1. 10 Nov, 2016 3 commits
    • Ville Syrjälä's avatar
      drm/dp/mst: Clear port->pdt when tearing down the i2c adapter · 44084f15
      Ville Syrjälä authored
      commit 36e3fa6a upstream.
      
      The i2c adapter is only relevant for some peer device types, so
      let's clear the pdt if it's still the same as the old_pdt when we
      tear down the i2c adapter.
      
      I don't really like this design pattern of updating port->whatever
      before doing the accompanying changes and passing around old_whatever
      to figure stuff out. Would make much more sense to me to the pass the
      new value around and only update the port->whatever when things are
      consistent. But let's try to work with what we have right now.
      
      Quoting a follow-up from Ville:
      
      "And naturally I forgot to amend the commit message w.r.t. this guy
      [the change in drm_dp_destroy_port].  We don't really need to do this
      here, but I figured I'd try to be a bit more consistent by having it,
      just to avoid accidental mistakes if/when someone changes this stuff
      again later."
      
      v2: Clear port->pdt in the caller, if needed (Daniel)
      
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Cc: Carlos Santa <carlos.santa@intel.com>
      Cc: Kirill A. Shutemov <kirill@shutemov.name>
      Tested-by: default avatarCarlos Santa <carlos.santa@intel.com>
      Tested-by: default avatarKirill A. Shutemov <kirill@shutemov.name>
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97666Signed-off-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: http://patchwork.freedesktop.org/patch/msgid/1477488633-16544-1-git-send-email-ville.syrjala@linux.intel.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      44084f15
    • Vladimir Zapolskiy's avatar
      i2c: core: fix NULL pointer dereference under race condition · 4125fe7f
      Vladimir Zapolskiy authored
      commit 147b36d5 upstream.
      
      Race condition between registering an I2C device driver and
      deregistering an I2C adapter device which is assumed to manage that
      I2C device may lead to a NULL pointer dereference due to the
      uninitialized list head of driver clients.
      
      The root cause of the issue is that the I2C bus may know about the
      registered device driver and thus it is matched by bus_for_each_drv(),
      but the list of clients is not initialized and commonly it is NULL,
      because I2C device drivers define struct i2c_driver as static and
      clients field is expected to be initialized by I2C core:
      
        i2c_register_driver()             i2c_del_adapter()
          driver_register()                 ...
            bus_add_driver()                ...
              ...                           bus_for_each_drv(..., __process_removed_adapter)
            ...                               i2c_do_del_adapter()
          ...                                   list_for_each_entry_safe(..., &driver->clients, ...)
          INIT_LIST_HEAD(&driver->clients);
      
      To solve the problem it is sufficient to do clients list head
      initialization before calling driver_register().
      
      The problem was found while using an I2C device driver with a sluggish
      registration routine on a bus provided by a physically detachable I2C
      master controller, but practically the oops may be reproduced under
      the race between arbitraty I2C device driver registration and managing
      I2C bus device removal e.g. by unbinding the latter over sysfs:
      
      % echo 21a4000.i2c > /sys/bus/platform/drivers/imx-i2c/unbind
        Unable to handle kernel NULL pointer dereference at virtual address 00000000
        Internal error: Oops: 17 [#1] SMP ARM
        CPU: 2 PID: 533 Comm: sh Not tainted 4.9.0-rc3+ #61
        Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
        task: e5ada400 task.stack: e4936000
        PC is at i2c_do_del_adapter+0x20/0xcc
        LR is at __process_removed_adapter+0x14/0x1c
        Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
        Control: 10c5387d  Table: 35bd004a  DAC: 00000051
        Process sh (pid: 533, stack limit = 0xe4936210)
        Stack: (0xe4937d28 to 0xe4938000)
        Backtrace:
        [<c0667be0>] (i2c_do_del_adapter) from [<c0667cc0>] (__process_removed_adapter+0x14/0x1c)
        [<c0667cac>] (__process_removed_adapter) from [<c0516998>] (bus_for_each_drv+0x6c/0xa0)
        [<c051692c>] (bus_for_each_drv) from [<c06685ec>] (i2c_del_adapter+0xbc/0x284)
        [<c0668530>] (i2c_del_adapter) from [<bf0110ec>] (i2c_imx_remove+0x44/0x164 [i2c_imx])
        [<bf0110a8>] (i2c_imx_remove [i2c_imx]) from [<c051a838>] (platform_drv_remove+0x2c/0x44)
        [<c051a80c>] (platform_drv_remove) from [<c05183d8>] (__device_release_driver+0x90/0x12c)
        [<c0518348>] (__device_release_driver) from [<c051849c>] (device_release_driver+0x28/0x34)
        [<c0518474>] (device_release_driver) from [<c0517150>] (unbind_store+0x80/0x104)
        [<c05170d0>] (unbind_store) from [<c0516520>] (drv_attr_store+0x28/0x34)
        [<c05164f8>] (drv_attr_store) from [<c0298acc>] (sysfs_kf_write+0x50/0x54)
        [<c0298a7c>] (sysfs_kf_write) from [<c029801c>] (kernfs_fop_write+0x100/0x214)
        [<c0297f1c>] (kernfs_fop_write) from [<c0220130>] (__vfs_write+0x34/0x120)
        [<c02200fc>] (__vfs_write) from [<c0221088>] (vfs_write+0xa8/0x170)
        [<c0220fe0>] (vfs_write) from [<c0221e74>] (SyS_write+0x4c/0xa8)
        [<c0221e28>] (SyS_write) from [<c0108a20>] (ret_fast_syscall+0x0/0x1c)
      Signed-off-by: default avatarVladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4125fe7f
    • Hoan Tran's avatar
      i2c: xgene: Avoid dma_buffer overrun · eeb1846d
      Hoan Tran authored
      commit 60361601 upstream.
      
      SMBus block command uses the first byte of buffer for the data length.
      The dma_buffer should be increased by 1 to avoid the overrun issue.
      Reported-by: default avatarPhil Endecott <phil_gjouf_endecott@chezphil.org>
      Signed-off-by: default avatarHoan Tran <hotran@apm.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eeb1846d
  2. 01 Nov, 2016 3 commits
  3. 31 Oct, 2016 34 commits