from:"Sasha Levin"

[PATCH AUTOSEL 4.18 075/136] staging: android: ashmem: Fix mmap size validation

2018-09-16 Thread Sasha Levin

From: Alistair Strachan 

[ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ]

The ashmem driver did not check that the size/offset of the vma passed
to its .mmap() function was not larger than the ashmem object being
mapped. This could cause mmap() to succeed, even though accessing parts
of the mapping would later fail with a segmentation fault.

Ensure an error is returned by the ashmem_mmap() function if the vma
size is larger than the ashmem object size. This enables safer handling
of the problem in userspace.

Cc: Todd Kjos 
Cc: de...@driverdev.osuosl.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: Joel Fernandes 
Signed-off-by: Alistair Strachan 
Acked-by: Joel Fernandes (Google) 
Reviewed-by: Martijn Coenen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/android/ashmem.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
index d5d33e12e952..716573c21579 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -366,6 +366,12 @@ static int ashmem_mmap(struct file *file, struct 
vm_area_struct *vma)
goto out;
}
 
+   /* requested mapping size larger than object size */
+   if (vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size)) {
+   ret = -EINVAL;
+   goto out;
+   }
+
/* requested protection bits must match our allowed protection mask */
if (unlikely((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) &
 calc_vm_prot_bits(PROT_MASK, 0))) {
-- 
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 56/87] staging: android: ashmem: Fix mmap size validation

2018-09-16 Thread Sasha Levin

From: Alistair Strachan 

[ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ]

The ashmem driver did not check that the size/offset of the vma passed
to its .mmap() function was not larger than the ashmem object being
mapped. This could cause mmap() to succeed, even though accessing parts
of the mapping would later fail with a segmentation fault.

Ensure an error is returned by the ashmem_mmap() function if the vma
size is larger than the ashmem object size. This enables safer handling
of the problem in userspace.

Cc: Todd Kjos 
Cc: de...@driverdev.osuosl.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: Joel Fernandes 
Signed-off-by: Alistair Strachan 
Acked-by: Joel Fernandes (Google) 
Reviewed-by: Martijn Coenen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/android/ashmem.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
index 893b2836089c..4151bb44a410 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -374,6 +374,12 @@ static int ashmem_mmap(struct file *file, struct 
vm_area_struct *vma)
goto out;
}
 
+   /* requested mapping size larger than object size */
+   if (vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size)) {
+   ret = -EINVAL;
+   goto out;
+   }
+
/* requested protection bits must match our allowed protection mask */
if (unlikely((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) &
 calc_vm_prot_bits(PROT_MASK, 0))) {
-- 
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.4 28/43] staging: android: ashmem: Fix mmap size validation

2018-09-16 Thread Sasha Levin

From: Alistair Strachan 

[ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ]

The ashmem driver did not check that the size/offset of the vma passed
to its .mmap() function was not larger than the ashmem object being
mapped. This could cause mmap() to succeed, even though accessing parts
of the mapping would later fail with a segmentation fault.

Ensure an error is returned by the ashmem_mmap() function if the vma
size is larger than the ashmem object size. This enables safer handling
of the problem in userspace.

Cc: Todd Kjos 
Cc: de...@driverdev.osuosl.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: Joel Fernandes 
Signed-off-by: Alistair Strachan 
Acked-by: Joel Fernandes (Google) 
Reviewed-by: Martijn Coenen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/android/ashmem.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
index 013b33760639..e9c74c41aece 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -370,6 +370,12 @@ static int ashmem_mmap(struct file *file, struct 
vm_area_struct *vma)
goto out;
}
 
+   /* requested mapping size larger than object size */
+   if (vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size)) {
+   ret = -EINVAL;
+   goto out;
+   }
+
/* requested protection bits must match our allowed protection mask */
if (unlikely((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask)) &
 calc_vm_prot_bits(PROT_MASK))) {
-- 
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 3.18 17/29] staging: android: ashmem: Fix mmap size validation

2018-09-16 Thread Sasha Levin

From: Alistair Strachan 

[ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ]

The ashmem driver did not check that the size/offset of the vma passed
to its .mmap() function was not larger than the ashmem object being
mapped. This could cause mmap() to succeed, even though accessing parts
of the mapping would later fail with a segmentation fault.

Ensure an error is returned by the ashmem_mmap() function if the vma
size is larger than the ashmem object size. This enables safer handling
of the problem in userspace.

Cc: Todd Kjos 
Cc: de...@driverdev.osuosl.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: Joel Fernandes 
Signed-off-by: Alistair Strachan 
Acked-by: Joel Fernandes (Google) 
Reviewed-by: Martijn Coenen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/android/ashmem.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
index cf7c597e598f..22ddd4ce9dd6 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -370,6 +370,12 @@ static int ashmem_mmap(struct file *file, struct 
vm_area_struct *vma)
goto out;
}
 
+   /* requested mapping size larger than object size */
+   if (vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size)) {
+   ret = -EINVAL;
+   goto out;
+   }
+
/* requested protection bits must match our allowed protection mask */
if (unlikely((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask)) &
 calc_vm_prot_bits(PROT_MASK))) {
-- 
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.9 35/57] staging: android: ashmem: Fix mmap size validation

2018-09-16 Thread Sasha Levin

From: Alistair Strachan 

[ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ]

The ashmem driver did not check that the size/offset of the vma passed
to its .mmap() function was not larger than the ashmem object being
mapped. This could cause mmap() to succeed, even though accessing parts
of the mapping would later fail with a segmentation fault.

Ensure an error is returned by the ashmem_mmap() function if the vma
size is larger than the ashmem object size. This enables safer handling
of the problem in userspace.

Cc: Todd Kjos 
Cc: de...@driverdev.osuosl.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: Joel Fernandes 
Signed-off-by: Alistair Strachan 
Acked-by: Joel Fernandes (Google) 
Reviewed-by: Martijn Coenen 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/android/ashmem.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
index 6d690e5fa9bb..c6314d1552ea 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -383,6 +383,12 @@ static int ashmem_mmap(struct file *file, struct 
vm_area_struct *vma)
goto out;
}
 
+   /* requested mapping size larger than object size */
+   if (vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size)) {
+   ret = -EINVAL;
+   goto out;
+   }
+
/* requested protection bits must match our allowed protection mask */
if (unlikely((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) &
 calc_vm_prot_bits(PROT_MASK, 0))) {
-- 
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH v2] staging: iio: ad7816: Switch to the gpio descriptor interface

2018-10-17 Thread Sasha Levin


On Wed, Oct 17, 2018 at 08:17:20PM +0530, Nishad Kamdar wrote:

+   chip->rdwr_pin = devm_gpiod_get(&spi_dev->dev, "rdwr", GPIOD_IN);
+   if (IS_ERR(chip->rdwr_pin)) {
+   ret = PTR_ERR(chip->rdwr_pin);
+   dev_err(&spi_dev->dev, "Failed to request rdwr GPIO: %d\n",
+   ret);
return ret;
}
-   gpio_direction_input(chip->rdwr_pin);
-   ret = devm_gpio_request(&spi_dev->dev, chip->convert_pin,
-   spi_get_device_id(spi_dev)->name);
-   if (ret) {
-   dev_err(&spi_dev->dev, "Fail to request convert gpio PIN %d.\n",
-   chip->convert_pin);
+   chip->convert_pin = devm_gpiod_get(&spi_dev->dev, "convert", GPIOD_IN);
+   if (IS_ERR(chip->convert_pin)) {
+   ret = PTR_ERR(chip->convert_pin);
+   dev_err(&spi_dev->dev, "Failed to request convert GPIO: %d\n",
+   ret);
return ret;
}
-   gpio_direction_input(chip->convert_pin);
-   ret = devm_gpio_request(&spi_dev->dev, chip->busy_pin,
-   spi_get_device_id(spi_dev)->name);
-   if (ret) {
-   dev_err(&spi_dev->dev, "Fail to request busy gpio PIN %d.\n",
-   chip->busy_pin);
+   chip->busy_pin = devm_gpiod_get(&spi_dev->dev, "busy", GPIOD_IN);
+   if (IS_ERR(chip->busy_pin)) {
+   ret = PTR_ERR(chip->busy_pin);
+   dev_err(&spi_dev->dev, "Failed to request busy GPIO: %d\n",
+   ret);
return ret;
}


Hm, from what I can tell devm_gpio_request() is allocating some memory,
which makes this a series of 4 allocations.

What happens if the fourth allocation fails? Do we leak the first three?

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [Outreachy kernel] [RESEND PATCH 2/2] staging: vboxvideo: Use unsigned int instead bool

2018-10-26 Thread Sasha Levin


On Fri, Oct 26, 2018 at 04:04:45PM -0300, Shayenne da Luz Moura wrote:

This change was suggested by checkpath.pl. Use unsigned int with bitfield
allocate only one bit to the boolean variable.

CHECK: Avoid using bool structure members because of possible alignment
issues

Signed-off-by: Shayenne da Luz Moura 
---
drivers/staging/vboxvideo/vbox_drv.h| 14 +++---
drivers/staging/vboxvideo/vboxvideo_guest.h |  2 +-
2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/drivers/staging/vboxvideo/vbox_drv.h 
b/drivers/staging/vboxvideo/vbox_drv.h
index 594f84272957..7d3e329a6b1c 100644
--- a/drivers/staging/vboxvideo/vbox_drv.h
+++ b/drivers/staging/vboxvideo/vbox_drv.h
@@ -81,7 +81,7 @@ struct vbox_private {
u8 __iomem *vbva_buffers;
struct gen_pool *guest_pool;
struct vbva_buf_ctx *vbva_info;
-   bool any_pitch;
+   unsigned int any_pitch:1;
u32 num_crtcs;
/** Amount of available VRAM, including space used for buffers. */
u32 full_vram_size;


Using bitfields for booleans in these cases is less efficient than just
using "regular" booleans for two reasons:

1. It will use the same amount of space. Due to alignment requirements,
the compiler can't squeeze in anything into the 7 bits that are now
"free". Each member, unless it's another bitfield, must start at a whole
byte.

2. This is actually less efficient (slower) for the compiler to work
with. The smallest granularity we have to access memory is 1 byte; we
can't set individual bits directly in memory. For the original code, the
assembly for 'vbox_private.any_pitch = true' would look something like
this:

movl   $0x1,-0x10(%rsp)

As you can see, the compiler can directly write into the variable.
However, when we switch to using bitfields, the compiler must preserve
the original value of the other 7 bits, so it must first read them from
memory, manipulate the value and write it back. The assembly would
look something like this:

movzbl -0x10(%rsp),%eax
or $0x1,%eax
mov%al,-0x10(%rsp)

Which is less efficient than what was previously happening.

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [Outreachy kernel] Re: [PATCH v2] staging: vboxvideo: Remove unnecessary parentheses

2018-10-30 Thread Sasha Levin


On Tue, Oct 30, 2018 at 08:17:57PM -0300, Shayenne Moura wrote:

On 10/30, Greg Kroah-Hartman wrote:

On Tue, Oct 23, 2018 at 02:43:04PM -0300, Shayenne da Luz Moura wrote:
> Remove unneeded parentheses around the arguments of ||. This reduces
> clutter and code behave in the same way.
> Change suggested by checkpatch.pl.
>
> vbox_main.c:119: CHECK: Unnecessary parentheses around 'rects[i].x2 <
> crtc->x'
>
> Signed-off-by: Shayenne da Luz Moura 
> Reviewed-by: Hans de Goede 
> ---
> Changes in v2:
>   - Make the commit message more clearer.

This patch does not apply to the latest kernel tree at all :(

Please fix up and resend.

thanks,

greg k-h


Hi Greg!

Sorry, I do not know what branch are expected to be used.
I used the drm-misc-next to create this patch and I could not
find any merge problem.

Could you please tell me the details?


Hi Shayenne,

There's an easy trick for this: the kernel tree has a script that can
help you find both the relevant maintainers, and their development tree
for each file in the kernel.

Simply run:

./scripts/get_maintainer.pl --scm -f [filename]

For example, in this case, you'd run:

$ ./scripts/get_maintainer.pl --scm -f 
drivers/staging/vboxvideo/vbox_main.c
Greg Kroah-Hartman  (supporter:STAGING 
SUBSYSTEM,commit_signer:10/10=100%)
Hans de Goede  
(commit_signer:7/10=70%,authored:6/10=60%,added_lines:31/37=84%,removed_lines:153/159=96%)
Fabio Rafael da Rosa  
(commit_signer:1/10=10%,authored:1/10=10%)
Alexander Kapshuk  
(commit_signer:1/10=10%,authored:1/10=10%)
Nicholas Mc Guire  (commit_signer:1/10=10%)
Thomas Zimmermann  
(authored:1/10=10%,added_lines:2/37=5%)
Daniel Junho  (authored:1/10=10%,added_lines:2/37=5%)
de...@driverdev.osuosl.org (open list:STAGING SUBSYSTEM)
linux-ker...@vger.kernel.org (open list)
git git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git

The list of people and mailing lists are the ones that should be the
recipients of your patch, and the last line is the git tree on which the
patch should be based on.

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH 2/2] Drivers: hv: vmbus: offload the handling of channels to two workqueues

2018-11-25 Thread Sasha Levin


On Mon, Nov 26, 2018 at 02:29:57AM +, k...@linuxonhyperv.com wrote:

From: Dexuan Cui 

vmbus_process_offer() mustn't call channel->sc_creation_callback()
directly for sub-channels, because sc_creation_callback() ->
vmbus_open() may never get the host's response to the
OPEN_CHANNEL message (the host may rescind a channel at any time,
e.g. in the case of hot removing a NIC), and vmbus_onoffer_rescind()
may not wake up the vmbus_open() as it's blocked due to a non-zero
vmbus_connection.offer_in_progress, and finally we have a deadlock.

The above is also true for primary channels, if the related device
drivers use sync probing mode by default.

And, usually the handling of primary channels and sub-channels can
depend on each other, so we should offload them to different
workqueues to avoid possible deadlock, e.g. in sync-probing mode,
NIC1's netvsc_subchan_work() can race with NIC2's netvsc_probe() ->
rtnl_lock(), and causes deadlock: the former gets the rtnl_lock
and waits for all the sub-channels to appear, but the latter
can't get the rtnl_lock and this blocks the handling of sub-channels.

The patch can fix the multiple-NIC deadlock described above for
v3.x kernels (e.g. RHEL 7.x) which don't support async-probing
of devices, and v4.4, v4.9, v4.14 and v4.18 which support async-probing
but don't enable async-probing for Hyper-V drivers (yet).

The patch can also fix the hang issue in sub-channel's handling described
above for all versions of kernels, including v4.19 and v4.20-rc3.

So the patch should be applied to all the existing kernels.

Fixes: 8195b1396ec8 ("hv_netvsc: fix deadlock on hotplug")
Cc: sta...@vger.kernel.org
Cc: Stephen Hemminger 
Cc: K. Y. Srinivasan 
Cc: Haiyang Zhang 
Signed-off-by: Dexuan Cui 
Signed-off-by: K. Y. Srinivasan 


This patch doesn't apply on next/linus/char-misc; there seems to be a
missing patch that touches vmbus_process_offer() which isn't a part of
this series.

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH] scsi: storvsc: Fix a race in sub-channel creation that can cause panic

2018-11-25 Thread Sasha Levin


On Mon, Nov 26, 2018 at 12:26:17AM +, k...@linuxonhyperv.com wrote:

From: Dexuan Cui 

We can concurrently try to open the same sub-channel from 2 paths:

path #1: vmbus_onoffer() -> vmbus_process_offer() -> handle_sc_creation().
path #2: storvsc_probe() -> storvsc_connect_to_vsp() ->
 -> storvsc_channel_init() -> handle_multichannel_storage() ->
 -> vmbus_are_subchannels_present() -> handle_sc_creation().

They conflict with each other, but it was not an issue before the recent
commit ae6935ed7d42 ("vmbus: split ring buffer allocation from open"),
because at the beginning of vmbus_open() we checked newchannel->state so
only one path could succeed, and the other would return with -EINVAL.

After ae6935ed7d42, the failing path frees the channel's ringbuffer by
vmbus_free_ring(), and this causes a panic later.

Commit ae6935ed7d42 itself is good, and it just reveals the longstanding
race. We can resolve the issue by removing path #2, i.e. removing the
second vmbus_are_subchannels_present() in handle_multichannel_storage().

BTW, the comment "Check to see if sub-channels have already been created"
in handle_multichannel_storage() is incorrect: when we unload the driver,
we first close the sub-channel(s) and then close the primary channel, next
the host sends rescind-offer message(s) so primary->sc_list will become
empty. This means the first vmbus_are_subchannels_present() in
handle_multichannel_storage() is never useful.

Fixes: ae6935ed7d42 ("vmbus: split ring buffer allocation from open")
Cc: sta...@vger.kernel.org
Cc: Long Li 
Cc: Stephen Hemminger 
Cc: K. Y. Srinivasan 
Cc: Haiyang Zhang 
Signed-off-by: Dexuan Cui 
Signed-off-by: K. Y. Srinivasan 


Just a heads-up: ae6935ed7d42 ("vmbus: split ring buffer allocation from
open") was merged in the 4.20 merge window, so this fix won't actually
apply to any of the current stable trees.

However, it's good to have tags (fixes + cc: stable) here since this fix
might end up (for whatever reason) getting merged only for 4.21, which
will then make these tags relevant.

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.19 007/123] staging: rtl8723bs: Fix the return value in case of error in 'rtw_wx_read32()'

2018-12-05 Thread Sasha Levin

From: Christophe JAILLET 

[ Upstream commit c3e43d8b958bd6849817393483e805d8638a8ab7 ]

We return 0 unconditionally in 'rtw_wx_read32()'.
However, 'ret' is set to some error codes in several error handling paths.

Return 'ret' instead to propagate the error code.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Signed-off-by: Christophe JAILLET 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c 
b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index c38298d960ff..4f120e72c7d2 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -2289,7 +2289,7 @@ static int rtw_wx_read32(struct net_device *dev,
 exit:
kfree(ptmp);
 
-   return 0;
+   return ret;
 }
 
 static int rtw_wx_write32(struct net_device *dev,
-- 
2.17.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 04/69] staging: rtl8723bs: Fix the return value in case of error in 'rtw_wx_read32()'

2018-12-05 Thread Sasha Levin

From: Christophe JAILLET 

[ Upstream commit c3e43d8b958bd6849817393483e805d8638a8ab7 ]

We return 0 unconditionally in 'rtw_wx_read32()'.
However, 'ret' is set to some error codes in several error handling paths.

Return 'ret' instead to propagate the error code.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Signed-off-by: Christophe JAILLET 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c 
b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index d5e5f830f2a1..1b61da61690b 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -2383,7 +2383,7 @@ static int rtw_wx_read32(struct net_device *dev,
 exit:
kfree(ptmp);
 
-   return 0;
+   return ret;
 }
 
 static int rtw_wx_write32(struct net_device *dev,
-- 
2.17.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH] MAINTAINERS: Patch monkey for the Hyper-V code

2018-12-11 Thread Sasha Levin

Now the Hyper-V code has it's own monkey on a tree!

Make it easier to manage patch flow to upper level maintainers.

Acked-by: Haiyang Zhang 
Acked-by: K. Y. Srinivasan 
Signed-off-by: Sasha Levin 
---
 MAINTAINERS | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index 8119141a926f..553b1ed1d01f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -6901,8 +6901,10 @@ Hyper-V CORE AND DRIVERS
 M: "K. Y. Srinivasan" 
 M: Haiyang Zhang 
 M: Stephen Hemminger 
+M: Sasha Levin 
+T: git git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux.git
 L: de...@linuxdriverproject.org
-S: Maintained
+S: Supported
 F: Documentation/networking/netvsc.txt
 F: arch/x86/include/asm/mshyperv.h
 F: arch/x86/include/asm/trace/hyperv.h
-- 
2.19.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH] MAINTAINERS: Patch monkey for the Hyper-V code

2018-12-11 Thread Sasha Levin


On Tue, Dec 11, 2018 at 07:09:59PM +0100, Greg KH wrote:

On Tue, Dec 11, 2018 at 12:09:49PM -0500, Sasha Levin wrote:

Now the Hyper-V code has it's own monkey on a tree!

Make it easier to manage patch flow to upper level maintainers.

Acked-by: Haiyang Zhang 
Acked-by: K. Y. Srinivasan 
Signed-off-by: Sasha Levin 
---
 MAINTAINERS | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index 8119141a926f..553b1ed1d01f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -6901,8 +6901,10 @@ Hyper-V CORE AND DRIVERS
 M: "K. Y. Srinivasan" 
 M: Haiyang Zhang 
 M: Stephen Hemminger 
+M: Sasha Levin 
+T: git git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux.git


A "project" git tree, that's odd for such a small subsystem...


Indeed. Two things drove this change:

1. We have multiple maintainers we work with; patches go into the net,
scsi, or char-misc trees, which is tricky to manage if we have one
change that spawns multiple trees (like we did a few weeks ago).

2. We plan on continuing working with external interns (such as
Outreachy), so being able to access a common tree makes life easier for
everyone.


 L: de...@linuxdriverproject.org
-S: Maintained
+S: Supported


Yeah!  Finally someone is getting paid to do this :)


I managed to negotiate them to two bananas/day! :)

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.10 14/36] media: rkisp1: uapi: change hist_bins array type from u16 to u32

2021-02-08 Thread Sasha Levin

From: Dafna Hirschfeld 

[ Upstream commit 31f190e0ccac8b75d33fdc95a797c526cf9b149e ]

Each entry in the array is a 20 bits value composed of 16 bits unsigned
integer and 4 bits fractional part. So the type should change to __u32.
In addition add a documentation of how the measurements are done.

Signed-off-by: Dafna Hirschfeld 
Acked-by: Helen Koike 
Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Sasha Levin 
---
 drivers/staging/media/rkisp1/uapi/rkisp1-config.h | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/media/rkisp1/uapi/rkisp1-config.h 
b/drivers/staging/media/rkisp1/uapi/rkisp1-config.h
index 432cb6be55b47..c19fe059c2442 100644
--- a/drivers/staging/media/rkisp1/uapi/rkisp1-config.h
+++ b/drivers/staging/media/rkisp1/uapi/rkisp1-config.h
@@ -848,13 +848,18 @@ struct rkisp1_cif_isp_af_stat {
 /**
  * struct rkisp1_cif_isp_hist_stat - statistics histogram data
  *
- * @hist_bins: measured bin counters
+ * @hist_bins: measured bin counters. Each bin is a 20 bits unsigned fixed 
point
+ *type. Bits 0-4 are the fractional part and bits 5-19 are the
+ *integer part.
  *
- * Measurement window divided into 25 sub-windows, set
- * with ISP_HIST_XXX
+ * The window of the measurements area is divided to 5x5 sub-windows. The
+ * histogram is then computed for each sub-window independently and the final
+ * result is a weighted average of the histogram measurements on all
+ * sub-windows. The window of the measurements area and the weight of each
+ * sub-window are configurable using struct @rkisp1_cif_isp_hst_config.
  */
 struct rkisp1_cif_isp_hist_stat {
-   __u16 hist_bins[RKISP1_CIF_ISP_HIST_BIN_N_MAX];
+   __u32 hist_bins[RKISP1_CIF_ISP_HIST_BIN_N_MAX];
 };
 
 /**
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.10 15/36] media: rkisp1: stats: remove a wrong cast to u8

2021-02-08 Thread Sasha Levin

From: Dafna Hirschfeld 

[ Upstream commit a76f8dc8be471028540df24749e99a3ec0ac7c94 ]

hist_bins is an array of type __u32. Each entry represent
a 20 bit fixed point value as documented inline.
The cast to u8 when setting the values is wrong. Remove it.

Signed-off-by: Dafna Hirschfeld 
Reviewed-by: Heiko Stuebner 
Acked-by: Helen Koike 
Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Sasha Levin 
---
 drivers/staging/media/rkisp1/rkisp1-stats.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/staging/media/rkisp1/rkisp1-stats.c 
b/drivers/staging/media/rkisp1/rkisp1-stats.c
index 51c64f75fe29a..8fdf646c4b75b 100644
--- a/drivers/staging/media/rkisp1/rkisp1-stats.c
+++ b/drivers/staging/media/rkisp1/rkisp1-stats.c
@@ -253,8 +253,7 @@ static void rkisp1_stats_get_hst_meas(struct rkisp1_stats 
*stats,
pbuf->meas_type |= RKISP1_CIF_ISP_STAT_HIST;
for (i = 0; i < RKISP1_CIF_ISP_HIST_BIN_N_MAX; i++)
pbuf->params.hist.hist_bins[i] =
-   (u8)rkisp1_read(rkisp1,
-   RKISP1_CIF_ISP_HIST_BIN_0 + i * 4);
+   rkisp1_read(rkisp1, RKISP1_CIF_ISP_HIST_BIN_0 + i * 4);
 }
 
 static void rkisp1_stats_get_bls_meas(struct rkisp1_stats *stats,
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.10 16/36] media: rkisp1: stats: mask the hist_bins values

2021-02-08 Thread Sasha Levin

From: Dafna Hirschfeld 

[ Upstream commit a802a0430b863f03bc01aaea2d2bf6ff464f03e7 ]

hist_bins is an array of type __u32. Each entry represents
a 20 bit value. So mask out the unused bits.

Signed-off-by: Dafna Hirschfeld 
Acked-by: Helen Koike 
Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Sasha Levin 
---
 drivers/staging/media/rkisp1/rkisp1-regs.h  | 1 +
 drivers/staging/media/rkisp1/rkisp1-stats.c | 8 +---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/media/rkisp1/rkisp1-regs.h 
b/drivers/staging/media/rkisp1/rkisp1-regs.h
index 049f6c3a11df5..5819e58b2e557 100644
--- a/drivers/staging/media/rkisp1/rkisp1-regs.h
+++ b/drivers/staging/media/rkisp1/rkisp1-regs.h
@@ -365,6 +365,7 @@
 #define RKISP1_CIF_ISP_MAX_HIST_PREDIVIDER 0x007F
 #define RKISP1_CIF_ISP_HIST_ROW_NUM5
 #define RKISP1_CIF_ISP_HIST_COLUMN_NUM 5
+#define RKISP1_CIF_ISP_HIST_GET_BIN(x) ((x) & 0x000F)
 
 /* AUTO FOCUS MEASUREMENT:  ISP_AFM_CTRL */
 #define RKISP1_ISP_AFM_CTRL_ENABLE BIT(0)
diff --git a/drivers/staging/media/rkisp1/rkisp1-stats.c 
b/drivers/staging/media/rkisp1/rkisp1-stats.c
index 8fdf646c4b75b..e52ba9b154e90 100644
--- a/drivers/staging/media/rkisp1/rkisp1-stats.c
+++ b/drivers/staging/media/rkisp1/rkisp1-stats.c
@@ -251,9 +251,11 @@ static void rkisp1_stats_get_hst_meas(struct rkisp1_stats 
*stats,
unsigned int i;
 
pbuf->meas_type |= RKISP1_CIF_ISP_STAT_HIST;
-   for (i = 0; i < RKISP1_CIF_ISP_HIST_BIN_N_MAX; i++)
-   pbuf->params.hist.hist_bins[i] =
-   rkisp1_read(rkisp1, RKISP1_CIF_ISP_HIST_BIN_0 + i * 4);
+   for (i = 0; i < RKISP1_CIF_ISP_HIST_BIN_N_MAX; i++) {
+   u32 reg_val = rkisp1_read(rkisp1, RKISP1_CIF_ISP_HIST_BIN_0 + i 
* 4);
+
+   pbuf->params.hist.hist_bins[i] = 
RKISP1_CIF_ISP_HIST_GET_BIN(reg_val);
+   }
 }
 
 static void rkisp1_stats_get_bls_meas(struct rkisp1_stats *stats,
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH AUTOSEL 5.10 14/36] media: rkisp1: uapi: change hist_bins array type from u16 to u32

2021-02-10 Thread Sasha Levin

On Tue, Feb 09, 2021 at 02:44:19PM +0100, Greg Kroah-Hartman wrote:

On Tue, Feb 09, 2021 at 02:39:41PM +0100, Hans Verkuil wrote:

On 09/02/2021 14:02, Greg Kroah-Hartman wrote:
> On Tue, Feb 09, 2021 at 01:45:35PM +0100, Dafna Hirschfeld wrote:
>>
>>
>> Am 08.02.21 um 21:46 schrieb Hans Verkuil:
>>> On 08/02/2021 18:57, Sasha Levin wrote:
>>>> From: Dafna Hirschfeld 
>>>>
>>>> [ Upstream commit 31f190e0ccac8b75d33fdc95a797c526cf9b149e ]
>>>>
>>>> Each entry in the array is a 20 bits value composed of 16 bits unsigned
>>>> integer and 4 bits fractional part. So the type should change to __u32.
>>>> In addition add a documentation of how the measurements are done.
>>>
>>> Dafna, Helen, does it make sense at all to backport these three patches to
>>> when rkisp1 was a staging driver?
>>>
>>> I would be inclined not to backport this.
>>
>> I also don't think it makes sense since this changes the uapi and it is not 
really a bug fix.
>
> Why was it ok to change the uapi in a newer kernel and not an older one?

In the older kernels this was a staging driver and the driver API was not 
public.
It's debatable whether there is any benefit from trying to backport patches like
this to a staging driver like that.

Also, these backports are incomplete, there are other patches that would need to
be applied to make this work. Applying just these three patches without the 
other
three (commits 66d81de7ea9d, fc672d806bd7 and ef357e02b6c4) makes it very messy
indeed.

I'd just leave the staging driver in older kernels as-is. Certainly don't just
apply these three patches without the other three commits, that would make it
even worse.

Fair enough, Sasha, can you drop these?

Yup.

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.11 03/67] staging: fwserial: Fix error handling in fwserial_create

2021-02-24 Thread Sasha Levin

From: Dinghao Liu 

[ Upstream commit f31559af97a0eabd467e4719253675b7dccb8a46 ]

When fw_core_add_address_handler() fails, we need to destroy
the port by tty_port_destroy(). Also we need to unregister
the address handler by fw_core_remove_address_handler() on
failure.

Signed-off-by: Dinghao Liu 
Link: https://lore.kernel.org/r/20201221122437.10274-1-dinghao@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/fwserial/fwserial.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/fwserial/fwserial.c 
b/drivers/staging/fwserial/fwserial.c
index db83d34cd6779..c368082aae1aa 100644
--- a/drivers/staging/fwserial/fwserial.c
+++ b/drivers/staging/fwserial/fwserial.c
@@ -2189,6 +2189,7 @@ static int fwserial_create(struct fw_unit *unit)
err = fw_core_add_address_handler(&port->rx_handler,
  &fw_high_memory_region);
if (err) {
+   tty_port_destroy(&port->port);
kfree(port);
goto free_ports;
}
@@ -2271,6 +2272,7 @@ static int fwserial_create(struct fw_unit *unit)
 
 free_ports:
for (--i; i >= 0; --i) {
+   fw_core_remove_address_handler(&serial->ports[i]->rx_handler);
tty_port_destroy(&serial->ports[i]->port);
kfree(serial->ports[i]);
}
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.11 19/67] staging: most: sound: add sanity check for function argument

2021-02-24 Thread Sasha Levin

From: Christian Gromm 

[ Upstream commit 45b754ae5b82949dca2b6e74fa680313cefdc813 ]

This patch checks the function parameter 'bytes' before doing the
subtraction to prevent memory corruption.

Signed-off-by: Christian Gromm 
Reported-by: Dan Carpenter 
Link: 
https://lore.kernel.org/r/1612282865-21846-1-git-send-email-christian.gr...@microchip.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/most/sound/sound.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/most/sound/sound.c 
b/drivers/staging/most/sound/sound.c
index 3a1a590580427..45befb8c11268 100644
--- a/drivers/staging/most/sound/sound.c
+++ b/drivers/staging/most/sound/sound.c
@@ -86,6 +86,8 @@ static void swap_copy24(u8 *dest, const u8 *source, unsigned 
int bytes)
 {
unsigned int i = 0;
 
+   if (bytes < 2)
+   return;
while (i < bytes - 2) {
dest[i] = source[i + 2];
dest[i + 1] = source[i + 1];
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.11 20/67] staging: bcm2835-audio: Replace unsafe strcpy() with strscpy()

2021-02-24 Thread Sasha Levin

From: Juerg Haefliger 

[ Upstream commit 4964a4300660d27907ceb655f219ac47e5941534 ]

Replace strcpy() with strscpy() in bcm2835-audio/bcm2835.c to prevent the
following when loading snd-bcm2835:

[   58.480634] [ cut here ]
[   58.485321] kernel BUG at lib/string.c:1149!
[   58.489650] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[   58.495214] Modules linked in: snd_bcm2835(COE+) snd_pcm snd_timer snd 
dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua btsdio bluetooth 
ecdh_generic ecc bcm2835_v4l2(CE) bcm2835_codec(CE) brcmfmac bcm2835_isp(CE) 
bcm2835_mmal_vchiq(CE) brcmutil cfg80211 v4l2_mem2mem videobuf2_vmalloc 
videobuf2_dma_contig videobuf2_memops raspberrypi_hwmon videobuf2_v4l2 
videobuf2_common videodev bcm2835_gpiomem mc vc_sm_cma(CE) rpivid_mem 
uio_pdrv_genirq uio sch_fq_codel drm ip_tables x_tables autofs4 btrfs 
blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq 
async_xor async_tx xor xor_neon raid6_pq libcrc32c raid1 raid0 multipath linear 
dwc2 roles spidev udc_core crct10dif_ce xhci_pci xhci_pci_renesas phy_generic 
aes_neon_bs aes_neon_blk crypto_simd cryptd
[   58.563787] CPU: 3 PID: 1959 Comm: insmod Tainted: G C OE 
5.11.0-1001-raspi #1
[   58.572172] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT)
[   58.578086] pstate: 6045 (nZCv daif +PAN -UAO -TCO BTYPE=--)
[   58.584178] pc : fortify_panic+0x20/0x24
[   58.588161] lr : fortify_panic+0x20/0x24
[   58.592136] sp : 800010a83990
[   58.595491] x29: 800010a83990 x28: 0002
[   58.600879] x27: b0b07cb72928 x26: 
[   58.606268] x25: 39e884973838 x24: b0b07cb74190
[   58.611655] x23: b0b07cb72030 x22: 
[   58.617042] x21: 39e884973014 x20: 39e88b793010
[   58.622428] x19: b0b07cb72670 x18: 0030
[   58.627814] x17:  x16: b0b092ce2c1c
[   58.633200] x15: 39e88b901500 x14: 0720072007200720
[   58.638588] x13: 0720072007200720 x12: 0720072007200720
[   58.643979] x11: b0b0936cbdf0 x10: f000
[   58.649366] x9 : b0b09220cfa8 x8 : 
[   58.654752] x7 : b0b093673df0 x6 : b0b09364e000
[   58.660140] x5 :  x4 : 39e93b7db948
[   58.665526] x3 : 39e93b7ebcf0 x2 : 
[   58.670913] x1 :  x0 : 0022
[   58.676299] Call trace:
[   58.678775]  fortify_panic+0x20/0x24
[   58.682402]  snd_bcm2835_alsa_probe+0x5b8/0x7d8 [snd_bcm2835]
[   58.688247]  platform_probe+0x74/0xe4
[   58.691963]  really_probe+0xf0/0x510
[   58.695585]  driver_probe_device+0xe0/0x100
[   58.699826]  device_driver_attach+0xcc/0xd4
[   58.704068]  __driver_attach+0xb0/0x17c
[   58.707956]  bus_for_each_dev+0x7c/0xd4
[   58.711843]  driver_attach+0x30/0x40
[   58.715467]  bus_add_driver+0x154/0x250
[   58.719354]  driver_register+0x84/0x140
[   58.723242]  __platform_driver_register+0x34/0x40
[   58.728013]  bcm2835_alsa_driver_init+0x30/0x1000 [snd_bcm2835]
[   58.734024]  do_one_initcall+0x54/0x300
[   58.737914]  do_init_module+0x60/0x280
[   58.741719]  load_module+0x680/0x770
[   58.745344]  __do_sys_finit_module+0xbc/0x130
[   58.749761]  __arm64_sys_finit_module+0x2c/0x40
[   58.754356]  el0_svc_common.constprop.0+0x88/0x220
[   58.759216]  do_el0_svc+0x30/0xa0
[   58.762575]  el0_svc+0x28/0x70
[   58.765669]  el0_sync_handler+0x1a4/0x1b0
[   58.769732]  el0_sync+0x178/0x180
[   58.773095] Code: aa0003e1 91366040 910003fd 97ffee21 (d421)
[   58.779275] ---[ end trace 29be5b17497bd898 ]---
[   58.783955] note: insmod[1959] exited with preempt_count 1
[   58.791921] [ cut here ]

For the sake of it, replace all the other occurences of strcpy() under
bcm2835-audio/ as well.

Signed-off-by: Juerg Haefliger 
Link: https://lore.kernel.org/r/20210205072502.10907-1-jue...@canonical.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c | 6 +++---
 drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c | 2 +-
 drivers/staging/vc04_services/bcm2835-audio/bcm2835.c | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c 
b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c
index 4c2cae99776b9..3703409715dab 100644
--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c
+++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c
@@ -224,7 +224,7 @@ int snd_bcm2835_new_ctl(struct bcm2835_chip *chip)
 {
int err;
 
-   strcpy(chip->card->mixername, "Broadcom Mixer");
+   strscpy(chip->card->mixername, "Broadcom Mixer", 
sizeof(chip->card->mixername));
err = create_ctls(chip, ARRAY_SIZE(snd_bcm2835_ctl), snd_bcm2835_ctl);
if (err < 0)
return err;
@@ -261,7 +261,7 @@ static const struct snd_kcontrol_new

[PATCH AUTOSEL 5.10 02/56] staging: fwserial: Fix error handling in fwserial_create

2021-02-24 Thread Sasha Levin

From: Dinghao Liu 

[ Upstream commit f31559af97a0eabd467e4719253675b7dccb8a46 ]

When fw_core_add_address_handler() fails, we need to destroy
the port by tty_port_destroy(). Also we need to unregister
the address handler by fw_core_remove_address_handler() on
failure.

Signed-off-by: Dinghao Liu 
Link: https://lore.kernel.org/r/20201221122437.10274-1-dinghao@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/fwserial/fwserial.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/fwserial/fwserial.c 
b/drivers/staging/fwserial/fwserial.c
index db83d34cd6779..c368082aae1aa 100644
--- a/drivers/staging/fwserial/fwserial.c
+++ b/drivers/staging/fwserial/fwserial.c
@@ -2189,6 +2189,7 @@ static int fwserial_create(struct fw_unit *unit)
err = fw_core_add_address_handler(&port->rx_handler,
  &fw_high_memory_region);
if (err) {
+   tty_port_destroy(&port->port);
kfree(port);
goto free_ports;
}
@@ -2271,6 +2272,7 @@ static int fwserial_create(struct fw_unit *unit)
 
 free_ports:
for (--i; i >= 0; --i) {
+   fw_core_remove_address_handler(&serial->ports[i]->rx_handler);
tty_port_destroy(&serial->ports[i]->port);
kfree(serial->ports[i]);
}
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.10 15/56] staging: most: sound: add sanity check for function argument

2021-02-24 Thread Sasha Levin

From: Christian Gromm 

[ Upstream commit 45b754ae5b82949dca2b6e74fa680313cefdc813 ]

This patch checks the function parameter 'bytes' before doing the
subtraction to prevent memory corruption.

Signed-off-by: Christian Gromm 
Reported-by: Dan Carpenter 
Link: 
https://lore.kernel.org/r/1612282865-21846-1-git-send-email-christian.gr...@microchip.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/most/sound/sound.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/most/sound/sound.c 
b/drivers/staging/most/sound/sound.c
index 8a449ab9bdce4..b7666a7b1760a 100644
--- a/drivers/staging/most/sound/sound.c
+++ b/drivers/staging/most/sound/sound.c
@@ -96,6 +96,8 @@ static void swap_copy24(u8 *dest, const u8 *source, unsigned 
int bytes)
 {
unsigned int i = 0;
 
+   if (bytes < 2)
+   return;
while (i < bytes - 2) {
dest[i] = source[i + 2];
dest[i + 1] = source[i + 1];
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.10 16/56] staging: bcm2835-audio: Replace unsafe strcpy() with strscpy()

2021-02-24 Thread Sasha Levin

From: Juerg Haefliger 

[ Upstream commit 4964a4300660d27907ceb655f219ac47e5941534 ]

Replace strcpy() with strscpy() in bcm2835-audio/bcm2835.c to prevent the
following when loading snd-bcm2835:

[   58.480634] [ cut here ]
[   58.485321] kernel BUG at lib/string.c:1149!
[   58.489650] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[   58.495214] Modules linked in: snd_bcm2835(COE+) snd_pcm snd_timer snd 
dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua btsdio bluetooth 
ecdh_generic ecc bcm2835_v4l2(CE) bcm2835_codec(CE) brcmfmac bcm2835_isp(CE) 
bcm2835_mmal_vchiq(CE) brcmutil cfg80211 v4l2_mem2mem videobuf2_vmalloc 
videobuf2_dma_contig videobuf2_memops raspberrypi_hwmon videobuf2_v4l2 
videobuf2_common videodev bcm2835_gpiomem mc vc_sm_cma(CE) rpivid_mem 
uio_pdrv_genirq uio sch_fq_codel drm ip_tables x_tables autofs4 btrfs 
blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq 
async_xor async_tx xor xor_neon raid6_pq libcrc32c raid1 raid0 multipath linear 
dwc2 roles spidev udc_core crct10dif_ce xhci_pci xhci_pci_renesas phy_generic 
aes_neon_bs aes_neon_blk crypto_simd cryptd
[   58.563787] CPU: 3 PID: 1959 Comm: insmod Tainted: G C OE 
5.11.0-1001-raspi #1
[   58.572172] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT)
[   58.578086] pstate: 6045 (nZCv daif +PAN -UAO -TCO BTYPE=--)
[   58.584178] pc : fortify_panic+0x20/0x24
[   58.588161] lr : fortify_panic+0x20/0x24
[   58.592136] sp : 800010a83990
[   58.595491] x29: 800010a83990 x28: 0002
[   58.600879] x27: b0b07cb72928 x26: 
[   58.606268] x25: 39e884973838 x24: b0b07cb74190
[   58.611655] x23: b0b07cb72030 x22: 
[   58.617042] x21: 39e884973014 x20: 39e88b793010
[   58.622428] x19: b0b07cb72670 x18: 0030
[   58.627814] x17:  x16: b0b092ce2c1c
[   58.633200] x15: 39e88b901500 x14: 0720072007200720
[   58.638588] x13: 0720072007200720 x12: 0720072007200720
[   58.643979] x11: b0b0936cbdf0 x10: f000
[   58.649366] x9 : b0b09220cfa8 x8 : 
[   58.654752] x7 : b0b093673df0 x6 : b0b09364e000
[   58.660140] x5 :  x4 : 39e93b7db948
[   58.665526] x3 : 39e93b7ebcf0 x2 : 
[   58.670913] x1 :  x0 : 0022
[   58.676299] Call trace:
[   58.678775]  fortify_panic+0x20/0x24
[   58.682402]  snd_bcm2835_alsa_probe+0x5b8/0x7d8 [snd_bcm2835]
[   58.688247]  platform_probe+0x74/0xe4
[   58.691963]  really_probe+0xf0/0x510
[   58.695585]  driver_probe_device+0xe0/0x100
[   58.699826]  device_driver_attach+0xcc/0xd4
[   58.704068]  __driver_attach+0xb0/0x17c
[   58.707956]  bus_for_each_dev+0x7c/0xd4
[   58.711843]  driver_attach+0x30/0x40
[   58.715467]  bus_add_driver+0x154/0x250
[   58.719354]  driver_register+0x84/0x140
[   58.723242]  __platform_driver_register+0x34/0x40
[   58.728013]  bcm2835_alsa_driver_init+0x30/0x1000 [snd_bcm2835]
[   58.734024]  do_one_initcall+0x54/0x300
[   58.737914]  do_init_module+0x60/0x280
[   58.741719]  load_module+0x680/0x770
[   58.745344]  __do_sys_finit_module+0xbc/0x130
[   58.749761]  __arm64_sys_finit_module+0x2c/0x40
[   58.754356]  el0_svc_common.constprop.0+0x88/0x220
[   58.759216]  do_el0_svc+0x30/0xa0
[   58.762575]  el0_svc+0x28/0x70
[   58.765669]  el0_sync_handler+0x1a4/0x1b0
[   58.769732]  el0_sync+0x178/0x180
[   58.773095] Code: aa0003e1 91366040 910003fd 97ffee21 (d421)
[   58.779275] ---[ end trace 29be5b17497bd898 ]---
[   58.783955] note: insmod[1959] exited with preempt_count 1
[   58.791921] [ cut here ]

For the sake of it, replace all the other occurences of strcpy() under
bcm2835-audio/ as well.

Signed-off-by: Juerg Haefliger 
Link: https://lore.kernel.org/r/20210205072502.10907-1-jue...@canonical.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c | 6 +++---
 drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c | 2 +-
 drivers/staging/vc04_services/bcm2835-audio/bcm2835.c | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c 
b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c
index 4c2cae99776b9..3703409715dab 100644
--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c
+++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c
@@ -224,7 +224,7 @@ int snd_bcm2835_new_ctl(struct bcm2835_chip *chip)
 {
int err;
 
-   strcpy(chip->card->mixername, "Broadcom Mixer");
+   strscpy(chip->card->mixername, "Broadcom Mixer", 
sizeof(chip->card->mixername));
err = create_ctls(chip, ARRAY_SIZE(snd_bcm2835_ctl), snd_bcm2835_ctl);
if (err < 0)
return err;
@@ -261,7 +261,7 @@ static const struct snd_kcontrol_new

[PATCH AUTOSEL 5.4 01/40] staging: fwserial: Fix error handling in fwserial_create

2021-02-24 Thread Sasha Levin

From: Dinghao Liu 

[ Upstream commit f31559af97a0eabd467e4719253675b7dccb8a46 ]

When fw_core_add_address_handler() fails, we need to destroy
the port by tty_port_destroy(). Also we need to unregister
the address handler by fw_core_remove_address_handler() on
failure.

Signed-off-by: Dinghao Liu 
Link: https://lore.kernel.org/r/20201221122437.10274-1-dinghao@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/fwserial/fwserial.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/fwserial/fwserial.c 
b/drivers/staging/fwserial/fwserial.c
index aec0f19597a94..4df6e3c1ea96c 100644
--- a/drivers/staging/fwserial/fwserial.c
+++ b/drivers/staging/fwserial/fwserial.c
@@ -2189,6 +2189,7 @@ static int fwserial_create(struct fw_unit *unit)
err = fw_core_add_address_handler(&port->rx_handler,
  &fw_high_memory_region);
if (err) {
+   tty_port_destroy(&port->port);
kfree(port);
goto free_ports;
}
@@ -2271,6 +2272,7 @@ static int fwserial_create(struct fw_unit *unit)
 
 free_ports:
for (--i; i >= 0; --i) {
+   fw_core_remove_address_handler(&serial->ports[i]->rx_handler);
tty_port_destroy(&serial->ports[i]->port);
kfree(serial->ports[i]);
}
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.4 10/40] staging: most: sound: add sanity check for function argument

2021-02-24 Thread Sasha Levin

From: Christian Gromm 

[ Upstream commit 45b754ae5b82949dca2b6e74fa680313cefdc813 ]

This patch checks the function parameter 'bytes' before doing the
subtraction to prevent memory corruption.

Signed-off-by: Christian Gromm 
Reported-by: Dan Carpenter 
Link: 
https://lore.kernel.org/r/1612282865-21846-1-git-send-email-christian.gr...@microchip.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/most/sound/sound.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/most/sound/sound.c 
b/drivers/staging/most/sound/sound.c
index 79817061fcfa4..4225ee9fcf7bf 100644
--- a/drivers/staging/most/sound/sound.c
+++ b/drivers/staging/most/sound/sound.c
@@ -98,6 +98,8 @@ static void swap_copy24(u8 *dest, const u8 *source, unsigned 
int bytes)
 {
unsigned int i = 0;
 
+   if (bytes < 2)
+   return;
while (i < bytes - 2) {
dest[i] = source[i + 2];
dest[i + 1] = source[i + 1];
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.4 11/40] staging: bcm2835-audio: Replace unsafe strcpy() with strscpy()

2021-02-24 Thread Sasha Levin

From: Juerg Haefliger 

[ Upstream commit 4964a4300660d27907ceb655f219ac47e5941534 ]

Replace strcpy() with strscpy() in bcm2835-audio/bcm2835.c to prevent the
following when loading snd-bcm2835:

[   58.480634] [ cut here ]
[   58.485321] kernel BUG at lib/string.c:1149!
[   58.489650] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[   58.495214] Modules linked in: snd_bcm2835(COE+) snd_pcm snd_timer snd 
dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua btsdio bluetooth 
ecdh_generic ecc bcm2835_v4l2(CE) bcm2835_codec(CE) brcmfmac bcm2835_isp(CE) 
bcm2835_mmal_vchiq(CE) brcmutil cfg80211 v4l2_mem2mem videobuf2_vmalloc 
videobuf2_dma_contig videobuf2_memops raspberrypi_hwmon videobuf2_v4l2 
videobuf2_common videodev bcm2835_gpiomem mc vc_sm_cma(CE) rpivid_mem 
uio_pdrv_genirq uio sch_fq_codel drm ip_tables x_tables autofs4 btrfs 
blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq 
async_xor async_tx xor xor_neon raid6_pq libcrc32c raid1 raid0 multipath linear 
dwc2 roles spidev udc_core crct10dif_ce xhci_pci xhci_pci_renesas phy_generic 
aes_neon_bs aes_neon_blk crypto_simd cryptd
[   58.563787] CPU: 3 PID: 1959 Comm: insmod Tainted: G C OE 
5.11.0-1001-raspi #1
[   58.572172] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT)
[   58.578086] pstate: 6045 (nZCv daif +PAN -UAO -TCO BTYPE=--)
[   58.584178] pc : fortify_panic+0x20/0x24
[   58.588161] lr : fortify_panic+0x20/0x24
[   58.592136] sp : 800010a83990
[   58.595491] x29: 800010a83990 x28: 0002
[   58.600879] x27: b0b07cb72928 x26: 
[   58.606268] x25: 39e884973838 x24: b0b07cb74190
[   58.611655] x23: b0b07cb72030 x22: 
[   58.617042] x21: 39e884973014 x20: 39e88b793010
[   58.622428] x19: b0b07cb72670 x18: 0030
[   58.627814] x17:  x16: b0b092ce2c1c
[   58.633200] x15: 39e88b901500 x14: 0720072007200720
[   58.638588] x13: 0720072007200720 x12: 0720072007200720
[   58.643979] x11: b0b0936cbdf0 x10: f000
[   58.649366] x9 : b0b09220cfa8 x8 : 
[   58.654752] x7 : b0b093673df0 x6 : b0b09364e000
[   58.660140] x5 :  x4 : 39e93b7db948
[   58.665526] x3 : 39e93b7ebcf0 x2 : 
[   58.670913] x1 :  x0 : 0022
[   58.676299] Call trace:
[   58.678775]  fortify_panic+0x20/0x24
[   58.682402]  snd_bcm2835_alsa_probe+0x5b8/0x7d8 [snd_bcm2835]
[   58.688247]  platform_probe+0x74/0xe4
[   58.691963]  really_probe+0xf0/0x510
[   58.695585]  driver_probe_device+0xe0/0x100
[   58.699826]  device_driver_attach+0xcc/0xd4
[   58.704068]  __driver_attach+0xb0/0x17c
[   58.707956]  bus_for_each_dev+0x7c/0xd4
[   58.711843]  driver_attach+0x30/0x40
[   58.715467]  bus_add_driver+0x154/0x250
[   58.719354]  driver_register+0x84/0x140
[   58.723242]  __platform_driver_register+0x34/0x40
[   58.728013]  bcm2835_alsa_driver_init+0x30/0x1000 [snd_bcm2835]
[   58.734024]  do_one_initcall+0x54/0x300
[   58.737914]  do_init_module+0x60/0x280
[   58.741719]  load_module+0x680/0x770
[   58.745344]  __do_sys_finit_module+0xbc/0x130
[   58.749761]  __arm64_sys_finit_module+0x2c/0x40
[   58.754356]  el0_svc_common.constprop.0+0x88/0x220
[   58.759216]  do_el0_svc+0x30/0xa0
[   58.762575]  el0_svc+0x28/0x70
[   58.765669]  el0_sync_handler+0x1a4/0x1b0
[   58.769732]  el0_sync+0x178/0x180
[   58.773095] Code: aa0003e1 91366040 910003fd 97ffee21 (d421)
[   58.779275] ---[ end trace 29be5b17497bd898 ]---
[   58.783955] note: insmod[1959] exited with preempt_count 1
[   58.791921] [ cut here ]

For the sake of it, replace all the other occurences of strcpy() under
bcm2835-audio/ as well.

Signed-off-by: Juerg Haefliger 
Link: https://lore.kernel.org/r/20210205072502.10907-1-jue...@canonical.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c | 6 +++---
 drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c | 2 +-
 drivers/staging/vc04_services/bcm2835-audio/bcm2835.c | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c 
b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c
index 4c2cae99776b9..3703409715dab 100644
--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c
+++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c
@@ -224,7 +224,7 @@ int snd_bcm2835_new_ctl(struct bcm2835_chip *chip)
 {
int err;
 
-   strcpy(chip->card->mixername, "Broadcom Mixer");
+   strscpy(chip->card->mixername, "Broadcom Mixer", 
sizeof(chip->card->mixername));
err = create_ctls(chip, ARRAY_SIZE(snd_bcm2835_ctl), snd_bcm2835_ctl);
if (err < 0)
return err;
@@ -261,7 +261,7 @@ static const struct snd_kcontrol_new

[PATCH AUTOSEL 4.19 01/26] staging: fwserial: Fix error handling in fwserial_create

2021-02-24 Thread Sasha Levin

From: Dinghao Liu 

[ Upstream commit f31559af97a0eabd467e4719253675b7dccb8a46 ]

When fw_core_add_address_handler() fails, we need to destroy
the port by tty_port_destroy(). Also we need to unregister
the address handler by fw_core_remove_address_handler() on
failure.

Signed-off-by: Dinghao Liu 
Link: https://lore.kernel.org/r/20201221122437.10274-1-dinghao@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/fwserial/fwserial.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/fwserial/fwserial.c 
b/drivers/staging/fwserial/fwserial.c
index fa0dd425b4549..cd062628a46b0 100644
--- a/drivers/staging/fwserial/fwserial.c
+++ b/drivers/staging/fwserial/fwserial.c
@@ -2219,6 +2219,7 @@ static int fwserial_create(struct fw_unit *unit)
err = fw_core_add_address_handler(&port->rx_handler,
  &fw_high_memory_region);
if (err) {
+   tty_port_destroy(&port->port);
kfree(port);
goto free_ports;
}
@@ -2301,6 +2302,7 @@ static int fwserial_create(struct fw_unit *unit)
 
 free_ports:
for (--i; i >= 0; --i) {
+   fw_core_remove_address_handler(&serial->ports[i]->rx_handler);
tty_port_destroy(&serial->ports[i]->port);
kfree(serial->ports[i]);
}
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.19 10/26] staging: most: sound: add sanity check for function argument

2021-02-24 Thread Sasha Levin

From: Christian Gromm 

[ Upstream commit 45b754ae5b82949dca2b6e74fa680313cefdc813 ]

This patch checks the function parameter 'bytes' before doing the
subtraction to prevent memory corruption.

Signed-off-by: Christian Gromm 
Reported-by: Dan Carpenter 
Link: 
https://lore.kernel.org/r/1612282865-21846-1-git-send-email-christian.gr...@microchip.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/most/sound/sound.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/most/sound/sound.c 
b/drivers/staging/most/sound/sound.c
index 89b02fc305b8b..fd9245d7eeb9a 100644
--- a/drivers/staging/most/sound/sound.c
+++ b/drivers/staging/most/sound/sound.c
@@ -86,6 +86,8 @@ static void swap_copy24(u8 *dest, const u8 *source, unsigned 
int bytes)
 {
unsigned int i = 0;
 
+   if (bytes < 2)
+   return;
while (i < bytes - 2) {
dest[i] = source[i + 2];
dest[i + 1] = source[i + 1];
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 01/16] staging: fwserial: Fix error handling in fwserial_create

2021-02-24 Thread Sasha Levin

From: Dinghao Liu 

[ Upstream commit f31559af97a0eabd467e4719253675b7dccb8a46 ]

When fw_core_add_address_handler() fails, we need to destroy
the port by tty_port_destroy(). Also we need to unregister
the address handler by fw_core_remove_address_handler() on
failure.

Signed-off-by: Dinghao Liu 
Link: https://lore.kernel.org/r/20201221122437.10274-1-dinghao@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/fwserial/fwserial.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/fwserial/fwserial.c 
b/drivers/staging/fwserial/fwserial.c
index 41a49c8194e50..b19c46bd2557c 100644
--- a/drivers/staging/fwserial/fwserial.c
+++ b/drivers/staging/fwserial/fwserial.c
@@ -2249,6 +2249,7 @@ static int fwserial_create(struct fw_unit *unit)
err = fw_core_add_address_handler(&port->rx_handler,
  &fw_high_memory_region);
if (err) {
+   tty_port_destroy(&port->port);
kfree(port);
goto free_ports;
}
@@ -2331,6 +2332,7 @@ static int fwserial_create(struct fw_unit *unit)
 
 free_ports:
for (--i; i >= 0; --i) {
+   fw_core_remove_address_handler(&serial->ports[i]->rx_handler);
tty_port_destroy(&serial->ports[i]->port);
kfree(serial->ports[i]);
}
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 09/16] staging: most: sound: add sanity check for function argument

2021-02-24 Thread Sasha Levin

From: Christian Gromm 

[ Upstream commit 45b754ae5b82949dca2b6e74fa680313cefdc813 ]

This patch checks the function parameter 'bytes' before doing the
subtraction to prevent memory corruption.

Signed-off-by: Christian Gromm 
Reported-by: Dan Carpenter 
Link: 
https://lore.kernel.org/r/1612282865-21846-1-git-send-email-christian.gr...@microchip.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/most/aim-sound/sound.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/most/aim-sound/sound.c 
b/drivers/staging/most/aim-sound/sound.c
index ea1366a440083..e259bf4956ab6 100644
--- a/drivers/staging/most/aim-sound/sound.c
+++ b/drivers/staging/most/aim-sound/sound.c
@@ -92,6 +92,8 @@ static void swap_copy24(u8 *dest, const u8 *source, unsigned 
int bytes)
 {
unsigned int i = 0;
 
+   if (bytes < 2)
+   return;
while (i < bytes - 2) {
dest[i] = source[i + 2];
dest[i + 1] = source[i + 1];
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.9 01/12] staging: fwserial: Fix error handling in fwserial_create

2021-02-24 Thread Sasha Levin

From: Dinghao Liu 

[ Upstream commit f31559af97a0eabd467e4719253675b7dccb8a46 ]

When fw_core_add_address_handler() fails, we need to destroy
the port by tty_port_destroy(). Also we need to unregister
the address handler by fw_core_remove_address_handler() on
failure.

Signed-off-by: Dinghao Liu 
Link: https://lore.kernel.org/r/20201221122437.10274-1-dinghao@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/fwserial/fwserial.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/fwserial/fwserial.c 
b/drivers/staging/fwserial/fwserial.c
index 49c718b91e55a..16f6f35954fb5 100644
--- a/drivers/staging/fwserial/fwserial.c
+++ b/drivers/staging/fwserial/fwserial.c
@@ -2255,6 +2255,7 @@ static int fwserial_create(struct fw_unit *unit)
err = fw_core_add_address_handler(&port->rx_handler,
  &fw_high_memory_region);
if (err) {
+   tty_port_destroy(&port->port);
kfree(port);
goto free_ports;
}
@@ -2337,6 +2338,7 @@ static int fwserial_create(struct fw_unit *unit)
 
 free_ports:
for (--i; i >= 0; --i) {
+   fw_core_remove_address_handler(&serial->ports[i]->rx_handler);
tty_port_destroy(&serial->ports[i]->port);
kfree(serial->ports[i]);
}
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.9 09/12] staging: most: sound: add sanity check for function argument

2021-02-24 Thread Sasha Levin

From: Christian Gromm 

[ Upstream commit 45b754ae5b82949dca2b6e74fa680313cefdc813 ]

This patch checks the function parameter 'bytes' before doing the
subtraction to prevent memory corruption.

Signed-off-by: Christian Gromm 
Reported-by: Dan Carpenter 
Link: 
https://lore.kernel.org/r/1612282865-21846-1-git-send-email-christian.gr...@microchip.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/most/aim-sound/sound.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/most/aim-sound/sound.c 
b/drivers/staging/most/aim-sound/sound.c
index e4198e5e064b5..288c7bf129457 100644
--- a/drivers/staging/most/aim-sound/sound.c
+++ b/drivers/staging/most/aim-sound/sound.c
@@ -92,6 +92,8 @@ static void swap_copy24(u8 *dest, const u8 *source, unsigned 
int bytes)
 {
unsigned int i = 0;
 
+   if (bytes < 2)
+   return;
while (i < bytes - 2) {
dest[i] = source[i + 2];
dest[i + 1] = source[i + 1];
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.4 01/11] staging: fwserial: Fix error handling in fwserial_create

2021-02-24 Thread Sasha Levin

From: Dinghao Liu 

[ Upstream commit f31559af97a0eabd467e4719253675b7dccb8a46 ]

When fw_core_add_address_handler() fails, we need to destroy
the port by tty_port_destroy(). Also we need to unregister
the address handler by fw_core_remove_address_handler() on
failure.

Signed-off-by: Dinghao Liu 
Link: https://lore.kernel.org/r/20201221122437.10274-1-dinghao@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/fwserial/fwserial.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/fwserial/fwserial.c 
b/drivers/staging/fwserial/fwserial.c
index b3ea4bb54e2c7..68ed97398fafb 100644
--- a/drivers/staging/fwserial/fwserial.c
+++ b/drivers/staging/fwserial/fwserial.c
@@ -2255,6 +2255,7 @@ static int fwserial_create(struct fw_unit *unit)
err = fw_core_add_address_handler(&port->rx_handler,
  &fw_high_memory_region);
if (err) {
+   tty_port_destroy(&port->port);
kfree(port);
goto free_ports;
}
@@ -2337,6 +2338,7 @@ static int fwserial_create(struct fw_unit *unit)
 
 free_ports:
for (--i; i >= 0; --i) {
+   fw_core_remove_address_handler(&serial->ports[i]->rx_handler);
tty_port_destroy(&serial->ports[i]->port);
kfree(serial->ports[i]);
}
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.4 09/11] staging: most: sound: add sanity check for function argument

2021-02-24 Thread Sasha Levin

From: Christian Gromm 

[ Upstream commit 45b754ae5b82949dca2b6e74fa680313cefdc813 ]

This patch checks the function parameter 'bytes' before doing the
subtraction to prevent memory corruption.

Signed-off-by: Christian Gromm 
Reported-by: Dan Carpenter 
Link: 
https://lore.kernel.org/r/1612282865-21846-1-git-send-email-christian.gr...@microchip.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/most/aim-sound/sound.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/most/aim-sound/sound.c 
b/drivers/staging/most/aim-sound/sound.c
index 9c645801cff4d..532ec0f7100eb 100644
--- a/drivers/staging/most/aim-sound/sound.c
+++ b/drivers/staging/most/aim-sound/sound.c
@@ -92,6 +92,8 @@ static void swap_copy24(u8 *dest, const u8 *source, unsigned 
int bytes)
 {
unsigned int i = 0;
 
+   if (bytes < 2)
+   return;
while (i < bytes - 2) {
dest[i] = source[i + 2];
dest[i + 1] = source[i + 1];
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.11 37/61] staging: rtl8192e: fix kconfig dependency on CRYPTO

2021-03-16 Thread Sasha Levin

From: Julian Braha 

[ Upstream commit 7c36194558cf49a86a53b5f60db8046c5e3013ae ]

When RTLLIB_CRYPTO_TKIP is enabled and CRYPTO is disabled,
Kbuild gives the following warning:

WARNING: unmet direct dependencies detected for CRYPTO_MICHAEL_MIC
  Depends on [n]: CRYPTO [=n]
  Selected by [m]:
  - RTLLIB_CRYPTO_TKIP [=m] && STAGING [=y] && RTLLIB [=m]

WARNING: unmet direct dependencies detected for CRYPTO_LIB_ARC4
  Depends on [n]: CRYPTO [=n]
  Selected by [m]:
  - RTLLIB_CRYPTO_TKIP [=m] && STAGING [=y] && RTLLIB [=m]
  - RTLLIB_CRYPTO_WEP [=m] && STAGING [=y] && RTLLIB [=m]

This is because RTLLIB_CRYPTO_TKIP selects CRYPTO_MICHAEL_MIC and
CRYPTO_LIB_ARC4, without depending on or selecting CRYPTO,
despite those config options being subordinate to CRYPTO.

Acked-by: Randy Dunlap 
Signed-off-by: Julian Braha 
Link: https://lore.kernel.org/r/20210222180607.399753-1-julianbr...@gmail.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8192e/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/rtl8192e/Kconfig b/drivers/staging/rtl8192e/Kconfig
index 03fcc23516fd..6e7d84ac06f5 100644
--- a/drivers/staging/rtl8192e/Kconfig
+++ b/drivers/staging/rtl8192e/Kconfig
@@ -26,6 +26,7 @@ config RTLLIB_CRYPTO_CCMP
 config RTLLIB_CRYPTO_TKIP
tristate "Support for rtllib TKIP crypto"
depends on RTLLIB
+   select CRYPTO
select CRYPTO_LIB_ARC4
select CRYPTO_MICHAEL_MIC
default y
-- 
2.30.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.10 35/54] staging: rtl8192e: fix kconfig dependency on CRYPTO

2021-03-16 Thread Sasha Levin

From: Julian Braha 

[ Upstream commit 7c36194558cf49a86a53b5f60db8046c5e3013ae ]

When RTLLIB_CRYPTO_TKIP is enabled and CRYPTO is disabled,
Kbuild gives the following warning:

WARNING: unmet direct dependencies detected for CRYPTO_MICHAEL_MIC
  Depends on [n]: CRYPTO [=n]
  Selected by [m]:
  - RTLLIB_CRYPTO_TKIP [=m] && STAGING [=y] && RTLLIB [=m]

WARNING: unmet direct dependencies detected for CRYPTO_LIB_ARC4
  Depends on [n]: CRYPTO [=n]
  Selected by [m]:
  - RTLLIB_CRYPTO_TKIP [=m] && STAGING [=y] && RTLLIB [=m]
  - RTLLIB_CRYPTO_WEP [=m] && STAGING [=y] && RTLLIB [=m]

This is because RTLLIB_CRYPTO_TKIP selects CRYPTO_MICHAEL_MIC and
CRYPTO_LIB_ARC4, without depending on or selecting CRYPTO,
despite those config options being subordinate to CRYPTO.

Acked-by: Randy Dunlap 
Signed-off-by: Julian Braha 
Link: https://lore.kernel.org/r/20210222180607.399753-1-julianbr...@gmail.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8192e/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/rtl8192e/Kconfig b/drivers/staging/rtl8192e/Kconfig
index 03fcc23516fd..6e7d84ac06f5 100644
--- a/drivers/staging/rtl8192e/Kconfig
+++ b/drivers/staging/rtl8192e/Kconfig
@@ -26,6 +26,7 @@ config RTLLIB_CRYPTO_CCMP
 config RTLLIB_CRYPTO_TKIP
tristate "Support for rtllib TKIP crypto"
depends on RTLLIB
+   select CRYPTO
select CRYPTO_LIB_ARC4
select CRYPTO_MICHAEL_MIC
default y
-- 
2.30.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.15 07/82] staging: wfx: ensure IRQ is ready before enabling it

2021-11-09 Thread Sasha Levin

From: Jérôme Pouiller 

[ Upstream commit 5e57c668dc097c6c27c973504706edec53f79281 ]

Since commit 5561770f80b1 ("staging: wfx: repair external IRQ for
SDIO"), wfx_sdio_irq_subscribe() enforce the device to use IRQs.
However, there is currently a race in this code. An IRQ may happen
before the IRQ has been registered.

The problem has observed during debug session when the device crashes
before the IRQ set up:

[ 1.546] wfx-sdio mmc0:0001:1: started firmware 3.12.2 
"WF200_ASIC_WFM_(Jenkins)_FW3.12.2" (API: 3.7, keyset: C0, caps: 0x0002)
[ 2.559] wfx-sdio mmc0:0001:1: time out while polling control register
[ 3.565] wfx-sdio mmc0:0001:1: chip is abnormally long to answer
[ 6.563] wfx-sdio mmc0:0001:1: chip did not answer
[ 6.568] wfx-sdio mmc0:0001:1: hardware request CONFIGURATION (0x09) on vif 
2 returned error -110
[ 6.577] wfx-sdio mmc0:0001:1: PDS bytes 0 to 12: chip didn't reply 
(corrupted file?)
[ 6.585] Unable to handle kernel NULL pointer dereference at virtual 
address 
[ 6.592] pgd = c0004000
[ 6.595] [] *pgd=
[ 6.598] Internal error: Oops - BUG: 17 [#1] THUMB2
[ 6.603] Modules linked in:
[ 6.606] CPU: 0 PID: 23 Comm: kworker/u2:1 Not tainted 3.18.19 #78
[ 6.612] Workqueue: kmmcd mmc_rescan
[ 6.616] task: c176d100 ti: c0e5 task.ti: c0e5
[ 6.621] PC is at wake_up_process+0xa/0x14
[ 6.625] LR is at sdio_irq+0x61/0x250
[ 6.629] pc : [] lr : [] psr: 61b3
[ 6.629] sp : c0e51bd8 ip : c0e51cc8 fp : 0001
[ 6.640] r10: 0003 r9 :  r8 : c0003c34
[ 6.644] r7 : c0e51bd8 r6 : c0003c30 r5 : 0001 r4 : c0e78c00
[ 6.651] r3 :  r2 :  r1 : 0003 r0 : 
[ 6.657] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA Thumb Segment kernel
[ 6.664] Control: 50c53c7d Table: 11fd8059 DAC: 0015
[ 6.670] Process kworker/u2:1 (pid: 23, stack limit = 0xc0e501b0)
[ 6.676] Stack: (0xc0e51bd8 to 0xc0e52000)
[...]
[ 6.949] [] (wake_up_process) from [] 
(sdio_irq+0x61/0x250)
[ 6.956] [] (sdio_irq) from [] 
(handle_irq_event_percpu+0x17/0x92)
[ 6.964] [] (handle_irq_event_percpu) from [] 
(handle_irq_event+0x1b/0x24)
[ 6.973] [] (handle_irq_event) from [] 
(handle_level_irq+0x5d/0x76)
[ 6.981] [] (handle_level_irq) from [] 
(generic_handle_irq+0x13/0x1c)
[ 6.989] [] (generic_handle_irq) from [] 
(__handle_domain_irq+0x31/0x48)
[ 6.997] [] (__handle_domain_irq) from [] 
(ov_handle_irq+0x31/0xe0)
[ 7.005] [] (ov_handle_irq) from [] 
(__irq_svc+0x3b/0x5c)
[ 7.013] Exception stack(0xc0e51c68 to 0xc0e51cb0)
[...]
[ 7.038] [] (__irq_svc) from [] 
(wait_for_common+0x9e/0xc4)
[ 7.045] [] (wait_for_common) from [] 
(mmc_wait_for_req+0x4b/0xdc)
[ 7.053] [] (mmc_wait_for_req) from [] 
(mmc_wait_for_cmd+0x2f/0x34)
[ 7.061] [] (mmc_wait_for_cmd) from [] 
(mmc_io_rw_direct_host+0x71/0xac)
[ 7.070] [] (mmc_io_rw_direct_host) from [] 
(sdio_claim_irq+0x6b/0x116)
[ 7.078] [] (sdio_claim_irq) from [] 
(wfx_sdio_irq_subscribe+0x19/0x94)
[ 7.086] [] (wfx_sdio_irq_subscribe) from [] 
(wfx_probe+0x189/0x2ac)
[ 7.095] [] (wfx_probe) from [] 
(wfx_sdio_probe+0x8f/0xcc)
[ 7.102] [] (wfx_sdio_probe) from [] 
(sdio_bus_probe+0x5f/0xa8)
[ 7.109] [] (sdio_bus_probe) from [] 
(driver_probe_device+0x59/0x134)
[ 7.118] [] (driver_probe_device) from [] 
(bus_for_each_drv+0x3f/0x4a)
[ 7.126] [] (bus_for_each_drv) from [] 
(device_attach+0x3b/0x52)
[ 7.134] [] (device_attach) from [] 
(bus_probe_device+0x17/0x4c)
[ 7.141] [] (bus_probe_device) from [] 
(device_add+0x2c5/0x334)
[ 7.149] [] (device_add) from [] 
(sdio_add_func+0x23/0x44)
[ 7.156] [] (sdio_add_func) from [] 
(mmc_attach_sdio+0x187/0x1ec)
[ 7.164] [] (mmc_attach_sdio) from [] 
(mmc_rescan+0x18d/0x1fc)
[ 7.172] [] (mmc_rescan) from [] 
(process_one_work+0xd7/0x170)
[ 7.179] [] (process_one_work) from [] 
(worker_thread+0x103/0x1bc)
[ 7.187] [] (worker_thread) from [] (kthread+0x7d/0x90)
[ 7.194] [] (kthread) from [] (ret_from_fork+0x11/0x30)
[ 7.201] Code: 2103 b580 2200 af00 (681b) 46bd
[ 7.206] ---[ end trace 3ab50aced42eedb4 ]---

Signed-off-by: Jérôme Pouiller 
Link: 
https://lore.kernel.org/r/20210913130203.1903622-33-jerome.pouil...@silabs.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/wfx/bus_sdio.c | 17 ++---
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/drivers/staging/wfx/bus_sdio.c b/drivers/staging/wfx/bus_sdio.c
index e06d7e1ebe9c3..61b8cc05f2935 100644
--- a/drivers/staging/wfx/bus_sdio.c
+++ b/drivers/staging/wfx/bus_sdio.c
@@ -120,19 +120,22 @@ static int wfx_sdio_irq_subscribe(void *priv)
return ret;
}
 
+   flags = irq_get_trigger_type(bus->of_irq);
+   if (!flags)
+   flags = IRQF_TRIGGER_HIGH;
+   flags

[PATCH AUTOSEL 5.15 24/82] staging: rtl8723bs: remove possible deadlock when disconnect (v2)

2021-11-09 Thread Sasha Levin

are name: LENOVO 80NR/Madrid, BIOS DACN25WW 08/20/2015
[  682.859517] Call Trace:
[  682.859531]  dump_stack_lvl+0x56/0x6f
[  682.859551]  check_noncircular+0xdb/0xf0
[  682.859579]  __lock_acquire+0xfd9/0x1b50
[  682.859606]  lock_acquire+0xb4/0x2c0
[  682.859623]  ? rtw_free_stainfo+0x52/0x4a0 [r8723bs]
[  682.859752]  ? mark_held_locks+0x48/0x70
[  682.859769]  ? rtw_free_stainfo+0x4a/0x4a0 [r8723bs]
[  682.859898]  _raw_spin_lock_bh+0x34/0x40
[  682.859914]  ? rtw_free_stainfo+0x52/0x4a0 [r8723bs]
[  682.860039]  rtw_free_stainfo+0x52/0x4a0 [r8723bs]
[  682.860171]  rtw_free_assoc_resources+0x53/0x110 [r8723bs]
[  682.860286]  cfg80211_rtw_disconnect+0x4b/0x70 [r8723bs]
[  682.860397]  cfg80211_disconnect+0x12e/0x2f0 [cfg80211]
[  682.860629]  cfg80211_leave+0x2b/0x40 [cfg80211]
[  682.860836]  cfg80211_netdev_notifier_call+0xa9/0x560 [cfg80211]
[  682.861048]  ? __lock_acquire+0x4dc/0x1b50
[  682.861070]  ? lock_is_held_type+0xa8/0x110
[  682.861089]  ? lock_is_held_type+0xa8/0x110
[  682.861104]  ? find_held_lock+0x2d/0x90
[  682.861120]  ? packet_notifier+0x173/0x300
[  682.861141]  ? lock_release+0xb3/0x250
[  682.861160]  ? packet_notifier+0x192/0x300
[  682.861184]  raw_notifier_call_chain+0x41/0x50
[  682.861205]  __dev_close_many+0x62/0x100
[  682.861224]  dev_close_many+0x7d/0x120
[  682.861245]  unregister_netdevice_many+0x416/0x680
[  682.861264]  ? find_held_lock+0x2d/0x90
[  682.861284]  unregister_netdevice_queue+0xab/0xf0
[  682.861306]  unregister_netdev+0x18/0x20
[  682.861325]  rtw_unregister_netdevs+0x28/0x40 [r8723bs]
[  682.861434]  rtw_dev_remove+0x24/0xd0 [r8723bs]
[  682.861542]  sdio_bus_remove+0x31/0xd0 [mmc_core]
[  682.861615]  device_release_driver_internal+0xf7/0x1d0
[  682.861637]  driver_detach+0x47/0x90
[  682.861656]  bus_remove_driver+0x77/0xd0
[  682.861674]  rtw_drv_halt+0xc/0x678 [r8723bs]
[  682.861782]  __x64_sys_delete_module+0x13f/0x250
[  682.861801]  ? lockdep_hardirqs_on_prepare+0xf3/0x170
[  682.861817]  ? syscall_enter_from_user_mode+0x20/0x70
[  682.861836]  do_syscall_64+0x3a/0x80
[  682.861855]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  682.861873] RIP: 0033:0x7f6dbe85400b
[  682.861890] Code: 73 01 c3 48 8b 0d 6d 1e 0c 00 f7 d8 64 89
01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa
b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3d
1e 0c 00 f7 d8 64 89 01 48
[  682.861906] RSP: 002b:7ffe7a82f538 EFLAGS: 0206 ORIG_RAX: 
00b0
[  682.861923] RAX: ffda RBX: 55a64693bd20 RCX: 7f6dbe85400b
[  682.861935] RDX:  RSI: 0800 RDI: 55a64693bd88
[  682.861946] RBP: 55a64693bd20 R08:  R09: 
[  682.861957] R10: 7f6dbe8c7ac0 R11: 0206 R12: 55a64693bd88
[  682.861967] R13:  R14: 55a64693bd88 R15: 7ffe7a831848

This happens because when we enqueue a frame for
transmission we do it under xmit_priv lock, then calling
rtw_get_stainfo (needed for enqueuing) takes sta_hash_lock
and this leads to the following lock dependency:

xmit_priv->lock -> sta_hash_lock

Turning off a connection will bring to call
rtw_free_assoc_resources which will set up
the inverse dependency:

sta_hash_lock -> xmit_priv_lock

This could lead to a deadlock as lockdep complains.

Fix it by removing the xmit_priv->lock around
rtw_xmitframe_enqueue call inside rtl8723bs_hal_xmit
and put it in a smaller critical section inside
rtw_xmit_classifier, the only place where
xmit_priv data are actually accessed.

Replace spin_{lock,unlock}_bh(pxmitpriv->lock)
in other tx paths leading to rtw_xmitframe_enqueue
call with spin_{lock,unlock}_bh(psta->sleep_q.lock)
- it's not clear why accessing a sleep_q was protected
by a spinlock on xmitpriv->lock.

This way is avoided the same faulty lock nesting
order.

Extra changes in v2 by Hans de Goede:
-Lift the taking of the struct __queue.lock spinlock out of
 rtw_free_xmitframe_queue() into the callers this allows also
 protecting a bunch of related state in rtw_free_stainfo():
-Protect psta->sleepq_len on rtw_free_xmitframe_queue(&psta->sleep_q);
-Protect struct tx_servq.tx_pending and tx_servq.qcnt when
 calling rtw_free_xmitframe_queue(&tx_servq.sta_pending)
-This also allows moving the spin_lock_bh(&pxmitpriv->lock); to below
 the sleep_q free-ing code, avoiding another ABBA locking issue

CC: Larry Finger 
Co-developed-by: Hans de Goede 
Tested-on: Lenovo Ideapad MiiX 300-10IBY
Signed-off-by: Fabio Aiuto 
Signed-off-by: Hans de Goede 
Link: https://lore.kernel.org/r/20210920145502.155454-1-hdego...@redhat.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c |  7 ++
 drivers/staging/rtl8723bs/core/rtw_recv.c | 10 +++--
 drivers/staging/rtl8723bs/core/rtw_sta_mgt.c  | 22 ++-
 drivers/staging/rtl8723bs/core/rtw_xmit.c | 16 ++
 ..

[PATCH AUTOSEL 5.15 25/82] staging: rtl8723bs: remove a second possible deadlock

2021-11-09 Thread Sasha Levin

From: Hans de Goede 

[ Upstream commit a7ac783c338bafc04d3259600646350dba989043 ]

Lockdep complains about rtw_free_assoc_resources() taking the sta_hash_lock
followed by it calling rtw_free_stainfo() which takes xmitpriv->lock.
While the rtl8723bs_xmit_thread takes the sta_hash_lock while already
holding the xmitpriv->lock:

[  103.849756] ==
[  103.849761] WARNING: possible circular locking dependency detected
[  103.849767] 5.15.0-rc1+ #470 Tainted: G C  E
[  103.849773] --
[  103.849776] wpa_supplicant/695 is trying to acquire lock:
[  103.849781] a5d0c0562b00 (&pxmitpriv->lock){+.-.}-{2:2}, at: 
rtw_free_stainfo+0x8a/0x510 [r8723bs]
[  103.849840]
   but task is already holding lock:
[  103.849843] a5d0c05636a8 (&pstapriv->sta_hash_lock){+.-.}-{2:2}, at: 
rtw_free_assoc_resources+0x48/0x110 [r8723bs]
[  103.849881]
   which lock already depends on the new lock.

[  103.849884]
   the existing dependency chain (in reverse order) is:
[  103.849887]
   -> #1 (&pstapriv->sta_hash_lock){+.-.}-{2:2}:
[  103.849898]_raw_spin_lock_bh+0x34/0x40
[  103.849913]rtw_get_stainfo+0x93/0x110 [r8723bs]
[  103.849948]rtw_make_wlanhdr+0x14a/0x270 [r8723bs]
[  103.849983]rtw_xmitframe_coalesce+0x5c/0x6c0 [r8723bs]
[  103.850019]rtl8723bs_xmit_thread+0x4ac/0x620 [r8723bs]
[  103.850050]kthread+0x143/0x160
[  103.850058]ret_from_fork+0x22/0x30
[  103.850067]
   -> #0 (&pxmitpriv->lock){+.-.}-{2:2}:
[  103.850077]__lock_acquire+0x1158/0x1de0
[  103.850084]lock_acquire+0xb5/0x2b0
[  103.850090]_raw_spin_lock_bh+0x34/0x40
[  103.850095]rtw_free_stainfo+0x8a/0x510 [r8723bs]
[  103.850130]rtw_free_assoc_resources+0x53/0x110 [r8723bs]
[  103.850159]PHY_IQCalibrate_8723B+0x122b/0x36a0 [r8723bs]
[  103.850189]cfg80211_disconnect+0x173/0x320 [cfg80211]
[  103.850331]nl80211_disconnect+0x6e/0xb0 [cfg80211]
[  103.850422]genl_family_rcv_msg_doit+0xcd/0x110
[  103.850430]genl_rcv_msg+0xce/0x1c0
[  103.850435]netlink_rcv_skb+0x50/0xf0
[  103.850441]genl_rcv+0x24/0x40
[  103.850446]netlink_unicast+0x16d/0x230
[  103.850452]netlink_sendmsg+0x22b/0x450
[  103.850457]sock_sendmsg+0x5e/0x60
[  103.850465]sys_sendmsg+0x22f/0x270
[  103.850472]___sys_sendmsg+0x81/0xc0
[  103.850479]__sys_sendmsg+0x49/0x80
[  103.850485]do_syscall_64+0x3b/0x90
[  103.850493]entry_SYSCALL_64_after_hwframe+0x44/0xae
[  103.850500]
   other info that might help us debug this:

[  103.850504]  Possible unsafe locking scenario:

[  103.850507]CPU0CPU1
[  103.850510]
[  103.850512]   lock(&pstapriv->sta_hash_lock);
[  103.850518]lock(&pxmitpriv->lock);
[  103.850524]lock(&pstapriv->sta_hash_lock);
[  103.850530]   lock(&pxmitpriv->lock);
[  103.850535]
*** DEADLOCK ***

Push the taking of sta_hash_lock down into rtw_free_stainfo(),
where the critical section is, this allows taking the lock after
rtw_free_stainfo() has released pxmitpriv->lock.

This requires changing rtw_free_all_stainfo() so that it does its freeing
in 2 steps, first moving all stainfo-s to free to a local list while
holding the sta_hash_lock and then walking that list to call
rtw_free_stainfo() on them without holding the sta_hash_lock.

Pushing the taking of sta_hash_lock down into rtw_free_stainfo(),
also fixes a whole bunch of callers of rtw_free_stainfo() which
were not holding that lock even though they should.

Note that this also fixes the deadlock from the "remove possible
deadlock when disconnect" patch in a different way. But the
changes from that patch offer a nice locking cleanup regardless.

Signed-off-by: Hans de Goede 
Link: https://lore.kernel.org/r/20210920145502.155454-2-hdego...@redhat.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8723bs/core/rtw_mlme.c  |  5 -
 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c  |  4 
 drivers/staging/rtl8723bs/core/rtw_sta_mgt.c   | 11 +--
 drivers/staging/rtl8723bs/os_dep/ioctl_linux.c |  2 --
 4 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme.c 
b/drivers/staging/rtl8723bs/core/rtw_mlme.c
index ab6a24d70cc96..1f49c49e10b45 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -897,7 +897,6 @@ void rtw_free_assoc_resources(struct adapter *adapter, int 
lock_scanned_queue)
 {
struct  mlme_priv *pmlmepriv = &adapter->mlmepriv;

[PATCH AUTOSEL 5.15 26/82] staging: rtl8723bs: remove a third possible deadlock

2021-11-09 Thread Sasha Levin

  rtw_cmd_thread+0x168/0x3c0 [r8723bs]
[  363.143712]kthread+0x143/0x160
[  363.143732]ret_from_fork+0x22/0x30
[  363.143757]
   other info that might help us debug this:

[  363.143768] Chain exists of:
 &pmlmepriv->lock --> &pmlmepriv->scanned_queue.lock --> 
(&pmlmepriv->assoc_timer)

[  363.143809]  Possible unsafe locking scenario:

[  363.143819]CPU0CPU1
[  363.143831]
[  363.143841]   lock((&pmlmepriv->assoc_timer));
[  363.143862]
lock(&pmlmepriv->scanned_queue.lock);
[  363.143882]lock((&pmlmepriv->assoc_timer));
[  363.143902]   lock(&pmlmepriv->lock);
[  363.143921]
*** DEADLOCK ***

Make rtw_joinbss_event_prehandle() release the scanned_queue.lock before
it deletes the timer to avoid this (it is still holding pmlmepriv->lock
protecting against racing the timer).

Signed-off-by: Hans de Goede 
Link: https://lore.kernel.org/r/20210920145502.155454-3-hdego...@redhat.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8723bs/core/rtw_mlme.c | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme.c 
b/drivers/staging/rtl8723bs/core/rtw_mlme.c
index 1f49c49e10b45..cf79bec916c51 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -1234,16 +1234,13 @@ void rtw_joinbss_event_prehandle(struct adapter 
*adapter, u8 *pbuf)
rtw_indicate_connect(adapter);
}
 
+   spin_unlock_bh(&pmlmepriv->scanned_queue.lock);
+
/* s5. Cancel assoc_timer */
del_timer_sync(&pmlmepriv->assoc_timer);
-
} else {
spin_unlock_bh(&(pmlmepriv->scanned_queue.lock));
-   goto ignore_joinbss_callback;
}
-
-   spin_unlock_bh(&(pmlmepriv->scanned_queue.lock));
-
} else if (pnetwork->join_res == -4) {
rtw_reset_securitypriv(adapter);
_set_timer(&pmlmepriv->assoc_timer, 1);
-- 
2.33.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.14 07/75] staging: wfx: ensure IRQ is ready before enabling it

2021-11-09 Thread Sasha Levin

From: Jérôme Pouiller 

[ Upstream commit 5e57c668dc097c6c27c973504706edec53f79281 ]

Since commit 5561770f80b1 ("staging: wfx: repair external IRQ for
SDIO"), wfx_sdio_irq_subscribe() enforce the device to use IRQs.
However, there is currently a race in this code. An IRQ may happen
before the IRQ has been registered.

The problem has observed during debug session when the device crashes
before the IRQ set up:

[ 1.546] wfx-sdio mmc0:0001:1: started firmware 3.12.2 
"WF200_ASIC_WFM_(Jenkins)_FW3.12.2" (API: 3.7, keyset: C0, caps: 0x0002)
[ 2.559] wfx-sdio mmc0:0001:1: time out while polling control register
[ 3.565] wfx-sdio mmc0:0001:1: chip is abnormally long to answer
[ 6.563] wfx-sdio mmc0:0001:1: chip did not answer
[ 6.568] wfx-sdio mmc0:0001:1: hardware request CONFIGURATION (0x09) on vif 
2 returned error -110
[ 6.577] wfx-sdio mmc0:0001:1: PDS bytes 0 to 12: chip didn't reply 
(corrupted file?)
[ 6.585] Unable to handle kernel NULL pointer dereference at virtual 
address 
[ 6.592] pgd = c0004000
[ 6.595] [] *pgd=
[ 6.598] Internal error: Oops - BUG: 17 [#1] THUMB2
[ 6.603] Modules linked in:
[ 6.606] CPU: 0 PID: 23 Comm: kworker/u2:1 Not tainted 3.18.19 #78
[ 6.612] Workqueue: kmmcd mmc_rescan
[ 6.616] task: c176d100 ti: c0e5 task.ti: c0e5
[ 6.621] PC is at wake_up_process+0xa/0x14
[ 6.625] LR is at sdio_irq+0x61/0x250
[ 6.629] pc : [] lr : [] psr: 61b3
[ 6.629] sp : c0e51bd8 ip : c0e51cc8 fp : 0001
[ 6.640] r10: 0003 r9 :  r8 : c0003c34
[ 6.644] r7 : c0e51bd8 r6 : c0003c30 r5 : 0001 r4 : c0e78c00
[ 6.651] r3 :  r2 :  r1 : 0003 r0 : 
[ 6.657] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA Thumb Segment kernel
[ 6.664] Control: 50c53c7d Table: 11fd8059 DAC: 0015
[ 6.670] Process kworker/u2:1 (pid: 23, stack limit = 0xc0e501b0)
[ 6.676] Stack: (0xc0e51bd8 to 0xc0e52000)
[...]
[ 6.949] [] (wake_up_process) from [] 
(sdio_irq+0x61/0x250)
[ 6.956] [] (sdio_irq) from [] 
(handle_irq_event_percpu+0x17/0x92)
[ 6.964] [] (handle_irq_event_percpu) from [] 
(handle_irq_event+0x1b/0x24)
[ 6.973] [] (handle_irq_event) from [] 
(handle_level_irq+0x5d/0x76)
[ 6.981] [] (handle_level_irq) from [] 
(generic_handle_irq+0x13/0x1c)
[ 6.989] [] (generic_handle_irq) from [] 
(__handle_domain_irq+0x31/0x48)
[ 6.997] [] (__handle_domain_irq) from [] 
(ov_handle_irq+0x31/0xe0)
[ 7.005] [] (ov_handle_irq) from [] 
(__irq_svc+0x3b/0x5c)
[ 7.013] Exception stack(0xc0e51c68 to 0xc0e51cb0)
[...]
[ 7.038] [] (__irq_svc) from [] 
(wait_for_common+0x9e/0xc4)
[ 7.045] [] (wait_for_common) from [] 
(mmc_wait_for_req+0x4b/0xdc)
[ 7.053] [] (mmc_wait_for_req) from [] 
(mmc_wait_for_cmd+0x2f/0x34)
[ 7.061] [] (mmc_wait_for_cmd) from [] 
(mmc_io_rw_direct_host+0x71/0xac)
[ 7.070] [] (mmc_io_rw_direct_host) from [] 
(sdio_claim_irq+0x6b/0x116)
[ 7.078] [] (sdio_claim_irq) from [] 
(wfx_sdio_irq_subscribe+0x19/0x94)
[ 7.086] [] (wfx_sdio_irq_subscribe) from [] 
(wfx_probe+0x189/0x2ac)
[ 7.095] [] (wfx_probe) from [] 
(wfx_sdio_probe+0x8f/0xcc)
[ 7.102] [] (wfx_sdio_probe) from [] 
(sdio_bus_probe+0x5f/0xa8)
[ 7.109] [] (sdio_bus_probe) from [] 
(driver_probe_device+0x59/0x134)
[ 7.118] [] (driver_probe_device) from [] 
(bus_for_each_drv+0x3f/0x4a)
[ 7.126] [] (bus_for_each_drv) from [] 
(device_attach+0x3b/0x52)
[ 7.134] [] (device_attach) from [] 
(bus_probe_device+0x17/0x4c)
[ 7.141] [] (bus_probe_device) from [] 
(device_add+0x2c5/0x334)
[ 7.149] [] (device_add) from [] 
(sdio_add_func+0x23/0x44)
[ 7.156] [] (sdio_add_func) from [] 
(mmc_attach_sdio+0x187/0x1ec)
[ 7.164] [] (mmc_attach_sdio) from [] 
(mmc_rescan+0x18d/0x1fc)
[ 7.172] [] (mmc_rescan) from [] 
(process_one_work+0xd7/0x170)
[ 7.179] [] (process_one_work) from [] 
(worker_thread+0x103/0x1bc)
[ 7.187] [] (worker_thread) from [] (kthread+0x7d/0x90)
[ 7.194] [] (kthread) from [] (ret_from_fork+0x11/0x30)
[ 7.201] Code: 2103 b580 2200 af00 (681b) 46bd
[ 7.206] ---[ end trace 3ab50aced42eedb4 ]---

Signed-off-by: Jérôme Pouiller 
Link: 
https://lore.kernel.org/r/20210913130203.1903622-33-jerome.pouil...@silabs.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/wfx/bus_sdio.c | 17 ++---
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/drivers/staging/wfx/bus_sdio.c b/drivers/staging/wfx/bus_sdio.c
index e06d7e1ebe9c3..61b8cc05f2935 100644
--- a/drivers/staging/wfx/bus_sdio.c
+++ b/drivers/staging/wfx/bus_sdio.c
@@ -120,19 +120,22 @@ static int wfx_sdio_irq_subscribe(void *priv)
return ret;
}
 
+   flags = irq_get_trigger_type(bus->of_irq);
+   if (!flags)
+   flags = IRQF_TRIGGER_HIGH;
+   flags

[PATCH AUTOSEL 5.14 23/75] staging: rtl8723bs: remove possible deadlock when disconnect (v2)

2021-11-09 Thread Sasha Levin

are name: LENOVO 80NR/Madrid, BIOS DACN25WW 08/20/2015
[  682.859517] Call Trace:
[  682.859531]  dump_stack_lvl+0x56/0x6f
[  682.859551]  check_noncircular+0xdb/0xf0
[  682.859579]  __lock_acquire+0xfd9/0x1b50
[  682.859606]  lock_acquire+0xb4/0x2c0
[  682.859623]  ? rtw_free_stainfo+0x52/0x4a0 [r8723bs]
[  682.859752]  ? mark_held_locks+0x48/0x70
[  682.859769]  ? rtw_free_stainfo+0x4a/0x4a0 [r8723bs]
[  682.859898]  _raw_spin_lock_bh+0x34/0x40
[  682.859914]  ? rtw_free_stainfo+0x52/0x4a0 [r8723bs]
[  682.860039]  rtw_free_stainfo+0x52/0x4a0 [r8723bs]
[  682.860171]  rtw_free_assoc_resources+0x53/0x110 [r8723bs]
[  682.860286]  cfg80211_rtw_disconnect+0x4b/0x70 [r8723bs]
[  682.860397]  cfg80211_disconnect+0x12e/0x2f0 [cfg80211]
[  682.860629]  cfg80211_leave+0x2b/0x40 [cfg80211]
[  682.860836]  cfg80211_netdev_notifier_call+0xa9/0x560 [cfg80211]
[  682.861048]  ? __lock_acquire+0x4dc/0x1b50
[  682.861070]  ? lock_is_held_type+0xa8/0x110
[  682.861089]  ? lock_is_held_type+0xa8/0x110
[  682.861104]  ? find_held_lock+0x2d/0x90
[  682.861120]  ? packet_notifier+0x173/0x300
[  682.861141]  ? lock_release+0xb3/0x250
[  682.861160]  ? packet_notifier+0x192/0x300
[  682.861184]  raw_notifier_call_chain+0x41/0x50
[  682.861205]  __dev_close_many+0x62/0x100
[  682.861224]  dev_close_many+0x7d/0x120
[  682.861245]  unregister_netdevice_many+0x416/0x680
[  682.861264]  ? find_held_lock+0x2d/0x90
[  682.861284]  unregister_netdevice_queue+0xab/0xf0
[  682.861306]  unregister_netdev+0x18/0x20
[  682.861325]  rtw_unregister_netdevs+0x28/0x40 [r8723bs]
[  682.861434]  rtw_dev_remove+0x24/0xd0 [r8723bs]
[  682.861542]  sdio_bus_remove+0x31/0xd0 [mmc_core]
[  682.861615]  device_release_driver_internal+0xf7/0x1d0
[  682.861637]  driver_detach+0x47/0x90
[  682.861656]  bus_remove_driver+0x77/0xd0
[  682.861674]  rtw_drv_halt+0xc/0x678 [r8723bs]
[  682.861782]  __x64_sys_delete_module+0x13f/0x250
[  682.861801]  ? lockdep_hardirqs_on_prepare+0xf3/0x170
[  682.861817]  ? syscall_enter_from_user_mode+0x20/0x70
[  682.861836]  do_syscall_64+0x3a/0x80
[  682.861855]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  682.861873] RIP: 0033:0x7f6dbe85400b
[  682.861890] Code: 73 01 c3 48 8b 0d 6d 1e 0c 00 f7 d8 64 89
01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa
b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3d
1e 0c 00 f7 d8 64 89 01 48
[  682.861906] RSP: 002b:7ffe7a82f538 EFLAGS: 0206 ORIG_RAX: 
00b0
[  682.861923] RAX: ffda RBX: 55a64693bd20 RCX: 7f6dbe85400b
[  682.861935] RDX:  RSI: 0800 RDI: 55a64693bd88
[  682.861946] RBP: 55a64693bd20 R08:  R09: 
[  682.861957] R10: 7f6dbe8c7ac0 R11: 0206 R12: 55a64693bd88
[  682.861967] R13:  R14: 55a64693bd88 R15: 7ffe7a831848

This happens because when we enqueue a frame for
transmission we do it under xmit_priv lock, then calling
rtw_get_stainfo (needed for enqueuing) takes sta_hash_lock
and this leads to the following lock dependency:

xmit_priv->lock -> sta_hash_lock

Turning off a connection will bring to call
rtw_free_assoc_resources which will set up
the inverse dependency:

sta_hash_lock -> xmit_priv_lock

This could lead to a deadlock as lockdep complains.

Fix it by removing the xmit_priv->lock around
rtw_xmitframe_enqueue call inside rtl8723bs_hal_xmit
and put it in a smaller critical section inside
rtw_xmit_classifier, the only place where
xmit_priv data are actually accessed.

Replace spin_{lock,unlock}_bh(pxmitpriv->lock)
in other tx paths leading to rtw_xmitframe_enqueue
call with spin_{lock,unlock}_bh(psta->sleep_q.lock)
- it's not clear why accessing a sleep_q was protected
by a spinlock on xmitpriv->lock.

This way is avoided the same faulty lock nesting
order.

Extra changes in v2 by Hans de Goede:
-Lift the taking of the struct __queue.lock spinlock out of
 rtw_free_xmitframe_queue() into the callers this allows also
 protecting a bunch of related state in rtw_free_stainfo():
-Protect psta->sleepq_len on rtw_free_xmitframe_queue(&psta->sleep_q);
-Protect struct tx_servq.tx_pending and tx_servq.qcnt when
 calling rtw_free_xmitframe_queue(&tx_servq.sta_pending)
-This also allows moving the spin_lock_bh(&pxmitpriv->lock); to below
 the sleep_q free-ing code, avoiding another ABBA locking issue

CC: Larry Finger 
Co-developed-by: Hans de Goede 
Tested-on: Lenovo Ideapad MiiX 300-10IBY
Signed-off-by: Fabio Aiuto 
Signed-off-by: Hans de Goede 
Link: https://lore.kernel.org/r/20210920145502.155454-1-hdego...@redhat.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c |  7 ++
 drivers/staging/rtl8723bs/core/rtw_recv.c | 10 +++--
 drivers/staging/rtl8723bs/core/rtw_sta_mgt.c  | 22 ++-
 drivers/staging/rtl8723bs/core/rtw_xmit.c | 16 ++
 ..

[PATCH AUTOSEL 5.14 24/75] staging: rtl8723bs: remove a third possible deadlock

2021-11-09 Thread Sasha Levin

  rtw_cmd_thread+0x168/0x3c0 [r8723bs]
[  363.143712]kthread+0x143/0x160
[  363.143732]ret_from_fork+0x22/0x30
[  363.143757]
   other info that might help us debug this:

[  363.143768] Chain exists of:
 &pmlmepriv->lock --> &pmlmepriv->scanned_queue.lock --> 
(&pmlmepriv->assoc_timer)

[  363.143809]  Possible unsafe locking scenario:

[  363.143819]CPU0CPU1
[  363.143831]
[  363.143841]   lock((&pmlmepriv->assoc_timer));
[  363.143862]
lock(&pmlmepriv->scanned_queue.lock);
[  363.143882]lock((&pmlmepriv->assoc_timer));
[  363.143902]   lock(&pmlmepriv->lock);
[  363.143921]
*** DEADLOCK ***

Make rtw_joinbss_event_prehandle() release the scanned_queue.lock before
it deletes the timer to avoid this (it is still holding pmlmepriv->lock
protecting against racing the timer).

Signed-off-by: Hans de Goede 
Link: https://lore.kernel.org/r/20210920145502.155454-3-hdego...@redhat.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8723bs/core/rtw_mlme.c | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme.c 
b/drivers/staging/rtl8723bs/core/rtw_mlme.c
index 2dd75e0072392..ed1398fbb8ce0 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -1240,16 +1240,13 @@ void rtw_joinbss_event_prehandle(struct adapter 
*adapter, u8 *pbuf)
rtw_indicate_connect(adapter);
}
 
+   spin_unlock_bh(&pmlmepriv->scanned_queue.lock);
+
/* s5. Cancel assoc_timer */
del_timer_sync(&pmlmepriv->assoc_timer);
-
} else {
spin_unlock_bh(&(pmlmepriv->scanned_queue.lock));
-   goto ignore_joinbss_callback;
}
-
-   spin_unlock_bh(&(pmlmepriv->scanned_queue.lock));
-
} else if (pnetwork->join_res == -4) {
rtw_reset_securitypriv(adapter);
_set_timer(&pmlmepriv->assoc_timer, 1);
-- 
2.33.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.10 06/50] staging: wfx: ensure IRQ is ready before enabling it

2021-11-09 Thread Sasha Levin

From: Jérôme Pouiller 

[ Upstream commit 5e57c668dc097c6c27c973504706edec53f79281 ]

Since commit 5561770f80b1 ("staging: wfx: repair external IRQ for
SDIO"), wfx_sdio_irq_subscribe() enforce the device to use IRQs.
However, there is currently a race in this code. An IRQ may happen
before the IRQ has been registered.

The problem has observed during debug session when the device crashes
before the IRQ set up:

[ 1.546] wfx-sdio mmc0:0001:1: started firmware 3.12.2 
"WF200_ASIC_WFM_(Jenkins)_FW3.12.2" (API: 3.7, keyset: C0, caps: 0x0002)
[ 2.559] wfx-sdio mmc0:0001:1: time out while polling control register
[ 3.565] wfx-sdio mmc0:0001:1: chip is abnormally long to answer
[ 6.563] wfx-sdio mmc0:0001:1: chip did not answer
[ 6.568] wfx-sdio mmc0:0001:1: hardware request CONFIGURATION (0x09) on vif 
2 returned error -110
[ 6.577] wfx-sdio mmc0:0001:1: PDS bytes 0 to 12: chip didn't reply 
(corrupted file?)
[ 6.585] Unable to handle kernel NULL pointer dereference at virtual 
address 
[ 6.592] pgd = c0004000
[ 6.595] [] *pgd=
[ 6.598] Internal error: Oops - BUG: 17 [#1] THUMB2
[ 6.603] Modules linked in:
[ 6.606] CPU: 0 PID: 23 Comm: kworker/u2:1 Not tainted 3.18.19 #78
[ 6.612] Workqueue: kmmcd mmc_rescan
[ 6.616] task: c176d100 ti: c0e5 task.ti: c0e5
[ 6.621] PC is at wake_up_process+0xa/0x14
[ 6.625] LR is at sdio_irq+0x61/0x250
[ 6.629] pc : [] lr : [] psr: 61b3
[ 6.629] sp : c0e51bd8 ip : c0e51cc8 fp : 0001
[ 6.640] r10: 0003 r9 :  r8 : c0003c34
[ 6.644] r7 : c0e51bd8 r6 : c0003c30 r5 : 0001 r4 : c0e78c00
[ 6.651] r3 :  r2 :  r1 : 0003 r0 : 
[ 6.657] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA Thumb Segment kernel
[ 6.664] Control: 50c53c7d Table: 11fd8059 DAC: 0015
[ 6.670] Process kworker/u2:1 (pid: 23, stack limit = 0xc0e501b0)
[ 6.676] Stack: (0xc0e51bd8 to 0xc0e52000)
[...]
[ 6.949] [] (wake_up_process) from [] 
(sdio_irq+0x61/0x250)
[ 6.956] [] (sdio_irq) from [] 
(handle_irq_event_percpu+0x17/0x92)
[ 6.964] [] (handle_irq_event_percpu) from [] 
(handle_irq_event+0x1b/0x24)
[ 6.973] [] (handle_irq_event) from [] 
(handle_level_irq+0x5d/0x76)
[ 6.981] [] (handle_level_irq) from [] 
(generic_handle_irq+0x13/0x1c)
[ 6.989] [] (generic_handle_irq) from [] 
(__handle_domain_irq+0x31/0x48)
[ 6.997] [] (__handle_domain_irq) from [] 
(ov_handle_irq+0x31/0xe0)
[ 7.005] [] (ov_handle_irq) from [] 
(__irq_svc+0x3b/0x5c)
[ 7.013] Exception stack(0xc0e51c68 to 0xc0e51cb0)
[...]
[ 7.038] [] (__irq_svc) from [] 
(wait_for_common+0x9e/0xc4)
[ 7.045] [] (wait_for_common) from [] 
(mmc_wait_for_req+0x4b/0xdc)
[ 7.053] [] (mmc_wait_for_req) from [] 
(mmc_wait_for_cmd+0x2f/0x34)
[ 7.061] [] (mmc_wait_for_cmd) from [] 
(mmc_io_rw_direct_host+0x71/0xac)
[ 7.070] [] (mmc_io_rw_direct_host) from [] 
(sdio_claim_irq+0x6b/0x116)
[ 7.078] [] (sdio_claim_irq) from [] 
(wfx_sdio_irq_subscribe+0x19/0x94)
[ 7.086] [] (wfx_sdio_irq_subscribe) from [] 
(wfx_probe+0x189/0x2ac)
[ 7.095] [] (wfx_probe) from [] 
(wfx_sdio_probe+0x8f/0xcc)
[ 7.102] [] (wfx_sdio_probe) from [] 
(sdio_bus_probe+0x5f/0xa8)
[ 7.109] [] (sdio_bus_probe) from [] 
(driver_probe_device+0x59/0x134)
[ 7.118] [] (driver_probe_device) from [] 
(bus_for_each_drv+0x3f/0x4a)
[ 7.126] [] (bus_for_each_drv) from [] 
(device_attach+0x3b/0x52)
[ 7.134] [] (device_attach) from [] 
(bus_probe_device+0x17/0x4c)
[ 7.141] [] (bus_probe_device) from [] 
(device_add+0x2c5/0x334)
[ 7.149] [] (device_add) from [] 
(sdio_add_func+0x23/0x44)
[ 7.156] [] (sdio_add_func) from [] 
(mmc_attach_sdio+0x187/0x1ec)
[ 7.164] [] (mmc_attach_sdio) from [] 
(mmc_rescan+0x18d/0x1fc)
[ 7.172] [] (mmc_rescan) from [] 
(process_one_work+0xd7/0x170)
[ 7.179] [] (process_one_work) from [] 
(worker_thread+0x103/0x1bc)
[ 7.187] [] (worker_thread) from [] (kthread+0x7d/0x90)
[ 7.194] [] (kthread) from [] (ret_from_fork+0x11/0x30)
[ 7.201] Code: 2103 b580 2200 af00 (681b) 46bd
[ 7.206] ---[ end trace 3ab50aced42eedb4 ]---

Signed-off-by: Jérôme Pouiller 
Link: 
https://lore.kernel.org/r/20210913130203.1903622-33-jerome.pouil...@silabs.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/wfx/bus_sdio.c | 17 ++---
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/drivers/staging/wfx/bus_sdio.c b/drivers/staging/wfx/bus_sdio.c
index e06d7e1ebe9c3..61b8cc05f2935 100644
--- a/drivers/staging/wfx/bus_sdio.c
+++ b/drivers/staging/wfx/bus_sdio.c
@@ -120,19 +120,22 @@ static int wfx_sdio_irq_subscribe(void *priv)
return ret;
}
 
+   flags = irq_get_trigger_type(bus->of_irq);
+   if (!flags)
+   flags = IRQF_TRIGGER_HIGH;
+   flags

[PATCH AUTOSEL 5.10 19/50] staging: rtl8723bs: remove possible deadlock when disconnect (v2)

2021-11-09 Thread Sasha Levin

are name: LENOVO 80NR/Madrid, BIOS DACN25WW 08/20/2015
[  682.859517] Call Trace:
[  682.859531]  dump_stack_lvl+0x56/0x6f
[  682.859551]  check_noncircular+0xdb/0xf0
[  682.859579]  __lock_acquire+0xfd9/0x1b50
[  682.859606]  lock_acquire+0xb4/0x2c0
[  682.859623]  ? rtw_free_stainfo+0x52/0x4a0 [r8723bs]
[  682.859752]  ? mark_held_locks+0x48/0x70
[  682.859769]  ? rtw_free_stainfo+0x4a/0x4a0 [r8723bs]
[  682.859898]  _raw_spin_lock_bh+0x34/0x40
[  682.859914]  ? rtw_free_stainfo+0x52/0x4a0 [r8723bs]
[  682.860039]  rtw_free_stainfo+0x52/0x4a0 [r8723bs]
[  682.860171]  rtw_free_assoc_resources+0x53/0x110 [r8723bs]
[  682.860286]  cfg80211_rtw_disconnect+0x4b/0x70 [r8723bs]
[  682.860397]  cfg80211_disconnect+0x12e/0x2f0 [cfg80211]
[  682.860629]  cfg80211_leave+0x2b/0x40 [cfg80211]
[  682.860836]  cfg80211_netdev_notifier_call+0xa9/0x560 [cfg80211]
[  682.861048]  ? __lock_acquire+0x4dc/0x1b50
[  682.861070]  ? lock_is_held_type+0xa8/0x110
[  682.861089]  ? lock_is_held_type+0xa8/0x110
[  682.861104]  ? find_held_lock+0x2d/0x90
[  682.861120]  ? packet_notifier+0x173/0x300
[  682.861141]  ? lock_release+0xb3/0x250
[  682.861160]  ? packet_notifier+0x192/0x300
[  682.861184]  raw_notifier_call_chain+0x41/0x50
[  682.861205]  __dev_close_many+0x62/0x100
[  682.861224]  dev_close_many+0x7d/0x120
[  682.861245]  unregister_netdevice_many+0x416/0x680
[  682.861264]  ? find_held_lock+0x2d/0x90
[  682.861284]  unregister_netdevice_queue+0xab/0xf0
[  682.861306]  unregister_netdev+0x18/0x20
[  682.861325]  rtw_unregister_netdevs+0x28/0x40 [r8723bs]
[  682.861434]  rtw_dev_remove+0x24/0xd0 [r8723bs]
[  682.861542]  sdio_bus_remove+0x31/0xd0 [mmc_core]
[  682.861615]  device_release_driver_internal+0xf7/0x1d0
[  682.861637]  driver_detach+0x47/0x90
[  682.861656]  bus_remove_driver+0x77/0xd0
[  682.861674]  rtw_drv_halt+0xc/0x678 [r8723bs]
[  682.861782]  __x64_sys_delete_module+0x13f/0x250
[  682.861801]  ? lockdep_hardirqs_on_prepare+0xf3/0x170
[  682.861817]  ? syscall_enter_from_user_mode+0x20/0x70
[  682.861836]  do_syscall_64+0x3a/0x80
[  682.861855]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  682.861873] RIP: 0033:0x7f6dbe85400b
[  682.861890] Code: 73 01 c3 48 8b 0d 6d 1e 0c 00 f7 d8 64 89
01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa
b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3d
1e 0c 00 f7 d8 64 89 01 48
[  682.861906] RSP: 002b:7ffe7a82f538 EFLAGS: 0206 ORIG_RAX: 
00b0
[  682.861923] RAX: ffda RBX: 55a64693bd20 RCX: 7f6dbe85400b
[  682.861935] RDX:  RSI: 0800 RDI: 55a64693bd88
[  682.861946] RBP: 55a64693bd20 R08:  R09: 
[  682.861957] R10: 7f6dbe8c7ac0 R11: 0206 R12: 55a64693bd88
[  682.861967] R13:  R14: 55a64693bd88 R15: 7ffe7a831848

This happens because when we enqueue a frame for
transmission we do it under xmit_priv lock, then calling
rtw_get_stainfo (needed for enqueuing) takes sta_hash_lock
and this leads to the following lock dependency:

xmit_priv->lock -> sta_hash_lock

Turning off a connection will bring to call
rtw_free_assoc_resources which will set up
the inverse dependency:

sta_hash_lock -> xmit_priv_lock

This could lead to a deadlock as lockdep complains.

Fix it by removing the xmit_priv->lock around
rtw_xmitframe_enqueue call inside rtl8723bs_hal_xmit
and put it in a smaller critical section inside
rtw_xmit_classifier, the only place where
xmit_priv data are actually accessed.

Replace spin_{lock,unlock}_bh(pxmitpriv->lock)
in other tx paths leading to rtw_xmitframe_enqueue
call with spin_{lock,unlock}_bh(psta->sleep_q.lock)
- it's not clear why accessing a sleep_q was protected
by a spinlock on xmitpriv->lock.

This way is avoided the same faulty lock nesting
order.

Extra changes in v2 by Hans de Goede:
-Lift the taking of the struct __queue.lock spinlock out of
 rtw_free_xmitframe_queue() into the callers this allows also
 protecting a bunch of related state in rtw_free_stainfo():
-Protect psta->sleepq_len on rtw_free_xmitframe_queue(&psta->sleep_q);
-Protect struct tx_servq.tx_pending and tx_servq.qcnt when
 calling rtw_free_xmitframe_queue(&tx_servq.sta_pending)
-This also allows moving the spin_lock_bh(&pxmitpriv->lock); to below
 the sleep_q free-ing code, avoiding another ABBA locking issue

CC: Larry Finger 
Co-developed-by: Hans de Goede 
Tested-on: Lenovo Ideapad MiiX 300-10IBY
Signed-off-by: Fabio Aiuto 
Signed-off-by: Hans de Goede 
Link: https://lore.kernel.org/r/20210920145502.155454-1-hdego...@redhat.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c |  7 ++
 drivers/staging/rtl8723bs/core/rtw_recv.c | 10 +++--
 drivers/staging/rtl8723bs/core/rtw_sta_mgt.c  | 22 ++-
 drivers/staging/rtl8723bs/core/rtw_xmit.c | 16 ++
 ..

Re: [PATCH AUTOSEL 5.8 07/42] speakup: Fix wait_for_xmitr for ttyio case

2020-09-05 Thread Sasha Levin


On Mon, Aug 31, 2020 at 05:33:45PM +0200, Greg Kroah-Hartman wrote:

On Mon, Aug 31, 2020 at 11:28:59AM -0400, Sasha Levin wrote:

From: Samuel Thibault 

[ Upstream commit 2b86d9b8ec6efb86fc5ea44f2d49b1df17f699a1 ]

This was missed while introducing the tty-based serial access.

The only remaining use of wait_for_xmitr with tty-based access is in
spk_synth_is_alive_restart to check whether the synth can be restarted.
With tty-based this is up to the tty layer to cope with the buffering
etc. so we can just say yes.

Signed-off-by: Samuel Thibault 
Link: https://lore.kernel.org/r/20200804160637.x3iycau5izywbgzl@function
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/speakup/serialio.c  | 8 +---
 drivers/staging/speakup/spk_priv.h  | 1 -
 drivers/staging/speakup/spk_ttyio.c | 7 +++
 drivers/staging/speakup/spk_types.h | 1 +
 drivers/staging/speakup/synth.c | 2 +-
 5 files changed, 14 insertions(+), 5 deletions(-)


Not needed for 5.8 or older, sorry, this was a 5.9-rc1+ issue only.


Dropped, thanks!

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.4 137/330] media: staging/imx: Missing assignment in imx_media_capture_device_register()

2020-09-17 Thread Sasha Levin

From: Dan Carpenter 

[ Upstream commit ef0ed05dcef8a74178a8b480cce23a377b1de2b8 ]

There was supposed to be a "ret = " assignment here, otherwise the
error handling on the next line won't work.

Fixes: 64b5a49df486 ("[media] media: imx: Add Capture Device Interface")
Signed-off-by: Dan Carpenter 
Reviewed-by: Steve Longerbeam 
Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Sasha Levin 
---
 drivers/staging/media/imx/imx-media-capture.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/media/imx/imx-media-capture.c 
b/drivers/staging/media/imx/imx-media-capture.c
index 46576e32581f0..d151cd6d31884 100644
--- a/drivers/staging/media/imx/imx-media-capture.c
+++ b/drivers/staging/media/imx/imx-media-capture.c
@@ -785,7 +785,7 @@ int imx_media_capture_device_register(struct 
imx_media_video_dev *vdev)
/* setup default format */
fmt_src.pad = priv->src_sd_pad;
fmt_src.which = V4L2_SUBDEV_FORMAT_ACTIVE;
-   v4l2_subdev_call(sd, pad, get_fmt, NULL, &fmt_src);
+   ret = v4l2_subdev_call(sd, pad, get_fmt, NULL, &fmt_src);
if (ret) {
v4l2_err(sd, "failed to get src_sd format\n");
goto unreg;
-- 
2.25.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.4 246/330] staging:r8188eu: avoid skb_clone for amsdu to msdu conversion

2020-09-17 Thread Sasha Levin

From: Ivan Safonov 

[ Upstream commit 628cbd971a927abe6388d44320e351c337b331e4 ]

skb clones use same data buffer,
so tail of one skb is corrupted by beginning of next skb.

Signed-off-by: Ivan Safonov 
Link: https://lore.kernel.org/r/20200423191404.12028-1-insafo...@gmail.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8188eu/core/rtw_recv.c | 19 ++-
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/drivers/staging/rtl8188eu/core/rtw_recv.c 
b/drivers/staging/rtl8188eu/core/rtw_recv.c
index d4278361e0028..a036ef104198e 100644
--- a/drivers/staging/rtl8188eu/core/rtw_recv.c
+++ b/drivers/staging/rtl8188eu/core/rtw_recv.c
@@ -1525,21 +1525,14 @@ static int amsdu_to_msdu(struct adapter *padapter, 
struct recv_frame *prframe)
 
/* Allocate new skb for releasing to upper layer */
sub_skb = dev_alloc_skb(nSubframe_Length + 12);
-   if (sub_skb) {
-   skb_reserve(sub_skb, 12);
-   skb_put_data(sub_skb, pdata, nSubframe_Length);
-   } else {
-   sub_skb = skb_clone(prframe->pkt, GFP_ATOMIC);
-   if (sub_skb) {
-   sub_skb->data = pdata;
-   sub_skb->len = nSubframe_Length;
-   skb_set_tail_pointer(sub_skb, nSubframe_Length);
-   } else {
-   DBG_88E("skb_clone() Fail!!! , 
nr_subframes=%d\n", nr_subframes);
-   break;
-   }
+   if (!sub_skb) {
+   DBG_88E("dev_alloc_skb() Fail!!! , nr_subframes=%d\n", 
nr_subframes);
+   break;
}
 
+   skb_reserve(sub_skb, 12);
+   skb_put_data(sub_skb, pdata, nSubframe_Length);
+
subframes[nr_subframes++] = sub_skb;
 
if (nr_subframes >= MAX_SUBFRAME_COUNT) {
-- 
2.25.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.19 085/206] media: staging/imx: Missing assignment in imx_media_capture_device_register()

2020-09-17 Thread Sasha Levin

From: Dan Carpenter 

[ Upstream commit ef0ed05dcef8a74178a8b480cce23a377b1de2b8 ]

There was supposed to be a "ret = " assignment here, otherwise the
error handling on the next line won't work.

Fixes: 64b5a49df486 ("[media] media: imx: Add Capture Device Interface")
Signed-off-by: Dan Carpenter 
Reviewed-by: Steve Longerbeam 
Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Sasha Levin 
---
 drivers/staging/media/imx/imx-media-capture.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/media/imx/imx-media-capture.c 
b/drivers/staging/media/imx/imx-media-capture.c
index 256039ce561e6..81a3370551dbc 100644
--- a/drivers/staging/media/imx/imx-media-capture.c
+++ b/drivers/staging/media/imx/imx-media-capture.c
@@ -678,7 +678,7 @@ int imx_media_capture_device_register(struct 
imx_media_video_dev *vdev)
/* setup default format */
fmt_src.pad = priv->src_sd_pad;
fmt_src.which = V4L2_SUBDEV_FORMAT_ACTIVE;
-   v4l2_subdev_call(sd, pad, get_fmt, NULL, &fmt_src);
+   ret = v4l2_subdev_call(sd, pad, get_fmt, NULL, &fmt_src);
if (ret) {
v4l2_err(sd, "failed to get src_sd format\n");
goto unreg;
-- 
2.25.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.19 151/206] staging:r8188eu: avoid skb_clone for amsdu to msdu conversion

2020-09-17 Thread Sasha Levin

From: Ivan Safonov 

[ Upstream commit 628cbd971a927abe6388d44320e351c337b331e4 ]

skb clones use same data buffer,
so tail of one skb is corrupted by beginning of next skb.

Signed-off-by: Ivan Safonov 
Link: https://lore.kernel.org/r/20200423191404.12028-1-insafo...@gmail.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8188eu/core/rtw_recv.c | 19 ++-
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/drivers/staging/rtl8188eu/core/rtw_recv.c 
b/drivers/staging/rtl8188eu/core/rtw_recv.c
index 17b4b9257b495..0ddf41b5a734a 100644
--- a/drivers/staging/rtl8188eu/core/rtw_recv.c
+++ b/drivers/staging/rtl8188eu/core/rtw_recv.c
@@ -1535,21 +1535,14 @@ static int amsdu_to_msdu(struct adapter *padapter, 
struct recv_frame *prframe)
 
/* Allocate new skb for releasing to upper layer */
sub_skb = dev_alloc_skb(nSubframe_Length + 12);
-   if (sub_skb) {
-   skb_reserve(sub_skb, 12);
-   skb_put_data(sub_skb, pdata, nSubframe_Length);
-   } else {
-   sub_skb = skb_clone(prframe->pkt, GFP_ATOMIC);
-   if (sub_skb) {
-   sub_skb->data = pdata;
-   sub_skb->len = nSubframe_Length;
-   skb_set_tail_pointer(sub_skb, nSubframe_Length);
-   } else {
-   DBG_88E("skb_clone() Fail!!! , 
nr_subframes=%d\n", nr_subframes);
-   break;
-   }
+   if (!sub_skb) {
+   DBG_88E("dev_alloc_skb() Fail!!! , nr_subframes=%d\n", 
nr_subframes);
+   break;
}
 
+   skb_reserve(sub_skb, 12);
+   skb_put_data(sub_skb, pdata, nSubframe_Length);
+
subframes[nr_subframes++] = sub_skb;
 
if (nr_subframes >= MAX_SUBFRAME_COUNT) {
-- 
2.25.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 051/127] media: staging/imx: Missing assignment in imx_media_capture_device_register()

2020-09-17 Thread Sasha Levin

From: Dan Carpenter 

[ Upstream commit ef0ed05dcef8a74178a8b480cce23a377b1de2b8 ]

There was supposed to be a "ret = " assignment here, otherwise the
error handling on the next line won't work.

Fixes: 64b5a49df486 ("[media] media: imx: Add Capture Device Interface")
Signed-off-by: Dan Carpenter 
Reviewed-by: Steve Longerbeam 
Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Sasha Levin 
---
 drivers/staging/media/imx/imx-media-capture.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/media/imx/imx-media-capture.c 
b/drivers/staging/media/imx/imx-media-capture.c
index ea145bafb880a..8ff8843df5141 100644
--- a/drivers/staging/media/imx/imx-media-capture.c
+++ b/drivers/staging/media/imx/imx-media-capture.c
@@ -685,7 +685,7 @@ int imx_media_capture_device_register(struct 
imx_media_video_dev *vdev)
/* setup default format */
fmt_src.pad = priv->src_sd_pad;
fmt_src.which = V4L2_SUBDEV_FORMAT_ACTIVE;
-   v4l2_subdev_call(sd, pad, get_fmt, NULL, &fmt_src);
+   ret = v4l2_subdev_call(sd, pad, get_fmt, NULL, &fmt_src);
if (ret) {
v4l2_err(sd, "failed to get src_sd format\n");
goto unreg;
-- 
2.25.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 090/127] staging:r8188eu: avoid skb_clone for amsdu to msdu conversion

2020-09-17 Thread Sasha Levin

From: Ivan Safonov 

[ Upstream commit 628cbd971a927abe6388d44320e351c337b331e4 ]

skb clones use same data buffer,
so tail of one skb is corrupted by beginning of next skb.

Signed-off-by: Ivan Safonov 
Link: https://lore.kernel.org/r/20200423191404.12028-1-insafo...@gmail.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8188eu/core/rtw_recv.c | 19 ++-
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/drivers/staging/rtl8188eu/core/rtw_recv.c 
b/drivers/staging/rtl8188eu/core/rtw_recv.c
index afb9dadc1cfe9..77685bae21eda 100644
--- a/drivers/staging/rtl8188eu/core/rtw_recv.c
+++ b/drivers/staging/rtl8188eu/core/rtw_recv.c
@@ -1541,21 +1541,14 @@ static int amsdu_to_msdu(struct adapter *padapter, 
struct recv_frame *prframe)
 
/* Allocate new skb for releasing to upper layer */
sub_skb = dev_alloc_skb(nSubframe_Length + 12);
-   if (sub_skb) {
-   skb_reserve(sub_skb, 12);
-   skb_put_data(sub_skb, pdata, nSubframe_Length);
-   } else {
-   sub_skb = skb_clone(prframe->pkt, GFP_ATOMIC);
-   if (sub_skb) {
-   sub_skb->data = pdata;
-   sub_skb->len = nSubframe_Length;
-   skb_set_tail_pointer(sub_skb, nSubframe_Length);
-   } else {
-   DBG_88E("skb_clone() Fail!!! , 
nr_subframes=%d\n", nr_subframes);
-   break;
-   }
+   if (!sub_skb) {
+   DBG_88E("dev_alloc_skb() Fail!!! , nr_subframes=%d\n", 
nr_subframes);
+   break;
}
 
+   skb_reserve(sub_skb, 12);
+   skb_put_data(sub_skb, pdata, nSubframe_Length);
+
subframes[nr_subframes++] = sub_skb;
 
if (nr_subframes >= MAX_SUBFRAME_COUNT) {
-- 
2.25.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.9 029/111] media: atomisp: fix memleak in ia_css_stream_create

2020-10-18 Thread Sasha Levin

From: Dinghao Liu 

[ Upstream commit c1bca5b5ced0cbd779d56f60cdbc9f5e6f6449fe ]

When aspect_ratio_crop_init() fails, curr_stream needs
to be freed just like what we've done in the following
error paths. However, current code is returning directly
and ends up leaking memory.

Signed-off-by: Dinghao Liu 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Sasha Levin 
---
 drivers/staging/media/atomisp/pci/sh_css.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/media/atomisp/pci/sh_css.c 
b/drivers/staging/media/atomisp/pci/sh_css.c
index a68cbb4995f0f..33a0f8ff82aa8 100644
--- a/drivers/staging/media/atomisp/pci/sh_css.c
+++ b/drivers/staging/media/atomisp/pci/sh_css.c
@@ -9521,7 +9521,7 @@ ia_css_stream_create(const struct ia_css_stream_config 
*stream_config,
if (err)
{
IA_CSS_LEAVE_ERR(err);
-   return err;
+   goto ERR;
}
 #endif
for (i = 0; i < num_pipes; i++)
-- 
2.25.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.9 039/111] staging: wfx: fix handling of MMIC error

2020-10-18 Thread Sasha Levin

From: Jérôme Pouiller 

[ Upstream commit 8d350c14ee5eb62ecd40b0991248bfbce511954d ]

As expected, when the device detect a MMIC error, it returns a specific
status. However, it also strip IV from the frame (don't ask me why).

So, with the current code, mac80211 detects a corrupted frame and it
drops it before it handle the MMIC error. The expected behavior would be
to detect MMIC error then to renegotiate the EAP session.

So, this patch correctly informs mac80211 that IV is not available. So,
mac80211 correctly takes into account the MMIC error.

Signed-off-by: Jérôme Pouiller 
Link: 
https://lore.kernel.org/r/20201007101943.749898-2-jerome.pouil...@silabs.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/wfx/data_rx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/wfx/data_rx.c b/drivers/staging/wfx/data_rx.c
index 6fb0788807426..81c37ec0f2834 100644
--- a/drivers/staging/wfx/data_rx.c
+++ b/drivers/staging/wfx/data_rx.c
@@ -41,7 +41,7 @@ void wfx_rx_cb(struct wfx_vif *wvif,
memset(hdr, 0, sizeof(*hdr));
 
if (arg->status == HIF_STATUS_RX_FAIL_MIC)
-   hdr->flag |= RX_FLAG_MMIC_ERROR;
+   hdr->flag |= RX_FLAG_MMIC_ERROR | RX_FLAG_IV_STRIPPED;
else if (arg->status)
goto drop;
 
-- 
2.25.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.8 037/101] staging: wfx: fix handling of MMIC error

2020-10-18 Thread Sasha Levin

From: Jérôme Pouiller 

[ Upstream commit 8d350c14ee5eb62ecd40b0991248bfbce511954d ]

As expected, when the device detect a MMIC error, it returns a specific
status. However, it also strip IV from the frame (don't ask me why).

So, with the current code, mac80211 detects a corrupted frame and it
drops it before it handle the MMIC error. The expected behavior would be
to detect MMIC error then to renegotiate the EAP session.

So, this patch correctly informs mac80211 that IV is not available. So,
mac80211 correctly takes into account the MMIC error.

Signed-off-by: Jérôme Pouiller 
Link: 
https://lore.kernel.org/r/20201007101943.749898-2-jerome.pouil...@silabs.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/wfx/data_rx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/wfx/data_rx.c b/drivers/staging/wfx/data_rx.c
index 0e959ebc38b56..a9fb5165b33d9 100644
--- a/drivers/staging/wfx/data_rx.c
+++ b/drivers/staging/wfx/data_rx.c
@@ -80,7 +80,7 @@ void wfx_rx_cb(struct wfx_vif *wvif,
goto drop;
 
if (arg->status == HIF_STATUS_RX_FAIL_MIC)
-   hdr->flag |= RX_FLAG_MMIC_ERROR;
+   hdr->flag |= RX_FLAG_MMIC_ERROR | RX_FLAG_IV_STRIPPED;
else if (arg->status)
goto drop;
 
-- 
2.25.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.8 028/101] media: atomisp: fix memleak in ia_css_stream_create

2020-10-18 Thread Sasha Levin

From: Dinghao Liu 

[ Upstream commit c1bca5b5ced0cbd779d56f60cdbc9f5e6f6449fe ]

When aspect_ratio_crop_init() fails, curr_stream needs
to be freed just like what we've done in the following
error paths. However, current code is returning directly
and ends up leaking memory.

Signed-off-by: Dinghao Liu 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Sasha Levin 
---
 drivers/staging/media/atomisp/pci/sh_css.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/media/atomisp/pci/sh_css.c 
b/drivers/staging/media/atomisp/pci/sh_css.c
index 54434c2dbaf90..8473e14370747 100644
--- a/drivers/staging/media/atomisp/pci/sh_css.c
+++ b/drivers/staging/media/atomisp/pci/sh_css.c
@@ -9521,7 +9521,7 @@ ia_css_stream_create(const struct ia_css_stream_config 
*stream_config,
if (err)
{
IA_CSS_LEAVE_ERR(err);
-   return err;
+   goto ERR;
}
 #endif
for (i = 0; i < num_pipes; i++)
-- 
2.25.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.9 045/147] staging: wfx: fix potential use before init

2020-10-26 Thread Sasha Levin

From: Jérôme Pouiller 

[ Upstream commit ce3653a8d3db096aa163fc80239d8ec1305c81fa ]

The trace below can appear:

[83613.832200] INFO: trying to register non-static key.
[83613.837248] the code is fine but needs lockdep annotation.
[83613.842808] turning off the locking correctness validator.
[83613.848375] CPU: 3 PID: 141 Comm: kworker/3:2H Tainted: G   O
  5.6.13-silabs15 #2
[83613.857019] Hardware name: BCM2835
[83613.860605] Workqueue: events_highpri bh_work [wfx]
[83613.865552] Backtrace:
[83613.868041] [] (dump_backtrace) from [] 
(show_stack+0x20/0x24)
[83613.881463] [] (show_stack) from [] 
(dump_stack+0xe8/0x114)
[83613.82] [] (dump_stack) from [] 
(register_lock_class+0x748/0x768)
[83613.905035] [] (register_lock_class) from [] 
(__lock_acquire+0x88/0x13dc)
[83613.924192] [] (__lock_acquire) from [] 
(lock_acquire+0xe8/0x274)
[83613.942644] [] (lock_acquire) from [] 
(_raw_spin_lock_irqsave+0x58/0x6c)
[83613.961714] [] (_raw_spin_lock_irqsave) from [] 
(skb_dequeue+0x24/0x78)
[83613.974967] [] (skb_dequeue) from [] 
(wfx_tx_queues_get+0x96c/0x1294 [wfx])
[83613.989728] [] (wfx_tx_queues_get [wfx]) from [] 
(bh_work+0x454/0x26d8 [wfx])
[83614.009337] [] (bh_work [wfx]) from [] 
(process_one_work+0x23c/0x7ec)
[83614.028141] [] (process_one_work) from [] 
(worker_thread+0x4c/0x55c)
[83614.046861] [] (worker_thread) from [] 
(kthread+0x138/0x168)
[83614.064876] [] (kthread) from [] 
(ret_from_fork+0x14/0x20)
[83614.072200] Exception stack(0xecad3fb0 to 0xecad3ff8)
[83614.077323] 3fa0:   
 
[83614.085620] 3fc0:       
 
[83614.093914] 3fe0:     0013 

Indeed, the code of wfx_add_interface() shows that the interface is
enabled to early. So, the spinlock associated with some skb_queue may
not yet initialized when wfx_tx_queues_get() is called.

Signed-off-by: Jérôme Pouiller 
Link: 
https://lore.kernel.org/r/20200825085828.399505-8-jerome.pouil...@silabs.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/wfx/sta.c | 28 ++--
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/drivers/staging/wfx/sta.c b/drivers/staging/wfx/sta.c
index 4e30ab17a93d4..b96c83671caeb 100644
--- a/drivers/staging/wfx/sta.c
+++ b/drivers/staging/wfx/sta.c
@@ -760,17 +760,6 @@ int wfx_add_interface(struct ieee80211_hw *hw, struct 
ieee80211_vif *vif)
return -EOPNOTSUPP;
}
 
-   for (i = 0; i < ARRAY_SIZE(wdev->vif); i++) {
-   if (!wdev->vif[i]) {
-   wdev->vif[i] = vif;
-   wvif->id = i;
-   break;
-   }
-   }
-   if (i == ARRAY_SIZE(wdev->vif)) {
-   mutex_unlock(&wdev->conf_mutex);
-   return -EOPNOTSUPP;
-   }
// FIXME: prefer use of container_of() to get vif
wvif->vif = vif;
wvif->wdev = wdev;
@@ -787,12 +776,22 @@ int wfx_add_interface(struct ieee80211_hw *hw, struct 
ieee80211_vif *vif)
init_completion(&wvif->scan_complete);
INIT_WORK(&wvif->scan_work, wfx_hw_scan_work);
 
-   mutex_unlock(&wdev->conf_mutex);
+   wfx_tx_queues_init(wvif);
+   wfx_tx_policy_init(wvif);
+
+   for (i = 0; i < ARRAY_SIZE(wdev->vif); i++) {
+   if (!wdev->vif[i]) {
+   wdev->vif[i] = vif;
+   wvif->id = i;
+   break;
+   }
+   }
+   WARN(i == ARRAY_SIZE(wdev->vif), "try to instantiate more vif than 
supported");
 
hif_set_macaddr(wvif, vif->addr);
 
-   wfx_tx_queues_init(wvif);
-   wfx_tx_policy_init(wvif);
+   mutex_unlock(&wdev->conf_mutex);
+
wvif = NULL;
while ((wvif = wvif_iterate(wdev, wvif)) != NULL) {
// Combo mode does not support Block Acks. We can re-enable them
@@ -824,6 +823,7 @@ void wfx_remove_interface(struct ieee80211_hw *hw, struct 
ieee80211_vif *vif)
wvif->vif = NULL;
 
mutex_unlock(&wdev->conf_mutex);
+
wvif = NULL;
while ((wvif = wvif_iterate(wdev, wvif)) != NULL) {
// Combo mode does not support Block Acks. We can re-enable them
-- 
2.25.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.9 19/30] bus/fsl_mc: Do not rely on caller to provide non NULL mc_io

2020-10-26 Thread Sasha Levin

From: Diana Craciun 

[ Upstream commit 5026cf605143e764e1785bbf9158559d17f8d260 ]

Before destroying the mc_io, check first that it was
allocated.

Reviewed-by: Laurentiu Tudor 
Acked-by: Laurentiu Tudor 
Signed-off-by: Diana Craciun 
Link: 
https://lore.kernel.org/r/20200929085441.17448-11-diana.crac...@oss.nxp.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/fsl-mc/bus/mc-io.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/fsl-mc/bus/mc-io.c 
b/drivers/staging/fsl-mc/bus/mc-io.c
index 798c965fe2033..3fa6774946fae 100644
--- a/drivers/staging/fsl-mc/bus/mc-io.c
+++ b/drivers/staging/fsl-mc/bus/mc-io.c
@@ -167,7 +167,12 @@ int __must_check fsl_create_mc_io(struct device *dev,
  */
 void fsl_destroy_mc_io(struct fsl_mc_io *mc_io)
 {
-   struct fsl_mc_device *dpmcp_dev = mc_io->dpmcp_dev;
+   struct fsl_mc_device *dpmcp_dev;
+
+   if (!mc_io)
+   return;
+
+   dpmcp_dev = mc_io->dpmcp_dev;
 
if (dpmcp_dev)
fsl_mc_io_unset_dpmcp(mc_io);
-- 
2.25.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 16/46] usb: typec: tcpm: During PR_SWAP, source caps should be sent only after tSwapSourceStart

2020-10-26 Thread Sasha Levin

From: Badhri Jagan Sridharan 

[ Upstream commit 6bbe2a90a0bb4af8dd99c3565e907fe9b5e7fd88 ]

The patch addresses the compliance test failures while running
TD.PD.CP.E3, TD.PD.CP.E4, TD.PD.CP.E5 of the "Deterministic PD
Compliance MOI" test plan published in https://www.usb.org/usbc.
For a product to be Type-C compliant, it's expected that these tests
are run on usb.org certified Type-C compliance tester as mentioned in
https://www.usb.org/usbc.

The purpose of the tests TD.PD.CP.E3, TD.PD.CP.E4, TD.PD.CP.E5 is to
verify the PR_SWAP response of the device. While doing so, the test
asserts that Source Capabilities message is NOT received from the test
device within tSwapSourceStart min (20 ms) from the time the last bit
of GoodCRC corresponding to the RS_RDY message sent by the UUT was
sent. If it does then the test fails.

This is in line with the requirements from the USB Power Delivery
Specification Revision 3.0, Version 1.2:
"6.6.8.1 SwapSourceStartTimer
The SwapSourceStartTimer Shall be used by the new Source, after a
Power Role Swap or Fast Role Swap, to ensure that it does not send
Source_Capabilities Message before the new Sink is ready to receive
the
Source_Capabilities Message. The new Source Shall Not send the
Source_Capabilities Message earlier than tSwapSourceStart after the
last bit of the EOP of GoodCRC Message sent in response to the PS_RDY
Message sent by the new Source indicating that its power supply is
ready."

The patch makes sure that TCPM does not send the Source_Capabilities
Message within tSwapSourceStart(20ms) by transitioning into
SRC_STARTUP only after  tSwapSourceStart(20ms).

Signed-off-by: Badhri Jagan Sridharan 
Reviewed-by: Guenter Roeck 
Reviewed-by: Heikki Krogerus 
Link: https://lore.kernel.org/r/20200817183828.1895015-1-bad...@google.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/typec/pd.h   | 1 +
 drivers/staging/typec/tcpm.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/typec/pd.h b/drivers/staging/typec/pd.h
index 30b32ad72acd7..a18ab898fa668 100644
--- a/drivers/staging/typec/pd.h
+++ b/drivers/staging/typec/pd.h
@@ -280,6 +280,7 @@ static inline unsigned int rdo_max_power(u32 rdo)
 #define PD_T_ERROR_RECOVERY100 /* minimum 25 is insufficient */
 #define PD_T_SRCSWAPSTDBY  625 /* Maximum of 650ms */
 #define PD_T_NEWSRC250 /* Maximum of 275ms */
+#define PD_T_SWAP_SRC_START20  /* Minimum of 20ms */
 
 #define PD_T_DRP_TRY   100 /* 75 - 150 ms */
 #define PD_T_DRP_TRYWAIT   600 /* 400 - 800 ms */
diff --git a/drivers/staging/typec/tcpm.c b/drivers/staging/typec/tcpm.c
index f237e31926f4c..686037a498c19 100644
--- a/drivers/staging/typec/tcpm.c
+++ b/drivers/staging/typec/tcpm.c
@@ -2741,7 +2741,7 @@ static void run_state_machine(struct tcpm_port *port)
 */
tcpm_set_pwr_role(port, TYPEC_SOURCE);
tcpm_pd_send_control(port, PD_CTRL_PS_RDY);
-   tcpm_set_state(port, SRC_STARTUP, 0);
+   tcpm_set_state(port, SRC_STARTUP, PD_T_SWAP_SRC_START);
break;
 
case VCONN_SWAP_ACCEPT:
-- 
2.25.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 29/46] bus/fsl_mc: Do not rely on caller to provide non NULL mc_io

2020-10-26 Thread Sasha Levin

From: Diana Craciun 

[ Upstream commit 5026cf605143e764e1785bbf9158559d17f8d260 ]

Before destroying the mc_io, check first that it was
allocated.

Reviewed-by: Laurentiu Tudor 
Acked-by: Laurentiu Tudor 
Signed-off-by: Diana Craciun 
Link: 
https://lore.kernel.org/r/20200929085441.17448-11-diana.crac...@oss.nxp.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/fsl-mc/bus/mc-io.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/fsl-mc/bus/mc-io.c 
b/drivers/staging/fsl-mc/bus/mc-io.c
index f65c23ce83f16..deec2d04c2dd9 100644
--- a/drivers/staging/fsl-mc/bus/mc-io.c
+++ b/drivers/staging/fsl-mc/bus/mc-io.c
@@ -166,7 +166,12 @@ int __must_check fsl_create_mc_io(struct device *dev,
  */
 void fsl_destroy_mc_io(struct fsl_mc_io *mc_io)
 {
-   struct fsl_mc_device *dpmcp_dev = mc_io->dpmcp_dev;
+   struct fsl_mc_device *dpmcp_dev;
+
+   if (!mc_io)
+   return;
+
+   dpmcp_dev = mc_io->dpmcp_dev;
 
if (dpmcp_dev)
fsl_mc_io_unset_dpmcp(mc_io);
-- 
2.25.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.9 29/35] staging: mmal-vchiq: Fix memory leak for vchiq_instance

2020-11-02 Thread Sasha Levin

From: Seung-Woo Kim 

[ Upstream commit b6ae84d648954fae096d94faea1ddb6518b27841 ]

The vchiq_instance is allocated with vchiq_initialise() but never
freed properly. Fix memory leak for the vchiq_instance.

Reported-by: Jaehoon Chung 
Signed-off-by: Seung-Woo Kim 
Link: 
https://lore.kernel.org/r/1603706150-10806-1-git-send-email-sw0312@samsung.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 .../vc04_services/vchiq-mmal/mmal-vchiq.c | 19 +++
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c 
b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
index e798d494f00ff..bbf033ca47362 100644
--- a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
+++ b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
@@ -179,6 +179,9 @@ struct vchiq_mmal_instance {
 
/* ordered workqueue to process all bulk operations */
struct workqueue_struct *bulk_wq;
+
+   /* handle for a vchiq instance */
+   struct vchiq_instance *vchiq_instance;
 };
 
 static struct mmal_msg_context *
@@ -1840,6 +1843,7 @@ int vchiq_mmal_finalise(struct vchiq_mmal_instance 
*instance)
 
mutex_unlock(&instance->vchiq_mutex);
 
+   vchiq_shutdown(instance->vchiq_instance);
flush_workqueue(instance->bulk_wq);
destroy_workqueue(instance->bulk_wq);
 
@@ -1856,6 +1860,7 @@ EXPORT_SYMBOL_GPL(vchiq_mmal_finalise);
 int vchiq_mmal_init(struct vchiq_mmal_instance **out_instance)
 {
int status;
+   int err = -ENODEV;
struct vchiq_mmal_instance *instance;
static struct vchiq_instance *vchiq_instance;
struct vchiq_service_params params = {
@@ -1890,17 +1895,21 @@ int vchiq_mmal_init(struct vchiq_mmal_instance 
**out_instance)
status = vchiq_connect(vchiq_instance);
if (status) {
pr_err("Failed to connect VCHI instance (status=%d)\n", status);
-   return -EIO;
+   err = -EIO;
+   goto err_shutdown_vchiq;
}
 
instance = kzalloc(sizeof(*instance), GFP_KERNEL);
 
-   if (!instance)
-   return -ENOMEM;
+   if (!instance) {
+   err = -ENOMEM;
+   goto err_shutdown_vchiq;
+   }
 
mutex_init(&instance->vchiq_mutex);
 
instance->bulk_scratch = vmalloc(PAGE_SIZE);
+   instance->vchiq_instance = vchiq_instance;
 
mutex_init(&instance->context_map_lock);
idr_init_base(&instance->context_map, 1);
@@ -1932,7 +1941,9 @@ int vchiq_mmal_init(struct vchiq_mmal_instance 
**out_instance)
 err_free:
vfree(instance->bulk_scratch);
kfree(instance);
-   return -ENODEV;
+err_shutdown_vchiq:
+   vchiq_shutdown(vchiq_instance);
+   return err;
 }
 EXPORT_SYMBOL_GPL(vchiq_mmal_init);
 
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.9 07/33] staging: ralink-gdma: fix kconfig dependency bug for DMA_RALINK

2020-11-25 Thread Sasha Levin

From: Necip Fazil Yildiran 

[ Upstream commit 06ea594051707c6b8834ef5b24e9b0730edd391b ]

When DMA_RALINK is enabled and DMADEVICES is disabled, it results in the
following Kbuild warnings:

WARNING: unmet direct dependencies detected for DMA_ENGINE
  Depends on [n]: DMADEVICES [=n]
  Selected by [y]:
  - DMA_RALINK [=y] && STAGING [=y] && RALINK [=y] && !SOC_RT288X [=n]

WARNING: unmet direct dependencies detected for DMA_VIRTUAL_CHANNELS
  Depends on [n]: DMADEVICES [=n]
  Selected by [y]:
  - DMA_RALINK [=y] && STAGING [=y] && RALINK [=y] && !SOC_RT288X [=n]

The reason is that DMA_RALINK selects DMA_ENGINE and DMA_VIRTUAL_CHANNELS
without depending on or selecting DMADEVICES while DMA_ENGINE and
DMA_VIRTUAL_CHANNELS are subordinate to DMADEVICES. This can also fail
building the kernel as demonstrated in a bug report.

Honor the kconfig dependency to remove unmet direct dependency warnings
and avoid any potential build failures.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=210055
Signed-off-by: Necip Fazil Yildiran 
Link: https://lore.kernel.org/r/20201104181522.43567-1-fazilyildi...@gmail.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/ralink-gdma/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/ralink-gdma/Kconfig 
b/drivers/staging/ralink-gdma/Kconfig
index 54e8029e6b1af..0017376234e28 100644
--- a/drivers/staging/ralink-gdma/Kconfig
+++ b/drivers/staging/ralink-gdma/Kconfig
@@ -2,6 +2,7 @@
 config DMA_RALINK
tristate "RALINK DMA support"
depends on RALINK && !SOC_RT288X
+   depends on DMADEVICES
select DMA_ENGINE
select DMA_VIRTUAL_CHANNELS
 
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.4 07/23] staging: ralink-gdma: fix kconfig dependency bug for DMA_RALINK

2020-11-25 Thread Sasha Levin

From: Necip Fazil Yildiran 

[ Upstream commit 06ea594051707c6b8834ef5b24e9b0730edd391b ]

When DMA_RALINK is enabled and DMADEVICES is disabled, it results in the
following Kbuild warnings:

WARNING: unmet direct dependencies detected for DMA_ENGINE
  Depends on [n]: DMADEVICES [=n]
  Selected by [y]:
  - DMA_RALINK [=y] && STAGING [=y] && RALINK [=y] && !SOC_RT288X [=n]

WARNING: unmet direct dependencies detected for DMA_VIRTUAL_CHANNELS
  Depends on [n]: DMADEVICES [=n]
  Selected by [y]:
  - DMA_RALINK [=y] && STAGING [=y] && RALINK [=y] && !SOC_RT288X [=n]

The reason is that DMA_RALINK selects DMA_ENGINE and DMA_VIRTUAL_CHANNELS
without depending on or selecting DMADEVICES while DMA_ENGINE and
DMA_VIRTUAL_CHANNELS are subordinate to DMADEVICES. This can also fail
building the kernel as demonstrated in a bug report.

Honor the kconfig dependency to remove unmet direct dependency warnings
and avoid any potential build failures.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=210055
Signed-off-by: Necip Fazil Yildiran 
Link: https://lore.kernel.org/r/20201104181522.43567-1-fazilyildi...@gmail.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/ralink-gdma/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/ralink-gdma/Kconfig 
b/drivers/staging/ralink-gdma/Kconfig
index 54e8029e6b1af..0017376234e28 100644
--- a/drivers/staging/ralink-gdma/Kconfig
+++ b/drivers/staging/ralink-gdma/Kconfig
@@ -2,6 +2,7 @@
 config DMA_RALINK
tristate "RALINK DMA support"
depends on RALINK && !SOC_RT288X
+   depends on DMADEVICES
select DMA_ENGINE
select DMA_VIRTUAL_CHANNELS
 
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 8/9] soc: fsl: dpio: Get the cpumask through cpumask_of(cpu)

2020-12-03 Thread Sasha Levin

From: Hao Si 

[ Upstream commit 2663b3388551230cbc4606a40fabf3331ceb59e4 ]

The local variable 'cpumask_t mask' is in the stack memory, and its address
is assigned to 'desc->affinity' in 'irq_set_affinity_hint()'.
But the memory area where this variable is located is at risk of being
modified.

During LTP testing, the following error was generated:

Unable to handle kernel paging request at virtual address 12e9b790
Mem abort info:
  ESR = 0x9607
  Exception class = DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
Data abort info:
  ISV = 0, ISS = 0x0007
  CM = 0, WnR = 0
swapper pgtable: 4k pages, 48-bit VAs, pgdp = 75ac5e07
[12e9b790] pgd=0027dbffe003, pud=0027dbffd003,
pmd=0027b6d61003, pte=
Internal error: Oops: 9607 [#1] PREEMPT SMP
Modules linked in: xt_conntrack
Process read_all (pid: 20171, stack limit = 0x44ea4095)
CPU: 14 PID: 20171 Comm: read_all Tainted: GB   W
Hardware name: NXP Layerscape LX2160ARDB (DT)
pstate: 8085 (Nzcv daIf -PAN -UAO)
pc : irq_affinity_hint_proc_show+0x54/0xb0
lr : irq_affinity_hint_proc_show+0x4c/0xb0
sp : 1138bc10
x29: 1138bc10 x28: d131d1e0
x27: 007000c0 x26: 8025b9480dc0
x25: 8025b9480da8 x24: 03ff
x23: 8027334f8300 x22: 80272e97d000
x21: 80272e97d0b0 x20: 8025b9480d80
x19: 09a49000 x18: 
x17:  x16: 
x15:  x14: 
x13:  x12: 0040
x11:  x10: 802735b79b88
x9 :  x8 : 
x7 : 09a49848 x6 : 0003
x5 :  x4 : 08157d6c
x3 : 1138bc10 x2 : 12e9b790
x1 :  x0 : 
Call trace:
 irq_affinity_hint_proc_show+0x54/0xb0
 seq_read+0x1b0/0x440
 proc_reg_read+0x80/0xd8
 __vfs_read+0x60/0x178
 vfs_read+0x94/0x150
 ksys_read+0x74/0xf0
 __arm64_sys_read+0x24/0x30
 el0_svc_common.constprop.0+0xd8/0x1a0
 el0_svc_handler+0x34/0x88
 el0_svc+0x10/0x14
Code: f9001bbf 943e0732 f94066c2 b462 (f9400041)
---[ end trace b495bdcb0b3b732b ]---
Kernel panic - not syncing: Fatal exception
SMP: stopping secondary CPUs
SMP: failed to stop secondary CPUs 0,2-4,6,8,11,13-15
Kernel Offset: disabled
CPU features: 0x0,21006008
Memory Limit: none
---[ end Kernel panic - not syncing: Fatal exception ]---

Fix it by using 'cpumask_of(cpu)' to get the cpumask.

Signed-off-by: Hao Si 
Signed-off-by: Lin Chen 
Signed-off-by: Yi Wang 
Signed-off-by: Li Yang 
Signed-off-by: Sasha Levin 
---
 drivers/staging/fsl-mc/bus/dpio/dpio-driver.c | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/staging/fsl-mc/bus/dpio/dpio-driver.c 
b/drivers/staging/fsl-mc/bus/dpio/dpio-driver.c
index e36da20a2796b..e7856a9e685f4 100644
--- a/drivers/staging/fsl-mc/bus/dpio/dpio-driver.c
+++ b/drivers/staging/fsl-mc/bus/dpio/dpio-driver.c
@@ -77,7 +77,6 @@ static int register_dpio_irq_handlers(struct fsl_mc_device 
*dpio_dev, int cpu)
struct dpio_priv *priv;
int error;
struct fsl_mc_device_irq *irq;
-   cpumask_t mask;
 
priv = dev_get_drvdata(&dpio_dev->dev);
 
@@ -96,9 +95,7 @@ static int register_dpio_irq_handlers(struct fsl_mc_device 
*dpio_dev, int cpu)
}
 
/* set the affinity hint */
-   cpumask_clear(&mask);
-   cpumask_set_cpu(cpu, &mask);
-   if (irq_set_affinity_hint(irq->msi_desc->irq, &mask))
+   if (irq_set_affinity_hint(irq->msi_desc->irq, cpumask_of(cpu)))
dev_err(&dpio_dev->dev,
"irq_set_affinity failed irq %d cpu %d\n",
irq->msi_desc->irq, cpu);
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.9 15/23] scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()

2020-12-12 Thread Sasha Levin

From: "Andrea Parri (Microsoft)" 

[ Upstream commit 3b8c72d076c42bf27284cda7b2b2b522810686f8 ]

Check that the packet is of the expected size at least, don't copy data
past the packet.

Link: https://lore.kernel.org/r/20201118145348.109879-1-parri.and...@gmail.com
Cc: "James E.J. Bottomley" 
Cc: "Martin K. Petersen" 
Cc: linux-s...@vger.kernel.org
Reported-by: Saruhan Karademir 
Signed-off-by: Andrea Parri (Microsoft) 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Sasha Levin 
---
 drivers/scsi/storvsc_drv.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 8f5f5dc863a4a..6779ee4edfee3 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1246,6 +1246,11 @@ static void storvsc_on_channel_callback(void *context)
request = (struct storvsc_cmd_request *)
((unsigned long)desc->trans_id);
 
+   if (hv_pkt_datalen(desc) < sizeof(struct vstor_packet) - 
vmscsi_size_delta) {
+   dev_err(&device->device, "Invalid packet len\n");
+   continue;
+   }
+
if (request == &stor_device->init_request ||
request == &stor_device->reset_request) {
memcpy(&request->vstor_packet, packet,
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.4 08/14] scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()

2020-12-12 Thread Sasha Levin

From: "Andrea Parri (Microsoft)" 

[ Upstream commit 3b8c72d076c42bf27284cda7b2b2b522810686f8 ]

Check that the packet is of the expected size at least, don't copy data
past the packet.

Link: https://lore.kernel.org/r/20201118145348.109879-1-parri.and...@gmail.com
Cc: "James E.J. Bottomley" 
Cc: "Martin K. Petersen" 
Cc: linux-s...@vger.kernel.org
Reported-by: Saruhan Karademir 
Signed-off-by: Andrea Parri (Microsoft) 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Sasha Levin 
---
 drivers/scsi/storvsc_drv.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 5087ed6afbdc3..9f78630e332f9 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1170,6 +1170,11 @@ static void storvsc_on_channel_callback(void *context)
request = (struct storvsc_cmd_request *)
((unsigned long)desc->trans_id);
 
+   if (hv_pkt_datalen(desc) < sizeof(struct vstor_packet) - 
vmscsi_size_delta) {
+   dev_err(&device->device, "Invalid packet len\n");
+   continue;
+   }
+
if (request == &stor_device->init_request ||
request == &stor_device->reset_request) {
memcpy(&request->vstor_packet, packet,
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.19 7/9] scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()

2020-12-12 Thread Sasha Levin

From: "Andrea Parri (Microsoft)" 

[ Upstream commit 3b8c72d076c42bf27284cda7b2b2b522810686f8 ]

Check that the packet is of the expected size at least, don't copy data
past the packet.

Link: https://lore.kernel.org/r/20201118145348.109879-1-parri.and...@gmail.com
Cc: "James E.J. Bottomley" 
Cc: "Martin K. Petersen" 
Cc: linux-s...@vger.kernel.org
Reported-by: Saruhan Karademir 
Signed-off-by: Andrea Parri (Microsoft) 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Sasha Levin 
---
 drivers/scsi/storvsc_drv.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 0c2ba075bc713..d6ccfcdbc323f 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1181,6 +1181,11 @@ static void storvsc_on_channel_callback(void *context)
request = (struct storvsc_cmd_request *)
((unsigned long)desc->trans_id);
 
+   if (hv_pkt_datalen(desc) < sizeof(struct vstor_packet) - 
vmscsi_size_delta) {
+   dev_err(&device->device, "Invalid packet len\n");
+   continue;
+   }
+
if (request == &stor_device->init_request ||
request == &stor_device->reset_request) {
memcpy(&request->vstor_packet, packet,
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 6/8] scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()

2020-12-12 Thread Sasha Levin

From: "Andrea Parri (Microsoft)" 

[ Upstream commit 3b8c72d076c42bf27284cda7b2b2b522810686f8 ]

Check that the packet is of the expected size at least, don't copy data
past the packet.

Link: https://lore.kernel.org/r/20201118145348.109879-1-parri.and...@gmail.com
Cc: "James E.J. Bottomley" 
Cc: "Martin K. Petersen" 
Cc: linux-s...@vger.kernel.org
Reported-by: Saruhan Karademir 
Signed-off-by: Andrea Parri (Microsoft) 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Sasha Levin 
---
 drivers/scsi/storvsc_drv.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 5adeb1e4b1869..2e0d8566dedba 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1179,6 +1179,11 @@ static void storvsc_on_channel_callback(void *context)
request = (struct storvsc_cmd_request *)
((unsigned long)desc->trans_id);
 
+   if (hv_pkt_datalen(desc) < sizeof(struct vstor_packet) - 
vmscsi_size_delta) {
+   dev_err(&device->device, "Invalid packet len\n");
+   continue;
+   }
+
if (request == &stor_device->init_request ||
request == &stor_device->reset_request) {
memcpy(&request->vstor_packet, packet,
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH AUTOSEL 5.9 15/23] scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()

2020-12-13 Thread Sasha Levin


On Sat, Dec 12, 2020 at 07:09:01PM +0100, Andrea Parri wrote:

Hi Sasha,

On Sat, Dec 12, 2020 at 11:07:56AM -0500, Sasha Levin wrote:

From: "Andrea Parri (Microsoft)" 

[ Upstream commit 3b8c72d076c42bf27284cda7b2b2b522810686f8 ]


FYI, we found that this commit introduced a regression and posted a
revert:

 https://lkml.kernel.org/r/20201211131404.21359-1-parri.and...@gmail.com

Same comment for the AUTOSEL 5.4, 4.19 and 4.14 you've just posted.


I'll drop those, thanks!

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH AUTOSEL 5.9 15/23] scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()

2020-12-14 Thread Sasha Levin

On Mon, Dec 14, 2020 at 08:06:25AM -0500, Konstantin Ryabitsev wrote:

On Mon, Dec 14, 2020 at 02:07:11PM +0300, Dan Carpenter wrote:

On Sat, Dec 12, 2020 at 07:09:01PM +0100, Andrea Parri wrote:
> Hi Sasha,
>
> On Sat, Dec 12, 2020 at 11:07:56AM -0500, Sasha Levin wrote:
> > From: "Andrea Parri (Microsoft)" 
> >
> > [ Upstream commit 3b8c72d076c42bf27284cda7b2b2b522810686f8 ]
>
> FYI, we found that this commit introduced a regression and posted a
> revert:
>
>   https://lkml.kernel.org/r/20201211131404.21359-1-parri.and...@gmail.com
>
> Same comment for the AUTOSEL 5.4, 4.19 and 4.14 you've just posted.
>

Konstantin, is there anyway we could make searching lore.kernel.org
search all the mailing lists?  Right now we can only search one mailing
list at a time.

This functionality is coming in the next version of public-inbox and
should be available on lore.kernel.org within the next little while.

That's a good idea Dan; I had something running on linux-next, but I
guess it's not enough and cases such as these sneak in.

I wrote a script to do what you've suggested by simply cloning the repos
on erol.kernel.org locally and then doing a simple search for the
"Fixes:" and revert patterns.

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.10 038/217] staging: ks7010: fix missing destroy_workqueue() on error in ks7010_sdio_probe

2020-12-22 Thread Sasha Levin

From: Qinglang Miao 

[ Upstream commit d1e7550ad081fa5e9260f636dd51e1c496e0fd5f ]

Add the missing destroy_workqueue() before return from
ks7010_sdio_probe in the error handling case.

Signed-off-by: Qinglang Miao 
Link: https://lore.kernel.org/r/20201028091552.136445-1-miaoqingl...@huawei.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/ks7010/ks7010_sdio.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/ks7010/ks7010_sdio.c 
b/drivers/staging/ks7010/ks7010_sdio.c
index 78dc8beeae98e..cbc0032c16045 100644
--- a/drivers/staging/ks7010/ks7010_sdio.c
+++ b/drivers/staging/ks7010/ks7010_sdio.c
@@ -1029,10 +1029,12 @@ static int ks7010_sdio_probe(struct sdio_func *func,
 
ret = register_netdev(priv->net_dev);
if (ret)
-   goto err_free_netdev;
+   goto err_destroy_wq;
 
return 0;
 
+ err_destroy_wq:
+   destroy_workqueue(priv->wq);
  err_free_netdev:
free_netdev(netdev);
  err_release_irq:
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.10 039/217] staging: rtl8192u: fix wrong judgement in rtl8192_rx_isr

2020-12-22 Thread Sasha Levin

From: Zhang Qilong 

[ Upstream commit 071dc1787a2f8bb636f864c1f306280deea3b1d5 ]

The 'EPERM' cannot appear in the previous path, we
should use '-EPERM' to check it. For example:

Call trace:
->rtl8192_rx_isr
->usb_submit_urb
   ->usb_hcd_submit_urb
   ->rh_urb_enqueue
   ->rh_queue_status
   ->usb_hcd_link_urb_to_ep

Signed-off-by: Zhang Qilong 
Link: https://lore.kernel.org/r/20201028122648.47959-1-zhangqilo...@huawei.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8192u/r8192U_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8192u/r8192U_core.c 
b/drivers/staging/rtl8192u/r8192U_core.c
index 27dc181c4c9b6..93676af986290 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -867,7 +867,7 @@ static void rtl8192_rx_isr(struct urb *urb)
urb->context = skb;
skb_queue_tail(&priv->rx_queue, skb);
err = usb_submit_urb(urb, GFP_ATOMIC);
-   if (err && err != EPERM)
+   if (err && err != -EPERM)
netdev_err(dev,
   "can not submit rxurb, err is %x, URB status is 
%x\n",
   err, urb->status);
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.10 062/217] binder: change error code from postive to negative in binder_transaction

2020-12-22 Thread Sasha Levin

From: Zhang Qilong 

[ Upstream commit 88f6c77927e4aee04e0193fd94e13a55753a72b0 ]

Depending on the context, the error return value
here (extra_buffers_size < added_size) should be
negative.

Acked-by: Martijn Coenen 
Acked-by: Christian Brauner 
Signed-off-by: Zhang Qilong 
Link: https://lore.kernel.org/r/20201026110314.135481-1-zhangqilo...@huawei.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/android/binder.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index b5117576792bc..8bbfb9124fa29 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3103,7 +3103,7 @@ static void binder_transaction(struct binder_proc *proc,
if (extra_buffers_size < added_size) {
/* integer overflow of extra_buffers_size */
return_error = BR_FAILED_REPLY;
-   return_error_param = EINVAL;
+   return_error_param = -EINVAL;
return_error_line = __LINE__;
goto err_bad_extra_size;
}
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.4 017/130] staging: rtl8192u: fix wrong judgement in rtl8192_rx_isr

2020-12-22 Thread Sasha Levin

From: Zhang Qilong 

[ Upstream commit 071dc1787a2f8bb636f864c1f306280deea3b1d5 ]

The 'EPERM' cannot appear in the previous path, we
should use '-EPERM' to check it. For example:

Call trace:
->rtl8192_rx_isr
->usb_submit_urb
   ->usb_hcd_submit_urb
   ->rh_urb_enqueue
   ->rh_queue_status
   ->usb_hcd_link_urb_to_ep

Signed-off-by: Zhang Qilong 
Link: https://lore.kernel.org/r/20201028122648.47959-1-zhangqilo...@huawei.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8192u/r8192U_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8192u/r8192U_core.c 
b/drivers/staging/rtl8192u/r8192U_core.c
index ddc09616248a5..56655a0b16906 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -883,7 +883,7 @@ static void rtl8192_rx_isr(struct urb *urb)
urb->context = skb;
skb_queue_tail(&priv->rx_queue, skb);
err = usb_submit_urb(urb, GFP_ATOMIC);
-   if (err && err != EPERM)
+   if (err && err != -EPERM)
netdev_err(dev,
   "can not submit rxurb, err is %x, URB status is 
%x\n",
   err, urb->status);
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.4 016/130] staging: ks7010: fix missing destroy_workqueue() on error in ks7010_sdio_probe

2020-12-22 Thread Sasha Levin

From: Qinglang Miao 

[ Upstream commit d1e7550ad081fa5e9260f636dd51e1c496e0fd5f ]

Add the missing destroy_workqueue() before return from
ks7010_sdio_probe in the error handling case.

Signed-off-by: Qinglang Miao 
Link: https://lore.kernel.org/r/20201028091552.136445-1-miaoqingl...@huawei.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/ks7010/ks7010_sdio.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/ks7010/ks7010_sdio.c 
b/drivers/staging/ks7010/ks7010_sdio.c
index 4b379542ecd50..bd864f9ce37ac 100644
--- a/drivers/staging/ks7010/ks7010_sdio.c
+++ b/drivers/staging/ks7010/ks7010_sdio.c
@@ -1028,10 +1028,12 @@ static int ks7010_sdio_probe(struct sdio_func *func,
 
ret = register_netdev(priv->net_dev);
if (ret)
-   goto err_free_netdev;
+   goto err_destroy_wq;
 
return 0;
 
+ err_destroy_wq:
+   destroy_workqueue(priv->wq);
  err_free_netdev:
free_netdev(netdev);
  err_release_irq:
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.4 028/130] binder: change error code from postive to negative in binder_transaction

2020-12-22 Thread Sasha Levin

From: Zhang Qilong 

[ Upstream commit 88f6c77927e4aee04e0193fd94e13a55753a72b0 ]

Depending on the context, the error return value
here (extra_buffers_size < added_size) should be
negative.

Acked-by: Martijn Coenen 
Acked-by: Christian Brauner 
Signed-off-by: Zhang Qilong 
Link: https://lore.kernel.org/r/20201026110314.135481-1-zhangqilo...@huawei.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/android/binder.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index b62b1ab6bb699..6091a3e20506d 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3107,7 +3107,7 @@ static void binder_transaction(struct binder_proc *proc,
if (extra_buffers_size < added_size) {
/* integer overflow of extra_buffers_size */
return_error = BR_FAILED_REPLY;
-   return_error_param = EINVAL;
+   return_error_param = -EINVAL;
return_error_line = __LINE__;
goto err_bad_extra_size;
}
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.19 08/87] staging: ks7010: fix missing destroy_workqueue() on error in ks7010_sdio_probe

2020-12-22 Thread Sasha Levin

From: Qinglang Miao 

[ Upstream commit d1e7550ad081fa5e9260f636dd51e1c496e0fd5f ]

Add the missing destroy_workqueue() before return from
ks7010_sdio_probe in the error handling case.

Signed-off-by: Qinglang Miao 
Link: https://lore.kernel.org/r/20201028091552.136445-1-miaoqingl...@huawei.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/ks7010/ks7010_sdio.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/ks7010/ks7010_sdio.c 
b/drivers/staging/ks7010/ks7010_sdio.c
index 74551eb717fc7..b3445a19db6f1 100644
--- a/drivers/staging/ks7010/ks7010_sdio.c
+++ b/drivers/staging/ks7010/ks7010_sdio.c
@@ -1028,10 +1028,12 @@ static int ks7010_sdio_probe(struct sdio_func *func,
 
ret = register_netdev(priv->net_dev);
if (ret)
-   goto err_free_netdev;
+   goto err_destroy_wq;
 
return 0;
 
+ err_destroy_wq:
+   destroy_workqueue(priv->wq);
  err_free_netdev:
free_netdev(netdev);
  err_release_irq:
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.19 09/87] staging: rtl8192u: fix wrong judgement in rtl8192_rx_isr

2020-12-22 Thread Sasha Levin

From: Zhang Qilong 

[ Upstream commit 071dc1787a2f8bb636f864c1f306280deea3b1d5 ]

The 'EPERM' cannot appear in the previous path, we
should use '-EPERM' to check it. For example:

Call trace:
->rtl8192_rx_isr
->usb_submit_urb
   ->usb_hcd_submit_urb
   ->rh_urb_enqueue
   ->rh_queue_status
   ->usb_hcd_link_urb_to_ep

Signed-off-by: Zhang Qilong 
Link: https://lore.kernel.org/r/20201028122648.47959-1-zhangqilo...@huawei.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8192u/r8192U_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8192u/r8192U_core.c 
b/drivers/staging/rtl8192u/r8192U_core.c
index 87244a2089763..e141a0086f8d5 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -928,7 +928,7 @@ static void rtl8192_rx_isr(struct urb *urb)
urb->context = skb;
skb_queue_tail(&priv->rx_queue, skb);
err = usb_submit_urb(urb, GFP_ATOMIC);
-   if (err && err != EPERM)
+   if (err && err != -EPERM)
netdev_err(dev,
   "can not submit rxurb, err is %x, URB status is 
%x\n",
   err, urb->status);
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 07/66] staging: ks7010: fix missing destroy_workqueue() on error in ks7010_sdio_probe

2020-12-22 Thread Sasha Levin

From: Qinglang Miao 

[ Upstream commit d1e7550ad081fa5e9260f636dd51e1c496e0fd5f ]

Add the missing destroy_workqueue() before return from
ks7010_sdio_probe in the error handling case.

Signed-off-by: Qinglang Miao 
Link: https://lore.kernel.org/r/20201028091552.136445-1-miaoqingl...@huawei.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/ks7010/ks7010_sdio.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/ks7010/ks7010_sdio.c 
b/drivers/staging/ks7010/ks7010_sdio.c
index 8cfdff198334b..46d26423d3935 100644
--- a/drivers/staging/ks7010/ks7010_sdio.c
+++ b/drivers/staging/ks7010/ks7010_sdio.c
@@ -952,10 +952,12 @@ static int ks7010_sdio_probe(struct sdio_func *func,
 
ret = register_netdev(priv->net_dev);
if (ret)
-   goto err_free_netdev;
+   goto err_destroy_wq;
 
return 0;
 
+ err_destroy_wq:
+   destroy_workqueue(priv->wq);
  err_free_netdev:
free_netdev(priv->net_dev);
card->priv = NULL;
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 08/66] staging: rtl8192u: fix wrong judgement in rtl8192_rx_isr

2020-12-22 Thread Sasha Levin

From: Zhang Qilong 

[ Upstream commit 071dc1787a2f8bb636f864c1f306280deea3b1d5 ]

The 'EPERM' cannot appear in the previous path, we
should use '-EPERM' to check it. For example:

Call trace:
->rtl8192_rx_isr
->usb_submit_urb
   ->usb_hcd_submit_urb
   ->rh_urb_enqueue
   ->rh_queue_status
   ->usb_hcd_link_urb_to_ep

Signed-off-by: Zhang Qilong 
Link: https://lore.kernel.org/r/20201028122648.47959-1-zhangqilo...@huawei.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8192u/r8192U_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8192u/r8192U_core.c 
b/drivers/staging/rtl8192u/r8192U_core.c
index b5941ae410d9a..fbeee8654781d 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -967,7 +967,7 @@ static void rtl8192_rx_isr(struct urb *urb)
urb->context = skb;
skb_queue_tail(&priv->rx_queue, skb);
err = usb_submit_urb(urb, GFP_ATOMIC);
-   if (err && err != EPERM)
+   if (err && err != -EPERM)
netdev_err(dev,
   "can not submit rxurb, err is %x, URB status is 
%x\n",
   err, urb->status);
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 57/66] USB: typec: tcpm: Fix PR_SWAP error handling

2020-12-22 Thread Sasha Levin

From: Kyle Tso 

[ Upstream commit 301a633c1b5b2caa4c4b97a83270d4a1d60c53bf ]

PD rev3.0 8.3.3.16.3.6 PE_PRS_SRC_SNK_Wait_Source_on State
The Policy Enging Shall transition to the ErrorRecovery state when the
PSSourceOnTimer times out ...

Cc: Guenter Roeck 
Cc: Heikki Krogerus 
Cc: Badhri Jagan Sridharan 
Reviewed-by: Guenter Roeck 
Acked-by: Heikki Krogerus 
Signed-off-by: Kyle Tso 
Signed-off-by: Will McVicker 
Signed-off-by: Greg Kroah-Hartman 
Link: 
https://lore.kernel.org/r/20201210160521.3417426-4-gre...@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/typec/tcpm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/typec/tcpm.c b/drivers/staging/typec/tcpm.c
index 686037a498c19..39f99a80daf73 100644
--- a/drivers/staging/typec/tcpm.c
+++ b/drivers/staging/typec/tcpm.c
@@ -2710,7 +2710,7 @@ static void run_state_machine(struct tcpm_port *port)
tcpm_set_state(port, ERROR_RECOVERY, 0);
break;
}
-   tcpm_set_state_cond(port, SNK_UNATTACHED, PD_T_PS_SOURCE_ON);
+   tcpm_set_state(port, ERROR_RECOVERY, PD_T_PS_SOURCE_ON);
break;
case PR_SWAP_SRC_SNK_SINK_ON:
tcpm_set_state(port, SNK_STARTUP, 0);
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 58/66] USB: typec: tcpm: Add a 30ms room for tPSSourceOn in PR_SWAP

2020-12-22 Thread Sasha Levin

From: Kyle Tso 

[ Upstream commit fe79d5de77204dd946cfad76a9bec23354b1a500 ]

TCPM state machine needs 20-25ms to enter the ErrorRecovery state after
tPSSourceOn timer timeouts. Change the timer from max 480ms to 450ms to
ensure that the timer complies with the Spec. In order to keep the
flexibility for other usecases using tPSSourceOn, add another timer only
for PR_SWAP.

Cc: Guenter Roeck 
Cc: Heikki Krogerus 
Cc: Badhri Jagan Sridharan 
Reviewed-by: Guenter Roeck 
Acked-by: Heikki Krogerus 
Signed-off-by: Kyle Tso 
Signed-off-by: Will McVicker 
Signed-off-by: Greg Kroah-Hartman 
Link: 
https://lore.kernel.org/r/20201210160521.3417426-5-gre...@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/typec/pd.h   | 1 +
 drivers/staging/typec/tcpm.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/typec/pd.h b/drivers/staging/typec/pd.h
index a18ab898fa668..62766585e2f98 100644
--- a/drivers/staging/typec/pd.h
+++ b/drivers/staging/typec/pd.h
@@ -270,6 +270,7 @@ static inline unsigned int rdo_max_power(u32 rdo)
 #define PD_T_DRP_SRC   30
 #define PD_T_PS_SOURCE_OFF 920
 #define PD_T_PS_SOURCE_ON  480
+#define PD_T_PS_SOURCE_ON_PRS  450 /* 390 - 480ms */
 #define PD_T_PS_HARD_RESET 30
 #define PD_T_SRC_RECOVER   760
 #define PD_T_SRC_RECOVER_MAX   1000
diff --git a/drivers/staging/typec/tcpm.c b/drivers/staging/typec/tcpm.c
index 39f99a80daf73..3a2a9d0ba720c 100644
--- a/drivers/staging/typec/tcpm.c
+++ b/drivers/staging/typec/tcpm.c
@@ -2710,7 +2710,7 @@ static void run_state_machine(struct tcpm_port *port)
tcpm_set_state(port, ERROR_RECOVERY, 0);
break;
}
-   tcpm_set_state(port, ERROR_RECOVERY, PD_T_PS_SOURCE_ON);
+   tcpm_set_state(port, ERROR_RECOVERY, PD_T_PS_SOURCE_ON_PRS);
break;
case PR_SWAP_SRC_SNK_SINK_ON:
tcpm_set_state(port, SNK_STARTUP, 0);
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.9 07/48] staging: rtl8192u: fix wrong judgement in rtl8192_rx_isr

2020-12-22 Thread Sasha Levin

From: Zhang Qilong 

[ Upstream commit 071dc1787a2f8bb636f864c1f306280deea3b1d5 ]

The 'EPERM' cannot appear in the previous path, we
should use '-EPERM' to check it. For example:

Call trace:
->rtl8192_rx_isr
->usb_submit_urb
   ->usb_hcd_submit_urb
   ->rh_urb_enqueue
   ->rh_queue_status
   ->usb_hcd_link_urb_to_ep

Signed-off-by: Zhang Qilong 
Link: https://lore.kernel.org/r/20201028122648.47959-1-zhangqilo...@huawei.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8192u/r8192U_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8192u/r8192U_core.c 
b/drivers/staging/rtl8192u/r8192U_core.c
index fa4c47c7d2166..f5e53df9d49db 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -970,7 +970,7 @@ static void rtl8192_rx_isr(struct urb *urb)
urb->context = skb;
skb_queue_tail(&priv->rx_queue, skb);
err = usb_submit_urb(urb, GFP_ATOMIC);
-   if (err && err != EPERM)
+   if (err && err != -EPERM)
netdev_err(dev,
   "can not submit rxurb, err is %x, URB status is 
%x\n",
   err, urb->status);
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.9 17/48] media: cec-core: first mark device unregistered, then wake up fhs

2020-12-22 Thread Sasha Levin

From: Hans Verkuil 

[ Upstream commit e91c255733d9bbb4978a372f44fb5ed689ccdbd1 ]

If a CEC device node is unregistered, then it should be marked as
unregistered before waking up any filehandles that are waiting for
an event.

This ensures that there is no race condition where an application can
call CEC_DQEVENT and have the ioctl return 0 instead of ENODEV.

Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Sasha Levin 
---
 drivers/staging/media/cec/cec-core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/media/cec/cec-core.c 
b/drivers/staging/media/cec/cec-core.c
index b0137e247dc9a..bb189f753c3ac 100644
--- a/drivers/staging/media/cec/cec-core.c
+++ b/drivers/staging/media/cec/cec-core.c
@@ -183,12 +183,12 @@ static void cec_devnode_unregister(struct cec_devnode 
*devnode)
mutex_unlock(&devnode->lock);
return;
}
+   devnode->registered = false;
+   devnode->unregistered = true;
 
list_for_each_entry(fh, &devnode->fhs, list)
wake_up_interruptible(&fh->wait);
 
-   devnode->registered = false;
-   devnode->unregistered = true;
mutex_unlock(&devnode->lock);
 
device_del(&devnode->dev);
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.4 06/38] staging: rtl8192u: fix wrong judgement in rtl8192_rx_isr

2020-12-22 Thread Sasha Levin

From: Zhang Qilong 

[ Upstream commit 071dc1787a2f8bb636f864c1f306280deea3b1d5 ]

The 'EPERM' cannot appear in the previous path, we
should use '-EPERM' to check it. For example:

Call trace:
->rtl8192_rx_isr
->usb_submit_urb
   ->usb_hcd_submit_urb
   ->rh_urb_enqueue
   ->rh_queue_status
   ->usb_hcd_link_urb_to_ep

Signed-off-by: Zhang Qilong 
Link: https://lore.kernel.org/r/20201028122648.47959-1-zhangqilo...@huawei.com
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 drivers/staging/rtl8192u/r8192U_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8192u/r8192U_core.c 
b/drivers/staging/rtl8192u/r8192U_core.c
index 1e0d2a33787e1..89ce39872ffec 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -1003,7 +1003,7 @@ static void rtl8192_rx_isr(struct urb *urb)
urb->context = skb;
skb_queue_tail(&priv->rx_queue, skb);
err = usb_submit_urb(urb, GFP_ATOMIC);
-   if (err && err != EPERM)
+   if (err && err != -EPERM)
netdev_err(dev,
   "can not submit rxurb, err is %x, URB status is 
%x\n",
   err, urb->status);
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 5.10 22/51] staging: spmi: hisi-spmi-controller: Fix some error handling paths

2021-01-12 Thread Sasha Levin

From: Christophe JAILLET 

[ Upstream commit 12b38ea040b3bb2a30eb9cd488376df5be7ea81f ]

IN the probe function, if an error occurs after calling
'spmi_controller_alloc()', it must be undone by a corresponding
'spmi_controller_put() call.

In the remove function, use 'spmi_controller_put(ctrl)' instead of
'kfree(ctrl)'.

While a it fix an error message
(s/spmi_add_controller/spmi_controller_add/)

Signed-off-by: Christophe JAILLET 
Link: 
https://lore.kernel.org/r/20201213151105.137731-1-christophe.jail...@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Sasha Levin 
---
 .../staging/hikey9xx/hisi-spmi-controller.c   | 21 +--
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/drivers/staging/hikey9xx/hisi-spmi-controller.c 
b/drivers/staging/hikey9xx/hisi-spmi-controller.c
index f831c43f4783f..29f226503668d 100644
--- a/drivers/staging/hikey9xx/hisi-spmi-controller.c
+++ b/drivers/staging/hikey9xx/hisi-spmi-controller.c
@@ -278,21 +278,24 @@ static int spmi_controller_probe(struct platform_device 
*pdev)
iores = platform_get_resource(pdev, IORESOURCE_MEM, 0);
if (!iores) {
dev_err(&pdev->dev, "can not get resource!\n");
-   return -EINVAL;
+   ret = -EINVAL;
+   goto err_put_controller;
}
 
spmi_controller->base = devm_ioremap(&pdev->dev, iores->start,
 resource_size(iores));
if (!spmi_controller->base) {
dev_err(&pdev->dev, "can not remap base addr!\n");
-   return -EADDRNOTAVAIL;
+   ret = -EADDRNOTAVAIL;
+   goto err_put_controller;
}
 
ret = of_property_read_u32(pdev->dev.of_node, "spmi-channel",
   &spmi_controller->channel);
if (ret) {
dev_err(&pdev->dev, "can not get channel\n");
-   return -ENODEV;
+   ret = -ENODEV;
+   goto err_put_controller;
}
 
platform_set_drvdata(pdev, spmi_controller);
@@ -309,9 +312,15 @@ static int spmi_controller_probe(struct platform_device 
*pdev)
ctrl->write_cmd = spmi_write_cmd;
 
ret = spmi_controller_add(ctrl);
-   if (ret)
-   dev_err(&pdev->dev, "spmi_add_controller failed with error 
%d!\n", ret);
+   if (ret) {
+   dev_err(&pdev->dev, "spmi_controller_add failed with error 
%d!\n", ret);
+   goto err_put_controller;
+   }
+
+   return 0;
 
+err_put_controller:
+   spmi_controller_put(ctrl);
return ret;
 }
 
@@ -320,7 +329,7 @@ static int spmi_del_controller(struct platform_device *pdev)
struct spmi_controller *ctrl = platform_get_drvdata(pdev);
 
spmi_controller_remove(ctrl);
-   kfree(ctrl);
+   spmi_controller_put(ctrl);
return 0;
 }
 
-- 
2.27.0

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.19 02/73] Input: hyper-v - fix wakeup from suspend-to-idle

2018-12-12 Thread Sasha Levin

From: Vitaly Kuznetsov 

[ Upstream commit 10f91c73cc41ceead210a905dbd196398e99c7d2 ]

It makes little sense but still possible to put Hyper-V guests into
suspend-to-idle state. To wake them up two wakeup sources were registered
in the past: hyperv-keyboard and hid-hyperv. However, since
commit eed4d47efe95 ("ACPI / sleep: Ignore spurious SCI wakeups from
suspend-to-idle") pm_wakeup_event() from these devices is ignored. Switch
to pm_wakeup_hard_event() API as these devices are actually the only
possible way to wakeup Hyper-V guests.

Fixes: eed4d47efe95 (ACPI / sleep: Ignore spurious SCI wakeups from 
suspend-to-idle)
Reviewed-by: Rafael J. Wysocki 
Acked-by: K. Y. Srinivasan 
Acked-by: Jiri Kosina 
Signed-off-by: Vitaly Kuznetsov 
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Sasha Levin 
---
 drivers/hid/hid-hyperv.c  | 2 +-
 drivers/input/serio/hyperv-keyboard.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-hyperv.c b/drivers/hid/hid-hyperv.c
index b372854cf38d..704049e62d58 100644
--- a/drivers/hid/hid-hyperv.c
+++ b/drivers/hid/hid-hyperv.c
@@ -309,7 +309,7 @@ static void mousevsc_on_receive(struct hv_device *device,
hid_input_report(input_dev->hid_device, HID_INPUT_REPORT,
 input_dev->input_buf, len, 1);
 
-   pm_wakeup_event(&input_dev->device->device, 0);
+   pm_wakeup_hard_event(&input_dev->device->device);
 
break;
default:
diff --git a/drivers/input/serio/hyperv-keyboard.c 
b/drivers/input/serio/hyperv-keyboard.c
index 47a0e81a2989..a8b9be3e28db 100644
--- a/drivers/input/serio/hyperv-keyboard.c
+++ b/drivers/input/serio/hyperv-keyboard.c
@@ -177,7 +177,7 @@ static void hv_kbd_on_receive(struct hv_device *hv_dev,
 * state because the Enter-UP can trigger a wakeup at once.
 */
if (!(info & IS_BREAK))
-   pm_wakeup_event(&hv_dev->device, 0);
+   pm_wakeup_hard_event(&hv_dev->device);
 
break;
 
-- 
2.19.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 02/41] Input: hyper-v - fix wakeup from suspend-to-idle

2018-12-12 Thread Sasha Levin

From: Vitaly Kuznetsov 

[ Upstream commit 10f91c73cc41ceead210a905dbd196398e99c7d2 ]

It makes little sense but still possible to put Hyper-V guests into
suspend-to-idle state. To wake them up two wakeup sources were registered
in the past: hyperv-keyboard and hid-hyperv. However, since
commit eed4d47efe95 ("ACPI / sleep: Ignore spurious SCI wakeups from
suspend-to-idle") pm_wakeup_event() from these devices is ignored. Switch
to pm_wakeup_hard_event() API as these devices are actually the only
possible way to wakeup Hyper-V guests.

Fixes: eed4d47efe95 (ACPI / sleep: Ignore spurious SCI wakeups from 
suspend-to-idle)
Reviewed-by: Rafael J. Wysocki 
Acked-by: K. Y. Srinivasan 
Acked-by: Jiri Kosina 
Signed-off-by: Vitaly Kuznetsov 
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Sasha Levin 
---
 drivers/hid/hid-hyperv.c  | 2 +-
 drivers/input/serio/hyperv-keyboard.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-hyperv.c b/drivers/hid/hid-hyperv.c
index 6039f071fab1..5f1de24206ab 100644
--- a/drivers/hid/hid-hyperv.c
+++ b/drivers/hid/hid-hyperv.c
@@ -309,7 +309,7 @@ static void mousevsc_on_receive(struct hv_device *device,
hid_input_report(input_dev->hid_device, HID_INPUT_REPORT,
 input_dev->input_buf, len, 1);
 
-   pm_wakeup_event(&input_dev->device->device, 0);
+   pm_wakeup_hard_event(&input_dev->device->device);
 
break;
default:
diff --git a/drivers/input/serio/hyperv-keyboard.c 
b/drivers/input/serio/hyperv-keyboard.c
index 25151d9214e0..55288a026e4e 100644
--- a/drivers/input/serio/hyperv-keyboard.c
+++ b/drivers/input/serio/hyperv-keyboard.c
@@ -177,7 +177,7 @@ static void hv_kbd_on_receive(struct hv_device *hv_dev,
 * state because the Enter-UP can trigger a wakeup at once.
 */
if (!(info & IS_BREAK))
-   pm_wakeup_event(&hv_dev->device, 0);
+   pm_wakeup_hard_event(&hv_dev->device);
 
break;
 
-- 
2.19.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels

2018-12-13 Thread Sasha Levin


On Thu, Dec 13, 2018 at 04:35:43PM +, Dexuan Cui wrote:


Before 98f4c651762c, we returned zeros for unopened channels.
With 98f4c651762c, we started to return random on-stack values.

We'd better return -EINVAL instead.

Fixes: 98f4c651762c ("hv: move ringbuffer bus attributes to dev_groups")
Cc: sta...@vger.kernel.org
Cc: K. Y. Srinivasan 
Cc: Haiyang Zhang 
Cc: Stephen Hemminger 
Signed-off-by: Dexuan Cui 


Queued up, thank you.

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH] Drivers: hv: vmbus: Check for ring when getting debug info

2018-12-18 Thread Sasha Levin


On Mon, Dec 17, 2018 at 08:16:09PM +, Dexuan Cui wrote:


fc96df16a1ce is good and can already fix the "return stack garbage" issue,
but let's also improve hv_ringbuffer_get_debuginfo(), which would silently
return stack garbage, if people forget to check channel->state or
ring_info->ring_buffer, when using the function in the future.

Having an error check in the function would eliminate the potential risk.

Add a Fixes tag to indicate the patch depdendency.

Fixes: fc96df16a1ce ("Drivers: hv: vmbus: Return -EINVAL for the sys files for 
unopened channels")
Cc: sta...@vger.kernel.org
Cc: K. Y. Srinivasan 
Cc: Haiyang Zhang 
Signed-off-by: Stephen Hemminger 
Signed-off-by: Dexuan Cui 
---

*NOTE*: the patch is based on char-misc's char-misc-linus branch.


Queued up, thank you.

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH 1/1] x86/hyper-v: Fix 'set but not used' warnings

2018-12-23 Thread Sasha Levin


On Sat, Dec 22, 2018 at 12:06:58AM +, Michael Kelley wrote:

In these two cases, a value returned by rdmsr() or rdmsrl()
is ignored. Indicate that ignoring the value is intentional, so
that with the W=1 compilation option no warning is generated.

Signed-off-by: Michael Kelley 


Queued up, thank you.

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.19 46/97] x86, hyperv: remove PCI dependency

2018-12-26 Thread Sasha Levin

From: Sinan Kaya 

[ Upstream commit c629421a990033ba539eb8585e73a2e6fa9ea631 ]

Need to be able to boot without PCI devices present.

Signed-off-by: Sinan Kaya 
Signed-off-by: Sasha Levin 
---
 drivers/hv/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hv/Kconfig b/drivers/hv/Kconfig
index 97954f575c3f..1c1a2514d6f3 100644
--- a/drivers/hv/Kconfig
+++ b/drivers/hv/Kconfig
@@ -4,7 +4,7 @@ menu "Microsoft Hyper-V guest support"
 
 config HYPERV
tristate "Microsoft Hyper-V client drivers"
-   depends on X86 && ACPI && PCI && X86_LOCAL_APIC && HYPERVISOR_GUEST
+   depends on X86 && ACPI && X86_LOCAL_APIC && HYPERVISOR_GUEST
select PARAVIRT
help
  Select this option to run Linux as a Hyper-V client operating
-- 
2.19.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.14 29/59] x86, hyperv: remove PCI dependency

2018-12-26 Thread Sasha Levin

From: Sinan Kaya 

[ Upstream commit c629421a990033ba539eb8585e73a2e6fa9ea631 ]

Need to be able to boot without PCI devices present.

Signed-off-by: Sinan Kaya 
Signed-off-by: Sasha Levin 
---
 drivers/hv/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hv/Kconfig b/drivers/hv/Kconfig
index 50b89ea0e60f..247a62604d1f 100644
--- a/drivers/hv/Kconfig
+++ b/drivers/hv/Kconfig
@@ -2,7 +2,7 @@ menu "Microsoft Hyper-V guest support"
 
 config HYPERV
tristate "Microsoft Hyper-V client drivers"
-   depends on X86 && ACPI && PCI && X86_LOCAL_APIC && HYPERVISOR_GUEST
+   depends on X86 && ACPI && X86_LOCAL_APIC && HYPERVISOR_GUEST
select PARAVIRT
help
  Select this option to run Linux as a Hyper-V client operating
-- 
2.19.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH] hv_balloon: avoid touching uninitialized struct page during tail onlining

2019-01-07 Thread Sasha Levin


On Mon, Jan 07, 2019 at 02:44:30PM +0100, Vitaly Kuznetsov wrote:

David Hildenbrand  writes:

On 04.01.19 15:19, Vitaly Kuznetsov wrote:

Hyper-V memory hotplug protocol has 2M granularity and in Linux x86 we use
128M. To deal with it we implement partial section onlining by registering
custom page onlining callback (hv_online_page()). Later, when more memory
arrives we try to online the 'tail' (see hv_bring_pgs_online()).

It was found that in some cases this 'tail' onlining causes issues:

 BUG: Bad page state in process kworker/0:2  pfn:109e3a
 page:e08344278e80 count:0 mapcount:1 mapping: index:0x0
 flags: 0xf8000()
 raw: 000f8000 dead0100 dead0200 
 raw:    
 page dumped because: nonzero mapcount
 ...
 Workqueue: events hot_add_req [hv_balloon]
 Call Trace:
  dump_stack+0x5c/0x80
  bad_page.cold.112+0x7f/0xb2
  free_pcppages_bulk+0x4b8/0x690
  free_unref_page+0x54/0x70
  hv_page_online_one+0x5c/0x80 [hv_balloon]
  hot_add_req.cold.24+0x182/0x835 [hv_balloon]
  ...

Turns out that we now have deferred struct page initialization for memory
hotplug so e.g. memory_block_action() in drivers/base/memory.c does
pages_correctly_probed() check and in that check it avoids inspecting
struct pages and checks sections instead. But in Hyper-V balloon driver we
do PageReserved(pfn_to_page()) check and this is now wrong.

Switch to checking online_section_nr() instead.

Signed-off-by: Vitaly Kuznetsov 
---
 drivers/hv/hv_balloon.c | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c
index 5301fef16c31..7c6349a50ef1 100644
--- a/drivers/hv/hv_balloon.c
+++ b/drivers/hv/hv_balloon.c
@@ -888,12 +888,14 @@ static unsigned long handle_pg_range(unsigned long 
pg_start,
pfn_cnt -= pgs_ol;
/*
 * Check if the corresponding memory block is already
-* online by checking its last previously backed page.
-* In case it is we need to bring rest (which was not
-* backed previously) online too.
+* online. It is possible to observe struct pages still
+* being uninitialized here so check section instead.
+* In case the section is online we need to bring the
+* rest of pfns (which were not backed previously)
+* online too.
 */
if (start_pfn > has->start_pfn &&
-   !PageReserved(pfn_to_page(start_pfn - 1)))
+   online_section_nr(pfn_to_section_nr(start_pfn)))
hv_bring_pgs_online(has, start_pfn, pgs_ol);

}



I wonder if you should use pfn_to_online_page() and check for PageOffline().

(I guess online_section_nr() should also do the trick)


I'm worried a bit about racing with mm code here as we're not doing
mem_hotplug_begin()/done() so I'd slightly prefer keeping
online_section_nr() (pfn_to_online_page() also uses it but then it gets
to the particular struct page). Moreover, with pfn_to_online_page() we
will be looking at some other pfn - because the start_pfn is definitelly
offline (pre-patch we were looking at start_pfn-1). Just looking at the
whole section seems cleaner.

P.S. I still think about bringing mem_hotplug_begin()/done() to
hv_balloon but that's going to be a separate discussion, here I want to
have a small fix backportable to stable.


This should probably be marked for stable then :)

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.20 055/117] staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io'

2019-01-08 Thread Sasha Levin

From: Gao Xiang 

[ Upstream commit 848bd9acdcd00c164b42b14aacec242949ecd471 ]

The root cause is the race as follows:
 Thread #0 Thread #1

 z_erofs_vle_unzip_kickoff z_erofs_submit_and_unzip

struct z_erofs_vle_unzip_io io[]
   atomic_add_return()
wait_event()
[end of function]
   wake_up()

Fix it by taking the waitqueue lock between atomic_add_return and
wake_up to close such the race.

kernel message:

Unable to handle kernel paging request at virtual address 97f7052caa1303dc
...
Workqueue: kverityd verity_work
task: ffe32bcb8000 task.stack: ffe3298a
PC is at __wake_up_common+0x48/0xa8
LR is at __wake_up+0x3c/0x58
...
Call trace:
...
[] __wake_up_common+0x48/0xa8
[] __wake_up+0x3c/0x58
[] z_erofs_vle_unzip_kickoff+0x40/0x64
[] z_erofs_vle_read_endio+0x94/0x134
[] bio_endio+0xe4/0xf8
[] dec_pending+0x134/0x32c
[] clone_endio+0x90/0xf4
[] bio_endio+0xe4/0xf8
[] verity_work+0x210/0x368
[] process_one_work+0x188/0x4b4
[] worker_thread+0x140/0x458
[] kthread+0xec/0x108
[] ret_from_fork+0x10/0x1c
Code: d1006273 54000260 f9400804 b9400019 (b85fc081)
---[ end trace be9dde154f677cd1 ]---

Reviewed-by: Chao Yu 
Signed-off-by: Gao Xiang 
Signed-off-by: Greg Kroah-Hartman 

Signed-off-by: Sasha Levin 
---
 drivers/staging/erofs/unzip_vle.c | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/erofs/unzip_vle.c 
b/drivers/staging/erofs/unzip_vle.c
index 79d3ba62b298..45e88bada907 100644
--- a/drivers/staging/erofs/unzip_vle.c
+++ b/drivers/staging/erofs/unzip_vle.c
@@ -717,13 +717,18 @@ static void z_erofs_vle_unzip_kickoff(void *ptr, int bios)
struct z_erofs_vle_unzip_io *io = tagptr_unfold_ptr(t);
bool background = tagptr_unfold_tags(t);
 
-   if (atomic_add_return(bios, &io->pending_bios))
+   if (!background) {
+   unsigned long flags;
+
+   spin_lock_irqsave(&io->u.wait.lock, flags);
+   if (!atomic_add_return(bios, &io->pending_bios))
+   wake_up_locked(&io->u.wait);
+   spin_unlock_irqrestore(&io->u.wait.lock, flags);
return;
+   }
 
-   if (background)
+   if (!atomic_add_return(bios, &io->pending_bios))
queue_work(z_erofs_workqueue, &io->u.work);
-   else
-   wake_up(&io->u.wait);
 }
 
 static inline void z_erofs_vle_read_endio(struct bio *bio)
-- 
2.19.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.20 056/117] media: cedrus: don't initialize pointers with zero

2019-01-08 Thread Sasha Levin

From: Mauro Carvalho Chehab 

[ Upstream commit e4d7b113fdccde1acf8638c5879f2a450d492303 ]

A common mistake is to assume that initializing a var with:
struct foo f = { 0 };

Would initialize a zeroed struct. Actually, what this does is
to initialize the first element of the struct to zero.

According to C99 Standard 6.7.8.21:

"If there are fewer initializers in a brace-enclosed
 list than there are elements or members of an aggregate,
 or fewer characters in a string literal used to initialize
 an array of known size than there are elements in the array,
 the remainder of the aggregate shall be initialized implicitly
 the same as objects that have static storage duration."

So, in practice, it could zero the entire struct, but, if the
first element is not an integer, it will produce warnings:


drivers/staging/media/sunxi/cedrus/cedrus.c:drivers/staging/media/sunxi/cedrus/cedrus.c:78:49:
  warning: Using plain integer as NULL pointer

drivers/staging/media/sunxi/cedrus/cedrus_dec.c:drivers/staging/media/sunxi/cedrus/cedrus_dec.c:29:35:
  warning: Using plain integer as NULL pointer

As the right initialization would be, instead:

struct foo f = { NULL };

Another way to initialize it with gcc is to use:

struct foo f = {};

That seems to be a gcc extension, but clang also does the right thing,
and that's a clean way for doing it.

Anyway, I decided to check upstream what's the most commonly pattern.
The "= {}" pattern has about 2000 entries:

$ git grep -E "=\s*\{\s*\}"|wc -l
1951

The standard-C compliant pattern has about 2500 entries:

$ git grep -E "=\s*\{\s*NULL\s*\}"|wc -l
137
$ git grep -E "=\s*\{\s*0\s*\}"|wc -l
2323

Meaning that developers have split options on that.

So, let's opt to the simpler form.

Signed-off-by: Mauro Carvalho Chehab 
Acked-by: Paul Kocialkowski 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Sasha Levin 
---
 drivers/staging/media/sunxi/cedrus/cedrus.c | 2 +-
 drivers/staging/media/sunxi/cedrus/cedrus_dec.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c 
b/drivers/staging/media/sunxi/cedrus/cedrus.c
index c912c70b3ef7..f18077e8810a 100644
--- a/drivers/staging/media/sunxi/cedrus/cedrus.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus.c
@@ -75,7 +75,7 @@ static int cedrus_init_ctrls(struct cedrus_dev *dev, struct 
cedrus_ctx *ctx)
memset(ctx->ctrls, 0, ctrl_size);
 
for (i = 0; i < CEDRUS_CONTROLS_COUNT; i++) {
-   struct v4l2_ctrl_config cfg = { 0 };
+   struct v4l2_ctrl_config cfg = {};
 
cfg.elem_size = cedrus_controls[i].elem_size;
cfg.id = cedrus_controls[i].id;
diff --git a/drivers/staging/media/sunxi/cedrus/cedrus_dec.c 
b/drivers/staging/media/sunxi/cedrus/cedrus_dec.c
index e40180a33951..f10c25f5460e 100644
--- a/drivers/staging/media/sunxi/cedrus/cedrus_dec.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus_dec.c
@@ -26,7 +26,7 @@ void cedrus_device_run(void *priv)
 {
struct cedrus_ctx *ctx = priv;
struct cedrus_dev *dev = ctx->dev;
-   struct cedrus_run run = { 0 };
+   struct cedrus_run run = {};
struct media_request *src_req;
unsigned long flags;
 
-- 
2.19.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

[PATCH AUTOSEL 4.19 44/97] staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io'

2019-01-08 Thread Sasha Levin

From: Gao Xiang 

[ Upstream commit 848bd9acdcd00c164b42b14aacec242949ecd471 ]

The root cause is the race as follows:
 Thread #0 Thread #1

 z_erofs_vle_unzip_kickoff z_erofs_submit_and_unzip

struct z_erofs_vle_unzip_io io[]
   atomic_add_return()
wait_event()
[end of function]
   wake_up()

Fix it by taking the waitqueue lock between atomic_add_return and
wake_up to close such the race.

kernel message:

Unable to handle kernel paging request at virtual address 97f7052caa1303dc
...
Workqueue: kverityd verity_work
task: ffe32bcb8000 task.stack: ffe3298a
PC is at __wake_up_common+0x48/0xa8
LR is at __wake_up+0x3c/0x58
...
Call trace:
...
[] __wake_up_common+0x48/0xa8
[] __wake_up+0x3c/0x58
[] z_erofs_vle_unzip_kickoff+0x40/0x64
[] z_erofs_vle_read_endio+0x94/0x134
[] bio_endio+0xe4/0xf8
[] dec_pending+0x134/0x32c
[] clone_endio+0x90/0xf4
[] bio_endio+0xe4/0xf8
[] verity_work+0x210/0x368
[] process_one_work+0x188/0x4b4
[] worker_thread+0x140/0x458
[] kthread+0xec/0x108
[] ret_from_fork+0x10/0x1c
Code: d1006273 54000260 f9400804 b9400019 (b85fc081)
---[ end trace be9dde154f677cd1 ]---

Reviewed-by: Chao Yu 
Signed-off-by: Gao Xiang 
Signed-off-by: Greg Kroah-Hartman 

Signed-off-by: Sasha Levin 
---
 drivers/staging/erofs/unzip_vle.c | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/erofs/unzip_vle.c 
b/drivers/staging/erofs/unzip_vle.c
index 14da8cc2246a..0346630b67c8 100644
--- a/drivers/staging/erofs/unzip_vle.c
+++ b/drivers/staging/erofs/unzip_vle.c
@@ -724,13 +724,18 @@ static void z_erofs_vle_unzip_kickoff(void *ptr, int bios)
struct z_erofs_vle_unzip_io *io = tagptr_unfold_ptr(t);
bool background = tagptr_unfold_tags(t);
 
-   if (atomic_add_return(bios, &io->pending_bios))
+   if (!background) {
+   unsigned long flags;
+
+   spin_lock_irqsave(&io->u.wait.lock, flags);
+   if (!atomic_add_return(bios, &io->pending_bios))
+   wake_up_locked(&io->u.wait);
+   spin_unlock_irqrestore(&io->u.wait.lock, flags);
return;
+   }
 
-   if (background)
+   if (!atomic_add_return(bios, &io->pending_bios))
queue_work(z_erofs_workqueue, &io->u.work);
-   else
-   wake_up(&io->u.wait);
 }
 
 static inline void z_erofs_vle_read_endio(struct bio *bio)
-- 
2.19.1

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH] hv_balloon: avoid touching uninitialized struct page during tail onlining

2019-01-08 Thread Sasha Levin


On Mon, Jan 07, 2019 at 07:38:20PM +0100, Vitaly Kuznetsov wrote:

Sasha Levin  writes:


On Mon, Jan 07, 2019 at 02:44:30PM +0100, Vitaly Kuznetsov wrote:

P.S. I still think about bringing mem_hotplug_begin()/done() to
hv_balloon but that's going to be a separate discussion, here I want to
have a small fix backportable to stable.


This should probably be marked for stable then :)



Yes, please :-)


Queued up for hyperv-fixes with a -stable tag, thank you!

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH][re-post] vmbus: fix subchannel removal

2019-01-09 Thread Sasha Levin


On Wed, Jan 09, 2019 at 08:56:06PM +, Dexuan Cui wrote:


The changes to split ring allocation from open/close, broke
the cleanup of subchannels. This resulted in problems using
uio on network devices because the subchannel was left behind
when the network device was unbound.

The cause was in the disconnect logic which used list splice
to move the subchannel list into a local variable. This won't
work because the subchannel list is needed later during the
process of the rescind messages (relid2channel).

The fix is to just leave the subchannel list in place
which is what the original code did. The list is cleaned
up later when the host rescind is processed.

Without the fix, we have a lot of "hang" issues in netvsc when we
try to change the NIC's MTU, set the number of channels, etc.

Fixes: ae6935ed7d42 ("vmbus: split ring buffer allocation from open")
Cc: sta...@vger.kernel.org
Signed-off-by: Stephen Hemminger 
Signed-off-by: Dexuan Cui 


Queued, thank you.

--
Thanks,
Sasha
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

1 2 3 4 5 >

1 - 100 of 457 matches

Mail list logo