Commit Graph

691900 Commits

Author SHA1 Message Date
Toshi Kani 4e3f0701f2 libnvdimm: fix badblock range handling of ARS range
__add_badblock_range() does not account sector alignment when
it sets 'num_sectors'.  Therefore, an ARS error record range
spanning across two sectors is set to a single sector length,
which leaves the 2nd sector unprotected.

Change __add_badblock_range() to set 'num_sectors' properly.

Cc: <stable@vger.kernel.org>
Fixes: 0caeef63e6 ("libnvdimm: Add a poison list and export badblocks")
Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2017-07-17 11:43:58 -07:00
Geert Uytterhoeven cb0fbbf22a Blackfin: flat: Use %x to format u32
Several variables had their types changed from unsigned long to u32,
but the printk()-style format to print them wasn't updated, leading to:

    arch/blackfin/kernel/flat.c: In function 'bfin_get_addr_from_rp':
    arch/blackfin/kernel/flat.c:35:3: warning: format '%lx' expects argument of type 'long unsigned int', but argument 2 has type 'u32' [-Wformat]
    arch/blackfin/kernel/flat.c: In function 'bfin_put_addr_at_rp':
    arch/blackfin/kernel/flat.c:80:3: warning: format '%lx' expects argument of type 'long unsigned int', but argument 2 has type 'u32' [-Wformat]

Fixes: 468138d785 ("binfmt_flat: flat_{get,put}_addr_from_rp() should be able to fail")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-17 11:40:33 -07:00
Trond Myklebust eff7936877 nfsd: Fix a memory scribble in the callback channel
The offset of the entry in struct rpc_version has to match the version
number.

Reported-by: Dave Jones <davej@codemonkey.org.uk>
Fixes: 1c5876ddbd ("sunrpc: move p_count out of struct rpc_procinfo")
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Reported-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2017-07-17 13:15:06 -04:00
Jakub Kicinski 13c401f33e jhash: fix -Wimplicit-fallthrough warnings
GCC 7 added a new -Wimplicit-fallthrough warning.  It's only enabled
with W=1, but since linux/jhash.h is included in over hundred places
(including other global headers) it seems worthwhile fixing this
warning.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-17 09:22:34 -07:00
Sean Paul ef434a0c2c Merge branch 'drm-misc-next-fixes' into drm-misc-fixes
Pick up

1ed134e652 drm/vc4: Fix VBLANK handling in crtc->enable() path

From drm-misc-next-fixes, it was applied after the last pull request
was sent from that branch. We'll send it through drm-fixes instead.
2017-07-17 11:56:07 -04:00
Moni Shoua cbd09aebc2 IB/core: Don't resolve IP address to the loopback device
When resolving an IP address that is on the host of the caller the
result from querying the routing table is the loopback device. This is
not a valid response, because it doesn't represent the RDMA device and
the port.

Therefore, callers need to check the resolved device and if it is a
loopback device find an alternative way to resolve it. To avoid this we
make sure that the response from rdma_resolve_ip() will not be the
loopback device.

While that, we fix an static checker warning about dereferencing an
unintitialized pointer using the same solution as in commit abeffce90c
("net/mlx5e: Fix a -Wmaybe-uninitialized warning") as a reference.

Signed-off-by: Moni Shoua <monis@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2017-07-17 11:45:42 -04:00
Moni Shoua bebb2a473a IB/core: Namespace is mandatory input for address resolution
In function addr_resolve() the namespace is a required input parameter
and not an output. It is passed later for searching the routing table
and device addresses. Also, it shouldn't be copied back to the caller.

Fixes: 565edd1d55 ('IB/addr: Pass network namespace as a parameter')
Cc: <stable@vger.kernel.org> # v4.3+
Signed-off-by: Moni Shoua <monis@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2017-07-17 11:45:34 -04:00
Vladimir Neyelov c8c16d3bae IB/iser: Fix connection teardown race condition
Under heavy iser target(scst) start/stop stress during login/logout
on iser intitiator side happened trace call provided below.

The function iscsi_iser_slave_alloc iser_conn pointer could be NULL,
due to the fact that function iscsi_iser_conn_stop can be called before
and free iser connection. Let's protect that flow by introducing global mutex.

BUG: unable to handle kernel paging request at 0000000000001018
IP: [<ffffffffc0426f7e>] iscsi_iser_slave_alloc+0x1e/0x50 [ib_iser]
Call Trace:
? scsi_alloc_sdev+0x242/0x300
scsi_probe_and_add_lun+0x9e1/0xea0
? kfree_const+0x21/0x30
? kobject_set_name_vargs+0x76/0x90
? __pm_runtime_resume+0x5b/0x70
__scsi_scan_target+0xf6/0x250
scsi_scan_target+0xea/0x100
iscsi_user_scan_session.part.13+0x101/0x130 [scsi_transport_iscsi]
? iscsi_user_scan_session.part.13+0x130/0x130 [scsi_transport_iscsi]
iscsi_user_scan_session+0x1e/0x30 [scsi_transport_iscsi]
device_for_each_child+0x50/0x90
iscsi_user_scan+0x44/0x60 [scsi_transport_iscsi]
store_scan+0xa8/0x100
? common_file_perm+0x5d/0x1c0
dev_attr_store+0x18/0x30
sysfs_kf_write+0x37/0x40
kernfs_fop_write+0x12c/0x1c0
__vfs_write+0x18/0x40
vfs_write+0xb5/0x1a0
SyS_write+0x55/0xc0

Fixes: 318d311e8f ("iser: Accept arbitrary sg lists mapping if the device supports it")
Cc: <stable@vger.kernel.org> # v4.5+
Signed-off-by: Vladimir Neyelov <vladimirn@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Reviewed-by: Sagi Grimberg <sagi@grimbeg.me>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2017-07-17 11:45:25 -04:00
Gustavo A. R. Silva 28b5b3a23b RDMA/core: Document confusing code
While looking into Coverity ID 1351047 I ran into the following
piece of code at
drivers/infiniband/core/verbs.c:496:

ret = rdma_addr_find_l2_eth_by_grh(&dgid, &sgid,
                                   ah_attr->dmac,
                                   wc->wc_flags & IB_WC_WITH_VLAN ?
                                   NULL : &vlan_id,
                                   &if_index, &hoplimit);

The issue here is that the position of arguments in the call to
rdma_addr_find_l2_eth_by_grh() function do not match the order of
the parameters:

&dgid is passed to sgid
&sgid is passed to dgid

This is the function prototype:

int rdma_addr_find_l2_eth_by_grh(const union ib_gid *sgid,
 				 const union ib_gid *dgid,
 				 u8 *dmac, u16 *vlan_id, int *if_index,
 				 int *hoplimit)

My question here is if this is intentional?

Answer:
Yes. ib_init_ah_from_wc() creates ah from the incoming packet.
Incoming packet has dgid of the receiver node on which this code is
getting executed and sgid contains the GID of the sender.

When resolving mac address of destination, you use arrived dgid as
sgid and use sgid as dgid because sgid contains destinations GID whom to
respond to.

Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2017-07-17 11:45:17 -04:00
Bart Van Assche 99975cd4fd mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms[] array
ib_map_mr_sg() can pass an SG-list to .map_mr_sg() that is larger
than what fits into a single MR. .map_mr_sg() must not attempt to
map more SG-list elements than what fits into a single MR.
Hence make sure that mlx5_ib_sg_to_klms() does not write outside
the MR klms[] array.

Fixes: b005d31647 ("mlx5: Add arbitrary sg list support")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
Cc: Sagi Grimberg <sagi@grimberg.me>
Cc: Leon Romanovsky <leonro@mellanox.com>
Cc: Israel Rukshin <israelr@mellanox.com>
Cc: <stable@vger.kernel.org>
Acked-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2017-07-17 11:45:07 -04:00
Dennis Dalessandro 91647f4c2d IB/hfi1: Ensure dd->gi_mask can not be overflowed
As the code stands today the array access in remap_intr() is OK. To
future proof the code though we should explicitly check to ensure the
index value is not outside of the valid range. This is not a straight
forward calculation so err on the side of caution.

Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2017-07-17 11:39:45 -04:00
Doug Ledford 3d886aa3be Linux v4.13-rc1
-----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJZapWhAAoJEHm+PkMAQRiGKb0IAJM6b7SbWaw69Og7+qiFB+zZ
 xp29iXqbE9fPISC6a5BRQV1ONjeDM6opGixGHqGC8Hla6k2IYz25VDNoF8wd0MXN
 cz/Ih20vd3C5afxXGe5cTT8lsPAlV0mWXxForlu6j8jPeL62FPfq6RhEkw7AcrYL
 yfYy3k3qSdOrrvBdII0WAAUi46UfIs+we9BQgbsMbkHOiqV2K0MOrzKE84Xbgepq
 RAy2xg6P4b4+hTx8xTrYc1MXwpnqjRc0oJ08gdmiwW3AOOU7LxYFn7zDkLPWi9Rr
 g4x6r4YhBTGxT4wNvovLIiqd9QFs//dMCuPWYwEtTICG48umIqqq24beQ0mvCdg=
 =08Ic
 -----END PGP SIGNATURE-----

Merge tag 'v4.13-rc1' into k.o/for-4.13-rc

Linux v4.13-rc1
2017-07-17 11:26:58 -04:00
Gleb Fotengauer-Malinovskiy c632517923 tty: Fix TIOCGPTPEER ioctl definition
This ioctl does nothing to justify an _IOC_READ or _IOC_WRITE flag
because it doesn't copy anything from/to userspace to access the
argument.

Fixes: 54ebbfb160 ("tty: add TIOCGPTPEER ioctl")
Signed-off-by: Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
Acked-by: Aleksa Sarai <asarai@suse.de>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 17:04:41 +02:00
Arnd Bergmann 6509f30962 tty: hide unused pty_get_peer function
TIOCGPTPEER is only used for unix98 PTYs, and we get a warning
when those are disabled:

drivers/tty/pty.c:466:12: error: 'pty_get_peer' defined but not used [-Werror=unused-function]

This moves the respective functions inside of the existing #ifdef.

Fixes: 54ebbfb160 ("tty: add TIOCGPTPEER ioctl")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Aleksa Sarai <asarai@suse.de>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 17:04:41 +02:00
Florian Westphal 36ac344e16 netfilter: expect: fix crash when putting uninited expectation
We crash in __nf_ct_expect_check, it calls nf_ct_remove_expect on the
uninitialised expectation instead of existing one, so del_timer chokes
on random memory address.

Fixes: ec0e3f0111 ("netfilter: nf_ct_expect: Add nf_ct_remove_expect()")
Reported-by: Sergey Kvachonok <ravenexp@gmail.com>
Tested-by: Sergey Kvachonok <ravenexp@gmail.com>
Cc: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-07-17 17:03:12 +02:00
Florian Westphal 974292defe netfilter: nf_tables: only allow in/output for arp packets
arp packets cannot be forwarded.

They can be bridged, but then they can be filtered using
either ebtables or nftables bridge family.

The bridge netfilter exposes a "call-arptables" switch which
pushes packets into arptables, but lets not expose this for nftables, so better
close this asap.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-07-17 17:02:44 +02:00
Florian Westphal 97772bcd56 netfilter: nat: fix src map lookup
When doing initial conversion to rhashtable I replaced the bucket
walk with a single rhashtable_lookup_fast().

When moving to rhlist I failed to properly walk the list of identical
tuples, but that is what is needed for this to work correctly.
The table contains the original tuples, so the reply tuples are all
distinct.

We currently decide that mapping is (not) in range only based on the
first entry, but in case its not we need to try the reply tuple of the
next entry until we either find an in-range mapping or we checked
all the entries.

This bug makes nat core attempt collision resolution while it might be
able to use the mapping as-is.

Fixes: 870190a9ec ("netfilter: nat: convert nat bysrc hash to rhashtable")
Reported-by: Jaco Kroon <jaco@uls.co.za>
Tested-by: Jaco Kroon <jaco@uls.co.za>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-07-17 17:02:19 +02:00
Florian Westphal cf56c2f892 netfilter: remove old pre-netns era hook api
no more users in the tree, remove this.

The old api is racy wrt. module removal, all users have been converted
to the netns-aware api.

The old api pretended we still have global hooks but that has not been
true for a long time.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-07-17 17:01:10 +02:00
minimumlaw@rambler.ru 5b20a43683 regmap: regmap-w1: Fix build troubles
Fixes: cc5d0db390 ("regmap: Add 1-Wire bus support")
Commit de0d6dbdbd ("w1: Add subsystem kernel public interface")
Fix place off w1.h header file

Cosmetic: Fix company name (local to international)
Signed-off-by: Alex A. Mihaylov <minimumlaw@rambler.ru>
Signed-off-by: Mark Brown <broonie@kernel.org>
2017-07-17 15:53:00 +01:00
Gustavo A. R. Silva c89876dda0 w1: omap-hdq: fix error return code in omap_hdq_probe()
platform_get_irq() returns an error code, but the omap_hdq
driver ignores it and always returns -ENXIO. This is not correct,
and prevents -EPROBE_DEFER from being propagated properly.
Notice that platform_get_irq() no longer returns 0 on error.

Print error message and propagate the return value of
platform_get_irq on failure.

Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 16:48:15 +02:00
Alex A. Mihaylov cc84b824e4 regmap: regmap-w1: Fix build troubles
Fixes: cc5d0db390 ("regmap: Add 1-Wire bus support")
Commit de0d6dbdbd ("w1: Add subsystem kernel public interface")
Fix place off w1.h header file

Cosmetic: Fix company name (local to international)

Signed-off-by: Alex A. Mihaylov <minimumlaw@rambler.ru>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
Cc: Mark Brown <broonie@kernel.org>
Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 16:45:16 +02:00
Alex A. Mihaylov 2c927c0c73 w1: Fix slave count on 1-Wire bus (resend)
1-Wire bus have very fast algorith for exchange with single slave
device. Fix incorrect count of slave devices on connect second slave
device. This case on slave device probe() step we need use generic
(multislave) functions for read/write device.

Signed-off-by: Alex A. Mihaylov <minimumlaw@rambler.ru>
Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 16:45:16 +02:00
Kuppuswamy Sathyanarayanan 998849967c mux: mux-core: unregister mux_class in mux_exit()
Fixes an obvious and nasty typo.

Fixes: a3b02a9c65 ("mux: minimal mux subsystem")
Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Signed-off-by: Peter Rosin <peda@axentia.se>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 16:38:35 +02:00
Peter Rosin 4c19c0ec73 mux: remove the Kconfig question for the subsystem
The MULTIPLEXER question in the Kconfig might be confusing and is
of dubious value. Remove it. This makes consumers responsible for
selecting MULTIPLEXER, which they already do.

Signed-off-by: Peter Rosin <peda@axentia.se>
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 16:37:30 +02:00
Frank Wang d6e4bd1b52 nvmem: rockchip-efuse: amend compatible rk322x-efuse to rk3228-efuse
As the comments from Heiko Stuebner <heiko@sntech.de> that compatible
should not contain any placeholders, this patch fix it for rk3228 SoC.

Note that this is a fix for v4.13, due to fixing the current non-standard
binding name that should not become part of an official kernel release.

Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
Acked-by: Rob Herring <robh@kernel.org>
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 16:15:57 +02:00
Arnd Bergmann ceb8a12ff2 drivers/fsi: fix fsi_slave_mode prototype
gcc warns about the return type of this function:

drivers/fsi/fsi-core.c:535:8: error: type qualifiers ignored on function return type [-Werror=ignored-qualifiers]

This removes the 'const' attribute, as suggested by the warning.

Fixes: 2b37c3e285 ("drivers/fsi: Set slave SMODE to init communication")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 16:13:54 +02:00
Joel Stanley 496f8931b6 fsi: core: register with postcore_initcall
When testing an i2c driver that is a fsi bus driver, I saw the following
oops:

 kernel BUG at drivers/base/driver.c:153!
 Internal error: Oops - BUG: 0 [#1] ARM

 [<8027cb1c>] (driver_register) from [<80344e88>] (fsi_driver_register+0x2c/0x38)
 [<80344e88>] (fsi_driver_register) from [<805f5ebc>] (fsi_i2c_driver_init+0x1c/0x24)
 [<805f5ebc>] (fsi_i2c_driver_init) from [<805d1f14>] (do_one_initcall+0xb4/0x170)
 [<805d1f14>] (do_one_initcall) from [<805d20f0>] (kernel_init_freeable+0x120/0x1dc)
 [<805d20f0>] (kernel_init_freeable) from [<8043f4a8>] (kernel_init+0x18/0x104)
 [<8043f4a8>] (kernel_init) from [<8000a5e8>] (ret_from_fork+0x14/0x2c)

This is because the fsi bus had not been registered. This fix registers the bus
with postcore_initcall instead, to ensure it is registered earlier on.

When the fsi core is used as a module this should not be a problem as the fsi
driver will depend on the fsi bus type symbol, and will therefore load the core
before the driver.

Fixes: 0508ad1fff ("drivers/fsi: Add empty fsi bus definitions")
Signed-off-by: Joel Stanley <joel@jms.id.au>
Acked-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 16:13:54 +02:00
Philipp Zabel 799ee29704 drm/imx: parallel-display: Accept drm_of_find_panel_or_bridge failure
The parallel panel driver should continue to work without having an
endpoint linking to an panel in DT for backwards compatibility.
With the recent switch to drm_of_find_panel_or_bridge, an absent
panel results in a failure with -ENODEV error return code. To restore
the old behaviour, ignore the -ENODEV return code.

Reported-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
Fixes: ebc9446135 ("drm: convert drivers to use drm_of_find_panel_or_bridge")
Tested-by: Chris Healy <cphealy@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
2017-07-17 15:57:52 +02:00
Laurentiu Palcu f2ad99fc46 drm/imx: fix typo in ipu_plane_formats[]
The BGRA8888 appears twice in the ipu_plane_formats[] list. The
duplicate should be BGRX8888.

The original commit is:

commit 59d6b7189a ("drm/imx: ipuv3-plane: enable support for RGBX8888
and RGBA8888 pixel formats")

Signed-off-by: Laurentiu Palcu <laurentiu.palcu@nxp.com>
Fixes: 59d6b7189a ("drm/imx: ipuv3-plane: enable support for RGBX8888 and RGBA8888 pixel")
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
2017-07-17 15:57:51 +02:00
Mika Westerberg 800161bd02 thunderbolt: Correct access permissions for active NVM contents
Firmware upgrade tools that decide which NVM image should be uploaded to
the Thunderbolt controller need to access active parts of the NVM even
if they are not run as root. The information in active NVM is not
considered security critical so we can use the default permissions set
by the NVMem framework.

Writing the NVM image is still left as root only operation.

While there mark the active NVM as read-only in the filesystem.

Reported-by: Yehezkel Bernat <yehezkel.bernat@intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Andreas Noever <andreas.noever@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 15:55:08 +02:00
Stephen Hemminger 6463a4571c vmbus: re-enable channel tasklet
This problem shows up in 4.11 when netvsc driver is removed and reloaded.
The problem is that the channel is closed during module removal and the
tasklet for processing responses is disabled. When module is reloaded
the channel is reopened but the tasklet is marked as disabled.
The fix is to re-enable tasklet at the end of close which gets it back
to the initial state.

The issue is less urgent in 4.12 since network driver now uses NAPI
and not the tasklet; and other VMBUS devices are rarely unloaded/reloaded.

Fixes: dad72a1d28 ("vmbus: remove hv_event_tasklet_disable/enable")

Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 15:00:47 +02:00
Stephen Boyd eba9718ed2 spmi: pmic-arb: Always allocate ppid_to_apid table
After commit 7f1d4e58da ("spmi: pmic-arb: optimize table
lookups") we always need the ppid_to_apid table regardless of the
version of pmic arbiter we have. Otherwise, we will try to deref
the array when we don't allocate it on v2 hardware like the
msm8974 SoCs.

Cc: Abhijeet Dharmapurikar <adharmap@codeaurora.org>
Cc: Kiran Gunda <kgunda@codeaurora.org>
Fixes: 7f1d4e58da ("spmi: pmic-arb: optimize table lookups")
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Tested-by: Luca Weiss <luca@z3ntu.xyz>
Reviewed-by: Kiran Gunda <kgunda@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 15:00:47 +02:00
Stephen Boyd 6b71016e4b MAINTAINERS: Add entry for SPMI subsystem
I have the hardware and I've been reviewing SPMI patches when
they come on the list. Add myself as a reviewer in this area and
add the linux-arm-msm list because people subscribed there also
have the hardware.

Cc: Kiran Gunda <kgunda@codeaurora.org>
Cc: Abhijeet Dharmapurikar <adharmap@codeaurora.org>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Acked-by: Andy Gross <andy.gross@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 15:00:47 +02:00
Bjorn Andersson d50daa2af2 spmi: Include OF based modalias in device uevent
Include the OF-based modalias in the uevent sent when registering SPMI
devices, so that user space has a chance to autoload the kernel module
for the device.

Tested-by: Rob Clark <robdclark@gmail.com>
Reported-by: Rob Clark <robdclark@gmail.com>
Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 15:00:47 +02:00
Dan Carpenter 7c40b22f6f libceph: potential NULL dereference in ceph_msg_data_create()
If kmem_cache_zalloc() returns NULL then the INIT_LIST_HEAD(&data->links);
will Oops.  The callers aren't really prepared for NULL returns so it
doesn't make a lot of difference in real life.

Fixes: 5240d9f95d ("libceph: replace message data pointer with list")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2017-07-17 14:54:59 +02:00
Yan, Zheng 84583cfb97 ceph: fix race in concurrent readdir
For a large directory, program needs to issue multiple readdir
syscalls to get all dentries. When there are multiple programs
read the directory concurrently. Following sequence of events
can happen.

 - program calls readdir with pos = 2. ceph sends readdir request
   to mds. The reply contains N1 entries. ceph adds these N1 entries
   to readdir cache.
 - program calls readdir with pos = N1+2. The readdir is satisfied
   by the readdir cache, N2 entries are returned. (Other program
   calls readdir in the middle, which fills the cache)
 - program calls readdir with pos = N1+N2+2. ceph sends readdir
   request to mds. The reply contains N3 entries and it reaches
   directory end. ceph adds these N3 entries to the readdir cache
   and marks directory complete.

The second readdir call does not update fi->readdir_cache_idx.
ceph add the last N3 entries to wrong places.

Cc: stable@vger.kernel.org # v4.3+
Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2017-07-17 14:54:59 +02:00
Ilya Dryomov 914902af4f libceph: don't call encode_request_finish() on MOSDBackoff messages
encode_request_finish() is for MOSDOp messages.  Calling it on
MOSDBackoff ack-block messages corrupts them.

Fixes: a02a946dfe ("libceph: respect RADOS_BACKOFF backoffs")
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2017-07-17 14:54:59 +02:00
Ilya Dryomov f5cc689865 libceph: use alloc_pg_mapping() in __decode_pg_upmap_items()
... otherwise we die in insert_pg_mapping(), which wants pg->node to be
empty, i.e. initialized with RB_CLEAR_NODE.

Fixes: 6f428df47d ("libceph: pg_upmap[_items] infrastructure")
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2017-07-17 14:54:58 +02:00
Ilya Dryomov c2acfd95d0 libceph: set -EINVAL in one place in crush_decode()
No sooner than Dan had fixed this issue in commit 293dffaad8
("libceph: NULL deref on crush_decode() error path"), I brought it
back.  Add a new label and set -EINVAL once, right before failing.

Fixes: 278b1d709c ("libceph: ceph_decode_skip_* helpers")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2017-07-17 14:54:58 +02:00
Dan Carpenter 00c8ebb360 libceph: NULL deref on osdmap_apply_incremental() error path
There are hidden gotos in the ceph_decode_* macros.  We need to set the
"err" variable on these error paths otherwise we end up returning
ERR_PTR(0) which is NULL.  It causes NULL dereferences in the callers.

Fixes: 6f428df47d ("libceph: pg_upmap[_items] infrastructure")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
[idryomov@gmail.com: similar bug in osdmap_decode(), changelog tweak]
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2017-07-17 14:54:58 +02:00
Arnd Bergmann e67ae2b7b2 libceph: fix old style declaration warnings
The new macros don't follow the usual style for declarations,
which we get a warning for with 'make W=1':

In file included from fs/ceph/mds_client.c:16:0:
include/linux/ceph/ceph_features.h:74:1: error: 'static' is not at beginning of declaration [-Werror=old-style-declaration]

This moves the 'static' keyword to the front of the
declaration.

Fixes: f179d3ba8c ("libceph: new features macros")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2017-07-17 14:54:58 +02:00
Riley Andrews 00b40d6133 binder: Use wake up hint for synchronous transactions.
Use wake_up_interruptible_sync() to hint to the scheduler binder
transactions are synchronous wakeups. Disable preemption while waking
to avoid ping-ponging on the binder lock.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Omprakash Dhyade <odhyade@codeaurora.org>
Cc: stable <stable@vger.kernel.org> # 4.4+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 14:44:19 +02:00
Todd Kjos c4ea41ba19 binder: use group leader instead of open thread
The binder allocator assumes that the thread that
called binder_open will never die for the lifetime of
that proc. That thread is normally the group_leader,
however it may not be. Use the group_leader instead
of current.

Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org> # 4.4+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 14:44:19 +02:00
Todd Kjos a2b18708ee Revert "android: binder: Sanity check at binder ioctl"
This reverts commit a906d6931f.

The patch introduced a race in the binder driver. An attempt to fix the
race was submitted in "[PATCH v2] android: binder: fix dangling pointer
comparison", however the conclusion in the discussion for that patch
was that the original patch should be reverted.

The reversion is being done as part of the fine-grained locking
patchset since the patch would need to be refactored when
proc->vmm_vm_mm is removed from struct binder_proc and added
in the binder allocator.

Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org> # 4.6+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 14:44:19 +02:00
Fabio Estevam 3ee5447e8c tty: serial: lpuart: Fix the logic for detecting the 32-bit type UART
Commit 0d6fce9044 ("tty: serial: lpuart: introduce lpuart_soc_data to
represent SoC property") introduced a buggy logic for detecting the 32-bit
type UART since the condition: "if (sport->port.iotype & UPIO_MEM32BE)"
is always true.

Performing such bitfield AND operation is not correct, because in the
case of Vybrid UART iotype is UPIO_MEM (2), so:

UPIO_MEM & UPIO_MEM32BE = 010 & 110 = 010, which is true.

Such logic tells the driver to always treat the UART operations as 32-bit,
leading to the driver misbehavior on Vybrid.

Fix the 32-bit type detection logic to avoid UART breakage on Vybrid.

While at it, introduce a lpuart_is_32() function to help readability.

Fixes: 0d6fce9044 ("tty: serial: lpuart: introduce lpuart_soc_data to represent SoC property")
Reported-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Dong Aisheng <aisheng.dong@nxp.com>
Tested-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 14:14:24 +02:00
Ian Jamison 514ab34dba serial: imx: Prevent TX buffer PIO write when a DMA has been started
Function imx_transmit_buffer starts a TX DMA if DMA is enabled, since
commit 91a1a909f9 ("serial: imx: Support sw flow control in DMA mode").
It also carries on and attempts to write the same TX buffer using PIO.
This results in TX data corruption and double-incrementing xmit->tail
with the knock-on effect of tail passing head and a page of garbage
being sent out.

This seems to be triggered mostly when using RS485 half duplex on SMP
systems, but is probably not limited to just those.

Tested locally on an i.MX6Q with an RS485 half duplex transceiver on
UART3, and also by Clemens Gruber.

Tested-by: Clemens Gruber <clemens.gruber@pqgruber.com>
Signed-off-by: Ian Jamison <ian.dev@arkver.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 14:14:24 +02:00
Greg Kroah-Hartman 351ea50df5 Revert "serial: imx-serial - move DMA buffer configuration to DT"
This reverts commit a3015affdf as there
are complaints that it is incorrect.

Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Cc: Nandor Han <nandor.han@ge.com>
Cc: Romain Perier <romain.perier@collabora.com>
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
2017-07-17 13:48:58 +02:00
Michael Ellerman a70b487b07 powerpc/powernv: Fix boot on Power8 bare metal due to opal_configure_cores()
In commit 1c0eaf0f56 ("powerpc/powernv: Tell OPAL about our MMU mode
on POWER9"), we added additional flags to the OPAL call to configure
CPUs at boot.

These flags only work on Power9 firmwares, and worse can cause boot
failures on Power8 machines, so we check for CPU_FTR_ARCH_300 (aka POWER9)
before adding the extra flags.

Unfortunately we forgot that opal_configure_cores() is called before
the CPU feature checks are dynamically patched, meaning the check
always returns true.

We definitely need to do something to make the CPU feature checks less
prone to bugs like this, but for now the minimal fix is to use
early_cpu_has_feature().

Reported-and-tested-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Fixes: 1c0eaf0f56 ("powerpc/powernv: Tell OPAL about our MMU mode on POWER9")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-07-17 21:30:32 +10:00
Mateusz Jurczyk f55ce7b024 netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv
Verify that the length of the socket buffer is sufficient to cover the
nlmsghdr structure before accessing the nlh->nlmsg_len field for further
input sanitization. If the client only supplies 1-3 bytes of data in
sk_buff, then nlh->nlmsg_len remains partially uninitialized and
contains leftover memory from the corresponding kernel allocation.
Operating on such data may result in indeterminate evaluation of the
nlmsg_len < NLMSG_HDRLEN expression.

The bug was discovered by a runtime instrumentation designed to detect
use of uninitialized memory in the kernel. The patch prevents this and
other similar tools (e.g. KMSAN) from flagging this behavior in the future.

Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-07-17 13:27:46 +02:00
Dan Carpenter 4ab3c51e05 serial: sh-sci: Uninitialized variables in sysfs files
The kstrtol() function returns -ERANGE as well as -EINVAL so these tests
are not enough.  It's not a super serious bug, but my static checker
correctly complains that the "r" variable might be used uninitialized.

Fixes: 5d23188a47 ("serial: sh-sci: make RX FIFO parameters tunable via sysfs")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-17 13:19:19 +02:00