When gadget is disconnected, running sequence is like this.
. composite_disconnect
. Call trace:
usb_string_copy+0xd0/0x128
gadget_config_name_configuration_store+0x4
gadget_config_name_attr_store+0x40/0x50
configfs_write_file+0x198/0x1f4
vfs_write+0x100/0x220
SyS_write+0x58/0xa8
. configfs_composite_unbind
. configfs_composite_bind
In configfs_composite_bind, it has
"cn->strings.s = cn->configuration;"
When usb_string_copy is invoked. it would
allocate memory, copy input string, release previous pointed memory space,
and use new allocated memory.
When gadget is connected, host sends down request to get information.
Call trace:
usb_gadget_get_string+0xec/0x168
lookup_string+0x64/0x98
composite_setup+0xa34/0x1ee8
If gadget is disconnected and connected quickly, in the failed case,
cn->configuration memory has been released by usb_string_copy kfree but
configfs_composite_bind hasn't been run in time to assign new allocated
"cn->configuration" pointer to "cn->strings.s".
When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling
memory is accessed, "BUG: KASAN: use-after-free" error occurs.
BUG=chrome-os-partner:58412
TEST=After smaug device was connected to ubuntu PC host, detached and attached
type-C cable quickly several times without seeing
"BUG: KASAN: use-after-free in usb_gadget_get_string".
Change-Id: I58240ee7c55ae8f8fb8597d14f09c5ac07abb032
Signed-off-by: Jim Lin <jilin@nvidia.com>
Reviewed-on: https://chromium-review.googlesource.com/428059
Commit-Ready: Jim Lin <jilin%nvidia.com@gtempaccount.com>
Tested-by: Jim Lin <jilin%nvidia.com@gtempaccount.com>
Reviewed-by: Adrian Salido <salidoa@google.com>
Reviewed-by: Benson Leung <bleung@chromium.org>
Git-repo: https://chromium.googlesource.com/chromiumos/third_party/kernel
Git-commit: a7b597d255d70f6f0c6bfdfb7e4e04f67fcebf9d
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Signed-off-by: Tao Huang <huangtao@rock-chips.com>
(cherry picked from https://android.googlesource.com/kernel/msm
commit fcf0e822fce098b27b6735d96e5414d6ff8de762)
Change port_mux/layer_sel register as less as possible.
Change-Id: I7436cafcb9dd40ae9495091a08b0df479a79c978
Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
The pipe clk of rk3568 is used for PIPE_GRF module, we
need to manage this clk so that the USB IP can access
the registers of PIPE_GRF.
Change-Id: I9ebfd5d25bdf1e95a9c5a3390b1030aed5f5c7ba
Signed-off-by: William Wu <william.wu@rock-chips.com>
This patch to generate the rk3568-pinctrl.dtsi again by pin2dts tool
which has been updated with some bugs fixed, such as lack of comment
for some nodes.
Now the pin2dts can generate the auto part of pinctrl file absolutely,
changes including:
* file header
/SPDX-License head
/#include <something>
&pinctrl {
};
* full rules
make the auto part can be generated by rules without any handly modify
special case: pwm4 which may be matched as pw-m4, that means the module
is pw and its mux mode is m4.
Change-Id: Ia92668ab938c1c05dfe430cf67b6f73bafaa31c3
Signed-off-by: Jianqun Xu <jay.xu@rock-chips.com>
There is a case, the app may call s_ctrl before device power on,
pm_runtime_get will increment usage counter and call Sensor_runtime_resume,
but when the s_ctrl function judges that the return value of pm_runtime_get
is less than or equal to 0, it returns directly, causing pm_runtime_put
not to be executed. so device can't be suspended.
pm_runtime_get_if_in_use increment the device's counter when runtime PM status
is RPM_ACTIVE and the runtime PM usage counter is nonzero.
so used pm_runtime_get_if_in_use can avoid usage counter error.
Signed-off-by: Zefa Chen <zefa.chen@rock-chips.com>
Change-Id: I4e61cdefafd82083f2628f67181a6bb2eee50507
This patch support to disable u3 root port for USB3.0 controller
if needed. Such as RK3568 EVB6 USB3.0 OTG1 xHCI controller, it
only used USB2.0 PHY, so we need to disable u3 port by set the
xHCI u3 port number to zero and select the clk_usb3otg0_utmi for
source clk at the same time.
Change-Id: I4aee7cc0d2947e478ff7437e47e329411e67297c
Signed-off-by: William Wu <william.wu@rock-chips.com>
This patch add new property to disable u3 root port for
usb3.0 controller if we want to force the controller
to u2 only mode.
Change-Id: I53da3a7816585f1d3f9ac7fd3ee5ba8ba323eff1
Signed-off-by: William Wu <william.wu@rock-chips.com>
A workaround to avoid display image shift on
screen when window enable.
Change-Id: I37064f580f7050997b521282d9cbae4193ace05d
Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
Add optee node to supply OP-TEE required properties.
/optee node is supposed to be below /firmware node.
Signed-off-by: Hisping Lin <hisping.lin@rock-chips.com>
Change-Id: Ib7a96ea6b72915703ae3a9595a32fd84802c7a22
default enable mipi camera ov5695,
disable dvp camera gc2145;
for dvp camrea pinctrl conflicts with gmac1 & ov5695
Signed-off-by: Wang Panzhenzhuan <randy.wang@rock-chips.com>
Change-Id: I74697200539249e006e505af2e69cec2300b25ec
This is needed by rk3566 rkg11 2k tablet LCD power supply.
Signed-off-by: Jason Song <sxj@rock-chips.com>
Change-Id: I0a752a92f62b4e72e8778a62ffaabf6fb3cf793f
if sdcard detect pin active status is low, forcejtag must be 0.
Signed-off-by: Weixin Zhou <zwx@rock-chips.com>
Change-Id: I653693e92422b191539d11ba498a4c14a4ccd117
We don't need to check cmd conflict, so remove it.
Change-Id: Ied0619820395b5354b2fe892d7986217426a3e82
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
This setting will be lost during deep suspend in case of powering
off the controller. So we need to always recovery it when calling
resume hook. But .set_clock() will be awlays called whenever the
driver's probed or resumed. So we move it there.
Change-Id: I65ccc04241db04cf84486a43fe5954f20e3cc95d
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
sdhci aims for emmc but keep-power-in-suspend is for sdio devices.
Change-Id: If70e8d450df607811149a580c273ebcdfb9e3592
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
