1. 06 Jan, 2016 40 commits
    • Mauricio Faria de Oliveira's avatar
      Revert "dm mpath: fix stalls when handling invalid ioctls" · 81b16323
      Mauricio Faria de Oliveira authored
      commit 47796938 upstream.
      
      This reverts commit a1989b33.
      
      That commit introduced a regression at least for the case of the SG_IO ioctl()
      running without CAP_SYS_RAWIO capability (e.g., unprivileged users) when there
      are no active paths: the ioctl() fails with the ENOTTY errno immediately rather
      than blocking due to queue_if_no_path until a path becomes active, for example.
      
      That case happens to be exercised by QEMU KVM guests with 'scsi-block' devices
      (qemu "-device scsi-block" [1], libvirt "<disk type='block' device='lun'>" [2])
      from multipath devices; which leads to SCSI/filesystem errors in such a guest.
      
      More general scenarios can hit that regression too. The following demonstration
      employs a SG_IO ioctl() with a standard SCSI INQUIRY command for this objective
      (some output & user changes omitted for brevity and comments added for clarity).
      
      Reverting that commit restores normal operation (queueing) in failing scenarios;
      tested on linux-next (next-20151022).
      
      1) Test-case is based on sg_simple0 [3] (just SG_IO; remove SG_GET_VERSION_NUM)
      
          $ cat sg_simple0.c
          ... see [3] ...
          $ sed '/SG_GET_VERSION_NUM/,/}/d' sg_simple0.c > sgio_inquiry.c
          $ gcc sgio_inquiry.c -o sgio_inquiry
      
      2) The ioctl() works fine with active paths present.
      
          # multipath -l 85ag56
          85ag56 (...) dm-19 IBM     ,2145
          size=60G features='1 queue_if_no_path' hwhandler='0' wp=rw
          |-+- policy='service-time 0' prio=0 status=active
          | |- 8:0:11:0  sdz  65:144  active undef running
          | `- 9:0:9:0   sdbf 67:144  active undef running
          `-+- policy='service-time 0' prio=0 status=enabled
            |- 8:0:12:0  sdae 65:224  active undef running
            `- 9:0:12:0  sdbo 68:32   active undef running
      
          $ ./sgio_inquiry /dev/mapper/85ag56
          Some of the INQUIRY command's response:
              IBM       2145              0000
          INQUIRY duration=0 millisecs, resid=0
      
      3) The ioctl() fails with ENOTTY errno with _no_ active paths present,
         for unprivileged users (rather than blocking due to queue_if_no_path).
      
          # for path in $(multipath -l 85ag56 | grep -o 'sd[a-z]\+'); \
                do multipathd -k"fail path $path"; done
      
          # multipath -l 85ag56
          85ag56 (...) dm-19 IBM     ,2145
          size=60G features='1 queue_if_no_path' hwhandler='0' wp=rw
          |-+- policy='service-time 0' prio=0 status=enabled
          | |- 8:0:11:0  sdz  65:144  failed undef running
          | `- 9:0:9:0   sdbf 67:144  failed undef running
          `-+- policy='service-time 0' prio=0 status=enabled
            |- 8:0:12:0  sdae 65:224  failed undef running
            `- 9:0:12:0  sdbo 68:32   failed undef running
      
          $ ./sgio_inquiry /dev/mapper/85ag56
          sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device
      
      4) dmesg shows that scsi_verify_blk_ioctl() failed for SG_IO (0x2285);
         it returns -ENOIOCTLCMD, later replaced with -ENOTTY in vfs_ioctl().
      
          $ dmesg
          <...>
          [] device-mapper: multipath: Failing path 65:144.
          [] device-mapper: multipath: Failing path 67:144.
          [] device-mapper: multipath: Failing path 65:224.
          [] device-mapper: multipath: Failing path 68:32.
          [] sgio_inquiry: sending ioctl 2285 to a partition!
      
      5) The ioctl() only works if the SYS_CAP_RAWIO capability is present
         (then queueing happens -- in this example, queue_if_no_path is set);
         this is due to a conditional check in scsi_verify_blk_ioctl().
      
          # capsh --drop=cap_sys_rawio -- -c './sgio_inquiry /dev/mapper/85ag56'
          sg_simple0: Inquiry SG_IO ioctl error: Inappropriate ioctl for device
      
          # ./sgio_inquiry /dev/mapper/85ag56 &
          [1] 72830
      
          # cat /proc/72830/stack
          [<c00000171c0df700>] 0xc00000171c0df700
          [<c000000000015934>] __switch_to+0x204/0x350
          [<c000000000152d4c>] msleep+0x5c/0x80
          [<c00000000077dfb0>] dm_blk_ioctl+0x70/0x170
          [<c000000000487c40>] blkdev_ioctl+0x2b0/0x9b0
          [<c0000000003128e4>] block_ioctl+0x64/0xd0
          [<c0000000002dd3b0>] do_vfs_ioctl+0x490/0x780
          [<c0000000002dd774>] SyS_ioctl+0xd4/0xf0
          [<c000000000009358>] system_call+0x38/0xd0
      
      6) This is the function call chain exercised in this analysis:
      
      SYSCALL_DEFINE3(ioctl, <...>) @ fs/ioctl.c
          -> do_vfs_ioctl()
              -> vfs_ioctl()
                  ...
                  error = filp->f_op->unlocked_ioctl(filp, cmd, arg);
                  ...
                      -> dm_blk_ioctl() @ drivers/md/dm.c
                          -> multipath_ioctl() @ drivers/md/dm-mpath.c
                              ...
                              (bdev = NULL, due to no active paths)
                              ...
                              if (!bdev || <...>) {
                                  int err = scsi_verify_blk_ioctl(NULL, cmd);
                                  if (err)
                                      r = err;
                              }
                              ...
                                  -> scsi_verify_blk_ioctl() @ block/scsi_ioctl.c
                                      ...
                                      if (bd && bd == bd->bd_contains) // not taken (bd = NULL)
                                          return 0;
                                      ...
                                      if (capable(CAP_SYS_RAWIO)) // not taken (unprivileged user)
                                          return 0;
                                      ...
                                      printk_ratelimited(KERN_WARNING
                                                 "%s: sending ioctl %x to a partition!\n" <...>);
      
                                      return -ENOIOCTLCMD;
                                  <-
                              ...
                              return r ? : <...>
                          <-
                  ...
                  if (error == -ENOIOCTLCMD)
                      error = -ENOTTY;
                   out:
                      return error;
                  ...
      
      Links:
      [1] http://git.qemu.org/?p=qemu.git;a=commit;h=336a6915bc7089fb20fea4ba99972ad9a97c5f52
      [2] https://libvirt.org/formatdomain.html#elementsDisks (see 'disk' -> 'device')
      [3] http://tldp.org/HOWTO/SCSI-Generic-HOWTO/pexample.html (Revision 1.2, 2002-05-03)
      Signed-off-by: default avatarMauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      81b16323
    • Brian Norris's avatar
      mtd: blkdevs: fix potential deadlock + lockdep warnings · 3b819706
      Brian Norris authored
      commit f3c63795 upstream.
      
      Commit 073db4a5 ("mtd: fix: avoid race condition when accessing
      mtd->usecount") fixed a race condition but due to poor ordering of the
      mutex acquisition, introduced a potential deadlock.
      
      The deadlock can occur, for example, when rmmod'ing the m25p80 module, which
      will delete one or more MTDs, along with any corresponding mtdblock
      devices. This could potentially race with an acquisition of the block
      device as follows.
      
       -> blktrans_open()
          ->  mutex_lock(&dev->lock);
          ->  mutex_lock(&mtd_table_mutex);
      
       -> del_mtd_device()
          ->  mutex_lock(&mtd_table_mutex);
          ->  blktrans_notify_remove() -> del_mtd_blktrans_dev()
             ->  mutex_lock(&dev->lock);
      
      This is a classic (potential) ABBA deadlock, which can be fixed by
      making the A->B ordering consistent everywhere. There was no real
      purpose to the ordering in the original patch, AFAIR, so this shouldn't
      be a problem. This ordering was actually already present in
      del_mtd_blktrans_dev(), for one, where the function tried to ensure that
      its caller already held mtd_table_mutex before it acquired &dev->lock:
      
              if (mutex_trylock(&mtd_table_mutex)) {
                      mutex_unlock(&mtd_table_mutex);
                      BUG();
              }
      
      So, reverse the ordering of acquisition of &dev->lock and &mtd_table_mutex so
      we always acquire mtd_table_mutex first.
      
      Snippets of the lockdep output follow:
      
        # modprobe -r m25p80
        [   53.419251]
        [   53.420838] ======================================================
        [   53.427300] [ INFO: possible circular locking dependency detected ]
        [   53.433865] 4.3.0-rc6 #96 Not tainted
        [   53.437686] -------------------------------------------------------
        [   53.444220] modprobe/372 is trying to acquire lock:
        [   53.449320]  (&new->lock){+.+...}, at: [<c043fe4c>] del_mtd_blktrans_dev+0x80/0xdc
        [   53.457271]
        [   53.457271] but task is already holding lock:
        [   53.463372]  (mtd_table_mutex){+.+.+.}, at: [<c0439994>] del_mtd_device+0x18/0x100
        [   53.471321]
        [   53.471321] which lock already depends on the new lock.
        [   53.471321]
        [   53.479856]
        [   53.479856] the existing dependency chain (in reverse order) is:
        [   53.487660]
        -> #1 (mtd_table_mutex){+.+.+.}:
        [   53.492331]        [<c043fc5c>] blktrans_open+0x34/0x1a4
        [   53.497879]        [<c01afce0>] __blkdev_get+0xc4/0x3b0
        [   53.503364]        [<c01b0bb8>] blkdev_get+0x108/0x320
        [   53.508743]        [<c01713c0>] do_dentry_open+0x218/0x314
        [   53.514496]        [<c0180454>] path_openat+0x4c0/0xf9c
        [   53.519959]        [<c0182044>] do_filp_open+0x5c/0xc0
        [   53.525336]        [<c0172758>] do_sys_open+0xfc/0x1cc
        [   53.530716]        [<c000f740>] ret_fast_syscall+0x0/0x1c
        [   53.536375]
        -> #0 (&new->lock){+.+...}:
        [   53.540587]        [<c063f124>] mutex_lock_nested+0x38/0x3cc
        [   53.546504]        [<c043fe4c>] del_mtd_blktrans_dev+0x80/0xdc
        [   53.552606]        [<c043f164>] blktrans_notify_remove+0x7c/0x84
        [   53.558891]        [<c04399f0>] del_mtd_device+0x74/0x100
        [   53.564544]        [<c043c670>] del_mtd_partitions+0x80/0xc8
        [   53.570451]        [<c0439aa0>] mtd_device_unregister+0x24/0x48
        [   53.576637]        [<c046ce6c>] spi_drv_remove+0x1c/0x34
        [   53.582207]        [<c03de0f0>] __device_release_driver+0x88/0x114
        [   53.588663]        [<c03de19c>] device_release_driver+0x20/0x2c
        [   53.594843]        [<c03dd9e8>] bus_remove_device+0xd8/0x108
        [   53.600748]        [<c03dacc0>] device_del+0x10c/0x210
        [   53.606127]        [<c03dadd0>] device_unregister+0xc/0x20
        [   53.611849]        [<c046d878>] __unregister+0x10/0x20
        [   53.617211]        [<c03da868>] device_for_each_child+0x50/0x7c
        [   53.623387]        [<c046eae8>] spi_unregister_master+0x58/0x8c
        [   53.629578]        [<c03e12f0>] release_nodes+0x15c/0x1c8
        [   53.635223]        [<c03de0f8>] __device_release_driver+0x90/0x114
        [   53.641689]        [<c03de900>] driver_detach+0xb4/0xb8
        [   53.647147]        [<c03ddc78>] bus_remove_driver+0x4c/0xa0
        [   53.652970]        [<c00cab50>] SyS_delete_module+0x11c/0x1e4
        [   53.658976]        [<c000f740>] ret_fast_syscall+0x0/0x1c
        [   53.664621]
        [   53.664621] other info that might help us debug this:
        [   53.664621]
        [   53.672979]  Possible unsafe locking scenario:
        [   53.672979]
        [   53.679169]        CPU0                    CPU1
        [   53.683900]        ----                    ----
        [   53.688633]   lock(mtd_table_mutex);
        [   53.692383]                                lock(&new->lock);
        [   53.698306]                                lock(mtd_table_mutex);
        [   53.704658]   lock(&new->lock);
        [   53.707946]
        [   53.707946]  *** DEADLOCK ***
      
      Fixes: 073db4a5 ("mtd: fix: avoid race condition when accessing mtd->usecount")
      Reported-by: default avatarFelipe Balbi <balbi@ti.com>
      Tested-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      3b819706
    • Mikulas Patocka's avatar
      dm: initialize non-blk-mq queue data before queue is used · 24ff5521
      Mikulas Patocka authored
      commit ad5f498f upstream.
      
      Commit bfebd1cd ("dm: add full blk-mq
      support to request-based DM") moves the initialization of the fields
      backing_dev_info.congested_fn, backing_dev_info.congested_data and
      queuedata from the function dm_init_md_queue (that is called when the
      device is created) to dm_init_old_md_queue (that is called after the
      device type is determined).
      
      There is no locking when accessing these variables, thus it is possible
      for other parts of the kernel to briefly see this data in a transient
      state (e.g. queue->backing_dev_info.congested_fn initialized and
      md->queue->backing_dev_info.congested_data uninitialized, resulting in
      passing an incorrect parameter to the function dm_any_congested).
      
      This queue data is left initialized for blk-mq devices even though they
      that don't use it.
      
      Fixes: bfebd1cd ("dm: add full blk-mq support to request-based DM")
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      24ff5521
    • sumit.saxena@avagotech.com's avatar
      megaraid_sas: Do not use PAGE_SIZE for max_sectors · b0656119
      sumit.saxena@avagotech.com authored
      commit 357ae967 upstream.
      
      Do not use PAGE_SIZE marco to calculate max_sectors per I/O
      request. Driver code assumes PAGE_SIZE will be always 4096 which can
      lead to wrongly calculated value if PAGE_SIZE is not 4096. This issue
      was reported in Ubuntu Bugzilla Bug #1475166.
      Signed-off-by: default avatarSumit Saxena <sumit.saxena@avagotech.com>
      Signed-off-by: default avatarKashyap Desai <kashyap.desai@avagotech.com>
      Reviewed-by: default avatarTomas Henzl <thenzl@redhat.com>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      b0656119
    • sumit.saxena@avagotech.com's avatar
      megaraid_sas: Expose TAPE drives unconditionally · 714be29f
      sumit.saxena@avagotech.com authored
      commit 0d5b47a7 upstream.
      
      Expose non-disk (TAPE drive, CD-ROM) unconditionally.
      Signed-off-by: default avatarSumit Saxena <sumit.saxena@avagotech.com>
      Signed-off-by: default avatarKashyap Desai <kashyap.desai@avagotech.com>
      Reviewed-by: default avatarTomas Henzl <thenzl@redhat.com>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      714be29f
    • Ricardo Ribalda Delgado's avatar
      spi/spi-xilinx: Fix race condition on last word read · 795cd3cd
      Ricardo Ribalda Delgado authored
      commit eca37c7c upstream.
      
      Some users have reported that in polled mode the driver fails randomly
      to read the last word of the transfer.
      
      The end condition used for the transmissions (in polled and irq mode)
      has been the TX_EMPTY flag. But Lars-Peter Clausen has identified a delay
      from the TX_EMPTY to the actual end of the data rx.
      
      I believe that this race condition has not been detected until now
      because of the latency added by the IRQ handler or the PCIe bridge.
      This bugs affects setups with low latency access to the spi core.
      
      This patch replaces the readout logic:
      
      For all the words, except the last one, the TX_EMPTY flag is used (and
      cached).
      
      If !TX_EMPY or is the last word. The status register is read and the
      RX_EMPTY flag is used.
      
      The performance is not affected: there is an extra read of the
      Status Register, but the readout can start as soon as there is a word
      in the buffer.
      Reported-by: default avatarEdward Kigwana <ekigwana@scires.com>
      Initial-fix-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarRicardo Ribalda Delgado <ricardo.ribalda@gmail.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      795cd3cd
    • Alex Deucher's avatar
      drm/amdgpu: add some additional CZ revisions · 065c15cb
      Alex Deucher authored
      commit b8b339ea upstream.
      Reviewed-by: default avatarJammy Zhou <Jammy.Zhou@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      065c15cb
    • Vineet Gupta's avatar
      MAINTAINERS: Add public mailing list for ARC · b4ffda0f
      Vineet Gupta authored
      commit 9acdc911 upstream.
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      b4ffda0f
    • Takashi Iwai's avatar
      ALSA: hda - Disable 64bit address for Creative HDA controllers · b894db5f
      Takashi Iwai authored
      commit cadd16ea upstream.
      
      We've had many reports that some Creative sound cards with CA0132
      don't work well.  Some reported that it starts working after reloading
      the module, while some reported it starts working when a 32bit kernel
      is used.  All these facts seem implying that the chip fails to
      communicate when the buffer is located in 64bit address.
      
      This patch addresses these issues by just adding AZX_DCAPS_NO_64BIT
      flag to the corresponding PCI entries.  I casually had a chance to
      test an SB Recon3D board, and indeed this seems helping.
      
      Although this hasn't been tested on all Creative devices, it's safer
      to assume that this restriction applies to the rest of them, too.  So
      the flag is applied to all Creative entries.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      b894db5f
    • Kailang Yang's avatar
      ALSA: hda/realtek - Dell XPS one ALC3260 speaker no sound after resume back · 91dc6536
      Kailang Yang authored
      commit 6ed1131f upstream.
      
      This machine had I2S codec for speaker output.
      It need to refill the I2S codec initial verb after resume back.
      Signed-off-by: default avatarKailang Yang <kailang@realtek.com>
      Reported-and-tested-by: default avatarGeorge Gugulea <gugulea@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      91dc6536
    • Ludovic Desroches's avatar
      i2c: at91: manage unexpected RXRDY flag when starting a transfer · 96a40b6c
      Ludovic Desroches authored
      commit a9bed6b1 upstream.
      
      In some cases, we could start a new i2c transfer with the RXRDY flag
      set. It is not a clean state and it leads to print annoying error
      messages even if there no real issue. The cause is only having garbage
      data in the Receive Holding Register because of a weird behavior of the
      RXRDY flag.
      Reported-by: default avatarPeter Rosin <peda@lysator.liu.se>
      Signed-off-by: default avatarLudovic Desroches <ludovic.desroches@atmel.com>
      Tested-by: default avatarPeter Rosin <peda@lysator.liu.se>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Fixes: 93563a6a ("i2c: at91: fix a race condition when using the DMA controller")
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      96a40b6c
    • Chen Yu's avatar
      ACPI / PM: Fix incorrect wakeup IRQ setting during suspend-to-idle · adec750c
      Chen Yu authored
      commit 8c01275e upstream.
      
      For an ACPI compatible system, the SCI (ACPI System Control
      Interrupt) is used to wake the system up from suspend-to-idle.
      Once the CPU is woken up by the SCI, the interrupt handler will
      first check if the current IRQ has been configured for system
      wakeup, so irq_pm_check_wakeup() is invoked to validate the IRQ
      number.  However, during suspend-to-idle, enable_irq_wake() is
      called for acpi_gbl_FADT.sci_interrupt, although the IRQ number
      that the SCI handler has been installed for should be passed to
      it instead.  Thus, if acpi_gbl_FADT.sci_interrupt happens to be
      different from that number, ACPI interrupts will not be able to
      wake up the system from sleep.
      
      Fix this problem by passing the IRQ number returned by
      acpi_gsi_to_irq() to enable_irq_wake() instead of
      acpi_gbl_FADT.sci_interrupt.
      Acked-by: default avatarLv Zheng <lv.zheng@intel.com>
      Signed-off-by: default avatarChen Yu <yu.c.chen@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      adec750c
    • Chen Yu's avatar
      ACPI: Using correct irq when waiting for events · 16cd8293
      Chen Yu authored
      commit efb1cf7d upstream.
      
      When the system is waiting for GPE/fixed event handler to finish,
      it uses acpi_gbl_FADT.sci_interrupt directly as the IRQ number.
      However, the remapped IRQ returned by acpi_gsi_to_irq() should be
      passed to synchronize_hardirq() instead of it.
      Acked-by: default avatarLv Zheng <lv.zheng@intel.com>
      Signed-off-by: default avatarChen Yu <yu.c.chen@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      16cd8293
    • Chen Yu's avatar
      ACPI: Use correct IRQ when uninstalling ACPI interrupt handler · 11e695d9
      Chen Yu authored
      commit 49e4b843 upstream.
      
      Currently when the system is trying to uninstall the ACPI interrupt
      handler, it uses acpi_gbl_FADT.sci_interrupt as the IRQ number.
      However, the IRQ number that the ACPI interrupt handled is installed
      for comes from acpi_gsi_to_irq() and that is the number that should
      be used for the handler removal.
      
      Fix this problem by using the mapped IRQ returned from acpi_gsi_to_irq()
      as appropriate.
      Acked-by: default avatarLv Zheng <lv.zheng@intel.com>
      Signed-off-by: default avatarChen Yu <yu.c.chen@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      11e695d9
    • David Mosberger-Tang's avatar
      spi: atmel: Fix DMA-setup for transfers with more than 8 bits per word · 42c386aa
      David Mosberger-Tang authored
      commit 06515f83 upstream.
      
      The DMA-slave configuration depends on the whether <= 8 or > 8 bits
      are transferred per word, so we need to call
      atmel_spi_dma_slave_config() with the correct value.
      Signed-off-by: default avatarDavid Mosberger <davidm@egauge.net>
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      42c386aa
    • Cyrille Pitchen's avatar
      i2c: at91: fix write transfers by clearing pending interrupt first · a3f58473
      Cyrille Pitchen authored
      commit 6f6ddbb0 upstream.
      
      In some cases a NACK interrupt may be pending in the Status Register (SR)
      as a result of a previous transfer. However at91_do_twi_transfer() did not
      read the SR to clear pending interruptions before starting a new transfer.
      Hence a NACK interrupt rose as soon as it was enabled again at the I2C
      controller level, resulting in a wrong sequence of operations and strange
      patterns of behaviour on the I2C bus, such as a clock stretch followed by
      a restart of the transfer.
      
      This first issue occurred with both DMA and PIO write transfers.
      
      Also when a NACK error was detected during a PIO write transfer, the
      interrupt handler used to wrongly start a new transfer by writing into the
      Transmit Holding Register (THR). Then the I2C slave was likely to reply
      with a second NACK.
      
      This second issue is fixed in atmel_twi_interrupt() by handling the TXRDY
      status bit only if both the TXCOMP and NACK status bits are cleared.
      
      Tested with a at24 eeprom on sama5d36ek board running a linux-4.1-at91
      kernel image. Adapted to linux-next.
      Reported-by: default avatarPeter Rosin <peda@lysator.liu.se>
      Signed-off-by: default avatarCyrille Pitchen <cyrille.pitchen@atmel.com>
      Signed-off-by: default avatarLudovic Desroches <ludovic.desroches@atmel.com>
      Tested-by: default avatarPeter Rosin <peda@lysator.liu.se>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Fixes: 93563a6a ("i2c: at91: fix a race condition when using the DMA controller")
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      a3f58473
    • Antonio Ospite's avatar
      [media] media/v4l2-ctrls: fix setting autocluster to manual with VIDIOC_S_CTRL · ce4d5d5f
      Antonio Ospite authored
      commit 759b26a1 upstream.
      
      Since commit 5d0360a4 it's not possible
      anymore to set auto clusters from auto to manual using VIDIOC_S_CTRL.
      
      For example, setting autogain to manual with gspca/ov534 driver and this
      sequence of commands does not work:
      
        v4l2-ctl --set-ctrl=gain_automatic=1
        v4l2-ctl --list-ctrls | grep gain_automatic
        # The following does not work
        v4l2-ctl --set-ctrl=gain_automatic=0
        v4l2-ctl --list-ctrls | grep gain_automatic
      
      Changing the value using VIDIOC_S_EXT_CTRLS (like qv4l2 does) works
      fine.
      
      The apparent cause by looking at the changes in 5d0360a4 and comparing
      with the code path for VIDIOC_S_EXT_CTRLS seems to be that the code in
      v4l2-ctrls.c::set_ctrl() is not calling user_to_new() anymore after
      calling update_from_auto_cluster(master).
      
      However the root cause of the problem is that calling
      update_from_auto_cluster(master) overrides also the _master_ control
      state calling cur_to_new() while it was supposed to only update the
      volatile controls.
      
      Calling user_to_new() after update_from_auto_cluster(master) was just
      masking the original bug by restoring the correct new value of the
      master control before making the changes permanent.
      
      Fix the original bug by making update_from_auto_cluster() not override
      the new master control value.
      Signed-off-by: default avatarAntonio Ospite <ao2@ao2.it>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      ce4d5d5f
    • Tiffany Lin's avatar
      [media] media: vb2 dma-sg: Fully cache synchronise buffers in prepare and finish · 10941eba
      Tiffany Lin authored
      commit 418dae22 upstream.
      
      In videobuf2 dma-sg memory types the prepare and finish ops, instead
      of passing the number of entries in the original scatterlist as the
      "nents" parameter to dma_sync_sg_for_device() and dma_sync_sg_for_cpu(),
      the value returned by dma_map_sg() was used. Albeit this has been
      suggested in comments of some implementations (which have since been
      corrected), this is wrong.
      
      Fixes: d790b7ed ("vb2-dma-sg: move dma_(un)map_sg here")
      Signed-off-by: default avatarTiffany Lin <tiffany.lin@mediatek.com>
      Signed-off-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      10941eba
    • Tiffany Lin's avatar
      [media] media: vb2 dma-contig: Fully cache synchronise buffers in prepare and finish · 33af35a5
      Tiffany Lin authored
      commit d9a98588 upstream.
      
      In videobuf2 dma-contig memory type the prepare and finish ops, instead of
      passing the number of entries in the original scatterlist as the "nents"
      parameter to dma_sync_sg_for_device() and dma_sync_sg_for_cpu(), the value
      returned by dma_map_sg() was used. Albeit this has been suggested in
      comments of some implementations (which have since been corrected), this
      is wrong.
      
      Fixes: 199d101e ("v4l: vb2-dma-contig: add prepare/finish to dma-contig allocator")
      Signed-off-by: default avatarTiffany Lin <tiffany.lin@mediatek.com>
      Signed-off-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      33af35a5
    • Andy Shevchenko's avatar
      spi: dw: explicitly free IRQ handler in dw_spi_remove_host() · e3ff6c9b
      Andy Shevchenko authored
      commit 02f20387 upstream.
      
      The following warning occurs when DW SPI is compiled as a module and it's a PCI
      device. On the removal stage pcibios_free_irq() is called earlier than
      free_irq() due to the latter is called at managed resources free strage.
      
      ------------[ cut here ]------------
      WARNING: CPU: 1 PID: 1003 at /home/andy/prj/linux/fs/proc/generic.c:575 remove_proc_entry+0x118/0x150()
      remove_proc_entry: removing non-empty directory 'irq/38', leaking at least 'dw_spi1'
      Modules linked in: spi_dw_midpci(-) spi_dw [last unloaded: dw_dmac_core]
      CPU: 1 PID: 1003 Comm: modprobe Not tainted 4.3.0-rc5-next-20151013+ #32
       00000000 00000000 f5535d70 c12dc220 f5535db0 f5535da0 c104e912 c198a6bc
       f5535dcc 000003eb c198a638 0000023f c11b4098 c11b4098 f54f1ec8 f54f1ea0
       f642ba20 f5535db8 c104e96e 00000009 f5535db0 c198a6bc f5535dcc f5535df0
      Call Trace:
       [<c12dc220>] dump_stack+0x41/0x61
       [<c104e912>] warn_slowpath_common+0x82/0xb0
       [<c11b4098>] ? remove_proc_entry+0x118/0x150
       [<c11b4098>] ? remove_proc_entry+0x118/0x150
       [<c104e96e>] warn_slowpath_fmt+0x2e/0x30
       [<c11b4098>] remove_proc_entry+0x118/0x150
       [<c109b96a>] unregister_irq_proc+0xaa/0xc0
       [<c109575e>] free_desc+0x1e/0x60
       [<c10957d2>] irq_free_descs+0x32/0x70
       [<c109b1a0>] irq_domain_free_irqs+0x120/0x150
       [<c1039e8c>] mp_unmap_irq+0x5c/0x60
       [<c16277b0>] intel_mid_pci_irq_disable+0x20/0x40
       [<c1627c7f>] pcibios_free_irq+0xf/0x20
       [<c13189f2>] pci_device_remove+0x52/0xb0
       [<c13f6367>] __device_release_driver+0x77/0x100
       [<c13f6da7>] driver_detach+0x87/0x90
       [<c13f5eaa>] bus_remove_driver+0x4a/0xc0
       [<c128bf0d>] ? selinux_capable+0xd/0x10
       [<c13f7483>] driver_unregister+0x23/0x60
       [<c10bad8a>] ? find_module_all+0x5a/0x80
       [<c1317413>] pci_unregister_driver+0x13/0x60
       [<f80ac654>] dw_spi_driver_exit+0xd/0xf [spi_dw_midpci]
       [<c10bce9a>] SyS_delete_module+0x17a/0x210
      
      Explicitly call free_irq() at removal stage of the DW SPI driver.
      
      Fixes: 04f421e7 (spi: dw: use managed resources)
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      [ kamal: backport to 4.2-stable: context ]
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      e3ff6c9b
    • Alex Deucher's avatar
      drm/amdgpu/gfx8: set TC_WB_ACTION_EN in RELEASE_MEM packet · e44b34bf
      Alex Deucher authored
      commit a3d5aaa8 upstream.
      
      This is the recommended setting from the hw team for newer
      versions of the firmware.
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      e44b34bf
    • Jarkko Sakkinen's avatar
      tpm, tpm_tis: fix tpm_tis ACPI detection issue with TPM 2.0 · 2c076fde
      Jarkko Sakkinen authored
      commit 399235dc upstream.
      
      Both for FIFO and CRB interface TCG has decided to use the same HID
      MSFT0101. They can be differentiated by looking at the start method from
      TPM2 ACPI table. This patches makes necessary fixes to tpm_tis and
      tpm_crb modules in order to correctly detect, which module should be
      used.
      
      For MSFT0101 we must use struct acpi_driver because struct pnp_driver
      has a 7 character limitation.
      
      It turned out that the root cause in b371616b was not correct for
      https://bugzilla.kernel.org/show_bug.cgi?id=98181.
      
      v2:
      
      * One fixup was missing from v1: is_tpm2_fifo -> is_fifo
      
      v3:
      
      * Use pnp_driver for existing HIDs and acpi_driver only for MSFT0101 in
        order ensure backwards compatibility.
      
      v4:
      
      * Check for FIFO before doing *anything* in crb_acpi_add().
      * There was return immediately after acpi_bus_unregister_driver() in
        cleanup_tis(). This caused pnp_unregister_driver() not to be called.
      Reported-by: default avatarMichael Saunders <mick.saunders@gmail.com>
      Reported-by: default avatarMichael Marley <michael@michaelmarley.com>
      Reported-by: default avatarJethro Beekman <kernel@jbeekman.nl>
      Reported-by: default avatarMatthew Garrett <mjg59@srcf.ucam.org>
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Tested-by: default avatarMichael Marley <michael@michaelmarley.com>
      Tested-by: Mimi Zohar <zohar@linux.vnet.ibm.com> (on TPM 1.2)
      Reviewed-by: default avatarPeter Huewe <peterhuewe@gmx.de>
      Signed-off-by: default avatarPeter Huewe <peterhuewe@gmx.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      2c076fde
    • Jarkko Sakkinen's avatar
      tpm, tpm_crb: fix unaligned read of the command buffer address · 966c3fb9
      Jarkko Sakkinen authored
      commit 149789ce upstream.
      
      The command buffer address must be read with exactly two 32-bit reads.
      Otherwise, on some HW platforms, it seems that HW will abort the read
      operation, which causes CPU to fill the read bytes with 1's. Therefore,
      we cannot rely on memcpy_fromio() but must call ioread32() two times
      instead.
      
      Also, this matches the PC Client Platform TPM Profile specification,
      which defines command buffer address with two 32-bit fields.
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Reviewed-by: default avatarPeter Huewe <peterhuewe@gmx.de>
      Signed-off-by: default avatarPeter Huewe <peterhuewe@gmx.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      966c3fb9
    • Hon Ching \\(Vicky\\) Lo's avatar
      vTPM: fix memory allocation flag for rtce buffer at kernel boot · c3e73b90
      Hon Ching \\(Vicky\\) Lo authored
      commit 60ecd86c upstream.
      
      At ibm vtpm initialzation, tpm_ibmvtpm_probe() registers its interrupt
      handler, ibmvtpm_interrupt, which calls ibmvtpm_crq_process to allocate
      memory for rtce buffer.  The current code uses 'GFP_KERNEL' as the
      type of kernel memory allocation, which resulted a warning at
      kernel/lockdep.c.  This patch uses 'GFP_ATOMIC' instead so that the
      allocation is high-priority and does not sleep.
      Signed-off-by: default avatarHon Ching(Vicky) Lo <honclo@linux.vnet.ibm.com>
      Signed-off-by: default avatarPeter Huewe <peterhuewe@gmx.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      c3e73b90
    • Andy Leiserson's avatar
      [PATCH] fix calculation of meta_bg descriptor backups · 7868d9fd
      Andy Leiserson authored
      commit 904dad47 upstream.
      
      "group" is the group where the backup will be placed, and is
      initialized to zero in the declaration. This meant that backups for
      meta_bg descriptors were erroneously written to the backup block group
      descriptors in groups 1 and (desc_per_block-1).
      
      Reproduction information:
        mke2fs -Fq -t ext4 -b 1024 -O ^resize_inode /tmp/foo.img 16G
        truncate -s 24G /tmp/foo.img
        losetup /dev/loop0 /tmp/foo.img
        mount /dev/loop0 /mnt
        resize2fs /dev/loop0
        umount /dev/loop0
        dd if=/dev/zero of=/dev/loop0 bs=1024 count=2
        e2fsck -fy /dev/loop0
        losetup -d /dev/loop0
      Signed-off-by: default avatarAndy Leiserson <andy@leiserson.org>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      7868d9fd
    • Jan Kara's avatar
      jbd2: fix checkpoint list cleanup · 0fa1d864
      Jan Kara authored
      commit 33d14975 upstream.
      
      Unlike comments and expectation of callers journal_clean_one_cp_list()
      returned 1 not only if it freed the transaction but also if it freed
      some buffers in the transaction. That could make
      __jbd2_journal_clean_checkpoint_list() skip processing
      t_checkpoint_io_list and continue with processing the next transaction.
      This is mostly a cosmetic issue since the only result is we can
      sometimes free less memory than we could. But it's still worth fixing.
      Fix journal_clean_one_cp_list() to return 1 only if the transaction was
      really freed.
      
      Fixes: 50849db3Signed-off-by: default avatarJan Kara <jack@suse.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      0fa1d864
    • Will Deacon's avatar
      iommu/arm-smmu: Fix error checking for ASID and VMID allocation · 8905f33f
      Will Deacon authored
      commit c0733a2c upstream.
      
      The bitmap allocator returns an int, which is one of the standard
      negative values on failure. Rather than assigning this straight to a
      u16 (like we do for the ASID and VMID callers), which means that we
      won't detect failure correctly, use an int for the purposes of error
      checking.
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      8905f33f
    • David Woodhouse's avatar
      iommu/vt-d: Fix ATSR handling for Root-Complex integrated endpoints · 36c3c580
      David Woodhouse authored
      commit d14053b3 upstream.
      
      The VT-d specification says that "Software must enable ATS on endpoint
      devices behind a Root Port only if the Root Port is reported as
      supporting ATS transactions."
      
      We walk up the tree to find a Root Port, but for integrated devices we
      don't find one — we get to the host bridge. In that case we *should*
      allow ATS. Currently we don't, which means that we are incorrectly
      failing to use ATS for the integrated graphics. Fix that.
      
      We should never break out of this loop "naturally" with bus==NULL,
      since we'll always find bridge==NULL in that case (and now return 1).
      
      So remove the check for (!bridge) after the loop, since it can never
      happen. If it did, it would be worthy of a BUG_ON(!bridge). But since
      it'll oops anyway in that case, that'll do just as well.
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      36c3c580
    • Andrey Ryabinin's avatar
      lockd: create NSM handles per net namespace · 74afe7d1
      Andrey Ryabinin authored
      commit 0ad95472 upstream.
      
      Commit cb7323ff ("lockd: create and use per-net NSM
       RPC clients on MON/UNMON requests") introduced per-net
      NSM RPC clients. Unfortunately this doesn't make any sense
      without per-net nsm_handle.
      
      E.g. the following scenario could happen
      Two hosts (X and Y) in different namespaces (A and B) share
      the same nsm struct.
      
      1. nsm_monitor(host_X) called => NSM rpc client created,
      	nsm->sm_monitored bit set.
      2. nsm_mointor(host-Y) called => nsm->sm_monitored already set,
      	we just exit. Thus in namespace B ln->nsm_clnt == NULL.
      3. host X destroyed => nsm->sm_count decremented to 1
      4. host Y destroyed => nsm_unmonitor() => nsm_mon_unmon() => NULL-ptr
      	dereference of *ln->nsm_clnt
      
      So this could be fixed by making per-net nsm_handles list,
      instead of global. Thus different net namespaces will not be able
      share the same nsm_handle.
      Signed-off-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      74afe7d1
    • Vignesh R's avatar
      spi: ti-qspi: Fix data corruption seen on r/w stress test · 9c871727
      Vignesh R authored
      commit bc27a539 upstream.
      
      Writing invalid command to QSPI_SPI_CMD_REG will terminate current
      transfer and de-assert the chip select. This has to be done before
      calling spi_finalize_current_message(). Because
      spi_finalize_current_message() will mark the end of current message
      transfer and schedule the next transfer. If the chipselect is not
      de-asserted before calling spi_finalize_current_message() then the next
      transfer will overlap with the previous transfer leading to data
      corruption.
      __spi_pump_message() can be called either from kthread worker context or
      directly from the calling process's context. It is possible that these
      two calls can race against each other. But race is serialized by
      checking whether master->cur_msg == NULL (pointer to msg being handled
      by transfer_one() at present). The master->cur_msg is set to NULL when
      spi_finalize_current_message() is called on that message, which means
      calling spi_finalize_current_message() allows __spi_sync() to pump next
      message in calling process context.
      Now if spi-ti-qspi calls spi_finalize_current_message() before we
      terminate transfer at hardware side, if __spi_pump_message() is called
      from process context then the successive transactions can overlap.
      
      Fix this by moving writing invalid command to QSPI_SPI_CMD_REG to
      before calling spi_finalize_current_message() call.
      Signed-off-by: default avatarVignesh R <vigneshr@ti.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      9c871727
    • Jaegeuk Kim's avatar
      f2fs crypto: allocate buffer for decrypting filename · 73ba5701
      Jaegeuk Kim authored
      commit 569cf187 upstream.
      
      We got dentry pages from high_mem, and its address space directly goes into the
      decryption path via f2fs_fname_disk_to_usr.
      But, sg_init_one assumes the address is not from high_mem, so we can get this
      panic since it doesn't call kmap_high but kunmap_high is triggered at the end.
      
      kernel BUG at ../../../../../../kernel/mm/highmem.c:290!
      Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
      ...
       (kunmap_high+0xb0/0xb8) from [<c0114534>] (__kunmap_atomic+0xa0/0xa4)
       (__kunmap_atomic+0xa0/0xa4) from [<c035f028>] (blkcipher_walk_done+0x128/0x1ec)
       (blkcipher_walk_done+0x128/0x1ec) from [<c0366c24>] (crypto_cbc_decrypt+0xc0/0x170)
       (crypto_cbc_decrypt+0xc0/0x170) from [<c0367148>] (crypto_cts_decrypt+0xc0/0x114)
       (crypto_cts_decrypt+0xc0/0x114) from [<c035ea98>] (async_decrypt+0x40/0x48)
       (async_decrypt+0x40/0x48) from [<c032ca34>] (f2fs_fname_disk_to_usr+0x124/0x304)
       (f2fs_fname_disk_to_usr+0x124/0x304) from [<c03056fc>] (f2fs_fill_dentries+0xac/0x188)
       (f2fs_fill_dentries+0xac/0x188) from [<c03059c8>] (f2fs_readdir+0x1f0/0x300)
       (f2fs_readdir+0x1f0/0x300) from [<c0218054>] (vfs_readdir+0x90/0xb4)
       (vfs_readdir+0x90/0xb4) from [<c0218418>] (SyS_getdents64+0x64/0xcc)
       (SyS_getdents64+0x64/0xcc) from [<c0105ba0>] (ret_fast_syscall+0x0/0x30)
      Reviewed-by: default avatarChao Yu <chao2.yu@samsung.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      73ba5701
    • Dmitry Kasatkin's avatar
      integrity: prevent loading untrusted certificates on the IMA trusted keyring · d4d502d2
      Dmitry Kasatkin authored
      commit 72e1eed8 upstream.
      
      If IMA_LOAD_X509 is enabled, either directly or indirectly via
      IMA_APPRAISE_SIGNED_INIT, certificates are loaded onto the IMA
      trusted keyring by the kernel via key_create_or_update(). When
      the KEY_ALLOC_TRUSTED flag is provided, certificates are loaded
      without first verifying the certificate is properly signed by a
      trusted key on the system keyring.  This patch removes the
      KEY_ALLOC_TRUSTED flag.
      Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@huawei.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      d4d502d2
    • Chris Wilson's avatar
      drm/i915: Fix userptr deadlock with aliased GTT mmappings · 9bf28fbc
      Chris Wilson authored
      commit e4b946bf upstream.
      
      Michał Winiarski found a really evil way to trigger a struct_mutex
      deadlock with userptr. He found that if he allocated a userptr bo and
      then GTT mmaped another bo, or even itself, at the same address as the
      userptr using MAP_FIXED, he could then cause a deadlock any time we then
      had to invalidate the GTT mmappings (so at will). Tvrtko then found by
      repeatedly allocating GTT mmappings he could alias with an old userptr
      mmap and also trigger the deadlock.
      
      To counter act the deadlock, we make the observation that we only need
      to take the struct_mutex if the object has any pages to revoke, and that
      before userspace can alias with the userptr address space, it must have
      invalidated the userptr->pages. Thus if we can check for those pages
      outside of the struct_mutex, we can avoid the deadlock. To do so we
      introduce a separate flag for userptr objects that we can inspect from
      the mmu-notifier underneath its spinlock.
      
      The patch makes one eye-catching change. That is the removal serial=0
      after detecting a to-be-freed object inside the invalidate walker. I
      felt setting serial=0 was a questionable pessimisation: it denies us the
      chance to reuse the current iterator for the next loop (before it is
      freed) and being explicit makes the reader question the validity of the
      locking (since the object-free race could occur elsewhere). The
      serialisation of the iterator is through the spinlock, if the object is
      freed before the next loop then the notifier.serial will be incremented
      and we start the walk from the beginning as we detect the invalid cache.
      
      To try and tame the error paths and interactions with the userptr->active
      flag, we have to do a fair amount of rearranging of get_pages_userptr().
      
      v2: Grammar fixes
      v3: Reorder set-active so that it is only set when obj->pages is set
      (and so needs cancellation). Only the order of setting obj->pages and
      the active-flag is crucial. Calling gup after invalidate-range begin
      means the userptr sees the new set of backing storage (and so will not
      need to invalidate its new pages), but we have to be careful not to set
      the active-flag prior to successfully establishing obj->pages.
      v4: Take the active->flag early so we know in the mmu-notifier when we
      have to cancel a pending gup-worker.
      v5: Rearrange the error path so that is not so convoluted
      v6: Set pinned to 0 when negative before calling release_pages()
      Reported-by: default avatarMichał Winiarski <michal.winiarski@intel.com>
      Testcase: igt/gem_userptr_blits/map-fixed*
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Michał Winiarski <michal.winiarski@intel.com>
      Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
      Reviewed-by: default avatarTvrtko Ursulin <tvrtko.ursulin@intel.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      9bf28fbc
    • Chris Wilson's avatar
      drm/i915: Only update the current userptr worker · 85d94e5d
      Chris Wilson authored
      commit 68d6c840 upstream.
      
      The userptr worker allows for a slight race condition where upon there
      may two or more threads calling get_user_pages for the same object. When
      we have the array of pages, then we serialise the update of the object.
      However, the worker should only overwrite the obj->userptr.work pointer
      if and only if it is the active one. Currently we clear it for a
      secondary worker with the effect that we may rarely force a second
      lookup.
      
      v2: Rebase and rename a variable to avoid 80cols
      v3: Mention v2
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: default avatarTvrtko Ursulin <tvrtko.ursulin@intel.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      [ kamal: 4.2-stable prereq for
        e4b946bf "drm/i915: Fix userptr deadlock with aliased GTT mmappings" ]
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      85d94e5d
    • Richard Weinberger's avatar
      ubi: fastmap: Implement produce_free_peb() · 62487d13
      Richard Weinberger authored
      commit 1cb8f977 upstream.
      
      If fastmap requests a free PEB for a pool and UBI is busy
      with erasing PEBs we need to offer a function to wait for one.
      We can reuse produce_free_peb() from the non-fastmap WL code
      but with different locking semantics.
      Reported-and-tested-by: default avatarJörg Krause <joerg.krause@embedded.rocks>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      62487d13
    • Benoit Parrot's avatar
      [media] media: v4l2-ctrls: Fix 64bit support in get_ctrl() · 6fa433e0
      Benoit Parrot authored
      commit a8077734 upstream.
      
      When trying to use v4l2_ctrl_g_ctrl_int64() to retrieve a
      V4L2_CTRL_TYPE_INTEGER64 type value the internal helper function
      get_ctrl() would prematurely exit because for this control type
      the 'is_int' flag is not set. This would result in v4l2_ctrl_g_ctrl_int64
      always returning 0.
      
      Also v4l2_ctrl_g_ctrl_int64() is reading and returning the 32bit value
      member instead of the 64bit version, so fixing that as well.
      
      This patch extends the condition check to allow the V4L2_CTRL_TYPE_INTEGER64
      type to continue processing instead of exiting.
      Signed-off-by: default avatarBenoit Parrot <bparrot@ti.com>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      6fa433e0
    • Hans Verkuil's avatar
      [media] v4l2-ctrls: arrays are also considered compound controls · 01f6101c
      Hans Verkuil authored
      commit 35204e2e upstream.
      
      Array controls weren't skipped when only V4L2_CTRL_FLAG_NEXT_CTRL was
      provided (so no V4L2_CTRL_FLAG_NEXT_COMPOUND was set). This is wrong
      since arrays are also considered compound controls (i.e. with more than
      one value), and applications that do not know about arrays will not
      be able to handle such controls.
      
      Fix the test to include arrays.
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Reported-by: default avatarRicardo Ribalda Delgado <ricardo.ribalda@gmail.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      01f6101c
    • Boris BREZILLON's avatar
      mtd: mtdpart: fix add_mtd_partitions error path · 1b98249e
      Boris BREZILLON authored
      commit e5bae867 upstream.
      
      If we fail to allocate a partition structure in the middle of the partition
      creation process, the already allocated partitions are never removed, which
      means they are still present in the partition list and their resources are
      never freed.
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      1b98249e
    • Andrzej Hajda's avatar
      [media] v4l2-compat-ioctl32: fix alignment for ARM64 · 9bbd2b4d
      Andrzej Hajda authored
      commit 655e9780 upstream.
      
      Alignment/padding rules on AMD64 and ARM64 differs. To allow properly match
      compatible ioctls on ARM64 kernels without breaking AMD64 some fields
      should be aligned using compat_s64 type and in one case struct should be
      unpacked.
      Signed-off-by: default avatarAndrzej Hajda <a.hajda@samsung.com>
      [hans.verkuil@cisco.com: use compat_u64 instead of compat_s64 in v4l2_input32]
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      9bbd2b4d
    • Richard Purdie's avatar
      HID: core: Avoid uninitialized buffer access · e131ca35
      Richard Purdie authored
      commit 79b568b9 upstream.
      
      hid_connect adds various strings to the buffer but they're all
      conditional. You can find circumstances where nothing would be written
      to it but the kernel will still print the supposedly empty buffer with
      printk. This leads to corruption on the console/in the logs.
      
      Ensure buf is initialized to an empty string.
      Signed-off-by: default avatarRichard Purdie <richard.purdie@linuxfoundation.org>
      [dvhart: Initialize string to "" rather than assign buf[0] = NULL;]
      Cc: Jiri Kosina <jikos@kernel.org>
      Cc: linux-input@vger.kernel.org
      Signed-off-by: default avatarDarren Hart <dvhart@linux.intel.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      e131ca35