taken. Calling
clk_enable() causes recursive locking error.
A similar case arises in the clock disable path.
To enable such usage, make __clk_{enable,disable} functions
publicly available outside of clock.c. Also, call them
davinci_clk_{enable|disable} now to be consistent with how
other davinci-specific clock functions are named.
Note that these functions are not exported to drivers. They
are meant for usage in platform specific clock management
code.
Johannes Berg [Mon, 2 Jan 2017 10:19:29 +0000 (11:19 +0100)]
mac80211: initialize fast-xmit 'info' later
In ieee80211_xmit_fast(), 'info' is initialized to point to the skb
that's passed in, but that skb may later be replaced by a clone (if
it was shared), leading to an invalid pointer.
This can lead to use-after-free and also later crashes since the
real SKB's info->hw_queue doesn't get initialized properly.
Fix this by assigning info only later, when it's needed, after the
skb replacement (may have) happened.
USB: serial: f81534: detect errors from f81534_logic_to_phy_port()
With gcc 4.1.2:
drivers/usb/serial/f81534.c: In function ‘f81534_port_probe’:
drivers/usb/serial/f81534.c:1250: warning: comparison is always false due to limited range of data type
f81534_logic_to_phy_port() may return a negative error value, which is
ignored by assigning it to u8 f81534_port_private.phy_num.
Use an intermediate variable of type int to fix this.
While at it, forward the actual error code instead of converting it to
-ENODEV, and drop the useless check for F81534_NUM_PORT, as the callee
always returns a valid port number in case of success.
ARM: davinci: da850: fix infinite loop in clk_set_rate()
The aemif clock is added twice to the lookup table in da850.c. This
breaks the children list of pll0_sysclk3 as we're using the same list
links in struct clk. When calling clk_set_rate(), we get stuck in
propagate_rate().
Create a separate clock for nand, inheriting the rate of the aemif
clock and retrieve it in the davinci_nand module.
Felix Hädicke [Thu, 29 Dec 2016 22:02:11 +0000 (23:02 +0100)]
usb: gadget: udc: core: fix return code of usb_gadget_probe_driver()
This fixes a regression which was introduced by commit f1bddbb, by
reverting a small fragment of commit 855ed04.
If the following conditions were met, usb_gadget_probe_driver() returned
0, although the call was unsuccessful:
1. A particular UDC was specified by thge gadget driver (using member
"udc_name" of struct usb_gadget_driver).
2. The UDC with this name is available.
3. Another gadget driver is already bound to this gadget.
4. The gadget driver has the "match_existing_only" flag set.
In this case, the return code variable "ret" is set to 0, the return
code of a strcmp() call (to check for the second condition).
This also fixes an oops which could occur in the following scenario:
1. Two usb gadget instances were configured using configfs.
2. The first gadget configuration was bound to a UDC (using the configfs
attribute "UDC").
3. It was tried to bind the second gadget configuration to the same UDC
in the same way. This operation was then wrongly reported as being
successful.
4. The second gadget configuration's "UDC" attribute is cleared, to
unbind the (not really bound) second gadget configuration from the UDC.
<BUG: unable to handle kernel NULL pointer dereference
at (null)
IP: [<ffffffff94f5e5e9>] __list_del_entry+0x29/0xc0
PGD 41b4c5067
PUD 41a598067
PMD 0
usb: dwc2: fix flags for DMA descriptor allocation in dwc2_hsotg_ep_enable
dwc2_hsotg_ep_enable can be called from interrupt context, so all
allocations should be done with GFP_ATOMIC flags. This fixes following
issue on ARM architecture:
[<c010d830>] (unwind_backtrace) from [<c010a51c>] (show_stack+0x10/0x14)
[<c010a51c>] (show_stack) from [<c032930c>] (dump_stack+0x74/0x94)
[<c032930c>] (dump_stack) from [<c011cd30>] (__warn+0xd4/0x100)
[<c011cd30>] (__warn) from [<c011cd7c>] (warn_slowpath_null+0x20/0x28)
[<c011cd7c>] (warn_slowpath_null) from [<c0187e04>] (smp_call_function_many+0xcc/0x2a4)
[<c0187e04>] (smp_call_function_many) from [<c0188014>] (on_each_cpu_mask+0x38/0xa8)
[<c0188014>] (on_each_cpu_mask) from [<c01ddfe0>] (start_isolate_page_range+0x134/0x1b8)
[<c01ddfe0>] (start_isolate_page_range) from [<c01a3c14>] (alloc_contig_range+0xac/0x2f8)
[<c01a3c14>] (alloc_contig_range) from [<c01de3e4>] (cma_alloc+0xe0/0x1a8)
[<c01de3e4>] (cma_alloc) from [<c0110acc>] (__alloc_from_contiguous+0x38/0xe0)
[<c0110acc>] (__alloc_from_contiguous) from [<c0110ba4>] (cma_allocator_alloc+0x30/0x38)
[<c0110ba4>] (cma_allocator_alloc) from [<c0111034>] (__dma_alloc+0x1c0/0x2c8)
[<c0111034>] (__dma_alloc) from [<c01111b4>] (arm_dma_alloc+0x3c/0x48)
[<c01111b4>] (arm_dma_alloc) from [<c04ad800>] (dwc2_hsotg_ep_enable+0xec/0x46c)
[<c04ad800>] (dwc2_hsotg_ep_enable) from [<c04da610>] (usb_ep_enable+0x2c/0x3c)
[<c04da610>] (usb_ep_enable) from [<c04dc0c0>] (ecm_set_alt+0xa8/0x154)
[<c04dc0c0>] (ecm_set_alt) from [<c04d678c>] (composite_setup+0xd74/0x1540)
[<c04d678c>] (composite_setup) from [<c04ae048>] (dwc2_hsotg_complete_setup+0xb8/0x370)
[<c04ae048>] (dwc2_hsotg_complete_setup) from [<c04d987c>] (usb_gadget_giveback_request+0xc/0x10)
[<c04d987c>] (usb_gadget_giveback_request) from [<c04acafc>] (dwc2_hsotg_complete_request+0x78/0x128)
[<c04acafc>] (dwc2_hsotg_complete_request) from [<c04aed28>] (dwc2_hsotg_epint+0x69c/0x81c)
[<c04aed28>] (dwc2_hsotg_epint) from [<c04af6c4>] (dwc2_hsotg_irq+0xfc/0x748)
[<c04af6c4>] (dwc2_hsotg_irq) from [<c0163264>] (__handle_irq_event_percpu+0x58/0x140)
[<c0163264>] (__handle_irq_event_percpu) from [<c0163368>] (handle_irq_event_percpu+0x1c/0x58)
[<c0163368>] (handle_irq_event_percpu) from [<c01633dc>] (handle_irq_event+0x38/0x5c)
[<c01633dc>] (handle_irq_event) from [<c01666e4>] (handle_fasteoi_irq+0xc4/0x19c)
[<c01666e4>] (handle_fasteoi_irq) from [<c0162a2c>] (generic_handle_irq+0x18/0x28)
[<c0162a2c>] (generic_handle_irq) from [<c0162b40>] (__handle_domain_irq+0x6c/0xe4)
[<c0162b40>] (__handle_domain_irq) from [<c0101470>] (gic_handle_irq+0x50/0x9c)
[<c0101470>] (gic_handle_irq) from [<c010b00c>] (__irq_svc+0x6c/0xa8)
Fixes: 5f54c54b0ba83 ("usb: dwc2: gadget: Add DDMA chain pointers to
dwc2_hsotg_ep structure") Acked-by: John Youn <[email protected]> Signed-off-by: Marek Szyprowski <[email protected]> Signed-off-by: Felipe Balbi <[email protected]>
Calling platform_device_add_properties() replaces existing properties so
the "linux,sysdev_is_parent" property doesn't get set. Add this property
to each platform.
Fixes: d64ff406e51e ("usb: dwc3: use bus->sysdev for DMA configuration") Signed-off-by: John Youn <[email protected]> Signed-off-by: Felipe Balbi <[email protected]>
usb: dwc3: omap: fix race of pm runtime with irq handler in probe
Now races can happen between interrupt handler execution and PM runtime in
error handling code path in probe and in dwc3_omap_remove() which will lead
to system crash:
in probe:
...
err1:
pm_runtime_put_sync(dev);
^^ PM runtime can race with IRQ handler when deferred probing happening
due to extcon
pm_runtime_disable(dev);
return ret;
in dwc3_omap_remove:
...
dwc3_omap_disable_irqs(omap);
^^ IRQs are disabled in HW, but handler may still run
of_platform_depopulate(omap->dev);
pm_runtime_put_sync(&pdev->dev);
^^ PM runtime can race with IRQ handler
pm_runtime_disable(&pdev->dev);
return 0;
So, OMAP DWC3 IRQ need to be disabled before calling
pm_runtime_put() in probe and in dwc3_omap_remove().
Alan Stern [Fri, 9 Dec 2016 20:25:15 +0000 (15:25 -0500)]
USB: gadgetfs: remove unnecessary assignment
The dev_config() routine in gadgetfs has a check that
dev->dev->bNumConfigurations is equal to 1, and then contains a
redundant line of code setting the value to 1. This patch removes the
unnecessary assignment.
Alan Stern [Fri, 9 Dec 2016 20:24:24 +0000 (15:24 -0500)]
USB: gadgetfs: fix checks of wTotalLength in config descriptors
Andrey Konovalov's fuzz testing of gadgetfs showed that we should
improve the driver's checks for valid configuration descriptors passed
in by the user. In particular, the driver needs to verify that the
wTotalLength value in the descriptor is not too short (smaller
than USB_DT_CONFIG_SIZE). And the check for whether wTotalLength is
too large has to be changed, because the driver assumes there is
always enough room remaining in the buffer to hold a device descriptor
(at least USB_DT_DEVICE_SIZE bytes).
This patch adds the additional check and fixes the existing check. It
may do a little more than strictly necessary, but one extra check
won't hurt.
The cause of the bug is subtle. The dev_config() routine gets called
twice by the fuzzer. The first time, the user data contains both a
full-speed configuration descriptor and a high-speed config
descriptor, causing dev->hs_config to be set. But it also contains an
invalid device descriptor, so the buffer containing the descriptors is
deallocated and dev_config() returns an error.
The second time dev_config() is called, the user data contains only a
full-speed config descriptor. But dev->hs_config still has the stale
pointer remaining from the first call, causing the routine to think
that there is a valid high-speed config. Later on, when the driver
dereferences the stale pointer to copy that descriptor, we get a
use-after-free access.
The fix is simple: Clear dev->hs_config if the passed-in data does not
contain a high-speed config descriptor.
Indeed, there is a comment saying that the value of len is restricted
to a 16-bit integer, but the code doesn't actually do this.
This patch fixes the warning. It replaces the comment with a
computation that forces the amount of data copied from the user in
ep0_write() to be no larger than the wLength size for the control
transfer, which is a 16-bit quantity.
Baolin Wang [Thu, 8 Dec 2016 11:55:22 +0000 (19:55 +0800)]
usb: gadget: f_fs: Fix possibe deadlock
When system try to close /dev/usb-ffs/adb/ep0 on one core, at the same
time another core try to attach new UDC, which will cause deadlock as
below scenario. Thus we should release ffs lock before issuing
unregister_gadget_item().
usb: gadgetfs: restrict upper bound on device configuration size
Andrey Konovalov reported that we were not properly checking the upper
limit before of a device configuration size before calling
memdup_user(), which could cause some problems.
So set the upper limit to PAGE_SIZE * 4, which should be good enough for
all devices.
Alan Stern [Wed, 14 Dec 2016 19:55:56 +0000 (14:55 -0500)]
USB: dummy-hcd: fix bug in stop_activity (handle ep0)
The stop_activity() routine in dummy-hcd is supposed to unlink all
active requests for every endpoint, among other things. But it
doesn't handle ep0. As a result, fuzz testing can generate a WARNING
like the following:
This patch fixes the problem by iterating over all the endpoints in
the driver's ep array instead of iterating over the gadget's ep_list,
which explicitly leaves out ep0.
usb: gadget: f_fs: Document eventfd effect on descriptor format.
When FUNCTIONFS_EVENTFD flag is set, __ffs_data_got_descs reads a 32bits,
little-endian value right after the fixed structure header, and passes it
to eventfd_ctx_fdget. Document this.
Also, rephrase a comment to be affirmative about the role of string
descriptor at index 0. Ref: USB 2.0 spec paragraph "9.6.7 String", and
also checked to still be current in USB 3.0 spec paragraph "9.6.9 String".
usb: gadget: composite: Test get_alt() presence instead of set_alt()
By convention (according to doc) if function does not provide
get_alt() callback composite framework should assume that it has only
altsetting 0 and should respond with error if host tries to set
other one.
After commit dd4dff8b035f ("USB: composite: Fix bug: should test
set_alt function pointer before use it")
we started checking set_alt() callback instead of get_alt().
This check is useless as we check if set_alt() is set inside
usb_add_function() and fail if it's NULL.
Let's fix this check and move comment about why we check the get
method instead of set a little bit closer to prevent future false
fixes.
Fixes: dd4dff8b035f ("USB: composite: Fix bug: should test set_alt function pointer before use it") Cc: stable <[email protected]> Signed-off-by: Krzysztof Opasiak <[email protected]> Signed-off-by: Felipe Balbi <[email protected]>
Hans de Goede [Tue, 27 Dec 2016 11:13:42 +0000 (13:13 +0200)]
usb: dwc3: pci: Fix dr_mode misspelling
usb_get_dr_mode() expects the device-property to be spelled
"dr_mode" not "dr-mode".
Spelling it properly fixes the following warning showing up in dmesg:
[ 8704.500545] dwc3 dwc3.2.auto: Configuration mismatch. dr_mode forced to gadget
Felipe Balbi [Fri, 23 Dec 2016 12:40:40 +0000 (14:40 +0200)]
usb: dwc3: core: avoid Overflow events
Now that we're handling so many transfers at a time
and for some dwc3 revisions LPM events *must* be
enabled, we can fall into a situation where too many
events fire and we start receiving Overflow events.
Let's do what XHCI does and allocate a full page for
the Event Ring, this will avoid any future issues.
Felipe Balbi [Tue, 20 Dec 2016 12:14:40 +0000 (14:14 +0200)]
usb: dwc3: gadget: always unmap EP0 requests
commit 0416e494ce7d ("usb: dwc3: ep0: correct cache
sync issue in case of ep0_bounced") introduced a bug
where we would leak DMA resources which would cause
us to starve the system of them resulting in failing
DMA transfers.
Fix the bug by making sure that we always unmap EP0
requests since those are *always* mapped.
Felipe Balbi [Tue, 20 Dec 2016 11:57:32 +0000 (13:57 +0200)]
usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb()
For now this is just a cleanup patch, no functional
changes. We will be using the new function to fix a
bug introduced long ago by commit 0416e494ce7d
("usb: dwc3: ep0: correct cache sync issue in case
of ep0_bounced") and further worsened by commit c0bd5456a470 ("usb: dwc3: ep0: handle non maxpacket
aligned transfers > 512")
Stefan Wahren [Sun, 20 Nov 2016 21:26:03 +0000 (21:26 +0000)]
usb: dwc2: fix dwc2_get_device_property for u8 and u16
According to the Devicetree ePAPR [1] the datatypes u8 and u16 are
not defined. So using device_property_read_u16() would result in
a partial read of a 32-bit big-endian integer which is not intended.
So we better read the complete 32-bit value. This fixes a regression
on bcm2835 where the values for g-rx-fifo-size and g-np-tx-fifo-size
always read as zero:
Invalid value 0 for param g-rx-fifo-size
Invalid value 0 for param g-np-tx-fifo-size
Stefan Wahren [Sun, 20 Nov 2016 21:26:02 +0000 (21:26 +0000)]
usb: dwc2: Do not set host parameter in peripheral mode
Since commit "usb: dwc2: Improve handling of host and device hwparams" the
host mode specific hardware parameter aren't initialized in peripheral mode
from the register settings anymore. So we better do not set them in this
case which avoids the following warnings on bcm2835:
256 invalid for host_nperio_tx_fifo_size. Check HW configuration.
512 invalid for host_perio_tx_fifo_size. Check HW configuration.
Fixes: 55e1040e424b ("usb: dwc2: Improve handling of host and device hwparams") Acked-by: John Youn <[email protected]> Signed-off-by: Stefan Wahren <[email protected]> Signed-off-by: Felipe Balbi <[email protected]>
Vladimir Murzin [Fri, 2 Dec 2016 15:05:38 +0000 (15:05 +0000)]
ARM: i.MX: remove map_io callback
There is no need to define map_io only for debug_ll_io_init() since it
is already called in devicemaps_init() if map_io is NULL.
Apart from that, for NOMMU build debug_ll_io_init() is a nop which
leads to following error:
CC arch/arm/mach-imx/mach-imx1.o
arch/arm/mach-imx/mach-imx1.c:40:13: error: 'debug_ll_io_init' undeclared here (not in a function)
.map_io = debug_ll_io_init,
^
make[1]: *** [arch/arm/mach-imx/mach-imx1.o] Error 1
The NANDF_CS2 pad is also part of the wlan-vmmcgrp iomux group.
Removing is from the usdhc2grp group avoids the following error:
imx6q-pinctrl 20e0000.iomuxc: pin MX6Q_PAD_NANDF_CS2 already requested
by regulators:regulator@4; cannot claim for 2194000.usdhc
imx6q-pinctrl 20e0000.iomuxc: pin-187 (2194000.usdhc) status -22
imx6q-pinctrl 20e0000.iomuxc: could not request pin 187
(MX6Q_PAD_NANDF_CS2) from group usdhc2grp on device 20e0000.iomuxc
David S. Miller [Mon, 2 Jan 2017 03:07:25 +0000 (22:07 -0500)]
Merge branch 'l2tp-socket-lookup-fixes'
Guillaume Nault says:
====================
l2tp: socket lookup fixes for l2tp_ip and l2tp_ip6
There are still some cases that aren't correctly handled in the socket
lookup functions of l2tp_ip and l2tp_ip6. This series fixes lookups for
connected sockets and for sockets bound to the IPv6 unspecified
address.
bind() and connect() should now work as expected on IPPROTO_L2TP
sockets. Extra features, like SO_REUSEADDR, remain unsupported.
The matching conditions in __l2tp_ip6_bind_lookup() and
__l2tp_ip_bind_lookup() are getting hard to read. I've kept the single
test approach to make the intend of the patches clear. I'll split the
conditionals once these fixes reach net-next.
====================
Guillaume Nault [Fri, 30 Dec 2016 18:48:20 +0000 (19:48 +0100)]
l2tp: take remote address into account in l2tp_ip and l2tp_ip6 socket lookups
For connected sockets, __l2tp_ip{,6}_bind_lookup() needs to check the
remote IP when looking for a matching socket. Otherwise a connected
socket can receive traffic not originating from its peer.
Drop l2tp_ip_bind_lookup() and l2tp_ip6_bind_lookup() instead of
updating their prototype, as these functions aren't used.
Guillaume Nault [Fri, 30 Dec 2016 18:48:19 +0000 (19:48 +0100)]
l2tp: consider '::' as wildcard address in l2tp_ip6 socket lookup
An L2TP socket bound to the unspecified address should match with any
address. If not, it can't receive any packet and __l2tp_ip6_bind_lookup()
can't prevent another socket from binding on the same device/tunnel ID.
While there, rename the 'addr' variable to 'sk_laddr' (local addr), to
make following patch clearer.
Linus Torvalds [Sun, 1 Jan 2017 20:27:05 +0000 (12:27 -0800)]
Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
Pull DAX updates from Dan Williams:
"The completion of Jan's DAX work for 4.10.
As I mentioned in the libnvdimm-for-4.10 pull request, these are some
final fixes for the DAX dirty-cacheline-tracking invalidation work
that was merged through the -mm, ext4, and xfs trees in -rc1. These
patches were prepared prior to the merge window, but we waited for
4.10-rc1 to have a stable merge base after all the prerequisites were
merged.
Quoting Jan on the overall changes in these patches:
"So I'd like all these 6 patches to go for rc2. The first three
patches fix invalidation of exceptional DAX entries (a bug which
is there for a long time) - without these patches data loss can
occur on power failure even though user called fsync(2). The other
three patches change locking of DAX faults so that ->iomap_begin()
is called in a more relaxed locking context and we are safe to
start a transaction there for ext4"
These have received a build success notification from the kbuild
robot, and pass the latest libnvdimm unit tests. There have not been
any -next releases since -rc1, so they have not appeared there"
* 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
ext4: Simplify DAX fault path
dax: Call ->iomap_begin without entry lock during dax fault
dax: Finish fault completely when loading holes
dax: Avoid page invalidation races and unnecessary radix tree traversals
mm: Invalidate DAX radix tree entries only if appropriate
ext2: Return BH_New buffers for zeroed blocks
Eric Biggers [Fri, 30 Dec 2016 23:42:32 +0000 (17:42 -0600)]
net: socket: don't set sk_uid to garbage value in ->setattr()
->setattr() was recently implemented for socket files to sync the socket
inode's uid to the new 'sk_uid' member of struct sock. It does this by
copying over the ia_uid member of struct iattr. However, ia_uid is
actually only valid when ATTR_UID is set in ia_valid, indicating that
the uid is being changed, e.g. by chown. Other metadata operations such
as chmod or utimes leave ia_uid uninitialized. Therefore, sk_uid could
be set to a "garbage" value from the stack.
Fix this by only copying the uid over when ATTR_UID is set.
PM / domains: Fix 'may be used uninitialized' build warning
This patch fixes the following gcc warning:
drivers/base/power/domain.c: In function ‘genpd_runtime_resume’:
drivers/base/power/domain.c:642:14: warning: ‘time_start’ may be used
uninitialized in this function [-Wmaybe-uninitialized]
elapsed_ns = ktime_to_ns(ktime_sub(ktime_get(), time_start)
The same problem (in another function in this same file) was fixed in
commit d33d5a6c88fc (avoid spurious "may be used uninitialized" warning)
cpufreq: intel_pstate: Always keep all limits settings in sync
Make intel_pstate update per-logical-CPU limits when the global
settings are changed to ensure that they are always in sync and
users will not see confusing values in per-logical-CPU sysfs
attributes.
This also fixes the problem that setting the "no_turbo" global
attribute to 1 in the "passive" mode (ie. when intel_pstate acts
as a regular cpufreq driver) when scaling_governor is set to
"performance" has no effect.
cpufreq: intel_pstate: Use locking in intel_cpufreq_verify_policy()
Race conditions are possible if intel_cpufreq_verify_policy()
is executed in parallel with global limits updates from sysfs,
so the invocation of intel_pstate_update_perf_limits() in it
should be carried out under intel_pstate_limits_lock.
cpufreq: intel_pstate: Use locking in intel_pstate_resume()
Theoretically, intel_pstate_resume() may be executed in parallel
with intel_pstate_set_policy(), if the latter is invoked via
cpufreq_update_policy() as a result of a notification, so use
intel_pstate_limits_lock in there too to avoid race conditions.
Which is because we read a raw value for 1g as 64 which is
the nominal 1024 for 1g shifted 4 bits to the left by being
right-aligned rather than left aligned.
Since all other sensors are left aligned, add some code to
set the special DAS (data alignment setting) bit to 1 so that
the right value is now read like this:
The scaling was weird as well: we have a gain of 1000 for 1g
and 3000 for 6g. I don't even remember how I came up with the
old values but they are wrong.
Lorenzo Bianconi [Wed, 16 Nov 2016 21:15:28 +0000 (22:15 +0100)]
iio: common: st_sensors: fix channel data parsing
Using realbits as i2c/spi read len, when that value is not byte aligned
(e.g 12 bits), lead to skip msb part of out data registers.
Fix this taking into account scan_type.shift in addition to
scan_type.realbits as read length:
read_len = DIV_ROUND_UP(realbits + shift, 8)
This fix has been tested on 8, 12, 16, 24 bit sensors
Eric Biggers [Mon, 19 Dec 2016 22:20:13 +0000 (14:20 -0800)]
fscrypt: fix renaming and linking special files
Attempting to link a device node, named pipe, or socket file into an
encrypted directory through rename(2) or link(2) always failed with
EPERM. This happened because fscrypt_has_permitted_context() saw that
the file was unencrypted and forbid creating the link. This behavior
was unexpected because such files are never encrypted; only regular
files, directories, and symlinks can be encrypted.
To fix this, make fscrypt_has_permitted_context() always return true on
special files.
This will be covered by a test in my encryption xfstests patchset.
Akinobu Mita [Wed, 28 Dec 2016 17:16:36 +0000 (02:16 +0900)]
iio: max44000: correct value in illuminance_integration_time_available
According to the datasheet, the shortest available integration time for
ALS ADC conversion is 1.5625ms but illuminance_integration_time_available
sysfs file shows wrong value.
Linus Torvalds [Fri, 30 Dec 2016 17:32:26 +0000 (09:32 -0800)]
Merge tag 'docs-4.10-rc1-fix' of git://git.lwn.net/linux
Pull documentation fixes from Jonathan Corbet:
"Two small fixes:
- A merge error on my part broke the DocBook build. I've
requisitioned one of tglx's frozen sharks for appropriate
disciplinary action and resolved to be more careful about testing
the DocBook stuff as long as it's still around.
- Fix an error in unaligned-memory-access.txt"
* tag 'docs-4.10-rc1-fix' of git://git.lwn.net/linux:
Documentation/unaligned-memory-access.txt: fix incorrect comparison operator
docs: Fix build failure
Sudeep Holla [Tue, 13 Dec 2016 14:24:53 +0000 (14:24 +0000)]
arm64: dts: vexpress: Support GICC_DIR operations
The GICv2 CPU interface registers span across 8K, not 4K as indicated in
the DT. Only the GICC_DIR register is located after the initial 4K
boundary, leaving a functional system but without support for separately
EOI'ing and deactivating interrupts.
After this change the system supports split priority drop and interrupt
deactivation. This patch is based on similar one from Christoffer Dall:
commit 368400e242dc ("ARM: dts: vexpress: Support GICC_DIR operations")
The reason is that the compiler tries to do a comparison of
a 64-bit range. This changes it to convert to a 32-bit number
explicitly first, as newer compilers do for themselves.
Alex Williamson [Fri, 30 Dec 2016 15:13:41 +0000 (08:13 -0700)]
vfio-mdev: Make mdev_parent private
Rather than hoping for good behavior by marking some elements
internal, enforce it by making the entire structure private and
creating an accessor function for the one useful external field.
Alex Williamson [Fri, 30 Dec 2016 15:13:33 +0000 (08:13 -0700)]
vfio-mdev: Fix remove race
Using the mtty mdev sample driver we can generate a remove race by
starting one shell that continuously creates mtty devices and several
other shells all attempting to remove devices, in my case four remove
shells. The fault occurs in mdev_remove_sysfs_files() where the
passed type arg is NULL, which suggests we've received a struct device
in mdev_device_remove() but it's in some sort of teardown state. The
solution here is to make use of the accidentally unused list_head on
the mdev_device such that the mdev core keeps a list of all the mdev
devices. This allows us to validate that we have a valid mdev before
we start removal, remove it from the list to prevent others from
working on it, and if the vendor driver refuses to remove, we can
re-add it to the list.
Alex Williamson [Fri, 30 Dec 2016 15:13:31 +0000 (08:13 -0700)]
vfio/type1: Restore mapping performance with mdev support
As part of the mdev support, type1 now gets a task reference per
vfio_dma and uses that to get an mm reference for the task while
working on accounting. That's correct, but it's not fast. For some
paths, like vfio_pin_pages_remote(), we know we're only called from
user context, so we can restore the lighter weight calls. In other
cases, we're effectively already testing whether we're in the stored
task context elsewhere, extend this vfio_lock_acct() as well.
Christoffer Dall [Sat, 10 Dec 2016 20:13:51 +0000 (21:13 +0100)]
ARM: dts: vexpress: Support GICC_DIR operations
The GICv2 CPU interface registers span across 8K, not 4K as indicated in
the DT. Only the GICC_DIR register is located after the initial 4K
boundary, leaving a functional system but without support for separately
EOI'ing and deactivating interrupts.
After this change the system supports split priority drop and interrupt
deactivation.
firmware: arm_scpi: fix reading sensor values on pre-1.0 SCPI firmwares
The pre-1.0 SCPI firmwares are using single __le32 as sensor value,
while the SCPI v1.0 protocol uses two __le32 as sensor values(64bit)
split into 32bit upper and 32bit lower value.
Using an "struct sensor_value" to read the sensor value on a pre-1.0
SCPI firmware gives garbage in the "hi_val" field.
This patch fixes the issue by reading only the lower 32-bit value for
all pre-1.0 SCPI versions.
Chanwoo Choi [Fri, 30 Dec 2016 04:14:18 +0000 (13:14 +0900)]
pinctrl: samsung: Fix the width of PINCFG_TYPE_DRV bitfields for Exynos5433
This patch fixes the wrong width of PINCFG_TYPE_DRV bitfields for Exynos5433
because PINCFG_TYPE_DRV of Exynos5433 has 4bit fields in the *_DRV
registers. Usually, other Exynos have 2bit field for PINCFG_TYPE_DRV.
Marcin Niestroj [Thu, 8 Dec 2016 14:22:58 +0000 (15:22 +0100)]
iio: bmi160: Fix time needed to sleep after command execution
Datasheet specifies typical and maximum execution times for which CMD
register is occupied after previous command execution. We took these
values as minimum and maximum time for usleep_range() call before making
a new command execution.
To be sure, that the CMD register is no longer occupied we need to wait
*at least* the maximum time specified by datasheet.
David Ahern [Thu, 29 Dec 2016 23:29:03 +0000 (15:29 -0800)]
net: ipv4: dst for local input routes should use l3mdev if relevant
IPv4 output routes already use l3mdev device instead of loopback for dst's
if it is applicable. Change local input routes to do the same.
This fixes icmp responses for unreachable UDP ports which are directed
to the wrong table after commit 9d1a6c4ea43e4 because local_input
routes use the loopback device. Moving from ingress device to loopback
loses the L3 domain causing responses based on the dst to get to lost.
Fixes: 9d1a6c4ea43e4 ("net: icmp_route_lookup should use rt dev to
determine L3 domain") Signed-off-by: David Ahern <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Sergei Shtylyov [Thu, 29 Dec 2016 21:07:38 +0000 (00:07 +0300)]
sh_eth: fix branch prediction in sh_eth_interrupt()
IIUC, likely()/unlikely() should apply to the whole *if* statement's
expression, not a part of it -- fix such expression in sh_eth_interrupt()
accordingly...
Fixes: 283e38db65e7 ("sh_eth: Fix serialisation of interrupt disable with interrupt & NAPI handlers") Signed-off-by: Sergei Shtylyov <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Olof Johansson [Thu, 29 Dec 2016 22:16:07 +0000 (14:16 -0800)]
mm/filemap: fix parameters to test_bit()
mm/filemap.c: In function 'clear_bit_unlock_is_negative_byte':
mm/filemap.c:933:9: error: too few arguments to function 'test_bit'
return test_bit(PG_waiters);
^~~~~~~~
Fixes: b91e1302ad9b ('mm: optimize PageWaiters bit use for unlock_page()') Signed-off-by: Olof Johansson <[email protected]> Brown-paper-bag-by: Linus Torvalds <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>
Helge Deller [Tue, 27 Dec 2016 17:03:50 +0000 (18:03 +0100)]
parisc: Drop TIF_RESTORE_SIGMASK and switch to generic code
Commit 7e7814180b33 ("signal: consolidate {TS,TLF}_RESTORE_SIGMASK code")
introduced code with which the "restore sigmask" flag lives in task_struct
instead of ti->flags. Let's use this optimization on parisc too.
Helge Deller [Mon, 26 Dec 2016 11:46:01 +0000 (12:46 +0100)]
parisc: Mark cr16 clocksource unstable on SMP systems
The cr16 interval timer of each CPU is not syncronized to other cr16
timers in other CPUs in a SMP system. So, delay the registration of the
cr16 clocksource until all CPUs have been detected and then - if we are
on a SMP machine - mark the cr16 clocksource as unstable and lower it's
rating before registering it at the clocksource framework.
This patch fixes the stalled CPU warnings which we have seen since
introduction of the cr16 clocksource.
Neil Armstrong [Tue, 6 Dec 2016 14:08:16 +0000 (15:08 +0100)]
pinctrl: meson: fix gpio request disabling other modes
The pinctrl_gpio_request is called with the "full" gpio number, already
containing the base, then meson_pmx_request_gpio is then called with the
final pin number.
Remove the base addition when calling meson_pmx_disable_other_groups.
Jack Morgenstein [Thu, 29 Dec 2016 16:37:13 +0000 (18:37 +0200)]
net/mlx4_core: Fix raw qp flow steering rules under SRIOV
Demoting simple flow steering rule priority (for DPDK) was achieved by
wrapping FW commands MLX4_QP_FLOW_STEERING_ATTACH/DETACH for the PF
as well, and forcing the priority to MLX4_DOMAIN_NIC in the wrapper
function for the PF and all VFs.
In function mlx4_ib_create_flow(), this change caused the main rule
creation for the PF to be wrapped, while it left the associated
tunnel steering rule creation unwrapped for the PF.
This mismatch caused rule deletion failures in mlx4_ib_destroy_flow()
for the PF when the detach wrapper function did not find the associated
tunnel-steering rule (since creation of that rule for the PF did not
go through the wrapper function).
Fix this by setting MLX4_QP_FLOW_STEERING_ATTACH/DETACH to be "native"
(so that the PF invocation does not go through the wrapper), and perform
the required priority demotion for the PF in the mlx4_ib_create_flow()
code path.
Fixes: 48564135cba8 ("net/mlx4_core: Demote simple multicast and broadcast flow steering rules") Signed-off-by: Jack Morgenstein <[email protected]> Signed-off-by: Tariq Toukan <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Slava Shwartsman [Thu, 29 Dec 2016 16:37:12 +0000 (18:37 +0200)]
net/mlx4_en: Fix type mismatch for 32-bit systems
is_power_of_2 expects unsigned long and we pass u64 max_val_cycles,
this will be truncated on 32 bit systems, and the result is not what we
were expecting.
div_u64 expects u32 as a second argument and we pass
max_val_cycles_rounded which is u64 hence it will always be truncated.
Fix was tested on both 64 and 32 bit systems and got same results for
max_val_cycles and max_val_cycles_rounded.
Fixes: 4850cf458157 ("net/mlx4_en: Resolve dividing by zero in 32-bit system") Signed-off-by: Slava Shwartsman <[email protected]> Signed-off-by: Tariq Toukan <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Leon Romanovsky [Thu, 29 Dec 2016 16:37:11 +0000 (18:37 +0200)]
net/mlx4: Remove BUG_ON from ICM allocation routine
This patch removes BUG_ON() macro from mlx4_alloc_icm_coherent()
by checking DMA address alignment in advance and performing proper
folding in case of error.
Single send WQE in RX buffer should be stamped with software
ownership in order to prevent the flow of QP in error in FW
once UPDATE_QP is called.
Fixes: 9f519f68cfff ('mlx4_en: Not using Shared Receive Queues') Signed-off-by: Eugenia Emantayev <[email protected]> Signed-off-by: Tariq Toukan <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Jack Morgenstein [Thu, 29 Dec 2016 16:37:09 +0000 (18:37 +0200)]
net/mlx4_core: Use-after-free causes a resource leak in flow-steering detach
mlx4_QP_FLOW_STEERING_DETACH_wrapper first removes the steering
rule (which results in freeing the rule structure), and then
references a field in this struct (the qp number) when releasing the
busy-status on the rule's qp.
Since this memory was freed, it could reallocated and changed.
Therefore, the qp number in the struct may be incorrect,
so that we are releasing the incorrect qp. This leaves the rule's qp
in the busy state (and could possibly release an incorrect qp as well).
Fix this by saving the qp number in a local variable, for use after
removing the steering rule.
Fixes: 2c473ae7e582 ("net/mlx4_core: Disallow releasing VF QPs which have steering rules") Signed-off-by: Jack Morgenstein <[email protected]> Signed-off-by: Tariq Toukan <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Wei Zhang [Thu, 29 Dec 2016 08:45:04 +0000 (16:45 +0800)]
net: fix incorrect original ingress device index in PKTINFO
When we send a packet for our own local address on a non-loopback
interface (e.g. eth0), due to the change had been introduced from
commit 0b922b7a829c ("net: original ingress device index in PKTINFO"), the
original ingress device index would be set as the loopback interface.
However, the packet should be considered as if it is being arrived via the
sending interface (eth0), otherwise it would break the expectation of the
userspace application (e.g. the DHCPRELEASE message from dhcp_release
binary would be ignored by the dnsmasq daemon, since it come from lo which
is not the interface dnsmasq bind to)
Fixes: 0b922b7a829c ("net: original ingress device index in PKTINFO") Acked-by: David Ahern <[email protected]> Signed-off-by: Wei Zhang <[email protected]> Signed-off-by: David S. Miller <[email protected]>
We miss to check if the netlink message is actually big enough to contain
a struct if_stats_msg.
Add a check to prevent userland from sending us short messages that would
make us access memory beyond the end of the message.
Fixes: 10c9ead9f3c6 ("rtnetlink: add new RTM_GETSTATS message to dump...") Signed-off-by: Mathias Krause <[email protected]> Cc: Roopa Prabhu <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Linus Torvalds [Tue, 27 Dec 2016 19:40:38 +0000 (11:40 -0800)]
mm: optimize PageWaiters bit use for unlock_page()
In commit 62906027091f ("mm: add PageWaiters indicating tasks are
waiting for a page bit") Nick Piggin made our page locking no longer
unconditionally touch the hashed page waitqueue, which not only helps
performance in general, but is particularly helpful on NUMA machines
where the hashed wait queues can bounce around a lot.
However, the "clear lock bit atomically and then test the waiters bit"
sequence turns out to be much more expensive than it needs to be,
because you get a nasty stall when trying to access the same word that
just got updated atomically.
On architectures where locking is done with LL/SC, this would be trivial
to fix with a new primitive that clears one bit and tests another
atomically, but that ends up not working on x86, where the only atomic
operations that return the result end up being cmpxchg and xadd. The
atomic bit operations return the old value of the same bit we changed,
not the value of an unrelated bit.
On x86, we could put the lock bit in the high bit of the byte, and use
"xadd" with that bit (where the overflow ends up not touching other
bits), and look at the other bits of the result. However, an even
simpler model is to just use a regular atomic "and" to clear the lock
bit, and then the sign bit in eflags will indicate the resulting state
of the unrelated bit #7.
So by moving the PageWaiters bit up to bit #7, we can atomically clear
the lock bit and test the waiters bit on x86 too. And architectures
with LL/SC (which is all the usual RISC suspects), the particular bit
doesn't matter, so they are fine with this approach too.
This avoids the extra access to the same atomic word, and thus avoids
the costly stall at page unlock time.
The only downside is that the interface ends up being a bit odd and
specialized: clear a bit in a byte, and test the sign bit. Nick doesn't
love the resulting name of the new primitive, but I'd rather make the
name be descriptive and very clear about the limitation imposed by
trying to work across all relevant architectures than make it be some
generic thing that doesn't make the odd semantics explicit.
So this introduces the new architecture primitive
clear_bit_unlock_is_negative_byte();
and adds the trivial implementation for x86. We have a generic
non-optimized fallback (that just does a "clear_bit()"+"test_bit(7)"
combination) which can be overridden by any architecture that can do
better. According to Nick, Power has the same hickup x86 has, for
example, but some other architectures may not even care.
All these optimizations mean that my page locking stress-test (which is
just executing a lot of small short-lived shell scripts: "make test" in
the git source tree) no longer makes our page locking look horribly bad.
Before all these optimizations, just the unlock_page() costs were just
over 3% of all CPU overhead on "make test". After this, it's down to
0.66%, so just a quarter of the cost it used to be.
(The difference on NUMA is bigger, but there this micro-optimization is
likely less noticeable, since the big issue on NUMA was not the accesses
to 'struct page', but the waitqueue accesses that were already removed
by Nick's earlier commit).
Florian Fainelli [Wed, 28 Dec 2016 23:44:41 +0000 (15:44 -0800)]
net: stmmac: Fix error path after register_netdev move
Commit 5701659004d6 ("net: stmmac: Fix race between stmmac_drv_probe and
stmmac_open") re-ordered how the MDIO bus registration and the network
device are registered, but missed to unwind the MDIO bus registration in
case we fail to register the network device.
Fixes: 5701659004d6 ("net: stmmac: Fix race between stmmac_drv_probe and stmmac_open") Signed-off-by: Florian Fainelli <[email protected]> Acked-by: Kweh, Hock Leong <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Zheng Li [Wed, 28 Dec 2016 15:23:46 +0000 (23:23 +0800)]
ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output
There is an inconsistent conditional judgement between __ip6_append_data
and ip6_finish_output functions, the variable length in __ip6_append_data
just include the length of application's payload and udp6 header, don't
include the length of ipv6 header, but in ip6_finish_output use
(skb->len > ip6_skb_dst_mtu(skb)) as judgement, and skb->len include the
length of ipv6 header.
That causes some particular application's udp6 payloads whose length are
between (MTU - IPv6 Header) and MTU were fragmented by ip6_fragment even
though the rst->dev support UFO feature.
Add the length of ipv6 header to length in __ip6_append_data to keep
consistent conditional judgement as ip6_finish_output for ip6 fragment.
This patch adds required memory carveouts so that the kernel does not
access memory that is in use or has been reserved for use by other remote
processors.
net: atm: Fix warnings in net/atm/lec.c when !CONFIG_PROC_FS
This patch fixes the following warnings when CONFIG_PROC_FS is not set:
linux/net/atm/lec.c: In function ‘lane_module_cleanup’:
linux/net/atm/lec.c:1062:27: error: ‘atm_proc_root’ undeclared (first
use in this function)
remove_proc_entry("lec", atm_proc_root);
^
linux/net/atm/lec.c:1062:27: note: each undeclared identifier is
reported only once for each function it appears in
for -stable:
net/mlx5: Check FW limitations on log_max_qp before setting it
net/mlx5: Cancel recovery work in remove flow
net/mlx5: Avoid shadowing numa_node
net/mlx5: Mask destination mac value in ethtool steering rules
net/mlx5: Prevent setting multicast macs for VFs
net/mlx5e: Don't sync netdev state when not registered
net/mlx5e: Disable netdev after close
====================
Saeed Mahameed [Wed, 28 Dec 2016 12:58:42 +0000 (14:58 +0200)]
net/mlx5e: Disable netdev after close
Disable netdev should come after it was closed, although no harm of doing it
before -hence the MLX5E_STATE_DESTROYING bit- but it is more natural this way.
Fixes: 26e59d8077a3 ("net/mlx5e: Implement mlx5e interface attach/detach callbacks") Signed-off-by: Saeed Mahameed <[email protected]> Reviewed-by: Mohamad Haj Yahia <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Saeed Mahameed [Wed, 28 Dec 2016 12:58:41 +0000 (14:58 +0200)]
net/mlx5e: Don't sync netdev state when not registered
Skip setting netdev vxlan ports and netdev rx_mode on driver load
when netdev is not yet registered.
Synchronizing with netdev state is needed only on reset flow where the
netdev remains registered for the whole reset period.
This also fixes an access before initialization of net_device.addr_list_lock
- which for some reason initialized on register_netdev - where we queued
set_rx_mode work on driver load before netdev registration.
Fixes: 26e59d8077a3 ("net/mlx5e: Implement mlx5e interface attach/detach callbacks") Signed-off-by: Saeed Mahameed <[email protected]> Reported-by: Sebastian Ott <[email protected]> Reviewed-by: Mohamad Haj Yahia <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Huy Nguyen [Wed, 28 Dec 2016 12:58:40 +0000 (14:58 +0200)]
net/mlx5e: Check ets capability before initializing ets settings
During the initial setup, the ets command is sent to firmware
without checking if the HCA supports ets. This causes the invalid
command error. Add the ets capiblity check before sending firmware
command to initialize ets settings.
Fixes: e207b7e99176 ("net/mlx5e: ConnectX-4 firmware support for DCBX") Signed-off-by: Huy Nguyen <[email protected]> Signed-off-by: Saeed Mahameed <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Gal Pressman [Wed, 28 Dec 2016 12:58:38 +0000 (14:58 +0200)]
Revert "net/mlx5e: Expose PCIe statistics to ethtool"
This reverts commit 9c7262399ba12825f3ca4b00a76d8d5e77c720f5.
PCIe counters were introduced in a new firmware version, as a result users
with old firmware encountered a syndrome every 200ms due to update stats
work. This feature will be re-introduced later with appropriate capabilities
infrastructure.
Fixes: 9c7262399ba1 ("net/mlx5e: Expose PCIe statistics to ethtool") Signed-off-by: Gal Pressman <[email protected]> Reported-by: Jesper Dangaard Brouer <[email protected]> Signed-off-by: Saeed Mahameed <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Maor Gottlieb [Wed, 28 Dec 2016 12:58:35 +0000 (14:58 +0200)]
net/mlx5: Mask destination mac value in ethtool steering rules
We need to mask the destination mac value with the destination mac
mask when adding steering rule via ethtool.
Fixes: 1174fce8d1410 ('net/mlx5e: Support l3/l4 flow type specs in ethtool flow steering') Signed-off-by: Maor Gottlieb <[email protected]> Signed-off-by: Saeed Mahameed <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Eli Cohen [Wed, 28 Dec 2016 12:58:34 +0000 (14:58 +0200)]
net/mlx5: Avoid shadowing numa_node
Avoid using a local variable named numa_node to avoid shadowing a public
one.
Fixes: db058a186f98 ('net/mlx5_core: Set irq affinity hints') Signed-off-by: Eli Cohen <[email protected]> Signed-off-by: Saeed Mahameed <[email protected]> Signed-off-by: David S. Miller <[email protected]>
projects / linux.git / log