summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* usb: gadget: f_hid: Use spinlock instead of mutexKrzysztof Opasiak2017-01-241-23/+34
| | | | | | | | | | | As IN request has to be allocated in set_alt() and released in disable() we cannot use mutex to protect it as we cannot sleep in those funcitons. Let's replace this mutex with a spinlock. Cc: stable@vger.kernel.org Tested-by: David Lechner <david@lechnology.com> Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: gadget: f_hid: fix: Prevent accessing released memoryKrzysztof Opasiak2017-01-241-4/+20
| | | | | | | | | | | | | | | | | When we unlock our spinlock to copy data to user we may get disabled by USB host and free the whole list of completed out requests including the one from which we are copying the data to user memory. To prevent from this let's remove our working element from the list and place it back only if there is sth left when we finish with it. Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT") Cc: stable@vger.kernel.org Tested-by: David Lechner <david@lechnology.com> Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: gadget: f_hid: fix: Free out requestsKrzysztof Opasiak2017-01-241-8/+24
| | | | | | | | | | | | | | Requests for out endpoint are allocated in bind() function but never released. This commit ensures that all pending requests are released when we disable out endpoint. Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT") Cc: stable@vger.kernel.org Tested-by: David Lechner <david@lechnology.com> Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* tools: usb: ffs-test: add SS descriptorsFelipe Balbi2017-01-241-1/+49
| | | | | | | Without SS descriptors, we have no possibility of running on SS controllers such as DWC3. Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* tools: usb: ffs-test: switch to _DEFAULT_SOURCEFelipe Balbi2017-01-241-1/+1
| | | | | | | _BSD_SOURCE is deprecated and gives a build warning. Let's use _DEFAULT_SOURCE instead. Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: dwc3: gadget: skip Set/Clear Halt when invalidFelipe Balbi2017-01-241-0/+5
| | | | | | | | | | | | At least macOS seems to be sending ClearFeature(ENDPOINT_HALT) to endpoints which aren't Halted. This makes DWC3's CLEARSTALL command time out which causes several issues for the driver. Instead, let's just return 0 and bail out early. Cc: <stable@vger.kernel.org> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: dwc3: ep0: Fix the possible missed request for handling delay STATUS phaseBaolin Wang2017-01-241-0/+14
| | | | | | | | | | | | | | | | When handing the SETUP packet by composite_setup(), we will release the dwc->lock. If we get the 'USB_GADGET_DELAYED_STATUS' result from setup function, which means we need to delay handling the STATUS phase. But during the lock release period, maybe the request for handling delay STATUS phase has been queued into list before we set 'dwc->delayed_status' flag or entering 'EP0_STATUS_PHASE' phase, then we will miss the chance to handle the STATUS phase. Thus we should check if the request for delay STATUS phase has been enqueued when entering 'EP0_STATUS_PHASE' phase in dwc3_ep0_xfernotready(), if so, we should handle it. Signed-off-by: Baolin Wang <baolin.wang@linaro.org> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: phy: tahvo: Replace the deprecated extcon APIChanwoo Choi2017-01-241-5/+5
| | | | | | | | | This patch replaces the deprecated extcon API as following: - extcon_set_cable_state_() -> extcon_set_state_sync() Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: dwc3: omap: Replace the extcon APIChanwoo Choi2017-01-241-13/+7
| | | | | | | | | | | This patch uses the resource-managed extcon API for extcon_register_notifier() and replaces the deprecated extcon API as following: - extcon_get_cable_state_() -> extcon_get_state() Cc: linux-omap@vger.kernel.org Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: renesas_usbhs: Replace the deprecated extcon APIChanwoo Choi2017-01-241-1/+1
| | | | | | | | | | This patch replaces the deprecated extcon API as following: - extcon_get_cable_state_() -> extcon_get_state() Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Acked-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: phy: qcom-8x16-usb: Replace the extcon APIChanwoo Choi2017-01-241-9/+4
| | | | | | | | | | This patch uses the resource-managed extcon API for extcon_register_notifier() and replaces the deprecated extcon API as following: - extcon_get_cable_state_() -> extcon_get_state() Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: phy: msm: Replace the extcon APIChanwoo Choi2017-01-241-22/+11
| | | | | | | | | | This patch uses the resource-managed extcon API for extcon_register_notifier() and replaces the deprecated extcon API as following: - extcon_get_cable_state_() -> extcon_get_state() Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: phy: omap-otg: Replace the extcon APIChanwoo Choi2017-01-241-18/+6
| | | | | | | | | | | This patch uses the resource-managed extcon API for extcon_register_notifier() and replaces the deprecated extcon API as following: - extcon_get_cable_state_() -> extcon_get_state() Cc: linux-omap@vger.kernel.org Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: dwc3: gadget: align transfers to wMaxPacketSizeFelipe Balbi2017-01-242-8/+63
| | | | | | | Instead of passing quirk_ep_out_aligned_size, we can use one extra TRB to align transfer to wMaxPacketSize. Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: dwc3: gadget: allocate bounce buffer for unaligned xfersFelipe Balbi2017-01-242-2/+17
| | | | | | | | Allocate a coherent buffer of 1024 bytes (size of a single superspeed bulk packet) to serve as bounce buffer for an extra TRB needed to align transfers to wMaxPacketSize. Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: dwc3: gadget: extract __dwc3_prepare_one_trb()Felipe Balbi2017-01-241-22/+36
| | | | | | | | | | | | | This new internal function will be used to solve a minor issue with dwc3 which exists in regards to short packets with OUT endpoints. Currently we're asking gadget driver to *always* send us aligned requests; however if we have enough TRBs we can easily append one extra TRB chained to the previous and keep a throw away 1024 byte buffer around for that. The actual fix will come in a separate patch, this is merely in preparation for such fix. Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: dwc3: gadget: simplify dwc3_prepare_one_trb()Felipe Balbi2017-01-241-17/+5
| | | | | | | | | | We are already passing struct dwc3_request * to dwc3_prepare_one_trb(), because of that there's no need to extract dma address and length in the caller. We can let dwc3_prepare_one_trb() itself handle that part. This simplifies the prototype of the function by removing two arguments. Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: gadget: f_uac2: improve error handlingPeter Chen2017-01-241-4/+6
| | | | | | | If it is out of memory, we should return -ENOMEM; Signed-off-by: Peter Chen <peter.chen@nxp.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* Documentation: usb: fix wrong documentation pathsYegor Yefremov2017-01-245-7/+7
| | | | | | | | Fixes wrong spelled "pinctrl-bindings.txt" and "qcom-dwc3-usb-phy.txt" file names as also wrong specified "mt8173-mtu3.txt" file name. Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* Documentation: dt: dwc3: add reference to the usb-xhci propertiesMartin Blumenstingl2017-01-241-0/+4
| | | | | | | | | dwc3 internally creates a usb-xhci device which means that all properties documented in usb-xhci.txt are supported as well. Acked-by: Rob Herring <robh@kernel.org> Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: dwc2: host: use true/false for booleanNicholas Mc Guire2017-01-241-6/+6
| | | | | | | | For boolean variables true/false is preferred over 1/0 for readability. Acked-by: John Youn <johnyoun@synopsys.com> Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: dwc2: host: use msleep() for long delaysNicholas Mc Guire2017-01-241-6/+6
| | | | | | | | | | ulseep_range() uses hrtimers and provides no advantage over msleep() for larger delays. Fix up the 20+ ms delays here passing the adjusted "min" value to msleep(). This helps reduce the load on the hrtimer subsystem. Acked-by: John Youn <johnyoun@synopsys.com> Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: dwc3: exynos: Remove MODULE_ALIAS()Javier Martinez Canillas2017-01-241-1/+0
| | | | | | | Exynos is DT-only, so there's no need for a platform MODALIAS. Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: dwc3: exynos remove suspend clock unspecified debug messageShuah Khan2017-01-241-3/+1
| | | | | | | | | | | dwc3-exynos prints debug message when suspend clock is not specified. The suspend clock is optional and driver can work without it. This debug message doesn't add any value and leads to confusion and concern. Remove it. Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: gadget: constify usb_gadget_ops structuresBhumika Goyal2017-01-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Declare usb_gadget_ops structures as const as they are only stored in the ops field of a usb_gadget structure. This field is of type const, so usb_gadget_ops structures having this property can be declared const too. Done using Coccinelle: @r1 disable optional_qualifier@ identifier i; position p; @@ static struct usb_gadget_ops i@p={...}; @ok1@ identifier r1.i; position p; struct fotg210_udc fotg210; @@ fotg210.gadget.ops=&i@p @bad@ position p!={r1.p,ok1.p}; identifier r1.i; @@ i@p @depends on !bad disable optional_qualifier@ identifier r1.i; @@ +const struct usb_gadget_ops i; File size before: text data bss dec hex filename 7559 384 8 7951 1f0f usb/gadget/udc/fotg210-udc.o File size after: text data bss dec hex filename 7655 288 8 7951 1f0f usb/gadget/udc/fotg210-udc.o Signed-off-by: Bhumika Goyal <bhumirks@gmail.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: dwc2: use u32 for DT binding parametersLeo Yan2017-01-242-7/+7
| | | | | | | | | | | | | | | | | | Commit 05ee799f2021 ("usb: dwc2: Move gadget settings into core_params") changes to type u16 for DT binding "g-rx-fifo-size" and "g-np-tx-fifo-size" but use type u32 for "g-tx-fifo-size". Finally the the first two parameters cannot be passed successfully with wrong data format. This is found the data transferring broken on 96boards Hikey. This patch is to change all parameters to u32 type, and verified on Hikey board the DT parameters can pass successfully. [johnyoun: minor rebase] Signed-off-by: Leo Yan <leo.yan@linaro.org> Signed-off-by: John Youn <johnyoun@synopsys.com> Tested-by: John Stultz <john.stultz@linaro.org> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: renesas_usbhs: mod_host: fix typo: "connecte" -> "connected"Colin Ian King2017-01-241-1/+1
| | | | | | | trivial fix to typo in dev_dbg message Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: gadget: printer: Remove pnp_string static bufferKrzysztof Opasiak2017-01-243-28/+62
| | | | | | | | | | pnp string is usually much shorter than 1k so let's stop wasting 1k of memory for its buffer and make it dynamically alocated. This also removes 1k len limitation for pnp_string and adds a new line after string content if required. Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: gadget: ether: Add \n to each attribute of ethernet functionsKrzysztof Opasiak2017-01-242-5/+21
| | | | | | | | | Generally in SysFS and ConfigFS files are new line terminated. Also most of USB functions adds a trailing newline to each attribute. Let's follow this convention also in ethernet functions. Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* usb: gadget: udc-core: Rescan pending list on driver unbindKrzysztof Opasiak2017-01-241-14/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since: commit 855ed04a3758 ("usb: gadget: udc-core: independent registration of gadgets and gadget drivers") if we load gadget module but there is no free udc available then it will be stored on a pending gadgets list. $ modprobe g_zero.ko $ modprobe g_ether.ko [] udc-core: couldn't find an available UDC - added [g_ether] to list of pending drivers We scan this list each time when new UDC appears in system. But we can get a free UDC each time after gadget unbind. This commit add scanning of that list directly after unbinding gadget from udc. Thanks to this, when we unload first gadget: $ rmmod g_zero.ko gadget which is pending is automatically attached to that UDC (if name matches). Fixes: 855ed04a3758 ("usb: gadget: udc-core: independent registration of gadgets and gadget drivers") Cc: stable <stable@vger.kernel.org> Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
* Linux 4.10-rc4v4.10-rc4Linus Torvalds2017-01-161-1/+1
|
* Merge branch 'for-linus' of ↵Linus Torvalds2017-01-165-27/+60
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace Pull namespace fixes from Eric Biederman: "This tree contains 4 fixes. The first is a fix for a race that can causes oopses under the right circumstances, and that someone just recently encountered. Past that are several small trivial correct fixes. A real issue that was blocking development of an out of tree driver, but does not appear to have caused any actual problems for in-tree code. A potential deadlock that was reported by lockdep. And a deadlock people have experienced and took the time to track down caused by a cleanup that removed the code to drop a reference count" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: sysctl: Drop reference added by grab_header in proc_sys_readdir pid: fix lockdep deadlock warning due to ucount_lock libfs: Modify mount_pseudo_xattr to be clear it is not a userspace mount mnt: Protect the mountpoint hashtable with mount_lock
| * sysctl: Drop reference added by grab_header in proc_sys_readdirZhou Chengming2017-01-101-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference added by grab_header when return from !dir_emit_dots path. It can cause any path called unregister_sysctl_table will wait forever. The calltrace of CVE-2016-9191: [ 5535.960522] Call Trace: [ 5535.963265] [<ffffffff817cdaaf>] schedule+0x3f/0xa0 [ 5535.968817] [<ffffffff817d33fb>] schedule_timeout+0x3db/0x6f0 [ 5535.975346] [<ffffffff817cf055>] ? wait_for_completion+0x45/0x130 [ 5535.982256] [<ffffffff817cf0d3>] wait_for_completion+0xc3/0x130 [ 5535.988972] [<ffffffff810d1fd0>] ? wake_up_q+0x80/0x80 [ 5535.994804] [<ffffffff8130de64>] drop_sysctl_table+0xc4/0xe0 [ 5536.001227] [<ffffffff8130de17>] drop_sysctl_table+0x77/0xe0 [ 5536.007648] [<ffffffff8130decd>] unregister_sysctl_table+0x4d/0xa0 [ 5536.014654] [<ffffffff8130deff>] unregister_sysctl_table+0x7f/0xa0 [ 5536.021657] [<ffffffff810f57f5>] unregister_sched_domain_sysctl+0x15/0x40 [ 5536.029344] [<ffffffff810d7704>] partition_sched_domains+0x44/0x450 [ 5536.036447] [<ffffffff817d0761>] ? __mutex_unlock_slowpath+0x111/0x1f0 [ 5536.043844] [<ffffffff81167684>] rebuild_sched_domains_locked+0x64/0xb0 [ 5536.051336] [<ffffffff8116789d>] update_flag+0x11d/0x210 [ 5536.057373] [<ffffffff817cf61f>] ? mutex_lock_nested+0x2df/0x450 [ 5536.064186] [<ffffffff81167acb>] ? cpuset_css_offline+0x1b/0x60 [ 5536.070899] [<ffffffff810fce3d>] ? trace_hardirqs_on+0xd/0x10 [ 5536.077420] [<ffffffff817cf61f>] ? mutex_lock_nested+0x2df/0x450 [ 5536.084234] [<ffffffff8115a9f5>] ? css_killed_work_fn+0x25/0x220 [ 5536.091049] [<ffffffff81167ae5>] cpuset_css_offline+0x35/0x60 [ 5536.097571] [<ffffffff8115aa2c>] css_killed_work_fn+0x5c/0x220 [ 5536.104207] [<ffffffff810bc83f>] process_one_work+0x1df/0x710 [ 5536.110736] [<ffffffff810bc7c0>] ? process_one_work+0x160/0x710 [ 5536.117461] [<ffffffff810bce9b>] worker_thread+0x12b/0x4a0 [ 5536.123697] [<ffffffff810bcd70>] ? process_one_work+0x710/0x710 [ 5536.130426] [<ffffffff810c3f7e>] kthread+0xfe/0x120 [ 5536.135991] [<ffffffff817d4baf>] ret_from_fork+0x1f/0x40 [ 5536.142041] [<ffffffff810c3e80>] ? kthread_create_on_node+0x230/0x230 One cgroup maintainer mentioned that "cgroup is trying to offline a cpuset css, which takes place under cgroup_mutex. The offlining ends up trying to drain active usages of a sysctl table which apprently is not happening." The real reason is that proc_sys_readdir doesn't drop reference added by grab_header when return from !dir_emit_dots path. So this cpuset offline path will wait here forever. See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13 Fixes: f0c3b5093add ("[readdir] convert procfs") Cc: stable@vger.kernel.org Reported-by: CAI Qian <caiqian@redhat.com> Tested-by: Yang Shukui <yangshukui@huawei.com> Signed-off-by: Zhou Chengming <zhouchengming1@huawei.com> Acked-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
| * pid: fix lockdep deadlock warning due to ucount_lockAndrei Vagin2017-01-101-4/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ========================================================= [ INFO: possible irq lock inversion dependency detected ] 4.10.0-rc2-00024-g4aecec9-dirty #118 Tainted: G W --------------------------------------------------------- swapper/1/0 just changed the state of lock: (&(&sighand->siglock)->rlock){-.....}, at: [<ffffffffbd0a1bc6>] __lock_task_sighand+0xb6/0x2c0 but this lock took another, HARDIRQ-unsafe lock in the past: (ucounts_lock){+.+...} and interrupts could create inverse lock ordering between them. other info that might help us debug this: Chain exists of: &(&sighand->siglock)->rlock --> &(&tty->ctrl_lock)->rlock --> ucounts_lock Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(ucounts_lock); local_irq_disable(); lock(&(&sighand->siglock)->rlock); lock(&(&tty->ctrl_lock)->rlock); <Interrupt> lock(&(&sighand->siglock)->rlock); *** DEADLOCK *** This patch removes a dependency between rlock and ucount_lock. Fixes: f333c700c610 ("pidns: Add a limit on the number of pid namespaces") Cc: stable@vger.kernel.org Signed-off-by: Andrei Vagin <avagin@openvz.org> Acked-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
| * libfs: Modify mount_pseudo_xattr to be clear it is not a userspace mountEric W. Biederman2017-01-101-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add MS_KERNMOUNT to the flags that are passed. Use sget_userns and force &init_user_ns instead of calling sget so that even if called from a weird context the internal filesystem will be considered to be in the intial user namespace. Luis Ressel reported that the the failure to pass MS_KERNMOUNT into mount_pseudo broke his in development graphics driver that uses the generic drm infrastructure. I am not certain the deriver was bug free in it's usage of that infrastructure but since mount_pseudo_xattr can never be triggered by userspace it is clearer and less error prone, and less problematic for the code to be explicit. Reported-by: Luis Ressel <aranea@aixah.de> Tested-by: Luis Ressel <aranea@aixah.de> Acked-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
| * mnt: Protect the mountpoint hashtable with mount_lockEric W. Biederman2017-01-102-21/+50
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Protecting the mountpoint hashtable with namespace_sem was sufficient until a call to umount_mnt was added to mntput_no_expire. At which point it became possible for multiple calls of put_mountpoint on the same hash chain to happen on the same time. Kristen Johansen <kjlx@templeofstupid.com> reported: > This can cause a panic when simultaneous callers of put_mountpoint > attempt to free the same mountpoint. This occurs because some callers > hold the mount_hash_lock, while others hold the namespace lock. Some > even hold both. > > In this submitter's case, the panic manifested itself as a GP fault in > put_mountpoint() when it called hlist_del() and attempted to dereference > a m_hash.pprev that had been poisioned by another thread. Al Viro observed that the simple fix is to switch from using the namespace_sem to the mount_lock to protect the mountpoint hash table. I have taken Al's suggested patch moved put_mountpoint in pivot_root (instead of taking mount_lock an additional time), and have replaced new_mountpoint with get_mountpoint a function that does the hash table lookup and addition under the mount_lock. The introduction of get_mounptoint ensures that only the mount_lock is needed to manipulate the mountpoint hashtable. d_set_mounted is modified to only set DCACHE_MOUNTED if it is not already set. This allows get_mountpoint to use the setting of DCACHE_MOUNTED to ensure adding a struct mountpoint for a dentry happens exactly once. Cc: stable@vger.kernel.org Fixes: ce07d891a089 ("mnt: Honor MNT_LOCKED when detaching mounts") Reported-by: Krister Johansen <kjlx@templeofstupid.com> Suggested-by: Al Viro <viro@ZenIV.linux.org.uk> Acked-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
* | Merge tag 'char-misc-4.10-rc4' of ↵Linus Torvalds2017-01-1510-16/+34
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are some small char/misc driver fixes for 4.10-rc4 that resolve some reported issues. The MEI driver issue resolves a lot of problems that people have been having, as does the mem driver fix. The other minor fixes resolve other reported issues. All of these have been in linux-next for a while" * tag 'char-misc-4.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: vme: Fix wrong pointer utilization in ca91cx42_slave_get auxdisplay: fix new ht16k33 build errors ppdev: don't print a free'd string extcon: return error code on failure drivers: char: mem: Fix thinkos in kmem address checks mei: bus: enable OS version only for SPT and newer
| * | vme: Fix wrong pointer utilization in ca91cx42_slave_getAugusto Mecking Caringi2017-01-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In ca91cx42_slave_get function, the value pointed by vme_base pointer is set through: *vme_base = ioread32(bridge->base + CA91CX42_VSI_BS[i]); So it must be dereferenced to be used in calculation of pci_base: *pci_base = (dma_addr_t)*vme_base + pci_offset; This bug was caught thanks to the following gcc warning: drivers/vme/bridges/vme_ca91cx42.c: In function ‘ca91cx42_slave_get’: drivers/vme/bridges/vme_ca91cx42.c:467:14: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] *pci_base = (dma_addr_t)vme_base + pci_offset; Signed-off-by: Augusto Mecking Caringi <augustocaringi@gmail.com> Acked-By: Martyn Welch <martyn@welchs.me.uk> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | auxdisplay: fix new ht16k33 build errorsRandy Dunlap2017-01-111-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix build errors caused by selecting incorrect kconfig symbols. drivers/built-in.o:(.data+0x19cec): undefined reference to `sys_fillrect' drivers/built-in.o:(.data+0x19cf0): undefined reference to `sys_copyarea' drivers/built-in.o:(.data+0x19cf4): undefined reference to `sys_imageblit' Fixes: 31114fa95bdb (auxdisplay: ht16k33: select framebuffer helper modules) Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Cc: Miguel Ojeda Sandonis <miguel.ojeda.sandonis@gmail.com> Reported-by: kbuild test robot <fengguang.wu@intel.com> Acked-by: Robin van der Gracht <robin@protonic.nl> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | ppdev: don't print a free'd stringColin Ian King2017-01-111-5/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A previous fix of a memory leak now prints the string 'name' that was previously free'd. Fix this by free'ing the string at the end of the function and adding an error exit path for the error conditions. CoverityScan CID#1384523 ("Use after free") Fixes: 2bd362d5f45c1 ("ppdev: fix memory leak") Signed-off-by: Colin Ian King <colin.king@canonical.com> Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | extcon: return error code on failurePan Bian2017-01-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Function get_zeroed_page() returns a NULL pointer if there is no enough memory. In function extcon_sync(), it returns 0 if the call to get_zeroed_page() fails. The return value 0 indicates success in the context, which is incosistent with the execution status. This patch fixes the bug by returning -ENOMEM. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188611 Signed-off-by: Pan Bian <bianpan2016@163.com> Fixes: a580982f0836e Cc: stable <stable@vger.kernel.org> Acked-by: Chanwoo Choi <cw00.choi@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | drivers: char: mem: Fix thinkos in kmem address checksRobin Murphy2017-01-111-6/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When borrowing the pfn_valid() check from mmap_kmem(), somebody managed to get physical and virtual addresses spectacularly muddled up, such that we've ended up with checks for one being the other. Whilst this does indeed prevent out-of-bounds accesses crashing, on most systems it also prevents the more desirable use-case of working at all ever. Check the *virtual* offset correctly for what it is. Furthermore, do so in the right place - a read or write may span multiple pages, so a single up-front check is insufficient. High memory accesses already have a similar validity check just before the copy_to_user() call, so just make the low memory path fully consistent with that. Reported-by: Jason A. Donenfeld <Jason@zx2c4.com> CC: stable@vger.kernel.org Fixes: 148a1bc84398 ("drivers: char: mem: Check {read,write}_kmem() addresses") Signed-off-by: Robin Murphy <robin.murphy@arm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | mei: bus: enable OS version only for SPT and newerAlexander Usyskin2017-01-115-0/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Sending OS version for support of TPM2_ChangeEPS() is required only for SPT FW (HMB version 2.0) and newer. On older platforms the command should be just ignored by the firmware but some older platforms misbehave so it's safer to send the command only if required. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=192051 Fixes: 7279b238bade (mei: send OS type to the FW) Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Tested-by: Jan Niehusmann <jan@gondor.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | | Merge tag 'driver-core-4.10-rc4' of ↵Linus Torvalds2017-01-154-34/+0
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core fix from Greg KH: "Here is a single patch being reverted to remove a feature that was added in 4.10-rc1 that isn't quite ready for release. It will be redone as a debugfs file instead of a sysfs file in the future" * tag 'driver-core-4.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: Revert "driver core: Add deferred_probe attribute to devices in sysfs"
| * | | Revert "driver core: Add deferred_probe attribute to devices in sysfs"Greg Kroah-Hartman2017-01-144-34/+0
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit 6751667a29d6fd64afb9ce30567ad616b68ed789. Rob Herring objected to it, and a replacement for it will be added using debugfs in the future. Cc: Ben Hutchings <ben.hutchings@codethink.co.uk> Reported-by: Rob Herring <robh@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | | Merge tag 'tty-4.10-rc4' of ↵Linus Torvalds2017-01-155-17/+25
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial fixes from Greg KH: "Here are some small tty/serial driver fixes for 4.10-rc4 to resolve a number of reported issues. Nothing major here at all, one revert of a problematic patch, and some other tiny bugfixes. Full details are in the shortlog below. All have been in linux-next with no reported issues" * tag 'tty-4.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: sysrq: attach sysrq handler correctly for 32-bit kernel Revert "tty: serial: 8250: add CON_CONSDEV to flags" Clearing FIFOs in RS485 emulation mode causes subsequent transmits to break 8250_pci: Fix potential use-after-free in error path tty/serial: atmel: RS485 half duplex w/DMA: enable RX after TX is done tty/serial: atmel_serial: BUG: stop DMA from transmitting in stop_tx
| * | | sysrq: attach sysrq handler correctly for 32-bit kernelAkinobu Mita2017-01-111-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The sysrq input handler should be attached to the input device which has a left alt key. On 32-bit kernels, some input devices which has a left alt key cannot attach sysrq handler. Because the keybit bitmap in struct input_device_id for sysrq is not correctly initialized. KEY_LEFTALT is 56 which is greater than BITS_PER_LONG on 32-bit kernels. I found this problem when using a matrix keypad device which defines a KEY_LEFTALT (56) but doesn't have a KEY_O (24 == 56%32). Cc: Jiri Slaby <jslaby@suse.com> Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com> Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | Revert "tty: serial: 8250: add CON_CONSDEV to flags"Herbert Xu2017-01-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit needs to be reverted because it prevents people from using the serial console as a secondary console with input being directed to tty0. IOW, if you boot with console=ttyS0 console=tty0 then all kernels prior to this commit will produce output on both ttyS0 and tty0 but input will only be taken from tty0. With this patch the serial console will always be the primary console instead of tty0, potentially preventing people from getting into their machines in emergency situations. Fixes: d03516df8375 ("tty: serial: 8250: add CON_CONSDEV to flags") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | Clearing FIFOs in RS485 emulation mode causes subsequent transmits to breakDaniel Jedrychowski2017-01-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When in RS485 emulation mode, __do_stop_tx_rs485() calls serial8250_clear_fifos(). This not only clears the FIFOs, but also sets all bits in their control register (UART_FCR) to 0. One of the effects of this is the disabling of the FIFOs, which turns them into single-byte holding registers. The rest of the driver doesn't know this, which results in the lions share of characters passed into a write call to be dropped. (I can supply logic analyzer screenshots if necessary) This fix replaces the serial8250_clear_fifos() call to serial8250_clear_and_reinit_fifos() - this prevents the "dropped characters" issue from manifesting again while retaining the requirement of clearing the RX FIFO after transmission if the SER_RS485_RX_DURING_TX flag is disabled. Signed-off-by: Daniel Jedrychowski <avistel@gmail.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | 8250_pci: Fix potential use-after-free in error pathGabriel Krisman Bertazi2017-01-111-7/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit f209fa03fc9d ("serial: 8250_pci: Detach low-level driver during PCI error recovery") introduces a potential use-after-free in case the pciserial_init_ports call in serial8250_io_resume fails, which may happen if a memory allocation fails or if the .init quirk failed for whatever reason). If this happen, further pci_get_drvdata will return a pointer to freed memory. This patch reworks the PCI recovery resume hook to restore the old priv structure in this case, which should be ok, since the ports were already detached. Such error during recovery causes us to give up on the recovery. Fixes: f209fa03fc9d ("serial: 8250_pci: Detach low-level driver during PCI error recovery") Reported-by: Michal Suchanek <msuchanek@suse.com> Signed-off-by: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com> Signed-off-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>