iscsi-target: Fix use-after-free during TPG session shutdown
This patch fixes a use-after-free bug in iscsit_release_sessions_for_tpg()
where se_portal_group->session_lock was incorrectly released/re-acquired
while walking the active se_portal_group->tpg_sess_list.
The can result in a NULL pointer dereference when iscsit_close_session()
shutdown happens in the normal path asynchronously to this code, causing
a bogus dereference of an already freed list entry to occur.
To address this bug, walk the session list checking for the same state
as before, but move entries to a local list to avoid dropping the lock
while walking the active list.
As before, signal using iscsi_session->session_restatement=1 for those
list entries to be released locally by iscsit_free_session() code.
qla2xxx: terminate exchange when command is aborted by LIO
The newly introduced aborted_task TFO callback has to terminate
exchange with QLogic driver, since command is being deleted and
no status will be queued to the driver at a later point.
This patch also moves the burden of releasing one cmd refcount to
the aborted_task handler.
Changed iSCSI aborted_task logic to satisfy the above requirement.
qla2xxx: drop cmds/tmrs arrived while session is being deleted
If a new initiator (different WWN) shows up on the same fcport, old
initiator's session is scheduled for deletion. But there is a small
window between it being marked with QLA_SESS_DELETION_IN_PROGRESS
and qlt_unret_sess getting called when new session's commands will
keep finding old session in the fcport map.
This patch drops cmds/tmrs if they find session in the progress of
being deleted.
qla2xxx: disable scsi_transport_fc registration in target mode
There are multiple reasons for disabling this:
1. It provides no functional benefit. We pretty much only get a few more
sysfs entries for each port, but all that information is already
available from /sys/kernel/debug/target/qla-session-X
2. It already only works in private-loop mode. By disabling we'll be
getting more uniform behavior with fabric mode.
3. It creates complications for the new PLOGI handling mechanism:
scsi_transport_fc port deletion timer could race with new session
from initiator and cause logout after successful login.
qla2xxx: added sess generations to detect RSCN update races
RSCN processing in qla2xxx driver can run in parallel with ELS/IO
processing. As such the decision to remove disappeared fc port's
session could be stale, because a new login sequence has occurred
since and created a brand new session.
Previous mechanism of dealing with this by delaying deletion request
was prone to erroneous deletions if the event that was supposed to
cancel the deletion never arrived or has been delayed in processing.
New mechanism relies on a time-like generation counter to serialize
RSCN updates relative to ELS/IO updates.
qla2xxx: delay plogi/prli ack until existing sessions are deleted
- keep qla_tgt_sess object on the session list until it's freed
- modify use of sess->deleted flag to differentiate delayed
session deletion that can be cancelled from irreversible one:
QLA_SESS_DELETION_PENDING vs QLA_SESS_DELETION_IN_PROGRESS
- during IN_PROGRESS deletion all newly arrived commands and TMRs will
be rejected, existing commands and TMRs will be terminated when
given by the core to the fabric or simply dropped if session logout
has already happened (logout terminates all existing exchanges)
- new PLOGI will initiate deletion of the following sessions
(unless deletion is already IN_PROGRESS):
- with the same port_name (with logout)
- different port_name, different loop_id but the same port_id
(with logout)
- different port_name, different port_id, but the same loop_id
(without logout)
- additionally each new PLOGI will store imm notify iocb in the
same port_name session being deleted. When deletion process
completes this iocb will be acked. Only the most recent PLOGI
iocb is stored. The older ones will be terminated when replaced.
- new PRLI will initiate deletion of the following sessions
(unless deletion is already IN_PROGRESS):
- different port_name, different port_id, but the same loop_id
(without logout)
qla2xxx: cleanup cmd in qla workqueue before processing TMR
Since cmds go into qla_tgt_wq and TMRs don't, it's possible that TMR
like TASK_ABORT can be queued over the cmd for which it was meant.
To avoid this race, use a per-port list to keep track of cmds that
are enqueued to qla_tgt_wq but not yet processed. When a TMR arrives,
iterate through this list and remove any cmds that match the TMR.
This patch supports TASK_ABORT and LUN_RESET.
Roland Dreier [Tue, 14 Jul 2015 20:00:42 +0000 (16:00 -0400)]
qla2xxx: kill sessions/log out initiator on RSCN and port down events
To fix some issues talking to ESX, this patch modifies the qla2xxx driver
so that it never logs into remote ports. This has the side effect of
getting rid of the "rports" entirely, which means we never log out of
initiators and never tear down sessions when an initiator goes away.
This is mostly OK, except that we can run into trouble if we have
initiator A assigned FC address X:Y:Z by the fabric talking to us, and
then initiator A goes away. Some time (could be a long time) later,
initiator B comes along and also gets FC address X:Y:Z (which is
available again, because initiator A is gone). If initiator B starts
talking to us, then we'll still have the session for initiator A, and
since we look up incoming IO based on the FC address X:Y:Z, initiator B
will end up using ACLs for initiator A.
Fix this by:
1. Handling RSCN events somewhat differently; instead of completely
skipping the processing of fcports, we look through the list, and if
an fcport disappears, we tell the target code the tear down the
session and tell the HBA FW to release the N_Port handle.
2. Handling "port down" events by flushing all of our sessions. The
firmware was already releasing the N_Port handle but we want the
target code to drop all the sessions too.
Quinn Tran [Wed, 10 Jun 2015 15:05:20 +0000 (11:05 -0400)]
qla2xxx: release request queue reservation.
Request IOCB queue element(s) is reserved during
good path IO. Under error condition such as unable
to allocate IOCB handle condition, the IOCB count
that was reserved is not released.
Whoops, we've stumbled back onto group.device_lock and created a
deadlock. There's a low likelihood of ever seeing this play out, but
obviously it needs to be fixed. To do that we can use a reference to
the vfio_device for vfio_group_get_device_fd() rather than holding the
lock. There was a loop in this function, theoretically allowing
multiple devices with the same name, but in practice we don't expect
such a thing to happen and the code is already aborting from the loop
with break on any sort of error rather than continuing and only
parsing the first match anyway, so the loop was effectively unused
already.
Merge tag 'regulator-fix-v4.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
Pull regulator fixes from Mark Brown:
"As well as some driver specific fixes there's several fixes here for
the core support for regulators supplying other regulators fixing both
an issue with ACPI support (which had never been tested before) and
some error handling and device removal issues that Javier noticed"
* tag 'regulator-fix-v4.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: core: Fix memory leak in regulator_resolve_supply()
regulator: core: Increase refcount for regulator supply's module
regulator: core: Handle full constraints systems when resolving supplies
regulator: 88pm800: fix LDO vsel_mask value
regulator: max8973: Fix up control flag option for bias control
regulator: s2mps11: Fix GPIO suspend enable shift wrapping bug
Merge tag 'spi-fix-v4.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"A small collection of pretty much unremarkable driver specific fixes
here plus the addition of a new device ID to spidev which requires no
other code changes"
* tag 'spi-fix-v4.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: imx: Fix small DMA transfers
spi: zynq: missing break statement
spi: SPI_ZYNQMP_GQSPI should depend on HAS_DMA
spi: spidev: add compatible value for LTC2488
spi: img-spfi: fix support for speeds up to 1/4th input clock
Merge tag 'sound-4.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"This has been a calm week again: one minor lockdep fix for PCM core,
and the most of the rest are HD-audio quirks and fixups for various
chips and machines"
* tag 'sound-4.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: hda - Add headset mic pin quirk for a Dell device
ALSA: hda - remove one pin from ALC292_STANDARD_PINS
ALSA: hda - Add new GPU codec ID 0x10de007d to snd-hda
ALSA: hda: add new AMD PCI IDs with proper driver caps
ALSA: hda - Fix Skylake codec timeout
ALSA: hda - Add headset mic support for Acer Aspire V5-573G
ALSA: sparc: Add missing kfree in error path
ALSA: pcm: Fix lockdep warning with nonatomic PCM ops
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
Pull HID fixes from Jiri Kosina:
- kernel crash fixes for multitouch and wacom drivers, by Brent Adam
and Dan Carpenter
- cp2112 data packet race condition corruption fix, by Antonio Borneo
- a few new device IDs for wacom and microsoft drivers
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: cp2112: fix to force single data-report reply
HID: wacom: Enable pad device for older Bamboo Touch tablets
HID: multitouch: Fix fields from pen report ID being interpreted for multitouch
HID: microsoft: Add quirk for MS Surface Type/Touch cover
HID: wacom: NULL dereferences on error in probe()
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
"Aome amdgpu, one i915, one ttm and one hlcdc, nothing too scary.
All seems fine for about this time"
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm/ttm: recognize ARM64 arch in ioprot handler
drm/amdgpu/cz/dpm: properly report UVD and VCE clock levels
drm/amdgpu/cz: implement voltage validation properly
drm/amdgpu: add VCE harvesting instance query
drm/amdgpu: implement VCE 3.0 harvesting support (v4)
drm/amdgpu/dce10: Re-set VBLANK interrupt state when enabling a CRTC
drm/amdgpu/dce11: Re-set VBLANK interrupt state when enabling a CRTC
drm: Stop resetting connector state to unknown
drm/i915: Use two 32bit reads for select 64bit REG_READ ioctls
drm: atmel-hlcdc: fix vblank initial state
Merge tag 'asoc-fix-v4.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
ASoC: Fixes for v4.2
A lot of small fixes here, a few to the core:
- Fix for binding DAPM stream widgets on devices with prefixes assigned
to them
- Minor fixes for the newly added topology interfaces
- Locking and memory leak fixes for DAPM
- Driver specific fixes
Commit 4104d326b670 ("ftrace: Remove global function list and call function
directly") simplified the ftrace code by removing the global_ops list with a
new design. But this cleanup also broke the filtering of PIDs that are added
to the set_ftrace_pid file.
Add back the proper hooks to have pid filtering working once again.
Input: goodix - fix touch coordinates on WinBook TW100 and TW700
The touchscreen on the WinBook TW100 and TW700 don't match the default
display, with 0,0 touches being reported when touching at the bottom
right of the screen.
It's unfortunately impossible to detect this problem with data from the
DSDT, or other auxiliary metadata, so fallback to quirking this specific
model of tablet instead.
Devices may declare more LEDs than what is known to input-leds
(HID does this for some devices). Instead of showing ugly warnings
on connect and, even worse, oopsing on disconnect, let's simply
ignore LEDs that are not known to us.
Jason Gunthorpe [Wed, 22 Jul 2015 20:30:03 +0000 (14:30 -0600)]
IB/ipoib: Fix CONFIG_INFINIBAND_IPOIB_CM
If the above is turned off then ipoib_cm_dev_init unconditionally
returns ENOSYS, and the newly added error handling in
0b3957 prevents ipoib from coming up at all:
kernel: mlx4_0: ipoib_transport_dev_init failed
kernel: mlx4_0: failed to initialize port 1 (ret = -12)
Fixes: 0b39578bcde4 (IB/ipoib: Use dedicated workqueues per interface) Signed-off-by: Jason Gunthorpe <[email protected]> Signed-off-by: Doug Ledford <[email protected]>
Steve Wise [Wed, 22 Jul 2015 19:14:17 +0000 (14:14 -0500)]
RDMA/cxgb3: fail get_dma_mr on 64 bit arches
T3 HW only supports 32 bit MRs. If the system uses 64 bit memory
addresses, then a registered 32 bit MR will wrap and write to the
wrong memory when used with addresses > 4GB. To prevent this,
simply fail to allocate an MR on 64 bit machines (other means
of registering memory are still available and software can still
work, we just don't allow this means of memory registration).
Mark Brown [Fri, 24 Jul 2015 15:19:25 +0000 (16:19 +0100)]
Merge remote-tracking branches 'regulator/fix/88pm800', 'regulator/fix/max8973', 'regulator/fix/s2mps11' and 'regulator/fix/supply' into regulator-linus
DMA transfers must be greater than the watermark level size. spi_imx->rx_wml
and spi_imx->tx_wml contain the watermark level in 32bit words whereas struct
spi_transfer contains the transfer len in bytes. Fix the check if DMA is
possible for a transfer accordingly. This fixes transfers with sizes between
33 and 128 bytes for which previously was claimed that DMA is possible.
x86/asm/entry/32: Revert 'Do not use R9 in SYSCALL32' commit
This change reverts most of commit 53e9accf0f 'Do not use R9 in
SYSCALL32'. I don't yet understand how, but code in that commit
sometimes fails to preserve EBP.
See https://bugzilla.kernel.org/show_bug.cgi?id=101061
"Problems while executing 32-bit code on AMD64"
mmc: sdhci-pxav3: fix platform_data is not initialized
pdev->dev.platform_data is not initialized if match is true in function
sdhci_pxav3_probe. Just local variable pdata is assigned the return value
from function pxav3_get_mmc_pdata().
static int sdhci_pxav3_probe(struct platform_device *pdev) {
struct sdhci_pxa_platdata *pdata = pdev->dev.platform_data;
...
if (match) {
ret = mmc_of_parse(host->mmc);
if (ret)
goto err_of_parse;
sdhci_get_of_property(pdev);
pdata = pxav3_get_mmc_pdata(dev);
}
...
}
After commit 8d86e4fcccf6 ("mmc: sdhci-esdhc-imx: Call mmc_of_parse()"),
we do not need those duplicated parsing anymore.
Note: fsl,cd-controller is also deleted due to the driver does
not support controller card detection anymore after switch to runtime pm.
And there's no user of it right now in device tree.
wp-gpios is kept because we're still support fsl,wp-controller,
so we need a way to check if it's gpio wp or controller wp.
mmc: sdhci: make max-frequency property in device tree work
Device tree provides option to specify the max freqency with property
"max-frequency" in dts and common parse function mmc_of_parse() will
parse it and use this value to set host->f_max to tell the MMC core
the maxinum frequency the host works.
However, current sdhci driver will finally overwrite this value with
host->max_clk regardless of the max-frequency property.
This patch makes sure not overwrite the max-frequency set from device
tree and do basic sanity check.
mmc: sdhci-esdhc-imx: move all non dt probe code into one function
This is an incremental fix of commit e62bd351b("mmc: sdhci-esdhc-imx: Do not break platform data boards").
After commit 8d86e4fcccf6 ("mmc: sdhci-esdhc-imx: Call mmc_of_parse()"),
we do not need to run the check of boarddata->wp_type/cd_type/max_bus_width
again for dt platform since those are already handled by mmc_of_parse().
Current code only exclude the checking of wp_type for dt platform which
does not make sense.
This patch moves all non dt probe code into one function.
Besides, since we only support SD3.0/eMMC HS200 for dt platform, the
support_vsel checking and ultra high speed pinctrl state are also merged
into sdhci_esdhc_imx_probe_dt.
Then we have two separately probe function for dt and non dt type.
This can make the driver probe more clearly.
mmc: sdhci-esdhc-imx: fix cd regression for dt platform
Current card detect probe process is that when driver finds a valid
ESDHC_CD_GPIO, it will clear the quirk SDHCI_QUIRK_BROKEN_CARD_DETECTION
which is set by default for all esdhc/usdhc controllers.
Then host driver will know there's a valid card detect function.
Commit 8d86e4fcccf6 ("mmc: sdhci-esdhc-imx: Call mmc_of_parse()")
breaks GPIO CD function for dt platform that it will return directly
when find ESDHC_CD_GPIO for dt platform which result in the later wrongly
to keep SDHCI_QUIRK_BROKEN_CARD_DETECTION for all dt platforms.
Then MMC_CAP_NEEDS_POLL will be used instead even there's a valid
GPIO card detect.
This patch adds back this function and follows the original approach to
clear the quirk if find an valid CD GPIO for dt platforms.
dts: imx7: fix sd card gpio polarity specified in device tree
cd-gpios polarity should be changed to GPIO_ACTIVE_LOW and wp-gpios
should be changed to GPIO_ACTIVE_HIGH.
Otherwise, the SD may not work properly due to wrong polarity inversion
specified in DT after switch to common parsing function mmc_of_parse().
dts: imx25: fix sd card gpio polarity specified in device tree
cd-gpios polarity should be changed to GPIO_ACTIVE_LOW and wp-gpios
should be changed to GPIO_ACTIVE_HIGH.
Otherwise, the SD may not work properly due to wrong polarity inversion
specified in DT after switch to common parsing function mmc_of_parse().
dts: imx6: fix sd card gpio polarity specified in device tree
cd-gpios polarity should be changed to GPIO_ACTIVE_LOW and wp-gpios
should be changed to GPIO_ACTIVE_HIGH.
Otherwise, the SD may not work properly due to wrong polarity inversion
specified in DT after switch to common parsing function mmc_of_parse().
dts: imx53: fix sd card gpio polarity specified in device tree
cd-gpios polarity should be changed to GPIO_ACTIVE_LOW and wp-gpios
should be changed to GPIO_ACTIVE_HIGH.
Otherwise, the SD may not work properly due to wrong polarity inversion
specified in DT after switch to common parsing function mmc_of_parse().
dts: imx51: fix sd card gpio polarity specified in device tree
cd-gpios polarity should be changed to GPIO_ACTIVE_LOW and wp-gpios
should be changed to GPIO_ACTIVE_HIGH.
Otherwise, the SD may not work properly due to wrong polarity inversion
specified in DT after switch to common parsing function mmc_of_parse().
Support for 8BIT bus with was added some time ago to sdhci-esdhc but
then missed to remove the 8BIT from the reserved bit mask which made
8BIT non functional.
Fixes: 66b50a00992d ("mmc: esdhc: Add support for 8-bit bus width and..") Signed-off-by: Joakim Tjernlund <[email protected]> Signed-off-by: Ulf Hansson <[email protected]>
Vignesh R [Tue, 16 Jun 2015 10:37:18 +0000 (16:07 +0530)]
mmc: omap_hsmmc: Handle BADA, DEB and CEB interrupts
Sometimes BADA, DEB or CEB error interrupts occur when sd card is
unplugged during data transfer. These interrupts are currently ignored
by the interrupt handler. But, this results in card not being
recognised on subsequent insertion. This is because mmcqd is waiting
forever for the data transfer(for which error occurred) to complete.
Fix this, by reporting BADA, DEB, CEB errors to mmc-core as -EILSEQ, so
that the core can do appropriate handling.
DTO/DCRC errors were not being informed to the mmc core since
commit ae4bf788ee9b ("mmc: omap_hsmmc: consolidate error report handling of
HSMMC IRQ"). This commit made sure 'end_trans' is never set on DTO/DCRC
errors. This is because after this commit 'host->data' is checked after
it has been cleared to NULL by omap_hsmmc_dma_cleanup().
Because 'end_trans' is never set, omap_hsmmc_xfer_done() is never invoked
making core layer not to be aware of DTO/DCRC errors. Because of this
any command invoked after DTO/DCRC error leads to a hang.
Fix this by checking for 'host->data' before it is actually cleared.
David Disseldorp [Sun, 12 Jul 2015 16:49:18 +0000 (18:49 +0200)]
target/configfs: handle match_int() errors
As a follow up to ce31c1b0dc4038a1dec64585d892adb73d9c45f4 - there are
still a few LIO match_int() calls that don't check the return value.
Propagate errors rather than using the potentially uninitialised result.
Andy Grover [Thu, 9 Jul 2015 16:56:48 +0000 (09:56 -0700)]
target: Do not return 0 from aptpl and alua configfs store functions
Here are some more instances where we are returning 0 from a configfs
store function, the unintended result of which is likely infinite retries
from userspace.
API compliance scanning with coccinelle flagged:
./drivers/scsi/qla2xxx/tcm_qla2xxx.c:407:2-29:
WARNING: timeout is HZ dependent
This was introduced in 'commit 75f8c1f693ee ("[SCSI] tcm_qla2xxx: Add >=
24xx series fabric module for target-core")'. wait_for_completion_timeout()
expects a timeout in jiffies so the numeric constant makes the effective
timeout HZ dependent. Resolved by converting it to CONST * HZ.
During a node failure, We need to suspend read balancing so that the
reads are directed to the first device and stale data is not read.
Suspending writes is not required because these would be recorded and
synced eventually.
A new flag MD_CLUSTER_SUSPEND_READ_BALANCING is set in recover_prep().
area_resyncing() will respond true for the entire devices if this
flag is set and the request type is READ. The flag is cleared
in recover_done().
md-cluster: fix bitmap sub-offset in bitmap_read_sb
bitmap_read_sb is modifying mddev->bitmap_info.offset. This works for
the first bitmap read. However, when multiple bitmaps need to be opened
by the same node, it ends up corrupting the offset. Fix it by using a
local variable.
Also, bitmap_read_sb is not required in bitmap_copy_from_slot since
it is called in bitmap_create. Remove bitmap_read_sb().
md: Return error if request_module fails and returns positive value
request_module() can return 256 (process exited) in some cases,
which is not as specified in the documentation before the
request_module() definition. Convert the error to -ENOENT.
The positive error number results in bitmap_create() returning
a value that is meant to be an error but doesn't look like one,
so it is dereferenced as a point and causes a crash.
(not needed for stable as this is "experimental" code) Fixes: edb39c9deda8 ("Introduce md_cluster_operations to handle cluster functions") Signed-off-By: Goldwyn Rodrigues <[email protected]> Signed-off-by: NeilBrown <[email protected]>
md: Skip cluster setup in case of error while reading bitmap
If the bitmap read fails, the error code set is -EINVAL. However,
we don't check for errors and go ahead with cluster_setup.
Skip the cluster setup in case of error.
md/raid1: fix test for 'was read error from last working device'.
When we get a read error from the last working device, we don't
try to repair it, and don't fail the device. We simple report a
read error to the caller.
However the current test for 'is this the last working device' is
wrong.
When there is only one fully working device, it assumes that a
non-faulty device is that device. However a spare which is rebuilding
would be non-faulty but so not the only working device.
So change the test from "!Faulty" to "In_sync". If ->degraded says
there is only one fully working device and this device is in_sync,
this must be the one.
This bug has existed since we allowed read_balance to read from
a recovering spare in v3.0
Dave Airlie [Fri, 24 Jul 2015 01:52:35 +0000 (11:52 +1000)]
Merge tag 'topic/drm-fixes-2015-07-23' of git://anongit.freedesktop.org/drm-intel into drm-fixes
Regression fix for systemd getting confused about unknown connector state
after resume. Just stop setting the state to unknown, turned out to be a
silly idea anyway. What drivers imo really should do (and i915 still does
that) is forcing a full reprobe on resume to make sure connector changes
while suspended are caught. Most drivers seem to get this wrong. Otoh it
took us years to get fixes merged where some probe races resulted in
eating uevents, I guess userspace expectations for reliable hpd are just
really low :(
* tag 'topic/drm-fixes-2015-07-23' of git://anongit.freedesktop.org/drm-intel:
drm: Stop resetting connector state to unknown
Dave Airlie [Fri, 24 Jul 2015 01:51:18 +0000 (11:51 +1000)]
Merge branch 'drm-fixes-4.2' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
Some amdgpu fixes.
* 'drm-fixes-4.2' of git://people.freedesktop.org/~agd5f/linux:
drm/amdgpu/cz/dpm: properly report UVD and VCE clock levels
drm/amdgpu/cz: implement voltage validation properly
drm/amdgpu: add VCE harvesting instance query
drm/amdgpu: implement VCE 3.0 harvesting support (v4)
drm/amdgpu/dce10: Re-set VBLANK interrupt state when enabling a CRTC
drm/amdgpu/dce11: Re-set VBLANK interrupt state when enabling a CRTC
Peter Hurley [Mon, 13 Jul 2015 01:05:26 +0000 (21:05 -0400)]
serial: core: Fix crashes while echoing when closing
While closing, new rx data may be received after the input buffers
have been flushed but before stop_rx() halts receiving [1]. The
new data might not be processed by flush_to_ldisc() until after
uart_shutdown() and normal input processing is re-enabled (ie.,
tty->closing = 0). The race is outlined below:
Input processing must be prevented from echoing (tty->closing = 1)
until _after_ the input buffers have been flushed again at the end
of uart_close().
[1] In fact, some input may actually be buffered _after_ stop_rx()
since the rx interrupt may have already triggered but not yet been
handled when stop_rx() disables rx interrupts.
Fixes: 2e758910832d ("serial: core: Flush ldisc after dropping port
mutex in uart_close()") Reported-by: Robert Elliott <[email protected]> Signed-off-by: Peter Hurley <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit c627f2ceb692 ("serial: 8250: Add support for big-endian MMIO accesses")
added support for 32-bit big-endian mmio to the 8250 driver. Support for
ioreadXXbe/iowriteXXbe io accessors was missing from m32r arch, which caused
build errors.
According to some tests, SDMA support is broken at least for i.MX6 without
HW flow control. Different forms of data-corruption appear either with
the ROM firmware for the SDMA controller as well as when loading Freescale
provided SDMA firmware versions 1.1 or 3.1.
Bo Svangård [Sat, 13 Jun 2015 11:40:20 +0000 (13:40 +0200)]
sc16is7xx: fix FIFO address of secondary UART
Calls to regmap_raw_read/write needed register rewrite in a
similar way as function calls to regmap_read/write already had.
This enables reading/writing the serial datastream to the device.
Jakub Kicinski [Wed, 1 Jul 2015 12:19:52 +0000 (14:19 +0200)]
sc16is7xx: fix Kconfig dependencies
When I2C=m and SPI=y or-ing them will produce =y while
what we need is the lower bound, i.e. =m. Fortunately
SPI is a boolean so we need to handle only one special
case.
In probe, we use dev_id as array index of etraxfs_uart_ports and store the
index in port->line. So etraxfs_uart_ports[port->line] should be released
when unload the module.
block: Do a full clone when splitting discard bios
This fixes a data corruption bug when using discard on top of MD linear,
raid0 and raid10 personalities.
Commit 20d0189b1012 "block: Introduce new bio_split()" permits sharing
the bio_vec between the two resulting bios. That is fine for read/write
requests where the bio_vec is immutable. For discards, however, we need
to be able to attach a payload and update the bio_vec so the page can
get mapped to a scatterlist entry. Therefore the bio_vec can not be
shared when splitting discards and we must do a full clone.
serial: amba-pl011: Fix devm_ioremap_resource return value check
Value returned by devm_ioremap_resource() was checked for non-NULL but
devm_ioremap_resource() returns IOMEM_ERR_PTR, not NULL. In case of
error this could lead to dereference of ERR_PTR.
Peter Hurley [Sat, 27 Jun 2015 13:21:32 +0000 (09:21 -0400)]
n_tty: signal and flush atomically
When handling signalling char, claim the termios write lock before
signalling waiting readers and writers to prevent further i/o
before flushing the echo and output buffers. This prevents a
userspace signal handler which may output from racing the terminal
flush.
Reference: Bugzilla #99351 ("Output truncated in ssh session after...") Fixes: commit d2b6f44779d3 ("n_tty: Fix signal handling flushes") Reported-by: Filipe Brandenburger <[email protected]> Signed-off-by: Peter Hurley <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
This patch fixes a problem in the usbtouchscreen driver for DMC TSC-30
touch screen. Due to a missing delay between the RESET and SET_RATE
commands, the touch screen may become unresponsive during system startup or
driver loading.
According to the DMC documentation, a delay is needed after the RESET
command to allow the chip to complete its internal initialization. As this
delay is not guaranteed, we had a system where the touch screen
occasionally did not send any touch data. There was no other indication of
the problem.
The patch fixes the problem by adding a 150ms delay between the RESET and
SET_RATE commands.
Merge tag 'iio-fixes-for-4.2c' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus
Jonathan writes:
3rd round of IIO fixes for the 4.2 cycle.
* bmc150_magn - add missing regmap dependency and ensure on a wrong chip
case report hte chip id rather than a previous return value.
* mmc35240 - Fill a null pointer derefrence and wrong SET / RESET logic
that results in North and South being swapped.
* mlx96014 - correct the offset value reported to userspace (wrong sign)
* vf610 - Prevent non aligned register reading.
* mcp320x - Another null pointer deference bug.
* mma8452 - change threshold type from THRESH to MAG to reflect the fact
that the sign of the signal is not known when the event is signaled.
* stk3310 - move device registert to end of probe to avoid race conditions
when coming up, check for invalid client->irq values and make it work
for both endian types of host.
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull namespace fixes from Eric Biederman:
"While reading through the code of detach_mounts I realized the code
was slightly off. Testing it revealed two buggy corner cases that can
send the code of detach_mounts into an infinite loop.
Fixing the code to do the right thing removes the possibility of these
user triggered infinite loops in the code"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
mnt: In detach_mounts detach the appropriate unmounted mount
mnt: Clarify and correct the disconnect logic in umount_tree
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
Pull virtio/vhost fixes from Michael Tsirkin:
"Bugfixes and documentation fixes.
Igor's patch that allows users to tweak memory table size is
borderline, but it does fix known crashes, so I merged it"
* tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
vhost: add max_mem_regions module parameter
vhost: extend memory regions allocation to vmalloc
9p/trans_virtio: reset virtio device on remove
virtio/s390: rename drivers/s390/kvm -> drivers/s390/virtio
MAINTAINERS: separate section for s390 virtio drivers
virtio: define virtio_pci_cfg_cap in header.
virtio: Fix typecast of pointer in vring_init()
virtio scsi: fix unused variable warning
vhost: use binary search instead of linear in find_region()
virtio_net: document VIRTIO_NET_CTRL_GUEST_OFFLOADS
block: export bio_associate_*() and wbc_account_io()
bio_associate_blkcg(), bio_associate_current() and wbc_account_io()
are used to implement cgroup writeback support for filesystems and
thus need to be exported. Export them.
Merge tag 'iommu-fixes-v4.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
Pull iommu fixes from Joerg Roedel:
"The fixes include:
- a couple of fixes for the new ARM-SMMUv3 driver to fix issues found
on the first real implementation of that hardware.
- a patch for the Intel VT-d driver to fix a domain-id leak"
* tag 'iommu-fixes-v4.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
iommu/vt-d: Fix VM domain ID leak
iommu/arm-smmu: Skip the execution of CMD_PREFETCH_CONFIG
iommu/arm-smmu: Enlarge STRTAB_L1_SZ_SHIFT to support larger sidsize
iommu/arm-smmu: Fix the values of ARM64_TCR_{I,O}RGN0_SHIFT
iommu/arm-smmu: Fix LOG2SIZE setting for 2-level stream tables
iommu/arm-smmu: Fix the index calculation of strtab
mnt: In detach_mounts detach the appropriate unmounted mount
The handling of in detach_mounts of unmounted but connected mounts is
buggy and can lead to an infinite loop.
Correct the handling of unmounted mounts in detach_mount. When the
mountpoint of an unmounted but connected mount is connected to a
dentry, and that dentry is deleted we need to disconnect that mount
from the parent mount and the deleted dentry.
Nothing changes for the unmounted and connected children. They can be
safely ignored.
Cc: [email protected] Fixes: ce07d891a0891d3c0d0c2d73d577490486b809e1 mnt: Honor MNT_LOCKED when detaching mounts Signed-off-by: "Eric W. Biederman" <[email protected]>
projects / linux.git / log