Greg Kroah-Hartman [Sat, 15 Jul 2017 11:31:27 +0000 (13:31 +0200)]
Merge 4.9.38 into android-4.9
Changes in 4.9.38
mqueue: fix a use-after-free in sys_mq_notify()
Add "shutdown" to "struct class".
tpm: Issue a TPM2_Shutdown for TPM2 devices.
tools include: Add a __fallthrough statement
tools string: Use __fallthrough in perf_atoll()
tools strfilter: Use __fallthrough
perf top: Use __fallthrough
perf thread_map: Correctly size buffer used with dirent->dt_name
perf intel-pt: Use __fallthrough
perf tests: Avoid possible truncation with dirent->d_name + snprintf
perf bench numa: Avoid possible truncation when using snprintf()
perf header: Fix handling of PERF_EVENT_UPDATE__SCALE
perf scripting perl: Fix compile error with some perl5 versions
perf probe: Fix to probe on gcc generated symbols for offline kernel
perf probe: Add error checks to offline probe post-processing
md: fix incorrect use of lexx_to_cpu in does_sb_need_changing
md: fix super_offset endianness in super_1_rdev_size_change
locking/rwsem-spinlock: Fix EINTR branch in __down_write_common()
staging: vt6556: vnt_start Fix missing call to vnt_key_init_table.
staging: comedi: fix clean-up of comedi_class in comedi_init()
crypto: caam - fix gfp allocation flags (part I)
crypto: rsa-pkcs1pad - use constant time memory comparison for MACs
ext4: check return value of kstrtoull correctly in reserved_clusters_store
x86/mm/pat: Don't report PAT on CPUs that don't support it
saa7134: fix warm Medion 7134 EEPROM read
Linux 4.9.38
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Greg Kroah-Hartman [Sat, 15 Jul 2017 10:17:55 +0000 (12:17 +0200)]
Linux 4.9.38
Maciej S. Szmigiero [Sat, 2 Jul 2016 23:27:46 +0000 (20:27 -0300)]
saa7134: fix warm Medion 7134 EEPROM read
commit
5a91206ff0d0548939f3e85a65fb76b400fb0e89 upstream.
When saa7134 module driving a Medion 7134 card is reloaded reads of this
card EEPROM (required for automatic detection of tuner model) will be
corrupted due to I2C gate in DVB-T demod being left closed.
This sometimes also happens on first saa7134 module load after a warm
reboot.
Fix this by opening this I2C gate before doing EEPROM read during i2c
initialization.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Cc: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mikulas Patocka [Tue, 4 Jul 2017 23:04:23 +0000 (19:04 -0400)]
x86/mm/pat: Don't report PAT on CPUs that don't support it
commit
99c13b8c8896d7bcb92753bf0c63a8de4326e78d upstream.
The pat_enabled() logic is broken on CPUs which do not support PAT and
where the initialization code fails to call pat_init(). Due to that the
enabled flag stays true and pat_enabled() returns true wrongfully.
As a consequence the mappings, e.g. for Xorg, are set up with the wrong
caching mode and the required MTRR setups are omitted.
To cure this the following changes are required:
1) Make pat_enabled() return true only if PAT initialization was
invoked and successful.
2) Invoke init_cache_modes() unconditionally in setup_arch() and
remove the extra callsites in pat_disable() and the pat disabled
code path in pat_init().
Also rename __pat_enabled to pat_disabled to reflect the real purpose of
this variable.
Fixes:
9cd25aac1f44 ("x86/mm/pat: Emulate PAT when it is disabled")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Bernhard Held <berny156@gmx.de>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: "Luis R. Rodriguez" <mcgrof@suse.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1707041749300.3456@file01.intranet.prod.int.rdu2.redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Chao Yu [Fri, 23 Jun 2017 05:08:22 +0000 (01:08 -0400)]
ext4: check return value of kstrtoull correctly in reserved_clusters_store
commit
1ea1516fbbab2b30bf98c534ecaacba579a35208 upstream.
kstrtoull returns 0 on success, however, in reserved_clusters_store we
will return -EINVAL if kstrtoull returns 0, it makes us fail to update
reserved_clusters value through sysfs.
Fixes:
76d33bca5581b1dd5c3157fa168db849a784ada4
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Miao Xie <miaoxie@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jason A. Donenfeld [Sun, 11 Jun 2017 21:20:23 +0000 (23:20 +0200)]
crypto: rsa-pkcs1pad - use constant time memory comparison for MACs
commit
fec17cb2231733174e039ad9054fa16bb358e2ec upstream.
Otherwise, we enable all sorts of forgeries via timing attack.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Suggested-by: Stephan Müller <smueller@chronox.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-crypto@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Horia Geantă [Mon, 19 Jun 2017 08:44:45 +0000 (11:44 +0300)]
crypto: caam - fix gfp allocation flags (part I)
commit
42cfcafb91dabb0f9d9e08396c39824535948c67 upstream.
Changes in the SW cts (ciphertext stealing) code in
commit
0605c41cc53ca ("crypto: cts - Convert to skcipher")
revealed a problem in the CAAM driver:
when cts(cbc(aes)) is executed and cts runs in SW,
cbc(aes) is offloaded in CAAM; cts encrypts the last block
in atomic context and CAAM incorrectly decides to use GFP_KERNEL
for memory allocation.
Fix this by allowing GFP_KERNEL (sleeping) only when MAY_SLEEP flag is
set, i.e. remove MAY_BACKLOG flag.
We split the fix in two parts - first is sent to -stable, while the
second is not (since there is no known failure case).
Link: http://lkml.kernel.org/g/20170602122446.2427-1-david@sigma-star.at
Reported-by: David Gstir <david@sigma-star.at>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ian Abbott [Fri, 16 Jun 2017 18:35:34 +0000 (19:35 +0100)]
staging: comedi: fix clean-up of comedi_class in comedi_init()
commit
a9332e9ad09c2644c99058fcf6ae2f355e93ce74 upstream.
There is a clean-up bug in the core comedi module initialization
functions, `comedi_init()`. If the `comedi_num_legacy_minors` module
parameter is non-zero (and valid), it creates that many "legacy" devices
and registers them in SysFS. A failure causes the function to clean up
and return an error. Unfortunately, it fails to destroy the "comedi"
class that was created earlier. Fix it by adding a call to
`class_destroy(comedi_class)` at the appropriate place in the clean-up
sequence.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Malcolm Priestley [Sat, 29 Apr 2017 12:03:44 +0000 (13:03 +0100)]
staging: vt6556: vnt_start Fix missing call to vnt_key_init_table.
commit
dc32190f2cd41c7dba25363ea7d618d4f5172b4e upstream.
The key table is not intialized correctly without this call.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kirill Tkhai [Fri, 16 Jun 2017 13:44:34 +0000 (16:44 +0300)]
locking/rwsem-spinlock: Fix EINTR branch in __down_write_common()
commit
a0c4acd2c220376b4e9690e75782d0c0afdaab9f upstream.
If a writer could been woken up, the above branch
if (sem->count == 0)
break;
would have moved us to taking the sem. So, it's
not the time to wake a writer now, and only readers
are allowed now. Thus, 0 must be passed to __rwsem_do_wake().
Next, __rwsem_do_wake() wakes readers unconditionally.
But we mustn't do that if the sem is owned by writer
in the moment. Otherwise, writer and reader own the sem
the same time, which leads to memory corruption in
callers.
rwsem-xadd.c does not need that, as:
1) the similar check is made lockless there,
2) in __rwsem_mark_wake::try_reader_grant we test,
that sem is not owned by writer.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Niklas Cassel <niklas.cassel@axis.com>
Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes:
17fcbd590d0c "locking/rwsem: Fix down_write_killable() for CONFIG_RWSEM_GENERIC_SPINLOCK=y"
Link: http://lkml.kernel.org/r/149762063282.19811.9129615532201147826.stgit@localhost.localdomain
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jason Yan [Fri, 10 Mar 2017 03:27:23 +0000 (11:27 +0800)]
md: fix super_offset endianness in super_1_rdev_size_change
commit
3fb632e40d7667d8bedfabc28850ac06d5493f54 upstream.
The sb->super_offset should be big-endian, but the rdev->sb_start is in
host byte order, so fix this by adding cpu_to_le64.
Signed-off-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jason Yan [Fri, 10 Mar 2017 03:49:12 +0000 (11:49 +0800)]
md: fix incorrect use of lexx_to_cpu in does_sb_need_changing
commit
1345921393ba23b60d3fcf15933e699232ad25ae upstream.
The sb->layout is of type __le32, so we shoud use le32_to_cpu.
Signed-off-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Masami Hiramatsu [Wed, 11 Jan 2017 06:00:47 +0000 (15:00 +0900)]
perf probe: Add error checks to offline probe post-processing
commit
3e96dac7c956089d3f23aca98c4dfca57b6aaf8a upstream.
Add error check codes on post processing and improve it for offline
probe events as:
- post processing fails if no matched symbol found in map(-ENOENT)
or strdup() failed(-ENOMEM).
- Even if the symbol name is the same, it updates symbol address
and offset.
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/148411443738.9978.4617979132625405545.stgit@devbox
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Krister Johansen <kjlx@templeofstupid.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Masami Hiramatsu [Wed, 4 Jan 2017 03:30:19 +0000 (12:30 +0900)]
perf probe: Fix to probe on gcc generated symbols for offline kernel
commit
8a937a25a7e3c19d5fb3f9d92f605cf5fda219d8 upstream.
Fix perf-probe to show probe definition on gcc generated symbols for
offline kernel (including cross-arch kernel image).
gcc sometimes optimizes functions and generate new symbols with suffixes
such as ".constprop.N" or ".isra.N" etc. Since those symbol names are
not recorded in DWARF, we have to find correct generated symbols from
offline ELF binary to probe on it (kallsyms doesn't correct it). For
online kernel or uprobes we don't need it because those are rebased on
_text, or a section relative address.
E.g. Without this:
$ perf probe -k build-arm/vmlinux -F __slab_alloc*
__slab_alloc.constprop.9
$ perf probe -k build-arm/vmlinux -D __slab_alloc
p:probe/__slab_alloc __slab_alloc+0
If you put above definition on target machine, it should fail
because there is no __slab_alloc in kallsyms.
With this fix, perf probe shows correct probe definition on
__slab_alloc.constprop.9:
$ perf probe -k build-arm/vmlinux -D __slab_alloc
p:probe/__slab_alloc __slab_alloc.constprop.9+0
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/148350060434.19001.11864836288580083501.stgit@devbox
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Krister Johansen <kjlx@templeofstupid.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wang YanQing [Sun, 12 Feb 2017 02:46:55 +0000 (10:46 +0800)]
perf scripting perl: Fix compile error with some perl5 versions
commit
d7dd112ea5cacf91ae72c0714c3b911eb6016fea upstream.
Fix below compile error:
CC util/scripting-engines/trace-event-perl.o
In file included from /usr/lib/perl5/5.22.2/i686-linux/CORE/perl.h:5673:0,
from util/scripting-engines/trace-event-perl.c:31:
/usr/lib/perl5/5.22.2/i686-linux/CORE/inline.h: In function 'S__is_utf8_char_slow':
/usr/lib/perl5/5.22.2/i686-linux/CORE/inline.h:270:5: error: nested extern declaration of 'Perl___notused' [-Werror=nested-externs]
dTHX; /* The function called below requires thread context */
^
cc1: all warnings being treated as errors
After digging perl5 repository, I find out that we will meet this
compile error with perl from v5.21.1 to v5.25.4
Signed-off-by: Wang YanQing <udknight@gmail.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Link: http://lkml.kernel.org/r/20170212024655.GA15997@udknight
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arnaldo Carvalho de Melo [Thu, 9 Feb 2017 00:57:22 +0000 (21:57 -0300)]
perf header: Fix handling of PERF_EVENT_UPDATE__SCALE
commit
8434a2ec13d5c8cb25716950bfbf7c9d7b64628a upstream.
In commit
daeecbc0c431 ("perf tools: Add event_update event scale type"), the
handling of PERF_EVENT_UPDATE__SCALE cast struct event_update_event->data to a
pointer to event_update_event_scale, uses some field from this casted struct
and then ends up falling through to the handling of another event type,
PERF_EVENT_UPDATE__CPUS were it casts that ev->data to yet another type, oops,
fix it by inserting the missing break.
Noticed when building perf using gcc 7 on Fedora Rawhide:
util/header.c: In function 'perf_event__process_event_update':
util/header.c:3207:16: error: this statement may fall through [-Werror=implicit-fallthrough=]
evsel->scale = ev_scale->scale;
~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~
util/header.c:3208:2: note: here
case PERF_EVENT_UPDATE__CPUS:
^~~~
This wasn't noticed because probably PERF_EVENT_UPDATE__CPUS comes after
PERF_EVENT_UPDATE__SCALE, so we would just create a bogus evsel->own_cpus when
processing a PERF_EVENT_UPDATE__SCALE to then leak it and create a new cpu map
with the correct data.
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Fixes:
daeecbc0c431 ("perf tools: Add event_update event scale type")
Link: http://lkml.kernel.org/n/tip-lukcf9hdj092ax2914ss95at@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arnaldo Carvalho de Melo [Thu, 9 Feb 2017 17:39:42 +0000 (14:39 -0300)]
perf bench numa: Avoid possible truncation when using snprintf()
commit
3aff8ba0a4c9c9191bb788171a1c54778e1246a2 upstream.
Addressing this warning from gcc 7:
CC /tmp/build/perf/bench/numa.o
bench/numa.c: In function '__bench_numa':
bench/numa.c:1582:42: error: '%d' directive output may be truncated writing between 1 and 10 bytes into a region of size between 8 and 17 [-Werror=format-truncation=]
snprintf(tname, 32, "process%d:thread%d", p, t);
^~
bench/numa.c:1582:25: note: directive argument in the range [0,
2147483647]
snprintf(tname, 32, "process%d:thread%d", p, t);
^~~~~~~~~~~~~~~~~~~~
In file included from /usr/include/stdio.h:939:0,
from bench/../util/util.h:47,
from bench/../builtin.h:4,
from bench/numa.c:11:
/usr/include/bits/stdio2.h:64:10: note: '__builtin___snprintf_chk' output between 17 and 35 bytes into a destination of size 32
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Petr Holasek <pholasek@redhat.com>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-twa37vsfqcie5gwpqwnjuuz9@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arnaldo Carvalho de Melo [Thu, 9 Feb 2017 17:48:46 +0000 (14:48 -0300)]
perf tests: Avoid possible truncation with dirent->d_name + snprintf
commit
2e2bbc039fad9eabad6c4c1a473c8b2554cdd2d4 upstream.
Addressing a few cases spotted by a new warning in gcc 7:
tests/parse-events.c: In function 'test_pmu_events':
tests/parse-events.c:1790:39: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 90 [-Werror=format-truncation=]
snprintf(name, MAX_NAME, "cpu/event=%s/u", ent->d_name);
^~
In file included from /usr/include/stdio.h:939:0,
from /git/linux/tools/perf/util/map.h:9,
from /git/linux/tools/perf/util/symbol.h:7,
from /git/linux/tools/perf/util/evsel.h:10,
from tests/parse-events.c:3:
/usr/include/bits/stdio2.h:64:10: note: '__builtin___snprintf_chk' output between 13 and 268 bytes into a destination of size 100
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tests/parse-events.c:1798:29: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 100 [-Werror=format-truncation=]
snprintf(name, MAX_NAME, "%s:u,cpu/event=%s/u", ent->d_name, ent->d_name);
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Fixes:
945aea220bb8 ("perf tests: Move test objects into 'tests' directory")
Link: http://lkml.kernel.org/n/tip-ty4q2p8zp1dp3mskvubxskm5@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arnaldo Carvalho de Melo [Thu, 9 Feb 2017 18:22:22 +0000 (15:22 -0300)]
perf intel-pt: Use __fallthrough
commit
7ea6856d6f5629d742edc23b8b76e6263371ef45 upstream.
To address new warnings emmited by gcc 7, e.g.::
CC /tmp/build/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.o
CC /tmp/build/perf/tests/parse-events.o
util/intel-pt-decoder/intel-pt-pkt-decoder.c: In function 'intel_pt_pkt_desc':
util/intel-pt-decoder/intel-pt-pkt-decoder.c:499:6: error: this statement may fall through [-Werror=implicit-fallthrough=]
if (!(packet->count))
^
util/intel-pt-decoder/intel-pt-pkt-decoder.c:501:2: note: here
case INTEL_PT_CYC:
^~~~
CC /tmp/build/perf/util/intel-pt-decoder/intel-pt-decoder.o
cc1: all warnings being treated as errors
Acked-by: Andi Kleen <ak@linux.intel.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-mf0hw789pu9x855us5l32c83@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arnaldo Carvalho de Melo [Wed, 8 Feb 2017 20:01:46 +0000 (17:01 -0300)]
perf thread_map: Correctly size buffer used with dirent->dt_name
commit
bdf23a9a190d7ecea092fd5c4aabb7d4bd0a9980 upstream.
The size of dirent->dt_name is NAME_MAX + 1, but the size for the 'path'
buffer is hard coded at 256, which may truncate it because we also
prepend "/proc/", so that all that into account and thank gcc 7 for this
warning:
/git/linux/tools/perf/util/thread_map.c: In function 'thread_map__new_by_uid':
/git/linux/tools/perf/util/thread_map.c:119:39: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 250 [-Werror=format-truncation=]
snprintf(path, sizeof(path), "/proc/%s", dirent->d_name);
^~
In file included from /usr/include/stdio.h:939:0,
from /git/linux/tools/perf/util/thread_map.c:5:
/usr/include/bits/stdio2.h:64:10: note: '__builtin___snprintf_chk' output between 7 and 262 bytes into a destination of size 256
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-csy0r8zrvz5efccgd4k12c82@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arnaldo Carvalho de Melo [Wed, 8 Feb 2017 20:01:46 +0000 (17:01 -0300)]
perf top: Use __fallthrough
commit
7b0214b702ad8e124e039a317beeebb3f020d125 upstream.
The implicit fall through case label here is intended, so let us inform
that to gcc >= 7:
CC /tmp/build/perf/builtin-top.o
builtin-top.c: In function 'display_thread':
builtin-top.c:644:7: error: this statement may fall through [-Werror=implicit-fallthrough=]
if (errno == EINTR)
^
builtin-top.c:647:3: note: here
default:
^~~~~~~
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-lmcfnnyx9ic0m6j0aud98p4e@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arnaldo Carvalho de Melo [Wed, 8 Feb 2017 20:01:46 +0000 (17:01 -0300)]
tools strfilter: Use __fallthrough
commit
d64b721d27aef3fbeb16ecda9dd22ee34818ff70 upstream.
The implicit fall through case label here is intended, so let us inform
that to gcc >= 7:
util/strfilter.c: In function 'strfilter_node__sprint':
util/strfilter.c:270:6: error: this statement may fall through [-Werror=implicit-fallthrough=]
if (len < 0)
^
util/strfilter.c:272:2: note: here
case '!':
^~~~
cc1: all warnings being treated as errors
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-z2dpywg7u8fim000hjfbpyfm@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arnaldo Carvalho de Melo [Wed, 8 Feb 2017 20:01:46 +0000 (17:01 -0300)]
tools string: Use __fallthrough in perf_atoll()
commit
94bdd5edb34e472980d1e18b4600d6fb92bd6b0a upstream.
The implicit fall through case label here is intended, so let us inform
that to gcc >= 7:
CC /tmp/build/perf/util/string.o
util/string.c: In function 'perf_atoll':
util/string.c:22:7: error: this statement may fall through [-Werror=implicit-fallthrough=]
if (*p)
^
util/string.c:24:3: note: here
case '\0':
^~~~
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-0ophb30v9apkk6o95el0rqlq@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arnaldo Carvalho de Melo [Wed, 8 Feb 2017 20:01:46 +0000 (17:01 -0300)]
tools include: Add a __fallthrough statement
commit
b5bf1733d6a391c4e90ea8f8468d83023be74a2a upstream.
For cases where implicit fall through case labels are intended,
to let us inform that to gcc >= 7:
CC /tmp/build/perf/util/string.o
util/string.c: In function 'perf_atoll':
util/string.c:22:7: error: this statement may fall through [-Werror=implicit-fallthrough=]
if (*p)
^
util/string.c:24:3: note: here
case '\0':
^~~~
So we introduce:
#define __fallthrough __attribute__ ((fallthrough))
And use it in such cases.
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Cc: William Cohen <wcohen@redhat.com>
Link: http://lkml.kernel.org/n/tip-qnpig0xfop4hwv6k4mv1wts5@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Josh Zimmerman [Sun, 25 Jun 2017 21:53:24 +0000 (14:53 -0700)]
tpm: Issue a TPM2_Shutdown for TPM2 devices.
commit
d1bd4a792d3961a04e6154118816b00167aad91a upstream.
If a TPM2 loses power without a TPM2_Shutdown command being issued (a
"disorderly reboot"), it may lose some state that has yet to be
persisted to NVRam, and will increment the DA counter. After the DA
counter gets sufficiently large, the TPM will lock the user out.
NOTE: This only changes behavior on TPM2 devices. Since TPM1 uses sysfs,
and sysfs relies on implicit locking on chip->ops, it is not safe to
allow this code to run in TPM1, or to add sysfs support to TPM2, until
that locking is made explicit.
Signed-off-by: Josh Zimmerman <joshz@google.com>
Fixes:
74d6b3ceaa17 ("tpm: fix suspend/resume paths for TPM 2.0")
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Josh Zimmerman [Sun, 25 Jun 2017 21:53:23 +0000 (14:53 -0700)]
Add "shutdown" to "struct class".
commit
f77af15165847406b15d8f70c382c4cb15846b2a upstream.
The TPM class has some common shutdown code that must be executed for
all drivers. This adds some needed functionality for that.
Signed-off-by: Josh Zimmerman <joshz@google.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixes:
74d6b3ceaa17 ("tpm: fix suspend/resume paths for TPM 2.0")
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cong Wang [Sun, 9 Jul 2017 20:19:55 +0000 (13:19 -0700)]
mqueue: fix a use-after-free in sys_mq_notify()
commit
f991af3daabaecff34684fd51fac80319d1baad1 upstream.
The retry logic for netlink_attachskb() inside sys_mq_notify()
is nasty and vulnerable:
1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already
release the file refcnt
so we when retry but the fd has been just closed by user-space
during this small window, we end up calling netlink_detachskb()
on the error path which releases the sock again, later when
the user-space closes this socket a use-after-free could be
triggered.
Setting 'sock' to NULL here should be sufficient to fix it.
Reported-by: GeneBlue <geneblue.mail@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Todd Kjos [Mon, 14 Nov 2016 19:37:41 +0000 (11:37 -0800)]
FROMLIST: binder: remove global binder lock
(from https://patchwork.kernel.org/patch/
9817773/)
Remove global mutex and rely on fine-grained locking
Change-Id: Ide1988128c155e4374dc0b222b50a804109bcb6f
Signed-off-by: Todd Kjos <tkjos@google.com>
Martijn Coenen [Mon, 22 May 2017 18:26:23 +0000 (11:26 -0700)]
FROMLIST: binder: fix death race conditions
(from https://patchwork.kernel.org/patch/
9817765/)
A race existed where one thread could register
a death notification for a node, while another
thread was cleaning up that node and sending
out death notifications for its references,
causing simultaneous access to ref->death
because different locks were held.
Change-Id: I2392eb8075ac0aee51f1749ac398a663853ef4e6
Signed-off-by: Martijn Coenen <maco@google.com>
Todd Kjos [Fri, 21 Apr 2017 21:32:11 +0000 (14:32 -0700)]
FROMLIST: binder: protect against stale pointers in print_binder_transaction
(from https://patchwork.kernel.org/patch/
9817761/)
When printing transactions there were several race conditions
that could cause a stale pointer to be deferenced. Fixed by
reading the pointer once and using it if valid (which is
safe). The transaction buffer also needed protection via proc
lock, so it is only printed if we are holding the correct lock.
Change-Id: I9a03129e08eaab4b8a5646eecafaf10e343dbdea
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Thu, 20 Oct 2016 23:43:34 +0000 (16:43 -0700)]
FROMLIST: binder: protect binder_ref with outer lock
(from https://patchwork.kernel.org/patch/
9817771/)
Use proc->outer_lock to protect the binder_ref structure.
The outer lock allows functions operating on the binder_ref
to do nested acquires of node and inner locks as necessary
to attach refs to nodes atomically.
Binder refs must never be accesssed without holding the
outer lock.
Change-Id: Iffb9ae47fd383b87b70ee6bec344cde9f8d24996
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Fri, 26 May 2017 00:35:02 +0000 (17:35 -0700)]
FROMLIST: binder: use inner lock to protect thread accounting
(from https://patchwork.kernel.org/patch/
9817763/)
Use the inner lock to protect thread accounting fields in
proc structure: max_threads, requested_threads,
requested_threads_started and ready_threads.
Change-Id: I8cf519f40ddfe4fd00d99b82fdb88dc069611787
Signed-off-by: Todd Kjos <tkjos@google.com>
Martijn Coenen [Fri, 2 Jun 2017 20:36:52 +0000 (13:36 -0700)]
FROMLIST: binder: protect transaction_stack with inner lock.
(from https://patchwork.kernel.org/patch/
9817779/)
This makes future changes to priority inheritance
easier, since we want to be able to look at a thread's
transaction stack when selecting a thread to inherit
priority for.
It also allows us to take just a single lock in a
few paths, where we used to take two in succession.
Change-Id: Ie30eaefe9f746577967bab76e64c49069b8a5cfa
Signed-off-by: Martijn Coenen <maco@google.com>
Todd Kjos [Thu, 25 May 2017 22:52:17 +0000 (15:52 -0700)]
FROMLIST: binder: protect proc->threads with inner_lock
(from https://patchwork.kernel.org/patch/
9817775/)
proc->threads will need to be accessed with higher
locks of other processes held so use proc->inner_lock
to protect it. proc->tmp_ref now needs to be protected
by proc->inner_lock.
Change-Id: Id4cff2c9786d900b7846ec9b1816f7a07655c429
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Mon, 12 Jun 2017 19:07:26 +0000 (12:07 -0700)]
FROMLIST: binder: protect proc->nodes with inner lock
(from https://patchwork.kernel.org/patch/
9817783/)
When locks for binder_ref handling are added, proc->nodes
will need to be modified while holding the outer lock
Change-Id: I7daf5a51d83cdf6ac31a3728b3ea3e6ab94bf2e7
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Thu, 8 Jun 2017 20:45:59 +0000 (13:45 -0700)]
FROMLIST: binder: add spinlock to protect binder_node
(from https://patchwork.kernel.org/patch/
9817769/)
node->node_lock is used to protect elements of node. No
need to acquire for fields that are invariant: debug_id,
ptr, cookie.
Change-Id: I612ecb9db2d69b1319a9f0c450ccfdc85de70c39
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Thu, 20 Oct 2016 17:33:00 +0000 (10:33 -0700)]
FROMLIST: binder: add spinlocks to protect todo lists
(from https://patchwork.kernel.org/patch/
9817769/)
The todo lists in the proc, thread, and node structures
are accessed by other procs/threads to place work
items on the queue.
The todo lists are protected by the new proc->inner_lock.
No locks should ever be nested under these locks. As the
name suggests, an outer lock will be introduced in
a later patch.
Change-Id: Iaf613f317d7c6a1409055de47c5b84cd8147102e
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Tue, 21 Mar 2017 20:06:01 +0000 (13:06 -0700)]
FROMLIST: binder: use inner lock to sync work dq and node counts
(from https://patchwork.kernel.org/patch/
9817789/)
For correct behavior we need to hold the inner lock when
dequeuing and processing node work in binder_thread_read.
We now hold the inner lock when we enter the switch statement
and release it after processing anything that might be
affected by other threads.
We also need to hold the inner lock to protect the node
weak/strong ref tracking fields as long as node->proc
is non-NULL (if it is NULL then we are guaranteed that
we don't have any node work queued).
This means that other functions that manipulate these fields
must hold the inner lock. Refactored these functions to use
the inner lock.
Change-Id: I90cb6e39a3fecf4809a0828aa3a4f3199b38b209
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Mon, 29 May 2017 23:44:24 +0000 (16:44 -0700)]
FROMLIST: binder: introduce locking helper functions
(from https://patchwork.kernel.org/patch/
9817791/)
There are 3 main spinlocks which must be acquired in this
order:
1) proc->outer_lock : protects most fields of binder_proc,
binder_thread, and binder_ref structures. binder_proc_lock()
and binder_proc_unlock() are used to acq/rel.
2) node->lock : protects most fields of binder_node.
binder_node_lock() and binder_node_unlock() are
used to acq/rel
3) proc->inner_lock : protects the thread and node lists
(proc->threads, proc->nodes) and all todo lists associated
with the binder_proc (proc->todo, thread->todo,
proc->delivered_death and node->async_todo).
binder_inner_proc_lock() and binder_inner_proc_unlock()
are used to acq/rel
Any lock under procA must never be nested under any lock at the same
level or below on procB.
Functions that require a lock held on entry indicate which lock
in the suffix of the function name:
foo_olocked() : requires node->outer_lock
foo_nlocked() : requires node->lock
foo_ilocked() : requires proc->inner_lock
foo_iolocked(): requires proc->outer_lock and proc->inner_lock
foo_nilocked(): requires node->lock and proc->inner_lock
Change-Id: Ic11bf3bf988e0a901ce0484e2fd9323b176994c3
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Tue, 9 May 2017 18:08:05 +0000 (11:08 -0700)]
FROMLIST: binder: use node->tmp_refs to ensure node safety
(from https://patchwork.kernel.org/patch/
9817795/)
When obtaining a node via binder_get_node(),
binder_get_node_from_ref() or binder_new_node(),
increment node->tmp_refs to take a
temporary reference on the node to ensure the node
persists while being used. binder_put_node() must
be called to remove the temporary reference.
Change-Id: Idb84fea1ba0ae119a6593ec2dc80b7d4e6d81bce
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Mon, 8 May 2017 16:16:27 +0000 (09:16 -0700)]
FROMLIST: binder: refactor binder ref inc/dec for thread safety
(from https://patchwork.kernel.org/patch/
9817781/)
Once locks are added, binder_ref's will only be accessed
safely with the proc lock held. Refactor the inc/dec paths
to make them atomic with the binder_get_ref* paths and
node inc/dec. For example, instead of:
ref = binder_get_ref(proc, handle, strong);
...
binder_dec_ref(ref, strong);
we now have:
ret = binder_dec_ref_for_handle(proc, handle, strong, &rdata);
Since the actual ref is no longer exposed to callers, a
new struct binder_ref_data is introduced which can be used
to return a copy of ref state.
Change-Id: I11e6a31963eb18f5788cd52ae6ec9adb4438fa48
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Fri, 12 May 2017 21:42:55 +0000 (14:42 -0700)]
FROMLIST: binder: make sure accesses to proc/thread are safe
(from https://patchwork.kernel.org/patch/
9817787/)
binder_thread and binder_proc may be accessed by other
threads when processing transaction. Therefore they
must be prevented from being freed while a transaction
is in progress that references them.
This is done by introducing a temporary reference
counter for threads and procs that indicates that the
object is in use and must not be freed. binder_thread_dec_tmpref()
and binder_proc_dec_tmpref() are used to decrement
the temporary reference.
It is safe to free a binder_thread if there
is no reference and it has been released
(indicated by thread->is_dead).
It is safe to free a binder_proc if it has no
remaining threads and no reference.
A spinlock is added to the binder_transaction
to safely access and set references for t->from
and for debug code to safely access t->to_thread
and t->to_proc.
Change-Id: Ibab67eacc55e61d00f15a6567e54fb67aef51b3f
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Fri, 26 May 2017 18:56:29 +0000 (11:56 -0700)]
FROMLIST: binder: make sure target_node has strong ref
(from https://patchwork.kernel.org/patch/
9817787/)
When initiating a transaction, the target_node must
have a strong ref on it. Then we take a second
strong ref to make sure the node survives until the
transaction is complete.
Change-Id: Ia77b1794a92a8b6b8a564e48b4a4a6b225b5c279
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Sat, 22 Apr 2017 00:35:12 +0000 (17:35 -0700)]
FROMLIST: binder: guarantee txn complete / errors delivered in-order
(from https://patchwork.kernel.org/patch/
9817805/)
Since errors are tracked in the return_error/return_error2
fields of the binder_thread object and BR_TRANSACTION_COMPLETEs
can be tracked either in those fields or via the thread todo
work list, it is possible for errors to be reported ahead
of the associated txn complete.
Use the thread todo work list for errors to guarantee
order. Also changed binder_send_failed_reply to pop
the transaction even if it failed to send a reply.
Change-Id: Ibf93b412b6236812d415bc10fec8b43826948eaa
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Fri, 31 Mar 2017 01:02:13 +0000 (18:02 -0700)]
FROMLIST: binder: refactor binder_pop_transaction
(from https://lkml.org/lkml/2017/6/29/754)
binder_pop_transaction needs to be split into 2 pieces to
to allow the proc lock to be held on entry to dequeue the
transaction stack, but no lock when kfree'ing the transaction.
Split into binder_pop_transaction_locked and binder_free_transaction
(the actual locks are still to be added).
Change-Id: I4b3d21d42ad54031f52cb94ab2b0152812747c38
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Wed, 24 May 2017 20:33:28 +0000 (13:33 -0700)]
FROMLIST: binder: use atomic for transaction_log index
(from https://patchwork.kernel.org/patch/
9817807/)
The log->next index for the transaction log was
not protected when incremented. This led to a
case where log->next++ resulted in an index
larger than ARRAY_SIZE(log->entry) and eventually
a bad access to memory.
Fixed by making the log index an atomic64 and
converting to an array by using "% ARRAY_SIZE(log->entry)"
Also added "complete" field to the log entry which is
written last to tell the print code whether the
entry is complete
Change-Id: I539f285fee3406468e7f89de3cd560285bfd9ab1
Signed-off-by: Todd Kjos <tkjos@google.com>
Martijn Coenen [Wed, 15 Mar 2017 17:22:52 +0000 (18:22 +0100)]
FROMLIST: binder: add more debug info when allocation fails.
(from https://patchwork.kernel.org/patch/
9817797/)
Display information about allocated/free space whenever
binder buffer allocation fails on synchronous
transactions.
Change-Id: Ia718c897dfbfd50991746232ea3c6c9cfab5d1a3
Signed-off-by: Martijn Coenen <maco@android.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
Todd Kjos [Fri, 21 Apr 2017 21:32:11 +0000 (14:32 -0700)]
FROMLIST: binder: protect against two threads freeing buffer
(from https://patchwork.kernel.org/patch/
9817815/)
Adds protection against malicious user code freeing
the same buffer at the same time which could cause
a crash. Cannot happen under normal use.
Change-Id: I9461229401aaa7f3b5b2477960f79d4d1bd17fee
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Tue, 2 May 2017 00:21:51 +0000 (17:21 -0700)]
FROMLIST: binder: remove dead code in binder_get_ref_for_node
(from https://patchwork.kernel.org/patch/
9817819/)
node is always non-NULL in binder_get_ref_for_node so the
conditional and else clause are not needed
Change-Id: I89ca8c3c0a1a263624a0bd5ddb14e9093ae12009
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Fri, 6 Jan 2017 22:19:25 +0000 (14:19 -0800)]
FROMLIST: binder: don't modify thread->looper from other threads
(from https://patchwork.kernel.org/patch/
9817799/)
The looper member of struct binder_thread is a bitmask
of control bits. All of the existing bits are modified
by the affected thread except for BINDER_LOOPER_STATE_NEED_RETURN
which can be modified in binder_deferred_flush() by
another thread.
To avoid adding a spinlock around all read-mod-writes to
modify a bit, the BINDER_LOOPER_STATE_NEED_RETURN flag
is replaced by a separate field in struct binder_thread.
Change-Id: I92a5d084081e813b6d8c60f970dd58cc031042d6
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Tue, 9 May 2017 15:31:32 +0000 (08:31 -0700)]
FROMLIST: binder: avoid race conditions when enqueuing txn
(from https://patchwork.kernel.org/patch/
9817813/)
Currently, the transaction complete work item is queued
after the transaction. This means that it is possible
for the transaction to be handled and a reply to be
enqueued in the current thread before the transaction
complete is enqueued, which violates the protocol
with userspace who may not expect the transaction
complete. Fixed by always enqueing the transaction
complete first.
Also, once the transaction is enqueued, it is unsafe
to access since it might be freed. Currently,
t->flags is accessed to determine whether a sync
wake is needed. Changed to access tr->flags
instead.
Change-Id: I247f25a66cfeac8a1fcb2ad65c6053d51cafe4f3
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Wed, 24 May 2017 17:51:01 +0000 (10:51 -0700)]
FROMLIST: binder: refactor queue management in binder_thread_read
(from https://patchwork.kernel.org/patch/
9817757/)
In binder_thread_read, the BINDER_WORK_NODE command is used
to communicate the references on the node to userspace. It
can take a couple of iterations in the loop to construct
the list of commands for user space. When locking is added,
the lock would need to be release on each iteration which
means the state could change. The work item is not dequeued
during this process which prevents a simpler queue management
that can just dequeue up front and handle the work item.
Fixed by changing the BINDER_WORK_NODE algorithm in
binder_thread_read to determine which commands to send
to userspace atomically in 1 pass so it stays consistent
with the kernel view.
The work item is now dequeued immediately since only
1 pass is needed.
Change-Id: I252990504866e6518cf474a1e0af6d853ac52102
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Thu, 23 Mar 2017 00:19:52 +0000 (17:19 -0700)]
FROMLIST: binder: add log information for binder transaction failures
(from https://patchwork.kernel.org/patch/
9817751/)
Add additional information to determine the cause of binder
failures. Adds the following to failed transaction log and
kernel messages:
return_error : value returned for transaction
return_error_param : errno returned by binder allocator
return_error_line : line number where error detected
Also, return BR_DEAD_REPLY if an allocation error indicates
a dead proc (-ESRCH)
Change-Id: If9f203dee30036003aa1823aaf3f7098f488a3e6
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Thu, 25 May 2017 17:56:00 +0000 (10:56 -0700)]
FROMLIST: binder: make binder_last_id an atomic
(from https://patchwork.kernel.org/patch/
9817809/)
Use an atomic for binder_last_id to avoid locking it
Change-Id: I582c48be4bd04a17d6c96c9a4093c3ade56c47cd
Signed-off-by: Todd Kjos <tkjos@google.com>
Badhri Jagan Sridharan [Thu, 13 Oct 2016 23:36:15 +0000 (16:36 -0700)]
FROMLIST: binder: change binder_stats to atomics
(from https://patchwork.kernel.org/patch/
9817755/)
Use atomics for stats to avoid needing to lock for
increments/decrements
Change-Id: I7e29cdab7aaa2dd5516bfe6b6c9926824955a4b3
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Mon, 17 Oct 2016 19:33:15 +0000 (12:33 -0700)]
FROMLIST: binder: add protection for non-perf cases
(from https://patchwork.kernel.org/patch/
9817749/)
Add binder_dead_nodes_lock, binder_procs_lock, and
binder_context_mgr_node_lock to protect the associated global lists
Change-Id: Iaa47e52fcd7950e227abbe5d35fc9109f6a27d2f
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Wed, 24 May 2017 18:53:13 +0000 (11:53 -0700)]
FROMLIST: binder: remove binder_debug_no_lock mechanism
(from https://patchwork.kernel.org/patch/
9817811/)
With the global lock, there was a mechanism to access
binder driver debugging information with the global
lock disabled to debug deadlocks or other issues.
This mechanism is rarely (if ever) used anymore
and wasn't needed during the development of
fine-grained locking in the binder driver.
Removing it.
Change-Id: I6f4061ddb04fbdcf1e067e7a5eeee730f14d4c01
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Mon, 10 Oct 2016 17:40:53 +0000 (10:40 -0700)]
FROMLIST: binder: move binder_alloc to separate file
(from https://patchwork.kernel.org/patch/
9817753/)
Move the binder allocator functionality to its own file
Continuation of splitting the binder allocator from the binder
driver. Split binder_alloc functions from normal binder functions.
Add kernel doc comments to functions declared extern in
binder_alloc.h
Change-Id: I6a10138d003632ebcb1589f22c7437f2bec8bff6
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Mon, 10 Oct 2016 17:40:53 +0000 (10:40 -0700)]
FROMLIST: binder: separate out binder_alloc functions
(from https://patchwork.kernel.org/patch/
9817753/)
Continuation of splitting the binder allocator from the binder
driver. Separate binder_alloc functions from normal binder
functions. Protect the allocator with a separate mutex.
Change-Id: I119b05b4d0573fc965f863f34fa2ebfae40426f7
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Fri, 21 Apr 2017 18:18:12 +0000 (11:18 -0700)]
FROMLIST: binder: remove unneeded cleanup code
(from https://patchwork.kernel.org/patch/
9817817/)
The buffer's transaction has already been freed before
binder_deferred_release. No need to do it again.
Change-Id: I2451a22aee72796d7ca1fc6c1406e22a706200c5
Signed-off-by: Todd Kjos <tkjos@google.com>
Todd Kjos [Mon, 10 Oct 2016 17:39:59 +0000 (10:39 -0700)]
FROMLIST: binder: separate binder allocator structure from binder proc
(from https://patchwork.kernel.org/patch/
9817745/)
The binder allocator is logically separate from the rest
of the binder drivers. Separating the data structures
to prepare for splitting into separate file with separate
locking.
Change-Id: Ia97d9347eaad953dc3a34bbd6fda23834dd6cef4
Signed-off-by: Todd Kjos <tkjos@google.com>
Riley Andrews [Tue, 1 Sep 2015 19:42:07 +0000 (12:42 -0700)]
FROMLIST: binder: Use wake up hint for synchronous transactions.
(from https://patchwork.kernel.org/patch/
9817747)
Use wake_up_interruptible_sync() to hint to the scheduler binder
transactions are synchronous wakeups. Disable preemption while waking
to avoid ping-ponging on the binder lock.
Change-Id: I041dd798f3d0c4c15aa461e4e6d71dc270e1ca86
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Omprakash Dhyade <odhyade@codeaurora.org>
Todd Kjos [Tue, 27 Jun 2017 22:18:51 +0000 (15:18 -0700)]
Revert "android: binder: Sanity check at binder ioctl"
This reverts commit
a906d6931f3ccaf7de805643190765ddd7378e27.
The patch introduced a race in the binder driver. An attempt to fix the
race was submitted in "[PATCH v2] android: binder: fix dangling pointer
comparison", however the conclusion in the discussion for that patch
was that the original patch should be reverted.
The reversion is being done as part of the fine-grained locking
patchset since the patch would need to be refactored when
proc->vmm_vm_mm is removed from struct binder_proc and added
in the binder allocator.
Also needs reversion in 4.9 LTS
Change-Id: I9777ece955c07ac30432187bb968f87cf73271d8
Signed-off-by: Todd Kjos <tkjos@google.com>
Greg Kroah-Hartman [Wed, 12 Jul 2017 15:07:29 +0000 (17:07 +0200)]
Merge 4.9.37 into android-4.9
Changes in 4.9.37
fs: add a VALID_OPEN_FLAGS
fs: completely ignore unknown open flags
driver core: platform: fix race condition with driver_override
ceph: choose readdir frag based on previous readdir reply
tracing/kprobes: Allow to create probe with a module name starting with a digit
media: entity: Fix stream count check
drm/virtio: don't leak bo on drm_gem_object_init failure
usb: dwc3: replace %p with %pK
USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
Add USB quirk for HVR-950q to avoid intermittent device resets
usb: usbip: set buffer pointers to NULL after free
usb: Fix typo in the definition of Endpoint[out]Request
USB: core: fix device node leak
mac80211_hwsim: Replace bogus hrtimer clockid
sysctl: don't print negative flag for proc_douintvec
sysctl: report EINVAL if value is larger than UINT_MAX for proc_douintvec
pinctrl: qcom: ipq4019: add missing pingroups for pins > 70
pinctrl: cherryview: Add a quirk to make Acer Chromebook keyboard work again
pinctrl: sh-pfc: r8a7794: Swap ATA signals
pinctrl: sh-pfc: r8a7791: Fix SCIF2 pinmux data
pinctrl: sh-pfc: r8a7791: Add missing DVC_MUTE signal
pinctrl: sh-pfc: r8a7795: Fix hscif2_clk_b and hscif4_ctrl
pinctrl: meson: meson8b: fix the NAND DQS pins
pinctrl: stm32: Fix bad function call
pinctrl: sunxi: Fix SPDIF function name for A83T
pinctrl: cherryview: Add terminate entry for dmi_system_id tables
pinctrl: mxs: atomically switch mux and drive strength config
pinctrl: sh-pfc: r8a7791: Add missing HSCIF1 pinmux data
pinctrl: sh-pfc: Update info pointer after SoC-specific init
USB: serial: option: add two Longcheer device ids
USB: serial: qcserial: new Sierra Wireless EM7305 device ID
xhci: Limit USB2 port wake support for AMD Promontory hosts
gfs2: Fix glock rhashtable rcu bug
tpm: fix a kernel memory leak in tpm-sysfs.c
x86/tools: Fix gcc-7 warning in relocs.c
x86/uaccess: Optimize copy_user_enhanced_fast_string() for short strings
ath10k: override CE5 config for QCA9377
KEYS: Fix an error code in request_master_key()
crypto: drbg - Fixes panic in wait_for_completion call
RDMA/uverbs: Check port number supplied by user verbs cmds
rt286: add Thinkpad Helix 2 to force_combo_jack_table
Linux 4.9.37
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Greg Kroah-Hartman [Wed, 12 Jul 2017 13:42:41 +0000 (15:42 +0200)]
Linux 4.9.37
Yifeng Li [Wed, 3 May 2017 17:34:14 +0000 (01:34 +0800)]
rt286: add Thinkpad Helix 2 to force_combo_jack_table
commit
fe0dfd6358a17c79bd7d6996af7512ba452a7059 upstream.
Thinkpad Helix 2 is a tablet PC, the audio is powered by Core M
broadwell-audio and rt286 codec. For all versions of Linux kernel,
the stereo output doesn't work properly when earphones are plugged
in, the sound was coming out from both channels even if the audio
contains only the left or right channel. Furthermore, if a music
recorded in stereo is played, the two channels cancle out each other
out, as a result, no voice but only distorted background music can be
heard, like a sound card with builtin a Karaoke sount effect.
Apparently this tablet uses a combo jack with polarity incorrectly
set by rt286 driver. This patch adds DMI information of Thinkpad Helix 2
to force_combo_jack_table[] and the issue is resolved. The microphone
input doesn't work regardless to the presence of this patch and still
needs help from other developers to investigate.
This is my first patch to LKML directly, sorry for CC-ing too many
people here.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=93841
Signed-off-by: Yifeng Li <tomli@tomli.me>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Boris Pismenny [Tue, 27 Jun 2017 12:09:13 +0000 (15:09 +0300)]
RDMA/uverbs: Check port number supplied by user verbs cmds
commit
5ecce4c9b17bed4dc9cb58bfb10447307569b77b upstream.
The ib_uverbs_create_ah() ind ib_uverbs_modify_qp() calls receive
the port number from user input as part of its attributes and assumes
it is valid. Down on the stack, that parameter is used to access kernel
data structures. If the value is invalid, the kernel accesses memory
it should not. To prevent this, verify the port number before using it.
BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
Read of size 4 at addr
ffff880018d67ab8 by task syz-executor/313
BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
Read of size 4 at addr
ffff88006c40ec58 by task syz-executor/819
Fixes:
67cdb40ca444 ("[IB] uverbs: Implement more commands")
Cc: Yevgeny Kliteynik <kliteyn@mellanox.com>
Cc: Tziporet Koren <tziporet@mellanox.com>
Cc: Alex Polak <alexpo@mellanox.com>
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stephan Mueller [Fri, 26 May 2017 10:11:31 +0000 (12:11 +0200)]
crypto: drbg - Fixes panic in wait_for_completion call
commit
b61929c654f2e725644935737c4c1ea9c741e2f8 upstream.
Initialise ctr_completion variable before use.
Cc: <stable@vger.kernel.org>
Signed-off-by: Harsh Jain <harshjain.prof@gmail.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Carpenter [Thu, 9 Feb 2017 17:17:52 +0000 (17:17 +0000)]
KEYS: Fix an error code in request_master_key()
commit
57cb17e764ba0aaa169d07796acce54ccfbc6cae upstream.
This function has two callers and neither are able to handle a NULL
return. Really, -EINVAL is the correct thing return here anyway. This
fixes some static checker warnings like:
security/keys/encrypted-keys/encrypted.c:709 encrypted_key_decrypt()
error: uninitialized symbol 'master_key'.
Fixes:
7e70cb497850 ("keys: add new key-type encrypted")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bartosz Markowski [Thu, 15 Dec 2016 09:23:22 +0000 (11:23 +0200)]
ath10k: override CE5 config for QCA9377
commit
b08b5b53a1ed2bd7a883f8fd29232c8f03604671 upstream.
Similarly to QCA6174, QCA9377 requires the CE5 configuration to be
available for other feature. Use the ath10k_pci_override_ce_config()
for it as well.
This is required for TF2.0 firmware. Previous FW revisions were
working fine without this patch.
Fixes:
a70587b3389a ("ath10k: configure copy engine 5 for HTT messages")
Signed-off-by: Bartosz Markowski <bartosz.markowski@tieto.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Paolo Abeni [Thu, 29 Jun 2017 13:55:58 +0000 (15:55 +0200)]
x86/uaccess: Optimize copy_user_enhanced_fast_string() for short strings
commit
236222d39347e0e486010f10c1493e83dbbdfba8 upstream.
According to the Intel datasheet, the REP MOVSB instruction
exposes a pretty heavy setup cost (50 ticks), which hurts
short string copy operations.
This change tries to avoid this cost by calling the explicit
loop available in the unrolled code for strings shorter
than 64 bytes.
The 64 bytes cutoff value is arbitrary from the code logic
point of view - it has been selected based on measurements,
as the largest value that still ensures a measurable gain.
Micro benchmarks of the __copy_from_user() function with
lengths in the [0-63] range show this performance gain
(shorter the string, larger the gain):
- in the [55%-4%] range on Intel Xeon(R) CPU E5-2690 v4
- in the [72%-9%] range on Intel Core i7-4810MQ
Other tested CPUs - namely Intel Atom S1260 and AMD Opteron
8216 - show no difference, because they do not expose the
ERMS feature bit.
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/4533a1d101fd460f80e21329a34928fad521c1d4.1498744345.git.pabeni@redhat.com
[ Clarified the changelog. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
Markus Trippelsdorf [Thu, 15 Dec 2016 12:45:13 +0000 (13:45 +0100)]
x86/tools: Fix gcc-7 warning in relocs.c
commit
7ebb916782949621ff6819acf373a06902df7679 upstream.
gcc-7 warns:
In file included from arch/x86/tools/relocs_64.c:17:0:
arch/x86/tools/relocs.c: In function ‘process_64’:
arch/x86/tools/relocs.c:953:2: warning: argument 1 null where non-null expected [-Wnonnull]
qsort(r->offset, r->count, sizeof(r->offset[0]), cmp_relocs);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from arch/x86/tools/relocs.h:6:0,
from arch/x86/tools/relocs_64.c:1:
/usr/include/stdlib.h:741:13: note: in a call to function ‘qsort’ declared here
extern void qsort
This happens because relocs16 is not used for ELF_BITS == 64,
so there is no point in trying to sort it.
Make the sort_relocs(&relocs16) call 32bit only.
Signed-off-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Link: http://lkml.kernel.org/r/20161215124513.GA289@x4
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jarkko Sakkinen [Tue, 20 Jun 2017 09:38:02 +0000 (11:38 +0200)]
tpm: fix a kernel memory leak in tpm-sysfs.c
commit
13b47cfcfc60495cde216eef4c01040d76174cbe upstream.
While cleaning up sysfs callback that prints EK we discovered a kernel
memory leak. This commit fixes the issue by zeroing the buffer used for
TPM command/response.
The leak happen when we use either tpm_vtpm_proxy, tpm_ibmvtpm or
xen-tpmfront.
Fixes:
0883743825e3 ("TPM: sysfs functions consolidation")
Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Andreas Gruenbacher [Fri, 7 Jul 2017 18:22:05 +0000 (13:22 -0500)]
gfs2: Fix glock rhashtable rcu bug
commit
961ae1d83d055a4b9ebbfb4cc8ca62ec1a7a3b74 upstream.
Before commit
88ffbf3e03 "GFS2: Use resizable hash table for glocks",
glocks were freed via call_rcu to allow reading the glock hashtable
locklessly using rcu. This was then changed to free glocks immediately,
which made reading the glock hashtable unsafe. Bring back the original
code for freeing glocks via call_rcu.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jiahau Chang [Mon, 19 Jun 2017 10:08:30 +0000 (13:08 +0300)]
xhci: Limit USB2 port wake support for AMD Promontory hosts
commit
dec08194ffeccfa1cf085906b53d301930eae18f upstream.
For AMD Promontory xHCI host, although you can disable USB 2.0 ports in
BIOS settings, those ports will be enabled anyway after you remove a
device on that port and re-plug it in again. It's a known limitation of
the chip. As a workaround we can clear the PORT_WAKE_BITS.
This will disable wake on connect, disconnect and overcurrent on
AMD Promontory USB2 ports
[checkpatch cleanup and commit message reword -Mathias]
Cc: Tsai Nicholas <nicholas.tsai@amd.com>
Signed-off-by: Jiahau Chang <Lars_Chang@asmedia.com.tw>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bjørn Mork [Tue, 13 Jun 2017 17:11:42 +0000 (19:11 +0200)]
USB: serial: qcserial: new Sierra Wireless EM7305 device ID
commit
996fab55d864ed604158f71724ff52db1c2454a3 upstream.
A new Sierra Wireless EM7305 device ID used in a Toshiba laptop.
Reported-by: Petr Kloc <petr_kloc@yahoo.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 12 Jun 2017 14:30:16 +0000 (16:30 +0200)]
USB: serial: option: add two Longcheer device ids
commit
8fb060da715ad10fe956d7c0077b2fb0c12bb9d7 upstream.
Add two Longcheer device-id entries which specifically enables a
Telewell TW-3G HSPA+ branded modem (0x9801).
Reported-by: Teemu Likonen <tlikonen@iki.fi>
Reported-by: Bjørn Mork <bjorn@mork.no>
Reported-by: Lars Melin <larsm17@gmail.com>
Tested-by: Teemu Likonen <tlikonen@iki.fi>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Geert Uytterhoeven [Thu, 9 Mar 2017 18:20:48 +0000 (19:20 +0100)]
pinctrl: sh-pfc: Update info pointer after SoC-specific init
commit
3091ae775fae17084013021d01513bc1ad274e6a upstream.
Update the sh_pfc_soc_info pointer after calling the SoC-specific
initialization function, as it may have been updated to e.g. handle
different SoC revisions. This makes sure the correct subdriver name is
printed later.
Fixes:
0c151062f32c9db8 ("sh-pfc: Add support for SoC-specific initialization")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sergei Shtylyov [Wed, 29 Mar 2017 18:36:50 +0000 (21:36 +0300)]
pinctrl: sh-pfc: r8a7791: Add missing HSCIF1 pinmux data
commit
da7a692fbbab07f4e9798b5b52798f6e3256dd8f upstream.
The R8A7791 PFC driver was apparently based on the preliminary revisions
of the user's manual, which omitted the HSCIF1 group E signals in the
IPSR4 register description. This would cause HSCIF1's probe to fail with
the messages like below:
sh-pfc
e6060000.pfc: cannot locate data/mark enum_id for mark 1989
sh-sci
e62c8000.serial: Error applying setting, reverse things back
sh-sci: probe of
e62c8000.serial failed with error -22
Add the neceassary PINMUX_IPSR_MSEL() invocations for the HSCK1_E,
HCTS1#_E, and HRTS1#_E signals...
Fixes:
508845196238 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Uwe Kleine-König [Thu, 18 May 2017 09:23:55 +0000 (11:23 +0200)]
pinctrl: mxs: atomically switch mux and drive strength config
commit
da6c2addf66d7ff7d0b090d6267d4292f951e4e6 upstream.
To set the mux mode of a pin two bits must be set. Up to now this is
implemented using the following idiom:
writel(mask, reg + CLR);
writel(value, reg + SET);
. This however results in the mux mode being 0 between the two writes.
On my machine there is an IC's reset pin connected to LCD_D20. The
bootloader configures this pin as GPIO output-high (i.e. not holding the
IC in reset). When Linux reconfigures the pin to GPIO the short time
LCD_D20 is muxed as LCD_D20 instead of GPIO_1_20 is enough to confuse
the connected IC.
The same problem is present for the pin's drive strength setting which is
reset to low drive strength before using the right value.
So instead of relying on the hardware to modify the register setting
using two writes implement the bit toggling using read-modify-write.
Fixes:
17723111e64f ("pinctrl: add pinctrl-mxs support")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wei Yongjun [Tue, 25 Apr 2017 06:22:05 +0000 (06:22 +0000)]
pinctrl: cherryview: Add terminate entry for dmi_system_id tables
commit
a9de080bbcd5c4e213a3d7bbb1e314d60980e943 upstream.
Make sure dmi_system_id tables are NULL terminated.
Fixes:
703650278372 ("pinctrl: cherryview: Add a quirk to make Acer
Chromebook keyboard work again")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Chen-Yu Tsai [Mon, 22 May 2017 06:25:49 +0000 (14:25 +0800)]
pinctrl: sunxi: Fix SPDIF function name for A83T
commit
7903d4f5e1dec53963cba9b1bc472a76a3532e07 upstream.
We use well known standard names for functions that have name, such as
I2C, SPI, SPDIF, etc..
Fix the function name of SPDIF, which was named OWA (One Wire Audio)
based on Allwinner datasheets.
Fixes:
4730f33f0d82 ("pinctrl: sunxi: add allwinner A83T PIO controller
support")
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alexandre TORGUE [Tue, 30 May 2017 14:43:04 +0000 (16:43 +0200)]
pinctrl: stm32: Fix bad function call
commit
b7c747d4627462f25b3daabf49c18895a6722faa upstream.
In stm32_pconf_parse_conf function, stm32_pmx_gpio_set_direction is
called with wrong parameter value. Indeed, using NULL value for range
will raise an oops.
Fixes:
aceb16dc2da5 ("pinctrl: Add STM32 MCUs support")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alexandre TORGUE <alexandre.torgue@st.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Martin Blumenstingl [Sat, 1 Apr 2017 13:59:21 +0000 (15:59 +0200)]
pinctrl: meson: meson8b: fix the NAND DQS pins
commit
97ba26b8a9343008504d4e3a87d212bc07b05212 upstream.
The nand_groups table uses different names for the NAND DQS pins than
the GROUP() definition in meson8b_cbus_groups (nand_dqs_0 vs nand_dqs0).
This prevents using the NAND DQS pins in the devicetree.
Fix this by ensuring that the GROUP() definition and the
meson8b_cbus_groups use the same name for these pins.
Fixes:
0fefcb6876d0 ("pinctrl: Add support for Meson8b")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Acked-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Geert Uytterhoeven [Sat, 11 Mar 2017 11:26:09 +0000 (12:26 +0100)]
pinctrl: sh-pfc: r8a7795: Fix hscif2_clk_b and hscif4_ctrl
commit
4324b6084f45b9faebda8d6563d8625d22b4b5df upstream.
Fix typos in hscif2_clk_b_mux[] and hscif4_ctrl_mux[].
Fixes:
a56069c46c102710 ("pinctrl: sh-pfc: r8a7795: Add HSCIF pins, groups, and functions")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sergei Shtylyov [Wed, 29 Mar 2017 18:36:51 +0000 (21:36 +0300)]
pinctrl: sh-pfc: r8a7791: Add missing DVC_MUTE signal
commit
3908632fb829d73317c64c3d04f584b49f62e4ae upstream.
The R8A7791 PFC driver was apparently based on the preliminary revisions
of the user's manual, which omitted the DVC_MUTE signal altogether in
the PFC section. The modern manual has the signal described, so just add
the necassary data to the driver...
Fixes:
508845196238 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sergei Shtylyov [Thu, 30 Mar 2017 20:20:48 +0000 (23:20 +0300)]
pinctrl: sh-pfc: r8a7791: Fix SCIF2 pinmux data
commit
58439280f84e6b39fd7d61f25ab30489c1aaf0a9 upstream.
PINMUX_IPSR_MSEL() macro invocation for the TX2 signal has apparently wrong
1st argument -- most probably a result of cut&paste programming...
Fixes:
508845196238 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sergei Shtylyov [Tue, 4 Apr 2017 20:20:16 +0000 (23:20 +0300)]
pinctrl: sh-pfc: r8a7794: Swap ATA signals
commit
5f4c8cafe1148f8a91287072815df8f0b66f0e5c upstream.
All R8A7794 manuals I have here (0.50 and 1.10) agree that the PFC driver
has ATAG0# and ATAWR0# signals in IPSR12 swapped -- fix this.
Fixes:
43c4436e2f18 ("pinctrl: sh-pfc: add R8A7794 PFC support")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mika Westerberg [Mon, 10 Apr 2017 10:16:33 +0000 (13:16 +0300)]
pinctrl: cherryview: Add a quirk to make Acer Chromebook keyboard work again
commit
7036502783729c2aaf7a3c24c89087c58721430f upstream.
After commit
47c950d10202 ("pinctrl: cherryview: Do not add all
southwest and north GPIOs to IRQ domain") the driver does not add all
GPIOs to the irqdomain. The reason for that is that those GPIOs cannot
generate IRQs at all, only GPEs (General Purpose Events). This causes
Linux virtual IRQ numbering to change.
However, it seems some CYAN Chromebooks, including Acer Chromebook
hardcodes these Linux IRQ numbers in the ACPI tables of the machine.
Since the numbering is different now, the IRQ meant for keyboard does
not match the Linux virtual IRQ number anymore making the keyboard
non-functional.
Work this around by adding special quirk just for these machines where
we add back all GPIOs to the irqdomain. Rest of the Cherryview/Braswell
based machines will not be affected by the change.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=194945
Fixes:
47c950d10202 ("pinctrl: cherryview: Do not add all southwest and north GPIOs to IRQ domain")
Reported-by: Adam S Levy <theadamlevy@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Christian Lamparter [Thu, 16 Mar 2017 20:36:07 +0000 (21:36 +0100)]
pinctrl: qcom: ipq4019: add missing pingroups for pins > 70
commit
d7402de48efae57bbb0072e53d3800c30de57ea5 upstream.
This patch adds the missing PINGROUP for GPIO70-99.
This fixes a crash that happens in pinctrl-msm, if any
of the GPIO70-99 are accessed.
Fixes:
5303f7827fcd41d ("pinctrl: qcom: ipq4019: set ngpios to correct value")
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Acked-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Liping Zhang [Fri, 7 Apr 2017 15:51:07 +0000 (23:51 +0800)]
sysctl: report EINVAL if value is larger than UINT_MAX for proc_douintvec
commit
425fffd886bae3d127a08fa6a17f2e31e24ed7ff upstream.
Currently, inputting the following command will succeed but actually the
value will be truncated:
# echo 0x12ffffffff > /proc/sys/net/ipv4/tcp_notsent_lowat
This is not friendly to the user, so instead, we should report error
when the value is larger than UINT_MAX.
Fixes:
e7d316a02f68 ("sysctl: handle error writing UINT_MAX to u32 fields")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Cc: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Liping Zhang [Fri, 7 Apr 2017 15:51:06 +0000 (23:51 +0800)]
sysctl: don't print negative flag for proc_douintvec
commit
5380e5644afbba9e3d229c36771134976f05c91e upstream.
I saw some very confusing sysctl output on my system:
# cat /proc/sys/net/core/xfrm_aevent_rseqth
-2
# cat /proc/sys/net/core/xfrm_aevent_etime
-10
# cat /proc/sys/net/ipv4/tcp_notsent_lowat
-
4294967295
Because we forget to set the *negp flag in proc_douintvec, so it will
become a garbage value.
Since the value related to proc_douintvec is always an unsigned integer,
so we can set *negp to false explictily to fix this issue.
Fixes:
e7d316a02f68 ("sysctl: handle error writing UINT_MAX to u32 fields")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Cc: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thomas Gleixner [Sat, 25 Feb 2017 10:27:37 +0000 (10:27 +0000)]
mac80211_hwsim: Replace bogus hrtimer clockid
commit
8fbcfeb8a9cc803464d6c166e7991913711c612c upstream.
mac80211_hwsim initializes a hrtimer with clockid
CLOCK_MONOTONIC_RAW. That's not supported.
Use CLOCK_MONOTONIC instead.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Tue, 6 Jun 2017 15:58:58 +0000 (17:58 +0200)]
USB: core: fix device node leak
commit
e271b2c909a22a2c13b2d5f77f2ce0091b74540c upstream.
Make sure to release any OF device-node reference taken when creating
the USB device.
Note that we currently do not hold a reference to the root hub
device-tree node (i.e. the parent controller node).
Fixes:
69bec7259853 ("USB: core: let USB device know device node")
Acked-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Benjamin Herrenschmidt [Tue, 13 Jun 2017 06:01:13 +0000 (16:01 +1000)]
usb: Fix typo in the definition of Endpoint[out]Request
commit
7cf916bd639bd26db7214f2205bccdb4b9306256 upstream.
The current definition is wrong. This breaks my upcoming
Aspeed virtual hub driver.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Michael Grzeschik [Mon, 22 May 2017 11:02:44 +0000 (13:02 +0200)]
usb: usbip: set buffer pointers to NULL after free
commit
b3b51417d0af63fb9a06662dc292200aed9ea53f upstream.
The usbip stack dynamically allocates the transfer_buffer and
setup_packet of each urb that got generated by the tcp to usb stub code.
As these pointers are always used only once we will set them to NULL
after use. This is done likewise to the free_urb code in vudc_dev.c.
This patch fixes double kfree situations where the usbip remote side
added the URB_FREE_BUFFER.
Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Devin Heitmueller [Tue, 27 Jun 2017 17:08:51 +0000 (13:08 -0400)]
Add USB quirk for HVR-950q to avoid intermittent device resets
commit
6836796de4019944f4ba4c99a360e8250fd2e735 upstream.
The USB core and sysfs will attempt to enumerate certain parameters
which are unsupported by the au0828 - causing inconsistent behavior
and sometimes causing the chip to reset. Avoid making these calls.
This problem manifested as intermittent cases where the au8522 would
be reset on analog video startup, in particular when starting up ALSA
audio streaming in parallel - the sysfs entries created by
snd-usb-audio on streaming startup would result in unsupported control
messages being sent during tuning which would put the chip into an
unknown state.
Signed-off-by: Devin Heitmueller <dheitmueller@kernellabs.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jeremie Rapin [Wed, 28 Jun 2017 16:23:25 +0000 (18:23 +0200)]
USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
commit
fd90f73a9925f248d696bde1cfc836d9fda5570d upstream.
Added the USB serial device ID for the CEL ZigBee EM3588
radio stick.
Signed-off-by: Jeremie Rapin <rapinj@gmail.com>
Acked-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Felipe Balbi [Wed, 17 May 2017 12:57:45 +0000 (15:57 +0300)]
usb: dwc3: replace %p with %pK
commit
04fb365c453e14ff9e8a28f1c46050d920a27a4a upstream.
%p will leak kernel pointers, so let's not expose the information on
dmesg and instead use %pK. %pK will only show the actual addresses if
explicitly enabled under /proc/sys/kernel/kptr_restrict.
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Gerd Hoffmann [Thu, 6 Apr 2017 15:59:40 +0000 (17:59 +0200)]
drm/virtio: don't leak bo on drm_gem_object_init failure
commit
385aee965b4e4c36551c362a334378d2985b722a upstream.
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170406155941.458-1-kraxel@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
projects / GitHub / LineageOS / G12 / android_kernel_amlogic_linux-4.9.git / log