- 14 Nov, 2014 40 commits
-
-
Grzegorz Jaszczyk authored
commit 758e8366 upstream. In both Armada-375 and Armada-38x MPIC interrupts should be identified by reading cause register multiplied by the interrupt mask. A lack of above mentioned multiplication resulted in a bug, caused by the fact that in Armada-375 and Armada-38x some of the interrupts (e.g. network interrupts) can be handled either as a GIC or MPIC interrupts. Therefore during MPIC interrupts handling, cause register shows hits from interrupts even if they are masked for MPIC but unmasked for a GIC. This resulted in 'bad IRQ' error, because masked MPIC interrupt without registered interrupt handler, was trying to be handled during interrupt handling procedure of some other unmasked MPIC interrupt (e.g. local timer irq). This commit fixes that by ensuring that during MPIC interrupt handling only interrupts that are unmasked for MPIC are processed. Signed-off-by:
Grzegorz Jaszczyk <jaz@semihalf.com> Reviewed-by:
Gregory CLEMENT <gregory.clement@free-electrons.com> Fixes: bc69b8ad ("irqchip: armada-370-xp: Setup a chained handler for the MPIC") Acked-by:
Ezequiel Garcia <ezequiel.garcia@free-electrons.com> Link: https://lkml.kernel.org/r/1411643839-64925-3-git-send-email-jaz@semihalf.comSigned-off-by:
Jason Cooper <jason@lakedaemon.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Grzegorz Jaszczyk authored
commit 298dcb2d upstream. The MSI interrupts use the 16 high doorbells, which are notified by using IRQ1 of the main interrupt controller. The MSI interrupts were handled correctly for Armada-XP and Armada-370 but not for Armada-375 and Armada-38x, which use chained handler for the MPIC. This commit fixes that by checking proper interrupt number in chained handler for the MPIC. Signed-off-by:
-
Krzysztof Kozlowski authored
commit ca0c37a0 upstream. Driver allocated on stack struct regulator_config but didn't initialize it fully. Few fields (driver_data, ena_gpio) were left untouched. This lead to using random ena_gpio values as GPIOs for max77693 regulators. On occasion these values could match real GPIO numbers leading to interfering with other drivers and to unsuccessful enable/disable of regulator. Signed-off-by:
Krzysztof Kozlowski <k.kozlowski@samsung.com> Fixes: 80b022e2 ("regulator: max77693: Add max77693 regualtor driver.") Signed-off-by:
Mark Brown <broonie@kernel.org> Signed-off-by:
-
Hui Wang authored
commit c922c4e8 upstream. Without the fix, the mute led can't work on these three machines. After apply this fix, these three machines will fall back on the led control quirk as below, and through testing, the mute led works very well. PIN_QUIRK(0x10ec0282, 0x103c, "HP", ALC269_FIXUP_HP_LINE1_MIC1_LED, ALC282_STANDARD_PINS, {0x12, 0x90a60140}, ... BugLink: https://bugs.launchpad.net/bugs/1389497Tested-by:
TieFu Chen <tienfu.chen@canonical.com> Cc: Kailang Yang <kailang@realtek.com> Signed-off-by:
Hui Wang <hui.wang@canonical.com> Signed-off-by:
Takashi Iwai <tiwai@suse.de> Signed-off-by:
-
Anton Blanchard authored
commit 808be314 upstream. Back in 7230c564 ("powerpc: Rework lazy-interrupt handling") we added a call out to restore_interrupts() (written in c) before calling do_notify_resume: bl restore_interrupts addi r3,r1,STACK_FRAME_OVERHEAD bl do_notify_resume Unfortunately do_notify_resume takes two arguments, the second one being the thread_info flags: void do_notify_resume(struct pt_regs *regs, unsigned long thread_info_flags) We do populate r4 (the second argument) earlier, but restore_interrupts() is free to muck it up all it wants. My guess is the gcc compiler gods shone down on us and its register allocator never used r4. Sometimes, rarely, luck is on our side. LLVM on the other hand did trample r4. Signed-off-by:
Anton Blanchard <anton@samba.org> Signed-off-by:
Michael Ellerman <mpe@ellerman.id.au> Signed-off-by:
-
Benjamin Herrenschmidt authored
commit 325e4114 upstream. Endian is hard, especially when I designed a stupid FW interface, and I should know better... oh well, this is attempt #2 at fixing this properly. This time it seems to work with all access sizes and I can run my flashing tool (which exercises all sort of access sizes and types to access the SPI controller in the BMC) just fine. Signed-off-by:
Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by:
-
Dan Streetman authored
commit 10ccaf17 upstream. In powerpc pseries platform dlpar operations, use device_online() and device_offline() instead of cpu_up() and cpu_down(). Calling cpu_up/down() directly does not update the cpu device offline field, which is used to online/offline a cpu from sysfs. Calling device_online/offline() instead keeps the sysfs cpu online value correct. The hotplug lock, which is required to be held when calling device_online/offline(), is already held when dlpar_online/offline_cpu() are called, since they are called only from cpu_probe|release_store(). This patch fixes errors on phyp (PowerVM) systems that have cpu(s) added/removed using dlpar operations; without this patch, the /sys/devices/system/cpu/cpuN/online nodes do not correctly show the online state of added/removed cpus. Signed-off-by:
Dan Streetman <ddstreet@ieee.org> Cc: Nathan Fontenot <nfont@linux.vnet.ibm.com> Fixes: 0902a904 ("Driver core: Use generic offline/online for CPU offline/online") Signed-off-by:
-
Robert Jarzmik authored
commit cde7fc87 upstream. The commit 2111667b ("ARM: pxa: call debug_ll_io_init for earlyprintk") triggers in the current kernel the attached backtrace on PXA/tosa early in the boot time when DEBUG_LL is enabled. It is due to overlap between uart virtual memory defined in DEBUG_UART_VIRT and mapped by debug_ll_io_init() and peripheral bus mapped by pxa_map_io at the same address, 0xf2100000. As hinted by Arnd, map early virtual memory for low level debug on address 0xf6200000, even if that means 2 virtual mappings will give access to the pxa internal UARTs (FFUART, BTUART, STUART, ...). ------------[ cut here ]------------ kernel BUG at /home/lumag/linux/mm/vmalloc.c:1143! Internal error: Oops - BUG: 0 [#1] PREEMPT ARM Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 3.17.0-00032-g8e0d202-dirty #23 task: c062a5a8 ti: c0620000 task.ti: c0620000 PC is at vm_area_add_early+0x54/0x84 LR is at add_static_vm_early+0xc/0x60 pc : [<c03e1100>] lr : [<c03d9ef4>] psr: 800001d3 sp : c0621f04 ip : c03efa74 fp : c03edf84 r10: c0637e98 r9 : 40000001 r8 : c03da57c r7 : c3ffcfb0 r6 : 00000000 r5 : c3ffcfb0 r4 : 02000000 r3 : c3ffcfd8 r2 : f2100000 r1 : f4000000 r0 : c3ffcfb0 Flags: Nzcv IRQs off FIQs off Mode SVC_32 ISA ARM Segment kernel Control: 00007977 Table: a0004000 DAC: 00000017 Process swapper (pid: 0, stack limit = 0xc06201c8) Stack: (0xc0621f04 to 0xc0622000) 1f00: c3ffcfd8 40000001 c3ffcfd8 c03ee08c c03da570 c03db90c c0637d24 1f20: 00000000 c03ec7cc c066e654 a0700000 000a0700 c03db914 c03db90c c03daf84 1f40: 00000000 000a0000 c0000000 c03ec7cc 000a0700 c0700000 ffff1000 000a3fff 1f60: 00001000 00000007 00000000 c03ec7cc c0008000 c03ed748 c0621fd4 c03d5d18 1f80: 69052d00 a03ec48c 00000000 c03d8ad0 0000006c 00007977 c036c6e8 00000001 1fa0: c0621fd4 c03ed744 c0628000 a0004000 69052d00 a03ec48c 00000000 c03d68d4 1fc0: 00000000 00000000 00000000 00000000 00000000 c03ed748 c0649894 c062801c 1fe0: c03ed744 c062b2f0 a0004000 69052d00 a03ec48c a0008040 00000000 00000000 [<c03e1100>] (vm_area_add_early) from [<c03d9ef4>] (add_static_vm_early+0xc/0x60) [<c03d9ef4>] (add_static_vm_early) from [<c03da570>] (iotable_init.part.6+0xa8/0xb4) [<c03da570>] (iotable_init.part.6) from [<c03db914>] (pxa25x_map_io+0x8/0x24) [<c03db914>] (pxa25x_map_io) from [<c03daf84>] (paging_init+0x744/0x8d8) [<c03daf84>] (paging_init) from [<c03d8ad0>] (setup_arch+0x354/0x608) [<c03d8ad0>] (setup_arch) from [<c03d68d4>] (start_kernel+0xa8/0x3dc) [<c03d68d4>] (start_kernel) from [<a0008040>] (0xa0008040) Code: e5904008 e0811004 e1520001 2a000005 (e7f001f2) ---[ end trace f24b6c88ae00fa9a ]--- Kernel panic - not syncing: Attempted to kill the idle task! ---[ end Kernel panic - not syncing: Attempted to kill the idle task! Reported-by:
Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> Signed-off-by:
Robert Jarzmik <robert.jarzmik@free.fr> Acked-by:
Arnd Bergmann <arnd@arndb.de> Signed-off-by:
-
David Cohen authored
commit d90c3381 upstream. Even if a gpio pin is set to output, we still need to set INPUT_EN functionality (by clearing INPUT_EN bit) to be able to read the pin's level. E.g. without this change, we'll always read low level state from sysfs. Cc: Mathias Nyman <mathias.nyman@linux.intel.com> Signed-off-by:
David Cohen <david.a.cohen@linux.intel.com> Reviewed-by:
Felipe Balbi <balbi@ti.com> Signed-off-by:
Linus Walleij <linus.walleij@linaro.org> Signed-off-by:
-
Al Viro authored
commit 7e8631e8 upstream. uninitialized msghdr. Broken in "ocfs2: don't open-code kernel_recvmsg()" by me ;-/ Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk> Signed-off-by:
-
Hans de Goede authored
commit 5a1426c9 upstream. The acpi-video backlight interface on the NC210 does not work, blacklist it and use the samsung-laptop interface instead. BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=861573Signed-off-by:
Hans de Goede <hdegoede@redhat.com> Signed-off-by:
Darren Hart <dvhart@linux.intel.com> Signed-off-by:
-
Hans de Goede authored
commit 183fd8fc upstream. The acpi-video backlight interface on the Acer KAV80 is broken, and worse it causes the entire machine to slow down significantly after a suspend/resume. Blacklist it, and use the acer-wmi backlight interface instead. Note that the KAV80 is somewhat unique in that it is the only Acer model where we fall back to acer-wmi after blacklisting, rather then using the native (e.g. intel) backlight driver. This is done because there is no native backlight interface on this model. BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1128309Signed-off-by:
-
Jan Kara authored
commit a8d42056 upstream. When we fail to allocate page vector in rbd_obj_read_sync() we just basically ignore the problem and continue which will result in an oops later. Fix the problem by returning proper error. CC: Yehuda Sadeh <yehuda@inktank.com> CC: Sage Weil <sage@inktank.com> CC: ceph-devel@vger.kernel.org Coverity-id: 1226882 Signed-off-by:
Jan Kara <jack@suse.cz> Signed-off-by:
Ilya Dryomov <idryomov@redhat.com> Signed-off-by:
-
Laurent Pinchart authored
commit f022d8cb upstream. If activation of the CMA area fails its mutex won't be initialized, leading to an oops at allocation time when trying to lock the mutex. Fix this by setting the cma area count field to 0 when activation fails, leading to allocation returning NULL immediately. Signed-off-by:
Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com> Acked-by:
Michal Nazarewicz <mina86@mina86.com> Signed-off-by:
Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by:
-
jens stein authored
commit b2a9601c upstream. commit c675949e Author: Jani Nikula <jani.nikula@intel.com> Date: Wed Apr 9 11:31:37 2014 +0300 drm/i915: do not setup backlight if not available according to VBT prevents backlight setup on Macbook 2,1. Apply quirk to ignore the VBT check so backlight is set up properly. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=81438Signed-off-by:
Jens Stein Jørgensen <jens.s.stein@gmail.com> Signed-off-by:
Jani Nikula <jani.nikula@intel.com> Signed-off-by:
-
Ville Syrjälä authored
commit 6be1e3d3 upstream. vlv_cdclk_freq is in kHz but we need MHz for the GMBUSFREQ divider. This is a regression from: commit f8bf63fd Author: Ville Syrjälä <ville.syrjala@linux.intel.com> Date: Fri Jun 13 13:37:54 2014 +0300 drm/i915: Kill duplicated cdclk readout code from i2c Signed-off-by:
Ville Syrjälä <ville.syrjala@linux.intel.com> Signed-off-by:
-
Ville Syrjälä authored
commit f6a19066 upstream. Sometimes we seem to get utter garbage from DPCD reads. The resulting buffer is filled with the same byte, and the operation completed without errors. My HP ZR24w monitor seems particularly susceptible to this problem once it's gone into a sleep mode. The issue seems to happen only for the first AUX message that wakes the sink up. But as the first AUX read we often do is the DPCD receiver cap it does wreak a bit of havoc with subsequent link training etc. when the receiver cap bw/lane/etc. information is garbage. A sufficient workaround seems to be to perform a single byte dummy read before reading the actual data. I suppose that just wakes up the sink sufficiently and we can just throw away the returned data in case it's crap. DP_DPCD_REV seems like a sufficiently safe location to read here. Signed-off-by:
Todd Previte <tprevite@gmail.com> Signed-off-by:
-
Alex Deucher authored
commit 8c3e4347 upstream. 0x4c6e is a secondary device id so should not be used by the driver. Noticed-by:
Mark Kettenis <mark.kettenis@xs4all.nl> Signed-off-by:
Alex Deucher <alexander.deucher@amd.com> Signed-off-by:
-
Alex Deucher authored
commit 72b3f918 upstream. - bapm seems to cause CPU stuck messages so disable it. - nb dpm seems to prevent GPU dpm from getting enabled, so disable it. bug: https://bugs.freedesktop.org/show_bug.cgi?id=85107Signed-off-by:
-
Michel Dänzer authored
commit e5a5fd4d upstream. Should avoid kmalloc failures due to large number of array entries. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=81991Reviewed-by:
Dave Airlie <airlied@redhat.com> Reviewed-by:
Christian König <christian.koenig@amd.com> Signed-off-by:
Michel Dänzer <michel.daenzer@amd.com> Signed-off-by:
-
Alex Deucher authored
commit 6fa45593 upstream. Causes problems on some boards. bug: https://bugs.freedesktop.org/show_bug.cgi?id=82889Signed-off-by:
-
Sinclair Yeh authored
commit 9a72384d upstream. When screen objects are enabled, the bpp is assumed to be 32, otherwise it is set to 16. v2: * Use u32 instead of u64 for assumed_bpp. * Fixed mechanism to check for screen objects * Limit the back buffer size to VRAM. Signed-off-by:
Sinclair Yeh <syeh@vmware.com> Reviewed-by:
Thomas Hellstrom <thellstrom@vmware.com> Signed-off-by:
-
Jiang Liu authored
commit f1829859 upstream. Intel MID platforms has no legacy interrupts, so no IRQ descriptors preallocated. We need to call mp_map_gsi_to_irq() to create IRQ descriptors for APB timers and RTC timers, otherwise it may cause invalid memory access as: [ 0.116839] BUG: unable to handle kernel NULL pointer dereference at 0000003a [ 0.123803] IP: [<c1071c0e>] setup_irq+0xf/0x4d Tested-by:
Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by:
Jiang Liu <jiang.liu@linux.intel.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: Tony Luck <tony.luck@intel.com> Cc: Joerg Roedel <joro@8bytes.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: H. Peter Anvin <hpa@linux.intel.com> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Rafael J. Wysocki <rjw@rjwysocki.net> Cc: Bjorn Helgaas <bhelgaas@google.com> Cc: Randy Dunlap <rdunlap@infradead.org> Cc: Yinghai Lu <yinghai@kernel.org> Cc: Borislav Petkov <bp@alien8.de> Cc: David Cohen <david.a.cohen@linux.intel.com> Link: http://lkml.kernel.org/r/1414387308-27148-3-git-send-email-jiang.liu@linux.intel.comSigned-off-by:
Thomas Gleixner <tglx@linutronix.de> Signed-off-by:
Ingo Molnar <mingo@kernel.org> Signed-off-by:
-
Kirill Tkhai authored
commit f1e3a093 upstream. Probability of use-after-free isn't zero in this place. Signed-off-by:
Kirill Tkhai <ktkhai@parallels.com> Signed-off-by:
Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Link: http://lkml.kernel.org/r/20140922183636.11015.83611.stgit@localhostSigned-off-by:
-
Felipe Balbi authored
[ Upstream commit 52ec49a5 ] During Halt Endpoint Test, our interrupt endpoint will be disabled, which will clear out ep->desc to NULL. Unless we call config_ep_by_speed() again, we will not be able to enable this endpoint which will make us fail that test. Fixes: f9c56cdd (usb: gadget: Clear usb_endpoint_descriptor inside the struct usb_ep on disable) Signed-off-by:
-
Felipe Balbi authored
[ Upstream commit 7a608559 ] According to our Gadget Framework API documentation, ->set_halt() *must* return -EAGAIN if we have pending transfers (on either direction) or FIFO isn't empty (on TX endpoints). Fix this bug so that the mass storage gadget can be used without stall=0 parameter. This patch should be backported to all kernels since v3.2. Suggested-by:
Alan Stern <stern@rowland.harvard.edu> Signed-off-by:
-
Ben Hutchings authored
Based on a5b7616c, but backported so that a bunch of dependencies are not needed. m25p80's device ID table is now spi_nor_ids, defined in spi-nor. The MODULE_DEVICE_TABLE() macro doesn't work with extern definitions, but its use was also removed at the same time. Now if m25p80 is built as a module it doesn't get the necessary aliases to be loaded automatically. A clean solution to this will involve defining the list of device IDs in spi-nor.h and removing struct spi_device_id from the spi-nor API, but this is quite a large change. As a quick fix suitable for stable, copy the device IDs back into m25p80. Fixes: 03e296f6 ("mtd: m25p80: use the SPI nor framework") Signed-off-by:
Ben Hutchings <ben@decadent.org.uk> [Brian: backport without the dependencies] Signed-off-by:
Brian Norris <computersforpeace@gmail.com> Signed-off-by:
-
Ondrej Kozina authored
commit e2cffb5f upstream. On archs with PAGE_SIZE >= 64 KiB the function skcipher_alloc_sgl() fails with -ENOMEM no matter what user space actually requested. This is caused by the fact sock_kmalloc call inside the function tried to allocate more memory than allowed by the default kernel socket buffer size (kernel param net.core.optmem_max). Signed-off-by:
Ondrej Kozina <okozina@redhat.com> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
-
Sylwester Nawrocki authored
commit 098bcd23 upstream. The PLAT_S5P Kconfig symbol was removed in commit d78c16cc ("ARM: SAMSUNG: Remove remaining legacy code"). However, there are still some references to that symbol left, fix that by substituting them with ARCH_S5PV210. Fixes: d78c16cc ("ARM: SAMSUNG: Remove remaining legacy code") Reported-by:
Paul Bolle <pebolle@tiscali.nl> Signed-off-by:
Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by:
Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by:
-
Jan Kara authored
commit f55fefd1 upstream. The WARN_ON checking whether i_mutex is held in pagecache_isize_extended() was wrong because some filesystems (e.g. XFS) use different locks for serialization of truncates / writes. So just remove the check. Signed-off-by:
Dave Chinner <dchinner@redhat.com> Signed-off-by:
Dave Chinner <david@fromorbit.com> Signed-off-by:
-
Andy Lutomirski authored
commit b47dcbdc upstream. If the TSC is unusable or disabled, then this patch fixes: - Confusion while trying to clear old APIC interrupts. - Division by zero and incorrect programming of the TSC deadline timer. This fixes boot if the CPU has a TSC deadline timer but a missing or broken TSC. The failure to boot can be observed with qemu using -cpu qemu64,-tsc,+tsc-deadline This also happens to me in nested KVM for unknown reasons. With this patch, I can boot cleanly (although without a TSC). Signed-off-by:
Andy Lutomirski <luto@amacapital.net> Cc: Bandan Das <bsd@redhat.com> Link: http://lkml.kernel.org/r/e2fa274e498c33988efac0ba8b7e3120f7f92d78.1413393027.git.luto@amacapital.netSigned-off-by:
-
Mathias Krause authored
commit 6891c450 upstream. If userland creates a timer without specifying a sigevent info, we'll create one ourself, using a stack local variable. Particularly will we use the timer ID as sival_int. But as sigev_value is a union containing a pointer and an int, that assignment will only partially initialize sigev_value on systems where the size of a pointer is bigger than the size of an int. On such systems we'll copy the uninitialized stack bytes from the timer_create() call to userland when the timer actually fires and we're going to deliver the signal. Initialize sigev_value with 0 to plug the stack info leak. Found in the PaX patch, written by the PaX Team. Fixes: 5a9fa730 ("posix-timers: kill ->it_sigev_signo and...") Signed-off-by:
Mathias Krause <minipli@googlemail.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Brad Spengler <spender@grsecurity.net> Cc: PaX Team <pageexec@freemail.hu> Link: http://lkml.kernel.org/r/1412456799-32339-1-git-send-email-minipli@googlemail.comSigned-off-by:
-
Dmitry Eremin-Solenikov authored
commit 89cf38dd upstream. After '#echo mem > /sys/power/state' some devices can not be properly resumed because apparently the MTD Partition Configuration Register has been reset to default thus the rootfs cannot be mounted cleanly on resume. An example of this can be found in the SA-1100 Developer's Manual at 9.5.3.3 where the second step of the Sleep Shutdown Sequence is described: "An internal reset is applied to the SA-1100. All units are reset...". As workaround we refresh the PCR value as done initially on chip setup. This behavior and the fix are confirmed by our tests done on 2 different Zaurus collie units with kernel 3.17. Fixes: 812c5fa8: ("mtd: cfi_cmdset_0001.c: add support for Sharp LH28F640BF NOR") Signed-off-by:
Andrea Adami <andrea.adami@gmail.com> Signed-off-by:
-
Karl Beldan authored
commit c7abf25a upstream. It affects non-(V)HT rates and can lead to selecting an rts_cts rate that is not a basic rate or way superior to the reference rate (ATM rates[0] used for the 1st attempt of the protected frame data). E.g, assuming drivers register growing (bitrate) sorted tables of ieee80211_rate-s, having : - rates[0].idx == d'2 and basic_rates == b'10100 will select rts_cts idx b'10011 & ~d'(BIT(2)-1), i.e. 1, likewise - rates[0].idx == d'2 and basic_rates == b'10001 will select rts_cts idx b'10000 The first is not a basic rate and the second is > rates[0]. Also, wrt severity of the addressed misbehavior, ATM we only have one rts_cts_rate_idx rather than one per rate table entry, so this idx might still point to bitrates > rates[1..MAX_RATES]. Fixes: 5253ffb8 ("mac80211: always pick a basic rate to tx RTS/CTS for pre-HT rates") Signed-off-by:
Karl Beldan <karl.beldan@rivierawaves.com> Signed-off-by:
Johannes Berg <johannes.berg@intel.com> Signed-off-by:
-
Ian Abbott authored
commit 238b5ad8 upstream. As a follow-up to commit 6cab7a37 ("staging: comedi: (regression) channel list must be set for COMEDI_CMD ioctl"), Hartley Sweeten pointed out another couple of bugs stemming from commit 6cab7a37 ("staging: comedi: comedi_fops: introduce __comedi_get_user_chanlist()"). Firstly, `do_cmdtest_ioctl()` never frees the kernel copy of the user chanlist allocated by `__comedi_get_user_chanlist()`, so that memory is leaked. Fix it by freeing the allocated kernel memory pointed to by `cmd.chanlist` before that pointer is overwritten with its original pointer to user memory before `cmd` is copied back to user-space. Secondly, if `__comedi_get_user_chanlist()` returns an error, `cmd->chanlist` is left unchanged and in fact will be a pointer to user memory. This causes `do_cmd_ioctl()` to `goto cleanup` and call `do_become_nonbusy()` which would attempt to free the memory pointed to by the user-space pointer. Fix it by setting `cmd->chanlist` to NULL at the start of `__comedi_get_user_chanlist()`. Fixes: c6cd0eef ("staging: comedi: comedi_fops: introduce __comedi_get_user_chanlist()") Reported-by:
H Hartley Sweeten <hsweeten@visionengravers.com> Signed-off-by:
-
Ian Abbott authored
commit 6cab7a37 upstream. `do_cmd_ioctl()`, the handler for the `COMEDI_CMD` ioctl can incorrectly call the Comedi subdevice's `do_cmd()` handler with a NULL channel list pointer. This is a regression as the `do_cmd()` handler has never been expected to deal with that, leading to a kernel OOPS when it tries to dereference it. A NULL channel list pointer is allowed for the `COMEDI_CMDTEST` ioctl, handled by `do_cmdtest_ioctl()` and the subdevice's `do_cmdtest()` handler, but not for the `COMEDI_CMD` ioctl and its handlers. Both `do_cmd_ioctl()` and `do_cmdtest_ioctl()` call `__comedi_get_user_chanlist()` to copy the channel list from user memory into dynamically allocated kernel memory and check it for consistency. That function currently returns 0 if the `user_chanlist` parameter (pointing to the channel list in user memory) is NULL. That's fine for `do_cmdtest_ioctl()`, but `do_cmd_ioctl()` incorrectly assumes the kernel copy of the channel list has been set-up correctly. Fix it by not allowing the `user_chanlist` parameter to be NULL in `__comedi_get_user_chanlist()`, and only calling it from `do_cmdtest_ioctl()` if the parameter is non-NULL. Thanks to Bernd Porr for reporting the bug via an initial patch sent privately. Fixes: c6cd0eef ("staging: comedi: comedi_fops: introduce __comedi_get_user_chanlist()") Reported-by:
Bernd Porr <mail@berndporr.me.uk> Signed-off-by:
Ian Abbott <abbotti@mev.co.uk> Reviewed-by:
-
Imre Deak authored
commit 94fb823f upstream. If a device's dev_pm_ops::freeze callback fails during the QUIESCE phase, we don't rollback things correctly calling the thaw and complete callbacks. This could leave some devices in a suspended state in case of an error during resuming from hibernation. Signed-off-by:
Imre Deak <imre.deak@intel.com> Signed-off-by:
Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by:
-
Imre Deak authored
commit 246ef766 upstream. If an asynchronous suspend_late or freeze_late callback fails during the SUSPEND, FREEZE or QUIESCE phases, we don't propagate the corresponding error correctly, in effect ignoring the error and continuing the suspend-to-ram/hibernation. During suspend-to-ram this could leave some devices without a valid saved context, leading to a failure to reinitialize them during resume. During hibernation this could leave some devices active interfeering with the creation / restoration of the hibernation image. Also this could leave the corresponding devices without a valid saved context and failure to reinitialize them during resume. Fixes: de377b39 (PM / sleep: Asynchronous threads for suspend_late) Signed-off-by:
-
Peter Hurley authored
commit 37b16457 upstream. Kernel oops can cause the tty to be unreleaseable (for example, if n_tty_read() crashes while on the read_wait queue). This will cause tty_release() to endlessly loop without sleeping. Use a killable sleep timeout which grows by 2n+1 jiffies over the interval [0, 120 secs.) and then jumps to forever (but still killable). NB: killable just allows for the task to be rewoken manually, not to be terminated. Signed-off-by:
Peter Hurley <peter@hurleysoftware.com> Signed-off-by:
-
Imre Deak authored
commit 9e326f78 upstream. We can call this function for a dummy console that doesn't support setting the font mapping, which will result in a null ptr BUG. So check for this case and return error for consoles w/o font mapping support. Reference: https://bugzilla.kernel.org/show_bug.cgi?id=59321Signed-off-by:
-
