1. 26 Aug, 2017 16 commits
    • mceusb: fix NULL-deref at probe · 7a960cbd
      Johan Hovold authored
      commit 03eb2a55 upstream.
      
      Make sure to check for the required out endpoint to avoid dereferencing
      a NULL-pointer in mce_request_packet should a malicious device lack such
      an endpoint. Note that this path is hit during probe.
      
      Fixes: 66e89522 ("V4L/DVB: IR: add mceusb IR receiver driver")
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • serial_ir: iommap is a memory address, not bool · 63ab9f0e
      Sean Young authored
      commit 069f3b10 upstream.
      
      This has been broken for a long time, so presumably it is not used. I
      have no hardware to test this on.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=61401
      
      Fixes: 90ab5ee9 ("module_param: make bool parameters really bool")
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      [bwh: Backported to 3.16: adjust filename, context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • mtd: nand: fsmc: fix NAND width handling · 11ab03e1
      Thomas Petazzoni authored
      commit ee56874f upstream.
      
      In commit eea62819 ("mtd: Add device-tree support to fsmc_nand"),
      Device Tree support was added to the fsmc_nand driver. However, this
      code has a bug in how it handles the bank-width DT property to set the
      bus width.
      
      Indeed, in the function fsmc_nand_probe_config_dt() that parses the
      Device Tree, it sets pdata->width to either 8 or 16 depending on the
      value of the bank-width DT property.
      
      Then, the ->probe() function will test if pdata->width is equal to
      FSMC_NAND_BW16 (which is 2) to set NAND_BUSWIDTH_16 in
      nand->options. Therefore, with the DT probing, this condition will never
      match.
      
      This commit fixes that by removing the "width" field from
      fsmc_nand_platform_data and instead having the fsmc_nand_probe_config_dt()
      function directly set the appropriate nand->options value.
      
      It is worth mentioning that if this commit gets backported to older
      kernels, prior to the drop of non-DT probing, then non-DT probing will
      be broken because nand->options will no longer be set to
      NAND_BUSWIDTH_16.
      
      Fixes: eea62819 ("mtd: Add device-tree support to fsmc_nand")
      Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
      [bwh: Backported to 3.16: keep fsmc_nand_platform_data::width and the
       test in fsmc_nand_probe()]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • usb: hub: Do not attempt to autosuspend disconnected devices · c45304b8
      Guenter Roeck authored
      commit f5cccf49 upstream.
      
      While running a bind/unbind stress test with the dwc3 usb driver on rk3399,
      the following crash was observed.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000218
      pgd = ffffffc00165f000
      [00000218] *pgd=000000000174f003, *pud=000000000174f003,
      				*pmd=0000000001750003, *pte=00e8000001751713
      Internal error: Oops: 96000005 [#1] PREEMPT SMP
      Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac
      ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat rfcomm
      xt_mark fuse bridge stp llc zram btusb btrtl btbcm btintel bluetooth
      ip6table_filter mwifiex_pcie mwifiex cfg80211 cdc_ether usbnet r8152 mii joydev
      snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device ppp_async
      ppp_generic slhc tun
      CPU: 1 PID: 29814 Comm: kworker/1:1 Not tainted 4.4.52 #507
      Hardware name: Google Kevin (DT)
      Workqueue: pm pm_runtime_work
      task: ffffffc0ac540000 ti: ffffffc0af4d4000 task.ti: ffffffc0af4d4000
      PC is at autosuspend_check+0x74/0x174
      LR is at autosuspend_check+0x70/0x174
      ...
      Call trace:
      [<ffffffc00080dcc0>] autosuspend_check+0x74/0x174
      [<ffffffc000810500>] usb_runtime_idle+0x20/0x40
      [<ffffffc000785ae0>] __rpm_callback+0x48/0x7c
      [<ffffffc000786af0>] rpm_idle+0x1e8/0x498
      [<ffffffc000787cdc>] pm_runtime_work+0x88/0xcc
      [<ffffffc000249bb8>] process_one_work+0x390/0x6b8
      [<ffffffc00024abcc>] worker_thread+0x480/0x610
      [<ffffffc000251a80>] kthread+0x164/0x178
      [<ffffffc0002045d0>] ret_from_fork+0x10/0x40
      
      Source:
      
      (gdb) l *0xffffffc00080dcc0
      0xffffffc00080dcc0 is in autosuspend_check
      (drivers/usb/core/driver.c:1778).
      1773		/* We don't need to check interfaces that are
      1774		 * disabled for runtime PM.  Either they are unbound
      1775		 * or else their drivers don't support autosuspend
      1776		 * and so they are permanently active.
      1777		 */
      1778		if (intf->dev.power.disable_depth)
      1779			continue;
      1780		if (atomic_read(&intf->dev.power.usage_count) > 0)
      1781			return -EBUSY;
      1782		w |= intf->needs_remote_wakeup;
      
      Code analysis shows that intf is set to NULL in usb_disable_device() prior
      to setting actconfig to NULL. At the same time, usb_runtime_idle() does not
      lock the usb device, and neither does any of the functions in the
      traceback. This means that there is no protection against a race condition
      where usb_disable_device() is removing dev->actconfig->interface[] pointers
      while those are being accessed from autosuspend_check().
      
      To solve the problem, synchronize and validate device state between
      autosuspend_check() and usb_disconnect().
      Acked-by: Alan Stern <stern@rowland.harvard.edu>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • usb: hub: Fix error loop seen after hub communication errors · daeaf55a
      Guenter Roeck authored
      commit 245b2eec upstream.
      
      While stress testing a usb controller using a bind/unbind loop, the
      following error loop was observed.
      
      usb 7-1.2: new low-speed USB device number 3 using xhci-hcd
      usb 7-1.2: hub failed to enable device, error -108
      usb 7-1-port2: cannot disable (err = -22)
      usb 7-1-port2: couldn't allocate usb_device
      usb 7-1-port2: cannot disable (err = -22)
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: activate --> -22
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: activate --> -22
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: activate --> -22
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: activate --> -22
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: activate --> -22
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: activate --> -22
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: activate --> -22
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: activate --> -22
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      ** 57 printk messages dropped ** hub 7-1:1.0: activate --> -22
      ** 82 printk messages dropped ** hub 7-1:1.0: hub_ext_port_status failed (err = -22)
      
      This continues forever. After adding tracebacks into the code,
      the call sequence leading to this is found to be as follows.
      
      [<ffffffc0007fc8e0>] hub_activate+0x368/0x7b8
      [<ffffffc0007fceb4>] hub_resume+0x2c/0x3c
      [<ffffffc00080b3b8>] usb_resume_interface.isra.6+0x128/0x158
      [<ffffffc00080b5d0>] usb_suspend_both+0x1e8/0x288
      [<ffffffc00080c9c4>] usb_runtime_suspend+0x3c/0x98
      [<ffffffc0007820a0>] __rpm_callback+0x48/0x7c
      [<ffffffc00078217c>] rpm_callback+0xa8/0xd4
      [<ffffffc000786234>] rpm_suspend+0x84/0x758
      [<ffffffc000786ca4>] rpm_idle+0x2c8/0x498
      [<ffffffc000786ed4>] __pm_runtime_idle+0x60/0xac
      [<ffffffc00080eba8>] usb_autopm_put_interface+0x6c/0x7c
      [<ffffffc000803798>] hub_event+0x10ac/0x12ac
      [<ffffffc000249bb8>] process_one_work+0x390/0x6b8
      [<ffffffc00024abcc>] worker_thread+0x480/0x610
      [<ffffffc000251a80>] kthread+0x164/0x178
      [<ffffffc0002045d0>] ret_from_fork+0x10/0x40
      
      kick_hub_wq() is called from hub_activate() even after failures to
      communicate with the hub. This results in an endless sequence of
      hub event -> hub activate -> wq trigger -> hub event -> ...
      
      Provide two solutions for the problem.
      
      - Only trigger the hub event queue if communication with the hub
        is successful.
      - After a suspend failure, only resume already suspended interfaces
        if the communication with the device is still possible.
      
      Each of the changes fixes the observed problem. Use both to improve
      robustness.
      Acked-by: Alan Stern <stern@rowland.harvard.edu>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • zd1211rw: fix NULL-deref at probe · 7698ed67
      Johan Hovold authored
      commit ca260ece upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer or accessing memory beyond the endpoint array should a
      malicious device lack the expected endpoints.
      
      Fixes: a1030e92 ("[PATCH] zd1211rw: Convert installer CDROM device into WLAN device")
      Cc: Daniel Drake <dsd@gentoo.org>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • pinctrl: sh-pfc: Update info pointer after SoC-specific init · b1b37565
      Geert Uytterhoeven authored
      commit 3091ae77 upstream.
      
      Update the sh_pfc_soc_info pointer after calling the SoC-specific
      initialization function, as it may have been updated to e.g. handle
      different SoC revisions.  This makes sure the correct subdriver name is
      printed later.
      
      Fixes: 0c151062 ("sh-pfc: Add support for SoC-specific initialization")
      Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • serial: sh-sci: Fix panic when serial console and DMA are enabled · e9ef18fa
      Takatoshi Akiyama authored
      commit 3c910176 upstream.
      
      This patch fixes an issue where a kernel panic happens when DMA is enabled
      and we press the enter key while the kernel is booting on the serial console.
      
      * An interrupt may occur after sci_request_irq().
      * DMA transfer area is initialized by setup_timer() in sci_request_dma()
        and used in interrupt.
      
      If an interrupt occurred between sci_request_irq() and setup_timer() in
      sci_request_dma(), the DMA transfer area has not been initialized yet.
      So, this patch changes the order of sci_request_irq() and
      sci_request_dma().
      
      Fixes: 73a19e4c ("serial: sh-sci: Add DMA support.")
      Signed-off-by: Takatoshi Akiyama <takatoshi.akiyama.kj@ps.hitachi-solutions.com>
      [Shimoda changes the commit log]
      Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • perf hists browser: Fix typo in function switch_data_file · f71b4718
      Changbin Du authored
      commit 3ef5b402 upstream.
      
      Should clear buf 'abs_path', not 'options'.
      Signed-off-by: Changbin Du <changbin.du@intel.com>
      Cc: Feng Tang <feng.tang@intel.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Fixes: 341487ab ("perf hists browser: Add option for runtime switching perf data file")
      Link: http://lkml.kernel.org/r/20170313114652.9207-1-changbin.du@intel.com
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ath9k_htc: Add support of AirTies 1eda:2315 AR9271 device · f05ff3f2
      Dmitry Tunin authored
      commit 16ff1fb0 upstream.
      
      T:  Bus=01 Lev=02 Prnt=02 Port=02 Cnt=01 Dev#=  7 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs=  1
      P:  Vendor=1eda ProdID=2315 Rev=01.08
      S:  Manufacturer=ATHEROS
      S:  Product=USB2.0 WLAN
      S:  SerialNumber=12345
      C:  #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 6 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
      Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ath9k_htc: Add new USB ID · d7c1a5d3
      Leon Nardella authored
      commit 0088d27b upstream.
      
      This device is a dongle made by Philips to enhance their TVs with wireless capabilities,
      but works flawlessly on any upstream kernel, provided that the ath9k_htc module is attached to it.
      It's correctly recognized by lsusb as "0471:209e Philips (or NXP) PTA01 Wireless Adapter" and the
      patch has been tested on real hardware.
      Signed-off-by: Leon Nardella <leon.nardella@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ima: accept previously set IMA_NEW_FILE · b297f0a2
      Daniel Glöckner authored
      commit 1ac202e9 upstream.
      
      Modifying the attributes of a file makes ima_inode_post_setattr reset
      the IMA cache flags. So if the file, which has just been created,
      is opened a second time before the first file descriptor is closed,
      verification fails since the security.ima xattr has not been written
      yet. We therefore have to look at the IMA_NEW_FILE even if the file
      already existed.
      
      With this patch there should no longer be an error when cat tries to
      open testfile:
      
      $ rm -f testfile
      $ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile
      
      A file being new is no reason to accept that it is missing a digital
      signature demanded by the policy.
      Signed-off-by: Daniel Glöckner <dg@emlix.com>
      Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ima: pass 'opened' flag to identify newly created files · ad4b000f
      Dmitry Kasatkin authored
      commit 3034a146 upstream.
      
      Empty files and missing xattrs do not guarantee that a file was
      just created.  This patch passes FILE_CREATED flag to IMA to
      reliably identify new files.
      Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
      [bwh: Backported to 3.16: drop change to ima_fw_from_file()]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • staging: comedi: jr3_pci: cope with jiffies wraparound · f5f27dab
      Ian Abbott authored
      commit 8ec04a49 upstream.
      
      The timer expiry routine `jr3_pci_poll_dev()` checks for expiry by
      checking whether the absolute value of `jiffies` (stored in local
      variable `now`) is greater than the expected expiry time in jiffy units.
      This will fail when `jiffies` wraps around.  Also, it seems to make
      sense to handle the expiry one jiffy earlier than the current test.  Use
      `time_after_eq()` to check for expiry.
      Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • staging: comedi: jr3_pci: fix possible null pointer dereference · e86ba264
      Ian Abbott authored
      commit 45292be0 upstream.
      
      For some reason, the driver does not consider allocation of the
      subdevice private data to be a fatal error when attaching the COMEDI
      device.  It tests the subdevice private data pointer for validity at
      certain points, but omits some crucial tests.  In particular,
      `jr3_pci_auto_attach()` calls `jr3_pci_alloc_spriv()` to allocate and
      initialize the subdevice private data, but the same function
      subsequently dereferences the pointer to access the `next_time_min` and
      `next_time_max` members without checking it first.  The other missing
      test is in the timer expiry routine `jr3_pci_poll_dev()`, but it will
      crash before it gets that far.
      
      Fix the bug by returning `-ENOMEM` from `jr3_pci_auto_attach()` as soon
      as one of the calls to `jr3_pci_alloc_spriv()` returns `NULL`.  The
      COMEDI core will subsequently call `jr3_pci_detach()` to clean up.
      Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • pvrusb2: reduce stack usage pvr2_eeprom_analyze() · a6334ec1
      Arnd Bergmann authored
      commit 6830733d upstream.
      
      The driver uses a relatively large data structure on the stack, which
      showed up on my radar as we get a warning with the "latent entropy"
      GCC plugin:
      
      drivers/media/usb/pvrusb2/pvrusb2-eeprom.c:153:1: error: the frame size of 1376 bytes is larger than 1152 bytes [-Werror=frame-larger-than=]
      
      The warning is usually hidden as we raise the warning limit to 2048
      when the plugin is enabled, but I'd like to lower that again in the
      future, and making this function smaller helps to do that without
      build regressions.
      
      Further analysis shows that putting an 'i2c_client' structure on
      the stack is not really supported, as the embedded 'struct device'
      is not initialized here, and we are only saved by the fact that
      the function that is called here does not use the pointer at all.
      
      Fixes: d855497e ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  2. 18 Jul, 2017 24 commits