| Age | Commit message (Collapse) | Author |
|---|
|
The au0828 dev_state is actually a bit mask. It should not be
checking with "==" but, instead, with a logic and. There are some
places where it was doing it wrong.
Fix that by replacing the dev_state set/clear/test with the
bitops.
As reviewed by Shuah:
"Looks good. Tested running bind/unbind au0828 loop for 1000 times.
Didn't see any problems and the v4l2_querycap() problem has been
fixed with this patch.
After the above test, ran bind/unbind snd_usb_audio 1000 times.
Didn't see any problems. Generated media graph and the graph
looks good."
Cc: stable@vger.kernel.org
Reviewed-by: Shuah Khan <shuahkh@osg.samsung.com>
Tested-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
au0828_v4l2_close() check for dev_state == DEV_DISCONNECTED will fail to
detect the device disconnected state correctly, if au0828_v4l2_open() runs
to set the DEV_INITIALIZED bit. A loop test of bind/unbind found this bug
by increasing the likelihood of au0828_v4l2_open() occurring while unbind
is in progress. When au0828_v4l2_close() fails to detect that the device
is in disconnect state, it attempts to power down the device and fails with
the following general protection fault:
[ 260.992962] Call Trace:
[ 260.993008] [<ffffffffa0f80f0f>] ? xc5000_sleep+0x8f/0xd0 [xc5000]
[ 260.993095] [<ffffffffa0f6803c>] ? fe_standby+0x3c/0x50 [tuner]
[ 260.993186] [<ffffffffa0ef541c>] au0828_v4l2_close+0x53c/0x620 [au0828]
[ 260.993298] [<ffffffffa0d08ec0>] v4l2_release+0xf0/0x210 [videodev]
[ 260.993382] [<ffffffff81570f9c>] __fput+0x1fc/0x6c0
[ 260.993449] [<ffffffff815714ce>] ____fput+0xe/0x10
[ 260.993519] [<ffffffff8116eb83>] task_work_run+0x133/0x1f0
[ 260.993602] [<ffffffff810035d0>] exit_to_usermode_loop+0x140/0x170
[ 260.993681] [<ffffffff810061ca>] syscall_return_slowpath+0x16a/0x1a0
[ 260.993754] [<ffffffff82835fb3>] entry_SYSCALL_64_fastpath+0xa6/0xa8
Cc: stable@vger.kernel.org
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Fix to clear enable/disable/change source handlers in the media device
when media device is unregistered in au0828_unregister_media_device().
When au0828 module is removed, snd-usb-audio shouldn't call the handlers.
Clearing will ensure snd-usb-audio won't call them once au0828 is removed.
[mchehab@osg.samsung.com: fix a compilation breakage]
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
A previous patch removing dtv_demod needed to be rebased,
but the hunk removing the data was not merged by mistake.
Fixes: 840f5b0572ea ('media: au0828 disable tuner to demod link in au0828_media_device_register()']
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
For au0828_enable_source() to work, the tuner links should be
disabled and the tuner/decoder should be cached at au0828 struct.
While here, put dev->decoder cache together with dev->tuner, as
it makes easier to drop both latter if/when we move the enable
routines to the V4L2 core.
Fixes: 9822f4173f84 ('[media] au0828: use v4l2_mc_create_media_graph()')
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Reviewed-by: Shuah Khan <shuahkh@osg.samsung.com>
Tested-by: Shuah Khan <shuahkh@osg.samsung.com>
|
|
Xiao Ni reported below crash:
[26396.335146] BUG: unable to handle kernel NULL pointer dereference at 00000000000002a8
[26396.342990] IP: [<ffffffffa0425b00>] super_written+0x20/0x80 [md_mod]
[26396.349449] PGD 0
[26396.351468] Oops: 0002 [#1] SMP
[26396.354898] Modules linked in: ext4 mbcache jbd2 raid456 async_raid6_recov async_memcpy async_pq async_xor xor async_td
[26396.408404] CPU: 5 PID: 3261 Comm: loop0 Not tainted 4.5.0 #1
[26396.414140] Hardware name: Dell Inc. PowerEdge R715/0G2DP3, BIOS 3.2.2 09/15/2014
[26396.421608] task: ffff8808339be680 ti: ffff8808365f4000 task.ti: ffff8808365f4000
[26396.429074] RIP: 0010:[<ffffffffa0425b00>] [<ffffffffa0425b00>] super_written+0x20/0x80 [md_mod]
[26396.437952] RSP: 0018:ffff8808365f7c38 EFLAGS: 00010046
[26396.443252] RAX: ffffffffa0425ae0 RBX: ffff8804336a7900 RCX: ffffe8f9f7b41198
[26396.450371] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8804336a7900
[26396.457489] RBP: ffff8808365f7c50 R08: 0000000000000005 R09: 00001801e02ce3d7
[26396.464608] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
[26396.471728] R13: ffff8808338d9a00 R14: 0000000000000000 R15: ffff880833f9fe00
[26396.478849] FS: 00007f9e5066d740(0000) GS:ffff880237b40000(0000) knlGS:0000000000000000
[26396.486922] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[26396.492656] CR2: 00000000000002a8 CR3: 00000000019ea000 CR4: 00000000000006e0
[26396.499775] Stack:
[26396.501781] ffff8804336a7900 0000000000000000 0000000000000000 ffff8808365f7c68
[26396.509199] ffffffff81308cd0 ffff8804336a7900 ffff8808365f7ca8 ffffffff81310637
[26396.516618] 00000000a0233a00 ffff880833f9fe00 0000000000000000 ffff880833fb0000
[26396.524038] Call Trace:
[26396.526485] [<ffffffff81308cd0>] bio_endio+0x40/0x60
[26396.531529] [<ffffffff81310637>] blk_update_request+0x87/0x320
[26396.537439] [<ffffffff8131a20a>] blk_mq_end_request+0x1a/0x70
[26396.543261] [<ffffffff81313889>] blk_flush_complete_seq+0xd9/0x2a0
[26396.549517] [<ffffffff81313ccf>] flush_end_io+0x15f/0x240
[26396.554993] [<ffffffff8131a22a>] blk_mq_end_request+0x3a/0x70
[26396.560815] [<ffffffff8131a314>] __blk_mq_complete_request+0xb4/0xe0
[26396.567246] [<ffffffff8131a35c>] blk_mq_complete_request+0x1c/0x20
[26396.573506] [<ffffffffa04182df>] loop_queue_work+0x6f/0x72c [loop]
[26396.579764] [<ffffffff81697844>] ? __schedule+0x2b4/0x8f0
[26396.585242] [<ffffffff810a7812>] kthread_worker_fn+0x52/0x170
[26396.591065] [<ffffffff810a77c0>] ? kthread_create_on_node+0x1a0/0x1a0
[26396.597582] [<ffffffff810a7238>] kthread+0xd8/0xf0
[26396.602453] [<ffffffff810a7160>] ? kthread_park+0x60/0x60
[26396.607929] [<ffffffff8169bdcf>] ret_from_fork+0x3f/0x70
[26396.613319] [<ffffffff810a7160>] ? kthread_park+0x60/0x60
md_super_write() and corresponding md_super_wait() generally are called
with reconfig_mutex locked, which prevents disk disappears. There is one
case this rule is broken. write_sb_page of bitmap.c doesn't hold the
mutex. next_active_rdev does increase rdev reference, but it decreases
the reference too early (eg, before IO finish). disk can disappear at
the window. We unconditionally increase rdev reference in
md_super_write() to avoid the race.
Reported-and-tested-by: Xiao Ni <xni@redhat.com>
Reviewed-by: Neil Brown <neilb@suse.de>
Signed-off-by: Shaohua Li <shli@fb.com>
|
|
Fix a trivial typo in md_ioctl().
Signed-off-by: Wei Fang <fangwei1@huawei.com>
Signed-off-by: Shaohua Li <shli@fb.com>
|
|
If first_bad == this_sector when we get the WriteMostly disk
in read_balance(), valid disk will be returned with zero
max_sectors. It'll lead to a dead loop in make_request(), and
OOM will happen because of endless allocation of struct bio.
Since we can't get data from this disk in this case, so
continue for another disk.
Signed-off-by: Wei Fang <fangwei1@huawei.com>
Signed-off-by: Shaohua Li <shli@fb.com>
|
|
The driver can be crashed with devices that expose crafted descriptors
with too few endpoints.
See: http://seclists.org/bugtraq/2016/Mar/61
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
[johan: fix OOB endpoint check and add error messages ]
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
An attack using missing endpoints exists.
CVE-2016-3137
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
An attack using the lack of sanity checking in probe is known. This
patch checks for the existence of a second port.
CVE-2016-3136
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
[johan: add error message ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
The utilization update hook in the intel_pstate driver is set too
early, as it only should be set after the policy has been fully
initialized by the core. That may cause intel_pstate_update_util()
to use incorrect data and put the CPUs into incorrect P-states as
a result.
To prevent that from happening, make intel_pstate_set_policy() set
the utilization update hook instead of intel_pstate_init_cpu() so
intel_pstate_update_util() only runs when all things have been
initialized as appropriate.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue
Jeff Kirsher says:
====================
Intel Wired LAN Driver Updates 2016-03-29
This series contains fixes to ixgbe and ixgbevf.
Tushar fixes an issue which was introduced with an earlier commit, where
hardware register RAR0 default MAC address does not get set properly.
Alex fixes two issues, first being the VXLAN port number should be stored
in network order instead of in host order. The second fix corrects the ATR
code to handle IPv6 extension headers. The issue was ATR code was assuming
that it would be able to use tcp_hdr for every TCP frame that came through,
but that is not the case, which resulted in bad filters being setup.
Mark fixes a use of usleep_range() to udelay() in the case where a lock
is being held.
Stefan fixes the offline self tests where ndo_stop() should be used instead
of ndo_close(), which causes IFF_UP to be cleared and interface routes get
removed.
Emil fixes the error case where we need to return an error when a MAC
address change is rejected by the PF. This helps prevent the user from
modifying the MAC address when the operation is not permitted.
Sridhar provides three fixes for ixgbe, all dealing with traffic class
offload handling.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
Pull GPIO fixes from Linus Walleij:
"Here are two GPIO fixes for the v4.6 series, both in drivers:
- Prevent NULL dereference in the Xgene driver
- Fix an uninitialized spinlock in the menz127 driver"
* tag 'gpio-v4.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
gpio: xgene: Prevent NULL pointer dereference
gpio: menz127: Drop lock field from struct men_z127_gpio
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
Pull nvdimm mcsafe_memcpy use from Dan Williams:
"Now that mcsafe_memcpy() has landed, and the return value was been
clarified in commit cbf8b5a2b649 ("x86/mm, x86/mce: Fix return
type/value for memcpy_mcsafe()"), let's hook up its primary usage in
the pmem driver.
The compilation problems from the initial posting have been fixed,
this has appeared in a -next release with no reported issues, and it
picked up an ack from Ingo. There is no pressing need to merge this
in 4.6- rc2. However, if we wait until 4.7 the new memcpy_mcsafe()
capability will ship without a user in 4.6-final"
* 'libnvdimm-for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
x86, pmem: use memcpy_mcsafe() for memcpy_from_pmem()
|
|
For this SoC the register offsets changed from previous versions to be
separated by a larger amount.
Signed-off-by: Matthew McClintock <mmcclint@codeaurora.org>
Acked-by: Björn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
|
|
Without this, we would fail to set the mode to gpio if trying to
configure for that mode
Signed-off-by: Matthew McClintock <mmcclint@codeaurora.org>
Acked-by: Björn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
|
|
This should have been bumped to 100 when the extra pins
were added in the original pinctrl patch
Signed-off-by: Matthew McClintock <mmcclint@codeaurora.org>
Acked-by: Björn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
|
|
imx doesn't have any functions for setting the gamma table, so this is
completely defunct.
Not nice to lie to userspace, so let's stop!
Cc: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
Just as the function ipu_dmfc_config_wait4eot() tells, the DMFC wait4eot bit
depends on the number of DMFC slots to be used, so it should be called after
the slots are determined in the function ipu_dmfc_alloc_bandwidth().
Based on tests, this patch may eliminate display distortion issue on overlay
plane with small resolutions. To reproduce the issue, we may run this drm
modetest case - 'modetest -P 19:64x64'.
Signed-off-by: Liu Ying <gnuiyl@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
The function name 'ipu_dmfc_config_wait4eot' matches the implementation of
the function better than 'ipu_dmfc_init_channel', since it only touches the
wait4eot bits.
Signed-off-by: Liu Ying <gnuiyl@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
Since the function ipu_dmfc_init_channel() always returns zero, we may
change the return type to void to simplify the code.
Signed-off-by: Liu Ying <gnuiyl@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
To avoid race condition issue, we should protect the function
ipu_dmfc_init_channel() with the mutex dmfc->priv->mutex, since it
configures the register DMFC_GENERAL1 at runtime which contains
several control bits for various display channels. This matches
better with fine grained locking logic in upper layer.
Signed-off-by: Liu Ying <gnuiyl@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
The IMX dw_hdmi driver just called platform_set_drvdata() to get
your hopes up that maybe, somehow, you'd be able to retrieve the 'struct
imx_hdmi' from a pointer to the 'struct device'. You can't. When
we call dw_hdmi_bind() the main driver calls dev_set_drvdata(), which
clobbers our setting.
Let's just remove the platform_set_drvdata() to avoid dashing people's
hopes.
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
The drm_encoder_cleanup() was missing both from the error path of
dw_hdmi_imx_bind(). This caused a crash when slub_debug was
enabled and we ended up deferring probe of HDMI at boot.
This call isn't needed from unbind() because if dw_hdmi_bind() returns
no error then it takes over the job of freeing the encoder (in
dw_hdmi_unbind).
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
The driver already advertises multi-planar YUV support, but
previously the U/V offset and stride setup was missing.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
The IPU addresses multiplanar formats using a base address and relative
offsets for the secondary planes. Since those offsets must be positive
and not too large, and none of the plane parameters except the base address
may be changed while scanout is active, store the pitches and u/v offsets
and check all values against IDMAC limitations.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
Let ipu_cpmem_set_yuv_planar_full take a DRM_FORMAT instead of a
V4L2_PIXFMT and allow better control over U/V stride, U offset and
V offset settings in the CPMEM.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
Pull up was reported as pull down and vice versa. Fix this.
Fixes: 8f1774a2a971 "pinctrl: nomadik: improve GPIO debug prints"
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
|
|
The SPICE protocol considers the position of a cursor to be the location
of its active pixel on the display, so the cursor is drawn with its
top-left corner at "(x - hot_spot_x, y - hot_spot_y)" but the DRM cursor
position gives the location where the top-left corner should be drawn,
with the hotspot being a hint for drivers that need it.
This fixes the location of the window resize cursors when using Fluxbox
with the QXL DRM driver and both the QXL and modesetting X drivers.
Signed-off-by: John Keeping <john@metanate.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: stable@vger.kernel.org
Link: http://patchwork.freedesktop.org/patch/msgid/1447845445-2116-1-git-send-email-john@metanate.com
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
|
|
commit b37d83a6a414 ("usb: Parse the new USB 3.1 SuperSpeedPlus Isoc
endpoint companion descriptor") caused a regression in 4.6-rc1 and fails
to parse SuperSpeed endpoint companion descriptors.
The new SuperSpeedPlus Isoc endpoint companion parsing code incorrectly
decreased the the remaining buffer size before comparing the size with the
expected length of the descriptor.
This lead to possible failure in reading the SuperSpeed endpoint companion
descriptor of the last endpoint, displaying a message like:
"No SuperSpeed endpoint companion for config 1 interface 0 altsetting 0
ep 129: using minimum values"
Fix it by decreasing the size after comparing it.
Also finish all the SS endpoint companion parsing before calling SSP isoc
endpoint parsing function.
Fixes: b37d83a6a414
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Fix potential out-of-bounds write to urb->transfer_buffer
usbip handles network communication directly in the kernel. When receiving a
packet from its peer, usbip code parses headers according to protocol. As
part of this parsing urb->actual_length is filled. Since the input for
urb->actual_length comes from the network, it should be treated as untrusted.
Any entity controlling the network may put any value in the input and the
preallocated urb->transfer_buffer may not be large enough to hold the data.
Thus, the malicious entity is able to write arbitrary data to kernel memory.
Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
We need to have the WWN fully initialized before addig default groups to it,
so add a new method to add these groups after the WWN has been initialized.
Also remove the default groups in the core while we're at it.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
|
The iSCSI targets wants to add a default group, for which we need to
have the list of default groups initialized previously.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
|
Instead we can clean up the list of default ACLs in core code.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
|
Now the rdma core offers a QP draining service in v4.6-rc1,
use it instead of our own.
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Reported-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
|
To report flow control tx/rx settings accurately regardless of autoneg
setting, we should use link_info->req_flow_ctrl. Before this patch,
the reported settings were only correct when autoneg was on.
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
The typo caused the wrong flow control bit to be set.
Reported by: Ajit Khaparde <ajit.khaparde@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
The size of every padded firmware message is specified in the first
HWRM_VER_GET response message. Use this value to pad every message
after that.
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
The existing code does the following:
allocate completion ring
initialize completion ring doorbell
disable interrupts on this completion ring by writing to the doorbell
We can have a race where firmware sends an asynchronous event to the host
after completion ring allocation and before doorbell is initialized.
When this happens driver can crash while ringing the doorbell using
uninitialized value as part of handling the IRQ/napi request.
Signed-off-by: Prashant Sreedharan <prashant.sreedharan@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
There is an issue when we use mavtap over team:
When we replug nic links from team0, the real nics's mc list will not
include the maddr for macvtap any more. then we can't receive pkts to
macvtap device, as they are filterred by mc list of nic.
In Bonding Driver, it syncs the uc/mc addrs in bond_enslave().
We will fix this issue on team by adding the port's uc/mc addrs sync in
team_port_add.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
in the case where qed_slowpath_irq_req is not called, rc is not
assigned and so qed_int_igu_enable will return a garbage value.
Fix this by initializing rc to 0.
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Yuval Mintz <Yuval.Mintz@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
Pull hwmon fix from Guenter Roeck:
"Fix crash due to NULL pointer access in max1111 driver"
* tag 'hwmon-for-linus-v4.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated
|
|
This patch adds a code to surely disable TX IRQ of the pipe before
starting TX DMAC transfer. Otherwise, a lot of unnecessary TX IRQs
may happen in rare cases when DMAC is used.
Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
Cc: <stable@vger.kernel.org> # v3.1+
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
|
|
When unexpected situation happened (e.g. tx/rx irq happened while
DMAC is used), the usbhsf_pkt_handler() was possible to cause NULL
pointer dereference like the followings:
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = c0004000
[00000000] *pgd=00000000
Internal error: Oops: 80000007 [#1] SMP ARM
Modules linked in: usb_f_acm u_serial g_serial libcomposite
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.5.0-rc6-00842-gac57066-dirty #63
Hardware name: Generic R8A7790 (Flattened Device Tree)
task: c0729c00 ti: c0724000 task.ti: c0724000
PC is at 0x0
LR is at usbhsf_pkt_handler+0xac/0x118
pc : [<00000000>] lr : [<c03257e0>] psr: 60000193
sp : c0725db8 ip : 00000000 fp : c0725df4
r10: 00000001 r9 : 00000193 r8 : ef3ccab4
r7 : ef3cca10 r6 : eea4586c r5 : 00000000 r4 : ef19ceb4
r3 : 00000000 r2 : 0000009c r1 : c0725dc4 r0 : ef19ceb4
This patch adds a condition to avoid the dereference.
Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
Cc: <stable@vger.kernel.org> # v3.1+
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
|
|
Jan reported this:
===
After enabling CONFIG_I2C_DEBUG_CORE my system was broken
(no network, console login not possible). System log was
flooded with the this message:
...
[ 608.052077] rtc-ds1307 0-0068: uevent
[ 608.052500] rtc-ds1307 0-0068: uevent
[ 608.052925] rtc-ds1307 0-0068: uevent
...
The culprit is the dev_dbg printk in the i2c uevent handler.
If this is activated (for instance by CONFIG_I2C_DEBUG_CORE)
it results in an endless loop with systemd-journald.
This happens if user-space scans the system log and reads the uevent
file to get information about a newly created device, which seems fair
use to me. Unfortunately reading the "uevent" file uses the same
function that runs for creating the uevent for a new device,
generating the next syslog entry.
Ideally user-space would implement a recursion detection and
after reading the same device file for the 1000th time call it a
day, but nevertheless I think we should avoid this problem by
removing the debug print completely or using another print variant.
The same problem seems to be reported here:
https://bugs.freedesktop.org/show_bug.cgi?id=76886
===
His patch converted the message to pr_debug, but I think the debug can
simply go. We have other means to see code paths these days. This
enables us to clean up the function some more while we are here.
Reported-by: Jan Glauber <jglauber@cavium.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Acked-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
Tested-by: Jan Glauber <jglauber@cavium.com>
|
|
buflen by default (256) is smaller than wMaxPacketSize (512) in high-speed
devices.
That caused the OUT endpoint to freeze if the host send any data packet of
length greater than 256 bytes.
This is an example dump of what happended on that enpoint:
HOST: [DATA][Length=260][...]
DEVICE: [NAK]
HOST: [PING]
DEVICE: [NAK]
HOST: [PING]
DEVICE: [NAK]
...
HOST: [PING]
DEVICE: [NAK]
This patch fixes this problem by setting the minimum usb_request's buffer size
for the OUT endpoint as its wMaxPacketSize.
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe F. Tonello <eu@felipetonello.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
|
|
gcc warns about the use of regulators in phy_8x16_probe:
drivers/usb/phy/phy-qcom-8x16-usb.c: In function 'phy_8x16_probe':
drivers/usb/phy/phy-qcom-8x16-usb.c:284:13: error: 'regs[0].consumer' may be used uninitialized in this function [-Werror=maybe-uninitialized]
drivers/usb/phy/phy-qcom-8x16-usb.c:285:13: error: 'regs[1].consumer' may be used uninitialized in this function [-Werror=maybe-uninitialized]
drivers/usb/phy/phy-qcom-8x16-usb.c:286:12: error: 'regs[2].consumer' may be used uninitialized in this function [-Werror=maybe-uninitialized]
According to Mark Brown, this is the result of various abuses
of the PHY interfaces [1], so let's fix the driver instead.
This puts the regulator bulk data into the device structure so it
gets properly initialized and lets us call regulator_bulk_enable()
and regulator_bulk_disable() rather than open-coding them.
Setting the voltages the way the driver does is rather pointless
because for each regulator there is only one valid voltage
range, so that can just get set up in the DT. As there doesn't
seem to be any user of the newly added driver yet, we can simply
make sure the DTs are setting this up right when they get added.
I'm also fixing the handling of regulator_bulk_enable() failure.
Right now, the driver just ignores any failure, which doesn't make
sense, so I'm changing it to loudly complain (in case we actually
had a bug here) and error out.
Doing a fly-by review of the driver, I notice a couple of other
problems that I'm not addressing here:
- It really should not have been written as a USB PHY driver, but
instead should use the PHY subsystem.
- The DT compatible string does not follow the usual conventions,
and it should have a proper identifier in it rather than a wildcard.
- The example in the devicetree binding lists a register address
that is the same as the actual EHCI host controller in the SoC
as well as the otg-snps and the ci-hdrc device, which indicates
that these are probably not even distinct devices (or all but
one of them are wrong), and if more than one of them tries to
request the resources correctly, they fail.
[1] https://lkml.org/lkml/2016/1/26/267
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
|
|
A recent change to the mbus driver added a warning printk that
prints a phys_addr_t using the %x format string, which fails in
case we build with 64-bit phys_addr_t:
drivers/bus/mvebu-mbus.c: In function 'mvebu_mbus_get_dram_win_info':
drivers/bus/mvebu-mbus.c:975:9: error: format '%x' expects argument of type 'unsigned int', but argument 2 has type 'phys_addr_t {aka long long unsigned int}' [-Werror=format=]
This uses the special %pa format string instead, so we always
print the correct type.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: f2900acea801 ("bus: mvebu-mbus: provide api for obtaining IO and DRAM window information")
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
|
|
There is unexpected gpio interrupt after irq_enable. If not
implemeted gpio_irq_enable callback, irq_enable calls irq_unmask
instead. But if there was interrupt set before the irq_enable,
unmask it may trigger the unexpected interrupt. By implementing
the gpio_irq_enable callback, do interrupt status ack, the issue
has gone.
Signed-off-by: Qi Zheng <qi.zheng@intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Qipeng Zha <qipeng.zha@intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
|
