1. 15 Sep, 2016 27 commits
  2. 07 Sep, 2016 13 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.20 · 2cb99ded
      Greg Kroah-Hartman authored
      2cb99ded
    • Konstantin Khlebnikov's avatar
      sysfs: correctly handle read offset on PREALLOC attrs · 625ddb78
      Konstantin Khlebnikov authored
      commit 17d0774f upstream.
      
      Attributes declared with __ATTR_PREALLOC use sysfs_kf_read() which returns
      zero bytes for non-zero offset. This breaks script checkarray in mdadm tool
      in debian where /bin/sh is 'dash' because its builtin 'read' reads only one
      byte at a time. Script gets 'i' instead of 'idle' when reads current action
      from /sys/block/$dev/md/sync_action and as a result does nothing.
      
      This patch adds trivial implementation of partial read: generate whole
      string and move required part into buffer head.
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Fixes: 4ef67a8c ("sysfs/kernfs: make read requests on pre-alloc files use the buffer.")
      Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787950Acked-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      625ddb78
    • Quentin Schulz's avatar
      hwmon: (iio_hwmon) fix memory leak in name attribute · dde898fb
      Quentin Schulz authored
      commit 5d17d3b4 upstream.
      
      The "name" variable's memory is now freed when the device is destructed
      thanks to devm function.
      Signed-off-by: default avatarQuentin Schulz <quentin.schulz@free-electrons.com>
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Fixes: e0f8a24e ("staging:iio::hwmon interface client driver.")
      Fixes: 61bb53bc ("hwmon: (iio_hwmon) Add support for humidity sensors")
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dde898fb
    • Andrej Krutak's avatar
      ALSA: line6: Fix POD sysfs attributes segfault · a2d9e40c
      Andrej Krutak authored
      commit b027d112 upstream.
      
      The commit 02fc76f6 changed base of the sysfs attributes from device to card.
      The "show" callbacks dereferenced wrong objects because of this.
      
      Fixes: 02fc76f6 ('ALSA: line6: Create sysfs via snd_card_add_dev_attr()')
      Reviewed-by: default avatarStefan Hajnoczi <stefanha@gmail.com>
      Signed-off-by: default avatarAndrej Krutak <dev@andree.sk>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a2d9e40c
    • Andrej Krutak's avatar
      ALSA: line6: Give up on the lock while URBs are released. · d21befeb
      Andrej Krutak authored
      commit adc8a43a upstream.
      
      Done, because line6_stream_stop() locks and calls line6_unlink_audio_urbs(),
      which in turn invokes audio_out_callback(), which tries to lock 2nd time.
      
      Fixes:
      
      =============================================
      [ INFO: possible recursive locking detected ]
      4.4.15+ #15 Not tainted
      ---------------------------------------------
      mplayer/3591 is trying to acquire lock:
       (&(&line6pcm->out.lock)->rlock){-.-...}, at: [<bfa27655>] audio_out_callback+0x70/0x110 [snd_usb_line6]
      
      but task is already holding lock:
       (&(&line6pcm->out.lock)->rlock){-.-...}, at: [<bfa26aad>] line6_stream_stop+0x24/0x5c [snd_usb_line6]
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&(&line6pcm->out.lock)->rlock);
        lock(&(&line6pcm->out.lock)->rlock);
      
       *** DEADLOCK ***
      
       May be due to missing lock nesting notation
      
      3 locks held by mplayer/3591:
       #0:  (snd_pcm_link_rwlock){.-.-..}, at: [<bf8d49a7>] snd_pcm_stream_lock+0x1e/0x40 [snd_pcm]
       #1:  (&(&substream->self_group.lock)->rlock){-.-...}, at: [<bf8d49af>] snd_pcm_stream_lock+0x26/0x40 [snd_pcm]
       #2:  (&(&line6pcm->out.lock)->rlock){-.-...}, at: [<bfa26aad>] line6_stream_stop+0x24/0x5c [snd_usb_line6]
      
      stack backtrace:
      CPU: 0 PID: 3591 Comm: mplayer Not tainted 4.4.15+ #15
      Hardware name: Generic AM33XX (Flattened Device Tree)
      [<c0015d85>] (unwind_backtrace) from [<c001253d>] (show_stack+0x11/0x14)
      [<c001253d>] (show_stack) from [<c02f1bdf>] (dump_stack+0x8b/0xac)
      [<c02f1bdf>] (dump_stack) from [<c0076f43>] (__lock_acquire+0xc8b/0x1780)
      [<c0076f43>] (__lock_acquire) from [<c007810d>] (lock_acquire+0x99/0x1c0)
      [<c007810d>] (lock_acquire) from [<c06171e7>] (_raw_spin_lock_irqsave+0x3f/0x4c)
      [<c06171e7>] (_raw_spin_lock_irqsave) from [<bfa27655>] (audio_out_callback+0x70/0x110 [snd_usb_line6])
      [<bfa27655>] (audio_out_callback [snd_usb_line6]) from [<c04294db>] (__usb_hcd_giveback_urb+0x53/0xd0)
      [<c04294db>] (__usb_hcd_giveback_urb) from [<c046388d>] (musb_giveback+0x3d/0x98)
      [<c046388d>] (musb_giveback) from [<c04647f5>] (musb_urb_dequeue+0x6d/0x114)
      [<c04647f5>] (musb_urb_dequeue) from [<c042ac11>] (usb_hcd_unlink_urb+0x39/0x98)
      [<c042ac11>] (usb_hcd_unlink_urb) from [<bfa26a87>] (line6_unlink_audio_urbs+0x6a/0x6c [snd_usb_line6])
      [<bfa26a87>] (line6_unlink_audio_urbs [snd_usb_line6]) from [<bfa26acb>] (line6_stream_stop+0x42/0x5c [snd_usb_line6])
      [<bfa26acb>] (line6_stream_stop [snd_usb_line6]) from [<bfa26fe7>] (snd_line6_trigger+0xb6/0xf4 [snd_usb_line6])
      [<bfa26fe7>] (snd_line6_trigger [snd_usb_line6]) from [<bf8d47b7>] (snd_pcm_do_stop+0x36/0x38 [snd_pcm])
      [<bf8d47b7>] (snd_pcm_do_stop [snd_pcm]) from [<bf8d462f>] (snd_pcm_action_single+0x22/0x40 [snd_pcm])
      [<bf8d462f>] (snd_pcm_action_single [snd_pcm]) from [<bf8d46f9>] (snd_pcm_action+0xac/0xb0 [snd_pcm])
      [<bf8d46f9>] (snd_pcm_action [snd_pcm]) from [<bf8d4b61>] (snd_pcm_drop+0x38/0x64 [snd_pcm])
      [<bf8d4b61>] (snd_pcm_drop [snd_pcm]) from [<bf8d6233>] (snd_pcm_common_ioctl1+0x7fe/0xbe8 [snd_pcm])
      [<bf8d6233>] (snd_pcm_common_ioctl1 [snd_pcm]) from [<bf8d6779>] (snd_pcm_playback_ioctl1+0x15c/0x51c [snd_pcm])
      [<bf8d6779>] (snd_pcm_playback_ioctl1 [snd_pcm]) from [<bf8d6b59>] (snd_pcm_playback_ioctl+0x20/0x28 [snd_pcm])
      [<bf8d6b59>] (snd_pcm_playback_ioctl [snd_pcm]) from [<c016714b>] (do_vfs_ioctl+0x3af/0x5c8)
      
      Fixes: 63e20df1 ('ALSA: line6: Reorganize PCM stream handling')
      Reviewed-by: default avatarStefan Hajnoczi <stefanha@gmail.com>
      Signed-off-by: default avatarAndrej Krutak <dev@andree.sk>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d21befeb
    • Andrej Krutak's avatar
      ALSA: line6: Remove double line6_pcm_release() after failed acquire. · 85db22a1
      Andrej Krutak authored
      commit 7e4379ea upstream.
      
      If there's an error, pcm is released in line6_pcm_acquire already.
      
      Fixes: 247d95ee ('ALSA: line6: Handle error from line6_pcm_acquire()')
      Reviewed-by: default avatarStefan Hajnoczi <stefanha@gmail.com>
      Signed-off-by: default avatarAndrej Krutak <dev@andree.sk>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      85db22a1
    • Lukasz Anaczkowski's avatar
      ACPI / SRAT: fix SRAT parsing order with both LAPIC and X2APIC present · 37e16dc9
      Lukasz Anaczkowski authored
      commit 702b07fc upstream.
      
      SRAT maps APIC ID to proximity domains ids (PXM). Mapping from PXM to
      NUMA node ids is based on order of entries in SRAT table.
      SRAT table has just LAPIC entires or mix of LAPIC and X2APIC entries.
      As long as there are only LAPIC entires, mapping from proximity domain
      id to NUMA node id is as assumed by BIOS. However, once APIC entries are
      mixed, X2APIC entries would be first mapped which causes unexpected NUMA
      node mapping.
      
      To fix that, change parsing to check each entry against both LAPIC and
      X2APIC so mapping is in the SRAT/PXM order.
      
      This is supplemental change to the fix made by commit d81056b5
      (Handle apic/x2apic entries in MADT in correct order) and using the
      mechanism introduced by 9b3fedde (ACPI / tables: Add acpi_subtable_proc
      to ACPI table parsers).
      
      Fixes: d81056b5 (Handle apic/x2apic entries in MADT in correct order)
      Signed-off-by: default avatarLukasz Anaczkowski <lukasz.anaczkowski@intel.com>
      [ rjw : Subject & changelog ]
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      37e16dc9
    • Dan Carpenter's avatar
      ACPI / sysfs: fix error code in get_status() · a37b8344
      Dan Carpenter authored
      commit f18ebc21 upstream.
      
      The problem with ornamental, do-nothing gotos is that they lead to
      "forgot to set the error code" bugs.  We should be returning -EINVAL
      here but we don't.  It leads to an uninitalized variable in
      counter_show():
      
          drivers/acpi/sysfs.c:603 counter_show()
          error: uninitialized symbol 'status'.
      
      Fixes: 1c8fce27 (ACPI: introduce drivers/acpi/sysfs.c)
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a37b8344
    • Lorenzo Pieralisi's avatar
      ACPI / drivers: replace acpi_probe_lock spinlock with mutex · b0917f5d
      Lorenzo Pieralisi authored
      commit 5331d9ca upstream.
      
      Commit e647b532 ("ACPI: Add early device probing infrastructure")
      introduced code that allows inserting driver specific
      struct acpi_probe_entry probe entries into ACPI linker sections
      (one per-subsystem, eg irqchip, clocksource) that are then walked
      to retrieve the data and function hooks required to probe the
      respective kernel components.
      
      Probing for all entries in a section is triggered through
      the __acpi_probe_device_table() function, that in turn, according
      to the table ID a given probe entry reports parses the table
      with the function retrieved from the respective section structures
      (ie struct acpi_probe_entry). Owing to the current ACPI table
      parsing implementation, the __acpi_probe_device_table() function
      has to share global variables with the acpi_match_madt() function, so
      in order to guarantee mutual exclusion locking is required
      between the two functions.
      
      Current kernel code implements the locking through the acpi_probe_lock
      spinlock; this has the side effect of requiring all code called
      within the lock (ie struct acpi_probe_entry.probe_{table/subtbl} hooks)
      not to sleep.
      
      However, kernel subsystems that make use of the early probing
      infrastructure are relying on kernel APIs that may sleep (eg
      irq_domain_alloc_fwnode(), among others) in the function calls
      pointed at by struct acpi_probe_entry.{probe_table/subtbl} entries
      (eg gic_v2_acpi_init()), which is a bug.
      
      Since __acpi_probe_device_table() is called from context
      that is allowed to sleep the acpi_probe_lock spinlock can be replaced
      with a mutex; this fixes the issue whilst still guaranteeing
      mutual exclusion.
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Fixes: e647b532 (ACPI: Add early device probing infrastructure)
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b0917f5d
    • Lorenzo Pieralisi's avatar
      ACPI / drivers: fix typo in ACPI_DECLARE_PROBE_ENTRY macro · 0b21b21b
      Lorenzo Pieralisi authored
      commit 3feab13c upstream.
      
      When the ACPI_DECLARE_PROBE_ENTRY macro was added in
      commit e647b532 ("ACPI: Add early device probing infrastructure"),
      a stub macro adding an unused entry was added for the !CONFIG_ACPI
      Kconfig option case to make sure kernel code making use of the
      macro did not require to be guarded within CONFIG_ACPI in order to
      be compiled.
      
      The stub macro was never used since all kernel code that defines
      ACPI_DECLARE_PROBE_ENTRY entries is currently guarded within
      CONFIG_ACPI; it contains a typo that should be nonetheless fixed.
      
      Fix the typo in the stub (ie !CONFIG_ACPI) ACPI_DECLARE_PROBE_ENTRY()
      macro so that it can actually be used if needed.
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Fixes: e647b532 (ACPI: Add early device probing infrastructure)
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0b21b21b
    • Ian Abbott's avatar
      staging: comedi: ni_mio_common: fix wrong insn_write handler · fbde41fa
      Ian Abbott authored
      commit 5ca05345 upstream.
      
      For counter subdevices, the `s->insn_write` handler is being set to the
      wrong function, `ni_tio_insn_read()`.  It should be
      `ni_tio_insn_write()`.
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Reported-by: default avatarÉric Piel <piel@delmic.com>
      Fixes: 10f74377 ("staging: comedi: ni_tio: make ni_tio_winsn() a
        proper comedi (*insn_write)"
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fbde41fa
    • Ian Abbott's avatar
      staging: comedi: ni_mio_common: fix AO inttrig backwards compatibility · b03ee3d0
      Ian Abbott authored
      commit f0f4b0cc upstream.
      
      Commit ebb657ba ("staging: comedi: ni_mio_common: clarify the
      cmd->start_arg validation and use") introduced a backwards compatibility
      issue in the use of asynchronous commands on the AO subdevice when
      `start_src` is `TRIG_EXT`.  Valid values for `start_src` are `TRIG_INT`
      (for internal, software trigger), and `TRIG_EXT` (for external trigger).
      When set to `TRIG_EXT`.  In both cases, the driver relies on an
      internal, software trigger to set things up (allowing the user
      application to write sufficient samples to the data buffer before the
      trigger), so it acts as a software "pre-trigger" in the `TRIG_EXT` case.
      The software trigger is handled by `ni_ao_inttrig()`.
      
      Prior to the above change, when `start_src` was `TRIG_INT`, `start_arg`
      was required to be 0, and `ni_ao_inttrig()` checked that the software
      trigger number was also 0.  After the above change, when `start_src` was
      `TRIG_INT`, any value was allowed for `start_arg`, and `ni_ao_inttrig()`
      checked that the software trigger number matched this `start_arg` value.
      The backwards compatibility issue is that the internal trigger number
      now has to match `start_arg` when `start_src` is `TRIG_EXT` when it
      previously had to be 0.
      
      Fix the backwards compatibility issue in `ni_ao_inttrig()` by always
      allowing software trigger number 0 when `start_src` is something other
      than `TRIG_INT`.
      
      Thanks to Spencer Olson for reporting the issue.
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Reported-by: default avatarSpencer Olson <olsonse@umich.edu>
      Fixes: ebb657ba ("staging: comedi: ni_mio_common: clarify the cmd->start_arg validation and use")
      Reviewed-by: default avatarH Hartley Sweeten <hsweeten@visionengravers.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b03ee3d0
    • Ian Abbott's avatar
      staging: comedi: comedi_test: fix timer race conditions · fd514089
      Ian Abbott authored
      commit 403fe7f3 upstream.
      
      Commit 73e0e4df ("staging: comedi: comedi_test: fix timer lock-up")
      fixed a lock-up in the timer routine `waveform_ai_timer()` (which was
      called `waveform_ai_interrupt()` at the time) caused by
      commit 24051247 ("staging: comedi: comedi_test: use
      comedi_handle_events()").  However, it introduced a race condition that
      can result in the timer routine misbehaving, such as accessing freed
      memory or dereferencing a NULL pointer.
      
      73e0... changed the timer routine to do nothing unless a
      `WAVEFORM_AI_RUNNING` flag was set, and changed `waveform_ai_cancel()`
      to clear the flag and replace a call to `del_timer_sync()` with a call
      to `del_timer()`.  `waveform_ai_cancel()` may be called from the timer
      routine itself (via `comedi_handle_events()`), or from `do_cancel()`.
      (`do_cancel()` is called as a result of a file operation (usually a
      `COMEDI_CANCEL` ioctl command, or a release), or during device removal.)
      When called from `do_cancel()`, the call to `waveform_ai_cancel()` is
      followed by a call to `do_become_nonbusy()`, which frees up stuff for
      the current asynchronous command under the assumption that it is now
      safe to do so.  The race condition occurs when the timer routine
      `waveform_ai_timer()` checks the `WAVEFORM_AI_RUNNING` flag just before
      it is cleared by `waveform_ai_cancel()`, and is still running during the
      call to `do_become_nonbusy()`.  In particular, it can lead to a NULL
      pointer dereference:
      
      BUG: unable to handle kernel NULL pointer dereference at (null)
      IP: [<ffffffffc0c63add>] waveform_ai_timer+0x17d/0x290 [comedi_test]
      
      That corresponds to this line in `waveform_ai_timer()`:
      
      		unsigned int chanspec = cmd->chanlist[async->cur_chan];
      
      but `do_become_nonbusy()` frees `cmd->chanlist` and sets it to `NULL`.
      
      Fix the race by calling `del_timer_sync()` instead of `del_timer()` in
      `waveform_ai_cancel()` when not in an interrupt context.  The only time
      `waveform_ai_cancel()` is called in an interrupt context is when it is
      called from the timer routine itself, via `comedi_handle_events()`.
      
      There is no longer any need for the `WAVEFORM_AI_RUNNING` flag, so get
      rid of it.
      
      The bug was copied from the AI subdevice to the AO when support for
      commands on the AO subdevice was added by commit 0cf55bbe ("staging:
      comedi: comedi_test: implement commands on AO subdevice").  That
      involves the timer routine `waveform_ao_timer()`, the comedi "cancel"
      routine `waveform_ao_cancel()`, and the flag `WAVEFORM_AO_RUNNING`.  Fix
      it in the same way as for the AI subdevice.
      
      Fixes: 73e0e4df ("staging: comedi: comedi_test: fix timer lock-up")
      Fixes: 0cf55bbe ("staging: comedi: comedi_test: implement commands
       on AO subdevice")
      Reported-by: default avatarÉric Piel <piel@delmic.com>
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Cc: Éric Piel <piel@delmic.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fd514089