Commit Graph

648275 Commits

Author SHA1 Message Date
Linus Torvalds
c8b4ec8351 Two fscrypt bug fixes, one of which was unmasked by an update to the
crypto tree during the merge window.
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEEK2m5VNv+CHkogTfJ8vlZVpUNgaMFAlhrCIIACgkQ8vlZVpUN
 gaP0rAf8DehnxAXTdGwCDKJ76Xgkd4C0vYwNYsWrwbEsD6dMXPmfhDVA40ZefFWY
 4UQaPeoDSXQnIxw+6gi6LFCJeYs+dc9ZWHk++w5kEMclIUONomODDAQLMJbpG+5t
 pkEwOzjTaKbIQ5n4r3rMJtlBlrZX+ZVJmMt3sYAMWhIq7Bf7dRy6AC7+vyM5VTce
 AYvFpureLd7pJT0AcNvg5oPnXIFiPlKi6knlmAdJ32I4FQQO07aDA37mLPKdff4/
 uKs4PGKTa9MCGw+blMDJ/208kBQPPn8JZ7yGQCdGw16CUaoSXLregqu6SNs2MKaQ
 WjmBFyEUssScTeAq8rYJVlU7FYxwdQ==
 =VVfb
 -----END PGP SIGNATURE-----

Merge tag 'fscrypt-for-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/fscrypt

Pull fscrypt fixes from Ted Ts'o:
 "Two fscrypt bug fixes, one of which was unmasked by an update to the
  crypto tree during the merge window"

* tag 'fscrypt-for-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/fscrypt:
  fscrypt: fix renaming and linking special files
  fscrypt: fix the test_dummy_encryption mount option
2017-01-02 18:32:59 -08:00
Chanwoo Choi
32dd773169 PM / devfreq: exynos-bus: Fix the wrong return value
This patch fixes the wrong return value. If devfreq driver requires the wrong
and non-available governor, it is fail. So, this patch returns the error
insead of -EPROBE_DEFER.

Fixes: 403e0689d2 (PM / devfreq: exynos: Add support of bus frequency of sub-blocks using passive governor)
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2017-01-03 00:21:45 +01:00
Chanwoo Choi
73613b16cb PM / devfreq: Fix the bug of devfreq_add_device when governor is NULL
This patch fixes the bug of devfreq_add_device(). The devfreq device must
have the default governor. If find_devfreq_governor() returns error,
devfreq_add_device() fail to add the devfreq instance.

Fixes: 1b5c1be2c8 (PM / devfreq: map devfreq drivers to governor using name)
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2017-01-03 00:21:45 +01:00
Chanwoo Choi
9932ef3ca7 MAINTAINERS: Add myself as reviewer for DEVFREQ subsystem support
Add myself to the DEVFREQ entry as reviewer, I've been helping reviewing
and tesing the devfreq support patches for the couple of years. Also,
I'm going to contribute the improvement for devfreq subsystem. It would
be easier for me for review if I'm cc'ed for patches.

Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2017-01-03 00:21:45 +01:00
Rafael J. Wysocki
6e092c8c04 PM / docs: Drop confusing kernel-doc references from infrastructure.rst
The references to drivers/base/power/main.c and
drivers/acpi/scan.c from Documentation/driver-api/infrastructure.rst
are confusing.  They both cause descriptions of functions that are
not relevant to device drivers at all to be generated and none of
them is sufficient to cover the API in a meaningful way.

Drop them for now.

Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Acked-by: Jonathan Corbet <corbet@lwn.net>
2017-01-03 00:07:09 +01:00
Rafael J. Wysocki
c2a6bbaf0c ACPI / scan: Prefer devices without _HID/_CID for _ADR matching
The way acpi_find_child_device() works currently is that, if there
are two (or more) devices with the same _ADR value in the same
namespace scope (which is not specifically allowed by the spec and
the OS behavior in that case is not defined), the first one of them
found to be present (with the help of _STA) will be returned.

This covers the majority of cases, but is not sufficient if some of
the devices in question have a _HID (or _CID) returning some valid
ACPI/PNP device IDs (which is disallowed by the spec) and the
ASL writers' expectation appears to be that the OS will match
devices without a valid ACPI/PNP device ID against a given bus
address first.

To cover this special case as well, modify find_child_checks()
to prefer devices without ACPI/PNP device IDs over devices that
have them.

Suggested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Tested-by: Hans de Goede <hdegoede@redhat.com>
2017-01-02 22:21:59 +01:00
Alexander Alemayhu
4e5da369df Documentation/networking: fix typo in mpls-sysctl
s/utliziation/utilization

Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-01-02 15:49:08 -05:00
Linus Torvalds
da28756736 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
Pull HID fixes from Jiri Kosina:

 - regression fix (caused by me applying a wrong version of patch) for
   sensor-hub driver, from Srinivas Pandruvada

 - hid-sony fixes (mostly related to DS4 device) from Roderick
   Colenbrander

 - three device-specific quirks-fixes from Alex Wood, Brendan McGrath
   and Marcel Hasler

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: sensor-hub: Move the memset to sensor_hub_get_feature()
  HID: usbhid: Add quirk for Mayflash/Dragonrise DolphinBar.
  HID: usbhid: Add quirk for the Futaba TOSD-5711BB VFD
  HID: sony: Ignore DS4 dongle reports when no device is connected
  HID: sony: Use DS4 MAC address as unique identifier on USB
  HID: sony: Fix error handling bug when touchpad registration fails
  HID: asus: Fix keyboard support
2017-01-02 12:42:50 -08:00
Michael Walle
e9572fdd13 hwmon: (lm90) fix temp1_max_alarm attribute
Since commit commit eb1c8f4325 ("hwmon: (lm90) Convert to use new hwmon
registration API") the temp1_max_alarm and temp1_crit_alarm attributes are
mapped to the same alarm bit. Fix the typo.

Fixes: eb1c8f4325 ("hwmon: (lm90) Convert to use new hwmon registration API")
Signed-off-by: Micehael Walle <michael@walle.cc>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2017-01-02 10:15:28 -08:00
Michal Tesar
7ababb7826 igmp: Make igmp group member RFC 3376 compliant
5.2. Action on Reception of a Query

 When a system receives a Query, it does not respond immediately.
 Instead, it delays its response by a random amount of time, bounded
 by the Max Resp Time value derived from the Max Resp Code in the
 received Query message.  A system may receive a variety of Queries on
 different interfaces and of different kinds (e.g., General Queries,
 Group-Specific Queries, and Group-and-Source-Specific Queries), each
 of which may require its own delayed response.

 Before scheduling a response to a Query, the system must first
 consider previously scheduled pending responses and in many cases
 schedule a combined response.  Therefore, the system must be able to
 maintain the following state:

 o A timer per interface for scheduling responses to General Queries.

 o A per-group and interface timer for scheduling responses to Group-
   Specific and Group-and-Source-Specific Queries.

 o A per-group and interface list of sources to be reported in the
   response to a Group-and-Source-Specific Query.

 When a new Query with the Router-Alert option arrives on an
 interface, provided the system has state to report, a delay for a
 response is randomly selected in the range (0, [Max Resp Time]) where
 Max Resp Time is derived from Max Resp Code in the received Query
 message.  The following rules are then used to determine if a Report
 needs to be scheduled and the type of Report to schedule.  The rules
 are considered in order and only the first matching rule is applied.

 1. If there is a pending response to a previous General Query
    scheduled sooner than the selected delay, no additional response
    needs to be scheduled.

 2. If the received Query is a General Query, the interface timer is
    used to schedule a response to the General Query after the
    selected delay.  Any previously pending response to a General
    Query is canceled.
--8<--

Currently the timer is rearmed with new random expiration time for
every incoming query regardless of possibly already pending report.
Which is not aligned with the above RFE.
It also might happen that higher rate of incoming queries can
postpone the report after the expiration time of the first query
causing group membership loss.

Now the per interface general query timer is rearmed only
when there is no pending report already scheduled on that interface or
the newly selected expiration time is before the already pending
scheduled report.

Signed-off-by: Michal Tesar <mtesar@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-01-02 13:01:03 -05:00
Ian Kumlien
d0af683407 flow_dissector: Update pptp handling to avoid null pointer deref.
__skb_flow_dissect can be called with a skb or a data packet, either
can be NULL. All calls seems to have been moved to __skb_header_pointer
except the pptp handling which is still calling skb_header_pointer.

skb_header_pointer will use skb->data and thus:
[  109.556866] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
[  109.557102] IP: [<ffffffff88dc02f8>] __skb_flow_dissect+0xa88/0xce0
[  109.557263] PGD 0
[  109.557338]
[  109.557484] Oops: 0000 [#1] SMP
[  109.557562] Modules linked in: chaoskey
[  109.557783] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.9.0 #79
[  109.557867] Hardware name: Supermicro A1SRM-LN7F/LN5F/A1SRM-LN7F-2758, BIOS 1.0c 11/04/2015
[  109.557957] task: ffff94085c27bc00 task.stack: ffffb745c0068000
[  109.558041] RIP: 0010:[<ffffffff88dc02f8>]  [<ffffffff88dc02f8>] __skb_flow_dissect+0xa88/0xce0
[  109.558203] RSP: 0018:ffff94087fc83d40  EFLAGS: 00010206
[  109.558286] RAX: 0000000000000130 RBX: ffffffff8975bf80 RCX: ffff94084fab6800
[  109.558373] RDX: 0000000000000010 RSI: 000000000000000c RDI: 0000000000000000
[  109.558460] RBP: 0000000000000b88 R08: 0000000000000000 R09: 0000000000000022
[  109.558547] R10: 0000000000000008 R11: ffff94087fc83e04 R12: 0000000000000000
[  109.558763] R13: ffff94084fab6800 R14: ffff94087fc83e04 R15: 000000000000002f
[  109.558979] FS:  0000000000000000(0000) GS:ffff94087fc80000(0000) knlGS:0000000000000000
[  109.559326] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  109.559539] CR2: 0000000000000080 CR3: 0000000281809000 CR4: 00000000001026e0
[  109.559753] Stack:
[  109.559957]  000000000000000c ffff94084fab6822 0000000000000001 ffff94085c2b5fc0
[  109.560578]  0000000000000001 0000000000002000 0000000000000000 0000000000000000
[  109.561200]  0000000000000000 0000000000000000 0000000000000000 0000000000000000
[  109.561820] Call Trace:
[  109.562027]  <IRQ>
[  109.562108]  [<ffffffff88dfb4fa>] ? eth_get_headlen+0x7a/0xf0
[  109.562522]  [<ffffffff88c5a35a>] ? igb_poll+0x96a/0xe80
[  109.562737]  [<ffffffff88dc912b>] ? net_rx_action+0x20b/0x350
[  109.562953]  [<ffffffff88546d68>] ? __do_softirq+0xe8/0x280
[  109.563169]  [<ffffffff8854704a>] ? irq_exit+0xaa/0xb0
[  109.563382]  [<ffffffff8847229b>] ? do_IRQ+0x4b/0xc0
[  109.563597]  [<ffffffff8902d4ff>] ? common_interrupt+0x7f/0x7f
[  109.563810]  <EOI>
[  109.563890]  [<ffffffff88d57530>] ? cpuidle_enter_state+0x130/0x2c0
[  109.564304]  [<ffffffff88d57520>] ? cpuidle_enter_state+0x120/0x2c0
[  109.564520]  [<ffffffff8857eacf>] ? cpu_startup_entry+0x19f/0x1f0
[  109.564737]  [<ffffffff8848d55a>] ? start_secondary+0x12a/0x140
[  109.564950] Code: 83 e2 20 a8 80 0f 84 60 01 00 00 c7 04 24 08 00
00 00 66 85 d2 0f 84 be fe ff ff e9 69 fe ff ff 8b 34 24 89 f2 83 c2
04 66 85 c0 <41> 8b 84 24 80 00 00 00 0f 49 d6 41 8d 31 01 d6 41 2b 84
24 84
[  109.569959] RIP  [<ffffffff88dc02f8>] __skb_flow_dissect+0xa88/0xce0
[  109.570245]  RSP <ffff94087fc83d40>
[  109.570453] CR2: 0000000000000080

Fixes: ab10dccb11 ("rps: Inspect PPTP encapsulated by GRE to get flow hash")
Signed-off-by: Ian Kumlien <ian.kumlien@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-01-02 12:53:34 -05:00
David S. Miller
94ba998b63 A single fix to avoid loading an skb->cb pointer too early.
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCgAGBQJYamWkAAoJEGt7eEactAAdVHwP/j12GsQyQQtJdGWW5e/mS5LD
 UMgPH93VQeSbSCobu2ik3zPQCB0A1k6RlOdeeoD+wnI6FDWQ7S5bkQCLJX1d4dJW
 XwAPTUoZaZ0Q50ETENtICs6eB+qq/F04+a+QGdISJTJhsUxOkmHeCnMh9veOcyEy
 qr+zXAMjwlCujk2Hye5kMh6dbYWVy2CoByCLp054OSPipXZgQKzME+YPaLZjSq85
 +/kC3IGKafrAkMPbZLbcXWuUOvdHqrmvC79xF/BfLpB7tKQyPVksnB294ptylAKa
 1XHDCKN8j/iVpNcAz4LBsFNz9aySRWwy3vdmpUKXo2wCV8LaGUAppALnlzeHnPWD
 6vJ0MfuaV5kEve6EBQOmnMR8sgaQzZd+zXush9Jk4V+vf85d6+URVdeV41fQQy7D
 9SpwbupbUEiYwqyAdT2xPjAIXijUmuLAAnX/h4LbuEM0YVWlhXD8KlMWLBmd6+2x
 WMKxygnzeEiYC3rEmcx4fcpw+62bpj7NpkfBRdoR/Zr8zqiW1lRPcjNXtycjpDan
 iQSqsEhAKwgadDitghxNgItX/ihu4rleyPovy2dElEP/CANtlPMUglMNmIUfmnGc
 D3tCIjqCWgbU9CHVZHfxr9mt/5XcbcDoU7TDSQboQTt80bqiaAqj8ZL03/ZUnVj6
 jzmNxfgm+GQq/GeU9dDl
 =EkBc
 -----END PGP SIGNATURE-----

Merge tag 'mac80211-for-davem-2017-01-02' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211

Johannes Berg says:

====================
A single fix to avoid loading an skb->cb pointer too early.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-01-02 12:28:00 -05:00
Linus Torvalds
74e5c265a4 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 fixes from Martin Schwidefsky:
 "Two bug fixes for 4.10-rc3"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/kbuild: enable modversions for symbols exported from asm
  s390/vtime: correct system time accounting
2017-01-02 09:08:45 -08:00
Helge Deller
b4a9eb4cd5 parisc: Add line-break when printing segfault info
Add a leading line break else printed line gets too long.

Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v4.9
2017-01-02 18:07:25 +01:00
Linus Torvalds
71a332e560 Openrisc more fixes for 4.10
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJYabV5AAoJEMOzHC1eZifkNkoP+QHJFQfHUknblNLJ2uA9qGQB
 7q0d79XA4b6R+keaJ8Qw/Vywiq2KtfUU9R2Fa/7kAlexx51Bu65i233v4mTb2K3d
 rm2o/BgCVFL1ELrCKp9z2ClmUE0CDwtt84vKahare1efywkxnmzg9gY/DYGDHwMk
 dB/i133CDos09WMdSQuxm9pm8Xp/FJjR8LGrvw05Pp0cxVQEIzh5WaJ4BrsJf0uh
 T8xeyERchphID1uEMzDBLXV+PI29ad4inr2+PzRqHhqDj3GfUIUZLPJ/8AZ4/AVP
 qsKge6T8A5s5O7YRRVwpwzXUSqGlafLHpFXIyOeb9utJzEnxyQ9/r+DyyDJitH+H
 yGoj5MD34e4CLlyLJjON1xmb0Px6tt7vl4JJprdgavVT8fUQsh5mqTYCpmvpyXYc
 b+jnx68POFpX/ZnpOMXi3W+6mbzWxAmPHo2TNoIYWd6K2X2geubbY+/T/EBDdsA6
 H9C2ZODsKlaPFMIDzhBAiY8wU6/TQ7kd1/8YZK1uMWC0rym6EDSSCqQie1gUMt4P
 D1ngamTDklgLmrBqP7C5n+6ASRxie9VU0ZrM5UBIyI/XhU4t9zxtXM0MOAKLGpB9
 CLTkxN3T04yyw0SbFANsunS3DbQ3/IUs+oZDCMzDxKfJpoWpcGI4YcLF/RjaOUN9
 XxsDL3pBVVzGrnzUQw4R
 =iHr1
 -----END PGP SIGNATURE-----

Merge tag 'openrisc-for-linus' of git://github.com/openrisc/linux

Pull Openrisc fix from Stafford Horne:
 "There was nothing much interesting here except a build fix pointed out
  by the test robots. Highlight:

   - Defined _text symbol to fix build error"

* tag 'openrisc-for-linus' of git://github.com/openrisc/linux:
  openrisc: Add _text symbol to fix ksym build error
2017-01-02 09:00:59 -08:00
Bart Van Assche
9eca53508a block: Avoid that sparse complains about context imbalance in __wbt_wait()
This patch does not change any functionality.

Fixes: e34cbd3074 ("blk-wbt: add general throttling mechanism")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
2017-01-02 09:48:47 -07:00
Bjorn Andersson
542b9f0759 ARM: dts: qcom: apq8064: Add missing scm clock
As per the device tree binding the apq8064 scm node requires the core
clock to be specified, so add this.

Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Andy Gross <andy.gross@linaro.org>
2017-01-02 10:47:10 -06:00
Bart Van Assche
f2e0a0b292 block: Make wbt_wait() definition consistent with declaration
Fixes: e34cbd3074 ("blk-wbt: add general throttling mechanism")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
2017-01-02 09:46:15 -07:00
Chandan Rajendra
6c006a9d94 clean_bdev_aliases: Prevent cleaning blocks that are not in block range
The first block to be cleaned may start at a non-zero page offset. In
such a scenario clean_bdev_aliases() will end up cleaning blocks that
do not fall in the range of blocks to be cleaned. This commit fixes the
issue by skipping blocks that do not fall in valid block range.

Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Eryu Guan <eguan@redhat.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
2017-01-02 09:35:14 -07:00
Greg Kroah-Hartman
890b73af6b First round of IIO fixes for the 4.10 cycle.
* 104-quad-8
   - Fix selecting wrong register when the index control register is desired.
   - Fix an off by one error when addressing the input/output control register.
   - Fix inverted logic on the active high / low control
 * bmi160
   - Sleep for worst case rather than best case amount of time after cmd
   execution begins.
 * max44000
   - typo fix in illuminance_integration_time_available listing.
 * st-sensors
   - Fix channel data passing.  This one took a while to get tested on 24bit
   parts. Definitely one for stable asap as the bug broke quite a few parts.
   - lis3lv02 needs a data alignment bit set and the scaling was wrong.
 * ti_am335x
   - depend on HAS_DMA
 -----BEGIN PGP SIGNATURE-----
 
 iQJFBAABCAAvFiEEbilms4eEBlKRJoGxVIU0mcT0FogFAlhnxPERHGppYzIzQGtl
 cm5lbC5vcmcACgkQVIU0mcT0Fojkwg//TD9jlh6x/Xt7qi0EgC1c8Ie0Dr6iUsQr
 gYgvVMtIsjSlThXGtLWxjDLzLeW1DUpxwjy9Kqnwt5onBgBnQj5PAL/lptH7/e6z
 hxj6lXvz5j1pcjjyXzhMa4JPIZJUU75Jj4airhGoHdvTFQDzqKr9GpLKUnrf4lwt
 HWFtCcT90ckhg/PTTaxfIhI4gEHBHoVx9h1/3Tn4VImhE693rLPSs1nS7+hEQIn2
 LZbCMAtxMh3qcCIK9fYrri3e+28KJ7veiWE8mYynxBd6Wa6OGq/D316Ml616mRgZ
 3SpyDWy05YtM4nVNi1kFwKTHb3v6Ljeyno0lmP0joJlIGLwHJS1qDGL0Wps6RI87
 utrfcZKOI2hcoFm49OMYdV3MJ18umGo0asOFMlH6u0RaLXXAz7hN1l9nyB5VzejT
 8culF/8XgNYuzFhkD65Ecksoz0azfMwXphwyPm3WEt1EE5meMeXt6bVsfI+8vyhp
 e/TfhloVfLUobau5yF2C+ih7xrHkVta+f860jqCkiHqngUgzksLoah53mA2Wh36f
 2+D6RbEFEo6Fx4DoELm55CZKpVFv9Ia1ICkg2kuJCFBXL8aTAAYmyphyPDccXGSs
 G2DZCAUjJ1sP7xPVMGuLD7A/IvggUDbs8m0i2sVq4JRZVLRfBW9khjGaCmjOAWBY
 ijWzzZtUywo=
 =aYfF
 -----END PGP SIGNATURE-----

Merge tag 'iio-fixes-for-4.10a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus

Jonathan writes:

First round of IIO fixes for the 4.10 cycle.

* 104-quad-8
  - Fix selecting wrong register when the index control register is desired.
  - Fix an off by one error when addressing the input/output control register.
  - Fix inverted logic on the active high / low control
* bmi160
  - Sleep for worst case rather than best case amount of time after cmd
  execution begins.
* max44000
  - typo fix in illuminance_integration_time_available listing.
* st-sensors
  - Fix channel data passing.  This one took a while to get tested on 24bit
  parts. Definitely one for stable asap as the bug broke quite a few parts.
  - lis3lv02 needs a data alignment bit set and the scaling was wrong.
* ti_am335x
  - depend on HAS_DMA
2017-01-02 16:59:44 +01:00
Srinivas Pandruvada
143fca77cc HID: sensor-hub: Move the memset to sensor_hub_get_feature()
While applying patch d443a0aa3a: "HID: hid-sensor-hub: clear memory to
avoid random data", there was some issues in applying correct version of
the patch. This resulted in the breakage of sensor functions as all
request like power-up will be reset by the memset() in the function
sensor_hub_set_feature().
The reset of caller buffer should be in the function
sensor_hub_get_feature(), not in the sensor_hub_set_feature().

Fixes: d443a0aa3a ("HID: hid-sensor-hub: clear memory to avoid random data")
Cc: Stable <stable@vger.kernel.org> # 4.9+
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2017-01-02 14:01:30 +01:00
Marcel Hasler
8aa2cc7e74 HID: usbhid: Add quirk for Mayflash/Dragonrise DolphinBar.
The DolphinBar by Mayflash (identified as Dragonrise) needs
HID_QUIRK_MULTI_INPUT to split it up into four input devices. Without this
quirk the adapter is falsely recognized as a tablet. See also bug 115841
(https://bugzilla.kernel.org/show_bug.cgi?id=115841).

Signed-off-by: Marcel Hasler <mahasler@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2017-01-02 13:20:54 +01:00
Alex Wood
f83f90cf7b HID: usbhid: Add quirk for the Futaba TOSD-5711BB VFD
The Futaba TOSD-5711BB VFD crashes when the initial HID report is requested,
register the display in hid-ids and tell hid-quirks to not do the init.

Signed-off-by: Alex Wood <thetewood@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2017-01-02 13:19:05 +01:00
Alexandre Bailon
d1df1e01af ARM: davinci: da8xx: Fix sleeping function called from invalid context
Everytime the usb20 phy is enabled, there is a
"sleeping function called from invalid context" BUG.
In addition, there is a recursive locking happening
because of the recurse call to clk_enable().

clk_enable() from arch/arm/mach-davinci/clock.c uses
spin_lock_irqsave() before to invoke the callback
usb20_phy_clk_enable(). usb20_phy_clk_enable() uses
clk_get() and clk_enable_prepapre() which may sleep.

Replace clk_prepare_enable() by davinci_clk_enable().

Signed-off-by: Alexandre Bailon <abailon@baylibre.com>
Suggested-by: David Lechner <david@lechnology.com>
[nsekhar@ti.com: minor commit description adjustment]
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
2017-01-02 16:15:07 +05:30
Alexandre Bailon
48cd30b495 ARM: davinci: Make __clk_{enable,disable} functions public
In some cases, there is a need to enable a clock as part of
clock enable callback of a different clock. For example, USB
2.0 PHY clock enable requires USB 2.0 clock to be enabled.
In this case, it is safe to instead call __clk_enable()
since the clock framework lock is already taken. Calling
clk_enable() causes recursive locking error.

A similar case arises in the clock disable path.

To enable such usage, make __clk_{enable,disable} functions
publicly available outside of clock.c. Also, call them
davinci_clk_{enable|disable} now to be consistent with how
other davinci-specific clock functions are named.

Note that these functions are not exported to drivers. They
are meant for usage in platform specific clock management
code.

Signed-off-by: Alexandre Bailon <abailon@baylibre.com>
Suggested-by: David Lechner <david@lechnology.com>
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
2017-01-02 16:10:42 +05:30
Johannes Berg
35f432a03e mac80211: initialize fast-xmit 'info' later
In ieee80211_xmit_fast(), 'info' is initialized to point to the skb
that's passed in, but that skb may later be replaced by a clone (if
it was shared), leading to an invalid pointer.

This can lead to use-after-free and also later crashes since the
real SKB's info->hw_queue doesn't get initialized properly.

Fix this by assigning info only later, when it's needed, after the
skb replacement (may have) happened.

Cc: stable@vger.kernel.org
Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-01-02 11:28:25 +01:00
Geert Uytterhoeven
4271576316 USB: serial: f81534: detect errors from f81534_logic_to_phy_port()
With gcc 4.1.2:

    drivers/usb/serial/f81534.c: In function ‘f81534_port_probe’:
    drivers/usb/serial/f81534.c:1250: warning: comparison is always false due to limited range of data type

f81534_logic_to_phy_port() may return a negative error value, which is
ignored by assigning it to u8 f81534_port_private.phy_num.

Use an intermediate variable of type int to fix this.
While at it, forward the actual error code instead of converting it to
-ENODEV, and drop the useless check for F81534_NUM_PORT, as the callee
always returns a valid port number in case of success.

Fixes: 0c9bd6004d ("USB: serial: add Fintek F81532/534 driver")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2017-01-02 10:31:08 +01:00
Bartosz Golaszewski
ef37427ac5 ARM: davinci: da850: don't add emac clock to lookup table twice
Similarly to the aemif clock - this screws up the linked list of clock
children. Create a separate clock for mdio inheriting the rate from
emac_clk.

Cc: <stable@vger.kernel.org> # 3.12.x-
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
[nsekhar@ti.com: add a comment over mdio_clk to explaing its existence +
		 commit headline updates]
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
2017-01-02 14:37:18 +05:30
Bartosz Golaszewski
5d45b011c1 ARM: davinci: da850: fix infinite loop in clk_set_rate()
The aemif clock is added twice to the lookup table in da850.c. This
breaks the children list of pll0_sysclk3 as we're using the same list
links in struct clk. When calling clk_set_rate(), we get stuck in
propagate_rate().

Create a separate clock for nand, inheriting the rate of the aemif
clock and retrieve it in the davinci_nand module.

Cc: <stable@vger.kernel.org> # 4.9.x
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
2017-01-02 14:37:18 +05:30
Felix Hädicke
7b01738112 usb: gadget: udc: core: fix return code of usb_gadget_probe_driver()
This fixes a regression which was introduced by commit f1bddbb, by
reverting a small fragment of commit 855ed04.

If the following conditions were met, usb_gadget_probe_driver() returned
0, although the call was unsuccessful:
1. A particular UDC was specified by thge gadget driver (using member
"udc_name" of struct usb_gadget_driver).
2. The UDC with this name is available.
3. Another gadget driver is already bound to this gadget.
4. The gadget driver has the "match_existing_only" flag set.
In this case, the return code variable "ret" is set to 0, the return
code of a strcmp() call (to check for the second condition).

This also fixes an oops which could occur in the following scenario:
1. Two usb gadget instances were configured using configfs.
2. The first gadget configuration was bound to a UDC (using the configfs
attribute "UDC").
3. It was tried to bind the second gadget configuration to the same UDC
in the same way. This operation was then wrongly reported as being
successful.
4. The second gadget configuration's "UDC" attribute is cleared, to
unbind the (not really bound) second gadget configuration from the UDC.

<BUG: unable to handle kernel NULL pointer dereference
at           (null)
IP: [<ffffffff94f5e5e9>] __list_del_entry+0x29/0xc0
PGD 41b4c5067
PUD 41a598067
PMD 0

Oops: 0000 [#1] SMP
Modules linked in: cdc_acm usb_f_fs usb_f_serial
usb_f_acm u_serial libcomposite configfs dummy_hcd bnep intel_rapl
x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm
snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper
ablk_helper cryptd snd_hda_codec_realtek snd_hda_codec_generic serio_raw
uvcvideo videobuf2_vmalloc btusb snd_usb_audio snd_hda_intel
videobuf2_memops btrtl snd_hda_codec snd_hda_core snd_usbmidi_lib btbcm
videobuf2_v4l2 btintel snd_hwdep videobuf2_core snd_seq_midi bluetooth
snd_seq_midi_event videodev xpad efi_pstore snd_pcm_oss rfkill joydev
media crc16 ff_memless snd_mixer_oss snd_rawmidi nls_ascii snd_pcm
snd_seq snd_seq_device nls_cp437 mei_me snd_timer vfat sg udc_core
lpc_ich fat
efivars mfd_core mei snd soundcore battery nuvoton_cir rc_core evdev
intel_smartconnect ie31200_edac edac_core shpchp tpm_tis tpm_tis_core
tpm parport_pc ppdev lp parport efivarfs autofs4 btrfs xor raid6_pq
hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid uas
usb_storage sr_mod cdrom sd_mod ahci libahci nouveau i915 crc32c_intel
i2c_algo_bit psmouse ttm xhci_pci libata scsi_mod ehci_pci
drm_kms_helper xhci_hcd ehci_hcd r8169 mii usbcore drm nvme nvme_core
fjes button [last unloaded: net2280]
CPU: 5 PID: 829 Comm: bash Not tainted 4.9.0-rc7 #1
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77
Extreme3, BIOS P1.50 07/11/2013
task: ffff880419ce4040 task.stack: ffffc90002ed4000
RIP: 0010:[<ffffffff94f5e5e9>]  [<ffffffff94f5e5e9>]
__list_del_entry+0x29/0xc0
RSP: 0018:ffffc90002ed7d68  EFLAGS: 00010207
RAX: 0000000000000000 RBX: ffff88041787ec30 RCX: dead000000000200
RDX: 0000000000000000 RSI: ffff880417482002 RDI: ffff88041787ec30
RBP: ffffc90002ed7d68 R08: 0000000000000000 R09: 0000000000000010
R10: 0000000000000000 R11: ffff880419ce4040 R12: ffff88041787eb68
R13: ffff88041787eaa8 R14: ffff88041560a2c0 R15: 0000000000000001
FS:  00007fe4e49b8700(0000) GS:ffff88042f340000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000041b4c4000 CR4: 00000000001406e0
Stack:
ffffc90002ed7d80 ffffffff94f5e68d ffffffffc0ae5ef0 ffffc90002ed7da0
ffffffffc0ae22aa ffff88041787e800 ffff88041787e800 ffffc90002ed7dc0
ffffffffc0d7a727 ffffffff952273fa ffff88041aba5760 ffffc90002ed7df8
Call Trace:
[<ffffffff94f5e68d>] list_del+0xd/0x30
[<ffffffffc0ae22aa>] usb_gadget_unregister_driver+0xaa/0xc0 [udc_core]
[<ffffffffc0d7a727>] unregister_gadget+0x27/0x60 [libcomposite]
[<ffffffff952273fa>] ? mutex_lock+0x1a/0x30
[<ffffffffc0d7a9b8>] gadget_dev_desc_UDC_store+0x88/0xe0 [libcomposite]
[<ffffffffc0af8aa0>] configfs_write_file+0xa0/0x100 [configfs]
[<ffffffff94e10d27>] __vfs_write+0x37/0x160
[<ffffffff94e31430>] ? __fd_install+0x30/0xd0
[<ffffffff95229dae>] ? _raw_spin_unlock+0xe/0x10
[<ffffffff94e11458>] vfs_write+0xb8/0x1b0
[<ffffffff94e128f8>] SyS_write+0x58/0xc0
[<ffffffff94e31594>] ? __close_fd+0x94/0xc0
[<ffffffff9522a0fb>] entry_SYSCALL_64_fastpath+0x1e/0xad
Code: 66 90 55 48 8b 07 48 b9 00 01 00 00 00 00 ad de 48 8b 57 08 48 89
e5 48 39 c8 74 29 48 b9 00 02 00 00 00 00 ad de 48 39 ca 74 3a <4c> 8b
02 4c 39 c7 75 52 4c 8b 40 08 4c 39 c7 75 66 48 89 50 08
RIP  [<ffffffff94f5e5e9>] __list_del_entry+0x29/0xc0
RSP <ffffc90002ed7d68>
CR2: 0000000000000000
---[ end trace 99fc090ab3ff6cbc ]---

Fixes: f1bddbb ("usb: gadget: Fix binding to UDC via configfs
interface")
Signed-off-by: Felix Hädicke <felixhaedicke@web.de>
Tested-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:29 +02:00
Heikki Krogerus
8f8983a568 usb: dwc3: pci: add Intel Gemini Lake PCI ID
Intel Gemini Lake SoC has the same DWC3 than Broxton. Add
the new ID to the supported Devices.

Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Marek Szyprowski
86e881e7d7 usb: dwc2: fix flags for DMA descriptor allocation in dwc2_hsotg_ep_enable
dwc2_hsotg_ep_enable can be called from interrupt context, so all
allocations should be done with GFP_ATOMIC flags. This fixes following
issue on ARM architecture:

[<c010d830>] (unwind_backtrace) from [<c010a51c>] (show_stack+0x10/0x14)
[<c010a51c>] (show_stack) from [<c032930c>] (dump_stack+0x74/0x94)
[<c032930c>] (dump_stack) from [<c011cd30>] (__warn+0xd4/0x100)
[<c011cd30>] (__warn) from [<c011cd7c>] (warn_slowpath_null+0x20/0x28)
[<c011cd7c>] (warn_slowpath_null) from [<c0187e04>] (smp_call_function_many+0xcc/0x2a4)
[<c0187e04>] (smp_call_function_many) from [<c0188014>] (on_each_cpu_mask+0x38/0xa8)
[<c0188014>] (on_each_cpu_mask) from [<c01ddfe0>] (start_isolate_page_range+0x134/0x1b8)
[<c01ddfe0>] (start_isolate_page_range) from [<c01a3c14>] (alloc_contig_range+0xac/0x2f8)
[<c01a3c14>] (alloc_contig_range) from [<c01de3e4>] (cma_alloc+0xe0/0x1a8)
[<c01de3e4>] (cma_alloc) from [<c0110acc>] (__alloc_from_contiguous+0x38/0xe0)
[<c0110acc>] (__alloc_from_contiguous) from [<c0110ba4>] (cma_allocator_alloc+0x30/0x38)
[<c0110ba4>] (cma_allocator_alloc) from [<c0111034>] (__dma_alloc+0x1c0/0x2c8)
[<c0111034>] (__dma_alloc) from [<c01111b4>] (arm_dma_alloc+0x3c/0x48)
[<c01111b4>] (arm_dma_alloc) from [<c04ad800>] (dwc2_hsotg_ep_enable+0xec/0x46c)
[<c04ad800>] (dwc2_hsotg_ep_enable) from [<c04da610>] (usb_ep_enable+0x2c/0x3c)
[<c04da610>] (usb_ep_enable) from [<c04dc0c0>] (ecm_set_alt+0xa8/0x154)
[<c04dc0c0>] (ecm_set_alt) from [<c04d678c>] (composite_setup+0xd74/0x1540)
[<c04d678c>] (composite_setup) from [<c04ae048>] (dwc2_hsotg_complete_setup+0xb8/0x370)
[<c04ae048>] (dwc2_hsotg_complete_setup) from [<c04d987c>] (usb_gadget_giveback_request+0xc/0x10)
[<c04d987c>] (usb_gadget_giveback_request) from [<c04acafc>] (dwc2_hsotg_complete_request+0x78/0x128)
[<c04acafc>] (dwc2_hsotg_complete_request) from [<c04aed28>] (dwc2_hsotg_epint+0x69c/0x81c)
[<c04aed28>] (dwc2_hsotg_epint) from [<c04af6c4>] (dwc2_hsotg_irq+0xfc/0x748)
[<c04af6c4>] (dwc2_hsotg_irq) from [<c0163264>] (__handle_irq_event_percpu+0x58/0x140)
[<c0163264>] (__handle_irq_event_percpu) from [<c0163368>] (handle_irq_event_percpu+0x1c/0x58)
[<c0163368>] (handle_irq_event_percpu) from [<c01633dc>] (handle_irq_event+0x38/0x5c)
[<c01633dc>] (handle_irq_event) from [<c01666e4>] (handle_fasteoi_irq+0xc4/0x19c)
[<c01666e4>] (handle_fasteoi_irq) from [<c0162a2c>] (generic_handle_irq+0x18/0x28)
[<c0162a2c>] (generic_handle_irq) from [<c0162b40>] (__handle_domain_irq+0x6c/0xe4)
[<c0162b40>] (__handle_domain_irq) from [<c0101470>] (gic_handle_irq+0x50/0x9c)
[<c0101470>] (gic_handle_irq) from [<c010b00c>] (__irq_svc+0x6c/0xa8)

Fixes: 5f54c54b0b ("usb: dwc2: gadget: Add DDMA chain pointers to
	dwc2_hsotg_ep structure")
Acked-by: John Youn <johnyoun@synopsys.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
John Youn
0eae2fde16 usb: dwc3: pci: Add "linux,sysdev_is_parent" property
Calling platform_device_add_properties() replaces existing properties so
the "linux,sysdev_is_parent" property doesn't get set. Add this property
to each platform.

Fixes: d64ff406e5 ("usb: dwc3: use bus->sysdev for DMA configuration")
Signed-off-by: John Youn <johnyoun@synopsys.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Grygorii Strashko
12a7f17fac usb: dwc3: omap: fix race of pm runtime with irq handler in probe
Now races can happen between interrupt handler execution and PM runtime in
error handling code path in probe and in dwc3_omap_remove() which will lead
to system crash:

in probe:
...
 err1:
	pm_runtime_put_sync(dev);
^^ PM runtime can race with IRQ handler when deferred probing happening
   due to extcon
	pm_runtime_disable(dev);

	return ret;

in dwc3_omap_remove:
...
	dwc3_omap_disable_irqs(omap);
^^ IRQs are disabled in HW, but handler may still run
	of_platform_depopulate(omap->dev);
	pm_runtime_put_sync(&pdev->dev);
^^ PM runtime can race with IRQ handler
	pm_runtime_disable(&pdev->dev);

	return 0;

So, OMAP DWC3 IRQ need to be disabled before calling
pm_runtime_put() in probe and in dwc3_omap_remove().

Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Alan Stern
890e6c236d USB: gadgetfs: remove unnecessary assignment
The dev_config() routine in gadgetfs has a check that
dev->dev->bNumConfigurations is equal to 1, and then contains a
redundant line of code setting the value to 1.  This patch removes the
unnecessary assignment.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Alan Stern
1c069b057d USB: gadgetfs: fix checks of wTotalLength in config descriptors
Andrey Konovalov's fuzz testing of gadgetfs showed that we should
improve the driver's checks for valid configuration descriptors passed
in by the user.  In particular, the driver needs to verify that the
wTotalLength value in the descriptor is not too short (smaller
than USB_DT_CONFIG_SIZE).  And the check for whether wTotalLength is
too large has to be changed, because the driver assumes there is
always enough room remaining in the buffer to hold a device descriptor
(at least USB_DT_DEVICE_SIZE bytes).

This patch adds the additional check and fixes the existing check.  It
may do a little more than strictly necessary, but one extra check
won't hurt.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Alan Stern
add333a81a USB: gadgetfs: fix use-after-free bug
Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN use-after-free bug report in gadgetfs:

BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr ffff88003dfe5bf2
Read of size 2 by task syz-executor0/22994
CPU: 3 PID: 22994 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006df06a18 ffffffff81f96aba ffffffffe0528500 1ffff1000dbe0cd6
 ffffed000dbe0cce ffff88006df068f0 0000000041b58ab3 ffffffff8598b4c8
 ffffffff81f96828 1ffff1000dbe0ccd ffff88006df06708 ffff88006df06748
Call Trace:
 <IRQ> [  201.343209]  [<     inline     >] __dump_stack lib/dump_stack.c:15
 <IRQ> [  201.343209]  [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
 [<     inline     >] print_address_description mm/kasan/report.c:197
 [<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
 [<     inline     >] kasan_report mm/kasan/report.c:306
 [<ffffffff817e562a>] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:337
 [<     inline     >] config_buf drivers/usb/gadget/legacy/inode.c:1298
 [<ffffffff8322c8fa>] gadgetfs_setup+0x208a/0x20e0 drivers/usb/gadget/legacy/inode.c:1368
 [<ffffffff830fdcd0>] dummy_timer+0x11f0/0x36d0 drivers/usb/gadget/udc/dummy_hcd.c:1858
 [<ffffffff814807c1>] call_timer_fn+0x241/0x800 kernel/time/timer.c:1308
 [<     inline     >] expire_timers kernel/time/timer.c:1348
 [<ffffffff81482de6>] __run_timers+0xa06/0xec0 kernel/time/timer.c:1641
 [<ffffffff814832c1>] run_timer_softirq+0x21/0x80 kernel/time/timer.c:1654
 [<ffffffff84f4af8b>] __do_softirq+0x2fb/0xb63 kernel/softirq.c:284

The cause of the bug is subtle.  The dev_config() routine gets called
twice by the fuzzer.  The first time, the user data contains both a
full-speed configuration descriptor and a high-speed config
descriptor, causing dev->hs_config to be set.  But it also contains an
invalid device descriptor, so the buffer containing the descriptors is
deallocated and dev_config() returns an error.

The second time dev_config() is called, the user data contains only a
full-speed config descriptor.  But dev->hs_config still has the stale
pointer remaining from the first call, causing the routine to think
that there is a valid high-speed config.  Later on, when the driver
dereferences the stale pointer to copy that descriptor, we get a
use-after-free access.

The fix is simple: Clear dev->hs_config if the passed-in data does not
contain a high-speed config descriptor.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Alan Stern
faab50984f USB: gadgetfs: fix unbounded memory allocation bug
Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN warning in gadgetfs:

BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr ffff88003c47e160
Write of size 65537 by task syz-executor0/6356
CPU: 3 PID: 6356 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003c107ad8 ffffffff81f96aba ffffffff3dc11ef0 1ffff10007820eee
 ffffed0007820ee6 ffff88003dc11f00 0000000041b58ab3 ffffffff8598b4c8
 ffffffff81f96828 ffffffff813fb4a0 ffff88003b6eadc0 ffff88003c107738
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
 [<     inline     >] print_address_description mm/kasan/report.c:197
 [<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
 [<ffffffff817e5705>] kasan_report+0x35/0x40 mm/kasan/report.c:306
 [<     inline     >] check_memory_region_inline mm/kasan/kasan.c:308
 [<ffffffff817e3fb9>] check_memory_region+0x139/0x190 mm/kasan/kasan.c:315
 [<ffffffff817e4044>] kasan_check_write+0x14/0x20 mm/kasan/kasan.c:326
 [<     inline     >] copy_from_user arch/x86/include/asm/uaccess.h:689
 [<     inline     >] ep0_write drivers/usb/gadget/legacy/inode.c:1135
 [<ffffffff83228caf>] dev_config+0x86f/0x1190 drivers/usb/gadget/legacy/inode.c:1759
 [<ffffffff817fdd55>] __vfs_write+0x5d5/0x760 fs/read_write.c:510
 [<ffffffff817ff650>] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [<     inline     >] SYSC_write fs/read_write.c:607
 [<ffffffff81803a5b>] SyS_write+0xfb/0x230 fs/read_write.c:599
 [<ffffffff84f47ec1>] entry_SYSCALL_64_fastpath+0x1f/0xc2

Indeed, there is a comment saying that the value of len is restricted
to a 16-bit integer, but the code doesn't actually do this.

This patch fixes the warning.  It replaces the comment with a
computation that forces the amount of data copied from the user in
ep0_write() to be no larger than the wLength size for the control
transfer, which is a 16-bit quantity.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Baolin Wang
b3ce3ce02d usb: gadget: f_fs: Fix possibe deadlock
When system try to close /dev/usb-ffs/adb/ep0 on one core, at the same
time another core try to attach new UDC, which will cause deadlock as
below scenario. Thus we should release ffs lock before issuing
unregister_gadget_item().

[   52.642225] c1 ======================================================
[   52.642228] c1 [ INFO: possible circular locking dependency detected ]
[   52.642236] c1 4.4.6+ #1 Tainted: G        W  O
[   52.642241] c1 -------------------------------------------------------
[   52.642245] c1 usb ffs open/2808 is trying to acquire lock:
[   52.642270] c0  (udc_lock){+.+.+.}, at: [<ffffffc00065aeec>]
		usb_gadget_unregister_driver+0x3c/0xc8
[   52.642272] c1  but task is already holding lock:
[   52.642283] c0  (ffs_lock){+.+.+.}, at: [<ffffffc00066b244>]
		ffs_data_clear+0x30/0x140
[   52.642285] c1 which lock already depends on the new lock.
[   52.642287] c1
               the existing dependency chain (in reverse order) is:
[   52.642295] c0
	       -> #1 (ffs_lock){+.+.+.}:
[   52.642307] c0        [<ffffffc00012340c>] __lock_acquire+0x20f0/0x2238
[   52.642314] c0        [<ffffffc000123b54>] lock_acquire+0xe4/0x298
[   52.642322] c0        [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
[   52.642328] c0        [<ffffffc00066f7bc>] ffs_func_bind+0x504/0x6e8
[   52.642334] c0        [<ffffffc000654004>] usb_add_function+0x84/0x184
[   52.642340] c0        [<ffffffc000658ca4>] configfs_composite_bind+0x264/0x39c
[   52.642346] c0        [<ffffffc00065b348>] udc_bind_to_driver+0x58/0x11c
[   52.642352] c0        [<ffffffc00065b49c>] usb_udc_attach_driver+0x90/0xc8
[   52.642358] c0        [<ffffffc0006598e0>] gadget_dev_desc_UDC_store+0xd4/0x128
[   52.642369] c0        [<ffffffc0002c14e8>] configfs_write_file+0xd0/0x13c
[   52.642376] c0        [<ffffffc00023c054>] vfs_write+0xb8/0x214
[   52.642381] c0        [<ffffffc00023cad4>] SyS_write+0x54/0xb0
[   52.642388] c0        [<ffffffc000085ff0>] el0_svc_naked+0x24/0x28
[   52.642395] c0
              -> #0 (udc_lock){+.+.+.}:
[   52.642401] c0        [<ffffffc00011e3d0>] print_circular_bug+0x84/0x2e4
[   52.642407] c0        [<ffffffc000123454>] __lock_acquire+0x2138/0x2238
[   52.642412] c0        [<ffffffc000123b54>] lock_acquire+0xe4/0x298
[   52.642420] c0        [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
[   52.642427] c0        [<ffffffc00065aeec>] usb_gadget_unregister_driver+0x3c/0xc8
[   52.642432] c0        [<ffffffc00065995c>] unregister_gadget_item+0x28/0x44
[   52.642439] c0        [<ffffffc00066b34c>] ffs_data_clear+0x138/0x140
[   52.642444] c0        [<ffffffc00066b374>] ffs_data_reset+0x20/0x6c
[   52.642450] c0        [<ffffffc00066efd0>] ffs_data_closed+0xac/0x12c
[   52.642454] c0        [<ffffffc00066f070>] ffs_ep0_release+0x20/0x2c
[   52.642460] c0        [<ffffffc00023dbe4>] __fput+0xb0/0x1f4
[   52.642466] c0        [<ffffffc00023dd9c>] ____fput+0x20/0x2c
[   52.642473] c0        [<ffffffc0000ee944>] task_work_run+0xb4/0xe8
[   52.642482] c0        [<ffffffc0000cd45c>] do_exit+0x360/0xb9c
[   52.642487] c0        [<ffffffc0000cf228>] do_group_exit+0x4c/0xb0
[   52.642494] c0        [<ffffffc0000dd3c8>] get_signal+0x380/0x89c
[   52.642501] c0        [<ffffffc00008a8f0>] do_signal+0x154/0x518
[   52.642507] c0        [<ffffffc00008af00>] do_notify_resume+0x70/0x78
[   52.642512] c0        [<ffffffc000085ee8>] work_pending+0x1c/0x20
[   52.642514] c1
              other info that might help us debug this:
[   52.642517] c1  Possible unsafe locking scenario:
[   52.642518] c1        CPU0                    CPU1
[   52.642520] c1        ----                    ----
[   52.642525] c0   lock(ffs_lock);
[   52.642529] c0                                lock(udc_lock);
[   52.642533] c0                                lock(ffs_lock);
[   52.642537] c0   lock(udc_lock);
[   52.642539] c1
                      *** DEADLOCK ***
[   52.642543] c1 1 lock held by usb ffs open/2808:
[   52.642555] c0  #0:  (ffs_lock){+.+.+.}, at: [<ffffffc00066b244>]
		ffs_data_clear+0x30/0x140
[   52.642557] c1 stack backtrace:
[   52.642563] c1 CPU: 1 PID: 2808 Comm: usb ffs open Tainted: G
[   52.642565] c1 Hardware name: Spreadtrum SP9860g Board (DT)
[   52.642568] c1 Call trace:
[   52.642573] c1 [<ffffffc00008b430>] dump_backtrace+0x0/0x170
[   52.642577] c1 [<ffffffc00008b5c0>] show_stack+0x20/0x28
[   52.642583] c1 [<ffffffc000422694>] dump_stack+0xa8/0xe0
[   52.642587] c1 [<ffffffc00011e548>] print_circular_bug+0x1fc/0x2e4
[   52.642591] c1 [<ffffffc000123454>] __lock_acquire+0x2138/0x2238
[   52.642595] c1 [<ffffffc000123b54>] lock_acquire+0xe4/0x298
[   52.642599] c1 [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
[   52.642604] c1 [<ffffffc00065aeec>] usb_gadget_unregister_driver+0x3c/0xc8
[   52.642608] c1 [<ffffffc00065995c>] unregister_gadget_item+0x28/0x44
[   52.642613] c1 [<ffffffc00066b34c>] ffs_data_clear+0x138/0x140
[   52.642618] c1 [<ffffffc00066b374>] ffs_data_reset+0x20/0x6c
[   52.642621] c1 [<ffffffc00066efd0>] ffs_data_closed+0xac/0x12c
[   52.642625] c1 [<ffffffc00066f070>] ffs_ep0_release+0x20/0x2c
[   52.642629] c1 [<ffffffc00023dbe4>] __fput+0xb0/0x1f4
[   52.642633] c1 [<ffffffc00023dd9c>] ____fput+0x20/0x2c
[   52.642636] c1 [<ffffffc0000ee944>] task_work_run+0xb4/0xe8
[   52.642640] c1 [<ffffffc0000cd45c>] do_exit+0x360/0xb9c
[   52.642644] c1 [<ffffffc0000cf228>] do_group_exit+0x4c/0xb0
[   52.642647] c1 [<ffffffc0000dd3c8>] get_signal+0x380/0x89c
[   52.642651] c1 [<ffffffc00008a8f0>] do_signal+0x154/0x518
[   52.642656] c1 [<ffffffc00008af00>] do_notify_resume+0x70/0x78
[   52.642659] c1 [<ffffffc000085ee8>] work_pending+0x1c/0x20

Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Janusz Dziedzic
d7fd41c6db usb: dwc3: skip interrupt when ep disabled
In case EP disabled pass only EPCPLT command
to be handled. In other case we could hit
Bug like below.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000003
IP:
[<ffffffff81673428>] dwc3_thread_interrupt+0x11c8/0x1790

while dep->endpoint.desc is NULL.

Signed-off-by: Janusz Dziedzic <januszx.dziedzic@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Greg Kroah-Hartman
0994b0a257 usb: gadgetfs: restrict upper bound on device configuration size
Andrey Konovalov reported that we were not properly checking the upper
limit before of a device configuration size before calling
memdup_user(), which could cause some problems.

So set the upper limit to PAGE_SIZE * 4, which should be good enough for
all devices.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Alan Stern
bcdbeb8447 USB: dummy-hcd: fix bug in stop_activity (handle ep0)
The stop_activity() routine in dummy-hcd is supposed to unlink all
active requests for every endpoint, among other things.  But it
doesn't handle ep0.  As a result, fuzz testing can generate a WARNING
like the following:

WARNING: CPU: 0 PID: 4410 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170
Modules linked in:
CPU: 0 PID: 4410 Comm: syz-executor Not tainted 4.9.0-rc7+ #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006a64ed10 ffffffff81f96b8a ffffffff41b58ab3 1ffff1000d4c9d35
 ffffed000d4c9d2d ffff880065f8ac00 0000000041b58ab3 ffffffff8598b510
 ffffffff81f968f8 0000000041b58ab3 ffffffff859410e0 ffffffff813f0590
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff812b808f>] __warn+0x19f/0x1e0 kernel/panic.c:550
 [<ffffffff812b831c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
 [<ffffffff830fcb13>] dummy_free_request+0x153/0x170 drivers/usb/gadget/udc/dummy_hcd.c:672
 [<ffffffff830ed1b0>] usb_ep_free_request+0xc0/0x420 drivers/usb/gadget/udc/core.c:195
 [<ffffffff83225031>] gadgetfs_unbind+0x131/0x190 drivers/usb/gadget/legacy/inode.c:1612
 [<ffffffff830ebd8f>] usb_gadget_remove_driver+0x10f/0x2b0 drivers/usb/gadget/udc/core.c:1228
 [<ffffffff830ec084>] usb_gadget_unregister_driver+0x154/0x240 drivers/usb/gadget/udc/core.c:1357

This patch fixes the problem by iterating over all the endpoints in
the driver's ep array instead of iterating over the gadget's ep_list,
which explicitly leaves out ep0.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Vincent Pelletier
354bc45bf3 usb: gadget: f_fs: Fix ExtCompat descriptor validation
Reserved1 is documented as expected to be set to 0, but this test fails
when it it set to 0. Reverse the condition.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Vincent Pelletier
96a420d2d3 usb: gadget: f_fs: Document eventfd effect on descriptor format.
When FUNCTIONFS_EVENTFD flag is set, __ffs_data_got_descs reads a 32bits,
little-endian value right after the fixed structure header, and passes it
to eventfd_ctx_fdget. Document this.

Also, rephrase a comment to be affirmative about the role of string
descriptor at index 0. Ref: USB 2.0 spec paragraph "9.6.7 String", and
also checked to still be current in USB 3.0 spec paragraph "9.6.9 String".

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Krzysztof Opasiak
7e4da3fcf7 usb: gadget: composite: Test get_alt() presence instead of set_alt()
By convention (according to doc) if function does not provide
get_alt() callback composite framework should assume that it has only
altsetting 0 and should respond with error if host tries to set
other one.

After commit dd4dff8b03 ("USB: composite: Fix bug: should test
set_alt function pointer before use it")
we started checking set_alt() callback instead of get_alt().
This check is useless as we check if set_alt() is set inside
usb_add_function() and fail if it's NULL.

Let's fix this check and move comment about why we check the get
method instead of set a little bit closer to prevent future false
fixes.

Fixes: dd4dff8b03 ("USB: composite: Fix bug: should test set_alt function pointer before use it")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Hans de Goede
51c1685d95 usb: dwc3: pci: Fix dr_mode misspelling
usb_get_dr_mode() expects the device-property to be spelled
"dr_mode" not "dr-mode".

Spelling it properly fixes the following warning showing up in dmesg:
[ 8704.500545] dwc3 dwc3.2.auto: Configuration mismatch. dr_mode forced to gadget

Signed-off-by: Hans de Goede <hdegoede@redhat.com
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Felipe Balbi
e71d363d9c usb: dwc3: core: avoid Overflow events
Now that we're handling so many transfers at a time
and for some dwc3 revisions LPM events *must* be
enabled, we can fall into a situation where too many
events fire and we start receiving Overflow events.

Let's do what XHCI does and allocate a full page for
the Event Ring, this will avoid any future issues.

Cc: <stable@vger.kernel.org> # v4.9
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Felipe Balbi
d621459299 usb: dwc3: gadget: always unmap EP0 requests
commit 0416e494ce ("usb: dwc3: ep0: correct cache
sync issue in case of ep0_bounced") introduced a bug
where we would leak DMA resources which would cause
us to starve the system of them resulting in failing
DMA transfers.

Fix the bug by making sure that we always unmap EP0
requests since those are *always* mapped.

Fixes: 0416e494ce ("usb: dwc3: ep0: correct cache
	sync issue in case of ep0_bounced")
Cc: <stable@vger.kernel.org>
Tested-by: Tomasz Medrek <tomaszx.medrek@intel.com>
Reported-by: Janusz Dziedzic <januszx.dziedzic@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Felipe Balbi
19ec31230e usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb()
Let's call dwc3_ep0_prepare_one_trb() explicitly
because there are occasions where we will need more
than one TRB to handle an EP0 transfer.

A follow-up patch will fix one bug related to
multiple-TRB Data Phases when it comes to
mapping/unmapping requests for DMA.

Cc: <stable@vger.kernel.org>
Reported-by: Janusz Dziedzic <januszx.dziedzic@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Felipe Balbi
7931ec86c1 usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb()
For now this is just a cleanup patch, no functional
changes. We will be using the new function to fix a
bug introduced long ago by commit 0416e494ce
("usb: dwc3: ep0: correct cache sync issue in case
of ep0_bounced") and further worsened by commit
c0bd5456a4 ("usb: dwc3: ep0: handle non maxpacket
aligned transfers > 512")

Cc: <stable@vger.kernel.org>
Reported-by: Janusz Dziedzic <januszx.dziedzic@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00