1. 15 Sep, 2016 26 commits
  2. 07 Sep, 2016 14 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.7.3 · d7f6728f
      Greg Kroah-Hartman authored
      d7f6728f
    • Trond Myklebust's avatar
      SUNRPC: Fix infinite looping in rpc_clnt_iterate_for_each_xprt · 6b553b7a
      Trond Myklebust authored
      commit bdc54d8e upstream.
      
      If there were less than 2 entries in the multipath list, then
      xprt_iter_next_entry_multiple() would never advance beyond the
      first entry, which is correct for round robin behaviour, but not
      for the list iteration.
      
      The end result would be infinite looping in rpc_clnt_iterate_for_each_xprt()
      as we would never see the xprt == NULL condition fulfilled.
      Reported-by: default avatarOleg Drokin <green@linuxhacker.ru>
      Fixes: 80b14d5e ("SUNRPC: Add a structure to track multiple transports")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Cc: Jason L Tibbitts III <tibbs@math.uh.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6b553b7a
    • Konstantin Khlebnikov's avatar
      sysfs: correctly handle read offset on PREALLOC attrs · 95f83779
      Konstantin Khlebnikov authored
      commit 17d0774f upstream.
      
      Attributes declared with __ATTR_PREALLOC use sysfs_kf_read() which returns
      zero bytes for non-zero offset. This breaks script checkarray in mdadm tool
      in debian where /bin/sh is 'dash' because its builtin 'read' reads only one
      byte at a time. Script gets 'i' instead of 'idle' when reads current action
      from /sys/block/$dev/md/sync_action and as a result does nothing.
      
      This patch adds trivial implementation of partial read: generate whole
      string and move required part into buffer head.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Fixes: 4ef67a8c ("sysfs/kernfs: make read requests on pre-alloc files use the buffer.")
      Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787950Acked-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      95f83779
    • Quentin Schulz's avatar
      hwmon: (iio_hwmon) fix memory leak in name attribute · 34242c44
      Quentin Schulz authored
      commit 5d17d3b4 upstream.
      
      The "name" variable's memory is now freed when the device is destructed
      thanks to devm function.
      Signed-off-by: default avatarQuentin Schulz <quentin.schulz@free-electrons.com>
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Fixes: e0f8a24e ("staging:iio::hwmon interface client driver.")
      Fixes: 61bb53bc ("hwmon: (iio_hwmon) Add support for humidity sensors")
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      34242c44
    • Jean Delvare's avatar
      hwmon: (it87) Add missing sysfs attribute group terminator · 6814e928
      Jean Delvare authored
      commit 3c329263 upstream.
      
      Attribute array it87_attributes_in lacks its NULL terminator,
      causing random behavior when operating on the attribute group.
      
      Fixes: 52929715 ("hwmon: (it87) Use is_visible for voltage sensors")
      Signed-off-by: default avatarJean Delvare <jdelvare@suse.de>
      Cc: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6814e928
    • Andrej Krutak's avatar
      ALSA: line6: Fix POD sysfs attributes segfault · 2c926ec5
      Andrej Krutak authored
      commit b027d112 upstream.
      
      The commit 02fc76f6 changed base of the sysfs attributes from device to card.
      The "show" callbacks dereferenced wrong objects because of this.
      
      Fixes: 02fc76f6 ('ALSA: line6: Create sysfs via snd_card_add_dev_attr()')
      Reviewed-by: default avatarStefan Hajnoczi <stefanha@gmail.com>
      Signed-off-by: default avatarAndrej Krutak <dev@andree.sk>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2c926ec5
    • Andrej Krutak's avatar
      ALSA: line6: Give up on the lock while URBs are released. · 906c9e0f
      Andrej Krutak authored
      commit adc8a43a upstream.
      
      Done, because line6_stream_stop() locks and calls line6_unlink_audio_urbs(),
      which in turn invokes audio_out_callback(), which tries to lock 2nd time.
      
      Fixes:
      
      =============================================
      [ INFO: possible recursive locking detected ]
      4.4.15+ #15 Not tainted
      ---------------------------------------------
      mplayer/3591 is trying to acquire lock:
       (&(&line6pcm->out.lock)->rlock){-.-...}, at: [<bfa27655>] audio_out_callback+0x70/0x110 [snd_usb_line6]
      
      but task is already holding lock:
       (&(&line6pcm->out.lock)->rlock){-.-...}, at: [<bfa26aad>] line6_stream_stop+0x24/0x5c [snd_usb_line6]
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&(&line6pcm->out.lock)->rlock);
        lock(&(&line6pcm->out.lock)->rlock);
      
       *** DEADLOCK ***
      
       May be due to missing lock nesting notation
      
      3 locks held by mplayer/3591:
       #0:  (snd_pcm_link_rwlock){.-.-..}, at: [<bf8d49a7>] snd_pcm_stream_lock+0x1e/0x40 [snd_pcm]
       #1:  (&(&substream->self_group.lock)->rlock){-.-...}, at: [<bf8d49af>] snd_pcm_stream_lock+0x26/0x40 [snd_pcm]
       #2:  (&(&line6pcm->out.lock)->rlock){-.-...}, at: [<bfa26aad>] line6_stream_stop+0x24/0x5c [snd_usb_line6]
      
      stack backtrace:
      CPU: 0 PID: 3591 Comm: mplayer Not tainted 4.4.15+ #15
      Hardware name: Generic AM33XX (Flattened Device Tree)
      [<c0015d85>] (unwind_backtrace) from [<c001253d>] (show_stack+0x11/0x14)
      [<c001253d>] (show_stack) from [<c02f1bdf>] (dump_stack+0x8b/0xac)
      [<c02f1bdf>] (dump_stack) from [<c0076f43>] (__lock_acquire+0xc8b/0x1780)
      [<c0076f43>] (__lock_acquire) from [<c007810d>] (lock_acquire+0x99/0x1c0)
      [<c007810d>] (lock_acquire) from [<c06171e7>] (_raw_spin_lock_irqsave+0x3f/0x4c)
      [<c06171e7>] (_raw_spin_lock_irqsave) from [<bfa27655>] (audio_out_callback+0x70/0x110 [snd_usb_line6])
      [<bfa27655>] (audio_out_callback [snd_usb_line6]) from [<c04294db>] (__usb_hcd_giveback_urb+0x53/0xd0)
      [<c04294db>] (__usb_hcd_giveback_urb) from [<c046388d>] (musb_giveback+0x3d/0x98)
      [<c046388d>] (musb_giveback) from [<c04647f5>] (musb_urb_dequeue+0x6d/0x114)
      [<c04647f5>] (musb_urb_dequeue) from [<c042ac11>] (usb_hcd_unlink_urb+0x39/0x98)
      [<c042ac11>] (usb_hcd_unlink_urb) from [<bfa26a87>] (line6_unlink_audio_urbs+0x6a/0x6c [snd_usb_line6])
      [<bfa26a87>] (line6_unlink_audio_urbs [snd_usb_line6]) from [<bfa26acb>] (line6_stream_stop+0x42/0x5c [snd_usb_line6])
      [<bfa26acb>] (line6_stream_stop [snd_usb_line6]) from [<bfa26fe7>] (snd_line6_trigger+0xb6/0xf4 [snd_usb_line6])
      [<bfa26fe7>] (snd_line6_trigger [snd_usb_line6]) from [<bf8d47b7>] (snd_pcm_do_stop+0x36/0x38 [snd_pcm])
      [<bf8d47b7>] (snd_pcm_do_stop [snd_pcm]) from [<bf8d462f>] (snd_pcm_action_single+0x22/0x40 [snd_pcm])
      [<bf8d462f>] (snd_pcm_action_single [snd_pcm]) from [<bf8d46f9>] (snd_pcm_action+0xac/0xb0 [snd_pcm])
      [<bf8d46f9>] (snd_pcm_action [snd_pcm]) from [<bf8d4b61>] (snd_pcm_drop+0x38/0x64 [snd_pcm])
      [<bf8d4b61>] (snd_pcm_drop [snd_pcm]) from [<bf8d6233>] (snd_pcm_common_ioctl1+0x7fe/0xbe8 [snd_pcm])
      [<bf8d6233>] (snd_pcm_common_ioctl1 [snd_pcm]) from [<bf8d6779>] (snd_pcm_playback_ioctl1+0x15c/0x51c [snd_pcm])
      [<bf8d6779>] (snd_pcm_playback_ioctl1 [snd_pcm]) from [<bf8d6b59>] (snd_pcm_playback_ioctl+0x20/0x28 [snd_pcm])
      [<bf8d6b59>] (snd_pcm_playback_ioctl [snd_pcm]) from [<c016714b>] (do_vfs_ioctl+0x3af/0x5c8)
      
      Fixes: 63e20df1 ('ALSA: line6: Reorganize PCM stream handling')
      Reviewed-by: default avatarStefan Hajnoczi <stefanha@gmail.com>
      Signed-off-by: default avatarAndrej Krutak <dev@andree.sk>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      906c9e0f
    • Andrej Krutak's avatar
      ALSA: line6: Remove double line6_pcm_release() after failed acquire. · c869384f
      Andrej Krutak authored
      commit 7e4379ea upstream.
      
      If there's an error, pcm is released in line6_pcm_acquire already.
      
      Fixes: 247d95ee ('ALSA: line6: Handle error from line6_pcm_acquire()')
      Reviewed-by: default avatarStefan Hajnoczi <stefanha@gmail.com>
      Signed-off-by: default avatarAndrej Krutak <dev@andree.sk>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c869384f
    • Lorenzo Pieralisi's avatar
      ACPI / drivers: replace acpi_probe_lock spinlock with mutex · 04790a5d
      Lorenzo Pieralisi authored
      commit 5331d9ca upstream.
      
      Commit e647b532 ("ACPI: Add early device probing infrastructure")
      introduced code that allows inserting driver specific
      struct acpi_probe_entry probe entries into ACPI linker sections
      (one per-subsystem, eg irqchip, clocksource) that are then walked
      to retrieve the data and function hooks required to probe the
      respective kernel components.
      
      Probing for all entries in a section is triggered through
      the __acpi_probe_device_table() function, that in turn, according
      to the table ID a given probe entry reports parses the table
      with the function retrieved from the respective section structures
      (ie struct acpi_probe_entry). Owing to the current ACPI table
      parsing implementation, the __acpi_probe_device_table() function
      has to share global variables with the acpi_match_madt() function, so
      in order to guarantee mutual exclusion locking is required
      between the two functions.
      
      Current kernel code implements the locking through the acpi_probe_lock
      spinlock; this has the side effect of requiring all code called
      within the lock (ie struct acpi_probe_entry.probe_{table/subtbl} hooks)
      not to sleep.
      
      However, kernel subsystems that make use of the early probing
      infrastructure are relying on kernel APIs that may sleep (eg
      irq_domain_alloc_fwnode(), among others) in the function calls
      pointed at by struct acpi_probe_entry.{probe_table/subtbl} entries
      (eg gic_v2_acpi_init()), which is a bug.
      
      Since __acpi_probe_device_table() is called from context
      that is allowed to sleep the acpi_probe_lock spinlock can be replaced
      with a mutex; this fixes the issue whilst still guaranteeing
      mutual exclusion.
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Fixes: e647b532 (ACPI: Add early device probing infrastructure)
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      04790a5d
    • Lorenzo Pieralisi's avatar
      ACPI / drivers: fix typo in ACPI_DECLARE_PROBE_ENTRY macro · aeeae065
      Lorenzo Pieralisi authored
      commit 3feab13c upstream.
      
      When the ACPI_DECLARE_PROBE_ENTRY macro was added in
      commit e647b532 ("ACPI: Add early device probing infrastructure"),
      a stub macro adding an unused entry was added for the !CONFIG_ACPI
      Kconfig option case to make sure kernel code making use of the
      macro did not require to be guarded within CONFIG_ACPI in order to
      be compiled.
      
      The stub macro was never used since all kernel code that defines
      ACPI_DECLARE_PROBE_ENTRY entries is currently guarded within
      CONFIG_ACPI; it contains a typo that should be nonetheless fixed.
      
      Fix the typo in the stub (ie !CONFIG_ACPI) ACPI_DECLARE_PROBE_ENTRY()
      macro so that it can actually be used if needed.
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Fixes: e647b532 (ACPI: Add early device probing infrastructure)
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aeeae065
    • Ian Abbott's avatar
      staging: comedi: ni_mio_common: fix wrong insn_write handler · 6e13820b
      Ian Abbott authored
      commit 5ca05345 upstream.
      
      For counter subdevices, the `s->insn_write` handler is being set to the
      wrong function, `ni_tio_insn_read()`.  It should be
      `ni_tio_insn_write()`.
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Reported-by: default avatarÉric Piel <piel@delmic.com>
      Fixes: 10f74377 ("staging: comedi: ni_tio: make ni_tio_winsn() a
        proper comedi (*insn_write)"
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e13820b
    • Ian Abbott's avatar
      staging: comedi: ni_mio_common: fix AO inttrig backwards compatibility · fdb162d3
      Ian Abbott authored
      commit f0f4b0cc upstream.
      
      Commit ebb657ba ("staging: comedi: ni_mio_common: clarify the
      cmd->start_arg validation and use") introduced a backwards compatibility
      issue in the use of asynchronous commands on the AO subdevice when
      `start_src` is `TRIG_EXT`.  Valid values for `start_src` are `TRIG_INT`
      (for internal, software trigger), and `TRIG_EXT` (for external trigger).
      When set to `TRIG_EXT`.  In both cases, the driver relies on an
      internal, software trigger to set things up (allowing the user
      application to write sufficient samples to the data buffer before the
      trigger), so it acts as a software "pre-trigger" in the `TRIG_EXT` case.
      The software trigger is handled by `ni_ao_inttrig()`.
      
      Prior to the above change, when `start_src` was `TRIG_INT`, `start_arg`
      was required to be 0, and `ni_ao_inttrig()` checked that the software
      trigger number was also 0.  After the above change, when `start_src` was
      `TRIG_INT`, any value was allowed for `start_arg`, and `ni_ao_inttrig()`
      checked that the software trigger number matched this `start_arg` value.
      The backwards compatibility issue is that the internal trigger number
      now has to match `start_arg` when `start_src` is `TRIG_EXT` when it
      previously had to be 0.
      
      Fix the backwards compatibility issue in `ni_ao_inttrig()` by always
      allowing software trigger number 0 when `start_src` is something other
      than `TRIG_INT`.
      
      Thanks to Spencer Olson for reporting the issue.
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Reported-by: default avatarSpencer Olson <olsonse@umich.edu>
      Fixes: ebb657ba ("staging: comedi: ni_mio_common: clarify the cmd->start_arg validation and use")
      Reviewed-by: default avatarH Hartley Sweeten <hsweeten@visionengravers.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fdb162d3
    • Ian Abbott's avatar
      staging: comedi: comedi_test: fix timer race conditions · 91ccea76
      Ian Abbott authored
      commit 403fe7f3 upstream.
      
      Commit 73e0e4df ("staging: comedi: comedi_test: fix timer lock-up")
      fixed a lock-up in the timer routine `waveform_ai_timer()` (which was
      called `waveform_ai_interrupt()` at the time) caused by
      commit 24051247 ("staging: comedi: comedi_test: use
      comedi_handle_events()").  However, it introduced a race condition that
      can result in the timer routine misbehaving, such as accessing freed
      memory or dereferencing a NULL pointer.
      
      73e0... changed the timer routine to do nothing unless a
      `WAVEFORM_AI_RUNNING` flag was set, and changed `waveform_ai_cancel()`
      to clear the flag and replace a call to `del_timer_sync()` with a call
      to `del_timer()`.  `waveform_ai_cancel()` may be called from the timer
      routine itself (via `comedi_handle_events()`), or from `do_cancel()`.
      (`do_cancel()` is called as a result of a file operation (usually a
      `COMEDI_CANCEL` ioctl command, or a release), or during device removal.)
      When called from `do_cancel()`, the call to `waveform_ai_cancel()` is
      followed by a call to `do_become_nonbusy()`, which frees up stuff for
      the current asynchronous command under the assumption that it is now
      safe to do so.  The race condition occurs when the timer routine
      `waveform_ai_timer()` checks the `WAVEFORM_AI_RUNNING` flag just before
      it is cleared by `waveform_ai_cancel()`, and is still running during the
      call to `do_become_nonbusy()`.  In particular, it can lead to a NULL
      pointer dereference:
      
      BUG: unable to handle kernel NULL pointer dereference at (null)
      IP: [<ffffffffc0c63add>] waveform_ai_timer+0x17d/0x290 [comedi_test]
      
      That corresponds to this line in `waveform_ai_timer()`:
      
      		unsigned int chanspec = cmd->chanlist[async->cur_chan];
      
      but `do_become_nonbusy()` frees `cmd->chanlist` and sets it to `NULL`.
      
      Fix the race by calling `del_timer_sync()` instead of `del_timer()` in
      `waveform_ai_cancel()` when not in an interrupt context.  The only time
      `waveform_ai_cancel()` is called in an interrupt context is when it is
      called from the timer routine itself, via `comedi_handle_events()`.
      
      There is no longer any need for the `WAVEFORM_AI_RUNNING` flag, so get
      rid of it.
      
      The bug was copied from the AI subdevice to the AO when support for
      commands on the AO subdevice was added by commit 0cf55bbe ("staging:
      comedi: comedi_test: implement commands on AO subdevice").  That
      involves the timer routine `waveform_ao_timer()`, the comedi "cancel"
      routine `waveform_ao_cancel()`, and the flag `WAVEFORM_AO_RUNNING`.  Fix
      it in the same way as for the AI subdevice.
      
      Fixes: 73e0e4df ("staging: comedi: comedi_test: fix timer lock-up")
      Fixes: 0cf55bbe ("staging: comedi: comedi_test: implement commands
       on AO subdevice")
      Reported-by: default avatarÉric Piel <piel@delmic.com>
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Cc: Éric Piel <piel@delmic.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      91ccea76
    • Ian Abbott's avatar
      staging: comedi: daqboard2000: bug fix board type matching code · f231fe0f
      Ian Abbott authored
      commit 80e162ee upstream.
      
      `daqboard2000_find_boardinfo()` is supposed to check if the
      DaqBoard/2000 series model is supported, based on the PCI subvendor and
      subdevice ID.  The current code is wrong as it is comparing the PCI
      device's subdevice ID to an expected, fixed value for the subvendor ID.
      It should be comparing the PCI device's subvendor ID to this fixed
      value.  Correct it.
      
      Fixes: 7e8401b2 ("staging: comedi: daqboard2000: add back subsystem_device check")
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f231fe0f