GitHub/LineageOS/android_kernel_samsung_universal7580.git
5 years agocpufreq_stats: Adds the fucntionality to load current values for each frequency for...
Ruchi Kandoi [Sat, 10 Dec 2016 18:07:17 +0000 (18:07 +0000)]
cpufreq_stats: Adds the fucntionality to load current values for each frequency for all the cores.

The current values for the cpu cores needs to be added to the device
tree for this functionaly to work. It loads the current values for each
frequecy in uA for all the cores.

Change-Id: If03311aaeb3e4c09375dd0beb9ad4fbb254b5c08
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Original commit: https://github.com/dianlujitao/CAF_kernel_msm-3.10/commit/8d12562a74922eac859dcec9c43d34d8fd1a9fd1

5 years agoFix memory leaks when updating stats table
Sultanxda [Sun, 25 Jun 2017 07:39:02 +0000 (07:39 +0000)]
Fix memory leaks when updating stats table

The address for an element in the per-cpu cpufreq_stats_table variable
is overwritten in cpufreq_stats_update_policy_cpu(), but the memory
allocated at the address that gets overwritten is not freed beforehand.

Free the allocated memory beforehand to fix the memory leaks.

Signed-off-by: Sultanxda <sultanxda@gmail.com>
Signed-off-by: Francisco Franco <franciscofranco.1990@gmail.com>
Signed-off-by: Luca Grifo <lg@linux.com>
Signed-off-by: djb77 <dwayne.bakewell@gmail.com>
Used commit: https://github.com/Siddhant-Naik/TheFlash-Kernel-A5-A7-2017/commit/98bd2052dfc9757832c49b7a8c68157b8baea13f

5 years agocpufreq: interactive governor drops bits in time calculation
Chris Redpath [Mon, 17 Jun 2013 17:36:56 +0000 (18:36 +0100)]
cpufreq: interactive governor drops bits in time calculation

Keep time calculation in 64-bit throughout. If we have long times
between idle calculations this can result in deltas > 32 bits
which causes incorrect load percentage calculations and selecting
the wrong frequencies if we truncate here.

Change-Id: Iac1e5646d58485737538edbb9e7a6d2246b56023
Signed-off-by: Chris Redpath <chris.redpath@arm.com>
Signed-off-by: Alex Naidis <alex.naidis@linux.com>
5 years agoCHROMIUM: cpufreq: interactive: calculate load before freq change
Derek Basehore [Fri, 27 Mar 2015 20:59:30 +0000 (13:59 -0700)]
CHROMIUM: cpufreq: interactive: calculate load before freq change

The update to cpu load for cpufreq rate changes was happening after the rate
change instead of before. This switches it to update the cpu load before the
cpufreq rate change so the old frequency is used for calculating the speed
adjusted cpu load. The old frequency was used for that active time, so it should
be used for calculating the speed adjusted cpu load.

BUG=chrome-os-partner:37673
TEST=power_LoadTest on Jerry
check we spend most of our time at the lower cpu frequencies

Change-Id: I2fff785561ad8aebd354ddd305e91d96c799a617
Signed-off-by: Derek Basehore <dbasehore@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/262925
Reviewed-by: Douglas Anderson <dianders@chromium.org>
5 years agocpufreq: Correct the data reported in all_time_in_state
Nirmal Abraham [Wed, 7 Oct 2015 10:53:43 +0000 (16:23 +0530)]
cpufreq: Correct the data reported in all_time_in_state

Commit bd9474e059bbb2bb62f7e93894cfc3d3ba473fb2 (cpufreq_stats:
Adds the fucntionality to load current values for each frequency
for all the cores) introduced a change by which
'cpufreq_allstats_create' gets called at initialization (from
'cpufreq_stats_init' instead of 'cpufreq_stat_notifier_policy').
This causes 'cpufreq_allstate_create' to be called before the
freq_table is allocated from 'create_all_freq_table'. Due to
this, the data for cpu's which are online at boot are not
added to the 'all_freq_table' leading to the incorrect
reporting of data when the below sysfs command is run -
'cat sys/devices/system/cpu/cpufreq/all_time_in_state'.

Correct this behaviour by altering the cpufreq_stats init
sequence by which the memory for 'all_freq_table' is allocated
before the 'cpufreq_allstats_create' function is called.

Change-Id: I2232dacdc0deec4d1987c418e833fe28f74623fc
Signed-off-by: Nirmal Abraham <nabrah@codeaurora.org>
5 years agocpufreq: interactive: Ramp up directly if cpu_load exceeds 100
Junjie Wu [Wed, 25 Mar 2015 21:05:49 +0000 (14:05 -0700)]
cpufreq: interactive: Ramp up directly if cpu_load exceeds 100

When governor is using regular busy time tracking, cpu_load will
never exceed 100 because busy time will never exceed elapsed time in
any one sampling window. The only exception is when frequency is
reduced in middle of a window (e.g. due to thermal throttling). In
this case, cpu_load is likely irrelevant since current frequency
governor has been voting is already higher than what target can run
at.

However, on a heterogeneous CPU system with scheduler input enabled
to track the load of migrated tasks, cpu_load could also exceed 100
when a task migrates from more capable CPU to slower CPU. When this
happens, governor already knows the exact frequency required to handle
this load. There is no need to progressively ramp up frequency in order
to assess the load's real demand. It's not desirable to starve such a
migrating task by forcing it through ramping up process on the slower
CPU.

Direclty jump beyond hispeed_freq and ignore above_hispeed_delay if
cpu_load exceeds 100.

Change-Id: Ib87057e4f00732fad943ab595a33e3059494ef15
Signed-off-by: Junjie Wu <junjiew@codeaurora.org>
5 years agocpufreq: interactive: fix permanent locking on high CPU frequency
Alexander Alexeev [Thu, 24 Jan 2019 19:04:15 +0000 (22:04 +0300)]
cpufreq: interactive: fix permanent locking on high CPU frequency

This removed improper Samsung's changes

5 years agoCHROMIUM: cpufreq: interactive: validate above_hispeed_delay
Andrew Bresticker [Tue, 13 Aug 2013 20:39:48 +0000 (13:39 -0700)]
CHROMIUM: cpufreq: interactive: validate above_hispeed_delay

We rely on the frequencies in above_hispeed_delay being in ascending
order.  Ensure that is the case for the values the user gives us.

BUG=chrome-os-partner:20830
TEST=Boot Pit; write invalid above_hispeed_delay value:
localhost ~ # echo "20000 1800000:20000 700000:0" > above_hispeed_delay
-bash: echo: write error: Invalid argument

Change-Id: Ifb431e58ad4b6b371152d7b09fcbefa127b0cbe2
Signed-off-by: Andrew Bresticker <abrestic@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/65742
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>
5 years agocpufreq: interactive: BUG_ON when tunables are NULL after init
Junjie Wu [Tue, 5 Aug 2014 18:24:32 +0000 (11:24 -0700)]
cpufreq: interactive: BUG_ON when tunables are NULL after init

When tunables are not available for events other than
CPUFREQ_GOV_POLICY_INIT in cpufreq_governor_interactive(), trigger a
panic instead of throwing a warning.

When the original warning happens, some race condition must have
occurred, and governor will be in a bad state even if it might still
run for a while. Panic directly so that it's easier to catch the
first race event.

Change-Id: I2dc1185cabfe72a63739452731fe242924d2cf45
Signed-off-by: Junjie Wu <junjiew@codeaurora.org>
5 years agocpufreq: interactive: Don't set floor_validate_time during boost
Junjie Wu [Tue, 27 Oct 2015 17:30:57 +0000 (18:30 +0100)]
cpufreq: interactive: Don't set floor_validate_time during boost

Frequency selection algorithm guarantees its chosen frequency
is not lower than hispeed_freq as long as boost is enabled.

Setting floor_freq and floor_validate_time during boost could block
CPU frequency from going below hispeed_freq even after
boostpulse_duration expires, if min_sample_time is higher than
boostpulse_duration. This conflicts with the intention of commit
de091367ead15b6e95dd1d0743a18f0da5a07ee5
(cpufreq: interactive: specify duration of CPU speed boost pulse)
to allow CPU to ramp down immediately after boost expires. It also
makes boost behavior inconsistent since it depends on min_sample_time.

Avoid setting floor_freq and floor_validate_time when boost starts.

Change-Id: I12852998af46cfbfaf8661eb5e8d5301b6f631e7
Signed-off-by: Junjie Wu <junjiew@codeaurora.org>
Signed-off-by: Bálint Czobor <czoborbalint@gmail.com>
5 years agocpufreq: interactive: Use del_timer/add_timer_on to rearm timers
Junjie Wu [Fri, 15 Aug 2014 23:20:54 +0000 (16:20 -0700)]
cpufreq: interactive: Use del_timer/add_timer_on to rearm timers

Replace mod_timer_pinned() with del_timer(), add_timer_on().
mod_timer_pinned() always adds timer onto current CPU. Interactive
governor expects each CPU's timers to be running on the same CPU.
If cpufreq_interactive_timer_resched() is called from another CPU,
the timer will be armed on the wrong CPU.

Replacing mod_timer_pinned() with del_timer() and add_timer_on()
guarantees timers are still run on the right CPU even if another
CPU reschedules the timer. This would provide more flexibility
for future changes.

Change-Id: I3a10be37632afc0ea4e0cc9c86323b9783b216b1
Signed-off-by: Junjie Wu <junjiew@codeaurora.org>
5 years agonet: core: To send ARP probe when neighbor state is NUD_STALE
Sridhar Ancha [Thu, 14 Apr 2016 15:50:43 +0000 (21:20 +0530)]
net: core: To send ARP probe when neighbor state is NUD_STALE

Featurizing to send an ARP probe to the connected client when
the neighbor state moves to NUD_STALE. This triggers the
neighbor state to move back to NUD_REACHABLE if the ARP request
is resolved and prevents a RTM_DELNEIGH from being triggered

Change-Id: I27aba004a180dfbff5b1fcee2d04047c8523fb8a
Signed-off-by: Sridhar Ancha <sancha@codeaurora.org>
5 years agonet: core: Send ARP probe and trigger RTM_NEWNEIGH
Ravinder Konka [Thu, 9 Apr 2015 06:12:00 +0000 (11:42 +0530)]
net: core: Send ARP probe and trigger RTM_NEWNEIGH

Send ARP probe and generate RTM_NEWNEIGH if the neighbor
state is not NUD_REACHABLE. Also featurize changes for
sending neighbor probe.

Change-Id: I633285b8e0cbcd49291d5e52136f11e20f2388bc
Signed-off-by: Ravinder Konka <rkonka@codeaurora.org>
5 years agoneigh: Better handling of transition to NUD_PROBE state
Erik Kline [Mon, 18 May 2015 10:44:41 +0000 (19:44 +0900)]
neigh: Better handling of transition to NUD_PROBE state

[1] When entering NUD_PROBE state via neigh_update(), perhaps received
    from userspace, correctly (re)initialize the probes count to zero.

    This is useful for forcing revalidation of a neighbor (for example
    if the host is attempting to do DNA [IPv4 4436, IPv6 6059]).

[2] Notify listeners when a neighbor goes into NUD_PROBE state.

    By sending notifications on entry to NUD_PROBE state listeners get
    more timely warnings of imminent connectivity issues.

    The current notifications on entry to NUD_STALE have somewhat
    limited usefulness: NUD_STALE is a perfectly normal state, as is
    NUD_DELAY, whereas notifications on entry to NUD_FAILURE come after
    a neighbor reachability problem has been confirmed (typically after
    three probes).

Change-Id: I1d01d40ef3bc4753b0eaa79da2b27235425b1934
Signed-off-by: Erik Kline <ek@google.com>
Acked-By: Lorenzo Colitti <lorenzo@google.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-commit: e4a6d6ba5a9e9e1796bbe6efe4f20ce7072df667
Git-repo: https://android.googlesource.com/kernel/common.git
Signed-off-by: Ian Maund <imaund@codeaurora.org>
5 years agonet: core: To send ARP probe when neighbor state is NUD_STALE
Ravinder Konka [Wed, 10 Dec 2014 11:46:31 +0000 (17:16 +0530)]
net: core: To send ARP probe when neighbor state is NUD_STALE

Send an ARP probe to the connected client when the neighbor
state moves to NUD_STALE. This triggers the neighbor state
to move back to NUD_REACHABLE if the ARP request is resolved
and prevents a RTM_DELNEIGH from being triggered

Change-Id: I4d17c8f24d47931524904d0db74fa812a4f235f6
Signed-off-by: Ravinder Konka <rkonka@codeaurora.org>
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
5 years agoANDROID: binder: don't queue async transactions to thread.
Martijn Coenen [Thu, 10 Aug 2017 11:56:16 +0000 (13:56 +0200)]
ANDROID: binder: don't queue async transactions to thread.

This can cause issues with processes using the poll()
interface:

1) client sends two oneway transactions
2) the second one gets queued on async_todo
   (because the server didn't handle the first one
    yet)
3) server returns from poll(), picks up the
   first transaction and does transaction work
4) server is done with the transaction, sends
   BC_FREE_BUFFER, and the second transaction gets
   moved to thread->todo
5) libbinder's handlePolledCommands() only handles
   the commands in the current data buffer, so
   doesn't see the new transaction
6) the server continues running and issues a new
   outgoing transaction. Now, it suddenly finds
   the incoming oneway transaction on its thread
   todo, and returns that to userspace.
7) userspace does not expect this to happen; it
   may be holding a lock while making the outgoing
   transaction, and if handling the incoming
   trasnaction requires taking the same lock,
   userspace will deadlock.

By queueing the async transaction to the proc
workqueue, we make sure it's only picked up when
a thread is ready for proc work.

Bug: 38201220
Bug: 63075553
Bug: 63079216

Change-Id: I84268cc112f735d7e3173793873dfdb4b268468b
Signed-off-by: Martijn Coenen <maco@android.com>
5 years agoANDROID: binder: don't enqueue death notifications to thread todo.
Martijn Coenen [Thu, 10 Aug 2017 11:50:52 +0000 (13:50 +0200)]
ANDROID: binder: don't enqueue death notifications to thread todo.

This allows userspace to request death notifications without
having to worry about getting an immediate callback on the same
thread; one scenario where this would be problematic is if the
death recipient handler grabs a lock that was already taken
earlier (eg as part of a nested transaction).

Bug: 23525545
Test: binderLibTest.DeathNotificationThread passes
Change-Id: I955e16306fe3110dacb9a391ffff1bf869249495
Signed-off-by: Martijn Coenen <maco@android.com>
5 years agoANDROID: binder: call poll_wait() unconditionally.
Martijn Coenen [Thu, 10 Aug 2017 10:32:00 +0000 (12:32 +0200)]
ANDROID: binder: call poll_wait() unconditionally.

Because we're not guaranteed that subsequent calls
to poll() will have a poll_table_struct parameter
with _qproc set. When _qproc is not set, poll_wait()
is a noop, and we won't be woken up correctly.

Bug: 64552728
Change-Id: I5b904c9886b6b0994d1631a636f5c5e5f6327950
Test: binderLibTest stops hanging with new test
Signed-off-by: Martijn Coenen <maco@android.com>
5 years agoANDROID: binder: Don't BUG_ON(!spin_is_locked()).
Martijn Coenen [Thu, 27 Jul 2017 21:52:24 +0000 (23:52 +0200)]
ANDROID: binder: Don't BUG_ON(!spin_is_locked()).

Because is_spin_locked() always returns false on UP
systems.

Use assert_spin_locked() instead, and remove the
WARN_ON() instances, since those were easy to verify.

Bug: 64073116
Change-Id: I9080991c6d67e91928282a3ee64db23e50c7d66a
Signed-off-by: Martijn Coenen <maco@android.com>
5 years agoANDROID: binder: don't check prio permissions on restore.
Martijn Coenen [Fri, 26 May 2017 17:48:56 +0000 (10:48 -0700)]
ANDROID: binder: don't check prio permissions on restore.

Because we have disabled RT priority inheritance for
the regular binder domain, the following can happen:

1) thread A (prio 98) calls into thread B
2) because RT prio inheritance is disabled, thread B
   runs at the lowest nice (prio 100) instead
3) thread B calls back into A; A will run at prio 100
   for the duration of the transaction
4) When thread A is done with the call from B, we will
   try to restore the prio back to 98. But, we fail
   because the process doesn't hold CAP_SYS_NICE,
   neither is RLIMIT_RT_PRIO set.

While the proper fix going forward will be to
correctly apply CAP_SYS_NICE or RLIMIT_RT_PRIO,
for now it seems reasonable to not check permissions
on the restore path.

Change-Id: Ibede5960c9b7bb786271c001e405de50be64d944
Signed-off-by: Martijn Coenen <maco@android.com>
5 years agoAdd BINDER_GET_NODE_DEBUG_INFO ioctl
Colin Cross [Tue, 20 Jun 2017 20:54:44 +0000 (13:54 -0700)]
Add BINDER_GET_NODE_DEBUG_INFO ioctl

The BINDER_GET_NODE_DEBUG_INFO ioctl will return debug info on
a node.  Each successive call reusing the previous return value
will return the next node.  The data will be used by
libmemunreachable to mark the pointers with kernel references
as reachable.

Bug: 28275695
Change-Id: Idbbafa648a33822dc023862cd92b51a595cf7c1c
Signed-off-by: Colin Cross <ccross@android.com>
Signed-off-by: Martijn Coenen <maco@android.com>
5 years agoANDROID: binder: add RT inheritance flag to node.
Martijn Coenen [Fri, 23 Jun 2017 17:13:43 +0000 (10:13 -0700)]
ANDROID: binder: add RT inheritance flag to node.

Allows a binder node to specify whether it wants to
inherit real-time scheduling policy from a caller.

Change-Id: I375b6094bf441c19f19cba06d5a6be02cd07d714
Signed-off-by: Martijn Coenen <maco@android.com>
5 years agoANDROID: binder: improve priority inheritance.
Martijn Coenen [Wed, 7 Jun 2017 17:02:12 +0000 (10:02 -0700)]
ANDROID: binder: improve priority inheritance.

By raising the priority of a thread selected for
a transaction *before* we wake it up.

Delay restoring the priority when doing a reply
until after we wake-up the process receiving
the reply.

Change-Id: Ic332e4e0ed7d2d3ca6ab1034da4629c9eadd3405
Signed-off-by: Martijn Coenen <maco@google.com>
5 years agoANDROID: binder: add min sched_policy to node.
Martijn Coenen [Wed, 7 Jun 2017 16:29:14 +0000 (09:29 -0700)]
ANDROID: binder: add min sched_policy to node.

This change adds flags to flat_binder_object.flags
to allow indicating a minimum scheduling policy for
the node. It also clarifies the valid value range
for the priority bits in the flags.

Internally, we use the priority map that the kernel
uses, e.g. [0..99] for real-time policies and [100..139]
for the SCHED_NORMAL/SCHED_BATCH policies.

Bug: 34461621
Bug: 37293077
Change-Id: I12438deecb53df432da18c6fc77460768ae726d2
Signed-off-by: Martijn Coenen <maco@google.com>
5 years agoANDROID: binder: add support for RT prio inheritance.
Martijn Coenen [Wed, 7 Jun 2017 00:04:42 +0000 (17:04 -0700)]
ANDROID: binder: add support for RT prio inheritance.

Adds support for SCHED_BATCH/SCHED_FIFO/SCHED_RR
priority inheritance.

Change-Id: I71f356e476be2933713a0ecfa2cc31aa141e2dc6
Signed-off-by: Martijn Coenen <maco@google.com>
5 years agoANDROID: binder: push new transactions to waiting threads.
Martijn Coenen [Tue, 6 Jun 2017 22:17:46 +0000 (15:17 -0700)]
ANDROID: binder: push new transactions to waiting threads.

Instead of pushing new transactions to the process
waitqueue, select a thread that is waiting on proc
work to handle the transaction. This will make it
easier to improve priority inheritance in future
patches, by setting the priority before we wake up
a thread.

If we can't find a waiting thread, submit the work
to the proc waitqueue instead as we did previously.

Change-Id: I23cbfcca867bed7b86007e22137d0a8fad4b4001
Signed-off-by: Martijn Coenen <maco@google.com>
5 years agoANDROID: binder: remove proc waitqueue
Martijn Coenen [Fri, 2 Jun 2017 18:15:44 +0000 (11:15 -0700)]
ANDROID: binder: remove proc waitqueue

Removes the process waitqueue, so that threads
can only wait on the thread waitqueue. Whenever
there is process work to do, pick a thread and
wake it up.

This also fixes an issue with using epoll(),
since we no longer have to block on different
waitqueues.

Bug: 34461621
Change-Id: I2950b9de6fa078ee72d53c667a03cbaf587f0849
Signed-off-by: Martijn Coenen <maco@google.com>
5 years agoFROMLIST: binder: remove global binder lock
Todd Kjos [Mon, 14 Nov 2016 19:37:41 +0000 (11:37 -0800)]
FROMLIST: binder: remove global binder lock

(from https://patchwork.kernel.org/patch/9817773/)

Remove global mutex and rely on fine-grained locking

Change-Id: Idd1ae2e52d654e5dd76d443a1ff97522e687fd4c
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: fix death race conditions
Martijn Coenen [Mon, 22 May 2017 18:26:23 +0000 (11:26 -0700)]
FROMLIST: binder: fix death race conditions

(from https://patchwork.kernel.org/patch/9817765/)

A race existed where one thread could register
a death notification for a node, while another
thread was cleaning up that node and sending
out death notifications for its references,
causing simultaneous access to ref->death
because different locks were held.

Test: boots, manual testing
Change-Id: Iff73312f34f70374f417beba4c4c82dd33cac119
Signed-off-by: Martijn Coenen <maco@google.com>
5 years agoFROMLIST: binder: protect against stale pointers in print_binder_transaction
Todd Kjos [Fri, 21 Apr 2017 21:32:11 +0000 (14:32 -0700)]
FROMLIST: binder: protect against stale pointers in print_binder_transaction

(from https://patchwork.kernel.org/patch/9817761/)

When printing transactions there were several race conditions
that could cause a stale pointer to be deferenced. Fixed by
reading the pointer once and using it if valid (which is
safe). The transaction buffer also needed protection via proc
lock, so it is only printed if we are holding the correct lock.

Bug: 36650912
Test: tested manually
Change-Id: I78240f99cc1a070d70a841c0d84d4306e2fd528d
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: protect binder_ref with outer lock
Todd Kjos [Thu, 20 Oct 2016 23:43:34 +0000 (16:43 -0700)]
FROMLIST: binder: protect binder_ref with outer lock

(from https://patchwork.kernel.org/patch/9817771/)

Use proc->outer_lock to protect the binder_ref structure.
The outer lock allows functions operating on the binder_ref
to do nested acquires of node and inner locks as necessary
to attach refs to nodes atomically.

Binder refs must never be accesssed without holding the
outer lock.

Change-Id: Icf6add0eddf70473b39239960b2d9a524775b53a
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: use inner lock to protect thread accounting
Todd Kjos [Fri, 26 May 2017 00:35:02 +0000 (17:35 -0700)]
FROMLIST: binder: use inner lock to protect thread accounting

(from https://patchwork.kernel.org/patch/9817763/)

Use the inner lock to protect thread accounting fields in
proc structure: max_threads, requested_threads,
requested_threads_started and ready_threads.

Change-Id: I5a17eb68812702f803d4e2806e7887de0b3af18e
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: protect transaction_stack with inner lock.
Martijn Coenen [Fri, 2 Jun 2017 20:36:52 +0000 (13:36 -0700)]
FROMLIST: binder: protect transaction_stack with inner lock.

(from https://patchwork.kernel.org/patch/9817779/)

This makes future changes to priority inheritance
easier, since we want to be able to look at a thread's
transaction stack when selecting a thread to inherit
priority for.

It also allows us to take just a single lock in a
few paths, where we used to take two in succession.

Change-Id: Idb1b6e9faa5c669978b2b3011fe326be8aece586
Signed-off-by: Martijn Coenen <maco@google.com>
5 years agoFROMLIST: binder: protect proc->threads with inner_lock
Todd Kjos [Thu, 25 May 2017 22:52:17 +0000 (15:52 -0700)]
FROMLIST: binder: protect proc->threads with inner_lock

(from https://patchwork.kernel.org/patch/9817775/)

proc->threads will need to be accessed with higher
locks of other processes held so use proc->inner_lock
to protect it. proc->tmp_ref now needs to be protected
by proc->inner_lock.

Change-Id: I176cfeca16bf7c9b34b428c16405f93db81d2ff8
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: protect proc->nodes with inner lock
Todd Kjos [Mon, 12 Jun 2017 19:07:26 +0000 (12:07 -0700)]
FROMLIST: binder: protect proc->nodes with inner lock

(from https://patchwork.kernel.org/patch/9817783/)

When locks for binder_ref handling are added, proc->nodes
will need to be modified while holding the outer lock

Change-Id: I17b39e981c55130c14a62fe49900eceff6e3642b
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: add spinlock to protect binder_node
Todd Kjos [Thu, 8 Jun 2017 20:45:59 +0000 (13:45 -0700)]
FROMLIST: binder: add spinlock to protect binder_node

(from https://patchwork.kernel.org/patch/9817769/)

node->node_lock is used to protect elements of node. No
need to acquire for fields that are invariant: debug_id,
ptr, cookie.

Change-Id: Ib7738e52fa7689767f17136e18cc05ff548b5717
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: add spinlocks to protect todo lists
Todd Kjos [Thu, 20 Oct 2016 17:33:00 +0000 (10:33 -0700)]
FROMLIST: binder: add spinlocks to protect todo lists

(from https://patchwork.kernel.org/patch/9817769/)

The todo lists in the proc, thread, and node structures
are accessed by other procs/threads to place work
items on the queue.

The todo lists are protected by the new proc->inner_lock.
No locks should ever be nested under these locks. As the
name suggests, an outer lock will be introduced in
a later patch.

Change-Id: I7720bacf5ebae4af177e22fcab0900d54c94c11a
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: use inner lock to sync work dq and node counts
Todd Kjos [Tue, 21 Mar 2017 20:06:01 +0000 (13:06 -0700)]
FROMLIST: binder: use inner lock to sync work dq and node counts

(from https://patchwork.kernel.org/patch/9817789/)

For correct behavior we need to hold the inner lock when
dequeuing and processing node work in binder_thread_read.
We now hold the inner lock when we enter the switch statement
and release it after processing anything that might be
affected by other threads.

We also need to hold the inner lock to protect the node
weak/strong ref tracking fields as long as node->proc
is non-NULL (if it is NULL then we are guaranteed that
we don't have any node work queued).

This means that other functions that manipulate these fields
must hold the inner lock. Refactored these functions to use
the inner lock.

Change-Id: I02c5cfdd3ab6dadea7f07f2a275faf3e27be77ad
Test: tested manually
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: introduce locking helper functions
Todd Kjos [Mon, 29 May 2017 23:44:24 +0000 (16:44 -0700)]
FROMLIST: binder: introduce locking helper functions

(from https://patchwork.kernel.org/patch/9817791/)

There are 3 main spinlocks which must be acquired in this
order:
1) proc->outer_lock : protects most fields of binder_proc,
binder_thread, and binder_ref structures. binder_proc_lock()
and binder_proc_unlock() are used to acq/rel.
2) node->lock : protects most fields of binder_node.
binder_node_lock() and binder_node_unlock() are
used to acq/rel
3) proc->inner_lock : protects the thread and node lists
(proc->threads, proc->nodes) and all todo lists associated
with the binder_proc (proc->todo, thread->todo,
proc->delivered_death and node->async_todo).
binder_inner_proc_lock() and binder_inner_proc_unlock()
are used to acq/rel

Any lock under procA must never be nested under any lock at the same
level or below on procB.

Functions that require a lock held on entry indicate which lock
in the suffix of the function name:

foo_olocked() : requires node->outer_lock
foo_nlocked() : requires node->lock
foo_ilocked() : requires proc->inner_lock
foo_iolocked(): requires proc->outer_lock and proc->inner_lock
foo_nilocked(): requires node->lock and proc->inner_lock

Change-Id: Ied42674486092a0e3bdde64356e45b2494844558
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: use node->tmp_refs to ensure node safety
Todd Kjos [Tue, 9 May 2017 18:08:05 +0000 (11:08 -0700)]
FROMLIST: binder: use node->tmp_refs to ensure node safety

(from https://patchwork.kernel.org/patch/9817795/)

When obtaining a node via binder_get_node(),
binder_get_node_from_ref() or binder_new_node(),
increment node->tmp_refs to take a
temporary reference on the node to ensure the node
persists while being used.  binder_put_node() must
be called to remove the temporary reference.

Change-Id: I962b39d5cd80b2d7e4786bb87236ede7914e2db7
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: refactor binder ref inc/dec for thread safety
Todd Kjos [Mon, 8 May 2017 16:16:27 +0000 (09:16 -0700)]
FROMLIST: binder: refactor binder ref inc/dec for thread safety

(from https://patchwork.kernel.org/patch/9817781/)

Once locks are added, binder_ref's will only be accessed
safely with the proc lock held. Refactor the inc/dec paths
to make them atomic with the binder_get_ref* paths and
node inc/dec. For example, instead of:

  ref = binder_get_ref(proc, handle, strong);
  ...
  binder_dec_ref(ref, strong);

we now have:

  ret = binder_dec_ref_for_handle(proc, handle, strong, &rdata);

Since the actual ref is no longer exposed to callers, a
new struct binder_ref_data is introduced which can be used
to return a copy of ref state.

Change-Id: I7de22107f8ebc967cee63251d584fceb4ea56250
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: make sure accesses to proc/thread are safe
Todd Kjos [Fri, 12 May 2017 21:42:55 +0000 (14:42 -0700)]
FROMLIST: binder: make sure accesses to proc/thread are safe

(from https://patchwork.kernel.org/patch/9817787/)

binder_thread and binder_proc may be accessed by other
threads when processing transaction. Therefore they
must be prevented from being freed while a transaction
is in progress that references them.

This is done by introducing a temporary reference
counter for threads and procs that indicates that the
object is in use and must not be freed. binder_thread_dec_tmpref()
and binder_proc_dec_tmpref() are used to decrement
the temporary reference.

It is safe to free a binder_thread if there
is no reference and it has been released
(indicated by thread->is_dead).

It is safe to free a binder_proc if it has no
remaining threads and no reference.

A spinlock is added to the binder_transaction
to safely access and set references for t->from
and for debug code to safely access t->to_thread
and t->to_proc.

Change-Id: I0a00a0294c3e93aea8b3f141c6f18e77ad244078
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: make sure target_node has strong ref
Todd Kjos [Fri, 26 May 2017 18:56:29 +0000 (11:56 -0700)]
FROMLIST: binder: make sure target_node has strong ref

(from https://patchwork.kernel.org/patch/9817787/)

When initiating a transaction, the target_node must
have a strong ref on it. Then we take a second
strong ref to make sure the node survives until the
transaction is complete.

Change-Id: If7429cb43eda520ab89d45df6c19327cee97c60c
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: guarantee txn complete / errors delivered in-order
Todd Kjos [Sat, 22 Apr 2017 00:35:12 +0000 (17:35 -0700)]
FROMLIST: binder: guarantee txn complete / errors delivered in-order

(from https://patchwork.kernel.org/patch/9817805/)

Since errors are tracked in the return_error/return_error2
fields of the binder_thread object and BR_TRANSACTION_COMPLETEs
can be tracked either in those fields or via the thread todo
work list, it is possible for errors to be reported ahead
of the associated txn complete.

Use the thread todo work list for errors to guarantee
order. Also changed binder_send_failed_reply to pop
the transaction even if it failed to send a reply.

Bug: 37218618
Test: tested manually
Change-Id: I196cfaeed09fdcd697f8ab25eea4e04241fdb08f
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: refactor binder_pop_transaction
Todd Kjos [Fri, 31 Mar 2017 01:02:13 +0000 (18:02 -0700)]
FROMLIST: binder: refactor binder_pop_transaction

(from https://lkml.org/lkml/2017/6/29/754)

binder_pop_transaction needs to be split into 2 pieces to
to allow the proc lock to be held on entry to dequeue the
transaction stack, but no lock when kfree'ing the transaction.

Split into binder_pop_transaction_locked and binder_free_transaction
(the actual locks are still to be added).

Change-Id: I848ae994cc27b3cd083cff2dbd1071762784f4a3
Test: tested manually
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: use atomic for transaction_log index
Todd Kjos [Wed, 24 May 2017 20:33:28 +0000 (13:33 -0700)]
FROMLIST: binder: use atomic for transaction_log index

(from https://patchwork.kernel.org/patch/9817807/)

The log->next index for the transaction log was
not protected when incremented. This led to a
case where log->next++ resulted in an index
larger than ARRAY_SIZE(log->entry) and eventually
a bad access to memory.

Fixed by making the log index an atomic64 and
converting to an array by using "% ARRAY_SIZE(log->entry)"

Also added "complete" field to the log entry which is
written last to tell the print code whether the
entry is complete

Bug: 62038227
Test: tested manually
Change-Id: I1bb1c1a332a6ac458a626f5bedd05022b56b91f2
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: protect against two threads freeing buffer
Todd Kjos [Fri, 21 Apr 2017 21:32:11 +0000 (14:32 -0700)]
FROMLIST: binder: protect against two threads freeing buffer

(from https://patchwork.kernel.org/patch/9817815/)

Adds protection against malicious user code freeing
the same buffer at the same time which could cause
a crash. Cannot happen under normal use.

Bug: 36650912
Change-Id: I43e078cbf31c0789aaff5ceaf8f1a94c75f79d45
Test: tested manually
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: remove dead code in binder_get_ref_for_node
Todd Kjos [Tue, 2 May 2017 00:21:51 +0000 (17:21 -0700)]
FROMLIST: binder: remove dead code in binder_get_ref_for_node

(from https://patchwork.kernel.org/patch/9817819/)

node is always non-NULL in binder_get_ref_for_node so the
conditional and else clause are not needed

Change-Id: I23f011ba59e1869d9577e6bf28e1f1dd38f45713
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: don't modify thread->looper from other threads
Todd Kjos [Fri, 6 Jan 2017 22:19:25 +0000 (14:19 -0800)]
FROMLIST: binder: don't modify thread->looper from other threads

(from https://patchwork.kernel.org/patch/9817799/)

The looper member of struct binder_thread is a bitmask
of control bits. All of the existing bits are modified
by the affected thread except for BINDER_LOOPER_STATE_NEED_RETURN
which can be modified in binder_deferred_flush() by
another thread.

To avoid adding a spinlock around all read-mod-writes to
modify a bit, the BINDER_LOOPER_STATE_NEED_RETURN flag
is replaced by a separate field in struct binder_thread.

Bug: 33250092 32225111
Change-Id: Ia4cefbdbd683c6cb17c323ba7d278de5f2ca0745
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: avoid race conditions when enqueuing txn
Todd Kjos [Tue, 9 May 2017 15:31:32 +0000 (08:31 -0700)]
FROMLIST: binder: avoid race conditions when enqueuing txn

(from https://patchwork.kernel.org/patch/9817813/)

Currently, the transaction complete work item is queued
after the transaction. This means that it is possible
for the transaction to be handled and a reply to be
enqueued in the current thread before the transaction
complete is enqueued, which violates the protocol
with userspace who may not expect the transaction
complete. Fixed by always enqueing the transaction
complete first.

Also, once the transaction is enqueued, it is unsafe
to access since it might be freed. Currently,
t->flags is accessed to determine whether a sync
wake is needed. Changed to access tr->flags
instead.

Change-Id: I6c01566e167a39cf17c9027c3817618182e56975
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: refactor queue management in binder_thread_read
Todd Kjos [Wed, 24 May 2017 17:51:01 +0000 (10:51 -0700)]
FROMLIST: binder: refactor queue management in binder_thread_read

(from https://patchwork.kernel.org/patch/9817757/)

In binder_thread_read, the BINDER_WORK_NODE command is used
to communicate the references on the node to userspace. It
can take a couple of iterations in the loop to construct
the list of commands for user space. When locking is added,
the lock would need to be release on each iteration which
means the state could change. The work item is not dequeued
during this process which prevents a simpler queue management
that can just dequeue up front and handle the work item.

Fixed by changing the BINDER_WORK_NODE algorithm in
binder_thread_read to determine which commands to send
to userspace atomically in 1 pass so it stays consistent
with the kernel view.

The work item is now dequeued immediately since only
1 pass is needed.

Change-Id: I9b4109997b2d53ba661867b14d7336cd076be06d
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: add log information for binder transaction failures
Todd Kjos [Thu, 23 Mar 2017 00:19:52 +0000 (17:19 -0700)]
FROMLIST: binder: add log information for binder transaction failures

(from https://patchwork.kernel.org/patch/9817751/)

Add additional information to determine the cause of binder
failures. Adds the following to failed transaction log and
kernel messages:
return_error : value returned for transaction
return_error_param : errno returned by binder allocator
return_error_line : line number where error detected

Also, return BR_DEAD_REPLY if an allocation error indicates
a dead proc (-ESRCH)

Bug: 36406078
Change-Id: Ifc8881fa5adfcced3f2d67f9030fbd3efa3e2cab
Test: tested manually
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: make binder_last_id an atomic
Todd Kjos [Thu, 25 May 2017 17:56:00 +0000 (10:56 -0700)]
FROMLIST: binder: make binder_last_id an atomic

(from https://patchwork.kernel.org/patch/9817809/)

Change-Id: I12a505091d377ca9034861317b7e68c2e75f7256
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: change binder_stats to atomics
Badhri Jagan Sridharan [Thu, 13 Oct 2016 23:36:15 +0000 (16:36 -0700)]
FROMLIST: binder: change binder_stats to atomics

(from https://patchwork.kernel.org/patch/9817755/)

Use atomics for stats to avoid needing to lock for
increments/decrements

Bug: 33250092 32225111
Change-Id: I13e69b7f0485ccf16673e25091455781e1933a98
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: add protection for non-perf cases
Todd Kjos [Mon, 17 Oct 2016 19:33:15 +0000 (12:33 -0700)]
FROMLIST: binder: add protection for non-perf cases

(from https://patchwork.kernel.org/patch/9817749/)

Add binder_dead_nodes_lock, binder_procs_lock, and
binder_context_mgr_node_lock to protect the associated global lists

Bug: 33250092 32225111
Change-Id: I9d1158536783763e0fa93b18e19fba2c488d8cfc
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: remove binder_debug_no_lock mechanism
Todd Kjos [Wed, 24 May 2017 18:53:13 +0000 (11:53 -0700)]
FROMLIST: binder: remove binder_debug_no_lock mechanism

(from https://patchwork.kernel.org/patch/9817811/)

With the global lock, there was a mechanism to acceess
binder driver debugging information with the global
lock disabled to debug deadlocks or other issues.
This mechanism is rarely (if ever) used anymore
and wasn't needed during the development of
fine-grained locking in the binder driver.
Removing it.

Change-Id: Ie1cf45748cefa433607a97c2ef322e7906efe0f7
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: move binder_alloc to separate file
Todd Kjos [Mon, 10 Oct 2016 17:40:53 +0000 (10:40 -0700)]
FROMLIST: binder: move binder_alloc to separate file

(from https://patchwork.kernel.org/patch/9817753/)

Move the binder allocator functionality to its own file

Continuation of splitting the binder allocator from the binder
driver. Split binder_alloc functions from normal binder functions.

Add kernel doc comments to functions declared extern in
binder_alloc.h

Change-Id: I8f1a967375359078b8e63c7b6b88a752c374a64a
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: separate out binder_alloc functions
Todd Kjos [Mon, 10 Oct 2016 17:40:53 +0000 (10:40 -0700)]
FROMLIST: binder: separate out binder_alloc functions

(from https://patchwork.kernel.org/patch/9817753/)

Continuation of splitting the binder allocator from the binder
driver. Separate binder_alloc functions from normal binder
functions. Protect the allocator with a separate mutex.

Bug: 33250092 32225111
Change-Id: I634637415aa03c74145159d84f1749bbe785a8f3
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: remove unneeded cleanup code
Todd Kjos [Fri, 21 Apr 2017 18:18:12 +0000 (11:18 -0700)]
FROMLIST: binder: remove unneeded cleanup code

(from https://patchwork.kernel.org/patch/9817817/)

The buffer's transaction has already been freed before
binder_deferred_release. No need to do it again.

Change-Id: I412709c23879c5e45a6c7304a588bba0a5223fc3
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoFROMLIST: binder: separate binder allocator structure from binder proc
Todd Kjos [Mon, 10 Oct 2016 17:39:59 +0000 (10:39 -0700)]
FROMLIST: binder: separate binder allocator structure from binder proc

(from https://patchwork.kernel.org/patch/9817745/)

The binder allocator is logically separate from the rest
of the binder drivers. Separating the data structures
to prepare for splitting into separate file with separate
locking.

Change-Id: I5ca4df567ac4b8c8d6ee2116ae67c0c1d75c9747
Signed-off-by: Todd Kjos <tkjos@google.com>
5 years agoRevert "android: binder: move global binder state into context struct."
Danny Wood [Tue, 26 Feb 2019 08:19:34 +0000 (08:19 +0000)]
Revert "android: binder: move global binder state into context struct."

This reverts commit 9f28e23f6e38e2cf55704fbbae18f44b04aeb64e.

5 years agoRevert "CHROMIUM: android: binder: Fix potential scheduling-while-atomic"
Danny Wood [Tue, 26 Feb 2019 08:16:10 +0000 (08:16 +0000)]
Revert "CHROMIUM: android: binder: Fix potential scheduling-while-atomic"

This reverts commit 0e13ca5f2efc20fb5edf1985f0fe724f037923f5.

5 years agoRevert "android: binder: use copy_from_user_preempt_disabled"
Danny Wood [Tue, 26 Feb 2019 08:16:00 +0000 (08:16 +0000)]
Revert "android: binder: use copy_from_user_preempt_disabled"

This reverts commit 10cfee25e9e1509d2b34a73435356db05969256a.

5 years agoRevert "android: binder: Disable preemption while holding the global binder lock."
Danny Wood [Tue, 26 Feb 2019 08:15:45 +0000 (08:15 +0000)]
Revert "android: binder: Disable preemption while holding the global binder lock."

This reverts commit 6fd130fe5ba15d200251d27aabab0bf4c94d8f13.

5 years agoRevert "binder: blacklist %p kptr_restrict"
Danny Wood [Tue, 26 Feb 2019 08:10:36 +0000 (08:10 +0000)]
Revert "binder: blacklist %p kptr_restrict"

This reverts commit 1bbb3f5143779897496587ff2895f9ae98a808c1.

5 years agoRevert "binder: NULL pointer reference"
Danny Wood [Tue, 26 Feb 2019 10:09:25 +0000 (10:09 +0000)]
Revert "binder: NULL pointer reference"

This reverts commit 354ac4b46f48765cd0e88ae750e810dec33a7458.

5 years agoRevert "binder: prevent kptr leak by using %pK format specifier"
Danny Wood [Tue, 26 Feb 2019 08:10:28 +0000 (08:10 +0000)]
Revert "binder: prevent kptr leak by using %pK format specifier"

This reverts commit f9ddba81a5ecaf920d61d4d333300ade97614c7d.

5 years agokernel: make READ_ONCE() valid on const arguments
Linus Torvalds [Fri, 20 Feb 2015 23:46:31 +0000 (15:46 -0800)]
kernel: make READ_ONCE() valid on const arguments

[ Upstream commit dd36929720f40f17685e841ae0d4c581c165ea60 ]

The use of READ_ONCE() causes lots of warnings witht he pending paravirt
spinlock fixes, because those ends up having passing a member to a
'const' structure to READ_ONCE().

There should certainly be nothing wrong with using READ_ONCE() with a
const source, but the helper function __read_once_size() would cause
warnings because it would drop the 'const' qualifier, but also because
the destination would be marked 'const' too due to the use of 'typeof'.

Use a union of types in READ_ONCE() to avoid this issue.

Also make sure to use parenthesis around the macro arguments to avoid
possible operator precedence issues.

Tested-by: Ingo Molnar <mingo@kernel.org>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
5 years agokernel: Change ASSIGN_ONCE(val, x) to WRITE_ONCE(x, val)
Christian Borntraeger [Tue, 13 Jan 2015 09:46:42 +0000 (10:46 +0100)]
kernel: Change ASSIGN_ONCE(val, x) to WRITE_ONCE(x, val)

[ Upstream commit 43239cbe79fc369f5d2160bd7f69e28b5c50a58c ]

Feedback has shown that WRITE_ONCE(x, val) is easier to use than
ASSIGN_ONCE(val,x).
There are no in-tree users yet, so lets change it for 3.19.

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Davidlohr Bueso <dave@stgolabs.net>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
5 years agokernel: Provide READ_ONCE and ASSIGN_ONCE
Christian Borntraeger [Tue, 25 Nov 2014 09:01:16 +0000 (10:01 +0100)]
kernel: Provide READ_ONCE and ASSIGN_ONCE

[ Upstream commit 230fa253df6352af12ad0a16128760b5cb3f92df ]

ACCESS_ONCE does not work reliably on non-scalar types. For
example gcc 4.6 and 4.7 might remove the volatile tag for such
accesses during the SRA (scalar replacement of aggregates) step
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145)

Let's provide READ_ONCE/ASSIGN_ONCE that will do all accesses via
scalar types as suggested by Linus Torvalds. Accesses larger than
the machines word size cannot be guaranteed to be atomic. These
macros will use memcpy and emit a build warning.

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
5 years agostaging: android: ashmem: lseek failed due to no FMODE_LSEEK.
zhangshuxiao [Wed, 8 Mar 2017 08:53:24 +0000 (16:53 +0800)]
staging: android: ashmem: lseek failed due to no FMODE_LSEEK.

vfs_llseek will check whether the file mode has
FMODE_LSEEK, no return failure. But ashmem can be
lseek, so add FMODE_LSEEK to ashmem file.

Change-Id: Ia78ef4c7c96adb89d52e70b63f7c00636fe60d01
Signed-off-by: zhangshuxiao <zhangshuxiao@xiaomi.com>
(cherry picked from commit 6c8d409129bbebe36cde9f8e511011756216163a)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
5 years agostaging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free
Greg Hackmann [Tue, 4 Sep 2018 16:33:36 +0000 (09:33 -0700)]
staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free

The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client->lock several
times while operating on one of the client's ion_handles.  This creates
windows where userspace can call ION_IOC_FREE on the same client with
the same handle, and effectively make the kernel drop its own reference.
For example:

- thread A: ION_IOC_ALLOC creates an ion_handle with refcount 1
- thread A: starts ION_IOC_MAP and increments the refcount to 2
- thread B: ION_IOC_FREE decrements the refcount to 1
- thread B: ION_IOC_FREE decrements the refcount to 0 and frees the
            handle
- thread A: continues ION_IOC_MAP with a dangling ion_handle * to
            freed memory

Fix this by holding client->lock for the duration of
ION_IOC_{MAP,SHARE}, preventing the concurrent ION_IOC_FREE.  Also
remove ion_handle_get_by_id(), since there's literally no way to use it
safely.

This patch is applied on top of 4.4.y, and applies to older kernels
too.  4.9.y was fixed separately.  Kernels 4.12 and later are
unaffected, since all the underlying ion_handle infrastructure has been
ripped out.

Cc: stable@vger.kernel.org # v4.4-
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Acked-by: Laura Abbott <labbott@redhat.com>
5 years agostaging: ion: fix corruption of ion_import_dma_buf
Shawn Lin [Wed, 9 Sep 2015 07:41:52 +0000 (15:41 +0800)]
staging: ion: fix corruption of ion_import_dma_buf

we found this issue but still exit in lastest kernel. Simply
keep ion_handle_create under mutex_lock to avoid this race.

WARNING: CPU: 2 PID: 2648 at drivers/staging/android/ion/ion.c:512 ion_handle_add+0xb4/0xc0()
ion_handle_add: buffer already found.
Modules linked in: iwlmvm iwlwifi mac80211 cfg80211 compat
CPU: 2 PID: 2648 Comm: TimedEventQueue Tainted: G        W    3.14.0 #7
 00000000 00000000 9a3efd2c 80faf273 9a3efd6c 9a3efd5c 80935dc9 811d7fd3
 9a3efd88 00000a58 812208a0 00000200 80e128d4 80e128d4 8d4ae00c a8cd8600
 a8cd8094 9a3efd74 80935e0e 00000009 9a3efd6c 811d7fd3 9a3efd88 9a3efd9c
Call Trace:
  [<80faf273>] dump_stack+0x48/0x69
  [<80935dc9>] warn_slowpath_common+0x79/0x90
  [<80e128d4>] ? ion_handle_add+0xb4/0xc0
  [<80e128d4>] ? ion_handle_add+0xb4/0xc0
  [<80935e0e>] warn_slowpath_fmt+0x2e/0x30
  [<80e128d4>] ion_handle_add+0xb4/0xc0
  [<80e144cc>] ion_import_dma_buf+0x8c/0x110
  [<80c517c4>] reg_init+0x364/0x7d0
  [<80993363>] ? futex_wait+0x123/0x210
  [<80992e0e>] ? get_futex_key+0x16e/0x1e0
  [<8099308f>] ? futex_wake+0x5f/0x120
  [<80c51e19>] vpu_service_ioctl+0x1e9/0x500
  [<80994aec>] ? do_futex+0xec/0x8e0
  [<80971080>] ? prepare_to_wait_event+0xc0/0xc0
  [<80c51c30>] ? reg_init+0x7d0/0x7d0
  [<80a22562>] do_vfs_ioctl+0x2d2/0x4c0
  [<80b198ad>] ? inode_has_perm.isra.41+0x2d/0x40
  [<80b199cf>] ? file_has_perm+0x7f/0x90
  [<80b1a5f7>] ? selinux_file_ioctl+0x47/0xf0
  [<80a227a8>] SyS_ioctl+0x58/0x80
  [<80fb45e8>] syscall_call+0x7/0x7
  [<80fb0000>] ? mmc_do_calc_max_discard+0xab/0xe4

Fixes: 83271f626 ("ion: hold reference to handle...")
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Reviewed-by: Laura Abbott <labbott@redhat.com>
Cc: stable <stable@vger.kernel.org> # 3.14+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 6fa92e2bcf6390e64895b12761e851c452d87bd8)

5 years agostaging: ion: fixup invalid kfree() calls on heap destroy
Heesub Shin [Fri, 20 Jun 2014 02:46:14 +0000 (11:46 +0900)]
staging: ion: fixup invalid kfree() calls on heap destroy

I've noticed that the last commit to ion_system_heap.c ('staging: ion:
optimize struct ion_system_heap') has an omission, so an invalid kfree()
gets called on ion_system_heap_destroy(). As ION system heap is never
destroyed until system shutdown, it may not cause any harm, but should
be fixed. I should have caught this before the merge, my bad.

Signed-off-by: Heesub Shin <heesub.shin@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agostaging: android: ion: ion_chunk_heap.c: Fix checkpatch warning
Tair Rzayev [Sat, 31 May 2014 19:47:42 +0000 (22:47 +0300)]
staging: android: ion: ion_chunk_heap.c: Fix checkpatch warning

Fix the over 80 character line

Signed-off-by: Tair Rzayev <tair.rzayev@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agostaging: ion: optimize struct ion_system_heap
Heesub Shin [Fri, 30 May 2014 01:26:30 +0000 (10:26 +0900)]
staging: ion: optimize struct ion_system_heap

struct ion_system_heap has an array for storing pointers to page pools
and it is allocated separately from the containing structure. There is
no point in allocating those two small objects individually, bothering
slab allocator. Using a variable length array simplifies code lines and
reduces overhead to the slab.

Signed-off-by: Heesub Shin <heesub.shin@samsung.com>
Reviewed-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Tested-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoUPSTREAM staging: ion: Fix error handling in ion_buffer_create
Rohit kumar [Wed, 30 Sep 2015 05:37:35 +0000 (11:07 +0530)]
UPSTREAM staging: ion: Fix error handling in ion_buffer_create

This patch fixes error handling case when buffer->pages allocation
fails. Also, it removes unreachable code of checking ret variable
although it is not updated.

Signed-off-by: Rohit kumar <rohit.kr@samsung.com>
Reviewed-by: Laura Abbott <labbott@redhat.com>
Suggested-by: Pintu Kumar <pintu.k@samsung.com>
Reviewed-by: Pintu Kumar <pintu.k@samsung.com>
Reviewed-by: Gioh Kim <gioh.kim@lge.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit a56d092aa94ebcc9452ddaa47423b9a478aa6aa5)
Change-Id: Ic38b8e3ef0a21de4e38e58b4bb942535fe671ae5
Bug: 34283718

5 years agoUSB: gadget: mtp: Add module parameters for Tx transfer length
Vijayavardhan Vennapusa [Mon, 20 May 2013 10:36:01 +0000 (16:06 +0530)]
USB: gadget: mtp: Add module parameters for Tx transfer length

The Tx request transfer length is 16K bytes by default. The test
results indicate that larger transfers improve read speeds. Add
provision for specifying Tx transfer length at runtime.

echo -n 1048576 > /sys/module/g_android/parameters/mtp_tx_req_len

The above command can be used to set Tx transfer length to 1MB. If
the memory allocation is failed, fallback to the default length.

Also add provision for specifying no. of Tx requests at runtime.

echo 8 > /sys/module/g_android/parameters/mtp_tx_reqs

CRs-Fixed: 486455
Change-Id: I675fc3303be2aba081d2ab59a9efb94aa478f849
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
5 years agoUSB: gadget: Add module parameter for Rx transfer length
Pavankumar Kondeti [Tue, 19 Feb 2019 11:37:06 +0000 (11:37 +0000)]
USB: gadget: Add module parameter for Rx transfer length

The Rx request transfer length is 16K bytes by default.  The test
results indicate that larger transfers improve write speeds.  Add
provision for specifying Rx transfer length at runtime.

echo -n 1048576 > /sys/module/g_android/parameters/mtp_rx_req_len

The above command can be used to set Rx transfer length to 1MB.  If
the memory allocation is failed, fallback to the default length.

CRs-Fixed: 429212
Change-Id: I7bed5aeefabf1a50c08a9a8e5b876e0cf59515fd
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
5 years agousb: gadget: mtp: Switch to 16k buffers to reduce possible allocation failures
Danny Wood [Tue, 19 Feb 2019 10:42:55 +0000 (10:42 +0000)]
usb: gadget: mtp: Switch to 16k buffers to reduce possible  allocation failures

5 years agousb: gadget: f_hid: fix: Prevent accessing released memory
Krzysztof Opasiak [Thu, 19 Jan 2017 17:55:28 +0000 (18:55 +0100)]
usb: gadget: f_hid: fix: Prevent accessing released memory

commit aa65d11aa008f4de58a9cee7e121666d9d68505e upstream.

When we unlock our spinlock to copy data to user we may get
disabled by USB host and free the whole list of completed out
requests including the one from which we are copying the data
to user memory.

To prevent from this let's remove our working element from
the list and place it back only if there is sth left when we
finish with it.

Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
Cc: stable@vger.kernel.org
Tested-by: David Lechner <david@lechnology.com>
Bug: 74447444
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Jerry Zhang <zhangjerry@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ia5d3da0952d87cd82a9e476e90a7cd3633536d94

5 years agousb: gadget: f_fs: Guard epfile->error
Jerry Zhang [Sat, 15 Apr 2017 00:29:35 +0000 (17:29 -0700)]
usb: gadget: f_fs: Guard epfile->error

epfile->error is a QC extension. It needs to be guarded
from being null to work safely with the no_disconnect patch.

Bug: 37423404
Change-Id: I3142a03ef3296b928aa36c54a5397afbe30798b7
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
5 years agousb: gadget: f_accessory: Fix for UsbAccessory clean unbind.
Anson Jacob [Sat, 13 Aug 2016 00:38:10 +0000 (20:38 -0400)]
usb: gadget: f_accessory: Fix for UsbAccessory clean unbind.

Reapplying fix by Darren Whobrey (Change 69674)

Fixes issues: 20545, 59667 and 61390.
With prior version of f_accessory.c, UsbAccessories would not
unbind cleanly when application is closed or i/o stopped
while the usb cable is still connected. The accessory gadget
driver would be left in an invalid state which was not reset
on subsequent binding or opening. A reboot was necessary to clear.

In some phones this issues causes the phone to reboot upon
unplugging the USB cable.

Main problem was that acc_disconnect was being called on I/O error
which reset disconnected and online.

Minor fix required to properly track setting and unsetting of
disconnected and online flags. Also added urb Q wakeup's on unbind
to help unblock waiting threads.

Tested on Nexus 7 grouper. Expected behaviour now observed:
closing accessory causes blocked i/o to interrupt with IOException.
Accessory can be restarted following closing of file handle
and re-opening.

This is a generic fix that applies to all devices.

Change-Id: I4e08b326730dd3a2820c863124cee10f7cb5501e
Signed-off-by: Darren Whobrey <d.whobrey@mildai.org>
Signed-off-by: Anson Jacob <ansonjacob.aj@gmail.com>
5 years agousb: gadget: mass_storage: added sysfs entry for cdrom to LUNs
FrozenCow [Thu, 4 Jul 2013 10:36:57 +0000 (12:36 +0200)]
usb: gadget: mass_storage: added sysfs entry for cdrom to LUNs

This patch adds a "cdrom" sysfs entry for each mass_storage LUN, just
like "ro" sysfs entry. This allows switching between USB and CD-ROM
emulation without reinserting the module or recompiling the kernel.

Change-Id: Idf83c74815b1ad370428ab9d3e5503d5f7bcd3b6

5 years agousb: gadget: fix NULL ptr derefer while symlinking PTP func
Amit Pundir [Sat, 1 Aug 2015 04:34:41 +0000 (10:04 +0530)]
usb: gadget: fix NULL ptr derefer while symlinking PTP func

Fix NULL pointer dereference while trying to link PTP
function to a gadget configuration without creating
MTP function.

PTP piggyback on MTP function so make sure we have
MTP function created beforehand. Otherwise we run
into following kernel panic:
-----------------------
[   37.265726] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[   37.266518] pgd = ddb58000
[   37.266830] [00000000] *pgd=00000000
[   37.267759] Internal error: Oops: 805 [#1] SMP THUMB2
[   37.268473] CPU: 0 PID: 1974 Comm: ln Not tainted 3.14.0-00645-gf06587c #1
[   37.269084] task: dc494b80 ti: dc4b6000 task.ti: dc4b6000
[   37.269908] PC is at function_alloc_mtp_ptp+0xe/0x68
[   37.270348] LR is at usb_get_function+0x11/0x1c
<..snip..>
[   37.362593] ---[ end trace b51362b88516de68 ]---
[   37.363431] Kernel panic - not syncing: Fatal exception
-----------------------

Steps to reproduce the kernel panic:

mount -t configfs none /config
mkdir /config/usb_gadget/g1
cd /config/usb_gadget/g1
echo 0x18d1 > idVendor
echo 0x4e26 > idProduct
mkdir strings/0x409
echo 0123459876 > strings/0x409/serialnumber
echo Asus > strings/0x409/manufacturer
echo Nexus7 > strings/0x409/product
mkdir configs/c.1
mkdir configs/c.1/strings/0x409
echo "Conf 1" > configs/c.1/strings/0x409/configuration
echo 120 > configs/c.1/MaxPower
mkdir functions/ptp.ptp
ln -s functions/ptp.ptp configs/c.1/ptp.ptp

Also MTP and PTP are mutually exclusive functions
so make sure we have only one of it linked to a
configuration at a time. Otherwise it opens up
another set of bug(s?).

Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
5 years agoUPSTREAM: usb: gadget: f_fs: add "no_disconnect" mode
Robert Baldyga [Fri, 7 Apr 2017 18:01:11 +0000 (11:01 -0700)]
UPSTREAM: usb: gadget: f_fs: add "no_disconnect" mode

Since we can compose gadgets from many functions, there is the problem
related to gadget breakage while FunctionFS daemon being closed. FFS
function is userspace code so there is no way to know when it will close
files (it doesn't matter what is the reason of this situation, it can
be daemon logic, program breakage, process kill or any other). So when
we have another function in gadget which, for example, sends some amount
of data, does some software update or implements some real-time functionality,
we may want to keep the gadget connected despite FFS function is no longer
functional.

We can't just remove one of functions from gadget since it has been
enumerated, so the only way to keep entire gadget working is to make
broken FFS function deactivated but still visible to host. For this
purpose this patch introduces "no_disconnect" mode. It can be enabled
by setting mount option "no_disconnect=1", and results with defering
function disconnect to the moment of reopen ep0 file or filesystem
unmount. After closing all endpoint files, FunctionFS is set to state
FFS_DEACTIVATED.

When ffs->state == FFS_DEACTIVATED:
- function is still bound and visible to host,
- setup requests are automatically stalled,
- transfers on other endpoints are refused,
- epfiles, except ep0, are deleted from the filesystem,
- opening ep0 causes the function to be closed, and then FunctionFS
  is ready for descriptors and string write,
- altsetting change causes the function to be closed - we want to keep
  function alive until another functions are potentialy used, altsetting
  change means that another configuration is being selected or USB cable
  was unplugged, which indicates that we don't need to stay longer in
  FFS_DEACTIVATED state
- unmounting of the FunctionFS instance causes the function to be closed.

Tested-by: David Cohen <david.a.cohen@linux.intel.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Robert Baldyga <r.baldyga@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Bug: 36801389
Bug: 34873000
Change-Id: I950dc11f21048c34af640cb3ab81873d2a6730a9
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
5 years agousb: gadget: f_fs: Add flags to descriptors block
Michal Nazarewicz [Fri, 28 Feb 2014 11:20:23 +0000 (16:50 +0530)]
usb: gadget: f_fs: Add flags to descriptors block

This reworks the way SuperSpeed descriptors are added and instead of
having a magic after full and high speed descriptors, it reworks the
whole descriptors block to include a flags field which lists which
descriptors are present and makes future extensions possible.

Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Change-Id: Ic4dd1b5caeae2aeedb3eeed96e2f11d751a837da
Git-commit: ac8dde11f2b397fe2282f585d5eb427a13675ea2
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[jackp@codeaurora.org: fixed up conflicts when applying to msm-3.10]
Signed-off-by: Jack Pham <jackp@codeaurora.org>
5 years agoUSB: f_fs: Add memory barrier before atomic operations
Mayank Rana [Wed, 25 Feb 2015 06:10:12 +0000 (22:10 -0800)]
USB: f_fs: Add memory barrier before atomic operations

In few instances, it is observed that multiple adbd instances are
running on device causing condition BUG_ON(ffs->gadget) to be true.
ffs->opened and ffs->ref atomic variables are used here to make
decision for checking ffs->gadget. These atomic variable operations
requires expilict memory barrier to make sure that update to
ffs->gadget is visible to other CPUs before updated atomic variable
based value is seen.

CRs-Fixed: 793733
Change-Id: I3c846eb6bbb53663892e05d51ebac8439aac957a
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
5 years agousb: gadget: f_fs: Allow only one adb daemon perform device open
Saket Saurabh [Tue, 30 Sep 2014 11:35:10 +0000 (17:05 +0530)]
usb: gadget: f_fs: Allow only one adb daemon perform device open

As part of ffs_ep0_open(), atomic variable ffs.opened is set and as part
of ffs_ep0_release() it is cleared. Also as part of release operation, in
ffs_data_clear() ffs->gadget is set to NULL.
If two adb daemons are running in parallel, then BUG ON is observed as part
of release operation as ffs->gadget is not set to NULL.

To fix the issue add check for ffs->opened to allow only one adb daemon
perform device open. This ensures open and release operation are performed
in serialized way and avoids any race.
Also add debug print for dumping the ffs gadget.

CRs-Fixed: 730155
Change-Id: Ifccdfa6068f506bb7dfdc9945b60591da530df8f
Signed-off-by: Saket Saurabh <ssaurabh@codeaurora.org>
5 years agoarch: Mass conversion of smp_mb__*()
Peter Zijlstra [Mon, 17 Mar 2014 17:06:10 +0000 (18:06 +0100)]
arch: Mass conversion of smp_mb__*()

Mostly scripted conversion of the smp_mb__* barriers.

Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Link: http://lkml.kernel.org/n/tip-55dhyhocezdw1dg7u19hmh1u@git.kernel.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-arch@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-commit: 4e857c58efeb99393cba5a5d0d8ec7117183137c
[joonwoop@codeaurora.org: fixed trivial merge conflict.]
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
5 years agoarch,arm64: Convert smp_mb__*()
Peter Zijlstra [Thu, 13 Mar 2014 18:00:37 +0000 (19:00 +0100)]
arch,arm64: Convert smp_mb__*()

AARGH64 uses ll/sc primitives that do not imply any barriers for the
normal atomics, therefore smp_mb__{before,after} should be a full
barrier.

Since AARGH64 doesn't use asm-generic/barrier.h, add the required
definitions to its asm/barrier.h.

Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Link: http://lkml.kernel.org/n/tip-8p5iclqgy78al33kck3ht7nr@git.kernel.org
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Chen Gang <gang.chen@asianux.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Russell King <rmk+kernel@arm.linux.org.uk>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
5 years agoarch: Prepare for smp_mb__{before,after}_atomic()
Peter Zijlstra [Thu, 6 Feb 2014 17:16:07 +0000 (18:16 +0100)]
arch: Prepare for smp_mb__{before,after}_atomic()

Since the smp_mb__{before,after}*() ops are fundamentally dependent on
how an arch can implement atomics it doesn't make sense to have 3
variants of them. They must all be the same.

Furthermore, the 3 variants suggest they're only valid for those 3
atomic ops, while we have many more where they could be applied.

So move away from
smp_mb__{before,after}_{atomic,clear}_{dec,inc,bit}() and reduce the
interface to just the two: smp_mb__{before,after}_atomic().

This patch prepares the way by introducing default implementations in
asm-generic/barrier.h that default to a full barrier and providing
__deprecated inlines for the previous 6 barriers if they're not
provided by the arch.

This should allow for a mostly painless transition (lots of deprecated
warns in the interim).

Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Link: http://lkml.kernel.org/n/tip-wr59327qdyi9mbzn6x937s4e@git.kernel.org
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: "Chen, Gong" <gong.chen@linux.intel.com>
Cc: John Sullivan <jsrhbz@kanargh.force9.co.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mauro Carvalho Chehab <m.chehab@samsung.com>
Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Cc: "Theodore Ts'o" <tytso@mit.edu>
Cc: linux-arch@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-commit: febdbfe8a91ce0d11939d4940b592eb0dba8d663
[joonwoop@codeaurora.org: fixed trivial merge conflict.]
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
5 years agousb/gadget: fix NULL pointer issue in mtp_read()
Jiebing Li [Fri, 19 Dec 2014 08:50:09 +0000 (16:50 +0800)]
usb/gadget: fix NULL pointer issue in mtp_read()

pointer dev->ep_out->desc is set to NULL if MTP function
is disabled during read operation. So we need to do pointer check
before access it and add spin lock protection in case it's modified
at another place in future.

Change-Id: If2756ad38a1c93b3b36d800358f16e164f69ad4c
Tracked-On: https://jira01.devtools.intel.com/browse/IMINAN-14123
Signed-off-by: Jiebing Li <jiebing.li@intel.com>
5 years agousb/gadget: fix MTP enumeration issue under super speed mode
Jiebing Li [Wed, 3 Dec 2014 04:29:12 +0000 (12:29 +0800)]
usb/gadget: fix MTP enumeration issue under super speed mode

MTP function doesn't show as a drive in Windows when the device
is connected to PC's USB3 port, because device fails to respond
ACK to BULK OUT transfer request.

This patch modifies MTP OUT request length as multiple of MaxPacketSize
per databook requirement in order to fix this issue.

Change-Id: I7eedfc5a127b0104e49dcc97bc939a5e8137c223
Signed-off-by: Jiebing Li <jiebing.li@intel.com>
5 years agousb: dwc3: gadget: Iterate only over valid endpoints
Jack Pham [Wed, 26 Mar 2014 17:31:44 +0000 (10:31 -0700)]
usb: dwc3: gadget: Iterate only over valid endpoints

Make dwc3_gadget_resize_tx_fifos() iterate only over IN
endpoints that are actually present, based on the
num_in_eps parameter. This terminates the loop so as to
prevent dereferencing a potential NULL dwc->eps[i] where
i >= (num_in_eps + num_out_eps).

Signed-off-by: Jack Pham <jackp@codeaurora.org>
Signed-off-by: Felipe Balbi <balbi@ti.com>
5 years agousb: dwc3: set gadget's quirk ep_out_align_size
David Cohen [Mon, 9 Dec 2013 23:55:38 +0000 (15:55 -0800)]
usb: dwc3: set gadget's quirk ep_out_align_size

DWC3 requires epout to have buffer size aligned to MaxPacketSize value.
This patch sets necessary quirk for it.

Signed-off-by: David Cohen <david.a.cohen@linux.intel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
5 years agousb: gadget: add quirk_ep_out_aligned_size field to struct usb_gadget
David Cohen [Mon, 9 Dec 2013 23:55:35 +0000 (15:55 -0800)]
usb: gadget: add quirk_ep_out_aligned_size field to struct usb_gadget

Due to USB controllers may have different restrictions, usb gadget layer
needs to provide a generic way to inform gadget functions to complain
with non-standard requirements.

This patch adds 'quirk_ep_out_aligned_size' field to struct usb_gadget
to inform when controller's epout requires buffer size to be aligned to
MaxPacketSize. A helper is also provided to align buffer size when
necessary.

Cc: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: David Cohen <david.a.cohen@linux.intel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
5 years agoLinux 3.10.108
Willy Tarreau [Sat, 4 Nov 2017 22:34:48 +0000 (23:34 +0100)]
Linux 3.10.108

5 years agox86/apic: fix build breakage caused by incomplete backport to 3.10
Willy Tarreau [Thu, 2 Nov 2017 22:22:31 +0000 (23:22 +0100)]
x86/apic: fix build breakage caused by incomplete backport to 3.10

Commit 928a277 ("x86/apic: Do not init irq remapping if ioapic is
disabled") introduced in 3.10.105 introduced an implicit dependency of
CONFIG_X86_LOCAL_APIC to CONFIG_X86_IO_APIC which was later solved as
part of simplifications on the config dependencies in more recent kernels.
This dependency results in build failure when CONFIG_X86_LOCAL_APIC is
set without CONFIG_X86_IO_APIC (this setup requires CONFIG_SMP=n). The
reason is that skip_ioapic_setup is declared in apic.c and that the
backported code was picked from a context where the #ifdef surrounding
the function used to cover this condition.

Let's just add the appropriate #ifdef to fix the 3.10 backport.

Thanks to Christoph Biedl for reporting and diagnosing this one.

Reported-by: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
Cc: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
Cc: Jan Beulich <JBeulich@suse.com>
Cc: Wanpeng Li <wanpeng.li@hotmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
5 years agocan: esd_usb2: Fix can_dlc value for received RTR, frames
Stefan Mätje [Wed, 18 Oct 2017 11:25:17 +0000 (13:25 +0200)]
can: esd_usb2: Fix can_dlc value for received RTR, frames

commit 72d92e865d1560723e1957ee3f393688c49ca5bf upstream.

The dlc member of the struct rx_msg contains also the ESD_RTR flag to
mark received RTR frames. Without the fix the can_dlc value for received
RTR frames would always be set to 8 by get_can_dlc() instead of the
received value.

Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
Signed-off-by: Stefan Mätje <stefan.maetje@esd.eu>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>