platform/kernel/linux-amlogic.git
7 years agounifykey: add secure storage and nand key support
Jiamin Ma [Sat, 29 Jul 2017 13:20:06 +0000 (21:20 +0800)]
unifykey: add secure storage and nand key support

PD#148390: this commit fix two problems
1. the previews way to detect storage type is invalid
2. the previews define of max key size for nand and emmc
   is wrong

Change-Id: Ie7c05f3e0d85c2386177e196187f52786e0955f4
Signed-off-by: Jiamin Ma <jiamin.ma@amlogic.com>
7 years agodts: add a113x & a113d skt config
Yueguie He [Thu, 3 Aug 2017 05:59:00 +0000 (13:59 +0800)]
dts: add a113x & a113d skt config

PD#148646: add a113x & a113d skt config

Change-Id: Id52e858fdb80b236dd504fba6c3ef6f47181d952
Signed-off-by: Yueguie He <yuegui.he@amlogic.com>
7 years agomtd: nand: fix false ecc report on infopage
Yonghui Yu [Thu, 20 Jul 2017 14:38:16 +0000 (22:38 +0800)]
mtd: nand: fix false ecc report on infopage

PD#147956: mtd: nand: fix false ecc report on infopage

Infopage must be programed with scrambled to fit romboot.
And all “0xff” page will be reported as uncorrectable falsely
with scramber on.
we have to exclude this by counting the zero byts.

Change-Id: I167491bee69444f64231a09e41d04bcd03f30d65
Signed-off-by: Yonghui Yu <yonghui.yu@amlogic.com>
7 years agodefconfig: meson32: enable LOCKUP detector
jianxin.pan [Thu, 3 Aug 2017 02:11:18 +0000 (10:11 +0800)]
defconfig: meson32: enable LOCKUP detector

PD#141217: enable LOCKUP detector for meson32

Change-Id: I2a70e7b29ddc12a720704a4edf5d6334802263a5
Signed-off-by: jianxin.pan <jianxin.pan@amlogic.com>
7 years agodvb: modify dvb-frontend
Hualing Chen [Tue, 18 Jul 2017 10:29:48 +0000 (18:29 +0800)]
dvb: modify dvb-frontend

PD#147721: dvb: modify dvb-frontend some struct and add dvb dts

1. add dvbs dvbt info at frontend
2. add blind cmd
3. add dvb dts

Change-Id: I22ab5284e646a17ae060f229bcf7c27ee5b6211f
Signed-off-by: Hualing Chen <hualing.chen@amlogic.com>
7 years agoMerge branch 'android-4.9' into amlogic-4.9-dev
Victor Wan [Tue, 1 Aug 2017 10:38:14 +0000 (18:38 +0800)]
Merge branch 'android-4.9' into amlogic-4.9-dev

7 years agoi2c: add i2c auto test and fix i2c clk error.
Xuhua Zhang [Mon, 26 Jun 2017 07:44:23 +0000 (15:44 +0800)]
i2c: add i2c auto test and fix i2c clk error.

PD#146534: add i2c auto test and fix i2c clk error.

1. add i2c auto test function form 50KHZ to 3.4MHZ.
2. fix i2c clk distortion when the clk go beyond 1MHZ.
3. fix i2c clk distortion when the clk less than 100KHZ.
4. fit for i2c T_low/T_higt time standard.
5. reduce i2c error log.

Change-Id: I2bb5598684848478aa18349b87eaac5bcc44065d
Signed-off-by: Xuhua Zhang <xuhua.zhang@amlogic.com>
7 years agowifi: fix iptable forward cmd issue[1/1]
Rongjun Chen [Tue, 25 Jul 2017 08:20:39 +0000 (16:20 +0800)]
wifi: fix iptable forward cmd issue[1/1]

PD#147462: add some iptabe nat support to fix android NatController
cmd issue

Change-Id: Ia2e8e4f14898c5e3c6b2e2b61007260ff74db193
Signed-off-by: Rongjun Chen <rongjun.chen@amlogic.com>
7 years agoMerge "lcd: enable clkree gate" into amlogic-4.9-dev
Jianxin Pan [Mon, 31 Jul 2017 12:22:19 +0000 (05:22 -0700)]
Merge "lcd: enable clkree gate" into amlogic-4.9-dev

7 years agolcd: enable clkree gate
Weiming Liu [Fri, 28 Jul 2017 05:11:18 +0000 (13:11 +0800)]
lcd: enable clkree gate

PD#146437: lcd: enable clktree gate

Change-Id: I9fcc1b37ec291a27a169092a129663fbdab5aefa
Signed-off-by: Weiming Liu <weiming.liu@amlogic.com>
7 years agodefconfig: fix coldboot_done too long,reduce /dev/pty* devices
Yixun Lan [Mon, 31 Jul 2017 05:46:21 +0000 (13:46 +0800)]
defconfig: fix coldboot_done too long,reduce /dev/pty* devices

PD#148403: fix coldboot_done too long,reduce /dev/pty* devices

with this change, boot from android
needle:/ # dmesg | grep ueventd
[ 3.657267@2] init: Starting service 'ueventd'...
[ 3.662364@0] ueventd: ueventd started!
[ 4.364547@2] ueventd: Coldboot took 0.70s. // prevous 1.44s

Change-Id: Iedf6b530bffb3aa6411f538e1c0dadb611dc616e
Signed-off-by: Yixun Lan <yixun.lan@amlogic.com>
7 years agoclk: add mipi enable and bandgap gate
Yun Cai [Tue, 11 Jul 2017 11:28:13 +0000 (19:28 +0800)]
clk: add mipi enable and bandgap gate

PD#146437: axg: add mipi enable and bandgap gate and
update clkmsr for cts_encl_clk

Change-Id: If14ede7ab0a0b649879153cb1089bec04c7412b2
Signed-off-by: Yun Cai <yun.cai@amlogic.com>
7 years agounifykey: support both old and new unifykey format
Jiamin Ma [Mon, 24 Jul 2017 10:39:23 +0000 (18:39 +0800)]
unifykey: support both old and new unifykey format

PD#148057: for m8bb m200 platform, we have the latest linux kernel
and a relative old version uboot running on it. For some historic
resons, the unifykey data stored in emmc/nand has totally different
format, which means the key stored by old uboot cannot be fetched
out by new kernel. To solve this problem, we have to support both
the old and new unifykey dataformat in lasted kernel.

Change-Id: Ic70df6543466b345a5ff513bfaabfe4cfcf647ed
Signed-off-by: Jiamin Ma <jiamin.ma@amlogic.com>
7 years agodts: gxl: add p231 buildroot dts.
liangzhuo.xie [Tue, 25 Jul 2017 04:09:50 +0000 (12:09 +0800)]
dts: gxl: add p231 buildroot dts.

PD#147281: P231 4.9 add wpe-launcher and chromium

Change-Id: Iba74fce849e86f71742526e4a6cf6b999084b2dd
Signed-off-by: liangzhuo.xie <liangzhuo.xie@amlogic.com>
7 years agopwm: fix kernel crash using spinlock_t lock
Jian Hu [Fri, 28 Jul 2017 06:41:05 +0000 (14:41 +0800)]
pwm: fix kernel crash using spinlock_t lock

PD#148269: fix kernel panic when hibenating

1.Using mutex lock instead of spinlock_t lock.
2.Clk_prepare_enable might sleep could not use
  spinlock_t lock.
3.Add spinlock_t lock for clock_mux.
4.Panic message:
BUG: sleeping function called from invalid context at
kernel/locking/mutex.c:97
in_atomic(): 1, irqs_disabled(): 128, pid: 2501, name: sh
Preemption disabled at:[   69.935889@1] [<ffffff80097af728>]
meson_pwm_apply+0x48/0x398

Change-Id: Ib2f42c4d757d1bb4bd8e4df0f90f7924be2fa799
Signed-off-by: Jian Hu <jian.hu@amlogic.com>
7 years agoaudio: fix tdm audio format
Xing Wang [Fri, 21 Jul 2017 08:12:36 +0000 (16:12 +0800)]
audio: fix tdm audio format

PD#146334: audio: fix tdm bclk and fclk revert and skew issue

Change-Id: I1dcb6f8559b3c04a2ddbb7c13a6115001c249c18
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
7 years agodefconfig: disable LOCKUP detect for meson32/64_defconfig
jianxin.pan [Fri, 28 Jul 2017 06:14:10 +0000 (14:14 +0800)]
defconfig: disable LOCKUP detect for meson32/64_defconfig

PD#138714: disable LOCKUP detect
-CONFIG_LOCKUP_DETECTOR=y
-CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y

Change-Id: I74df363b34e6a2fa95cd0aa30485fd941764be09
Signed-off-by: jianxin.pan <jianxin.pan@amlogic.com>
Signed-off-by: Jiamin Ma <jiamin.ma@amlogic.com>
7 years agousb: fix adb reboot panic.
Yue Wang [Mon, 24 Jul 2017 08:08:25 +0000 (16:08 +0800)]
usb: fix adb reboot panic.

PD#146539: usb: fix adb reboot panic.

Avoid kernel panic caused by race condition. For example,
1. In the ffs_epfile_io function, data buffer is allocated
for non-halt requests and the address of this buffer is
writed to usb controller registers.
2. After adb process be killed, data buffer is freed and
this memory is allocated for the other. But the address
is hold by the controller.
3. Adbd in PC is running. So, the controller receive the
data and write to this memory.
4. The value of this memory is modified by the controller.
This could cause the kernel panic.

To avoid this, during FunctionFS mount, we allocated the
data buffer for requests. And the memory resources has
been released in kill_sb.

Change-Id: Ie06fae8ce18ea553d71f4841458c3c3af096ff4b
Signed-off-by: Yue Wang <yue.wang@amlogic.com>
7 years agoaudio: disable analog mic on board S400
Peipeng Zhao [Thu, 27 Jul 2017 08:37:13 +0000 (16:37 +0800)]
audio: disable analog mic on board S400

PD#148261: disable analog mic on board S400
because new mic board will not connnect analog mic
        if enable analog mic, it will generate much i2c error

Change-Id: I0bc63dcdb2b4dbf47b740266008529490bcac937
Signed-off-by: Peipeng Zhao <peipeng.zhao@amlogic.com>
7 years agoaudio: resume tdm mclk for revA
Xing Wang [Fri, 21 Jul 2017 11:30:34 +0000 (19:30 +0800)]
audio: resume tdm mclk for revA

PD#147886: audio: resume tdm mclk for revA

Change-Id: I6365a9b218fd022ded746d183673f53ee70b6183
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
7 years agowifi: appending wifi dts
Jian Hu [Tue, 25 Jul 2017 02:25:38 +0000 (10:25 +0800)]
wifi: appending wifi dts

PD#146172: wifi: appending wifi dts

Change-Id: I0d208bda96192d6198e7cf959abb0dce6fe96a5f
Signed-off-by: Jian Hu <jian.hu@amlogic.com>
7 years agopcie: fix pcie power on timing.
Yue Wang [Mon, 17 Jul 2017 03:46:55 +0000 (11:46 +0800)]
pcie: fix pcie power on timing.

PD#147564: pcie: fix pxie power on timing.

Change-Id: I28d39f0ed030f8886adecc9b575540c0ffc13716
Signed-off-by: Yue Wang <yue.wang@amlogic.com>
7 years agobl: update bl_pwm driver to adjust new api
Weiming Liu [Mon, 24 Jul 2017 12:13:33 +0000 (20:13 +0800)]
bl: update bl_pwm driver to adjust new api

PD#146172: bl: update bl_pwm driver to adjust new api

Change-Id: I8f1fa55e7276424086fe4f4e9dc011ccaa259740
Signed-off-by: Weiming Liu <weiming.liu@amlogic.com>
7 years agoPM/sleep: fine-tune meson legacy early_suspend/late_resume flow
Qiufang Dai [Fri, 21 Jul 2017 12:07:20 +0000 (20:07 +0800)]
PM/sleep: fine-tune meson legacy early_suspend/late_resume flow

PD#147988: PM / sleep: meson: fine-tune legacy early_suspend/late_resume flow
1. early_suspend/late_resume could be call via sysfs or pm notify.
2. enable remote wakesource irq for wakeup freeze mode.

Change-Id: Ic667e19b9262af2a2a5c3534bd3ab4e240a868be
Signed-off-by: Qiufang Dai <qiufang.dai@amlogic.com>
7 years agoaudio: fix dai-link multi-codec confs issue [1/1]
Shuai Li [Thu, 20 Jul 2017 11:33:05 +0000 (19:33 +0800)]
audio: fix dai-link multi-codec confs issue [1/1]

PD#147919: If more than one dai-link configure the codec prefix name,
tinymix shows only the last dai-link codec which has prefix-names.

This fix adds a for-loop to realloc confs for each dai-link setting.
Thus every prefix name will show in tinymix.

Change-Id: I347328a3329eb2bdba0e0b7e2295c75c8f3ec1e8
Signed-off-by: Shuai Li <shuai.li@amlogic.com>
7 years agopwm: add new pwm driver initially
Jian Hu [Thu, 22 Jun 2017 09:03:45 +0000 (17:03 +0800)]
pwm: add new pwm driver initially

PD#146172: pwm: add new pwm driver

1.Reference to upstream, add meson pwm driver initially.
2.pwm driver Verify passed on axg.
3.config for wifi 32k using latest driver.
4.wifi 32k verified on gxl/gxm/axg.

Change-Id: Ie602c879cf348c979d6783f1b295574c2fd782f2
Signed-off-by: Jian Hu <jian.hu@amlogic.com>
7 years agosaradc/adc_keypad: reduce the probability bl30 fail to get race flag
xingyu.chen [Thu, 20 Jul 2017 05:47:07 +0000 (13:47 +0800)]
saradc/adc_keypad: reduce the probability bl30 fail to get race flag

PD#146381: saradc/adc_keypad: reduce the probability bl30 fail to get race flag

1. unify the way to obtain race flag with bl30
2. replace the irq mode with polling mode
3. delay adc key scan time by 25ms

Change-Id: If072ee0a0a62c55e9c671baee0d25d1647e29ad9
Signed-off-by: xingyu.chen <xingyu.chen@amlogic.com>
7 years agodrm: dts include meson_drm
Jiyu Yang [Mon, 17 Jul 2017 12:37:23 +0000 (20:37 +0800)]
drm: dts include meson_drm

PD#147238: rm dep for ARCH_MESON, include meson_drm.dtsi

Change-Id: I08a973569d062338fc6084c55a765d08c2e6aaf5
Signed-off-by: Jiyu Yang <Jiyu.Yang@amlogic.com>
7 years agodrm: add drm support
Jiyu Yang [Fri, 14 Jul 2017 08:34:07 +0000 (16:34 +0800)]
drm: add drm support

PD#147238: drm tempoperily bringup on 4.9

Change-Id: I3fa93b57404445985f5f3380f9b9a64161ff720a
Signed-off-by: Jiyu Yang <Jiyu.Yang@amlogic.com>
7 years agodrm/meson: Fix plane atomic check when no crtc for the plane
Neil Armstrong [Mon, 2 Jan 2017 15:09:59 +0000 (16:09 +0100)]
drm/meson: Fix plane atomic check when no crtc for the plane

PD#147238: enable DRM driver on kernel 4.9
When no CRTC is associated with the plane, the meson_plane_atomic_check()
call breaks the kernel with an Oops.

Change-Id: I9d31c405316460420c0ed56dfcb0fc4ef6f86938
Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
7 years agodrm/meson: Fix CVBS initialization when HDMI is configured by bootloader
Neil Armstrong [Mon, 2 Jan 2017 15:14:15 +0000 (16:14 +0100)]
drm/meson: Fix CVBS initialization when HDMI is configured by bootloader

PD#147238: enable DRM driver on kernel 4.9
When the HDMI output is configured by the bootloader, there is mismatch is the
pipeline configuration and the Vsync interrupt fails to trigger.

This commit disables the HDMI blocks in the probe phase.

Change-Id: Ibf7b6384e9d34f790bd87a5e6f34a93a2d274d7c
Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
7 years agodrm/meson: Fix CVBS VDAC disable
Neil Armstrong [Wed, 4 Jan 2017 09:51:02 +0000 (10:51 +0100)]
drm/meson: Fix CVBS VDAC disable

PD#147238: enable DRM driver on kernel 4.9
This commit fixes the VDAC disabling register write values.

Change-Id: I5534a15e52730ee2a5b54d1aa82bbe59c2e01b50
Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
7 years agodrm: Add support for Amlogic Meson Graphic Controller
Neil Armstrong [Thu, 10 Nov 2016 14:29:37 +0000 (15:29 +0100)]
drm: Add support for Amlogic Meson Graphic Controller

PD#147238: enable DRM driver on kernel 4.9
The Amlogic Meson Display controller is composed of several components :

DMC|---------------VPU (Video Processing Unit)----------------|------HHI------|
   | vd1   _______     _____________    _________________     |               |
D  |-------|      |----|            |   |                |    |   HDMI PLL    |
D  | vd2   | VIU  |    | Video Post |   | Video Encoders |<---|-----VCLK      |
R  |-------|      |----| Processing |   |                |    |               |
   | osd2  |      |    |            |---| Enci ----------|----|-----VDAC------|
R  |-------| CSC  |----| Scalers    |   | Encp ----------|----|----HDMI-TX----|
A  | osd1  |      |    | Blenders   |   | Encl ----------|----|---------------|
M  |-------|______|----|____________|   |________________|    |               |
___|__________________________________________________________|_______________|

VIU: Video Input Unit
---------------------

The Video Input Unit is in charge of the pixel scanout from the DDR memory.
It fetches the frames addresses, stride and parameters from the "Canvas" memory.
This part is also in charge of the CSC (Colorspace Conversion).
It can handle 2 OSD Planes and 2 Video Planes.

VPP: Video Post Processing
--------------------------

The Video Post Processing is in charge of the scaling and blending of the
various planes into a single pixel stream.
There is a special "pre-blending" used by the video planes with a dedicated
scaler and a "post-blending" to merge with the OSD Planes.
The OSD planes also have a dedicated scaler for one of the OSD.

VENC: Video Encoders
--------------------

The VENC is composed of the multiple pixel encoders :
 - ENCI : Interlace Video encoder for CVBS and Interlace HDMI
 - ENCP : Progressive Video Encoder for HDMI
 - ENCL : LCD LVDS Encoder
The VENC Unit gets a Pixel Clocks (VCLK) from a dedicated HDMI PLL and clock
tree and provides the scanout clock to the VPP and VIU.
The ENCI is connected to a single VDAC for Composite Output.
The ENCI and ENCP are connected to an on-chip HDMI Transceiver.

This driver is a DRM/KMS driver using the following DRM components :
 - GEM-CMA
 - PRIME-CMA
 - Atomic Modesetting
 - FBDev-CMA

For the following SoCs :
 - GXBB Family (S905)
 - GXL Family (S905X, S905D)
 - GXM Family (S912)

The current driver only supports the CVBS PAL/NTSC output modes, but the
CRTC/Planes management should support bigger modes.
But Advanced Colorspace Conversion, Scaling and HDMI Modes will be added in
a second time.

The Device Tree bindings makes use of the endpoints video interface definitions
to connect to the optional CVBS and in the future the HDMI Connector nodes.

HDMI Support is planned for a next release.

Change-Id: I72d50f54b4e7ab73d447cf664e959a3c43e58809
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
7 years agoconfigs: disable hardlockup
Jiamin Ma [Thu, 20 Jul 2017 06:22:25 +0000 (14:22 +0800)]
configs: disable hardlockup

PD#138714: disable hardlockup

Change-Id: I0b10bfdc65b0a99b8a9fe213b274cacfd16110f7
Signed-off-by: Jiamin Ma <jiamin.ma@amlogic.com>
7 years agodt-bindings: display: add Amlogic Meson DRM Bindings
Neil Armstrong [Fri, 25 Nov 2016 15:10:56 +0000 (16:10 +0100)]
dt-bindings: display: add Amlogic Meson DRM Bindings

PD#147238: enable DRM driver on Kernel4.9

Change-Id: I5a7e60857384de6690a08cc496163377c0b26b7a
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
7 years agoMerge branch 'android-4.9' into amlogic-4.9-dev
Victor Wan [Wed, 19 Jul 2017 15:20:20 +0000 (23:20 +0800)]
Merge branch 'android-4.9' into amlogic-4.9-dev

7 years agoclk: axg: fine-tune pll set_rate op [1/1]
Qiufang Dai [Fri, 14 Jul 2017 12:19:33 +0000 (20:19 +0800)]
clk: axg: fine-tune pll set_rate op [1/1]

PD#146411: if set_rate target rate equal to old rate, just skip.

Change-Id: I945fdf6f72c5fccc6e0e701fe8f50fba8458d99f
Signed-off-by: Qiufang Dai <qiufang.dai@amlogic.com>
7 years agoAdd BINDER_GET_NODE_DEBUG_INFO ioctl
Colin Cross [Tue, 20 Jun 2017 20:54:44 +0000 (13:54 -0700)]
Add BINDER_GET_NODE_DEBUG_INFO ioctl

The BINDER_GET_NODE_DEBUG_INFO ioctl will return debug info on
a node.  Each successive call reusing the previous return value
will return the next node.  The data will be used by
libmemunreachable to mark the pointers with kernel references
as reachable.

Bug: 28275695
Change-Id: Idbbafa648a33822dc023862cd92b51a595cf7c1c
Signed-off-by: Colin Cross <ccross@android.com>
Signed-off-by: Martijn Coenen <maco@android.com>
7 years agoANDROID: binder: add RT inheritance flag to node.
Martijn Coenen [Fri, 23 Jun 2017 17:13:43 +0000 (10:13 -0700)]
ANDROID: binder: add RT inheritance flag to node.

Allows a binder node to specify whether it wants to
inherit real-time scheduling policy from a caller.

Change-Id: I375b6094bf441c19f19cba06d5a6be02cd07d714
Signed-off-by: Martijn Coenen <maco@android.com>
7 years agoANDROID: binder: improve priority inheritance.
Martijn Coenen [Wed, 7 Jun 2017 17:02:12 +0000 (10:02 -0700)]
ANDROID: binder: improve priority inheritance.

By raising the priority of a thread selected for
a transaction *before* we wake it up.

Delay restoring the priority when doing a reply
until after we wake-up the process receiving
the reply.

Change-Id: Ic332e4e0ed7d2d3ca6ab1034da4629c9eadd3405
Signed-off-by: Martijn Coenen <maco@google.com>
7 years agoANDROID: binder: add min sched_policy to node.
Martijn Coenen [Wed, 7 Jun 2017 16:29:14 +0000 (09:29 -0700)]
ANDROID: binder: add min sched_policy to node.

This change adds flags to flat_binder_object.flags
to allow indicating a minimum scheduling policy for
the node. It also clarifies the valid value range
for the priority bits in the flags.

Internally, we use the priority map that the kernel
uses, e.g. [0..99] for real-time policies and [100..139]
for the SCHED_NORMAL/SCHED_BATCH policies.

Bug: 34461621
Bug: 37293077
Change-Id: I12438deecb53df432da18c6fc77460768ae726d2
Signed-off-by: Martijn Coenen <maco@google.com>
7 years agoANDROID: binder: add support for RT prio inheritance.
Martijn Coenen [Wed, 7 Jun 2017 00:04:42 +0000 (17:04 -0700)]
ANDROID: binder: add support for RT prio inheritance.

Adds support for SCHED_BATCH/SCHED_FIFO/SCHED_RR
priority inheritance.

Change-Id: I71f356e476be2933713a0ecfa2cc31aa141e2dc6
Signed-off-by: Martijn Coenen <maco@google.com>
7 years agoANDROID: binder: push new transactions to waiting threads.
Martijn Coenen [Tue, 6 Jun 2017 22:17:46 +0000 (15:17 -0700)]
ANDROID: binder: push new transactions to waiting threads.

Instead of pushing new transactions to the process
waitqueue, select a thread that is waiting on proc
work to handle the transaction. This will make it
easier to improve priority inheritance in future
patches, by setting the priority before we wake up
a thread.

If we can't find a waiting thread, submit the work
to the proc waitqueue instead as we did previously.

Change-Id: I23cbfcca867bed7b86007e22137d0a8fad4b4001
Signed-off-by: Martijn Coenen <maco@google.com>
7 years agoANDROID: binder: remove proc waitqueue
Martijn Coenen [Fri, 2 Jun 2017 18:15:44 +0000 (11:15 -0700)]
ANDROID: binder: remove proc waitqueue

Removes the process waitqueue, so that threads
can only wait on the thread waitqueue. Whenever
there is process work to do, pick a thread and
wake it up.

This also fixes an issue with using epoll(),
since we no longer have to block on different
waitqueues.

Bug: 34461621
Change-Id: I2950b9de6fa078ee72d53c667a03cbaf587f0849
Signed-off-by: Martijn Coenen <maco@google.com>
7 years agoPD#147376: fix hdmitx extcon NULL pointer error.
Lianghu Su [Tue, 11 Jul 2017 12:56:33 +0000 (20:56 +0800)]
PD#147376: fix hdmitx extcon NULL pointer error.

Change-Id: Idabf1f61f4b264115ecdbf147715cbed3c938df1
Signed-off-by: Lianghu Su <lianghu.su@amlogic.com>
7 years agoaudio: add loopback
Xing Wang [Thu, 6 Jul 2017 13:40:10 +0000 (21:40 +0800)]
audio: add loopback

PD#147538: audio: loopback for pdm/spdif/tdm

1. pdm/spdif/tdm as loopback datain soruce, tdmin_lb as datalb source
2. add mixer kcontrols for loopback

Change-Id: I579db913080b3bb02bc99885eb330e24af8a0edb
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
7 years agoaudio: pdm dclk support 3.072m/1.024m/768k
Xing Wang [Thu, 13 Jul 2017 12:31:44 +0000 (20:31 +0800)]
audio: pdm dclk support 3.072m/1.024m/768k

PD#147320: audio: pdm dclk support 3.072m/1.024m/768k

Change-Id: I3904fa73fed7c91bf7f709317e211053cf4bb9b2
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
7 years agoMerge 4.9.38 into android-4.9
Greg Kroah-Hartman [Sat, 15 Jul 2017 11:31:27 +0000 (13:31 +0200)]
Merge 4.9.38 into android-4.9

Changes in 4.9.38
mqueue: fix a use-after-free in sys_mq_notify()
Add "shutdown" to "struct class".
tpm: Issue a TPM2_Shutdown for TPM2 devices.
tools include: Add a __fallthrough statement
tools string: Use __fallthrough in perf_atoll()
tools strfilter: Use __fallthrough
perf top: Use __fallthrough
perf thread_map: Correctly size buffer used with dirent->dt_name
perf intel-pt: Use __fallthrough
perf tests: Avoid possible truncation with dirent->d_name + snprintf
perf bench numa: Avoid possible truncation when using snprintf()
perf header: Fix handling of PERF_EVENT_UPDATE__SCALE
perf scripting perl: Fix compile error with some perl5 versions
perf probe: Fix to probe on gcc generated symbols for offline kernel
perf probe: Add error checks to offline probe post-processing
md: fix incorrect use of lexx_to_cpu in does_sb_need_changing
md: fix super_offset endianness in super_1_rdev_size_change
locking/rwsem-spinlock: Fix EINTR branch in __down_write_common()
staging: vt6556: vnt_start Fix missing call to vnt_key_init_table.
staging: comedi: fix clean-up of comedi_class in comedi_init()
crypto: caam - fix gfp allocation flags (part I)
crypto: rsa-pkcs1pad - use constant time memory comparison for MACs
ext4: check return value of kstrtoull correctly in reserved_clusters_store
x86/mm/pat: Don't report PAT on CPUs that don't support it
saa7134: fix warm Medion 7134 EEPROM read
Linux 4.9.38

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
7 years agoLinux 4.9.38 v4.9.38
Greg Kroah-Hartman [Sat, 15 Jul 2017 10:17:55 +0000 (12:17 +0200)]
Linux 4.9.38

7 years agosaa7134: fix warm Medion 7134 EEPROM read
Maciej S. Szmigiero [Sat, 2 Jul 2016 23:27:46 +0000 (20:27 -0300)]
saa7134: fix warm Medion 7134 EEPROM read

commit 5a91206ff0d0548939f3e85a65fb76b400fb0e89 upstream.

When saa7134 module driving a Medion 7134 card is reloaded reads of this
card EEPROM (required for automatic detection of tuner model) will be
corrupted due to I2C gate in DVB-T demod being left closed.
This sometimes also happens on first saa7134 module load after a warm
reboot.

Fix this by opening this I2C gate before doing EEPROM read during i2c
initialization.

Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Cc: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agox86/mm/pat: Don't report PAT on CPUs that don't support it
Mikulas Patocka [Tue, 4 Jul 2017 23:04:23 +0000 (19:04 -0400)]
x86/mm/pat: Don't report PAT on CPUs that don't support it

commit 99c13b8c8896d7bcb92753bf0c63a8de4326e78d upstream.

The pat_enabled() logic is broken on CPUs which do not support PAT and
where the initialization code fails to call pat_init(). Due to that the
enabled flag stays true and pat_enabled() returns true wrongfully.

As a consequence the mappings, e.g. for Xorg, are set up with the wrong
caching mode and the required MTRR setups are omitted.

To cure this the following changes are required:

  1) Make pat_enabled() return true only if PAT initialization was
     invoked and successful.

  2) Invoke init_cache_modes() unconditionally in setup_arch() and
     remove the extra callsites in pat_disable() and the pat disabled
     code path in pat_init().

Also rename __pat_enabled to pat_disabled to reflect the real purpose of
this variable.

Fixes: 9cd25aac1f44 ("x86/mm/pat: Emulate PAT when it is disabled")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Bernhard Held <berny156@gmx.de>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: "Luis R. Rodriguez" <mcgrof@suse.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1707041749300.3456@file01.intranet.prod.int.rdu2.redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoext4: check return value of kstrtoull correctly in reserved_clusters_store
Chao Yu [Fri, 23 Jun 2017 05:08:22 +0000 (01:08 -0400)]
ext4: check return value of kstrtoull correctly in reserved_clusters_store

commit 1ea1516fbbab2b30bf98c534ecaacba579a35208 upstream.

kstrtoull returns 0 on success, however, in reserved_clusters_store we
will return -EINVAL if kstrtoull returns 0, it makes us fail to update
reserved_clusters value through sysfs.

Fixes: 76d33bca5581b1dd5c3157fa168db849a784ada4
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Miao Xie <miaoxie@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agocrypto: rsa-pkcs1pad - use constant time memory comparison for MACs
Jason A. Donenfeld [Sun, 11 Jun 2017 21:20:23 +0000 (23:20 +0200)]
crypto: rsa-pkcs1pad - use constant time memory comparison for MACs

commit fec17cb2231733174e039ad9054fa16bb358e2ec upstream.

Otherwise, we enable all sorts of forgeries via timing attack.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Suggested-by: Stephan Müller <smueller@chronox.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-crypto@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agocrypto: caam - fix gfp allocation flags (part I)
Horia Geantă [Mon, 19 Jun 2017 08:44:45 +0000 (11:44 +0300)]
crypto: caam - fix gfp allocation flags (part I)

commit 42cfcafb91dabb0f9d9e08396c39824535948c67 upstream.

Changes in the SW cts (ciphertext stealing) code in
commit 0605c41cc53ca ("crypto: cts - Convert to skcipher")
revealed a problem in the CAAM driver:
when cts(cbc(aes)) is executed and cts runs in SW,
cbc(aes) is offloaded in CAAM; cts encrypts the last block
in atomic context and CAAM incorrectly decides to use GFP_KERNEL
for memory allocation.

Fix this by allowing GFP_KERNEL (sleeping) only when MAY_SLEEP flag is
set, i.e. remove MAY_BACKLOG flag.

We split the fix in two parts - first is sent to -stable, while the
second is not (since there is no known failure case).

Link: http://lkml.kernel.org/g/20170602122446.2427-1-david@sigma-star.at
Reported-by: David Gstir <david@sigma-star.at>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agostaging: comedi: fix clean-up of comedi_class in comedi_init()
Ian Abbott [Fri, 16 Jun 2017 18:35:34 +0000 (19:35 +0100)]
staging: comedi: fix clean-up of comedi_class in comedi_init()

commit a9332e9ad09c2644c99058fcf6ae2f355e93ce74 upstream.

There is a clean-up bug in the core comedi module initialization
functions, `comedi_init()`.  If the `comedi_num_legacy_minors` module
parameter is non-zero (and valid), it creates that many "legacy" devices
and registers them in SysFS.  A failure causes the function to clean up
and return an error.  Unfortunately, it fails to destroy the "comedi"
class that was created earlier.  Fix it by adding a call to
`class_destroy(comedi_class)` at the appropriate place in the clean-up
sequence.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agostaging: vt6556: vnt_start Fix missing call to vnt_key_init_table.
Malcolm Priestley [Sat, 29 Apr 2017 12:03:44 +0000 (13:03 +0100)]
staging: vt6556: vnt_start Fix missing call to vnt_key_init_table.

commit dc32190f2cd41c7dba25363ea7d618d4f5172b4e upstream.

The key table is not intialized correctly without this call.

Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agolocking/rwsem-spinlock: Fix EINTR branch in __down_write_common()
Kirill Tkhai [Fri, 16 Jun 2017 13:44:34 +0000 (16:44 +0300)]
locking/rwsem-spinlock: Fix EINTR branch in __down_write_common()

commit a0c4acd2c220376b4e9690e75782d0c0afdaab9f upstream.

If a writer could been woken up, the above branch

if (sem->count == 0)
break;

would have moved us to taking the sem. So, it's
not the time to wake a writer now, and only readers
are allowed now. Thus, 0 must be passed to __rwsem_do_wake().

Next, __rwsem_do_wake() wakes readers unconditionally.
But we mustn't do that if the sem is owned by writer
in the moment. Otherwise, writer and reader own the sem
the same time, which leads to memory corruption in
callers.

rwsem-xadd.c does not need that, as:

  1) the similar check is made lockless there,
  2) in __rwsem_mark_wake::try_reader_grant we test,

that sem is not owned by writer.

Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Niklas Cassel <niklas.cassel@axis.com>
Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 17fcbd590d0c "locking/rwsem: Fix down_write_killable() for CONFIG_RWSEM_GENERIC_SPINLOCK=y"
Link: http://lkml.kernel.org/r/149762063282.19811.9129615532201147826.stgit@localhost.localdomain
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agomd: fix super_offset endianness in super_1_rdev_size_change
Jason Yan [Fri, 10 Mar 2017 03:27:23 +0000 (11:27 +0800)]
md: fix super_offset endianness in super_1_rdev_size_change

commit 3fb632e40d7667d8bedfabc28850ac06d5493f54 upstream.

The sb->super_offset should be big-endian, but the rdev->sb_start is in
host byte order, so fix this by adding cpu_to_le64.

Signed-off-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agomd: fix incorrect use of lexx_to_cpu in does_sb_need_changing
Jason Yan [Fri, 10 Mar 2017 03:49:12 +0000 (11:49 +0800)]
md: fix incorrect use of lexx_to_cpu in does_sb_need_changing

commit 1345921393ba23b60d3fcf15933e699232ad25ae upstream.

The sb->layout is of type __le32, so we shoud use le32_to_cpu.

Signed-off-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoperf probe: Add error checks to offline probe post-processing
Masami Hiramatsu [Wed, 11 Jan 2017 06:00:47 +0000 (15:00 +0900)]
perf probe: Add error checks to offline probe post-processing

commit 3e96dac7c956089d3f23aca98c4dfca57b6aaf8a upstream.

Add error check codes on post processing and improve it for offline
probe events as:

 - post processing fails if no matched symbol found in map(-ENOENT)
   or strdup() failed(-ENOMEM).

 - Even if the symbol name is the same, it updates symbol address
   and offset.

Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/148411443738.9978.4617979132625405545.stgit@devbox
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Krister Johansen <kjlx@templeofstupid.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoperf probe: Fix to probe on gcc generated symbols for offline kernel
Masami Hiramatsu [Wed, 4 Jan 2017 03:30:19 +0000 (12:30 +0900)]
perf probe: Fix to probe on gcc generated symbols for offline kernel

commit 8a937a25a7e3c19d5fb3f9d92f605cf5fda219d8 upstream.

Fix perf-probe to show probe definition on gcc generated symbols for
offline kernel (including cross-arch kernel image).

gcc sometimes optimizes functions and generate new symbols with suffixes
such as ".constprop.N" or ".isra.N" etc. Since those symbol names are
not recorded in DWARF, we have to find correct generated symbols from
offline ELF binary to probe on it (kallsyms doesn't correct it).  For
online kernel or uprobes we don't need it because those are rebased on
_text, or a section relative address.

E.g. Without this:

  $ perf probe -k build-arm/vmlinux -F __slab_alloc*
  __slab_alloc.constprop.9
  $ perf probe -k build-arm/vmlinux -D __slab_alloc
  p:probe/__slab_alloc __slab_alloc+0

If you put above definition on target machine, it should fail
because there is no __slab_alloc in kallsyms.

With this fix, perf probe shows correct probe definition on
__slab_alloc.constprop.9:

  $ perf probe -k build-arm/vmlinux -D __slab_alloc
  p:probe/__slab_alloc __slab_alloc.constprop.9+0

Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/148350060434.19001.11864836288580083501.stgit@devbox
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Krister Johansen <kjlx@templeofstupid.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoperf scripting perl: Fix compile error with some perl5 versions
Wang YanQing [Sun, 12 Feb 2017 02:46:55 +0000 (10:46 +0800)]
perf scripting perl: Fix compile error with some perl5 versions

commit d7dd112ea5cacf91ae72c0714c3b911eb6016fea upstream.

Fix below compile error:

  CC       util/scripting-engines/trace-event-perl.o
  In file included from /usr/lib/perl5/5.22.2/i686-linux/CORE/perl.h:5673:0,
                   from util/scripting-engines/trace-event-perl.c:31:
  /usr/lib/perl5/5.22.2/i686-linux/CORE/inline.h: In function 'S__is_utf8_char_slow':
  /usr/lib/perl5/5.22.2/i686-linux/CORE/inline.h:270:5: error: nested extern declaration of 'Perl___notused' [-Werror=nested-externs]
          dTHX;   /* The function called below requires thread context */
     ^
  cc1: all warnings being treated as errors

After digging perl5 repository, I find out that we will meet this
compile error with perl from v5.21.1 to v5.25.4

Signed-off-by: Wang YanQing <udknight@gmail.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Link: http://lkml.kernel.org/r/20170212024655.GA15997@udknight
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoperf header: Fix handling of PERF_EVENT_UPDATE__SCALE
Arnaldo Carvalho de Melo [Thu, 9 Feb 2017 00:57:22 +0000 (21:57 -0300)]
perf header: Fix handling of PERF_EVENT_UPDATE__SCALE

commit 8434a2ec13d5c8cb25716950bfbf7c9d7b64628a upstream.

In commit daeecbc0c431 ("perf tools: Add event_update event scale type"), the
handling of PERF_EVENT_UPDATE__SCALE cast struct event_update_event->data to a
pointer to event_update_event_scale, uses some field from this casted struct
and then ends up falling through to the handling of another event type,
PERF_EVENT_UPDATE__CPUS were it casts that ev->data to yet another type, oops,
fix it by inserting the missing break.

Noticed when building perf using gcc 7 on Fedora Rawhide:

  util/header.c: In function 'perf_event__process_event_update':
  util/header.c:3207:16: error: this statement may fall through [-Werror=implicit-fallthrough=]
     evsel->scale = ev_scale->scale;
     ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~
  util/header.c:3208:2: note: here
    case PERF_EVENT_UPDATE__CPUS:
    ^~~~

This wasn't noticed because probably PERF_EVENT_UPDATE__CPUS comes after
PERF_EVENT_UPDATE__SCALE, so we would just create a bogus evsel->own_cpus when
processing a PERF_EVENT_UPDATE__SCALE to then leak it and create a new cpu map
with the correct data.

Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Fixes: daeecbc0c431 ("perf tools: Add event_update event scale type")
Link: http://lkml.kernel.org/n/tip-lukcf9hdj092ax2914ss95at@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoperf bench numa: Avoid possible truncation when using snprintf()
Arnaldo Carvalho de Melo [Thu, 9 Feb 2017 17:39:42 +0000 (14:39 -0300)]
perf bench numa: Avoid possible truncation when using snprintf()

commit 3aff8ba0a4c9c9191bb788171a1c54778e1246a2 upstream.

Addressing this warning from gcc 7:

    CC       /tmp/build/perf/bench/numa.o
  bench/numa.c: In function '__bench_numa':
  bench/numa.c:1582:42: error: '%d' directive output may be truncated writing between 1 and 10 bytes into a region of size between 8 and 17 [-Werror=format-truncation=]
       snprintf(tname, 32, "process%d:thread%d", p, t);
                                            ^~
  bench/numa.c:1582:25: note: directive argument in the range [0, 2147483647]
       snprintf(tname, 32, "process%d:thread%d", p, t);
                           ^~~~~~~~~~~~~~~~~~~~
  In file included from /usr/include/stdio.h:939:0,
                   from bench/../util/util.h:47,
                   from bench/../builtin.h:4,
                   from bench/numa.c:11:
  /usr/include/bits/stdio2.h:64:10: note: '__builtin___snprintf_chk' output between 17 and 35 bytes into a destination of size 32
     return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          __bos (__s), __fmt, __va_arg_pack ());
          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  cc1: all warnings being treated as errors

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Petr Holasek <pholasek@redhat.com>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-twa37vsfqcie5gwpqwnjuuz9@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoperf tests: Avoid possible truncation with dirent->d_name + snprintf
Arnaldo Carvalho de Melo [Thu, 9 Feb 2017 17:48:46 +0000 (14:48 -0300)]
perf tests: Avoid possible truncation with dirent->d_name + snprintf

commit 2e2bbc039fad9eabad6c4c1a473c8b2554cdd2d4 upstream.

Addressing a few cases spotted by a new warning in gcc 7:

  tests/parse-events.c: In function 'test_pmu_events':
  tests/parse-events.c:1790:39: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 90 [-Werror=format-truncation=]
     snprintf(name, MAX_NAME, "cpu/event=%s/u", ent->d_name);
                                       ^~
  In file included from /usr/include/stdio.h:939:0,
                   from /git/linux/tools/perf/util/map.h:9,
                   from /git/linux/tools/perf/util/symbol.h:7,
                   from /git/linux/tools/perf/util/evsel.h:10,
                   from tests/parse-events.c:3:
  /usr/include/bits/stdio2.h:64:10: note: '__builtin___snprintf_chk' output between 13 and 268 bytes into a destination of size 100
     return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          __bos (__s), __fmt, __va_arg_pack ());
          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  tests/parse-events.c:1798:29: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 100 [-Werror=format-truncation=]
     snprintf(name, MAX_NAME, "%s:u,cpu/event=%s/u", ent->d_name, ent->d_name);

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Fixes: 945aea220bb8 ("perf tests: Move test objects into 'tests' directory")
Link: http://lkml.kernel.org/n/tip-ty4q2p8zp1dp3mskvubxskm5@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoperf intel-pt: Use __fallthrough
Arnaldo Carvalho de Melo [Thu, 9 Feb 2017 18:22:22 +0000 (15:22 -0300)]
perf intel-pt: Use __fallthrough

commit 7ea6856d6f5629d742edc23b8b76e6263371ef45 upstream.

To address new warnings emmited by gcc 7, e.g.::

    CC       /tmp/build/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.o
    CC       /tmp/build/perf/tests/parse-events.o
  util/intel-pt-decoder/intel-pt-pkt-decoder.c: In function 'intel_pt_pkt_desc':
  util/intel-pt-decoder/intel-pt-pkt-decoder.c:499:6: error: this statement may fall through [-Werror=implicit-fallthrough=]
     if (!(packet->count))
        ^
  util/intel-pt-decoder/intel-pt-pkt-decoder.c:501:2: note: here
    case INTEL_PT_CYC:
    ^~~~
    CC       /tmp/build/perf/util/intel-pt-decoder/intel-pt-decoder.o
  cc1: all warnings being treated as errors

Acked-by: Andi Kleen <ak@linux.intel.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-mf0hw789pu9x855us5l32c83@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoperf thread_map: Correctly size buffer used with dirent->dt_name
Arnaldo Carvalho de Melo [Wed, 8 Feb 2017 20:01:46 +0000 (17:01 -0300)]
perf thread_map: Correctly size buffer used with dirent->dt_name

commit bdf23a9a190d7ecea092fd5c4aabb7d4bd0a9980 upstream.

The size of dirent->dt_name is NAME_MAX + 1, but the size for the 'path'
buffer is hard coded at 256, which may truncate it because we also
prepend "/proc/", so that all that into account and thank gcc 7 for this
warning:

  /git/linux/tools/perf/util/thread_map.c: In function 'thread_map__new_by_uid':
  /git/linux/tools/perf/util/thread_map.c:119:39: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 250 [-Werror=format-truncation=]
     snprintf(path, sizeof(path), "/proc/%s", dirent->d_name);
                                         ^~
  In file included from /usr/include/stdio.h:939:0,
                   from /git/linux/tools/perf/util/thread_map.c:5:
  /usr/include/bits/stdio2.h:64:10: note: '__builtin___snprintf_chk' output between 7 and 262 bytes into a destination of size 256
     return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          __bos (__s), __fmt, __va_arg_pack ());
          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-csy0r8zrvz5efccgd4k12c82@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoperf top: Use __fallthrough
Arnaldo Carvalho de Melo [Wed, 8 Feb 2017 20:01:46 +0000 (17:01 -0300)]
perf top: Use __fallthrough

commit 7b0214b702ad8e124e039a317beeebb3f020d125 upstream.

The implicit fall through case label here is intended, so let us inform
that to gcc >= 7:

    CC       /tmp/build/perf/builtin-top.o
  builtin-top.c: In function 'display_thread':
  builtin-top.c:644:7: error: this statement may fall through [-Werror=implicit-fallthrough=]
      if (errno == EINTR)
         ^
  builtin-top.c:647:3: note: here
     default:
   ^~~~~~~

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-lmcfnnyx9ic0m6j0aud98p4e@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agotools strfilter: Use __fallthrough
Arnaldo Carvalho de Melo [Wed, 8 Feb 2017 20:01:46 +0000 (17:01 -0300)]
tools strfilter: Use __fallthrough

commit d64b721d27aef3fbeb16ecda9dd22ee34818ff70 upstream.

The implicit fall through case label here is intended, so let us inform
that to gcc >= 7:

  util/strfilter.c: In function 'strfilter_node__sprint':
  util/strfilter.c:270:6: error: this statement may fall through [-Werror=implicit-fallthrough=]
     if (len < 0)
        ^
  util/strfilter.c:272:2: note: here
    case '!':
    ^~~~
  cc1: all warnings being treated as errors

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-z2dpywg7u8fim000hjfbpyfm@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agotools string: Use __fallthrough in perf_atoll()
Arnaldo Carvalho de Melo [Wed, 8 Feb 2017 20:01:46 +0000 (17:01 -0300)]
tools string: Use __fallthrough in perf_atoll()

commit 94bdd5edb34e472980d1e18b4600d6fb92bd6b0a upstream.

The implicit fall through case label here is intended, so let us inform
that to gcc >= 7:

    CC       /tmp/build/perf/util/string.o
  util/string.c: In function 'perf_atoll':
  util/string.c:22:7: error: this statement may fall through [-Werror=implicit-fallthrough=]
      if (*p)
         ^
  util/string.c:24:3: note: here
     case '\0':
     ^~~~

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-0ophb30v9apkk6o95el0rqlq@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agotools include: Add a __fallthrough statement
Arnaldo Carvalho de Melo [Wed, 8 Feb 2017 20:01:46 +0000 (17:01 -0300)]
tools include: Add a __fallthrough statement

commit b5bf1733d6a391c4e90ea8f8468d83023be74a2a upstream.

For cases where implicit fall through case labels are intended,
to let us inform that to gcc >= 7:

    CC       /tmp/build/perf/util/string.o
  util/string.c: In function 'perf_atoll':
  util/string.c:22:7: error: this statement may fall through [-Werror=implicit-fallthrough=]
      if (*p)
         ^
  util/string.c:24:3: note: here
     case '\0':
     ^~~~

So we introduce:

  #define __fallthrough __attribute__ ((fallthrough))

And use it in such cases.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Cc: William Cohen <wcohen@redhat.com>
Link: http://lkml.kernel.org/n/tip-qnpig0xfop4hwv6k4mv1wts5@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agotpm: Issue a TPM2_Shutdown for TPM2 devices.
Josh Zimmerman [Sun, 25 Jun 2017 21:53:24 +0000 (14:53 -0700)]
tpm: Issue a TPM2_Shutdown for TPM2 devices.

commit d1bd4a792d3961a04e6154118816b00167aad91a upstream.

If a TPM2 loses power without a TPM2_Shutdown command being issued (a
"disorderly reboot"), it may lose some state that has yet to be
persisted to NVRam, and will increment the DA counter. After the DA
counter gets sufficiently large, the TPM will lock the user out.

NOTE: This only changes behavior on TPM2 devices. Since TPM1 uses sysfs,
and sysfs relies on implicit locking on chip->ops, it is not safe to
allow this code to run in TPM1, or to add sysfs support to TPM2, until
that locking is made explicit.

Signed-off-by: Josh Zimmerman <joshz@google.com>
Fixes: 74d6b3ceaa17 ("tpm: fix suspend/resume paths for TPM 2.0")
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoAdd "shutdown" to "struct class".
Josh Zimmerman [Sun, 25 Jun 2017 21:53:23 +0000 (14:53 -0700)]
Add "shutdown" to "struct class".

commit f77af15165847406b15d8f70c382c4cb15846b2a upstream.

The TPM class has some common shutdown code that must be executed for
all drivers. This adds some needed functionality for that.

Signed-off-by: Josh Zimmerman <joshz@google.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixes: 74d6b3ceaa17 ("tpm: fix suspend/resume paths for TPM 2.0")
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agomqueue: fix a use-after-free in sys_mq_notify()
Cong Wang [Sun, 9 Jul 2017 20:19:55 +0000 (13:19 -0700)]
mqueue: fix a use-after-free in sys_mq_notify()

commit f991af3daabaecff34684fd51fac80319d1baad1 upstream.

The retry logic for netlink_attachskb() inside sys_mq_notify()
is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already
   release the file refcnt

so we when retry but the fd has been just closed by user-space
during this small window, we end up calling netlink_detachskb()
on the error path which releases the sock again, later when
the user-space closes this socket a use-after-free could be
triggered.

Setting 'sock' to NULL here should be sufficient to fix it.

Reported-by: GeneBlue <geneblue.mail@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoFROMLIST: binder: remove global binder lock
Todd Kjos [Mon, 14 Nov 2016 19:37:41 +0000 (11:37 -0800)]
FROMLIST: binder: remove global binder lock

(from https://patchwork.kernel.org/patch/9817773/)

Remove global mutex and rely on fine-grained locking

Change-Id: Ide1988128c155e4374dc0b222b50a804109bcb6f
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: fix death race conditions
Martijn Coenen [Mon, 22 May 2017 18:26:23 +0000 (11:26 -0700)]
FROMLIST: binder: fix death race conditions

(from https://patchwork.kernel.org/patch/9817765/)

A race existed where one thread could register
a death notification for a node, while another
thread was cleaning up that node and sending
out death notifications for its references,
causing simultaneous access to ref->death
because different locks were held.

Change-Id: I2392eb8075ac0aee51f1749ac398a663853ef4e6
Signed-off-by: Martijn Coenen <maco@google.com>
7 years agoFROMLIST: binder: protect against stale pointers in print_binder_transaction
Todd Kjos [Fri, 21 Apr 2017 21:32:11 +0000 (14:32 -0700)]
FROMLIST: binder: protect against stale pointers in print_binder_transaction

(from https://patchwork.kernel.org/patch/9817761/)

When printing transactions there were several race conditions
that could cause a stale pointer to be deferenced. Fixed by
reading the pointer once and using it if valid (which is
safe). The transaction buffer also needed protection via proc
lock, so it is only printed if we are holding the correct lock.

Change-Id: I9a03129e08eaab4b8a5646eecafaf10e343dbdea
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: protect binder_ref with outer lock
Todd Kjos [Thu, 20 Oct 2016 23:43:34 +0000 (16:43 -0700)]
FROMLIST: binder: protect binder_ref with outer lock

(from https://patchwork.kernel.org/patch/9817771/)

Use proc->outer_lock to protect the binder_ref structure.
The outer lock allows functions operating on the binder_ref
to do nested acquires of node and inner locks as necessary
to attach refs to nodes atomically.

Binder refs must never be accesssed without holding the
outer lock.

Change-Id: Iffb9ae47fd383b87b70ee6bec344cde9f8d24996
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: use inner lock to protect thread accounting
Todd Kjos [Fri, 26 May 2017 00:35:02 +0000 (17:35 -0700)]
FROMLIST: binder: use inner lock to protect thread accounting

(from https://patchwork.kernel.org/patch/9817763/)

Use the inner lock to protect thread accounting fields in
proc structure: max_threads, requested_threads,
requested_threads_started and ready_threads.

Change-Id: I8cf519f40ddfe4fd00d99b82fdb88dc069611787
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: protect transaction_stack with inner lock.
Martijn Coenen [Fri, 2 Jun 2017 20:36:52 +0000 (13:36 -0700)]
FROMLIST: binder: protect transaction_stack with inner lock.

(from https://patchwork.kernel.org/patch/9817779/)

This makes future changes to priority inheritance
easier, since we want to be able to look at a thread's
transaction stack when selecting a thread to inherit
priority for.

It also allows us to take just a single lock in a
few paths, where we used to take two in succession.

Change-Id: Ie30eaefe9f746577967bab76e64c49069b8a5cfa
Signed-off-by: Martijn Coenen <maco@google.com>
7 years agoFROMLIST: binder: protect proc->threads with inner_lock
Todd Kjos [Thu, 25 May 2017 22:52:17 +0000 (15:52 -0700)]
FROMLIST: binder: protect proc->threads with inner_lock

(from https://patchwork.kernel.org/patch/9817775/)

proc->threads will need to be accessed with higher
locks of other processes held so use proc->inner_lock
to protect it. proc->tmp_ref now needs to be protected
by proc->inner_lock.

Change-Id: Id4cff2c9786d900b7846ec9b1816f7a07655c429
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: protect proc->nodes with inner lock
Todd Kjos [Mon, 12 Jun 2017 19:07:26 +0000 (12:07 -0700)]
FROMLIST: binder: protect proc->nodes with inner lock

(from https://patchwork.kernel.org/patch/9817783/)

When locks for binder_ref handling are added, proc->nodes
will need to be modified while holding the outer lock

Change-Id: I7daf5a51d83cdf6ac31a3728b3ea3e6ab94bf2e7
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: add spinlock to protect binder_node
Todd Kjos [Thu, 8 Jun 2017 20:45:59 +0000 (13:45 -0700)]
FROMLIST: binder: add spinlock to protect binder_node

(from https://patchwork.kernel.org/patch/9817769/)

node->node_lock is used to protect elements of node. No
need to acquire for fields that are invariant: debug_id,
ptr, cookie.

Change-Id: I612ecb9db2d69b1319a9f0c450ccfdc85de70c39
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: add spinlocks to protect todo lists
Todd Kjos [Thu, 20 Oct 2016 17:33:00 +0000 (10:33 -0700)]
FROMLIST: binder: add spinlocks to protect todo lists

(from https://patchwork.kernel.org/patch/9817769/)

The todo lists in the proc, thread, and node structures
are accessed by other procs/threads to place work
items on the queue.

The todo lists are protected by the new proc->inner_lock.
No locks should ever be nested under these locks. As the
name suggests, an outer lock will be introduced in
a later patch.

Change-Id: Iaf613f317d7c6a1409055de47c5b84cd8147102e
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: use inner lock to sync work dq and node counts
Todd Kjos [Tue, 21 Mar 2017 20:06:01 +0000 (13:06 -0700)]
FROMLIST: binder: use inner lock to sync work dq and node counts

(from https://patchwork.kernel.org/patch/9817789/)

For correct behavior we need to hold the inner lock when
dequeuing and processing node work in binder_thread_read.
We now hold the inner lock when we enter the switch statement
and release it after processing anything that might be
affected by other threads.

We also need to hold the inner lock to protect the node
weak/strong ref tracking fields as long as node->proc
is non-NULL (if it is NULL then we are guaranteed that
we don't have any node work queued).

This means that other functions that manipulate these fields
must hold the inner lock. Refactored these functions to use
the inner lock.

Change-Id: I90cb6e39a3fecf4809a0828aa3a4f3199b38b209
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: introduce locking helper functions
Todd Kjos [Mon, 29 May 2017 23:44:24 +0000 (16:44 -0700)]
FROMLIST: binder: introduce locking helper functions

(from https://patchwork.kernel.org/patch/9817791/)

There are 3 main spinlocks which must be acquired in this
order:
1) proc->outer_lock : protects most fields of binder_proc,
binder_thread, and binder_ref structures. binder_proc_lock()
and binder_proc_unlock() are used to acq/rel.
2) node->lock : protects most fields of binder_node.
binder_node_lock() and binder_node_unlock() are
used to acq/rel
3) proc->inner_lock : protects the thread and node lists
(proc->threads, proc->nodes) and all todo lists associated
with the binder_proc (proc->todo, thread->todo,
proc->delivered_death and node->async_todo).
binder_inner_proc_lock() and binder_inner_proc_unlock()
are used to acq/rel

Any lock under procA must never be nested under any lock at the same
level or below on procB.

Functions that require a lock held on entry indicate which lock
in the suffix of the function name:

foo_olocked() : requires node->outer_lock
foo_nlocked() : requires node->lock
foo_ilocked() : requires proc->inner_lock
foo_iolocked(): requires proc->outer_lock and proc->inner_lock
foo_nilocked(): requires node->lock and proc->inner_lock

Change-Id: Ic11bf3bf988e0a901ce0484e2fd9323b176994c3
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: use node->tmp_refs to ensure node safety
Todd Kjos [Tue, 9 May 2017 18:08:05 +0000 (11:08 -0700)]
FROMLIST: binder: use node->tmp_refs to ensure node safety

(from https://patchwork.kernel.org/patch/9817795/)

When obtaining a node via binder_get_node(),
binder_get_node_from_ref() or binder_new_node(),
increment node->tmp_refs to take a
temporary reference on the node to ensure the node
persists while being used.  binder_put_node() must
be called to remove the temporary reference.

Change-Id: Idb84fea1ba0ae119a6593ec2dc80b7d4e6d81bce
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: refactor binder ref inc/dec for thread safety
Todd Kjos [Mon, 8 May 2017 16:16:27 +0000 (09:16 -0700)]
FROMLIST: binder: refactor binder ref inc/dec for thread safety

(from https://patchwork.kernel.org/patch/9817781/)

Once locks are added, binder_ref's will only be accessed
safely with the proc lock held. Refactor the inc/dec paths
to make them atomic with the binder_get_ref* paths and
node inc/dec. For example, instead of:

  ref = binder_get_ref(proc, handle, strong);
  ...
  binder_dec_ref(ref, strong);

we now have:

  ret = binder_dec_ref_for_handle(proc, handle, strong, &rdata);

Since the actual ref is no longer exposed to callers, a
new struct binder_ref_data is introduced which can be used
to return a copy of ref state.

Change-Id: I11e6a31963eb18f5788cd52ae6ec9adb4438fa48
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: make sure accesses to proc/thread are safe
Todd Kjos [Fri, 12 May 2017 21:42:55 +0000 (14:42 -0700)]
FROMLIST: binder: make sure accesses to proc/thread are safe

(from https://patchwork.kernel.org/patch/9817787/)

binder_thread and binder_proc may be accessed by other
threads when processing transaction. Therefore they
must be prevented from being freed while a transaction
is in progress that references them.

This is done by introducing a temporary reference
counter for threads and procs that indicates that the
object is in use and must not be freed. binder_thread_dec_tmpref()
and binder_proc_dec_tmpref() are used to decrement
the temporary reference.

It is safe to free a binder_thread if there
is no reference and it has been released
(indicated by thread->is_dead).

It is safe to free a binder_proc if it has no
remaining threads and no reference.

A spinlock is added to the binder_transaction
to safely access and set references for t->from
and for debug code to safely access t->to_thread
and t->to_proc.

Change-Id: Ibab67eacc55e61d00f15a6567e54fb67aef51b3f
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: make sure target_node has strong ref
Todd Kjos [Fri, 26 May 2017 18:56:29 +0000 (11:56 -0700)]
FROMLIST: binder: make sure target_node has strong ref

(from https://patchwork.kernel.org/patch/9817787/)

When initiating a transaction, the target_node must
have a strong ref on it. Then we take a second
strong ref to make sure the node survives until the
transaction is complete.

Change-Id: Ia77b1794a92a8b6b8a564e48b4a4a6b225b5c279
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: guarantee txn complete / errors delivered in-order
Todd Kjos [Sat, 22 Apr 2017 00:35:12 +0000 (17:35 -0700)]
FROMLIST: binder: guarantee txn complete / errors delivered in-order

(from https://patchwork.kernel.org/patch/9817805/)

Since errors are tracked in the return_error/return_error2
fields of the binder_thread object and BR_TRANSACTION_COMPLETEs
can be tracked either in those fields or via the thread todo
work list, it is possible for errors to be reported ahead
of the associated txn complete.

Use the thread todo work list for errors to guarantee
order. Also changed binder_send_failed_reply to pop
the transaction even if it failed to send a reply.

Change-Id: Ibf93b412b6236812d415bc10fec8b43826948eaa
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: refactor binder_pop_transaction
Todd Kjos [Fri, 31 Mar 2017 01:02:13 +0000 (18:02 -0700)]
FROMLIST: binder: refactor binder_pop_transaction

(from https://lkml.org/lkml/2017/6/29/754)

binder_pop_transaction needs to be split into 2 pieces to
to allow the proc lock to be held on entry to dequeue the
transaction stack, but no lock when kfree'ing the transaction.

Split into binder_pop_transaction_locked and binder_free_transaction
(the actual locks are still to be added).

Change-Id: I4b3d21d42ad54031f52cb94ab2b0152812747c38
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: use atomic for transaction_log index
Todd Kjos [Wed, 24 May 2017 20:33:28 +0000 (13:33 -0700)]
FROMLIST: binder: use atomic for transaction_log index

(from https://patchwork.kernel.org/patch/9817807/)

The log->next index for the transaction log was
not protected when incremented. This led to a
case where log->next++ resulted in an index
larger than ARRAY_SIZE(log->entry) and eventually
a bad access to memory.

Fixed by making the log index an atomic64 and
converting to an array by using "% ARRAY_SIZE(log->entry)"

Also added "complete" field to the log entry which is
written last to tell the print code whether the
entry is complete

Change-Id: I539f285fee3406468e7f89de3cd560285bfd9ab1
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: add more debug info when allocation fails.
Martijn Coenen [Wed, 15 Mar 2017 17:22:52 +0000 (18:22 +0100)]
FROMLIST: binder: add more debug info when allocation fails.

(from https://patchwork.kernel.org/patch/9817797/)

Display information about allocated/free space whenever
binder buffer allocation fails on synchronous
transactions.

Change-Id: Ia718c897dfbfd50991746232ea3c6c9cfab5d1a3
Signed-off-by: Martijn Coenen <maco@android.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
7 years agoFROMLIST: binder: protect against two threads freeing buffer
Todd Kjos [Fri, 21 Apr 2017 21:32:11 +0000 (14:32 -0700)]
FROMLIST: binder: protect against two threads freeing buffer

(from https://patchwork.kernel.org/patch/9817815/)

Adds protection against malicious user code freeing
the same buffer at the same time which could cause
a crash. Cannot happen under normal use.

Change-Id: I9461229401aaa7f3b5b2477960f79d4d1bd17fee
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: remove dead code in binder_get_ref_for_node
Todd Kjos [Tue, 2 May 2017 00:21:51 +0000 (17:21 -0700)]
FROMLIST: binder: remove dead code in binder_get_ref_for_node

(from https://patchwork.kernel.org/patch/9817819/)

node is always non-NULL in binder_get_ref_for_node so the
conditional and else clause are not needed

Change-Id: I89ca8c3c0a1a263624a0bd5ddb14e9093ae12009
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: don't modify thread->looper from other threads
Todd Kjos [Fri, 6 Jan 2017 22:19:25 +0000 (14:19 -0800)]
FROMLIST: binder: don't modify thread->looper from other threads

(from https://patchwork.kernel.org/patch/9817799/)

The looper member of struct binder_thread is a bitmask
of control bits. All of the existing bits are modified
by the affected thread except for BINDER_LOOPER_STATE_NEED_RETURN
which can be modified in binder_deferred_flush() by
another thread.

To avoid adding a spinlock around all read-mod-writes to
modify a bit, the BINDER_LOOPER_STATE_NEED_RETURN flag
is replaced by a separate field in struct binder_thread.

Change-Id: I92a5d084081e813b6d8c60f970dd58cc031042d6
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: avoid race conditions when enqueuing txn
Todd Kjos [Tue, 9 May 2017 15:31:32 +0000 (08:31 -0700)]
FROMLIST: binder: avoid race conditions when enqueuing txn

(from https://patchwork.kernel.org/patch/9817813/)

Currently, the transaction complete work item is queued
after the transaction. This means that it is possible
for the transaction to be handled and a reply to be
enqueued in the current thread before the transaction
complete is enqueued, which violates the protocol
with userspace who may not expect the transaction
complete. Fixed by always enqueing the transaction
complete first.

Also, once the transaction is enqueued, it is unsafe
to access since it might be freed. Currently,
t->flags is accessed to determine whether a sync
wake is needed. Changed to access tr->flags
instead.

Change-Id: I247f25a66cfeac8a1fcb2ad65c6053d51cafe4f3
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: refactor queue management in binder_thread_read
Todd Kjos [Wed, 24 May 2017 17:51:01 +0000 (10:51 -0700)]
FROMLIST: binder: refactor queue management in binder_thread_read

(from https://patchwork.kernel.org/patch/9817757/)

In binder_thread_read, the BINDER_WORK_NODE command is used
to communicate the references on the node to userspace. It
can take a couple of iterations in the loop to construct
the list of commands for user space. When locking is added,
the lock would need to be release on each iteration which
means the state could change. The work item is not dequeued
during this process which prevents a simpler queue management
that can just dequeue up front and handle the work item.

Fixed by changing the BINDER_WORK_NODE algorithm in
binder_thread_read to determine which commands to send
to userspace atomically in 1 pass so it stays consistent
with the kernel view.

The work item is now dequeued immediately since only
1 pass is needed.

Change-Id: I252990504866e6518cf474a1e0af6d853ac52102
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: add log information for binder transaction failures
Todd Kjos [Thu, 23 Mar 2017 00:19:52 +0000 (17:19 -0700)]
FROMLIST: binder: add log information for binder transaction failures

(from https://patchwork.kernel.org/patch/9817751/)

Add additional information to determine the cause of binder
failures. Adds the following to failed transaction log and
kernel messages:
return_error : value returned for transaction
return_error_param : errno returned by binder allocator
return_error_line : line number where error detected

Also, return BR_DEAD_REPLY if an allocation error indicates
a dead proc (-ESRCH)

Change-Id: If9f203dee30036003aa1823aaf3f7098f488a3e6
Signed-off-by: Todd Kjos <tkjos@google.com>