From cabea695875e3a07313c205a9753c7416126dfa2 Mon Sep 17 00:00:00 2001 From: Sudip Mukherjee Date: Mon, 15 Jun 2015 20:05:49 +0530 Subject: [PATCH 1/6] parport: fix error handling After registering the device if exclusive access fails for any reason then we need to unregister the device to remove all references. Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman --- drivers/parport/share.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/parport/share.c b/drivers/parport/share.c index 8067f54ce050..d8079e37a606 100644 --- a/drivers/parport/share.c +++ b/drivers/parport/share.c @@ -907,7 +907,8 @@ parport_register_dev_model(struct parport *port, const char *name, spin_unlock(&port->physport->pardevice_lock); pr_debug("%s: cannot grant exclusive access for device %s\n", port->name, name); - goto err_put_dev; + device_unregister(&par_dev->dev); + goto err_put_port; } port->flags |= PARPORT_FLAG_EXCL; } From 23c405912b881e3ca516554efde852c2ad550b31 Mon Sep 17 00:00:00 2001 From: Sudip Mukherjee Date: Mon, 15 Jun 2015 20:05:50 +0530 Subject: [PATCH 2/6] parport: fix memory leak After the reference count becomes 0 when put_device() is called, it will execute the release callback where we are freeing all the allocated memory associated with the device. We missed freeing par_dev->state. Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman --- drivers/parport/share.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/parport/share.c b/drivers/parport/share.c index d8079e37a606..1efec44e03aa 100644 --- a/drivers/parport/share.c +++ b/drivers/parport/share.c @@ -816,6 +816,7 @@ static void free_pardevice(struct device *dev) struct pardevice *par_dev = to_pardevice(dev); kfree(par_dev->name); + kfree(par_dev->state); kfree(par_dev); } From 68d35c7b3b1aa686e3039eb2626bf5e3ea8dbe81 Mon Sep 17 00:00:00 2001 From: Sudip Mukherjee Date: Mon, 15 Jun 2015 20:05:51 +0530 Subject: [PATCH 3/6] parport: fix freeing freed memory After the reference count becomes 0 when put_device() is called, it will execute the release callback where we are freeing all the allocated memory associated with the device. So if we just continue on the error path then we are again freeing devname and trying to dereference par_dev which has already been free-ed in the release callback. Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman --- drivers/parport/share.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/parport/share.c b/drivers/parport/share.c index 1efec44e03aa..c02b5f27798b 100644 --- a/drivers/parport/share.c +++ b/drivers/parport/share.c @@ -892,8 +892,10 @@ parport_register_dev_model(struct parport *port, const char *name, par_dev->dev.release = free_pardevice; par_dev->devmodel = true; ret = device_register(&par_dev->dev); - if (ret) - goto err_put_dev; + if (ret) { + put_device(&par_dev->dev); + goto err_put_port; + } /* Chain this onto the list */ par_dev->prev = NULL; @@ -940,8 +942,6 @@ parport_register_dev_model(struct parport *port, const char *name, return par_dev; -err_put_dev: - put_device(&par_dev->dev); err_free_devname: kfree(devname); err_free_par_dev: From a63444375f08a18a6b2286351606f08d6e9fa63d Mon Sep 17 00:00:00 2001 From: Sudeep Dutt Date: Wed, 22 Jul 2015 11:50:10 -0700 Subject: [PATCH 4/6] misc: mic: scif bug fix for vmalloc_to_page crash v4.2-rc1 enabled huge page support for ioremap(..). Calling vmalloc_to_page after v4.2-rc1 results in the crash shown below on the host upon booting X100 coprocessors: BUG: unable to handle kernel paging request at ffffc47c00000000 IP: [] vmalloc_to_page+0x6c/0xb0 This patch fixes this crash by obtaining the fake struct page pointer which is required to be passed into dma_map_sg(..) by calling pfn_to_page(..) instead of vmalloc_to_page(..). Link: https://lkml.org/lkml/2015/7/18/110 Reviewed-by: Nikhil Rao Suggested-by: Toshi Kani Signed-off-by: Ashutosh Dixit Signed-off-by: Sudeep Dutt Signed-off-by: Greg Kroah-Hartman --- drivers/misc/mic/scif/scif_nodeqp.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/drivers/misc/mic/scif/scif_nodeqp.c b/drivers/misc/mic/scif/scif_nodeqp.c index 41e3bdb10061..6dfdae3452d6 100644 --- a/drivers/misc/mic/scif/scif_nodeqp.c +++ b/drivers/misc/mic/scif/scif_nodeqp.c @@ -357,7 +357,7 @@ static void scif_p2p_freesg(struct scatterlist *sg) } static struct scatterlist * -scif_p2p_setsg(void __iomem *va, int page_size, int page_cnt) +scif_p2p_setsg(phys_addr_t pa, int page_size, int page_cnt) { struct scatterlist *sg; struct page *page; @@ -368,16 +368,11 @@ scif_p2p_setsg(void __iomem *va, int page_size, int page_cnt) return NULL; sg_init_table(sg, page_cnt); for (i = 0; i < page_cnt; i++) { - page = vmalloc_to_page((void __force *)va); - if (!page) - goto p2p_sg_err; + page = pfn_to_page(pa >> PAGE_SHIFT); sg_set_page(&sg[i], page, page_size, 0); - va += page_size; + pa += page_size; } return sg; -p2p_sg_err: - kfree(sg); - return NULL; } /* Init p2p mappings required to access peerdev from scifdev */ @@ -395,14 +390,14 @@ scif_init_p2p_info(struct scif_dev *scifdev, struct scif_dev *peerdev) p2p = kzalloc(sizeof(*p2p), GFP_KERNEL); if (!p2p) return NULL; - p2p->ppi_sg[SCIF_PPI_MMIO] = scif_p2p_setsg(psdev->mmio->va, + p2p->ppi_sg[SCIF_PPI_MMIO] = scif_p2p_setsg(psdev->mmio->pa, PAGE_SIZE, num_mmio_pages); if (!p2p->ppi_sg[SCIF_PPI_MMIO]) goto free_p2p; p2p->sg_nentries[SCIF_PPI_MMIO] = num_mmio_pages; sg_page_shift = get_order(min(psdev->aper->len, (u64)(1 << 30))); num_aper_chunks = num_aper_pages >> (sg_page_shift - PAGE_SHIFT); - p2p->ppi_sg[SCIF_PPI_APER] = scif_p2p_setsg(psdev->aper->va, + p2p->ppi_sg[SCIF_PPI_APER] = scif_p2p_setsg(psdev->aper->pa, 1 << sg_page_shift, num_aper_chunks); p2p->sg_nentries[SCIF_PPI_APER] = num_aper_chunks; From 154322f47376fed6ab1e4b350aa45fffa15a61aa Mon Sep 17 00:00:00 2001 From: Tomas Winkler Date: Thu, 18 Jun 2015 11:41:03 +0300 Subject: [PATCH 5/6] mei: prevent unloading mei hw modules while the device is opened. chrdev_open() increases reference counter on cdev->owner. Instead of assigning the owner to mei subsystem, the owner has to be set to the underlaying HW module (mei_me or mei_txe), so once the device is opened the HW module cannot be unloaded. Cc: #3.17+ Signed-off-by: Tomas Winkler Signed-off-by: Alexander Usyskin Signed-off-by: Greg Kroah-Hartman --- drivers/misc/mei/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c index 8eb0a9500a90..e9513d651cd3 100644 --- a/drivers/misc/mei/main.c +++ b/drivers/misc/mei/main.c @@ -682,7 +682,7 @@ int mei_register(struct mei_device *dev, struct device *parent) /* Fill in the data structures */ devno = MKDEV(MAJOR(mei_devt), dev->minor); cdev_init(&dev->cdev, &mei_fops); - dev->cdev.owner = mei_fops.owner; + dev->cdev.owner = parent->driver->owner; /* Add the device */ ret = cdev_add(&dev->cdev, devno, 1); From 4e5a74f1db8d6bea48306126fd445e2720f07a95 Mon Sep 17 00:00:00 2001 From: Sudip Mukherjee Date: Sat, 25 Jul 2015 13:19:40 +0530 Subject: [PATCH 6/6] parport: Revert "parport: fix memory leak" This reverts commit 23c405912b88 ("parport: fix memory leak") par_dev->state was already being removed in parport_unregister_device(). Reported-by: Ying Huang Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman --- drivers/parport/share.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/parport/share.c b/drivers/parport/share.c index c02b5f27798b..5ce5ef211bdb 100644 --- a/drivers/parport/share.c +++ b/drivers/parport/share.c @@ -816,7 +816,6 @@ static void free_pardevice(struct device *dev) struct pardevice *par_dev = to_pardevice(dev); kfree(par_dev->name); - kfree(par_dev->state); kfree(par_dev); }