From: Greg Kroah-Hartman Date: Thu, 11 May 2017 08:26:11 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.68~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=efd9c417abc04b12d647e95a42a8e828669e31fa;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-hda-fix-deadlock-of-controller-device-lock-at-unbinding.patch staging-emxx_udc-remove-incorrect-__init-annotations.patch staging-wlan-ng-add-missing-byte-order-conversion.patch --- diff --git a/queue-4.4/alsa-hda-fix-deadlock-of-controller-device-lock-at-unbinding.patch b/queue-4.4/alsa-hda-fix-deadlock-of-controller-device-lock-at-unbinding.patch new file mode 100644 index 00000000000..85bbd3cb60a --- /dev/null +++ b/queue-4.4/alsa-hda-fix-deadlock-of-controller-device-lock-at-unbinding.patch @@ -0,0 +1,71 @@ +From ab949d519601880fd46e8bc1445d6a453bf2dc09 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 2 Jan 2017 11:37:04 +0100 +Subject: ALSA: hda - Fix deadlock of controller device lock at unbinding + +From: Takashi Iwai + +commit ab949d519601880fd46e8bc1445d6a453bf2dc09 upstream. + +Imre Deak reported a deadlock of HD-audio driver at unbinding while +it's still in probing. Since we probe the codecs asynchronously in a +work, the codec driver probe may still be kicked off while the +controller itself is being unbound. And, azx_remove() tries to +process all pending tasks via cancel_work_sync() for fixing the other +races (see commit [0b8c82190c12: ALSA: hda - Cancel probe work instead +of flush at remove]), now we may meet a bizarre deadlock: + +Unbind snd_hda_intel via sysfs: + device_release_driver() -> + device_lock(snd_hda_intel) -> + azx_remove() -> + cancel_work_sync(azx_probe_work) + +azx_probe_work(): + codec driver probe() -> + __driver_attach() -> + device_lock(snd_hda_intel) + +This deadlock is caused by the fact that both device_release_driver() +and driver_probe_device() take both the device and its parent locks at +the same time. The codec device sets the controller device as its +parent, and this lock is taken before the probe() callback is called, +while the controller remove() callback gets called also with the same +lock. + +In this patch, as an ugly workaround, we unlock the controller device +temporarily during cancel_work_sync() call. The race against another +bind call should be still suppressed by the parent's device lock. + +Reported-by: Imre Deak +Fixes: 0b8c82190c12 ("ALSA: hda - Cancel probe work instead of flush at remove") +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_intel.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2166,7 +2166,20 @@ static void azx_remove(struct pci_dev *p + /* cancel the pending probing work */ + chip = card->private_data; + hda = container_of(chip, struct hda_intel, chip); ++ /* FIXME: below is an ugly workaround. ++ * Both device_release_driver() and driver_probe_device() ++ * take *both* the device's and its parent's lock before ++ * calling the remove() and probe() callbacks. The codec ++ * probe takes the locks of both the codec itself and its ++ * parent, i.e. the PCI controller dev. Meanwhile, when ++ * the PCI controller is unbound, it takes its lock, too ++ * ==> ouch, a deadlock! ++ * As a workaround, we unlock temporarily here the controller ++ * device during cancel_work_sync() call. ++ */ ++ device_unlock(&pci->dev); + cancel_work_sync(&hda->probe_work); ++ device_lock(&pci->dev); + + snd_card_free(card); + } diff --git a/queue-4.4/series b/queue-4.4/series index c6eb05ac6b8..3fc25b8297d 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -43,3 +43,6 @@ scsi-scsi_dh_emc-return-success-in-clariion_std_inquiry.patch mips-r2-on-r6-multu-maddu-msubu-emulation-bugfix.patch brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch brcmfmac-make-skb-header-writable-before-use.patch +staging-wlan-ng-add-missing-byte-order-conversion.patch +staging-emxx_udc-remove-incorrect-__init-annotations.patch +alsa-hda-fix-deadlock-of-controller-device-lock-at-unbinding.patch diff --git a/queue-4.4/staging-emxx_udc-remove-incorrect-__init-annotations.patch b/queue-4.4/staging-emxx_udc-remove-incorrect-__init-annotations.patch new file mode 100644 index 00000000000..a064c9120d5 --- /dev/null +++ b/queue-4.4/staging-emxx_udc-remove-incorrect-__init-annotations.patch @@ -0,0 +1,46 @@ +From 4f3445067d5f78fb8d1970b02610f85c2f377ea4 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 16 Dec 2016 10:09:39 +0100 +Subject: staging: emxx_udc: remove incorrect __init annotations + +From: Arnd Bergmann + +commit 4f3445067d5f78fb8d1970b02610f85c2f377ea4 upstream. + +The probe function is not marked __init, but some other functions +are. This leads to a warning on older compilers (e.g. gcc-4.3), +and can cause executing freed memory when built with those +compilers: + +WARNING: drivers/staging/emxx_udc/emxx_udc.o(.text+0x2d78): Section mismatch in reference from the function nbu2ss_drv_probe() to the function .init.text:nbu2ss_drv_contest_init() + +This removes the annotations. + +Fixes: 33aa8d45a4fe ("staging: emxx_udc: Add Emma Mobile USB Gadget driver") +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/emxx_udc/emxx_udc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/emxx_udc/emxx_udc.c ++++ b/drivers/staging/emxx_udc/emxx_udc.c +@@ -3181,7 +3181,7 @@ static const struct { + }; + + /*-------------------------------------------------------------------------*/ +-static void __init nbu2ss_drv_ep_init(struct nbu2ss_udc *udc) ++static void nbu2ss_drv_ep_init(struct nbu2ss_udc *udc) + { + int i; + +@@ -3211,7 +3211,7 @@ static void __init nbu2ss_drv_ep_init(st + + /*-------------------------------------------------------------------------*/ + /* platform_driver */ +-static int __init nbu2ss_drv_contest_init( ++static int nbu2ss_drv_contest_init( + struct platform_device *pdev, + struct nbu2ss_udc *udc) + { diff --git a/queue-4.4/staging-wlan-ng-add-missing-byte-order-conversion.patch b/queue-4.4/staging-wlan-ng-add-missing-byte-order-conversion.patch new file mode 100644 index 00000000000..7bcf9ade45b --- /dev/null +++ b/queue-4.4/staging-wlan-ng-add-missing-byte-order-conversion.patch @@ -0,0 +1,35 @@ +From 2c474b8579e9b67ff72b2bcefce9f53c7f4469d4 Mon Sep 17 00:00:00 2001 +From: Igor Pylypiv +Date: Mon, 30 Jan 2017 21:39:54 -0800 +Subject: staging: wlan-ng: add missing byte order conversion + +From: Igor Pylypiv + +commit 2c474b8579e9b67ff72b2bcefce9f53c7f4469d4 upstream. + +Conversion macros le16_to_cpu was removed and that caused new sparse warning + +sparse output: +drivers/staging/wlan-ng/p80211netdev.c:241:44: warning: incorrect type in argument 2 (different base types) +drivers/staging/wlan-ng/p80211netdev.c:241:44: expected unsigned short [unsigned] [usertype] fc +drivers/staging/wlan-ng/p80211netdev.c:241:44: got restricted __le16 [usertype] fc + +Fixes: 7ad82572348c ("staging:wlan-ng:Fix sparse warning") +Signed-off-by: Igor Pylypiv +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/wlan-ng/p80211netdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/wlan-ng/p80211netdev.c ++++ b/drivers/staging/wlan-ng/p80211netdev.c +@@ -232,7 +232,7 @@ static int p80211_convert_to_ether(wland + struct p80211_hdr_a3 *hdr; + + hdr = (struct p80211_hdr_a3 *) skb->data; +- if (p80211_rx_typedrop(wlandev, hdr->fc)) ++ if (p80211_rx_typedrop(wlandev, le16_to_cpu(hdr->fc))) + return CONV_TO_ETHER_SKIPPED; + + /* perform mcast filtering: allow my local address through but reject