platform/kernel/linux-amlogic.git
3 years agousb: gadget: f_fs: Fix use-after-free for unbind with remaining io 56/251756/1
Seung-Woo Kim [Tue, 19 Jan 2021 05:47:25 +0000 (14:47 +0900)]
usb: gadget: f_fs: Fix use-after-free for unbind with remaining io

If usb has stall, then there can be remaining submitted io and
unbinding f_fs with the remaining io, there is use-after-free.
Fix the use-after-free by checking endpoint after wait.

This fixes following kasan warning:
   BUG: KASAN: use-after-free in ffs_epfile_io+0x654/0xb58
   Read of size 4 at addr ffffffc0a44e65dc by task mtp-responder/5117
   ...
   [<ffffff900a037794>] ffs_epfile_io+0x654/0xb58
   [<ffffff900a03818c>] ffs_epfile_read_iter+0x1ac/0x3e0
   ...

   Allocated by task 3869:
   ...
    __kmalloc+0x234/0x760
    _ffs_func_bind+0x264/0x7c8
    ffs_func_bind+0xe8/0x650
    usb_add_function+0x13c/0x378
   ...
   Freed by task 3869:
   ...
    kfree+0xa4/0x750
    ffs_func_unbind+0x150/0x248
    purge_configs_funcs+0x1a0/0x310
   ...

Change-Id: I2bb9b07d93b1ac42432caaa2c2176d987b36b140
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoamlogic: drm/meson: Fix to use address type for 64bit 58/251658/1
Seung-Woo Kim [Mon, 18 Jan 2021 07:16:24 +0000 (16:16 +0900)]
amlogic: drm/meson: Fix to use address type for 64bit

In arm64, physical address type is accessed as 64bit, but
there is 32bit variable for it, so there is out-of-bounds
access. Fix to use address type for 64bit.

This fixes following kasan wanring:
   BUG: KASAN: stack-out-of-bounds in ion_phys+0xb4/0x180
   Write of size 8 at addr ffffffc0a152f700 by task enlightenment/4189
   ...
   [<ffffff900a3ddaec>] ion_phys+0xb4/0x180
   [<ffffff900a76cc4c>] am_meson_gem_object_get_phyaddr+0x114/0x148
   [<ffffff900a774808>] meson_plane_atomic_check+0x570/0xea8
   ...

Change-Id: I185601b2dd8f0bb9c700f87c2baaa9f6ebb183d8
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoamlogic: drm/meson: Fix plane state out-of-bounds access 60/251560/1
Seung-Woo Kim [Fri, 15 Jan 2021 04:41:36 +0000 (13:41 +0900)]
amlogic: drm/meson: Fix plane state out-of-bounds access

For drm_plane_funcs callbacks, it was fixed to use meson specific
functions except reset callback. Not like other meson specific
callbacks, reset callback allocates drm_plane_state, so accessing
meson_plane_state from drm_plane state in other callbacks causes
out-of-bounds access. Fix plane state out-of-bounds access by using
meson specific reset callback using meson_plane_state based on
drm_atomic_helper_plane_reset().

This removes below kasan warning:
   BUG: KASAN: slab-out-of-bounds in kmemdup+0x4c/0xb0
   Read of size 128 at addr ffffffc005a710c0 by task enlightenment/4376
   ...
   [<ffffff90093959ec>] kmemdup+0x4c/0xb0
   [<ffffff900a7714e8>] meson_plane_duplicate_state+0x40/0x90
   [<ffffff9009d406d4>] drm_atomic_get_plane_state+0xc4/0x230
   [<ffffff9009cf6284>] __drm_atomic_helper_set_config+0xdc/0x788
   [<ffffff9009cf6a0c>] drm_atomic_helper_set_config+0xdc/0x178
   [<ffffff900a775df8>] meson_crtc_set_mode+0x40/0x68
   [<ffffff9009d22d54>] drm_mode_set_config_internal+0xf4/0x348
   [<ffffff9009d249ec>] drm_mode_setcrtc+0x1d4/0x910
   ...

   Allocated by task 1:
   ...
    kmem_cache_alloc_trace+0x20c/0x6c8
    drm_atomic_helper_plane_reset+0x6c/0xc8
    drm_mode_config_reset+0x7c/0x310
    am_meson_drm_bind+0x1fc/0x2f8
    try_to_bring_up_master.part.1+0x70/0x128
    component_master_add_with_match+0x1b8/0x230
    am_meson_drv_probe+0x3c8/0x410
   ...

Change-Id: Ie7bfd41d797a0782cffa45801629981c25b01561
Fixes commit 1f1efcfdd85d ("drm: add multi-layer support [1/1]")
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoStaging: android: ion: fix to set cached element of pool always 75/251375/1
Seung-Woo Kim [Wed, 13 Jan 2021 07:52:58 +0000 (16:52 +0900)]
Staging: android: ion: fix to set cached element of pool always

The allocated memory with kmalloc() can have invalid value. To
avoid using the invalid value, always set cached element.

This removes below UBSAN warning:
   UBSAN: Undefined behaviour in drivers/staging/android/ion/ion_page_pool.c:33:11
   load of value 152 is not a valid value for type '_Bool'
   ...
   [<ffffff9009b89e48>] __ubsan_handle_load_invalid_value+0x80/0x90
   [<ffffff900a2c4044>] ion_page_pool_alloc+0x154/0x180
   [<ffffff900a2c5b60>] ion_system_heap_allocate+0x2b8/0xa68
   [<ffffff900a2c0688>] ion_alloc+0x238/0x9c8
   ...

Change-Id: I86e0ee70404bb074dad3b73dccec31ebcf2c7c72
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoclk: amlogic: g12a: fix divide by zero for default pll register 68/251368/1
Seung-Woo Kim [Wed, 13 Jan 2021 05:50:51 +0000 (14:50 +0900)]
clk: amlogic: g12a: fix divide by zero for default pll register

On reset register value 0x20000000 for some plls of g12, there are
divide by zero operations warned by UBSAN. For the case, calculate
pll rate as zero.

This removes below UBSAN warnings:
   UBSAN: Undefined behaviour in drivers/amlogic/clk/g12a/g12a_clk-pll.c:155:74
   ...
   UBSAN: Undefined behaviour in drivers/amlogic/clk/g12a/g12a_clk-pll.c:140:74
   ...
   UBSAN: Undefined behaviour in drivers/amlogic/clk/g12a/g12a_clk-pll.c:145:25
   division by zero
   ...
   [<ffffff9009b8de04>] __ubsan_handle_divrem_overflow+0x8c/0xc8
   [<ffffff900a37f140>] meson_g12a_pll_recalc_rate+0x8d0/0x930
   [<ffffff9009c4909c>] clk_register+0x724/0xe10
   [<ffffff900bab2fec>] g12a_clkc_init+0x640/0x7fc
   ...

Change-Id: I4f0c771502e2ae0291a9eaffbea7a03e617009af
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agonet: rtl88xx: fix to check null adapter 05/251305/1
Seung-Woo Kim [Tue, 12 Jan 2021 09:19:36 +0000 (18:19 +0900)]
net: rtl88xx: fix to check null adapter

UBSAN warns about null pointer accessin rtl88xx. Fix to check
null pointer for adapter to remove below warning:

   UBSAN: Undefined behaviour in drivers/net/wireless/rtl8812au/os_dep/osdep_service.c:1187:2
   member access within null pointer of type 'struct _adapter'
   [...]
   [<ffffff9009b8d8b0>] __ubsan_handle_type_mismatch+0x28/0x30
   [<ffffff900330d2e4>] rtw_init_timer+0xbc/0xf0 [88XXau]
   [<ffffff90033150c8>] devobj_init+0x90/0x100 [88XXau]
   [<ffffff900331932c>] rtw_usb_primary_adapter_init+0x64c/0x1558 [88XXau]
   [<ffffff9009f77a1c>] usb_probe_interface+0x16c/0x4c8
   [...]

Change-Id: I258df3b790d7b1be49a89706dca46a895c4461b8
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agomm: fix wrong kasan report [1/1] 04/251304/1
Tao Zeng [Wed, 28 Aug 2019 07:25:40 +0000 (15:25 +0800)]
mm: fix wrong kasan report [1/1]

PD#SWPL-13281

Problem:
There are 2 types of wrong kasan report after merge change of
save wasted slab.
1, slab-out-of-bounds, which is caused by krealloc set shadow
   memory out-of-range, since tail of page was freed.
2, use-after-free, which is caused by kasan_free_pages called
   after a page freed. Because this function already called in
   free_page, so it marked shadow memory twice.

Solution:
1, make shadow do not out of range if a tail page was freed and
   been realloc again.
2, remove call of kasan_free_pages.

Verify:
X301

Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
[sw0312.kim: fully apply amlogic vendor commit becb83999e19 missed from merge]
Ref: https://github.com/hardkernel/linux/commit/becb83999e19d2055458f08a2b7a44bd1170853e
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I71daa41038e156a9bacf26e27fc51792d558f819

3 years agoNPU: Update DDK Version to 6.4.3CB 77/251277/2 accepted/tizen/unified/20210113.121038 submit/tizen/20210112.094137
Hoegeun Kwon [Mon, 11 Jan 2021 08:16:13 +0000 (17:16 +0900)]
NPU: Update DDK Version to 6.4.3CB

This DDK v6.4.3 from vendor kernel tree for support npu.

  commit: f5d5919889be (tag: khadas-vims-v0.9.7-release) Update DDK Version to 6.4.3CB
  url: https://github.com/khadas/linux/commit/f5d5919889becec2c0988bc6a6aa839012982e8a

Change-Id: I4ec74460ccb90a87158abe47c1b08cdeeed5dcdf
Signed-off-by: yan <yan-wyb@foxmail.com>
Signed-off-by: Hoegeun Kwon <hoegeun.kwon@samsung.com>
3 years agopackaging: Remove define debug_package 89/251189/1 accepted/tizen/unified/20210111.125424 submit/tizen/20210111.064900
Hoegeun Kwon [Mon, 11 Jan 2021 06:15:55 +0000 (15:15 +0900)]
packaging: Remove define debug_package

Delete the debug package nil. A problem occurs when the cmake version
is upgraded.

Change-Id: I65190223d728492ad83f0cebfa7cb6b926d9c5bf
Signed-off-by: Hoegeun Kwon <hoegeun.kwon@samsung.com>
3 years agoamlogic: reboot: add fota as reboot paremeter 52/251052/1 accepted/tizen/unified/20210108.125918 submit/tizen/20210107.224559
Jaehoon Chung [Thu, 7 Jan 2021 07:39:11 +0000 (16:39 +0900)]
amlogic: reboot: add fota as reboot paremeter

Add fota as reboot parameter.
To use it, defined MESON_FOTA_REBOOT as 3.

Change-Id: I06e725cf47e6d0de0add7336266679203dcf6a41
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
3 years agoscript: fix wrong exit location 45/251045/1
Jaehoon Chung [Thu, 7 Jan 2021 06:30:45 +0000 (15:30 +0900)]
script: fix wrong exit location

Fix wrong exit location.
When using same config with previous config, it doesn't build and
immediately exit.

Change-Id: Idbc58c24fc7bd20863aee2e6d75d2e296a1d26cd
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
3 years agonet: wireless: bcmdhd: remove unnecessary message 45/250445/1
Jaehoon Chung [Mon, 28 Dec 2020 00:10:00 +0000 (09:10 +0900)]
net: wireless: bcmdhd: remove unnecessary message

Remove unnecessary message when run "make clean".
- bcm SDIO driver configured

Change-Id: Ie0a48857c709a00f2aa73b425ad8f434fddf959e
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
3 years agoarm64: configs: tizen_*: Disable RAID6_PQ_BENCHMARK 21/250221/1
Seung-Woo Kim [Tue, 22 Dec 2020 07:27:46 +0000 (16:27 +0900)]
arm64: configs: tizen_*: Disable RAID6_PQ_BENCHMARK

Skip the algorithm benchmarking process of RAID6. This is helpful for
systems where fast kernel startup is important. Also, The option is not
crucial for the amlogic boards.

Change-Id: Ib83637d619ed779058403f24fc87ab0880f7d623
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agolib/raid6: add option to skip algo benchmarking 20/250220/1
Daniel Verkamp [Mon, 12 Nov 2018 23:26:52 +0000 (15:26 -0800)]
lib/raid6: add option to skip algo benchmarking

This is helpful for systems where fast startup time is important.
It is especially nice to avoid benchmarking RAID functions that are
never used (for example, BTRFS selects RAID6_PQ even if the parity RAID
mode is not in use).

This saves 250+ milliseconds of boot time on modern x86 and ARM systems
with a dozen or more available implementations.

The new option is defaulted to 'y' to match the previous behavior of
always benchmarking on init.

Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Signed-off-by: Shaohua Li <shli@fb.com>
[sw0312.kim: cherry-pick mainline commit be85f93ae2df to skip unnecessary raid6 benchmark during booting]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I70256f5cbfb61c0033a16d2eb57e10e0dd1e6768

3 years agoarm64: dts: amlogic: odroid: Update gpiomem node as khadas's style 18/250218/2
Seung-Woo Kim [Tue, 22 Dec 2020 07:15:35 +0000 (16:15 +0900)]
arm64: dts: amlogic: odroid: Update gpiomem node as khadas's style

For multi-instance of gpiomem, khadas gpiomem uses seperated
gpiomem nodes with its own dev node name. Because gpiomem driver
is applied as khadas' style, so update from odroid dt files.

Change-Id: I98b802d30045b2936ab98d6e23b81e6aff8068d6
Fixes: commit c167bac048f5 ("char: aml-gpiomem: Update to Khadas' multi-instance version")
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agotreewide: Remove unnecessary executable attributes from source files 68/249968/1 accepted/tizen/unified/20201222.122553 submit/tizen/20201221.095525
Seung-Woo Kim [Fri, 18 Dec 2020 04:38:26 +0000 (13:38 +0900)]
treewide: Remove unnecessary executable attributes from source files

No need executable attributes for source files. Remove executable
attributes from source files.

Change-Id: Ide52ab63e927804ab10ed4e840959c8e7fef9242
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agotreewide: Remove remaining executable attributes from source files 67/249967/1
Joe Perches [Fri, 24 Feb 2017 06:29:40 +0000 (22:29 -0800)]
treewide: Remove remaining executable attributes from source files

These are the current source files that should not have
executable attributes set.

[ Normally this would be sent through Andrew Morton's tree
  but his quilt tools don't like permission only patches. ]

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[sw0312.kim: backport mainline commit 6e5c8381d1db to remove unnecessary executable]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I921790c9b9e8be67f14d31f76f2002215771d889

3 years agotreewide: Make remaining source files non-executable 66/249966/1
Joe Perches [Mon, 12 Dec 2016 22:26:55 +0000 (14:26 -0800)]
treewide: Make remaining source files non-executable

.c and .h source files should not be executable, change
the permissions to 0644.

[ This would normally go through Andrew Morton, but his ancient
  patch-based toolchain doesn't do permission changes ]

Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[sw0312.kim: cherry-pick mainline commit fe6bce8d30a8 to remove unnecessary executable]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I1f9a2d12877632a1bace7f66200fe9d9b80e9bd7

3 years agoscript: add a build script for amlogic boards 63/249963/2
Seung-Woo Kim [Fri, 18 Dec 2020 03:53:41 +0000 (12:53 +0900)]
script: add a build script for amlogic boards

Add a build script for amlogic boards.

For Odroid-C4/N2, it will create the below files.
- odroid/Image.gz
- meson64-odroidc4.dtb
- meson64-odroidn2_drm.dtb
- modules.img (with ${version}-TIZEN-amlogic-odroid+)

For Khadas VIM3/VIM3L, it will create the below files.
- kvim/Image.gz
- kvim3_linux.dtb
- kvim3l_linux.dtb
- modules.img (with ${version}-TIZEN-amlogic-kvim+)

For 'all' boards build, it will create the below files.
- odroid/Image.gz
- kvim/Image.gz
- meson64-odroidc4.dtb
- meson64-odroidn2_drm.dtb
- kvim3_linux.dtb
- kvim3l_linux.dtb
- modules.img (with ${version}-TIZEN-amlogic-odroid+ and ${version}-TIZEN-amlogic-kvim+)

Change-Id: I7bd9ae47576ab53d206b7c268f035b244a22f8e2
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
Signed-off-by: Hoegeun Kwon <hoegeun.kwon@samsung.com>
[sw0312.kim: add to support 'all' board option]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoamlogic: reboot: add MESON_DOWNOLAD_REBOOT to enter thor mode 22/249922/1
Jaehoon Chung [Thu, 17 Dec 2020 07:57:06 +0000 (16:57 +0900)]
amlogic: reboot: add MESON_DOWNOLAD_REBOOT to enter thor mode

Add MESON_DOWNLOAD_REBOOT to enter thor mode.
Reuse the MESON_FASTBOOT_REBOOT value.

Change-Id: Ie3272062b103f131b8088191e4b534d4eff48819
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
3 years agoASoc: meson: remove duplicated const 29/249829/1
Seung-Woo Kim [Thu, 17 Dec 2020 03:37:18 +0000 (12:37 +0900)]
ASoc: meson: remove duplicated const

The macro SOC_*_DECL() already has const, so "const SOC_*_DECL()"
makes duplicated const. Remove the duplicated const.

Change-Id: I259251ff91c27344f723bf7da5003ffcff99d802
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoarm64: alternatives: use tpidr_el2 on VHE hosts 69/249769/1
Stephen Warren [Wed, 8 Jan 2020 18:54:14 +0000 (11:54 -0700)]
arm64: alternatives: use tpidr_el2 on VHE hosts

When upstream 6d99b68933fb was back-ported to upstream v4.9.x stable as
eea59020a7f2, the edits to arch/arm64/mm/proc.S were dropped because
proc.S didn't save/restore tpidr_el1 at all. Separately, in android-4.9,
0ec37136b90e ("UPSTREAM: arm64: move sp_el0 and tpidr_el1 into
cpu_suspend_ctx") modified proc.S to save/restore tpidir_el1. These two
paths were later merged together in android-4.9. The missing edits to
proc.S should have been added in during the merge, but were not. This
change restores those edits. The original upstream change description
of 6d99b68933fb follows; this is where the missing code appeared
originally.

Commit 6d99b68933fbcf51f84fcbba49246ce1209ec193 upstream.

Now that KVM uses tpidr_el2 in the same way as Linux's cpu_offset in
tpidr_el1, merge the two. This saves KVM from save/restoring tpidr_el1
on VHE hosts, and allows future code to blindly access per-cpu variables
without triggering world-switch.

Signed-off-by: James Morse <james.morse@arm.com>
Reviewed-by: Christoffer Dall <cdall@linaro.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Fixes: eea59020a7f2 ("arm64: alternatives: use tpidr_el2 on VHE hosts")
Fixes: 0ec37136b90e ("UPSTREAM: arm64: move sp_el0 and tpidr_el1 into cpu_suspend_ctx")
Fixes: 4a5211fa1474 ("Merge 4.9.114 into android-4.9-p")
Signed-off-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[sw0312.kim: cherry-pick android-4.9-q commit c337caddb549 to fix booting issue
- also fully applying linux-4.9.y commit eea59020a7f2 ("arm64: alternatives: use tpidr_el2 on VHE hosts") skipped from khadas' revert]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Iad39e6f1fb662b95967e8ebd07a36844bf46cd2d

3 years agommc: card: replace to CONFIG_TIZEN instead of 0 62/249762/1
Jaehoon Chung [Wed, 16 Dec 2020 05:43:04 +0000 (14:43 +0900)]
mmc: card: replace to CONFIG_TIZEN instead of 0

Replace to CONFIG_TIZEN instead of 0.

Change-Id: If131c42b517e01ef5171218aa29beaf3254400c7
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
3 years agoARM64: configs: enable CONFIG_TIZEN about kvims/odroidg12 97/249497/1
Jaehoon Chung [Mon, 14 Dec 2020 06:00:27 +0000 (15:00 +0900)]
ARM64: configs: enable CONFIG_TIZEN about kvims/odroidg12

Enable CONFIG_TIZEN about kvim3/odroidg12.

Change-Id: I9527dc3310d0656863d4f80dffb36af3d47a8149
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
3 years agoplatform: Kconfig: Add TIZEN configuration 95/249495/1
Jaehoon Chung [Mon, 14 Dec 2020 04:55:59 +0000 (13:55 +0900)]
platform: Kconfig: Add TIZEN configuration

Add TIZEN configuration.
If Tizen specific code is used somewhere, use this config.
It's useful to find where tizen specific codes are.

Change-Id: I068c4e8e943b35d89265384dd7ecf61c75ec3ae9
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
3 years agoarm64: configs: tizen_odroidg12: disable unnecessary btrfs options 61/249361/1 accepted/tizen/unified/20201211.124320 submit/tizen/20201211.030542
Seung-Woo Kim [Thu, 10 Dec 2020 11:20:41 +0000 (20:20 +0900)]
arm64: configs: tizen_odroidg12: disable unnecessary btrfs options

The commit ac70f5b01e79 ("arm64: configs: tizen_*: adjust
filesystem module config options") did not disable unnecessary
btrfs self test options. Disable the btrfs options.

Note: this should be squashed into the commit.

Change-Id: I50298f4dc902a55a140b04db7dc29367c40138e5
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agopackaging: add rpm packaging spec 14/248914/5
Seung-Woo Kim [Mon, 7 Dec 2020 01:54:27 +0000 (10:54 +0900)]
packaging: add rpm packaging spec

For Tizen packaging, add rpm packaging spec to build both odroid
and kvim boards.

Change-Id: I14815c8df90b6455bb1bd37b8111e9f206163040
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agodrm: Kbuild: add meson_drm.h to the installed headers 39/249339/1
Seung-Woo Kim [Mon, 7 Dec 2020 10:19:14 +0000 (19:19 +0900)]
drm: Kbuild: add meson_drm.h to the installed headers

To use meson drm in user, meson_drm.h should be installed.

Change-Id: I09ebba543ea53f7406d8de5c43979ca3d5f0b0f9
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoWORKAROUND: arm64: configs: tizen_*: enable acm gadget and its dummy mode 03/249003/2
Hoegeun Kwon [Tue, 17 Nov 2020 10:14:25 +0000 (19:14 +0900)]
WORKAROUND: arm64: configs: tizen_*: enable acm gadget and its dummy mode

To support tizen gadget mode of deviced, acm gadget is required
because it is always in device mode configuration. But there is issue
for using too mant gadget functions because of amlogic usb endpoint
fifo limitation. So, eanble acm gadget and its dummy mode.

Note: When usb device mode config is possible to set mtp and sdb only,
then this workaround can be removed.

Change-Id: Iacffadce2acdd78845002ff2db6b224a09f4bfe0
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Hoegeun Kwon <hoegeun.kwon@samsung.com>
3 years agoWORKAROUND: usb: gadget: f_acm: Add dummy mode 02/249002/2
Seung-Woo Kim [Fri, 4 Dec 2020 06:09:30 +0000 (15:09 +0900)]
WORKAROUND: usb: gadget: f_acm: Add dummy mode

With amlogic dwc2, only fixed bytes for fifo can be used because
it is set as 2848 bytes in sram. But Tizen default usb gadget mode
enables mtp, acm, and sdb, and for those interfaces, 3104 bytes
are required. Disabling acm gadget causes usb mode setting fail in
Tizen deviced, so add acm gadget dummy mode which enables acm
gadget in configuration, but not really using any endpoint fifo.

Note: once gadget mode is properly fixed, this change will not be
necessary, so it will be reverted after gadget mode modification
is done in deviced.

Change-Id: I6148a714520642050133b6c32bce666971869826
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoarm64: configs: tizen_*: adjust filesystem module config options 84/249084/1
Seung-Woo Kim [Mon, 7 Dec 2020 03:06:55 +0000 (12:06 +0900)]
arm64: configs: tizen_*: adjust filesystem module config options

Tizen uses ext4, squashfs, btrfs and fat/dosfs. For feature test,
also enable extfat, f2fs, overlayfs and ecryptfs and disable all
other filesystems including network filesystem.

Change-Id: I51c380574eacf0f6557ebbd68e1754222619a509
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoarm64: configs: tizen_*: Fix to build BLK_DEV_RAM as built-in 90/248990/2
Hoegeun Kwon [Wed, 2 Dec 2020 09:42:36 +0000 (18:42 +0900)]
arm64: configs: tizen_*: Fix to build BLK_DEV_RAM as built-in

Fix to build BLK_DEV_RAM as built-in for Tizen ramdisk boot and
set size to 32MB for Tizen ramdisk/ramdisk-recovery.

Change-Id: I9b24953105f19746fa4c12fed75690f16e71e904
Signed-off-by: Hoegeun Kwon <hoegeun.kwon@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoarm64: configs: tizen_*: Enable SECURITY_SMACK and disable all other LSM 89/248989/2
Hoegeun Kwon [Fri, 4 Dec 2020 04:30:53 +0000 (13:30 +0900)]
arm64: configs: tizen_*: Enable SECURITY_SMACK and disable all other LSM

It needs to enable configs related with SMACK for booting tizen
platform. Also, other LSMs are not required in Tizen, so disable
them.

Change-Id: I44680664404bd4e1fda6fc9e7d1b31910de435b1
Signed-off-by: Hoegeun Kwon <hoegeun.kwon@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoarm64: configs: tizen_kvims: Disable local git RELEASE version 88/248988/1
Seung-Woo Kim [Fri, 4 Dec 2020 06:01:50 +0000 (15:01 +0900)]
arm64: configs: tizen_kvims: Disable local git RELEASE version

No need to git hash value in kernel RELEASE version, so disable it.

Change-Id: I2b945f6a85b8b31ea6650eca4ad7370eca68c466
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agogpu/arm: utgard: do not use git version as driver version 87/248987/1
Seung-Woo Kim [Fri, 4 Dec 2020 04:44:42 +0000 (13:44 +0900)]
gpu/arm: utgard: do not use git version as driver version

Using git version as driver version causes repeated build
for the mali utgard driver even there is no change. Also,
git describe command takes time, so do not use git version.

Change-Id: I456e0296681bf6dd48b87b2067786b392504d8cb
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoamlogic: isp_module: find include directory only under source tree 86/248986/1
Seung-Woo Kim [Fri, 4 Dec 2020 04:41:12 +0000 (13:41 +0900)]
amlogic: isp_module: find include directory only under source tree

For building, it takes too much time to find include directory
because find is called from top directory. Fix to find only under
source tree.

Change-Id: I0b77d6b6b68dba39d8b9c7f41dbc6570ff9c2a0c
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoarm64: relocatable: fix inconsistencies in linker script and options 85/248985/1
Ard Biesheuvel [Mon, 3 Dec 2018 19:58:05 +0000 (20:58 +0100)]
arm64: relocatable: fix inconsistencies in linker script and options

commit 3bbd3db86470c701091fb1d67f1fab6621debf50 upstream.

readelf complains about the section layout of vmlinux when building
with CONFIG_RELOCATABLE=y (for KASLR):

  readelf: Warning: [21]: Link field (0) should index a symtab section.
  readelf: Warning: [21]: Info field (0) should index a relocatable section.

Also, it seems that our use of '-pie -shared' is contradictory, and
thus ambiguous. In general, the way KASLR is wired up at the moment
is highly tailored to how ld.bfd happens to implement (and conflate)
PIE executables and shared libraries, so given the current effort to
support other toolchains, let's fix some of these issues as well.

- Drop the -pie linker argument and just leave -shared. In ld.bfd,
  the differences between them are unclear (except for the ELF type
  of the produced image [0]) but lld chokes on seeing both at the
  same time.

- Rename the .rela output section to .rela.dyn, as is customary for
  shared libraries and PIE executables, so that it is not misidentified
  by readelf as a static relocation section (producing the warnings
  above).

- Pass the -z notext and -z norelro options to explicitly instruct the
  linker to permit text relocations, and to omit the RELRO program
  header (which requires a certain section layout that we don't adhere
  to in the kernel). These are the defaults for current versions of
  ld.bfd.

- Discard .eh_frame and .gnu.hash sections to avoid them from being
  emitted between .head.text and .text, screwing up the section layout.

These changes only affect the ELF image, and produce the same binary
image.

[0] b9dce7f1ba01 ("arm64: kernel: force ET_DYN ELF type for ...")

Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Peter Smith <peter.smith@linaro.org>
Tested-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: backport stable linux-4.14.y commit f21ce3cdff2f for gcc 9 built image size]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I0ddfedad20188dcd9d7b416370e95d175b595db0

3 years agoarm64: configs: Add tizen_kvims from kvims_defconfig 13/248913/1
Seung-Woo Kim [Thu, 3 Dec 2020 05:10:57 +0000 (14:10 +0900)]
arm64: configs: Add tizen_kvims from kvims_defconfig

Add tizen_kvims from kvims_defconfig, stored with the command
'make ARCH=arm64 savedefconfig'.

Change-Id: Iddd3a2750a1796b78f1649d551f279cf05a4c6e5
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoarm64: configs: Add tizen_odroidg12_defconfig from odroidg12_defconfig 12/248912/1
Hoegeun Kwon [Thu, 3 Dec 2020 05:07:50 +0000 (14:07 +0900)]
arm64: configs: Add tizen_odroidg12_defconfig from odroidg12_defconfig

Add tizen_odroidg12_defconfig from odroidg12_defconfig, but
stored with the command 'make ARCH=arm64 savedefconfig'.

Note: the mali400 driver is added from Khadas's tree and not used
from odroidg12, so it is disabled.

Change-Id: Ibd5ccaf09b5628d484b53417054fd54dd742419c
Signed-off-by: Hoegeun Kwon <hoegeun.kwon@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoarm64: dts: VIM3/VIM3L: Set extcon state for dwc2_a cable as always true 74/248874/1
Seung-Woo Kim [Wed, 22 Jul 2020 06:48:24 +0000 (15:48 +0900)]
arm64: dts: VIM3/VIM3L: Set extcon state for dwc2_a cable as always true

Since this, extcon state for dwc2_a, dwc_otg udc becomes always
'USB=1'.

Change-Id: I45f5c31a9ca42b4049a10b4fd1b008d2ba1726a0
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoarm64: dts: mesong12_odroid_common: Set extcon state for dwc2_a cable as always true 73/248873/1
Seung-Woo Kim [Thu, 3 Dec 2020 03:55:02 +0000 (12:55 +0900)]
arm64: dts: mesong12_odroid_common: Set extcon state for dwc2_a cable as always true

Since this, extcon state for dwc2_a, dwc_otg udc becomes always
'USB=1'.

Note: odroid-c4/n2 connects usb_dwc2_a_id to usb connector id
and usb_dwc2_a_vbus to usb connector vbus, so usb connect event
can be detected including otg host and peripheral recognition.
But the detection is possible to after configuration gadget on
the udc, so in Tizen, it does not work because Tizen deviced
waits usb connection to configure gadget on the udc. Because of
this constraint in Tizen deviced, as a workaround, set extcon
state for dwc2_a usb cable as connected.

Change-Id: I755b3385f21d7ac49673afea291e4a43497be030
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agousb: dwc_otg: Set extcon state for usb cable as always true 72/248872/1
Seung-Woo Kim [Thu, 3 Dec 2020 03:53:43 +0000 (12:53 +0900)]
usb: dwc_otg: Set extcon state for usb cable as always true

To inform to userspace as enable usb features always, set extcon
state for usb cable as connected permanently. To enable this, add
g-extcon-always-on property on dt.

Note: ported from https://git.tizen.org/cgit/profile/common/platform/kernel/linux-artik7/commit/?h=tizen&id=f7e1e93b230f61d66d6a3bc58d09c53dcd305e21

Change-Id: I16fb629ccec54f0ae46e697b56750c3021f01ccb
Signed-off-by: Dongwoo Lee <dwoo08.lee@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoamlogic: media_modules: demux: choose only one from sw/hw demux 71/248871/1
Seung-Woo Kim [Wed, 2 Dec 2020 09:33:18 +0000 (18:33 +0900)]
amlogic: media_modules: demux: choose only one from sw/hw demux

Amlogic dvb sw_demux and hw_demux have same exported symbols and
it is used from dvb_ci. This causes warnings and dvb_ci.ko module
dependency is only set to the first built module, so here is no
need to build both demuxs. Choose only one from sw/hw demux
explictly.

Change-Id: Ib6cd7f5f3852e77fdacb0180471ce854e8b6f0b7
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoarm64: dts: VIM3/VIM3L: change dwc2 usb mode to device mode
Seung-Woo Kim [Wed, 2 Dec 2020 06:44:43 +0000 (15:44 +0900)]
arm64: dts: VIM3/VIM3L: change dwc2 usb mode to device mode

Like kvim3/kvim3l android-pie kernel, change dwc2 usb mode to
device mode for usb sdb in Tizen.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agousb: gadget: f_fs: Do not use amlogic custom buffer
Dongwoo Lee [Wed, 2 Dec 2020 06:44:37 +0000 (15:44 +0900)]
usb: gadget: f_fs: Do not use amlogic custom buffer

Since amlogic usb features customize ffs to fit for adb, it uses
fixed size of payload buffer and causes data overflow on sdb. To fix
it up, this patch makes not use amlogic customize.

Signed-off-by: Dongwoo Lee <dwoo08.lee@samsung.com>
3 years agogator: support kernel backtrace in kernel module
Seung-Woo Kim [Tue, 1 Dec 2020 08:09:29 +0000 (17:09 +0900)]
gator: support kernel backtrace in kernel module

From Linux 4.9, walk_stackframe was unexported so it is not
possible to build gator as kernel module. Use save_stack_trace
instead for kernel backtrace as like higher gator version.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agogator: Update gator v5.23.1
Chanwoo Choi [Tue, 1 Dec 2020 07:49:29 +0000 (16:49 +0900)]
gator: Update gator v5.23.1

Update gator with v5.23.1 except gator_src_md5.h. The generated
file is named as generated_gator_src_md5.h as higher gator version.

Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agommc: card: block: remove amlogic specific function call
Jaehoon Chung [Tue, 26 May 2020 07:52:19 +0000 (16:52 +0900)]
mmc: card: block: remove amlogic specific function call

Remove amlogic specific function call.
When called aml_emmc_partition_ops(), it's only used amlogic specific
platform.
Tizen doesn't need to call it.

Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
Signed-off-by: Hoegeun Kwon <hoegeun.kwon@samsung.com>
3 years agoSmack: ignore private inode for file functions
Seung-Woo Kim [Mon, 12 Dec 2016 08:35:26 +0000 (17:35 +0900)]
Smack: ignore private inode for file functions

The access to fd from anon_inode is always failed because there is
no set xattr operations. So this patch fixes to ignore private
inode including anon_inode for file functions.

It was only ignored for smack_file_receive() to share dma-buf fd,
but dma-buf has other functions like ioctl and mmap.

Reference: https://lkml.org/lkml/2015/4/17/16

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[sw0312.kim: backport mainline commit 83a1e53f3920 for Tizen security smack]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I31719d13885b63ebd643fe03565314ad7d65ee3c

3 years agoSmack: fix d_instantiate logic for sockfs and pipefs
Rafal Krypa [Fri, 9 Dec 2016 13:03:04 +0000 (14:03 +0100)]
Smack: fix d_instantiate logic for sockfs and pipefs

Since 4b936885a (v2.6.32) all inodes on sockfs and pipefs are disconnected.
It caused filesystem specific code in smack_d_instantiate to be skipped,
because all inodes on those pseudo filesystems were treated as root inodes.
As a result all sockfs inodes had the Smack label set to floor.

In most cases access checks for sockets use socket_smack data so the inode
label is not important. But there are special cases that were broken.
One example would be calling fcntl with F_SETOWN command on a socket fd.

Now smack_d_instantiate expects all pipefs and sockfs inodes to be
disconnected and has the logic in appropriate place.

Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[sw0312.kim: backport mainline commit 805b65a80bed for Tizen security smack]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ib60a38ea4173df99ef1998e4ef5eba215a63c38a

3 years agoSmack: Fix memory leak in smack_inode_getsecctx
Casey Schaufler [Fri, 1 Jun 2018 17:45:12 +0000 (10:45 -0700)]
Smack: Fix memory leak in smack_inode_getsecctx

Fix memory leak in smack_inode_getsecctx

The implementation of smack_inode_getsecctx() made
incorrect assumptions about how Smack presents a security
context. Smack does not need to allocate memory to support
security contexts, so "releasing" a Smack context is a no-op.
The code made an unnecessary copy and returned that as a
context, which was never freed. The revised implementation
returns the context correctly.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reported-by: CHANDAN VN <chandan.vn@samsung.com>
Tested-by: CHANDAN VN <chandan.vn@samsung.com>
[sw0312.kim: cherry-pick mainline commit 0f8983cf97d3]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoSmack: Assign smack_known_web label for kernel thread's
jooseong lee [Thu, 3 Nov 2016 10:54:39 +0000 (11:54 +0100)]
Smack: Assign smack_known_web label for kernel thread's

Assign smack_known_web label for kernel thread's socket

Creating struct sock by sk_alloc function in various kernel subsystems
like bluetooth doesn't call smack_socket_post_create(). In such case,
received sock label is the floor('_') label and makes access deny.

Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
[sw0312.kim: cherry-pick mainline commit 08382c9f6efe]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agogpu/arm: adjust file mode
Seung-Woo Kim [Wed, 2 Dec 2020 03:02:09 +0000 (12:02 +0900)]
gpu/arm: adjust file mode

Only set execute file mode for shell script and for code files,
remove the execute file mode.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agogpu/arm: Remove duplicated mali midgard driver
Seung-Woo Kim [Tue, 1 Dec 2020 09:57:43 +0000 (18:57 +0900)]
gpu/arm: Remove duplicated mali midgard driver

In the tree, there are two duplicated mali midgard driver in
drivers/gpu/arm/midgard and drivers/gpu/drm/bifrost/midgard with
different version. There is no reason to keep old release version,
so keep only the later version, r16p0, 11.13, to
drivers/gpu/arm/midgard.

Also, config option for choosing a version is removed.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agochar: aml-gpiomem: Update to Khadas' multi-instance version
Seung-Woo Kim [Tue, 1 Dec 2020 09:55:58 +0000 (18:55 +0900)]
char: aml-gpiomem: Update to Khadas' multi-instance version

The Khadas VIM3/VIM3L has two aml-gpiomem nodes, so it needs multi
instance driver version. Update to Khadas' multi-instance version.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoRevert "fs/proc: make cmdline writable"
Seung-Woo Kim [Wed, 2 Dec 2020 04:35:32 +0000 (13:35 +0900)]
Revert "fs/proc: make cmdline writable"

This reverts commit 341b13d1ba7f5d10830a7236b257bed780602917
and commit 7970fede1d941cbda83ac6f875b1f99b9af5a8f9 and commit
129e951a369446eb40d23264caf20bddcd1929e3.

Writing /proc/cmdline is not required and the feature causes too
much stack frame usage. To remove the FRAME_WARN issue for
frame-larger-than, revert writing /proc/cmdline feature commits.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoamlogic: media_modules: fix too big stack usage for gcc 9 build
Seung-Woo Kim [Thu, 12 Mar 2020 10:01:18 +0000 (19:01 +0900)]
amlogic: media_modules: fix too big stack usage for gcc 9 build

Too big stack usage causes build issue for gcc 9. Fix too big stack
usage by replacing kzalloc() instead of array in stack.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoamlogic: dtv_demod: remove set/get_property()
Seung-Woo Kim [Tue, 1 Dec 2020 07:15:56 +0000 (16:15 +0900)]
amlogic: dtv_demod: remove set/get_property()

After the commit c0d4c1a37d7a ("media: dvb_frontend: get rid of
get_property() callback") and the commit 43619b35587e ("media:
dvb_frontend: get rid of set_property() callback"), there is no
set/get_property() callback in struct dvb_frontend_ops. Remove
the set/get_property() from amlogic media drivers.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoamlogic: nand: pass a nand_chip object to nand_release()
Seung-Woo Kim [Tue, 1 Dec 2020 07:41:43 +0000 (16:41 +0900)]
amlogic: nand: pass a nand_chip object to nand_release()

After the commit 6624691037da ("mtd: rawnand: Pass a nand_chip
object to nand_release()"), it should send nand_chip object to
nand_release().

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agonet: bcmdhd: remoev default config for choice value.
Seung-Woo Kim [Tue, 1 Dec 2020 03:13:43 +0000 (12:13 +0900)]
net: bcmdhd: remoev default config for choice value.

Choice value does not support default config option, so remove
default config for the choice value.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agogpu/arm: mali: utgard: fix sizeof-pointer-memaccess build issue in gcc 9
Seung-Woo Kim [Wed, 28 Oct 2020 05:52:03 +0000 (14:52 +0900)]
gpu/arm: mali: utgard: fix sizeof-pointer-memaccess build issue in gcc 9

This fixes sizeof-pointer-memaccess for strncpy().

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agogpu/arm: mali: utgard: add automatically generated file to ignore list
Seung-Woo Kim [Tue, 1 Dec 2020 01:34:58 +0000 (10:34 +0900)]
gpu/arm: mali: utgard: add automatically generated file to ignore list

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agogator: gitignore: add ignore rule about gator_src_md5 header
Jaehoon Chung [Tue, 1 Dec 2020 01:37:06 +0000 (10:37 +0900)]
gator: gitignore: add ignore rule about gator_src_md5 header

Add ignore rule about generated_gator_src_md5 header.

Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
3 years agoarm64: Silence gcc warnings about arch ABI drift
Dave Martin [Thu, 6 Jun 2019 10:33:43 +0000 (11:33 +0100)]
arm64: Silence gcc warnings about arch ABI drift

Since GCC 9, the compiler warns about evolution of the
platform-specific ABI, in particular relating for the marshaling of
certain structures involving bitfields.

The kernel is a standalone binary, and of course nobody would be
so stupid as to expose structs containing bitfields as function
arguments in ABI.  (Passing a pointer to such a struct, however
inadvisable, should be unaffected by this change.  perf and various
drivers rely on that.)

So these warnings do more harm than good: turn them off.

We may miss warnings about future ABI drift, but that's too bad.
Future ABI breaks of this class will have to be debugged and fixed
the traditional way unless the compiler evolves finer-grained
diagnostics.

Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[sw0312.kim: backport mainline commit ebcc5928c5d9 for gcc 9 build]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
3 years agoMerge hardkernel's branch 'odroidg12-4.9.y' into khadas's khadas-vims-4.9.y. amlogic-base-20201130
Seung-Woo Kim [Fri, 27 Nov 2020 02:37:30 +0000 (11:37 +0900)]
Merge hardkernel's branch 'odroidg12-4.9.y' into khadas's khadas-vims-4.9.y.

khadas's base is commit 86f9ab4cb492 ("Merge tag 'v4.9.241' into
khadas-vims-4.9.y") and tagged as khadas-vims-v0.9.6-release.
hardkernel's base is 6ad97dceb7a0 ("ODROID-HC4:remove pwm-fan
pinctrl(PWM_C : GPIOC_4 remove)") and tagged as
hardkernel-4.9.236-104.

Note: during the fixing Conflicts, non amlogic related parts
are from wrong port for stable version with android common
kernel. It is fixed as like android common kernel's branch
android-4.9-q.

Most of amlogic driver conflicts is fixed with hardkernel's
tree because it has recent version.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
4 years agoODROID-HC4:remove pwm-fan pinctrl(PWM_C : GPIOC_4 remove) hardkernel-4.9.236-104
ckkim [Fri, 6 Nov 2020 08:14:32 +0000 (17:14 +0900)]
ODROID-HC4:remove pwm-fan pinctrl(PWM_C : GPIOC_4 remove)

Signed-off-by: ckkim <changkon12@gmail.com>
Change-Id: I36ddb1889cc1d181372c8925e58726d71a615d4e

4 years agoMerge tag 'v4.9.241' into khadas-vims-4.9.y khadas-vims-v0.9.6-release
Nick Xie [Sat, 7 Nov 2020 02:30:09 +0000 (10:30 +0800)]
Merge tag 'v4.9.241' into khadas-vims-4.9.y

This is the 4.9.241 stable release

4 years agoMerge tag 'v4.9.240' into khadas-vims-4.9.y
Nick Xie [Sat, 7 Nov 2020 02:30:05 +0000 (10:30 +0800)]
Merge tag 'v4.9.240' into khadas-vims-4.9.y

This is the 4.9.240 stable release

4 years agoMerge tag 'v4.9.239' into khadas-vims-4.9.y
Nick Xie [Sat, 7 Nov 2020 02:30:00 +0000 (10:30 +0800)]
Merge tag 'v4.9.239' into khadas-vims-4.9.y

This is the 4.9.239 stable release

Signed-off-by: Nick Xie <nick@khadas.com>
4 years agoMerge tag 'v4.9.238' into khadas-vims-4.9.y
Nick Xie [Sat, 7 Nov 2020 02:27:45 +0000 (10:27 +0800)]
Merge tag 'v4.9.238' into khadas-vims-4.9.y

This is the 4.9.238 stable release

4 years agoMerge tag 'v4.9.237' into khadas-vims-4.9.y
Nick Xie [Sat, 7 Nov 2020 02:27:41 +0000 (10:27 +0800)]
Merge tag 'v4.9.237' into khadas-vims-4.9.y

This is the 4.9.237 stable release

4 years agoMerge tag 'v4.9.236' into khadas-vims-4.9.y
Nick Xie [Sat, 7 Nov 2020 02:27:38 +0000 (10:27 +0800)]
Merge tag 'v4.9.236' into khadas-vims-4.9.y

This is the 4.9.236 stable release

4 years agoMerge tag 'v4.9.235' into khadas-vims-4.9.y
Nick Xie [Sat, 7 Nov 2020 02:27:34 +0000 (10:27 +0800)]
Merge tag 'v4.9.235' into khadas-vims-4.9.y

This is the 4.9.235 stable release

4 years agoMerge tag 'v4.9.234' into khadas-vims-4.9.y
Nick Xie [Sat, 7 Nov 2020 02:27:30 +0000 (10:27 +0800)]
Merge tag 'v4.9.234' into khadas-vims-4.9.y

This is the 4.9.234 stable release

Signed-off-by: Nick Xie <nick@khadas.com>
4 years agoMerge tag 'v4.9.233' into khadas-vims-4.9.y
Nick Xie [Sat, 7 Nov 2020 02:26:54 +0000 (10:26 +0800)]
Merge tag 'v4.9.233' into khadas-vims-4.9.y

This is the 4.9.233 stable release

4 years agoRevert "ODROID-COMMON: osd: Adjust osd scaler and vout serve to fit in KODI"
Dongjin Kim [Thu, 5 Nov 2020 08:17:13 +0000 (17:17 +0900)]
Revert "ODROID-COMMON: osd: Adjust osd scaler and vout serve to fit in KODI"

This reverts commit 6f7138e3ac2a900a0720be31d486fcb8514fe5ed.

Change-Id: Ib57697cf7668460ab81bf951d0dee1e003adba44

4 years agoRevert "ODROID-COMMON:osd: Adjust osd scaler and vout serve to fit in KODI. Only...
Dongjin Kim [Thu, 5 Nov 2020 08:16:40 +0000 (17:16 +0900)]
Revert "ODROID-COMMON:osd: Adjust osd scaler and vout serve to fit in KODI. Only works in S922(N2/N2+)."

This reverts commit 0427609dc95c93d0989b1b2dea84b9c41f2ba4ba.

Change-Id: Idcf054d6da7a2602dbac904ae2a6ec6da0ee00bf

4 years agoODROID-N2/N2+:no soundcard error fix.
ckkim [Wed, 4 Nov 2020 03:15:28 +0000 (12:15 +0900)]
ODROID-N2/N2+:no soundcard error fix.

Change-Id: I71319cf50a1fd07b9ec48edc62e2a0bbcf565ba9

4 years agoMerge "ODROID-COMMON:osd: Adjust osd scaler and vout serve to fit in KODI. Only works...
Mauro Ribeiro [Fri, 30 Oct 2020 13:39:19 +0000 (22:39 +0900)]
Merge "ODROID-COMMON:osd: Adjust osd scaler and vout serve to fit in KODI. Only works in S922(N2/N2+)." into odroidg12-4.9.y

4 years agoODROID-COMMON: drivers/spi: Set the 64 bits per word by default
Deokgyu Yang [Fri, 30 Oct 2020 06:46:07 +0000 (15:46 +0900)]
ODROID-COMMON: drivers/spi: Set the 64 bits per word by default

The existing force64b routine might not work properly under specific
conditions. This patch fixes that bug of 64 bits per word and forces
use that option. It will improve SPI performance significantly.

Signed-off-by: Deokgyu Yang <secugyu@gmail.com>
Change-Id: I85a58d425303ea1765b7b83ee5dd5f0a7f4203fc

4 years agoODROID-COMMON:osd: Adjust osd scaler and vout serve to fit in KODI. Only works in...
ckkim [Thu, 29 Oct 2020 09:24:13 +0000 (18:24 +0900)]
ODROID-COMMON:osd: Adjust osd scaler and vout serve to fit in KODI. Only works in S922(N2/N2+).

Change-Id: I7a16dd2cbde63d8b716aab17d85fb9dc1157e2ff

4 years agoLinux 4.9.241 v4.9.241
Greg Kroah-Hartman [Thu, 29 Oct 2020 08:05:46 +0000 (09:05 +0100)]
Linux 4.9.241

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20201027134902.130312227@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
4 years agousb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets.
Lorenzo Colitti [Tue, 25 Aug 2020 05:55:05 +0000 (14:55 +0900)]
usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets.

[ Upstream commit 7974ecd7d3c0f42a98566f281e44ea8573a2ad88 ]

Currently, enabling f_ncm at SuperSpeed Plus speeds results in an
oops in config_ep_by_speed because ncm_set_alt passes in NULL
ssp_descriptors. Fix this by re-using the SuperSpeed descriptors.
This is safe because usb_assign_descriptors calls
usb_copy_descriptors.

Tested: enabled f_ncm on a dwc3 gadget and 10Gbps link, ran iperf
Reviewed-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
4 years agoeeprom: at25: set minimum read/write access stride to 1
Christian Eggers [Tue, 28 Jul 2020 09:29:59 +0000 (11:29 +0200)]
eeprom: at25: set minimum read/write access stride to 1

commit 284f52ac1c6cfa1b2e5c11b84653dd90e4e91de7 upstream.

SPI eeproms are addressed by byte.

Signed-off-by: Christian Eggers <ceggers@arri.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20200728092959.24600-1-ceggers@arri.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
4 years agoUSB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync().
Oliver Neukum [Mon, 28 Sep 2020 14:17:55 +0000 (23:17 +0900)]
USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync().

commit 37d2a36394d954413a495da61da1b2a51ecd28ab upstream.

syzbot is reporting hung task at wdm_flush() [1], for there is a circular
dependency that wdm_flush() from flip_close() for /dev/cdc-wdm0 forever
waits for /dev/raw-gadget to be closed while close() for /dev/raw-gadget
cannot be called unless close() for /dev/cdc-wdm0 completes.

Tetsuo Handa considered that such circular dependency is an usage error [2]
which corresponds to an unresponding broken hardware [3]. But Alan Stern
responded that we should be prepared for such hardware [4]. Therefore,
this patch changes wdm_flush() to use wait_event_interruptible_timeout()
which gives up after 30 seconds, for hardware that remains silent must be
ignored. The 30 seconds are coming out of thin air.

Changing wait_event() to wait_event_interruptible_timeout() makes error
reporting from close() syscall less reliable. To compensate it, this patch
also implements wdm_fsync() which does not use timeout. Those who want to
be very sure that data has gone out to the device are now advised to call
fsync(), with a caveat that fsync() can return -EINVAL when running on
older kernels which do not implement wdm_fsync().

This patch also fixes three more problems (listed below) found during
exhaustive discussion and testing.

  Since multiple threads can concurrently call wdm_write()/wdm_flush(),
  we need to use wake_up_all() whenever clearing WDM_IN_USE in order to
  make sure that all waiters are woken up. Also, error reporting needs
  to use fetch-and-clear approach in order not to report same error for
  multiple times.

  Since wdm_flush() checks WDM_DISCONNECTING, wdm_write() should as well
  check WDM_DISCONNECTING.

  In wdm_flush(), since locks are not held, it is not safe to dereference
  desc->intf after checking that WDM_DISCONNECTING is not set [5]. Thus,
  remove dev_err() from wdm_flush().

[1] https://syzkaller.appspot.com/bug?id=e7b761593b23eb50855b9ea31e3be5472b711186
[2] https://lkml.kernel.org/r/27b7545e-8f41-10b8-7c02-e35a08eb1611@i-love.sakura.ne.jp
[3] https://lkml.kernel.org/r/79ba410f-e0ef-2465-b94f-6b9a4a82adf5@i-love.sakura.ne.jp
[4] https://lkml.kernel.org/r/20200530011040.GB12419@rowland.harvard.edu
[5] https://lkml.kernel.org/r/c85331fc-874c-6e46-a77f-0ef1dc075308@i-love.sakura.ne.jp

Reported-by: syzbot <syzbot+854768b99f19e89d7f81@syzkaller.appspotmail.com>
Cc: stable <stable@vger.kernel.org>
Co-developed-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20200928141755.3476-1-penguin-kernel@I-love.SAKURA.ne.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
4 years agousb: cdc-acm: add quirk to blacklist ETAS ES58X devices
Vincent Mailhol [Fri, 2 Oct 2020 15:41:51 +0000 (00:41 +0900)]
usb: cdc-acm: add quirk to blacklist ETAS ES58X devices

commit a4f88430af896bf34ec25a7a5f0e053fb3d928e0 upstream.

The ES58X devices has a CDC ACM interface (used for debug
purpose). During probing, the device is thus recognized as USB Modem
(CDC ACM), preventing the etas-es58x module to load:
  usbcore: registered new interface driver etas_es58x
  usb 1-1.1: new full-speed USB device number 14 using xhci_hcd
  usb 1-1.1: New USB device found, idVendor=108c, idProduct=0159, bcdDevice= 1.00
  usb 1-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
  usb 1-1.1: Product: ES581.4
  usb 1-1.1: Manufacturer: ETAS GmbH
  usb 1-1.1: SerialNumber: 2204355
  cdc_acm 1-1.1:1.0: No union descriptor, testing for castrated device
  cdc_acm 1-1.1:1.0: ttyACM0: USB ACM device

Thus, these have been added to the ignore list in
drivers/usb/class/cdc-acm.c

N.B. Future firmware release of the ES58X will remove the CDC-ACM
interface.

`lsusb -v` of the three devices variant (ES581.4, ES582.1 and
ES584.1):

  Bus 001 Device 011: ID 108c:0159 Robert Bosch GmbH ES581.4
  Device Descriptor:
    bLength                18
    bDescriptorType         1
    bcdUSB               1.10
    bDeviceClass            2 Communications
    bDeviceSubClass         0
    bDeviceProtocol         0
    bMaxPacketSize0        64
    idVendor           0x108c Robert Bosch GmbH
    idProduct          0x0159
    bcdDevice            1.00
    iManufacturer           1 ETAS GmbH
    iProduct                2 ES581.4
    iSerial                 3 2204355
    bNumConfigurations      1
    Configuration Descriptor:
      bLength                 9
      bDescriptorType         2
      wTotalLength       0x0035
      bNumInterfaces          1
      bConfigurationValue     1
      iConfiguration          5 Bus Powered Configuration
      bmAttributes         0x80
        (Bus Powered)
      MaxPower              100mA
      Interface Descriptor:
        bLength                 9
        bDescriptorType         4
        bInterfaceNumber        0
        bAlternateSetting       0
        bNumEndpoints           3
        bInterfaceClass         2 Communications
        bInterfaceSubClass      2 Abstract (modem)
        bInterfaceProtocol      0
        iInterface              4 ACM Control Interface
        CDC Header:
          bcdCDC               1.10
        CDC Call Management:
          bmCapabilities       0x01
            call management
          bDataInterface          0
        CDC ACM:
          bmCapabilities       0x06
            sends break
            line coding and serial state
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x81  EP 1 IN
          bmAttributes            3
            Transfer Type            Interrupt
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0010  1x 16 bytes
          bInterval              10
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x82  EP 2 IN
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0040  1x 64 bytes
          bInterval               0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x03  EP 3 OUT
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0040  1x 64 bytes
          bInterval               0
  Device Status:     0x0000
    (Bus Powered)

  Bus 001 Device 012: ID 108c:0168 Robert Bosch GmbH ES582
  Device Descriptor:
    bLength                18
    bDescriptorType         1
    bcdUSB               2.00
    bDeviceClass            2 Communications
    bDeviceSubClass         0
    bDeviceProtocol         0
    bMaxPacketSize0        64
    idVendor           0x108c Robert Bosch GmbH
    idProduct          0x0168
    bcdDevice            1.00
    iManufacturer           1 ETAS GmbH
    iProduct                2 ES582
    iSerial                 3 0108933
    bNumConfigurations      1
    Configuration Descriptor:
      bLength                 9
      bDescriptorType         2
      wTotalLength       0x0043
      bNumInterfaces          2
      bConfigurationValue     1
      iConfiguration          0
      bmAttributes         0x80
        (Bus Powered)
      MaxPower              500mA
      Interface Descriptor:
        bLength                 9
        bDescriptorType         4
        bInterfaceNumber        0
        bAlternateSetting       0
        bNumEndpoints           1
        bInterfaceClass         2 Communications
        bInterfaceSubClass      2 Abstract (modem)
        bInterfaceProtocol      1 AT-commands (v.25ter)
        iInterface              0
        CDC Header:
          bcdCDC               1.10
        CDC ACM:
          bmCapabilities       0x02
            line coding and serial state
        CDC Union:
          bMasterInterface        0
          bSlaveInterface         1
        CDC Call Management:
          bmCapabilities       0x03
            call management
            use DataInterface
          bDataInterface          1
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x83  EP 3 IN
          bmAttributes            3
            Transfer Type            Interrupt
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0040  1x 64 bytes
          bInterval              16
      Interface Descriptor:
        bLength                 9
        bDescriptorType         4
        bInterfaceNumber        1
        bAlternateSetting       0
        bNumEndpoints           2
        bInterfaceClass        10 CDC Data
        bInterfaceSubClass      0
        bInterfaceProtocol      0
        iInterface              0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x81  EP 1 IN
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0200  1x 512 bytes
          bInterval               0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x02  EP 2 OUT
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0200  1x 512 bytes
          bInterval               0
  Device Qualifier (for other device speed):
    bLength                10
    bDescriptorType         6
    bcdUSB               2.00
    bDeviceClass            2 Communications
    bDeviceSubClass         0
    bDeviceProtocol         0
    bMaxPacketSize0        64
    bNumConfigurations      1
  Device Status:     0x0000
    (Bus Powered)

  Bus 001 Device 013: ID 108c:0169 Robert Bosch GmbH ES584.1
  Device Descriptor:
    bLength                18
    bDescriptorType         1
    bcdUSB               2.00
    bDeviceClass            2 Communications
    bDeviceSubClass         0
    bDeviceProtocol         0
    bMaxPacketSize0        64
    idVendor           0x108c Robert Bosch GmbH
    idProduct          0x0169
    bcdDevice            1.00
    iManufacturer           1 ETAS GmbH
    iProduct                2 ES584.1
    iSerial                 3 0100320
    bNumConfigurations      1
    Configuration Descriptor:
      bLength                 9
      bDescriptorType         2
      wTotalLength       0x0043
      bNumInterfaces          2
      bConfigurationValue     1
      iConfiguration          0
      bmAttributes         0x80
        (Bus Powered)
      MaxPower              500mA
      Interface Descriptor:
        bLength                 9
        bDescriptorType         4
        bInterfaceNumber        0
        bAlternateSetting       0
        bNumEndpoints           1
        bInterfaceClass         2 Communications
        bInterfaceSubClass      2 Abstract (modem)
        bInterfaceProtocol      1 AT-commands (v.25ter)
        iInterface              0
        CDC Header:
          bcdCDC               1.10
        CDC ACM:
          bmCapabilities       0x02
            line coding and serial state
        CDC Union:
          bMasterInterface        0
          bSlaveInterface         1
        CDC Call Management:
          bmCapabilities       0x03
            call management
            use DataInterface
          bDataInterface          1
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x83  EP 3 IN
          bmAttributes            3
            Transfer Type            Interrupt
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0040  1x 64 bytes
          bInterval              16
      Interface Descriptor:
        bLength                 9
        bDescriptorType         4
        bInterfaceNumber        1
        bAlternateSetting       0
        bNumEndpoints           2
        bInterfaceClass        10 CDC Data
        bInterfaceSubClass      0
        bInterfaceProtocol      0
        iInterface              0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x81  EP 1 IN
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0200  1x 512 bytes
          bInterval               0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x02  EP 2 OUT
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0200  1x 512 bytes
          bInterval               0
  Device Qualifier (for other device speed):
    bLength                10
    bDescriptorType         6
    bcdUSB               2.00
    bDeviceClass            2 Communications
    bDeviceSubClass         0
    bDeviceProtocol         0
    bMaxPacketSize0        64
    bNumConfigurations      1
  Device Status:     0x0000
    (Bus Powered)

Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20201002154219.4887-8-mailhol.vincent@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
4 years agonet: korina: cast KSEG0 address to pointer in kfree
Valentin Vidic [Sun, 18 Oct 2020 18:42:55 +0000 (20:42 +0200)]
net: korina: cast KSEG0 address to pointer in kfree

[ Upstream commit 3bd57b90554b4bb82dce638e0668ef9dc95d3e96 ]

Fixes gcc warning:

passing argument 1 of 'kfree' makes pointer from integer without a cast

Fixes: 3af5f0f5c74e ("net: korina: fix kfree of rx/tx descriptor array")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
Link: https://lore.kernel.org/r/20201018184255.28989-1-vvidic@valentin-vidic.from.hr
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
4 years agoath10k: check idx validity in __ath10k_htt_rx_ring_fill_n()
Zekun Shen [Tue, 23 Jun 2020 22:11:05 +0000 (18:11 -0400)]
ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n()

[ Upstream commit bad60b8d1a7194df38fd7fe4b22f3f4dcf775099 ]

The idx in __ath10k_htt_rx_ring_fill_n function lives in
consistent dma region writable by the device. Malfunctional
or malicious device could manipulate such idx to have a OOB
write. Either by
    htt->rx_ring.netbufs_ring[idx] = skb;
or by
    ath10k_htt_set_paddrs_ring(htt, paddr, idx);

The idx can also be negative as it's signed, giving a large
memory space to write to.

It's possibly exploitable by corruptting a legit pointer with
a skb pointer. And then fill skb with payload as rougue object.

Part of the log here. Sometimes it appears as UAF when writing
to a freed memory by chance.

 [   15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0
 [   15.595483] #PF: supervisor write access in kernel mode
 [   15.596250] #PF: error_code(0x0002) - not-present page
 [   15.597013] PGD 0 P4D 0
 [   15.597395] Oops: 0002 [#1] SMP KASAN PTI
 [   15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69
 [   15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
 BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
 [   15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core]
 [   15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n
 (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core

Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200623221105.3486-1-bruceshenzk@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
4 years agousb: core: Solve race condition in anchor cleanup functions
Eli Billauer [Fri, 31 Jul 2020 05:46:50 +0000 (08:46 +0300)]
usb: core: Solve race condition in anchor cleanup functions

[ Upstream commit fbc299437c06648afcc7891e6e2e6638dd48d4df ]

usb_kill_anchored_urbs() is commonly used to cancel all URBs on an
anchor just before releasing resources which the URBs rely on. By doing
so, users of this function rely on that no completer callbacks will take
place from any URB on the anchor after it returns.

However if this function is called in parallel with __usb_hcd_giveback_urb
processing a URB on the anchor, the latter may call the completer
callback after usb_kill_anchored_urbs() returns. This can lead to a
kernel panic due to use after release of memory in interrupt context.

The race condition is that __usb_hcd_giveback_urb() first unanchors the URB
and then makes the completer callback. Such URB is hence invisible to
usb_kill_anchored_urbs(), allowing it to return before the completer has
been called, since the anchor's urb_list is empty.

Even worse, if the racing completer callback resubmits the URB, it may
remain in the system long after usb_kill_anchored_urbs() returns.

Hence list_empty(&anchor->urb_list), which is used in the existing
while-loop, doesn't reliably ensure that all URBs of the anchor are gone.

A similar problem exists with usb_poison_anchored_urbs() and
usb_scuttle_anchored_urbs().

This patch adds an external do-while loop, which ensures that all URBs
are indeed handled before these three functions return. This change has
no effect at all unless the race condition occurs, in which case the
loop will busy-wait until the racing completer callback has finished.
This is a rare condition, so the CPU waste of this spinning is
negligible.

The additional do-while loop relies on usb_anchor_check_wakeup(), which
returns true iff the anchor list is empty, and there is no
__usb_hcd_giveback_urb() in the system that is in the middle of the
unanchor-before-complete phase. The @suspend_wakeups member of
struct usb_anchor is used for this purpose, which was introduced to solve
another problem which the same race condition causes, in commit
6ec4147e7bdb ("usb-anchor: Delay usb_wait_anchor_empty_timeout wake up
till completion is done").

The surely_empty variable is necessary, because usb_anchor_check_wakeup()
must be called with the lock held to prevent races. However the spinlock
must be released and reacquired if the outer loop spins with an empty
URB list while waiting for the unanchor-before-complete passage to finish:
The completer callback may very well attempt to take the very same lock.

To summarize, using usb_anchor_check_wakeup() means that the patched
functions can return only when the anchor's list is empty, and there is
no invisible URB being processed. Since the inner while loop finishes on
the empty list condition, the new do-while loop will terminate as well,
except for when the said race condition occurs.

Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20200731054650.30644-1-eli.billauer@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
4 years agobrcm80211: fix possible memleak in brcmf_proto_msgbuf_attach
Wang Yufen [Mon, 20 Jul 2020 09:36:05 +0000 (17:36 +0800)]
brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach

[ Upstream commit 6c151410d5b57e6bb0d91a735ac511459539a7bf ]

When brcmf_proto_msgbuf_attach fail and msgbuf->txflow_wq != NULL,
we should destroy the workqueue.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1595237765-66238-1-git-send-email-wangyufen@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
4 years agoreiserfs: Fix memory leak in reiserfs_parse_options()
Jan Kara [Wed, 4 Mar 2020 13:01:44 +0000 (14:01 +0100)]
reiserfs: Fix memory leak in reiserfs_parse_options()

[ Upstream commit e9d4709fcc26353df12070566970f080e651f0c9 ]

When a usrjquota or grpjquota mount option is used multiple times, we
will leak memory allocated for the file name. Make sure the last setting
is used and all the previous ones are properly freed.

Reported-by: syzbot+c9e294bbe0333a6b7640@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
4 years agoipvs: Fix uninit-value in do_ip_vs_set_ctl()
Peilin Ye [Tue, 11 Aug 2020 07:46:40 +0000 (03:46 -0400)]
ipvs: Fix uninit-value in do_ip_vs_set_ctl()

[ Upstream commit c5a8a8498eed1c164afc94f50a939c1a10abf8ad ]

do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
zero. Fix it.

Reported-by: syzbot+23b5f9e7caf61d9a3898@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2
Suggested-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
4 years agotty: ipwireless: fix error handling
Tong Zhang [Fri, 21 Aug 2020 16:19:40 +0000 (12:19 -0400)]
tty: ipwireless: fix error handling

[ Upstream commit db332356222d9429731ab9395c89cca403828460 ]

ipwireless_send_packet() can only return 0 on success and -ENOMEM on
error, the caller should check non zero for error condition

Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Acked-by: David Sterba <dsterba@suse.com>
Link: https://lore.kernel.org/r/20200821161942.36589-1-ztong0001@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
4 years agoFix use after free in get_capset_info callback.
Doug Horn [Wed, 2 Sep 2020 21:08:25 +0000 (14:08 -0700)]
Fix use after free in get_capset_info callback.

[ Upstream commit e219688fc5c3d0d9136f8d29d7e0498388f01440 ]

If a response to virtio_gpu_cmd_get_capset_info takes longer than
five seconds to return, the callback will access freed kernel memory
in vg->capsets.

Signed-off-by: Doug Horn <doughorn@google.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20200902210847.2689-2-gurchetansingh@chromium.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
4 years agortl8xxxu: prevent potential memory leak
Chris Chiu [Sun, 6 Sep 2020 04:04:24 +0000 (12:04 +0800)]
rtl8xxxu: prevent potential memory leak

[ Upstream commit 86279456a4d47782398d3cb8193f78f672e36cac ]

Free the skb if usb_submit_urb fails on rx_urb. And free the urb
no matter usb_submit_urb succeeds or not in rtl8xxxu_submit_int_urb.

Signed-off-by: Chris Chiu <chiu@endlessm.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200906040424.22022-1-chiu@endlessm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
4 years agobrcmsmac: fix memory leak in wlc_phy_attach_lcnphy
Keita Suzuki [Tue, 8 Sep 2020 12:17:41 +0000 (12:17 +0000)]
brcmsmac: fix memory leak in wlc_phy_attach_lcnphy

[ Upstream commit f4443293d741d1776b86ed1dd8c4e4285d0775fc ]

When wlc_phy_txpwr_srom_read_lcnphy fails in wlc_phy_attach_lcnphy,
the allocated pi->u.pi_lcnphy is leaked, since struct brcms_phy will be
freed in the caller function.

Fix this by calling wlc_phy_detach_lcnphy in the error handler of
wlc_phy_txpwr_srom_read_lcnphy before returning.

Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200908121743.23108-1-keitasuzuki.park@sslab.ics.keio.ac.jp
Signed-off-by: Sasha Levin <sashal@kernel.org>
4 years agoscsi: ibmvfc: Fix error return in ibmvfc_probe()
Jing Xiangfeng [Mon, 7 Sep 2020 08:39:49 +0000 (16:39 +0800)]
scsi: ibmvfc: Fix error return in ibmvfc_probe()

[ Upstream commit 5e48a084f4e824e1b624d3fd7ddcf53d2ba69e53 ]

Fix to return error code PTR_ERR() from the error handling case instead of
0.

Link: https://lore.kernel.org/r/20200907083949.154251-1-jingxiangfeng@huawei.com
Acked-by: Tyrel Datwyler <tyreld@linux.ibm.com>
Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
4 years agoBluetooth: Only mark socket zapped after unlocking
Abhishek Pandit-Subedi [Fri, 11 Sep 2020 22:33:18 +0000 (15:33 -0700)]
Bluetooth: Only mark socket zapped after unlocking

[ Upstream commit 20ae4089d0afeb24e9ceb026b996bfa55c983cc2 ]

Since l2cap_sock_teardown_cb doesn't acquire the channel lock before
setting the socket as zapped, it could potentially race with
l2cap_sock_release which frees the socket. Thus, wait until the cleanup
is complete before marking the socket as zapped.

This race was reproduced on a JBL GO speaker after the remote device
rejected L2CAP connection due to resource unavailability.

Here is a dmesg log with debug logs from a repro of this bug:
[ 3465.424086] Bluetooth: hci_core.c:hci_acldata_packet() hci0 len 16 handle 0x0003 flags 0x0002
[ 3465.424090] Bluetooth: hci_conn.c:hci_conn_enter_active_mode() hcon 00000000cfedd07d mode 0
[ 3465.424094] Bluetooth: l2cap_core.c:l2cap_recv_acldata() conn 000000007eae8952 len 16 flags 0x2
[ 3465.424098] Bluetooth: l2cap_core.c:l2cap_recv_frame() len 12, cid 0x0001
[ 3465.424102] Bluetooth: l2cap_core.c:l2cap_raw_recv() conn 000000007eae8952
[ 3465.424175] Bluetooth: l2cap_core.c:l2cap_sig_channel() code 0x03 len 8 id 0x0c
[ 3465.424180] Bluetooth: l2cap_core.c:l2cap_connect_create_rsp() dcid 0x0045 scid 0x0000 result 0x02 status 0x00
[ 3465.424189] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 4
[ 3465.424196] Bluetooth: l2cap_core.c:l2cap_chan_del() chan 000000006acf9bff, conn 000000007eae8952, err 111, state BT_CONNECT
[ 3465.424203] Bluetooth: l2cap_sock.c:l2cap_sock_teardown_cb() chan 000000006acf9bff state BT_CONNECT
[ 3465.424221] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 3
[ 3465.424226] Bluetooth: hci_core.h:hci_conn_drop() hcon 00000000cfedd07d orig refcnt 6
[ 3465.424234] BUG: spinlock bad magic on CPU#2, kworker/u17:0/159
[ 3465.425626] Bluetooth: hci_sock.c:hci_sock_sendmsg() sock 000000002bb0cb64 sk 00000000a7964053
[ 3465.430330]  lock: 0xffffff804410aac0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
[ 3465.430332] Causing a watchdog bite!

Signed-off-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Reported-by: Balakrishna Godavarthi <bgodavar@codeaurora.org>
Reviewed-by: Manish Mandlik <mmandlik@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
4 years agousb: ohci: Default to per-port over-current protection
Hamish Martin [Thu, 10 Sep 2020 21:25:11 +0000 (09:25 +1200)]
usb: ohci: Default to per-port over-current protection

[ Upstream commit b77d2a0a223bc139ee8904991b2922d215d02636 ]

Some integrated OHCI controller hubs do not expose all ports of the hub
to pins on the SoC. In some cases the unconnected ports generate
spurious over-current events. For example the Broadcom 56060/Ranger 2 SoC
contains a nominally 3 port hub but only the first port is wired.

Default behaviour for ohci-platform driver is to use global over-current
protection mode (AKA "ganged"). This leads to the spurious over-current
events affecting all ports in the hub.

We now alter the default to use per-port over-current protection.

This patch results in the following configuration changes depending
on quirks:
- For quirk OHCI_QUIRK_SUPERIO no changes. These systems remain set up
  for ganged power switching and no over-current protection.
- For quirk OHCI_QUIRK_AMD756 or OHCI_QUIRK_HUB_POWER power switching
  remains at none, while over-current protection is now guaranteed to be
  set to per-port rather than the previous behaviour where it was either
  none or global over-current protection depending on the value at
  function entry.

Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
Link: https://lore.kernel.org/r/20200910212512.16670-1-hamish.martin@alliedtelesis.co.nz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
4 years agoxfs: make sure the rt allocator doesn't run off the end
Darrick J. Wong [Wed, 9 Sep 2020 21:21:06 +0000 (14:21 -0700)]
xfs: make sure the rt allocator doesn't run off the end

[ Upstream commit 2a6ca4baed620303d414934aa1b7b0a8e7bab05f ]

There's an overflow bug in the realtime allocator.  If the rt volume is
large enough to handle a single allocation request that is larger than
the maximum bmap extent length and the rt bitmap ends exactly on a
bitmap block boundary, it's possible that the near allocator will try to
check the freeness of a range that extends past the end of the bitmap.
This fails with a corruption error and shuts down the fs.

Therefore, constrain maxlen so that the range scan cannot run off the
end of the rt bitmap.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>