summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2017-01-04vfio-mdev: fix some error codes in the sample codeDan Carpenter1-1/+3
This is just sample code. We forget to set the error codes in a couple places. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reported-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2017-01-04Merge tag 'scpi-fixes-4.10' of ↵Arnd Bergmann1-2/+8
git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux into fixes Pull "SCPI fix for v4.10" from Sudeep Holla: A simple fix for reading only lower 32-bit sensor values on pre-1.0 SCPI firmwares so that upper 32-bit (garbage) value is discarded properly. * tag 'scpi-fixes-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux: firmware: arm_scpi: fix reading sensor values on pre-1.0 SCPI firmwares
2017-01-04Merge tag 'imx-fixes-4.10' of ↵Arnd Bergmann7-5/+7
git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into fixes Pull "i.MX fixes for 4.10" from Shawn Guo: - A format fix for vf610-zii-dev-rev-b.dts, which has a very odd line due to misses a newline. - A fix to imx-weim bus error seen on board which doesn't actually use the bus. - A fix for imx6qdl-nitrogen6x board which has conflicting usage of pad NANDF_CS2. - A cleanup on i.MX1 machine to remove .map_io callback, which also fixes a compiling error for NOMMU build. - Fix AVIC base address in i.MX31 device tree source. The problem was shadowed by the AVIC driver, which takes the correct base address from a SoC specific header file. * tag 'imx-fixes-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: dts: imx6: Disable "weim" node in the dtsi files ARM: i.MX: remove map_io callback ARM: dts: vf610-zii-dev-rev-b: Add missing newline ARM: dts: imx6qdl-nitrogen6x: remove duplicate iomux entry ARM: dts: imx31: fix AVIC base address
2017-01-04Merge tag 'qcom-arm-fixes-for-4.10-rc2' of ↵Arnd Bergmann1-0/+4
git://git.kernel.org/pub/scm/linux/kernel/git/agross/linux into fixes Pull "Qualcomm ARM DTS Fixes for v4.10-rc2" from Andy Gross: * Add SCM clock for APQ8064 to fix boot failures * tag 'qcom-arm-fixes-for-4.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/agross/linux: ARM: dts: qcom: apq8064: Add missing scm clock
2017-01-04Merge tag 'omap-for-v4.10/fixes-rc1' of ↵Arnd Bergmann26-221/+74
git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes Pull "omap fixes for v4.10-rc cycle" from Tony Lindgren: Fist set of fixes for omaps for v4.10-rc cycle, mostly to deal with various regressions noticed during the merge window and to fix various device tree configurations for boards. Also included is removal of mach-omap2/gpio.c that is now dead code with device tree based booting that should be OK for the early -rc cycle: - A series of fixes to add empty chosen node to fix regressions caused for bootloaders that don't create chosen node as the decompressor needs the chosen node to merge command line and ATAGs into it - Fix missing logicpd-som-lv-37xx-devkit.dtb entry in Makefile - Fix regression for am437x timers - Fix wrong strcat for non-NULL terminated string - A series of changes to fix tps65217 interrupts to not use defines as we don't do that for interrupts - Two patches to fix USB VBUS detection on am57xx-idk and force it to peripheral mode until dwc3 role detection is working - Add missing dra72-evm-tps65917 missing voltage supplies accidentally left out of an earlier patch - Fix n900 eMMC detection when booted on qemu - Remove unwanted pr_err on failed memory allocation for prm_common.c - Remove legacy mach-omap2/gpio.c that now is dead code since we boot mach-omap2 in device tree only mode - Fix am572x-idk pcie1 by adding the missing gpio reset pin * tag 'omap-for-v4.10/fixes-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap: (23 commits) ARM: dts: am572x-idk: Add gpios property to control PCIE_RESETn ARM: OMAP2+: PRM: Delete an error message for a failed memory allocation ARM: dts: n900: Mark eMMC slot with no-sdio and no-sd flags ARM: dts: dra72-evm-tps65917: Add voltage supplies to usb_phy, mmc, dss ARM: dts: am57xx-idk: Put USB2 port in peripheral mode ARM: dts: am57xx-idk: Support VBUS detection on USB2 port dt-bindings: input: Specify the interrupt number of TPS65217 power button dt-bindings: power/supply: Update TPS65217 properties dt-bindings: mfd: Remove TPS65217 interrupts ARM: dts: am335x: Fix the interrupt name of TPS65217 ARM: omap2+: fixing wrong strcat for Non-NULL terminated string ARM: omap2+: am437x: rollback to use omap3_gptimer_timer_init() ARM: dts: omap3: Add DTS for Logic PD SOM-LV 37xx Dev Kit ARM: dts: dra7: Add an empty chosen node to top level DTSI ARM: dts: dm816x: Add an empty chosen node to top level DTSI ARM: dts: dm814x: Add an empty chosen node to top level DTSI ARM: dts: am4372: Add an empty chosen node to top level DTSI ARM: dts: am33xx: Add an empty chosen node to top level DTSI ARM: dts: omap5: Add an empty chosen node to top level DTSI ARM: dts: omap4: Add an empty chosen node to top level DTSI ...
2017-01-04Merge tag 'samsung-soc-4.10-2' of ↵Arnd Bergmann3-33/+77
git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux into fixes Samsung mach/soc update for v4.10: 1. Minor cleanup in smp_operations. 2. Another step in switching s3c24xx to new DMA API. 3. Drop fixed requirement for HZ=200 on Samsung platforms. * tag 'samsung-soc-4.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux: ARM: Drop fixed 200 Hz timer requirement from Samsung platforms ARM: S3C24XX: Add DMA slave maps for remaining s3c24xx SoCs ARM: EXYNOS: Remove smp_init_cpus hook from platsmp.c
2017-01-04Merge tag 'qcom-fixes-for-4.10-rc1' of ↵Arnd Bergmann1-0/+10
git://git.kernel.org/pub/scm/linux/kernel/git/agross/linux into fixes Qualcomm ARM64 Fixes for v4.10-rc1 * Fix instability in MSM8996 due to incorrect carveouts * tag 'qcom-fixes-for-4.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/agross/linux: arm64: dts: msm8996: Add required memory carveouts
2017-01-04Merge tag 'renesas-fixes-for-v4.10' of ↵Arnd Bergmann1-1/+1
https://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas into fixes Renesas ARM Based SoC Fixes for v4.10 * Provide sd0_uhs node * tag 'renesas-fixes-for-v4.10' of https://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas: arm64: dts: h3ulcb: Provide sd0_uhs node
2017-01-04iommu/amd: Fix the left value check of cmd bufferHuang Rui1-1/+1
The generic command buffer entry is 128 bits (16 bytes), so the offset of tail and head pointer should be 16 bytes aligned and increased with 0x10 per command. When cmd buf is full, head = (tail + 0x10) % CMD_BUFFER_SIZE. So when left space of cmd buf should be able to store only two command, we should be issued one COMPLETE_WAIT additionally to wait all older commands completed. Then the left space should be increased after IOMMU fetching from cmd buf. So left check value should be left <= 0x20 (two commands). Signed-off-by: Huang Rui <ray.huang@amd.com> Fixes: ac0ea6e92b222 ('x86/amd-iommu: Improve handling of full command buffer') Signed-off-by: Joerg Roedel <jroedel@suse.de>
2017-01-04iommu/vt-d: Fix pasid table size encodingJacob Pan1-1/+22
Different encodings are used to represent supported PASID bits and number of PASID table entries. The current code assigns ecap_pss directly to extended context table entry PTS which is wrong and could result in writing non-zero bits to the reserved fields. IOMMU fault reason 11 will be reported when reserved bits are nonzero. This patch converts ecap_pss to extend context entry pts encoding based on VT-d spec. Chapter 9.4 as follows: - number of PASID bits = ecap_pss + 1 - number of PASID table entries = 2^(pts + 5) Software assigned limit of pasid_max value is also respected to match the allocation limitation of PASID table. cc: Mika Kuoppala <mika.kuoppala@linux.intel.com> cc: Ashok Raj <ashok.raj@intel.com> Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com> Tested-by: Mika Kuoppala <mika.kuoppala@intel.com> Fixes: 2f26e0a9c9860 ('iommu/vt-d: Add basic SVM PASID support') Signed-off-by: Joerg Roedel <jroedel@suse.de>
2017-01-04iommu/vt-d: Flush old iommu caches for kdump when the device gets context mappedXunlei Pang1-0/+19
We met the DMAR fault both on hpsa P420i and P421 SmartArray controllers under kdump, it can be steadily reproduced on several different machines, the dmesg log is like: HP HPSA Driver (v 3.4.16-0) hpsa 0000:02:00.0: using doorbell to reset controller hpsa 0000:02:00.0: board ready after hard reset. hpsa 0000:02:00.0: Waiting for controller to respond to no-op DMAR: Setting identity map for device 0000:02:00.0 [0xe8000 - 0xe8fff] DMAR: Setting identity map for device 0000:02:00.0 [0xf4000 - 0xf4fff] DMAR: Setting identity map for device 0000:02:00.0 [0xbdf6e000 - 0xbdf6efff] DMAR: Setting identity map for device 0000:02:00.0 [0xbdf6f000 - 0xbdf7efff] DMAR: Setting identity map for device 0000:02:00.0 [0xbdf7f000 - 0xbdf82fff] DMAR: Setting identity map for device 0000:02:00.0 [0xbdf83000 - 0xbdf84fff] DMAR: DRHD: handling fault status reg 2 DMAR: [DMA Read] Request device [02:00.0] fault addr fffff000 [fault reason 06] PTE Read access is not set hpsa 0000:02:00.0: controller message 03:00 timed out hpsa 0000:02:00.0: no-op failed; re-trying After some debugging, we found that the fault addr is from DMA initiated at the driver probe stage after reset(not in-flight DMA), and the corresponding pte entry value is correct, the fault is likely due to the old iommu caches of the in-flight DMA before it. Thus we need to flush the old cache after context mapping is setup for the device, where the device is supposed to finish reset at its driver probe stage and no in-flight DMA exists hereafter. I'm not sure if the hardware is responsible for invalidating all the related caches allocated in the iommu hardware before, but seems not the case for hpsa, actually many device drivers have problems in properly resetting the hardware. Anyway flushing (again) by software in kdump kernel when the device gets context mapped which is a quite infrequent operation does little harm. With this patch, the problematic machine can survive the kdump tests. CC: Myron Stowe <myron.stowe@gmail.com> CC: Joseph Szczypek <jszczype@redhat.com> CC: Don Brace <don.brace@microsemi.com> CC: Baoquan He <bhe@redhat.com> CC: Dave Young <dyoung@redhat.com> Fixes: 091d42e43d21 ("iommu/vt-d: Copy translation tables from old kernel") Fixes: dbcd861f252d ("iommu/vt-d: Do not re-use domain-ids from the old kernel") Fixes: cf484d0e6939 ("iommu/vt-d: Mark copied context entries") Signed-off-by: Xunlei Pang <xlpang@redhat.com> Tested-by: Don Brace <don.brace@microsemi.com> Signed-off-by: Joerg Roedel <jroedel@suse.de>
2017-01-04video: fbdev: cobalt_lcdfb: Handle return NULL error from devm_ioremapArvind Yadav1-0/+5
Here, If devm_ioremap will fail. It will return NULL. Kernel can run into a NULL-pointer dereference. This error check will avoid NULL pointer dereference. Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com> Acked-by: Yoichi Yuasa <yuasa@linux-mips.org> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
2017-01-04MAINTAINERS: add myself as maintainer of fbdevBartlomiej Zolnierkiewicz1-1/+3
I would like to help with fbdev maintenance. I can dedicate some time for reviewing and handling patches but won't have time for much more. The subsystem will remain in maintenance mode (no new drivers will be added to it). Cc: Tomi Valkeinen <tomi.valkeinen@ti.com> Cc: Daniel Vetter <daniel.vetter@intel.com> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
2017-01-04ALSA: hda - Fix up GPIO for ASUS ROG RangerTakashi Iwai1-0/+1
ASUS ROG Ranger VIII with ALC1150 codec requires the extra GPIO pin to up for the front panel. Just use the existing fixup for setting up the GPIO pins. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=189411 Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-01-04USB: serial: ti_usb_3410_5052: fix NULL-deref at openJohan Hovold1-0/+7
Fix NULL-pointer dereference in open() should a malicious device lack the expected endpoints: Unable to handle kernel NULL pointer dereference at virtual address 00000030 .. [<bf06a6b0>] (ti_open [ti_usb_3410_5052]) from [<bf02e118>] (serial_port_activate+0x68/0x98 [usbserial]) Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: spcp8x5: fix NULL-deref at openJohan Hovold1-0/+14
Fix NULL-pointer dereference in open() should the device lack the expected endpoints: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at spcp8x5_open+0x30/0xd0 [spcp8x5] Fixes: 619a6f1d1423 ("USB: add usb-serial spcp8x5 driver") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: quatech2: fix sleep-while-atomic in closeJohan Hovold1-4/+0
The write URB was being killed using the synchronous interface while holding a spin lock in close(). Simply drop the lock and busy-flag update, something which would have been taken care of by the completion handler if the URB was in flight. Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: pl2303: fix NULL-deref at openJohan Hovold1-0/+8
Fix NULL-pointer dereference in open() should a type-0 or type-1 device lack the expected endpoints: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at pl2303_open+0x38/0xec [pl2303] Note that a missing interrupt-in endpoint would have caused open() to fail. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: oti6858: fix NULL-deref at openJohan Hovold1-0/+16
Fix NULL-pointer dereference in open() should the device lack the expected endpoints: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at oti6858_open+0x30/0x1d0 [oti6858] Note that a missing interrupt-in endpoint would have caused open() to fail. Fixes: 49cdee0ed0fc ("USB: oti6858 usb-serial driver (in Nokia CA-42 cable)") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: omninet: fix NULL-derefs at open and disconnectJohan Hovold1-0/+13
Fix NULL-pointer dereferences at open() and disconnect() should the device lack the expected bulk-out endpoints: Unable to handle kernel NULL pointer dereference at virtual address 000000b4 ... [c0170ff0>] (__lock_acquire) from [<c0172f00>] (lock_acquire+0x108/0x264) [<c0172f00>] (lock_acquire) from [<c06a5090>] (_raw_spin_lock_irqsave+0x58/0x6c) [<c06a5090>] (_raw_spin_lock_irqsave) from [<c0470684>] (tty_port_tty_set+0x28/0xa4) [<c0470684>] (tty_port_tty_set) from [<bf08d384>] (omninet_open+0x30/0x40 [omninet]) [<bf08d384>] (omninet_open [omninet]) from [<bf07c118>] (serial_port_activate+0x68/0x98 [usbserial]) Unable to handle kernel NULL pointer dereference at virtual address 00000234 ... [<bf01f418>] (omninet_disconnect [omninet]) from [<bf0016c0>] (usb_serial_disconnect+0xe4/0x100 [usbserial]) Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: mos7840: fix misleading interrupt-URB commentJohan Hovold1-3/+1
The interrupt URB is killed at final port close since commit 0de9a7024e7a ("USB: overhaul of mos7840 driver"). Fixes: 0de9a7024e7a ("USB: overhaul of mos7840 driver") Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: mos7840: remove unused write URBJohan Hovold1-8/+0
Remove code to manage a write URB that was never allocated. Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: mos7840: fix NULL-deref at openJohan Hovold1-0/+12
Fix NULL-pointer dereference in open() should the device lack the expected endpoints: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at mos7840_open+0x88/0x8dc [mos7840] Note that we continue to treat the interrupt-in endpoint as optional for now. Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: mos7720: remove obsolete port initialisationJohan Hovold1-5/+0
Since commit b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715"), the interrupt urb is no longer submitted at first port open and the endpoint-address initialisation at port-probe is no longer used. Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: mos7720: fix parallel probeJohan Hovold1-23/+7
A static usb-serial-driver structure that is used to initialise the interrupt URB was modified during probe depending on the currently probed device type, something which could break a parallel probe of a device of a different type. Fix this up by overriding the default completion callback for MCS7715 devices in attach() instead. We may want to use two usb-serial driver instances for the two types later. Fixes: fb088e335d78 ("USB: serial: add support for serial port on the moschip 7715") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: mos7720: fix parport use-after-free on probe errorsJohan Hovold1-10/+8
Do not submit the interrupt URB until after the parport has been successfully registered to avoid another use-after-free in the completion handler when accessing the freed parport private data in case of a racing completion. Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: mos7720: fix use-after-free on probe errorsJohan Hovold1-1/+5
The interrupt URB was submitted on probe but never stopped on probe errors. This can lead to use-after-free issues in the completion handler when accessing the freed usb-serial struct: Unable to handle kernel paging request at virtual address 6b6b6be7 ... [<bf052e70>] (mos7715_interrupt_callback [mos7720]) from [<c052a894>] (__usb_hcd_giveback_urb+0x80/0x140) [<c052a894>] (__usb_hcd_giveback_urb) from [<c052a9a4>] (usb_hcd_giveback_urb+0x50/0x138) [<c052a9a4>] (usb_hcd_giveback_urb) from [<c0550684>] (musb_giveback+0xc8/0x1cc) Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: mos7720: fix NULL-deref at openJohan Hovold1-0/+5
Fix NULL-pointer dereference at port open if a device lacks the expected bulk in and out endpoints. Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... [<bf071c20>] (mos7720_open [mos7720]) from [<bf0490e0>] (serial_port_activate+0x68/0x98 [usbserial]) [<bf0490e0>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8) [<c0470ca4>] (tty_port_open) from [<bf049d98>] (serial_open+0x48/0x6c [usbserial]) [<bf049d98>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc) Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: kobil_sct: fix NULL-deref in writeJohan Hovold1-0/+12
Fix NULL-pointer dereference in write() should the device lack the expected interrupt-out endpoint: Unable to handle kernel NULL pointer dereference at virtual address 00000054 ... PC is at kobil_write+0x144/0x2a0 [kobil_sct] Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: keyspan_pda: verify endpoints at probeJohan Hovold1-0/+14
Check for the expected endpoints in attach() and fail loudly if not present. Note that failing to do this appears to be benign since da280e348866 ("USB: keyspan_pda: clean up write-urb busy handling") which prevents a NULL-pointer dereference in write() by never marking a non-existent write-urb as free. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> # < v3.3 Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: iuu_phoenix: fix NULL-deref at openJohan Hovold1-0/+11
Fix NULL-pointer dereference at open should the device lack a bulk-in or bulk-out endpoint: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at iuu_open+0x78/0x59c [iuu_phoenix] Fixes: 07c3b1a10016 ("USB: remove broken usb-serial num_endpoints check") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: io_ti: bind to interface after fw downloadJohan Hovold1-2/+1
Bind to the interface, but do not register any ports, after having downloaded the firmware. The device will still disconnect and re-enumerate, but this way we avoid an error messages from being logged as part of the process: io_ti: probe of 1-1.3:1.0 failed with error -5 Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: io_ti: fix I/O after disconnectJohan Hovold1-0/+3
Cancel the heartbeat work on driver unbind in order to avoid I/O after disconnect in case the port is held open. Note that the cancel in release() is still needed to stop the heartbeat after late probe errors. Fixes: 26c78daade0f ("USB: io_ti: Add heartbeat to keep idle EP/416 ports from disconnecting") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: io_ti: fix another NULL-deref at openJohan Hovold1-3/+6
In case a device is left in "boot-mode" we must not register any port devices in order to avoid a NULL-pointer dereference on open due to missing endpoints. This could be used by a malicious device to trigger an OOPS: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... [<bf0caa84>] (edge_open [io_ti]) from [<bf0b0118>] (serial_port_activate+0x68/0x98 [usbserial]) [<bf0b0118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8) [<c0470ca4>] (tty_port_open) from [<bf0b0da0>] (serial_open+0x48/0x6c [usbserial]) [<bf0b0da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc) Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: io_ti: fix NULL-deref at openJohan Hovold1-0/+7
Fix NULL-pointer dereference when clearing halt at open should a malicious device lack the expected endpoints when in download mode. Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... [<bf011ed8>] (edge_open [io_ti]) from [<bf000118>] (serial_port_activate+0x68/0x98 [usbserial]) [<bf000118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8) [<c0470ca4>] (tty_port_open) from [<bf000da0>] (serial_open+0x48/0x6c [usbserial]) [<bf000da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc) Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: io_edgeport: fix NULL-deref at openJohan Hovold1-0/+5
Fix NULL-pointer dereference when initialising URBs at open should a non-EPIC device lack a bulk-in or interrupt-in endpoint. Unable to handle kernel NULL pointer dereference at virtual address 00000028 ... PC is at edge_open+0x24c/0x3e8 [io_edgeport] Note that the EPIC-device probe path has the required sanity checks so this makes those checks partially redundant. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: garmin_gps: fix memory leak on failed URB submitJohan Hovold1-0/+1
Make sure to free the URB transfer buffer in case submission fails (e.g. due to a disconnect). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-04USB: serial: cyberjack: fix NULL-deref at openJohan Hovold1-0/+10
Fix NULL-pointer dereference when clearing halt at open should the device lack a bulk-out endpoint. Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at cyberjack_open+0x40/0x9c [cyberjack] Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-03xfs: fix max_retries _show and _store functionsCarlos Maiolino1-2/+2
max_retries _show and _store functions should test against cfg->max_retries, not cfg->retry_timeout Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com> Reviewed-by: Eric Sandeen <sandeen@redhat.com> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2017-01-03xfs: update MAINTAINERSDarrick J. Wong1-2/+2
I am taking over as XFS maintainer from Dave Chinner[1], so update contact information and git tree pointers. [1] http://lkml.iu.edu/hypermail/linux/kernel/1612.1/04390.html Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2017-01-03xfs: fix crash and data corruption due to removal of busy COW extentsChristoph Hellwig1-1/+2
There is a race window between write_cache_pages calling clear_page_dirty_for_io and XFS calling set_page_writeback, in which the mapping for an inode is tagged neither as dirty, nor as writeback. If the COW shrinker hits in exactly that window we'll remove the delayed COW extents and writepages trying to write it back, which in release kernels will manifest as corruption of the bmap btree, and in debug kernels will trip the ASSERT about now calling xfs_bmapi_write with the COWFORK flag for holes. A complex customer load manages to hit this window fairly reliably, probably by always having COW writeback in flight while the cow shrinker runs. This patch adds another check for having the I_DIRTY_PAGES flag set, which is still set during this race window. While this fixes the problem I'm still not overly happy about the way the COW shrinker works as it still seems a bit fragile. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2017-01-03xfs: use the actual AG length when reserving blocksDarrick J. Wong6-12/+34
We need to use the actual AG length when making per-AG reservations, since we could otherwise end up reserving more blocks out of the last AG than there are actual blocks. Complained-about-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by: Christoph Hellwig <hch@lst.de>
2017-01-03xfs: fix double-cleanup when CUI recovery failsDarrick J. Wong1-1/+2
Dan Carpenter reported a double-free of rcur if _defer_finish fails while we're recovering CUI items. Fix the error recovery to prevent this. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2017-01-03net: vrf: Add missing Rx countersDavid Ahern1-0/+3
The move from rx-handler to L3 receive handler inadvertantly dropped the rx counters. Restore them. Fixes: 74b20582ac38 ("net: l3mdev: Add hook in ip and ipv6") Reported-by: Dinesh Dutt <ddutt@cumulusnetworks.com> Signed-off-by: David Ahern <dsa@cumulusnetworks.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-01-03block: fix up io_poll documentationJeff Moyer1-3/+3
/sys/block/<dev>/queue/io_poll is a boolean. Fix the docs. Signed-off-by: Jeff Moyer <jmoyer@redhat.com> Signed-off-by: Jens Axboe <axboe@fb.com>
2017-01-03audit: Fix sleep in atomicJan Kara1-4/+14
Audit tree code was happily adding new notification marks while holding spinlocks. Since fsnotify_add_mark() acquires group->mark_mutex this can lead to sleeping while holding a spinlock, deadlocks due to lock inversion, and probably other fun. Fix the problem by acquiring group->mark_mutex earlier. CC: Paul Moore <paul@paul-moore.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Paul Moore <paul@paul-moore.com>
2017-01-03gcc-plugins: update gcc-common.h for gcc-7Kees Cook1-0/+85
This updates gcc-common.h from Emese Revfy for gcc 7. This fixes issues seen by Kugan and Arnd. Build tested with gcc 5.4 and 7 snapshot. Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org>
2017-01-03latent_entropy: fix ARM build error on earlier gccKees Cook1-2/+2
This fixes build errors seen on gcc-4.9.3 or gcc-5.3.1 for an ARM: arm-soc/init/initramfs.c: In function 'error': arm-soc/init/initramfs.c:50:1: error: unrecognizable insn: } ^ (insn 26 25 27 5 (set (reg:SI 111 [ local_entropy.243 ]) (rotatert:SI (reg:SI 116 [ local_entropy.243 ]) (const_int -30 [0xffffffffffffffe2]))) -1 (nil)) Patch from PaX Team <pageexec@freemail.hu> Reported-by: Arnd Bergmann <arnd@arndb.de> Reported-by: Brad Spengler <spender@grsecurity.net> Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org>
2017-01-03Merge branch 'parisc-4.10-2' of ↵Linus Torvalds3-5/+21
git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux Pull parisc updates from Helge Deller: - limit usage of processor-internal cr16 clocksource to UP systems only - segfault info lines in syslog were too long, split those up - drop own TIF_RESTORE_SIGMASK flag and switch to generic code * 'parisc-4.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Add line-break when printing segfault info parisc: Drop TIF_RESTORE_SIGMASK and switch to generic code parisc: Mark cr16 clocksource unstable on SMP systems
2017-01-03Xen: ARM: Zero reserved fields of xatp before making hypervisor callJiandi An1-3/+5
Ensure all reserved fields of xatp are zero before making hypervisor call to XEN in xen_map_device_mmio(). xenmem_add_to_physmap_one() in XEN fails the mapping request if extra.res reserved field in xatp is not zero for XENMAPSPACE_dev_mmio request. Signed-off-by: Jiandi An <anjiandi@codeaurora.org> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>