<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/staging, branch v4.8-rc5</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>Merge tag 'iio-fixes-for-4.8a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into work-linus</title>
<updated>2016-08-23T21:39:31+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2016-08-23T21:39:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=eafe5cfe718926c1ed8b3dacd2191c189b3cdcd2'/>
<id>eafe5cfe718926c1ed8b3dacd2191c189b3cdcd2</id>
<content type='text'>
Jonathan writes:

First round of IIO fixes for the 4.8 cycle.

This is somewhat of a bumper set due to my unavailability earlier in the
month.  The only slightly unusual ones are the dts updates for the
rockchip adc reset.  The fix in the driver only makes sense with these
and the rockchip maintainer is happy with them going through IIO to
reach mainline.

Core stuff

* Fix an issue with a blocking op when !TASK_RUNNING. This has been there
  a while and snuck in with seemingly minor additions to some core
  code paths.
* Tools
  - generic_buffer failed to initialize the channel array pointer thus
    in the case of no channels blows up trying to free a random memory
    address.
* sw-trigger:
  - Fix config group initialization when configfs is built as a module.

Drivers

* ad5933
  - Fix an incorrect overwrite of an error value.
* ad799x
  - A missed assignment of the update_scan_mode callback means buffered mode
    doesn't work on the ad7991, ad7995 or ad7999.
* ads1015
  - wrong pointer returned from i2c_get_clientdata (mismatch of assumptions)
* am2315
  - Timestamps are reported, but never actually acquired from anywhere
    (so always 0)
  - missing buffer selects in Kconfig
* am335x adc
  - Protect fifo1 from concurrent access.
  - Increase timeout waiting for ADC to be long enough in all cases.
* as3935
  - Timestamps are reported, but never actually acquired from anywhere
    (so always 0)
* at91
  - Fix reading of channel 3.
* atlas-ph-sensor
  - Typo means that the scale of electrical conductivity readings is way off.
* bma220
  - Timestamps are reported, but never actually acquired from anywhere
    (so always 0)
  - Missing buffer selects in Kconfig
* bmp280
  - pass the write pointer to PTR_ERR (i.e. the one that was just checked
    with IS_ERR).
  - suspend/resume crash due to wrong assumption about what dev_get_drvdata
    would return.
* hdc100x
  - It superficially appeared that smbus_read_byte commands would allow
  reading of the outputs in two goes.  In reality it doesn't work, but
  instead returns the same for the upper and lower bytes (nice catch from
  Alison!)
* kxsd9
  - Fix raw read return value to ensure it actually reports the value rather
  than a blank string.
* max44000
  - Missing buffer selects in Kconfig
* rockchip_saradc
  - Add use of reset controller to enforce a clean state of the ADC.
    Some bootloaders can leave it in an 'interesting' state and effectively
    frozen without this. A couple of associated dts updates.
* stk8ba50
  - Missing buffer selects in Kconfig
* stx104
  - Fix a possible race due to use of devm_iio_device_register when there
    was other stuff in the remove function.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Jonathan writes:

First round of IIO fixes for the 4.8 cycle.

This is somewhat of a bumper set due to my unavailability earlier in the
month.  The only slightly unusual ones are the dts updates for the
rockchip adc reset.  The fix in the driver only makes sense with these
and the rockchip maintainer is happy with them going through IIO to
reach mainline.

Core stuff

* Fix an issue with a blocking op when !TASK_RUNNING. This has been there
  a while and snuck in with seemingly minor additions to some core
  code paths.
* Tools
  - generic_buffer failed to initialize the channel array pointer thus
    in the case of no channels blows up trying to free a random memory
    address.
* sw-trigger:
  - Fix config group initialization when configfs is built as a module.

Drivers

* ad5933
  - Fix an incorrect overwrite of an error value.
* ad799x
  - A missed assignment of the update_scan_mode callback means buffered mode
    doesn't work on the ad7991, ad7995 or ad7999.
* ads1015
  - wrong pointer returned from i2c_get_clientdata (mismatch of assumptions)
* am2315
  - Timestamps are reported, but never actually acquired from anywhere
    (so always 0)
  - missing buffer selects in Kconfig
* am335x adc
  - Protect fifo1 from concurrent access.
  - Increase timeout waiting for ADC to be long enough in all cases.
* as3935
  - Timestamps are reported, but never actually acquired from anywhere
    (so always 0)
* at91
  - Fix reading of channel 3.
* atlas-ph-sensor
  - Typo means that the scale of electrical conductivity readings is way off.
* bma220
  - Timestamps are reported, but never actually acquired from anywhere
    (so always 0)
  - Missing buffer selects in Kconfig
* bmp280
  - pass the write pointer to PTR_ERR (i.e. the one that was just checked
    with IS_ERR).
  - suspend/resume crash due to wrong assumption about what dev_get_drvdata
    would return.
* hdc100x
  - It superficially appeared that smbus_read_byte commands would allow
  reading of the outputs in two goes.  In reality it doesn't work, but
  instead returns the same for the upper and lower bytes (nice catch from
  Alison!)
* kxsd9
  - Fix raw read return value to ensure it actually reports the value rather
  than a blank string.
* max44000
  - Missing buffer selects in Kconfig
* rockchip_saradc
  - Add use of reset controller to enforce a clean state of the ADC.
    Some bootloaders can leave it in an 'interesting' state and effectively
    frozen without this. A couple of associated dts updates.
* stk8ba50
  - Missing buffer selects in Kconfig
* stx104
  - Fix a possible race due to use of devm_iio_device_register when there
    was other stuff in the remove function.
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: wilc1000: correctly check if associatedsta has not been found</title>
<updated>2016-08-21T15:28:21+00:00</updated>
<author>
<name>Colin Ian King</name>
<email>colin.king@canonical.com</email>
</author>
<published>2016-08-15T16:09:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=6c08fda0306916135291103f23cc17248c422c49'/>
<id>6c08fda0306916135291103f23cc17248c422c49</id>
<content type='text'>
The current check for associatedsta being set to -1 to indicate it has
not been found is not working because associatedsta is initialized to
zero and will never be -1.  Fix this by initializing it to ~0 and checking
for ~0 instead.

Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The current check for associatedsta being set to -1 to indicate it has
not been found is not working because associatedsta is initialized to
zero and will never be -1.  Fix this by initializing it to ~0 and checking
for ~0 instead.

Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: wilc1000: NULL dereference on error</title>
<updated>2016-08-21T15:28:21+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2016-07-16T10:07:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=23436825e671cdd55c45d151ddc66fd3c47d10e9'/>
<id>23436825e671cdd55c45d151ddc66fd3c47d10e9</id>
<content type='text'>
We can't pass NULL pointers to destroy_workqueue().

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We can't pass NULL pointers to destroy_workqueue().

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: wilc1000: txq_event: Fix coding error</title>
<updated>2016-08-21T15:28:21+00:00</updated>
<author>
<name>Binoy Jayan</name>
<email>binoy.jayan@linaro.org</email>
</author>
<published>2016-07-21T07:56:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=23535c1322e42e71f32bfbeae9970f4dba31e3bd'/>
<id>23535c1322e42e71f32bfbeae9970f4dba31e3bd</id>
<content type='text'>
Fix incorrect usage of completion interface by replacing
'wait_for_completion' with 'complete'. This error was introduced
accidentally while replacing semaphores with mutexes.

Reported-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Binoy Jayan &lt;binoy.jayan@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix incorrect usage of completion interface by replacing
'wait_for_completion' with 'complete'. This error was introduced
accidentally while replacing semaphores with mutexes.

Reported-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Binoy Jayan &lt;binoy.jayan@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: comedi: ni_mio_common: fix AO inttrig backwards compatibility</title>
<updated>2016-08-21T15:07:19+00:00</updated>
<author>
<name>Ian Abbott</name>
<email>abbotti@mev.co.uk</email>
</author>
<published>2016-07-19T11:17:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=f0f4b0cc3a8cffd983f5940d46cd0227f3f5710a'/>
<id>f0f4b0cc3a8cffd983f5940d46cd0227f3f5710a</id>
<content type='text'>
Commit ebb657babfa9 ("staging: comedi: ni_mio_common: clarify the
cmd-&gt;start_arg validation and use") introduced a backwards compatibility
issue in the use of asynchronous commands on the AO subdevice when
`start_src` is `TRIG_EXT`.  Valid values for `start_src` are `TRIG_INT`
(for internal, software trigger), and `TRIG_EXT` (for external trigger).
When set to `TRIG_EXT`.  In both cases, the driver relies on an
internal, software trigger to set things up (allowing the user
application to write sufficient samples to the data buffer before the
trigger), so it acts as a software "pre-trigger" in the `TRIG_EXT` case.
The software trigger is handled by `ni_ao_inttrig()`.

Prior to the above change, when `start_src` was `TRIG_INT`, `start_arg`
was required to be 0, and `ni_ao_inttrig()` checked that the software
trigger number was also 0.  After the above change, when `start_src` was
`TRIG_INT`, any value was allowed for `start_arg`, and `ni_ao_inttrig()`
checked that the software trigger number matched this `start_arg` value.
The backwards compatibility issue is that the internal trigger number
now has to match `start_arg` when `start_src` is `TRIG_EXT` when it
previously had to be 0.

Fix the backwards compatibility issue in `ni_ao_inttrig()` by always
allowing software trigger number 0 when `start_src` is something other
than `TRIG_INT`.

Thanks to Spencer Olson for reporting the issue.

Signed-off-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Reported-by: Spencer Olson &lt;olsonse@umich.edu&gt;
Fixes: ebb657babfa9 ("staging: comedi: ni_mio_common: clarify the cmd-&gt;start_arg validation and use")
Cc: stable &lt;stable@vger.kernel.org&gt;
Reviewed-by: H Hartley Sweeten &lt;hsweeten@visionengravers.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit ebb657babfa9 ("staging: comedi: ni_mio_common: clarify the
cmd-&gt;start_arg validation and use") introduced a backwards compatibility
issue in the use of asynchronous commands on the AO subdevice when
`start_src` is `TRIG_EXT`.  Valid values for `start_src` are `TRIG_INT`
(for internal, software trigger), and `TRIG_EXT` (for external trigger).
When set to `TRIG_EXT`.  In both cases, the driver relies on an
internal, software trigger to set things up (allowing the user
application to write sufficient samples to the data buffer before the
trigger), so it acts as a software "pre-trigger" in the `TRIG_EXT` case.
The software trigger is handled by `ni_ao_inttrig()`.

Prior to the above change, when `start_src` was `TRIG_INT`, `start_arg`
was required to be 0, and `ni_ao_inttrig()` checked that the software
trigger number was also 0.  After the above change, when `start_src` was
`TRIG_INT`, any value was allowed for `start_arg`, and `ni_ao_inttrig()`
checked that the software trigger number matched this `start_arg` value.
The backwards compatibility issue is that the internal trigger number
now has to match `start_arg` when `start_src` is `TRIG_EXT` when it
previously had to be 0.

Fix the backwards compatibility issue in `ni_ao_inttrig()` by always
allowing software trigger number 0 when `start_src` is something other
than `TRIG_INT`.

Thanks to Spencer Olson for reporting the issue.

Signed-off-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Reported-by: Spencer Olson &lt;olsonse@umich.edu&gt;
Fixes: ebb657babfa9 ("staging: comedi: ni_mio_common: clarify the cmd-&gt;start_arg validation and use")
Cc: stable &lt;stable@vger.kernel.org&gt;
Reviewed-by: H Hartley Sweeten &lt;hsweeten@visionengravers.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: comedi: dt2811: fix a precedence bug</title>
<updated>2016-08-21T15:07:19+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2016-06-21T11:46:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=5ac5c3bcf57419d0aa3f53b12b8c07599a13fdcc'/>
<id>5ac5c3bcf57419d0aa3f53b12b8c07599a13fdcc</id>
<content type='text'>
Bitwise | has higher precedence than ?: so we need to add some
parentheses for this to work as intended.

Fixes: 7c9574090d30 ('staging: comedi: dt2811: simplify A/D reference configuration')
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Bitwise | has higher precedence than ?: so we need to add some
parentheses for this to work as intended.

Fixes: 7c9574090d30 ('staging: comedi: dt2811: simplify A/D reference configuration')
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: comedi: adv_pci1760: Do not return EINVAL for CMDF_ROUND_DOWN.</title>
<updated>2016-08-21T15:07:19+00:00</updated>
<author>
<name>Phil Turnbull</name>
<email>phil.turnbull@oracle.com</email>
</author>
<published>2016-07-29T13:43:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c71f20ee76342376e3c4c67cdbe7421d8c4e886e'/>
<id>c71f20ee76342376e3c4c67cdbe7421d8c4e886e</id>
<content type='text'>
The CMDF_ROUND_DOWN case falls through and so always returns -EINVAL.

Fixes: 14b93bb6bbf0 ("staging: comedi: adv_pci_dio: separate out PCI-1760 support")
Signed-off-by: Phil Turnbull &lt;phil.turnbull@oracle.com&gt;
Reviewed-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The CMDF_ROUND_DOWN case falls through and so always returns -EINVAL.

Fixes: 14b93bb6bbf0 ("staging: comedi: adv_pci_dio: separate out PCI-1760 support")
Signed-off-by: Phil Turnbull &lt;phil.turnbull@oracle.com&gt;
Reviewed-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: comedi: ni_mio_common: fix wrong insn_write handler</title>
<updated>2016-08-21T15:07:19+00:00</updated>
<author>
<name>Ian Abbott</name>
<email>abbotti@mev.co.uk</email>
</author>
<published>2016-07-20T16:07:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=5ca05345c56cb979e1a25ab6146437002f95cac8'/>
<id>5ca05345c56cb979e1a25ab6146437002f95cac8</id>
<content type='text'>
For counter subdevices, the `s-&gt;insn_write` handler is being set to the
wrong function, `ni_tio_insn_read()`.  It should be
`ni_tio_insn_write()`.

Signed-off-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Reported-by: Éric Piel &lt;piel@delmic.com&gt;
Fixes: 10f74377eec3 ("staging: comedi: ni_tio: make ni_tio_winsn() a
  proper comedi (*insn_write)"
Cc: &lt;stable@vger.kernel.org&gt; # 3.17+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For counter subdevices, the `s-&gt;insn_write` handler is being set to the
wrong function, `ni_tio_insn_read()`.  It should be
`ni_tio_insn_write()`.

Signed-off-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Reported-by: Éric Piel &lt;piel@delmic.com&gt;
Fixes: 10f74377eec3 ("staging: comedi: ni_tio: make ni_tio_winsn() a
  proper comedi (*insn_write)"
Cc: &lt;stable@vger.kernel.org&gt; # 3.17+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: comedi: comedi_test: fix timer race conditions</title>
<updated>2016-08-21T15:07:19+00:00</updated>
<author>
<name>Ian Abbott</name>
<email>abbotti@mev.co.uk</email>
</author>
<published>2016-06-30T18:58:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=403fe7f34e3327ddac2e06a15e76a293d613381e'/>
<id>403fe7f34e3327ddac2e06a15e76a293d613381e</id>
<content type='text'>
Commit 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up")
fixed a lock-up in the timer routine `waveform_ai_timer()` (which was
called `waveform_ai_interrupt()` at the time) caused by
commit 240512474424 ("staging: comedi: comedi_test: use
comedi_handle_events()").  However, it introduced a race condition that
can result in the timer routine misbehaving, such as accessing freed
memory or dereferencing a NULL pointer.

73e0... changed the timer routine to do nothing unless a
`WAVEFORM_AI_RUNNING` flag was set, and changed `waveform_ai_cancel()`
to clear the flag and replace a call to `del_timer_sync()` with a call
to `del_timer()`.  `waveform_ai_cancel()` may be called from the timer
routine itself (via `comedi_handle_events()`), or from `do_cancel()`.
(`do_cancel()` is called as a result of a file operation (usually a
`COMEDI_CANCEL` ioctl command, or a release), or during device removal.)
When called from `do_cancel()`, the call to `waveform_ai_cancel()` is
followed by a call to `do_become_nonbusy()`, which frees up stuff for
the current asynchronous command under the assumption that it is now
safe to do so.  The race condition occurs when the timer routine
`waveform_ai_timer()` checks the `WAVEFORM_AI_RUNNING` flag just before
it is cleared by `waveform_ai_cancel()`, and is still running during the
call to `do_become_nonbusy()`.  In particular, it can lead to a NULL
pointer dereference:

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [&lt;ffffffffc0c63add&gt;] waveform_ai_timer+0x17d/0x290 [comedi_test]

That corresponds to this line in `waveform_ai_timer()`:

		unsigned int chanspec = cmd-&gt;chanlist[async-&gt;cur_chan];

but `do_become_nonbusy()` frees `cmd-&gt;chanlist` and sets it to `NULL`.

Fix the race by calling `del_timer_sync()` instead of `del_timer()` in
`waveform_ai_cancel()` when not in an interrupt context.  The only time
`waveform_ai_cancel()` is called in an interrupt context is when it is
called from the timer routine itself, via `comedi_handle_events()`.

There is no longer any need for the `WAVEFORM_AI_RUNNING` flag, so get
rid of it.

The bug was copied from the AI subdevice to the AO when support for
commands on the AO subdevice was added by commit 0cf55bbef2f9 ("staging:
comedi: comedi_test: implement commands on AO subdevice").  That
involves the timer routine `waveform_ao_timer()`, the comedi "cancel"
routine `waveform_ao_cancel()`, and the flag `WAVEFORM_AO_RUNNING`.  Fix
it in the same way as for the AI subdevice.

Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up")
Fixes: 0cf55bbef2f9 ("staging: comedi: comedi_test: implement commands
 on AO subdevice")
Reported-by: Éric Piel &lt;piel@delmic.com&gt;
Signed-off-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Cc: &lt;stable@vger.kernel.org&gt; # 4.4+
Cc: Éric Piel &lt;piel@delmic.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up")
fixed a lock-up in the timer routine `waveform_ai_timer()` (which was
called `waveform_ai_interrupt()` at the time) caused by
commit 240512474424 ("staging: comedi: comedi_test: use
comedi_handle_events()").  However, it introduced a race condition that
can result in the timer routine misbehaving, such as accessing freed
memory or dereferencing a NULL pointer.

73e0... changed the timer routine to do nothing unless a
`WAVEFORM_AI_RUNNING` flag was set, and changed `waveform_ai_cancel()`
to clear the flag and replace a call to `del_timer_sync()` with a call
to `del_timer()`.  `waveform_ai_cancel()` may be called from the timer
routine itself (via `comedi_handle_events()`), or from `do_cancel()`.
(`do_cancel()` is called as a result of a file operation (usually a
`COMEDI_CANCEL` ioctl command, or a release), or during device removal.)
When called from `do_cancel()`, the call to `waveform_ai_cancel()` is
followed by a call to `do_become_nonbusy()`, which frees up stuff for
the current asynchronous command under the assumption that it is now
safe to do so.  The race condition occurs when the timer routine
`waveform_ai_timer()` checks the `WAVEFORM_AI_RUNNING` flag just before
it is cleared by `waveform_ai_cancel()`, and is still running during the
call to `do_become_nonbusy()`.  In particular, it can lead to a NULL
pointer dereference:

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [&lt;ffffffffc0c63add&gt;] waveform_ai_timer+0x17d/0x290 [comedi_test]

That corresponds to this line in `waveform_ai_timer()`:

		unsigned int chanspec = cmd-&gt;chanlist[async-&gt;cur_chan];

but `do_become_nonbusy()` frees `cmd-&gt;chanlist` and sets it to `NULL`.

Fix the race by calling `del_timer_sync()` instead of `del_timer()` in
`waveform_ai_cancel()` when not in an interrupt context.  The only time
`waveform_ai_cancel()` is called in an interrupt context is when it is
called from the timer routine itself, via `comedi_handle_events()`.

There is no longer any need for the `WAVEFORM_AI_RUNNING` flag, so get
rid of it.

The bug was copied from the AI subdevice to the AO when support for
commands on the AO subdevice was added by commit 0cf55bbef2f9 ("staging:
comedi: comedi_test: implement commands on AO subdevice").  That
involves the timer routine `waveform_ao_timer()`, the comedi "cancel"
routine `waveform_ao_cancel()`, and the flag `WAVEFORM_AO_RUNNING`.  Fix
it in the same way as for the AI subdevice.

Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up")
Fixes: 0cf55bbef2f9 ("staging: comedi: comedi_test: implement commands
 on AO subdevice")
Reported-by: Éric Piel &lt;piel@delmic.com&gt;
Signed-off-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Cc: &lt;stable@vger.kernel.org&gt; # 4.4+
Cc: Éric Piel &lt;piel@delmic.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: comedi: daqboard2000: bug fix board type matching code</title>
<updated>2016-08-21T15:07:19+00:00</updated>
<author>
<name>Ian Abbott</name>
<email>abbotti@mev.co.uk</email>
</author>
<published>2016-06-29T19:27:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=80e162ee9b31d77d851b10f8c5299132be1e120f'/>
<id>80e162ee9b31d77d851b10f8c5299132be1e120f</id>
<content type='text'>
`daqboard2000_find_boardinfo()` is supposed to check if the
DaqBoard/2000 series model is supported, based on the PCI subvendor and
subdevice ID.  The current code is wrong as it is comparing the PCI
device's subdevice ID to an expected, fixed value for the subvendor ID.
It should be comparing the PCI device's subvendor ID to this fixed
value.  Correct it.

Fixes: 7e8401b23e7f ("staging: comedi: daqboard2000: add back
subsystem_device check")
Signed-off-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Cc: &lt;stable@vger.kernel.org&gt; # 3.7+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
`daqboard2000_find_boardinfo()` is supposed to check if the
DaqBoard/2000 series model is supported, based on the PCI subvendor and
subdevice ID.  The current code is wrong as it is comparing the PCI
device's subdevice ID to an expected, fixed value for the subvendor ID.
It should be comparing the PCI device's subvendor ID to this fixed
value.  Correct it.

Fixes: 7e8401b23e7f ("staging: comedi: daqboard2000: add back
subsystem_device check")
Signed-off-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Cc: &lt;stable@vger.kernel.org&gt; # 3.7+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
