1. 06 Jul, 2018 5 commits
    • H. Nikolaus Schaller's avatar
      power: generic-adc-battery: fix out-of-bounds write when copying channel properties · 932d4744
      H. Nikolaus Schaller authored
      We did have sporadic problems in the pinctrl framework during boot
      where a pin group name unexpectedly became NULL leading to a NULL
      dereference in strcmp.
      
      Detailled analysis of the failing cases did reveal that there were
      two devm allocated objects close to each other. The second one was
      the affected group_desc in pinmux and the first one was the
      psy_desc->properties buffer of the gab driver.
      
      Review of the gab code showed that the address calculation for
      one memcpy() is wrong. It does
      
      	properties + sizeof(type) * index
      
      but C is defined to do the index multiplication already for
      pointer + integer additions. Hence the factor was applied twice
      and the memcpy() does write outside of the properties buffer.
      Sometimes it happened to be the pinctrl and triggered the strcmp(NULL).
      
      Anyways, it is overkill to use a memcpy() here instead of a simple
      assignment, which is easier to read and has less risk for wrong
      address calculations. So we change code to a simple assignment.
      
      If we initialize the index to the first free location, we can even
      remove the local variable 'properties'.
      
      This bug seems to exist right from the beginning in 3.7-rc1 in
      
      commit e60fea79 ("power: battery: Generic battery driver using IIO")
      Signed-off-by: default avatarH. Nikolaus Schaller <hns@goldelico.com>
      Cc: stable@vger.kernel.org
      Fixes: e60fea79 ("power: battery: Generic battery driver using IIO")
      Signed-off-by: default avatarSebastian Reichel <sebastian.reichel@collabora.co.uk>
      932d4744
    • Hans de Goede's avatar
      power: supply: axp288_charger: Fix initial constant_charge_current value · f2a42595
      Hans de Goede authored
      We should look at val which contains the value read from the register,
      not ret which is always 0 on a successful read.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Fixes: eac53b36 ("power: supply: axp288_charger: Drop platform_data dependency")
      Signed-off-by: default avatarSebastian Reichel <sebastian.reichel@collabora.co.uk>
      f2a42595
    • Linus Walleij's avatar
      power: gemini-poweroff: Avoid more spurious poweroffs · ada1de89
      Linus Walleij authored
      Even after the previous fix I have experienced more spurious
      poweroffs on the gemini SoC. After this fix it finally seems
      to go away.
      
      Fixes: f7a388d6 ("power: reset: Add a driver for the Gemini poweroff")
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSebastian Reichel <sebastian.reichel@collabora.co.uk>
      ada1de89
    • Sudeep Holla's avatar
      power: vexpress: fix corruption in notifier registration · 09bebb1a
      Sudeep Holla authored
      Vexpress platforms provide two different restart handlers: SYS_REBOOT
      that restart the entire system, while DB_RESET only restarts the
      daughter board containing the CPU. DB_RESET is overridden by SYS_REBOOT
      if it exists.
      
      notifier_chain_register used in register_restart_handler by design
      relies on notifiers to be registered once only, however vexpress restart
      notifier can get registered twice. When this happen it corrupts list
      of notifiers, as result some notifiers can be not called on proper
      event, traverse on list can be cycled forever, and second unregister
      can access already freed memory.
      
      So far, since this was the only restart handler in the system, no issue
      was observed even if the same notifier was registered twice. However
      commit 6c5c0d48 ("watchdog: sp805: add restart handler") added
      support for SP805 restart handlers and since the system under test
      contains two vexpress restart and two SP805 watchdog instances, it was
      observed that during the boot traversing the restart handler list looped
      forever as there's a cycle in that list resulting in boot hang.
      
      This patch fixes the issues by ensuring that the notifier is installed
      only once.
      
      Cc: Sebastian Reichel <sre@kernel.org>
      Signed-off-by: default avatarSudeep Holla <sudeep.holla@arm.com>
      Fixes: 46c99ac6 ("power/reset: vexpress: Register with kernel restart handler")
      Signed-off-by: default avatarSebastian Reichel <sebastian.reichel@collabora.co.uk>
      09bebb1a
    • Benjamin Tissoires's avatar
      power: remove possible deadlock when unregistering power_supply · 3ffa6583
      Benjamin Tissoires authored
      If a device gets removed right after having registered a power_supply node,
      we might enter in a deadlock between the remove call (that has a lock on
      the parent device) and the deferred register work.
      
      Allow the deferred register work to exit without taking the lock when
      we are in the remove state.
      
      Stack trace on a Ubuntu 16.04:
      
      [16072.109121] INFO: task kworker/u16:2:1180 blocked for more than 120 seconds.
      [16072.109127]       Not tainted 4.13.0-41-generic #46~16.04.1-Ubuntu
      [16072.109129] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [16072.109132] kworker/u16:2   D    0  1180      2 0x80000000
      [16072.109142] Workqueue: events_power_efficient power_supply_deferred_register_work
      [16072.109144] Call Trace:
      [16072.109152]  __schedule+0x3d6/0x8b0
      [16072.109155]  schedule+0x36/0x80
      [16072.109158]  schedule_preempt_disabled+0xe/0x10
      [16072.109161]  __mutex_lock.isra.2+0x2ab/0x4e0
      [16072.109166]  __mutex_lock_slowpath+0x13/0x20
      [16072.109168]  ? __mutex_lock_slowpath+0x13/0x20
      [16072.109171]  mutex_lock+0x2f/0x40
      [16072.109174]  power_supply_deferred_register_work+0x2b/0x50
      [16072.109179]  process_one_work+0x15b/0x410
      [16072.109182]  worker_thread+0x4b/0x460
      [16072.109186]  kthread+0x10c/0x140
      [16072.109189]  ? process_one_work+0x410/0x410
      [16072.109191]  ? kthread_create_on_node+0x70/0x70
      [16072.109194]  ret_from_fork+0x35/0x40
      [16072.109199] INFO: task test:2257 blocked for more than 120 seconds.
      [16072.109202]       Not tainted 4.13.0-41-generic #46~16.04.1-Ubuntu
      [16072.109204] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [16072.109206] test            D    0  2257   2256 0x00000004
      [16072.109208] Call Trace:
      [16072.109211]  __schedule+0x3d6/0x8b0
      [16072.109215]  schedule+0x36/0x80
      [16072.109218]  schedule_timeout+0x1f3/0x360
      [16072.109221]  ? check_preempt_curr+0x5a/0xa0
      [16072.109224]  ? ttwu_do_wakeup+0x1e/0x150
      [16072.109227]  wait_for_completion+0xb4/0x140
      [16072.109230]  ? wait_for_completion+0xb4/0x140
      [16072.109233]  ? wake_up_q+0x70/0x70
      [16072.109236]  flush_work+0x129/0x1e0
      [16072.109240]  ? worker_detach_from_pool+0xb0/0xb0
      [16072.109243]  __cancel_work_timer+0x10f/0x190
      [16072.109247]  ? device_del+0x264/0x310
      [16072.109250]  ? __wake_up+0x44/0x50
      [16072.109253]  cancel_delayed_work_sync+0x13/0x20
      [16072.109257]  power_supply_unregister+0x37/0xb0
      [16072.109260]  devm_power_supply_release+0x11/0x20
      [16072.109263]  release_nodes+0x110/0x200
      [16072.109266]  devres_release_group+0x7c/0xb0
      [16072.109274]  wacom_remove+0xc2/0x110 [wacom]
      [16072.109279]  hid_device_remove+0x6e/0xd0 [hid]
      [16072.109284]  device_release_driver_internal+0x158/0x210
      [16072.109288]  device_release_driver+0x12/0x20
      [16072.109291]  bus_remove_device+0xec/0x160
      [16072.109293]  device_del+0x1de/0x310
      [16072.109298]  hid_destroy_device+0x27/0x60 [hid]
      [16072.109303]  usbhid_disconnect+0x51/0x70 [usbhid]
      [16072.109308]  usb_unbind_interface+0x77/0x270
      [16072.109311]  device_release_driver_internal+0x158/0x210
      [16072.109315]  device_release_driver+0x12/0x20
      [16072.109318]  usb_driver_release_interface+0x77/0x80
      [16072.109321]  proc_ioctl+0x20f/0x250
      [16072.109325]  usbdev_do_ioctl+0x57f/0x1140
      [16072.109327]  ? __wake_up+0x44/0x50
      [16072.109331]  usbdev_ioctl+0xe/0x20
      [16072.109336]  do_vfs_ioctl+0xa4/0x600
      [16072.109339]  ? vfs_write+0x15a/0x1b0
      [16072.109343]  SyS_ioctl+0x79/0x90
      [16072.109347]  entry_SYSCALL_64_fastpath+0x24/0xab
      [16072.109349] RIP: 0033:0x7f20da807f47
      [16072.109351] RSP: 002b:00007ffc422ae398 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      [16072.109353] RAX: ffffffffffffffda RBX: 00000000010b8560 RCX: 00007f20da807f47
      [16072.109355] RDX: 00007ffc422ae3a0 RSI: 00000000c0105512 RDI: 0000000000000009
      [16072.109356] RBP: 0000000000000000 R08: 00007ffc422ae3e0 R09: 0000000000000010
      [16072.109357] R10: 00000000000000a6 R11: 0000000000000246 R12: 0000000000000000
      [16072.109359] R13: 00000000010b8560 R14: 00007ffc422ae2e0 R15: 0000000000000000
      Reported-and-tested-by: default avatarRichard Hughes <rhughes@redhat.com>
      Tested-by: default avatarAaron Skomra <Aaron.Skomra@wacom.com>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Fixes: 7f1a57fd ("power_supply: Fix possible NULL pointer dereference on early uevent")
      Signed-off-by: default avatarSebastian Reichel <sebastian.reichel@collabora.co.uk>
      3ffa6583
  2. 16 Jun, 2018 8 commits
    • Linus Torvalds's avatar
      Linux 4.18-rc1 · ce397d21
      Linus Torvalds authored
      ce397d21
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20180616' of git://git.kernel.dk/linux-block · 265c5596
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A collection of fixes that should go into -rc1. This contains:
      
         - bsg_open vs bsg_unregister race fix (Anatoliy)
      
         - NVMe pull request from Christoph, with fixes for regressions in
           this window, FC connect/reconnect path code unification, and a
           trace point addition.
      
         - timeout fix (Christoph)
      
         - remove a few unused functions (Christoph)
      
         - blk-mq tag_set reinit fix (Roman)"
      
      * tag 'for-linus-20180616' of git://git.kernel.dk/linux-block:
        bsg: fix race of bsg_open and bsg_unregister
        block: remov blk_queue_invalidate_tags
        nvme-fabrics: fix and refine state checks in __nvmf_check_ready
        nvme-fabrics: handle the admin-only case properly in nvmf_check_ready
        nvme-fabrics: refactor queue ready check
        blk-mq: remove blk_mq_tagset_iter
        nvme: remove nvme_reinit_tagset
        nvme-fc: fix nulling of queue data on reconnect
        nvme-fc: remove reinit_request routine
        blk-mq: don't time out requests again that are in the timeout handler
        nvme-fc: change controllers first connect to use reconnect path
        nvme: don't rely on the changed namespace list log
        nvmet: free smart-log buffer after use
        nvme-rdma: fix error flow during mapping request data
        nvme: add bio remapping tracepoint
        nvme: fix NULL pointer dereference in nvme_init_subsystem
        blk-mq: reinit q->tag_set_list entry only after grace period
      265c5596
    • Linus Torvalds's avatar
      Merge tag 'docs-broken-links' of git://linuxtv.org/mchehab/experimental · 5e7b9212
      Linus Torvalds authored
      Pull documentation fixes from Mauro Carvalho Chehab:
       "This solves a series of broken links for files under Documentation,
        and improves a script meant to detect such broken links (see
        scripts/documentation-file-ref-check).
      
        The changes on this series are:
      
         - can.rst: fix a footnote reference;
      
         - crypto_engine.rst: Fix two parsing warnings;
      
         - Fix a lot of broken references to Documentation/*;
      
         - improve the scripts/documentation-file-ref-check script, in order
           to help detecting/fixing broken references, preventing
           false-positives.
      
        After this patch series, only 33 broken references to doc files are
        detected by scripts/documentation-file-ref-check"
      
      * tag 'docs-broken-links' of git://linuxtv.org/mchehab/experimental: (26 commits)
        fix a series of Documentation/ broken file name references
        Documentation: rstFlatTable.py: fix a broken reference
        ABI: sysfs-devices-system-cpu: remove a broken reference
        devicetree: fix a series of wrong file references
        devicetree: fix name of pinctrl-bindings.txt
        devicetree: fix some bindings file names
        MAINTAINERS: fix location of DT npcm files
        MAINTAINERS: fix location of some display DT bindings
        kernel-parameters.txt: fix pointers to sound parameters
        bindings: nvmem/zii: Fix location of nvmem.txt
        docs: Fix more broken references
        scripts/documentation-file-ref-check: check tools/*/Documentation
        scripts/documentation-file-ref-check: get rid of false-positives
        scripts/documentation-file-ref-check: hint: dash or underline
        scripts/documentation-file-ref-check: add a fix logic for DT
        scripts/documentation-file-ref-check: accept more wildcards at filenames
        scripts/documentation-file-ref-check: fix help message
        media: max2175: fix location of driver's companion documentation
        media: v4l: fix broken video4linux docs locations
        media: dvb: point to the location of the old README.dvb-usb file
        ...
      5e7b9212
    • Linus Torvalds's avatar
      Merge tag 'fsnotify_for_v4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · dbb2816f
      Linus Torvalds authored
      Pull fsnotify updates from Jan Kara:
       "fsnotify cleanups unifying handling of different watch types.
      
        This is the shortened fsnotify series from Amir with the last five
        patches pulled out. Amir has modified those patches to not change
        struct inode but obviously it's too late for those to go into this
        merge window"
      
      * tag 'fsnotify_for_v4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        fsnotify: add fsnotify_add_inode_mark() wrappers
        fanotify: generalize fanotify_should_send_event()
        fsnotify: generalize send_to_group()
        fsnotify: generalize iteration of marks by object type
        fsnotify: introduce marks iteration helpers
        fsnotify: remove redundant arguments to handle_event()
        fsnotify: use type id to identify connector object type
      dbb2816f
    • Linus Torvalds's avatar
      Merge tag 'fbdev-v4.18' of git://github.com/bzolnier/linux · 644f2639
      Linus Torvalds authored
      Pull fbdev updates from Bartlomiej Zolnierkiewicz:
       "There is nothing really major here, few small fixes, some cleanups and
        dead drivers removal:
      
         - mark omapfb drivers as orphans in MAINTAINERS file (Tomi Valkeinen)
      
         - add missing module license tags to omap/omapfb driver (Arnd
           Bergmann)
      
         - add missing GPIOLIB dependendy to omap2/omapfb driver (Arnd
           Bergmann)
      
         - convert savagefb, aty128fb & radeonfb drivers to use msleep & co.
           (Jia-Ju Bai)
      
         - allow COMPILE_TEST build for viafb driver (media part was reviewed
           by media subsystem Maintainer)
      
         - remove unused MERAM support from sh_mobile_lcdcfb and shmob-drm
           drivers (drm parts were acked by shmob-drm driver Maintainer)
      
         - remove unused auo_k190xfb drivers
      
         - misc cleanups (Souptick Joarder, Wolfram Sang, Markus Elfring, Andy
           Shevchenko, Colin Ian King)"
      
      * tag 'fbdev-v4.18' of git://github.com/bzolnier/linux: (26 commits)
        fb_omap2: add gpiolib dependency
        video/omap: add module license tags
        MAINTAINERS: make omapfb orphan
        video: fbdev: pxafb: match_string() conversion fixup
        video: fbdev: nvidia: fix spelling mistake: "scaleing" -> "scaling"
        video: fbdev: fix spelling mistake: "frambuffer" -> "framebuffer"
        video: fbdev: pxafb: Convert to use match_string() helper
        video: fbdev: via: allow COMPILE_TEST build
        video: fbdev: remove unused sh_mobile_meram driver
        drm: shmobile: remove unused MERAM support
        video: fbdev: sh_mobile_lcdcfb: remove unused MERAM support
        video: fbdev: remove unused auo_k190xfb drivers
        video: omap: Improve a size determination in omapfb_do_probe()
        video: sm501fb: Improve a size determination in sm501fb_probe()
        video: fbdev-MMP: Improve a size determination in path_init()
        video: fbdev-MMP: Delete an error message for a failed memory allocation in two functions
        video: auo_k190x: Delete an error message for a failed memory allocation in auok190x_common_probe()
        video: sh_mobile_lcdcfb: Delete an error message for a failed memory allocation in two functions
        video: sh_mobile_meram: Delete an error message for a failed memory allocation in sh_mobile_meram_probe()
        video: fbdev: sh_mobile_meram: Drop SUPERH platform dependency
        ...
      644f2639
    • Linus Torvalds's avatar
      Merge branch 'afs-proc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 35773c93
      Linus Torvalds authored
      Pull AFS updates from Al Viro:
       "Assorted AFS stuff - ended up in vfs.git since most of that consists
        of David's AFS-related followups to Christoph's procfs series"
      
      * 'afs-proc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        afs: Optimise callback breaking by not repeating volume lookup
        afs: Display manually added cells in dynamic root mount
        afs: Enable IPv6 DNS lookups
        afs: Show all of a server's addresses in /proc/fs/afs/servers
        afs: Handle CONFIG_PROC_FS=n
        proc: Make inline name size calculation automatic
        afs: Implement network namespacing
        afs: Mark afs_net::ws_cell as __rcu and set using rcu functions
        afs: Fix a Sparse warning in xdr_decode_AFSFetchStatus()
        proc: Add a way to make network proc files writable
        afs: Rearrange fs/afs/proc.c to remove remaining predeclarations.
        afs: Rearrange fs/afs/proc.c to move the show routines up
        afs: Rearrange fs/afs/proc.c by moving fops and open functions down
        afs: Move /proc management functions to the end of the file
      35773c93
    • Linus Torvalds's avatar
      Merge branch 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 29d6849d
      Linus Torvalds authored
      Pull compat updates from Al Viro:
       "Some biarch patches - getting rid of assorted (mis)uses of
        compat_alloc_user_space().
      
        Not much in that area this cycle..."
      
      * 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        orangefs: simplify compat ioctl handling
        signalfd: lift sigmask copyin and size checks to callers of do_signalfd4()
        vmsplice(): lift importing iovec into vmsplice(2) and compat counterpart
      29d6849d
    • Linus Torvalds's avatar
      Merge branch 'work.aio' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · a5b729ea
      Linus Torvalds authored
      Pull aio fixes from Al Viro:
       "Assorted AIO followups and fixes"
      
      * 'work.aio' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        eventpoll: switch to ->poll_mask
        aio: only return events requested in poll_mask() for IOCB_CMD_POLL
        eventfd: only return events requested in poll_mask()
        aio: mark __aio_sigset::sigmask const
      a5b729ea
  3. 15 Jun, 2018 27 commits