| Age | Commit message (Collapse) | Author |
|---|
|
In usb_dmac_of_xlate(), variable ‘uchan’ is initialized but never used, which
leads to warning with W=1
drivers/dma/sh/usb-dmac.c: In function ‘usb_dmac_of_xlate’:
drivers/dma/sh/usb-dmac.c:655:24: warning: variable ‘uchan’ set but not used [-Wunused-but-set-variable]
struct usb_dmac_chan *uchan;
So remove it.
Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
|
|
In __cleanup(), variable ‘res’ is initialized but never used, which
leads to warning with W=1
drivers/dma/ioat/dma.c: In function ‘__cleanup’:
drivers/dma/ioat/dma.c:614:28: warning: variable ‘res’ set but not used [-Wunused-but-set-variable]
struct dmaengine_result res;
So remove it.
Cc: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
|
|
In ioat_tx_submit_unlock(), variable ‘ioat_dma’ is initialized but never
used, which leads to warning with W=1
drivers/dma/ioat/dma.c: In function ‘ioat_alloc_ring_ent’:
drivers/dma/ioat/dma.c:341:25: warning: variable ‘ioat_dma’ set but not used [-Wunused-but-set-variable]
struct ioatdma_device *ioat_dma;
So remove it.
Cc: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
|
|
In ioat3_dma_probe(), variable ‘is_raid_device’ is initialized but never
used, which leads to warning with W=1
drivers/dma/ioat/init.c: In function ‘ioat3_dma_probe’:
drivers/dma/ioat/init.c:1084:7: warning: variable ‘is_raid_device’ set
but not used [-Wunused-but-set-variable]
bool is_raid_device = false;
So remove it.
Cc: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
|
|
Pull Openrisc updates from Stafford Horne:
- changes to MAINTAINER for openrisc
- probably biggest actual change is the move to memblock from bootmem
- ... plus several bug and build fixes
* tag 'openrisc-for-linus' of git://github.com/openrisc/linux:
openrisc: prevent VGA console, fix builds
openrisc: include l.swa in check for write data pagefault
openrisc: Updates after openrisc.net has been lost
openrisc: Consolidate setup to use memblock instead of bootmem
openrisc: remove the redundant of_platform_populate
openrisc: add NR_CPUS Kconfig default value
openrisc: Support both old (or32) and new (or1k) toolchain
openrisc: Add thread-local storage (TLS) support
openrisc: restore all regs on rt_sigreturn
openrisc: fix PTRS_PER_PGD define
|
|
There is at least one Chelsio 10Gb card which uses VPD area to store some
non-standard blocks (example below). However pci_vpd_size() returns the
length of the first block only assuming that there can be only one VPD "End
Tag".
Since 4e1a635552d3 ("vfio/pci: Use kernel VPD access functions"), VFIO
blocks access beyond that offset, which prevents the guest "cxgb3" driver
from probing the device. The host system does not have this problem as its
driver accesses the config space directly without pci_read_vpd().
Add a quirk to override the VPD size to a bigger value. The maximum size
is taken from EEPROMSIZE in drivers/net/ethernet/chelsio/cxgb3/common.h.
We do not read the tag as the cxgb3 driver does as the driver supports
writing to EEPROM/VPD and when it writes, it only checks for 8192 bytes
boundary. The quirk is registered for all devices supported by the cxgb3
driver.
This adds a quirk to the PCI layer (not to the cxgb3 driver) as the cxgb3
driver itself accesses VPD directly and the problem only exists with the
vfio-pci driver (when cxgb3 is not running on the host and may not be even
loaded) which blocks accesses beyond the first block of VPD data. However
vfio-pci itself does not have quirks mechanism so we add it to PCI.
This is the controller:
Ethernet controller [0200]: Chelsio Communications Inc T310 10GbE Single Port Adapter [1425:0030]
This is what I parsed from its VPD:
===
b'\x82*\x0010 Gigabit Ethernet-SR PCI Express Adapter\x90J\x00EC\x07D76809 FN\x0746K'
0000 Large item 42 bytes; name 0x2 Identifier String
b'10 Gigabit Ethernet-SR PCI Express Adapter'
002d Large item 74 bytes; name 0x10
#00 [EC] len=7: b'D76809 '
#0a [FN] len=7: b'46K7897'
#14 [PN] len=7: b'46K7897'
#1e [MN] len=4: b'1037'
#25 [FC] len=4: b'5769'
#2c [SN] len=12: b'YL102035603V'
#3b [NA] len=12: b'00145E992ED1'
007a Small item 1 bytes; name 0xf End Tag
0c00 Large item 16 bytes; name 0x2 Identifier String
b'S310E-SR-X '
0c13 Large item 234 bytes; name 0x10
#00 [PN] len=16: b'TBD '
#13 [EC] len=16: b'110107730D2 '
#26 [SN] len=16: b'97YL102035603V '
#39 [NA] len=12: b'00145E992ED1'
#48 [V0] len=6: b'175000'
#51 [V1] len=6: b'266666'
#5a [V2] len=6: b'266666'
#63 [V3] len=6: b'2000 '
#6c [V4] len=2: b'1 '
#71 [V5] len=6: b'c2 '
#7a [V6] len=6: b'0 '
#83 [V7] len=2: b'1 '
#88 [V8] len=2: b'0 '
#8d [V9] len=2: b'0 '
#92 [VA] len=2: b'0 '
#97 [RV] len=80: b's\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'...
0d00 Large item 252 bytes; name 0x11
#00 [VC] len=16: b'122310_1222 dp '
#13 [VD] len=16: b'610-0001-00 H1\x00\x00'
#26 [VE] len=16: b'122310_1353 fp '
#39 [VF] len=16: b'610-0001-00 H1\x00\x00'
#4c [RW] len=173: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'...
0dff Small item 0 bytes; name 0xf End Tag
10f3 Large item 13315 bytes; name 0x62
!!! unknown item name 98: b'\xd0\x03\x00@`\x0c\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00'
===
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
|
|
It's not very enlightening to see
pci 0000:07:00.0: [Firmware Bug]: VPD access disabled
in the dmesg log because there's no clue about what the firmware bug is.
Expand the message to explain why we're disabling VPD.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
|
|
Remove the "PCI Express Hot Plug Controller Driver" version message. I
don't think it contains any useful information. Remove unused #defines
and move the author information to a comment.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
|
|
Remove the "PCI Hot Plug PCI Core" version message. I don't think it
contains any useful information. Remove unused #defines and move the
author information to a comment.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
|
|
Remove the "service driver %s loaded" and unloaded messages. All service
drivers already log something in their probe functions, where they can log
more useful details.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
|
|
Add a log message when we enable AER on a Root Port and the hierarchy below
it.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
|
|
All other AER-related log messages use the PCI device, e.g.,
"pci 0000:00:1c.0", not the PCIe service device, e.g.,
"aer 0000:00:1c.0:pcie02".
Change the probe error messages to match the rest and include a little
context.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
|
|
Remove the unused DRIVER_VERSION, DRIVER_AUTHOR, and DRIVER_DESC macros.
The author information is already included in a comment above.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
|
|
We already log a "Signaling PME" whenever the PME service driver claims a
Root Port. In fact, we also log the same message for every device in the
hierarchy below the Root Port.
Log the "Signaling PME" once (only for the Root Port, since we can
trivially find out which devices are below the Root Port), and include the
IRQ number in the message to help connect the dots with /proc/interrupts.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
|
|
Since we register pcie_pme_driver only for PCI_EXP_TYPE_ROOT_PORT, the PME
driver never claims Root Complex Event Collectors.
Remove unused code related to Root Complex Event Collectors.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
|
|
Move PCI configuration space size macros (PCI_CFG_SPACE_SIZE and
PCI_CFG_SPACE_EXP_SIZE) from drivers/pci/pci.h to
include/uapi/linux/pci_regs.h so they can be used by more drivers and
eliminate duplicate definitions.
[bhelgaas: Expand comment to include PCI-X details]
Signed-off-by: Wang Sheng-Hui <shhuiw@foxmail.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
|
|
'spi/topic/ti-qspi', 'spi/topic/topcliff-pch' and 'spi/topic/xlp' into spi-next
|
|
'spi/topic/rspi' and 'spi/topic/s3c64xx' into spi-next
|
|
'spi/topic/jcore' and 'spi/topic/omap' into spi-next
|
|
'spi/topic/fsl-dspi' and 'spi/topic/fsl-espi' into spi-next
|
|
'spi/topic/atmel' and 'spi/topic/axi' into spi-next
|
|
|
|
|
|
|
|
'spi/fix/spidev' into spi-linus
|
|
'asoc/topic/qcom' and 'asoc/topic/rk808' into asoc-next
|
|
'asoc/topic/max98504' and 'asoc/topic/nau8825' into asoc-next
|
|
'asoc/topic/extcon' and 'asoc/topic/fsl' into asoc-next
|
|
This struct never needs to be modified. The size of pci-mid.o ELF
sections changes thusly:
-.data 56
+.data 0
-.rodata 32
+.rodata 88
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
|
|
Once upon a time it made sense to keep the mmc block device driver and its
related code, in its own directory called card. Over time, more an more
functions/structures have become shared through generic mmc header files,
between the core and the card directory. In other words, the relationship
between them has become closer.
By sharing functions/structures via generic header files, it becomes easy
for outside users to abuse them. In a way to avoid that from happen, let's
move the files from card directory into the core directory, as it enables
us to move definitions of functions/structures into mmc core specific
header files.
Note, this is only the first step in providing a cleaner mmc interface for
outside users. Following changes will do the actual cleanup, as that is not
part of this change.
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
|
|
Only mark a page as managed when it is released back to the allocator.
This ensures that the managed page count does not get falsely increased
when a VM is running. Correspondingly change it so that pages are
marked as unmanaged after getting them from the allocator.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
|
|
/proc/xen/xenbus does not work correctly. A read blocked waiting for
a xenstore message holds the mutex needed for atomic file position
updates. This blocks any writes on the same file handle, which can
deadlock if the write is needed to unblock the read.
Clear FMODE_ATOMIC_POS when opening this device to always get
character device like sematics.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
|
|
OpenRISC does not support VGA console, so prevent that kconfig symbol
from being enabled for OpenRISC, thus fixing these build errors:
drivers/built-in.o: In function `vgacon_save_screen':
vgacon.c:(.text+0x20e0): undefined reference to `screen_info'
vgacon.c:(.text+0x20e8): undefined reference to `screen_info'
drivers/built-in.o: In function `vgacon_init':
vgacon.c:(.text+0x284c): undefined reference to `screen_info'
vgacon.c:(.text+0x2850): undefined reference to `screen_info'
drivers/built-in.o: In function `vgacon_startup':
vgacon.c:(.text+0x28d8): undefined reference to `screen_info'
drivers/built-in.o:vgacon.c:(.text+0x28f0): more undefined references to `screen_info' follow
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Cc: Chen Gang <gang.chen@asianux.com>
Cc: Jonas Bonn <jonas@southpole.se>
Signed-off-by: Stafford Horne <shorne@gmail.com>
|
|
'regulator/topic/twl' into regulator-next
|
|
'regulator/topic/lp873x', 'regulator/topic/max77620', 'regulator/topic/pwm' and 'regulator/topic/tps6507x' into regulator-next
|
|
'regulator/topic/bypass', 'regulator/topic/error' and 'regulator/topic/fixed' into regulator-next
|
|
|
|
'regulator/fix/tps65086' into regulator-linus
|
|
|
|
With this feature, the DASD device driver more robustly handles DASDs
that are attached via multiple channel paths and are subject to
constant Interface-Control-Checks (IFCCs) and Channel-Control-Checks
(CCCs) or loss of High-Performance-FICON (HPF) functionality on one or
more of these paths.
If a channel path does not work correctly, it is removed from normal
operation as long as other channel paths are available. All extended
error recovery states can be queried and reset via user space
interfaces.
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
Reviewed-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Reviewed-by: Jan Hoeppner <hoeppner@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
|
Store flags and path_data per channel path.
Implement get/set functions for various path masks.
The patch does not add functional changes.
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
Reviewed-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Reviewed-by: Jan Hoeppner <hoeppner@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
|
A break is missing resulting in the hue control enabling or disabling
the decode completely. Fix it.
Fixes: c43875f66140 ("[media] tvp5150: replace MEDIA_ENT_F_CONN_TEST by a control")
Cc: stable@vger.kernel.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The function is large and called in several places, don't inline it.
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The function is only referenced as a handler in the tvp5150_sd_media_ops
structure, which is only used when CONFIG_MEDIA_CONTROLLER is set. Don't
define the function and the structure when the configuration option is
unset to avoid an unused function warning.
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Now that we're storing usb_interface at em28xx struct,
there's no good reason to keep storing usb_device, as we can
get it from usb_interface. So, get rid of it.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The usb_device->dev is not the right device for dev_foo() calls.
Instead, it should use usb_interface->dev.
Tested-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Changing the device name, causes it to be unable to remove the
sysfs file, causing troubles if a device is removed and then
re-inserted.
[ 1010.310320] WARNING: CPU: 3 PID: 119 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x7b/0x90
[ 1010.310323] sysfs: cannot create duplicate filename '/bus/usb/devices/1-3.3'
[ 1010.310325] Modules linked in: lgdt330x em28xx_dvb dvb_core em28xx_alsa tuner_xc2028 tuner tvp5150 em28xx_v4l videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core em28xx tveeprom v4l2_common videodev media xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables cmac bnep cpufreq_powersave cpufreq_conservative cpufreq_userspace binfmt_misc parport_pc ppdev lp parport snd_hda_codec_hdmi iTCO_wdt snd_hda_codec_realtek iTCO_vendor_support snd_hda_codec_generic arc4 intel_rapl x86_pkg_temp_thermal iwlmvm intel_powerclamp coretemp kvm_intel mac80211 kvm i915
[ 1010.310383] irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel iwlwifi pl2303 aesni_intel btusb aes_x86_64 usbserial lrw btrtl gf128mul glue_helper btbcm ablk_helper cryptd btintel bluetooth drm_kms_helper cfg80211 drm psmouse pcspkr i2c_i801 e1000e serio_raw snd_hda_intel snd_soc_rt5640 snd_hda_codec snd_soc_rl6231 snd_soc_ssm4567 mei_me i2c_smbus rfkill snd_hda_core ptp mei snd_soc_core ehci_pci sg lpc_ich shpchp mfd_core ehci_hcd pps_core snd_hwdep i2c_algo_bit snd_compress snd_pcm sdhci_acpi snd_timer battery snd sdhci elan_i2c snd_soc_sst_acpi mmc_core fjes dw_dmac i2c_hid soundcore snd_soc_sst_match i2c_designware_platform video i2c_designware_core acpi_pad acpi_als kfifo_buf tpm_tis button industrialio tpm_tis_core tpm ext4 crc16 jbd2 fscrypto mbcache dm_mod joydev evdev hid_logitech_hidpp
[ 1010.310449] sd_mod hid_logitech_dj usbhid hid ahci libahci crc32c_intel libata xhci_pci xhci_hcd scsi_mod usbcore fan thermal
[ 1010.310464] CPU: 3 PID: 119 Comm: kworker/3:2 Not tainted 4.9.0-rc8+ #14
[ 1010.310466] Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
[ 1010.310487] Workqueue: usb_hub_wq hub_event [usbcore]
[ 1010.310490] 0000000000000000 ffffffff848f56c5 ffff8803b1f7f858 0000000000000000
[ 1010.310496] ffffffff8414f8f8 ffff88030000001f ffffed00763eff07 ffff8803b1f7f8f0
[ 1010.310501] ffff8803b3ea1e60 0000000000000001 ffffffffffffffef ffff8803b45c6840
[ 1010.310505] Call Trace:
[ 1010.310517] [<ffffffff848f56c5>] ? dump_stack+0x5c/0x77
[ 1010.310522] [<ffffffff8414f8f8>] ? __warn+0x168/0x1a0
[ 1010.310526] [<ffffffff8414f9e4>] ? warn_slowpath_fmt+0xb4/0xf0
[ 1010.310529] [<ffffffff8414f930>] ? __warn+0x1a0/0x1a0
[ 1010.310534] [<ffffffff845436c6>] ? kasan_kmalloc+0xa6/0xd0
[ 1010.310539] [<ffffffff846ec2fa>] ? kernfs_path_from_node+0x4a/0x60
[ 1010.310543] [<ffffffff846f66eb>] ? sysfs_warn_dup+0x7b/0x90
[ 1010.310547] [<ffffffff846f6f26>] ? sysfs_do_create_link_sd.isra.2+0xb6/0xd0
[ 1010.310553] [<ffffffff84cd5a08>] ? bus_add_device+0x318/0x6b0
[ 1010.310557] [<ffffffff846f8693>] ? sysfs_create_groups+0x83/0x110
[ 1010.310562] [<ffffffff84ccff87>] ? device_add+0x777/0x1350
[ 1010.310567] [<ffffffff84ccf810>] ? device_private_init+0x180/0x180
[ 1010.310583] [<ffffffffc00c0f77>] ? usb_new_device+0x707/0x1030 [usbcore]
[ 1010.310598] [<ffffffffc00c58c5>] ? hub_event+0x1d65/0x3280 [usbcore]
[ 1010.310604] [<ffffffff841eb4ab>] ? account_entity_dequeue+0x30b/0x4a0
[ 1010.310618] [<ffffffffc00c3b60>] ? hub_port_debounce+0x280/0x280 [usbcore]
[ 1010.310624] [<ffffffff8407ccd0>] ? compat_start_thread+0x80/0x80
[ 1010.310629] [<ffffffff851f5cb4>] ? __schedule+0x704/0x1770
[ 1010.310633] [<ffffffff851f55b0>] ? io_schedule_timeout+0x390/0x390
[ 1010.310638] [<ffffffff84541783>] ? cache_reap+0x173/0x200
[ 1010.310642] [<ffffffff84197bed>] ? process_one_work+0x4ed/0xe60
[ 1010.310646] [<ffffffff84198642>] ? worker_thread+0xe2/0xfd0
[ 1010.310650] [<ffffffff8421f76c>] ? __wake_up_common+0xbc/0x160
[ 1010.310654] [<ffffffff84198560>] ? process_one_work+0xe60/0xe60
[ 1010.310658] [<ffffffff841a837c>] ? kthread+0x1cc/0x220
[ 1010.310663] [<ffffffff841a81b0>] ? kthread_park+0x80/0x80
[ 1010.310667] [<ffffffff841a81b0>] ? kthread_park+0x80/0x80
[ 1010.310671] [<ffffffff841a81b0>] ? kthread_park+0x80/0x80
[ 1010.310675] [<ffffffff852016f5>] ? ret_from_fork+0x25/0x30
Tested-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
commit ba18a9314a94 ("Revert "HID: i2c-hid: Add support for ACPI GPIO
interrupts"") removed the need for storing the irq in struct i2c_hid.
But then commit de3c99488609 ("HID: i2c-hid: Disable IRQ before freeing
buffers") forgot to update the location of the irq.
Fix this by using the actual I2C client irq.
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
Add a forgotten include that I've by mistake omitted when resolving
merge conflict in ead0687fe30 ("HID: i2c-hid: support regulator power
on/off").
Fixes: ead0687fe30 ("HID: i2c-hid: support regulator power on/off")
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
The HID report buffers that are initially allocated on i2c_hid_probe()
might not be big enough to hold the HID reports from a specific device,
in which case they will be freed and new ones will be allocated in
i2c_hid_start(), at point which the device's report size is known. But
at this point ihid->irq is already running, and may call
i2c_hid_get_input() which passes ihid->inbuf to i2c_master_recv(). Since
this handler runs in a separate thread, ihid->inbuf may be freed at this
very moment, and i2c_master_recv() will write on memory which may be
already owned by a different part of the kernel, corrupting its data.
This problem has been observed on an Asus UX360UA laptop which has an
I2C touchpad, and results in a complete system freeze or an unusable
slowness with a lof of "BUG: unable to handle kernel paging request at
<address>" warnings. Enabling SLUB debugging shows a use-after-free
warning on memory allocated in i2c_hid_alloc_buffers() and freed in
i2c_hid_free_buffers():
=============================================================================
BUG kmalloc-64 (Not tainted): Poison overwritten
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: 0xffff880264083273-0xffff88026408329e. first byte 0x0 instead of 0x6b
INFO: Allocated in i2c_hid_alloc_buffers+0x25/0xa0 [i2c_hid] age=35793 cpu=2 pid=430
___slab_alloc+0x41e/0x460
__slab_alloc+0x20/0x40
__kmalloc+0x210/0x280
i2c_hid_alloc_buffers+0x25/0xa0 [i2c_hid]
i2c_hid_probe+0x12f/0x5e0 [i2c_hid]
i2c_device_probe+0x10a/0x1b0
driver_probe_device+0x220/0x4a0
__device_attach_driver+0x71/0xa0
bus_for_each_drv+0x67/0xb0
__device_attach+0xdc/0x170
device_initial_probe+0x13/0x20
bus_probe_device+0x92/0xa0
device_add+0x4aa/0x670
device_register+0x1a/0x20
i2c_new_device+0x18e/0x230
acpi_i2c_add_device+0x1a0/0x210
INFO: Freed in i2c_hid_free_buffers+0x16/0x60 [i2c_hid] age=7552 cpu=1 pid=1473
__slab_free+0x221/0x330
kfree+0x139/0x160
i2c_hid_free_buffers+0x16/0x60 [i2c_hid]
i2c_hid_start+0x2a9/0x2df [i2c_hid]
mt_probe+0x160/0x22e [hid_multitouch]
hid_device_probe+0xd7/0x150 [hid]
driver_probe_device+0x220/0x4a0
__driver_attach+0x84/0x90
bus_for_each_dev+0x6c/0xc0
driver_attach+0x1e/0x20
bus_add_driver+0x1c3/0x280
driver_register+0x60/0xe0
__hid_register_driver+0x53/0x90 [hid]
0xffffffffc004f01e
do_one_initcall+0xb3/0x1f0
do_init_module+0x5f/0x1d0
INFO: Slab 0xffffea0009902080 objects=20 used=20 fp=0x (null) flags=0x17fff8000004080
INFO: Object 0xffff880264083260 @offset=4704 fp=0x (null)
Bytes b4 ffff880264083250: 8d e6 fe ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
Object ffff880264083260: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object ffff880264083270: 6b 6b 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 kkk.............
Object ffff880264083280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffff880264083290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Redzone ffff8802640832a0: bb bb bb bb bb bb bb bb ........
Padding ffff8802640833e0: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
CPU: 1 PID: 1503 Comm: python3 Tainted: G B 4.4.21+ #10
Hardware name: ASUSTeK COMPUTER INC. UX360UA/UX360UA, BIOS UX360UA.200 05/05/2016
0000000000000086 00000000622d48a2 ffff88026061ba38 ffffffff813f6044
ffff880264082010 ffff880264083260 ffff88026061ba78 ffffffff811e8eab
0000000000000008 ffff880200000001 ffff88026408329f ffff88026a007700
Call Trace:
[<ffffffff813f6044>] dump_stack+0x63/0x8f
[<ffffffff811e8eab>] print_trailer+0x14b/0x1f0
[<ffffffff811e94c1>] check_bytes_and_report+0xc1/0x100
[<ffffffff811e96c4>] check_object+0x1c4/0x240
[<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
[<ffffffff811e9b44>] alloc_debug_processing+0x104/0x180
[<ffffffff811eb7be>] ___slab_alloc+0x41e/0x460
[<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
[<ffffffff8124590b>] ? __getblk_gfp+0x2b/0x60
[<ffffffff8129b969>] ? ext4_getblk+0xa9/0x190
[<ffffffff811eb820>] __slab_alloc+0x20/0x40
[<ffffffff811ed320>] __kmalloc+0x210/0x280
[<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
[<ffffffff812c1602>] ? ext4fs_dirhash+0xc2/0x2a0
[<ffffffff81293fde>] ext4_htree_store_dirent+0x3e/0x120
[<ffffffff812a4f47>] htree_dirblock_to_tree+0x187/0x1b0
[<ffffffff812a5fd2>] ext4_htree_fill_tree+0xb2/0x2e0
[<ffffffff811ebb7a>] ? kmem_cache_alloc_trace+0x1fa/0x220
[<ffffffff81293e45>] ? ext4_readdir+0x775/0x8b0
[<ffffffff81293cb1>] ext4_readdir+0x5e1/0x8b0
[<ffffffff81221c82>] iterate_dir+0x92/0x120
[<ffffffff81222118>] SyS_getdents+0x98/0x110
[<ffffffff81221d10>] ? iterate_dir+0x120/0x120
[<ffffffff818157f2>] entry_SYSCALL_64_fastpath+0x16/0x71
FIX kmalloc-64: Restoring 0xffff880264083273-0xffff88026408329e=0x6b
FIX kmalloc-64: Marking all objects used
Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
