Commit Graph

651276 Commits

Author SHA1 Message Date
Jiamin Ma
d441ea15e4 debug: show pfn info when undefined instr happens at user space [1/1]
PD#SWPL-3076

Problem:
Lack of debug info when undefined instr happens at user space

Solution:
Call show_all_pfn when undefined instr happens at user space

Verify:
Locally on ampere

Change-Id: Id24e797c2781c94c507ad07ec17a3d4ae7d44cd9
Signed-off-by: Jiamin Ma <jiamin.ma@amlogic.com>
2019-02-26 18:15:11 +09:00
he.he
4576ac4d9d usb: adb panic [1/1]
PD#SWPL-2678

Problem:
adb panic in release_ffs_buffer

Solution:
1. when kzalloc data_ep, use GFP_ATOMIC instead of GFP_KERNEL
   and keep spin lock protection.
2. check buffer_temp->data_ep == NULL, return

Test: adb push

Verify:
verified by he he

Change-Id: I3402b17d62b8a0ef4e3185a87729a0c3e87449e9
Signed-off-by: he.he <he.he@amlogic.com>
2019-02-26 18:15:11 +09:00
Bencheng Jing
d59458ce71 pq: fix sr registers load fail on txl [1/1]
PD#SWPL-2941

Problem:
sr top ctrl is closed when video off

Solution:
txl and txl sr top don't close

Verify:
TxL

Change-Id: Ia8e7e3bd93dd328497af66cf9758e3021cafe22c
Signed-off-by: Bencheng Jing <bencheng.jing@amlogic.com>
2019-02-26 18:15:11 +09:00
tao zeng
49061a2a4c mm: optimize stack usage for functions [1/1]
PD#SWPL-1773

Problem:
After adding optimization of vmap stack, we can find the stack usage
of each function when handling a vmap fault. From the test log we see some
functions using a large stack size, over 256 bytes, especially on
common call paths from fs. We need to optimize the stack usage of these
functions to reduce stack fault probability and save stack memory
usage.

Solution:
1. remove CONFIG_CC_STACKPROTECTOR_STRONG and set STACKPROTECTOR to
   NONE. This saves the stack usage added by the compiler for most functions.
   Kernel code size is also reduced by over 1MB.
2. Add some noinline functions for android_fs_data rw trace calls. In
   these trace calls a 256 byte local buffer is allocated.
3. Add a wrap function for the mem abort handler. By default, it defines a
   siginfo struct (size over 100 bytes) locally but only uses it when the fault
   can't be handled.
4. reduce cached page size for vmap stack since the probability of page
   fault caused by stack overflow is reduced after function stack usage
   is optimized.
Monkey test shows the real stack usage ratio compared with the 1st vmap
implementation reduced from 35% ~ 38% to 26% ~ 27%, which is very
close to the theoretical limit of 25%.

Verify:
P212

Change-Id: I5505cacc1cab51f88654052902852fd648b6a036
Signed-off-by: tao zeng <tao.zeng@amlogic.com>
2019-02-26 18:15:11 +09:00
Pengcheng Chen
308fdff353 osd: remove phys_to_vir to prevent crash on the 32bit & 2G board [1/1]
PD#SWPL-3079

Problem:
phys_to_vir in height mem rw caused a crash.

Solution:
remove phys_to_vir (dd funs do not work)

Verify:
tl1

Change-Id: Ic9679471a51974cabf84b61efe90c88e845d01ea
Signed-off-by: Pengcheng Chen <pengcheng.chen@amlogic.com>
2019-02-26 18:15:11 +09:00
Hongmin Hua
860e27496f cec: add the port map for connect status [1/1]
PD#SWPL-3010

Problem:
the arc can't work

Solution:
add the port map for connect status

Verify:
verified on darwin

Change-Id: I9f886c35de8670acdc431185bb26aa1836a8c150
Signed-off-by: Hongmin Hua <hongmin.hua@amlogic.com>
2019-02-26 18:15:10 +09:00
Yi Zeng
a0ffcf1f04 nand: fix the free-node leak in rsv manager [1/1]
PD#SWPL-2776

Problem:
did not release the free node of rsv information

Solution:
release free node and set bit mask in the right way

Verify:
S400

Change-Id: I781f2374b91ca1e7cd1a66e75fc554318737c377
Signed-off-by: Yi Zeng <yi.zeng@amlogic.com>
2019-02-26 18:13:09 +09:00
Jian Cao
2dcf3effec video: fix picdec coverity error [1/1]
PD#SWPL-2797

Problem:
fix picdec coverity error

Solution:
solve picdec coverity issues

Verify:
verified on P212

Change-Id: Iee0a7beb3fbf8382e9dd4207075df85171ed62ae
Signed-off-by: Jian Cao <jian.cao@amlogic.com>
2019-02-26 18:13:09 +09:00
Jian Cao
78c3172bbc video: fix ppmgr coverity error [1/1]
PD#SWPL-2797

Problem:
fix ppmgr coverity error

Solution:
solve ppmgr coverity issues

Verify:
verified on P212

Change-Id: I05b837073ec9c981004320afaa0680648198d5b3
Signed-off-by: Jian Cao <jian.cao@amlogic.com>
2019-02-26 18:13:09 +09:00
Jian Cao
89ecad7785 osd: fix ge2d coverity error [1/1]
PD#SWPL-2798

Problem:
fix ge2d coverity error

Solution:
add return val timeout for waiting completion

Verify:
verified on P212

Change-Id: Iaacf3f5b30721eb5d72d3c355f0404f4848969b5
Signed-off-by: Jian Cao <jian.cao@amlogic.com>
2019-02-26 18:13:09 +09:00
Jian Cao
825be7ff26 osd: fix osd coverity error [1/1]
PD#SWPL-2798

Problem:
fix osd coverity error

Solution:
solve osd coverity issues

Verify:
verified on P212

Change-Id: I9714e3b229786d39ffa5a150633d59082bdf3549
Signed-off-by: Jian Cao <jian.cao@amlogic.com>
2019-02-26 18:13:09 +09:00
MingLiang Dong
d1be185d61 hdr: Enable default output to HDR for HDR TV [1/1]
PD#SWPL-3096

Problem:
G12A/G12B need enable sdr2hdr

Solution:
enable sdr2hdr function

Verify:
verify on G12A

Change-Id: I1e771a13d33fe675cfc36d8308afc37077545cd4
Signed-off-by: MingLiang Dong <mingliang.dong@amlogic.com>
2019-02-26 18:13:09 +09:00
nengwen.chen
d7616d946e dtv_demod: DTV search menu does not have ISDB-T entry [4/6]
PD#SWPL-1664

Problem:
DTV search menu does not have ISDB-T entry

Solution:
add ISDB-T system support.

Verify:
verified by einstein

Change-Id: Ie0bdc988d53256487e24c3123320b50f2a58cdf3
Signed-off-by: nengwen.chen <nengwen.chen@amlogic.com>
2019-02-26 18:13:09 +09:00
Chuangcheng Peng
3411f700d2 dvb-core: compatible with 32bit in 64bit kernel [1/1]
PD#SWPL-3009

Problem:
32bit frontend app can't call ioctl in 64bit-kernel

Solution:
Add 32bit define in header and handle in dvb_frontend in 64bit-kernel

Verify:
Verify at android_p at R311

Change-Id: I63178803cfb1cf7d670e3c2b55f104e97f5afa63
Signed-off-by: Chuangcheng Peng <chuangcheng.peng@amlogic.com>
2019-02-26 18:13:09 +09:00
tao zeng
b682325e08 mm: check phys_to_xxxx macro on 32bit OS [1/1]
PD#SWPL-1909

Problem:
If the physical address of a memory location is not in the linear mapping
range, then any caller using phys_to_xxxx to get a pointer will
cause a bug.

Solution:
Check input address range for phys_to_xxxx to get a BUG output.
This change is used for debug

Verify:
P212

Change-Id: I13bcaa3983e2d730b8d2bc03cd28c62585f49969
Signed-off-by: tao zeng <tao.zeng@amlogic.com>
2019-02-26 18:13:09 +09:00
qiu.zeng
247b345a8c BT: resolve bt remote re-connected fail [1/1]
PD#SWPL-2735

Problem:
bt remote re-connect fails

Solution:
control bluetooth power up

Verify:
Verifying on Public Edition r311

Change-Id: I8c74442894f606d5afd992e52d6c80bada0aed9f
Signed-off-by: Qiu Zeng <qiu.zeng@amlogic.com>
2019-02-26 18:13:09 +09:00
Brian Zhu
e80a91182d video: sr: add the missing bit mask for sr core1 [1/1]
PD#SWPL-2948

Problem:
Missing the sr core1 bit mask causes abnormal display

Solution:
Add the bit mask for sr core1

Verify:
Test pass by x301

Change-Id: I742d86b610a9748adad7c143d7a85c6796d3c8f7
Signed-off-by: Brian Zhu <brian.zhu@amlogic.com>
2019-02-26 18:13:09 +09:00
Tao Zeng
85a1cc4b4c mm: subtract CMA isolated pages when allocate TVP [1/1]
PD#SWPL-2933

Problem:
When allocating CMA pages in a buildroot environment, the system will
hang in congestion_wait:
Call trace:
[<ffffff8009086a78>] __switch_to+0xa0/0xc8
[<ffffff8009de3eb8>] __schedule+0x268/0x7d8
[<ffffff8009de4464>] schedule+0x3c/0xa0
[<ffffff8009de7c9c>] schedule_timeout+0x1b4/0x448
[<ffffff8009de3be8>] io_schedule_timeout+0x98/0x100
[<ffffff80091e3fb8>] congestion_wait+0x90/0x190
[<ffffff80091ebcf4>] isolate_migratepages_block+0x7ec/0x890
[<ffffff80091ec794>] isolate_migratepages_range+0x8c/0x100
[<ffffff8009a8f34c>] aml_alloc_contig_migrate_range+0x104/0x158
[<ffffff8009a8f518>] cma_boost_work_func+0x178/0x270
[<ffffff80090cc228>] kthread+0xf8/0x110
[<ffffff80090836c0>] ret_from_fork+0x10/0x50

Solution:
subtract isolated CMA pages when allocating large CMA for TVP.

Verify:
local

Change-Id: I96153cf104abb009a8965c2230a5242e495dd031
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
2019-02-26 18:13:09 +09:00
pengcheng chen
1eaed5c403 osd: fix afbc dd length error issue [1/1]
PD#SWPL-2674

Problem:
fix afbc dd length error issue

Solution:
add afbc_len to set screen_size

Verify:
verified on g12a-u200

Change-Id: I00df7945f0f928efe2b8be88c56f10f20bb1700f
Signed-off-by: pengcheng chen <pengcheng.chen@amlogic.com>
2019-02-26 18:13:09 +09:00
Hongmin Hua
c4d568050a cec: set the phy port the same as ui id [2/2]
PD#SWPL-2685

Problem:
the atom switch wrong channel when wakeup by device

Solution:
set the phy port the same as ui id

Verify:
atom

Change-Id: I4e43f83af5bb30a2388df7e7030f135c3f0830ad
Signed-off-by: Hongmin Hua <hongmin.hua@amlogic.com>
2019-02-26 18:13:09 +09:00
Jian Hu
f479fa7aa1 clk: g12a: add gen clock [1/1]
PD#OTT-1025

Problem:
not support gen clock

Solution:
add gen clock

Verify:
test passed on g12a u200

Change-Id: I5199289d3cd1483fffbbd41f8d104369214ba302
Signed-off-by: Jian Hu <jian.hu@amlogic.com>
2019-02-26 18:13:09 +09:00
Xingyu Chen
1eaaf0c9de pinctrl: meson: add gen_clk_ee/ao pin groups for G12A/B [1/1]
PD#OTT-1025

Problem:
don't support gen_clk_ee and gen_clk_ao pin groups

Solution:
add gen_clk_ee/ao pin groups according to the corepinmux document

Verify:
test pass on U200

Change-Id: Ia3e61079def285c482d8dc4957b5f9e7db35847d
Signed-off-by: Xingyu Chen <xingyu.chen@amlogic.com>
2019-02-26 18:13:09 +09:00
tao zeng
76789cadf7 mm: optimize thread stack usage on arm64 [1/1]
PD#SWPL-1219

Problem:
On arm64, thread stack is 16KB for each task. If the number of running
tasks is large, this type of memory may exceed 40MB. That is a large amount on
a small memory platform, but in most cases a thread only uses less than 4KB of stack.
It's a waste of memory and we need to optimize it.

Solution:
1. Pre-allocate a vmalloc address space for task stack;
2. Only map the 1st page for the stack and handle the page fault in EL1
   when stack growth triggers an exception;
3. handle stack switch for exception.

Verify:
p212

Change-Id: I47f511ccfa2868d982bc10a820ed6435b6d52ba9
Signed-off-by: tao zeng <tao.zeng@amlogic.com>
2019-02-26 18:13:09 +09:00
Jihong Sui
19cd66c4b6 deinterlace: deinterlace: fix coverity error [1/1]
PD#SWPL-2863

Problem:
cdev_add without checking return value.

Solution:
add check

Verify:
p212

Change-Id: Ib1d96f6e5ee07dd28f67eb4ee77acb6580a1f877
Signed-off-by: Jihong Sui <jihong.sui@amlogic.com>
2019-02-26 18:13:09 +09:00
Jihong Sui
2085c6c8e1 deinterlace: deinterlace: set post_ctrl when no mirror [1/1]
PD#SWPL-1076

Problem:
Kplayer 4KDemo.mp4, show green screen.

Solution:
add DI_IF1_GEN_REG set when no mirror

Verify:
p212

Change-Id: I2cfb27068393832fb47498ebdb9b93349f1fe635
Signed-off-by: Jihong Sui <jihong.sui@amlogic.com>
2019-02-26 18:13:09 +09:00
Pengcheng Chen
35bd3f85f6 osd: add osd log module control [2/2]
PD#SWPL-2551

Problem:
add osd log module control

Solution:
add osd log module control

Verify:
verified on P212

Change-Id: Iadbf795cb7afe4ddcab0f9283b9c7f542eca0b29
Signed-off-by: Pengcheng Chen <pengcheng.chen@amlogic.com>
2019-02-26 18:13:09 +09:00
Jian Cao
ae2cfc82eb osd: range of mouse is wrong under 4K mode [1/2]
PD#SWPL-2551

Problem:
range of mouse is wrong under 4K mode

Solution:
new cursor coordinate params without using scale;
add osd_cursor_hw_no_scale() to deal with it.

Verify:
verified on P212

Change-Id: I1748df569b96522eb58dc00af862983bca17815a
Signed-off-by: Jian Cao <jian.cao@amlogic.com>
2019-02-26 18:13:09 +09:00
Tao Guo
79327826e1 media: add get free handle cmd [4/9]
PD#SWPL-1081

Problem:
Need get freed handle for DRM frame mode

Solution:
Add ioctl cmd to get freed handle

Verify:
P212

Change-Id: Ic0ce64061e334fdea5580d9f92b3e0b58caa88eb
Signed-off-by: Tao Guo <tao.guo@amlogic.com>
2019-02-26 18:13:09 +09:00
Evoke Zhang
9bf6dd1786 lcd: mipi_dsi: update clk_post timing for dphy [1/1]
PD#SWPL-2436

Problem:
sometimes the dphy clk_post does not match the spec

Solution:
update clk_post config

Verify:
w400

Change-Id: Ib6b585f833bf923e72109991509915f4ad35d316
Signed-off-by: Evoke Zhang <evoke.zhang@amlogic.com>
2019-02-26 18:13:09 +09:00
Zongdong Jiao
8bdb61f1ec hdmitx: parse colorattribute from uboot [2/2]
PD#SWPL-2181

Problem:
For some Rx, if the Tx cold boots up, the HPD cannot be obtained in uboot.
That is to say, the output mode is CVBS in uboot, even if the HDMI cable is
connected. Then during kernel boot-up, it will reset to hdmi mode.
During Android boot-up, it will set hdmi mode again. Setting
hdmi mode twice may cause TV flicker.

Solution:
Add parsing of colorattribute from uboot and assign $attr to prevent
the second Android mode setting.

Verify:
S905X/P212

Change-Id: I665227bc3e8481acb40c34dde2f5cb3c633c64a2
Signed-off-by: Zongdong Jiao <zongdong.jiao@amlogic.com>
2019-02-26 18:13:09 +09:00
bichao.zheng
a08c296467 arm: dts: fix wifi 32K Frequency offset [2/2]
PD#SWPL-2623

Problem:
wifi 32K Frequency offset too large

Solution:
Modification cycle

Verify:
x301

Change-Id: I04724b0eacdffc1760b67689be373cb8f671a125
Signed-off-by: bichao.zheng <bichao.zheng@amlogic.com>

Conflicts:
	arch/arm/boot/dts/amlogic/tl1_t962x2_x301.dts
2019-02-26 18:13:09 +09:00
bichao.zheng
11a7f76221 arm64: dts: fix wifi 32K Frequency offset [2/1]
PD#SWPL-2623

Problem:
wifi 32K Frequency offset too large

Solution:
Modification cycle

Verify:
axg u211 p321 r311 p212

Change-Id: Ica04bec99ba2097918387a980b94dc007bb4eca4
Signed-off-by: bichao.zheng <bichao.zheng@amlogic.com>
2019-02-26 18:13:09 +09:00
Jihong Sui
5729bb56f5 deinterlace: reduce the screen flash when fast forward [1/1]
PD#SWPL-2188

Problem:
1.fast forward/rewind operation, the screen flashes

Solution:
1.add function to update MCDI_MCVECRD_CTRL[9]

Verify:
1.txl

Change-Id: I1bf8583901fa49c518cca74e7716632447adf32f
Signed-off-by: Jihong Sui <jihong.sui@amlogic.com>
2019-02-26 18:13:09 +09:00
Jian Hu
27d563b9bc clk: gxl: correct saradc clock id when checking saradc clock [1/1]
PD#OTT-944

Problem:
saradc check the wrong clock id.

Solution:
correct saradc id.

Verify:
verified on P212 board

Change-Id: I7fdde80c21228e45ec165252549bf4ca5f21bd67
Signed-off-by: Jian Hu <jian.hu@amlogic.com>
2019-02-26 18:13:09 +09:00
Daogao Xu
aba647b757 video: add fast and slow playback support [1/1]
PD#SWPL-1690

Problem:
YouTube requires support playback rate 0.25, 0.50, 1.00, 1.25, 1.50,
2.00

Solution:
vsync_slow_factor can be used to slow playback; extend its value to
support fast playback

Verify:
mesongxl_p212_32_kernel49

Change-Id: I94589a210b8531cc198414b3017c3caf82827565
Signed-off-by: Daogao Xu <daogao.xu@amlogic.com>
2019-02-26 18:13:09 +09:00
wenfeng.guo
a064612c42 vpp: fix vpp coverity error [1/1]
PD#SWPL-2458

Problem:
vpp has coverity error

Solution:
fix vpp coverity error

Verify:
r311

Change-Id: Ic755420107b72fa0a56d73e288b708ab421f7609
Signed-off-by: Wenfeng Guo <wenfeng.guo@amlogic.com>
2019-02-26 18:13:09 +09:00
Jiacheng Mei
744e1b6c69 dts: reduce isp memory usage [1/1]
PD#SWPL-2512

Problem:
isp reserved mem too large

Solution:
reduce isp mem to 256M

Verify:
A311D-W400

Change-Id: I33ee2872daf961da5f0ba4ba4810b0ac9690e45f
Signed-off-by: Jiacheng Mei <jiacheng.mei@amlogic.com>
2019-02-26 18:13:09 +09:00
Bencheng Jing
b0e61d50db amvecm: fix dnlp read scurv_mid2 debug interface error [1/1]
PD#SWPL-2448

Problem:
can not read dnlp scurv_mid2 value

Solution:
fix the error

Verify:
t962x_r311

Change-Id: I7a7df769dd117fd83164065f6df8e3ae82c2499f
Signed-off-by: Bencheng Jing <bencheng.jing@amlogic.com>
2019-02-26 18:13:09 +09:00
Guosong Zhou
d4391d7d16 picdec: add mmap interface for picdec [2/2]
PD#SWPL-2280

Problem:
play picture crash

Solution:
add mmap interface for picdec

Verify:
verify by p321

Change-Id: Ib278de80035b0404884315e29fe933cd8f4b6cfe
Signed-off-by: Guosong Zhou <guosong.zhou@amlogic.com>
2019-02-26 18:00:39 +09:00
Mauro (mdrjr) Ribeiro
c96db883a1 Merge tag 'v4.9.160' of git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable into odroidn2-4.9.y
This is the 4.9.160 stable release
2019-02-25 05:49:52 -03:00
Mauro (mdrjr) Ribeiro
b8fc2fa121 Merge tag 'v4.9.159' of git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable into odroidn2-4.9.y
This is the 4.9.159 stable release
2019-02-25 05:49:30 -03:00
Mauro (mdrjr) Ribeiro
a71f18485f Merge tag 'v4.9.158' of git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable into odroidn2-4.9.y
This is the 4.9.158 stable release
2019-02-25 05:49:05 -03:00
Mauro (mdrjr) Ribeiro
039a2ed13b Merge tag 'v4.9.157' of git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable into odroidn2-4.9.y
This is the 4.9.157 stable release
2019-02-25 05:48:43 -03:00
Mauro (mdrjr) Ribeiro
1da441a5ba ODROID-N2: config: enable UAS
Change-Id: Idbb302e3ff68f054d6d9d33519e099b408c1f36e
2019-02-25 05:47:15 -03:00
Mauro Ribeiro
463bedbced Merge "BACKPORT: USB Audio: add support for additional DSD raw capable devices" into odroidn2-4.9.y
2019-02-25 17:41:12 +09:00
Dongjin Kim
1251ca1b06 BACKPORT: USB Audio: add support for additional DSD raw capable devices
Change-Id: If1a619e86f6c0f0893a8ce1d65fd8fe6c8f97b8c
Signed-off-by: Gé Koerkamp <ge.koerkamp@gmail.com>
Signed-off-by: Dongjin Kim <tobetter@gmail.com>
2019-02-25 10:54:38 +09:00
Dongjin Kim
0ab894855c ODROID-N2: config: enable 'CONFIG_FHANDLE' for systemd
Change-Id: I14f31de80b8bfca404bde3eda147adb7c8a1433b
Signed-off-by: Dongjin Kim <tobetter@gmail.com>
2019-02-25 00:38:10 +09:00
Greg Kroah-Hartman
badcc565e1 Linux 4.9.160
2019-02-23 09:05:59 +01:00
Eric Dumazet
b5a50669d2 ax25: fix possible use-after-free
commit 63530aba78 upstream.

syzbot found that ax25 routes were not properly protected
against concurrent use [1].

In this particular report the bug happened while
copying ax25->digipeat.

Fix this problem by making sure we call ax25_get_route()
while ax25_route_lock is held, so that no modification
could happen while using the route.

The current two ax25_get_route() callers do not sleep,
so this change should be fine.

Once we do that, ax25_get_route() no longer needs to
grab a reference on the found route.

[1]
ax25_connect(): syz-executor0 uses autobind, please contact jreuter@yaina.de
BUG: KASAN: use-after-free in memcpy include/linux/string.h:352 [inline]
BUG: KASAN: use-after-free in kmemdup+0x42/0x60 mm/util.c:113
Read of size 66 at addr ffff888066641a80 by task syz-executor2/531

CPU: 1 PID: 531 Comm: syz-executor2 Not tainted 5.0.0-rc2+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x123/0x190 mm/kasan/generic.c:191
 memcpy+0x24/0x50 mm/kasan/common.c:130
 memcpy include/linux/string.h:352 [inline]
 kmemdup+0x42/0x60 mm/util.c:113
 kmemdup include/linux/string.h:425 [inline]
 ax25_rt_autobind+0x25d/0x750 net/ax25/ax25_route.c:424
 ax25_connect.cold+0x30/0xa4 net/ax25/af_ax25.c:1224
 __sys_connect+0x357/0x490 net/socket.c:1664
 __do_sys_connect net/socket.c:1675 [inline]
 __se_sys_connect net/socket.c:1672 [inline]
 __x64_sys_connect+0x73/0xb0 net/socket.c:1672
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Allocated by task 526:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:496 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
 kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3609
 kmalloc include/linux/slab.h:545 [inline]
 ax25_rt_add net/ax25/ax25_route.c:95 [inline]
 ax25_rt_ioctl+0x3b9/0x1270 net/ax25/ax25_route.c:233
 ax25_ioctl+0x322/0x10b0 net/ax25/af_ax25.c:1763
 sock_do_ioctl+0xe2/0x400 net/socket.c:950
 sock_ioctl+0x32f/0x6c0 net/socket.c:1074
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x107b/0x17d0 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 550:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kfree+0xcf/0x230 mm/slab.c:3806
 ax25_rt_add net/ax25/ax25_route.c:92 [inline]
 ax25_rt_ioctl+0x304/0x1270 net/ax25/ax25_route.c:233
 ax25_ioctl+0x322/0x10b0 net/ax25/af_ax25.c:1763
 sock_do_ioctl+0xe2/0x400 net/socket.c:950
 sock_ioctl+0x32f/0x6c0 net/socket.c:1074
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x107b/0x17d0 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888066641a80
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 0 bytes inside of
 96-byte region [ffff888066641a80, ffff888066641ae0)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-02-23 09:05:59 +01:00
Eric Dumazet
f6f281bb15 mISDN: fix a race in dev_expire_timer()
commit bdcc5bc255 upstream.

Since mISDN_close() uses dev->pending to iterate over active
timers, there is a chance that one timer got removed from the
->pending list in dev_expire_timer() but that the thread
has not yet called wake_up_interruptible().

So mISDN_close() could miss this and free dev before
completion of at least one dev_expire_timer().

syzbot was able to catch this race:

BUG: KASAN: use-after-free in register_lock_class+0x140c/0x1bf0 kernel/locking/lockdep.c:827
Write of size 8 at addr ffff88809fc18948 by task syz-executor1/24769

CPU: 1 PID: 24769 Comm: syz-executor1 Not tainted 5.0.0-rc5 #60
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:140
 register_lock_class+0x140c/0x1bf0 kernel/locking/lockdep.c:827
 __lock_acquire+0x11f/0x4700 kernel/locking/lockdep.c:3224
 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3841
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152
 __wake_up_common_lock+0xc7/0x190 kernel/sched/wait.c:120
 __wake_up+0xe/0x10 kernel/sched/wait.c:145
 dev_expire_timer+0xe4/0x3b0 drivers/isdn/mISDN/timerdev.c:174
 call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
 expire_timers kernel/time/timer.c:1362 [inline]
 __run_timers kernel/time/timer.c:1681 [inline]
 __run_timers kernel/time/timer.c:1649 [inline]
 run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
 __do_softirq+0x266/0x95a kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x180/0x1d0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
 </IRQ>
 PageIdle include/linux/page-flags.h:398 [inline]
 page_is_idle include/linux/page_idle.h:29 [inline]
 mark_page_accessed+0x618/0x1140 mm/swap.c:398
 touch_buffer fs/buffer.c:59 [inline]
 __find_get_block+0x312/0xcc0 fs/buffer.c:1298
 sb_find_get_block include/linux/buffer_head.h:338 [inline]
 recently_deleted fs/ext4/ialloc.c:682 [inline]
 find_inode_bit.isra.0+0x202/0x510 fs/ext4/ialloc.c:722
 __ext4_new_inode+0x14ad/0x52c0 fs/ext4/ialloc.c:914
 ext4_symlink+0x3f8/0xbe0 fs/ext4/namei.c:3096
 vfs_symlink fs/namei.c:4126 [inline]
 vfs_symlink+0x378/0x5d0 fs/namei.c:4112
 do_symlinkat+0x22b/0x290 fs/namei.c:4153
 __do_sys_symlink fs/namei.c:4172 [inline]
 __se_sys_symlink fs/namei.c:4170 [inline]
 __x64_sys_symlink+0x59/0x80 fs/namei.c:4170
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Allocated by task 24763:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:496 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
 kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3609
 kmalloc include/linux/slab.h:545 [inline]
 mISDN_open+0x9a/0x270 drivers/isdn/mISDN/timerdev.c:59
 misc_open+0x398/0x4c0 drivers/char/misc.c:141
 chrdev_open+0x247/0x6b0 fs/char_dev.c:417
 do_dentry_open+0x47d/0x1130 fs/open.c:771
 vfs_open+0xa0/0xd0 fs/open.c:880
 do_last fs/namei.c:3418 [inline]
 path_openat+0x10d7/0x4690 fs/namei.c:3534
 do_filp_open+0x1a1/0x280 fs/namei.c:3564
 do_sys_open+0x3fe/0x5d0 fs/open.c:1063
 __do_sys_openat fs/open.c:1090 [inline]
 __se_sys_openat fs/open.c:1084 [inline]
 __x64_sys_openat+0x9d/0x100 fs/open.c:1084
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 24762:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kfree+0xcf/0x230 mm/slab.c:3806
 mISDN_close+0x2a1/0x390 drivers/isdn/mISDN/timerdev.c:97
 __fput+0x2df/0x8d0 fs/file_table.c:278
 ____fput+0x16/0x20 fs/file_table.c:309
 task_work_run+0x14a/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809fc18900
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 72 bytes inside of
 192-byte region [ffff88809fc18900, ffff88809fc189c0)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Karsten Keil <isdn@linux-pingi.de>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-02-23 09:05:59 +01:00