1. 18 10月, 2019 1 次提交
  2. 19 9月, 2019 2 次提交
  3. 29 8月, 2019 1 次提交
  4. 07 8月, 2019 1 次提交
    • M
      gpiolib: fix incorrect IRQ requesting of an active-low lineevent · fdb0fb56
      Michael Wu 提交于
      commit 223ecaf140b1dd1c1d2a1a1d96281efc5c906984 upstream.
      
      When a pin is active-low, logical trigger edge should be inverted to match
      the same interrupt opportunity.
      
      For example, a button pushed triggers falling edge in ACTIVE_HIGH case; in
      ACTIVE_LOW case, the button pushed triggers rising edge. For user space the
      IRQ requesting doesn't need to do any modification except to configuring
      GPIOHANDLE_REQUEST_ACTIVE_LOW.
      
      For example, we want to catch the event when the button is pushed. The
      button on the original board drives level to be low when it is pushed, and
      drives level to be high when it is released.
      
      In user space we can do:
      
      	req.handleflags = GPIOHANDLE_REQUEST_INPUT;
      	req.eventflags = GPIOEVENT_REQUEST_FALLING_EDGE;
      
      	while (1) {
      		read(fd, &dat, sizeof(dat));
      		if (dat.id == GPIOEVENT_EVENT_FALLING_EDGE)
      			printf("button pushed\n");
      	}
      
      Run the same logic on another board which the polarity of the button is
      inverted; it drives level to be high when pushed, and level to be low when
      released. For this inversion we add flag GPIOHANDLE_REQUEST_ACTIVE_LOW:
      
      	req.handleflags = GPIOHANDLE_REQUEST_INPUT |
      		GPIOHANDLE_REQUEST_ACTIVE_LOW;
      	req.eventflags = GPIOEVENT_REQUEST_FALLING_EDGE;
      
      At the result, there are no any events caught when the button is pushed.
      By the way, button releasing will emit a "falling" event. The timing of
      "falling" catching is not expected.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NMichael Wu <michael.wu@vatics.com>
      Tested-by: NBartosz Golaszewski <bgolaszewski@baylibre.com>
      Signed-off-by: NBartosz Golaszewski <bgolaszewski@baylibre.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fdb0fb56
  5. 26 7月, 2019 1 次提交
  6. 13 2月, 2019 1 次提交
    • M
      gpiolib: Fix possible use after free on label · 3555de57
      Muchun Song 提交于
      [ Upstream commit 18534df419041e6c1f4b41af56ee7d41f757815c ]
      
      gpiod_request_commit() copies the pointer to the label passed as
      an argument only to be used later. But there's a chance the caller
      could immediately free the passed string(e.g., local variable).
      This could trigger a use after free when we use gpio label(e.g.,
      gpiochip_unlock_as_irq(), gpiochip_is_requested()).
      
      To be on the safe side: duplicate the string with kstrdup_const()
      so that if an unaware user passes an address to a stack-allocated
      buffer, we won't get the arbitrary label.
      
      Also fix gpiod_set_consumer_name().
      Signed-off-by: NMuchun Song <smuchun@gmail.com>
      Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3555de57
  7. 07 2月, 2019 1 次提交
  8. 01 12月, 2018 1 次提交
  9. 10 10月, 2018 1 次提交
    • S
      gpio: Assign gpio_irq_chip::parents to non-stack pointer · 3e779a2e
      Stephen Boyd 提交于
      gpiochip_set_cascaded_irqchip() is passed 'parent_irq' as an argument
      and then the address of that argument is assigned to the gpio chips
      gpio_irq_chip 'parents' pointer shortly thereafter. This can't ever
      work, because we've just assigned some stack address to a pointer that
      we plan to dereference later in gpiochip_irq_map(). I ran into this
      issue with the KASAN report below when gpiochip_irq_map() tried to setup
      the parent irq with a total junk pointer for the 'parents' array.
      
      BUG: KASAN: stack-out-of-bounds in gpiochip_irq_map+0x228/0x248
      Read of size 4 at addr ffffffc0dde472e0 by task swapper/0/1
      
      CPU: 7 PID: 1 Comm: swapper/0 Not tainted 4.14.72 #34
      Call trace:
      [<ffffff9008093638>] dump_backtrace+0x0/0x718
      [<ffffff9008093da4>] show_stack+0x20/0x2c
      [<ffffff90096b9224>] __dump_stack+0x20/0x28
      [<ffffff90096b91c8>] dump_stack+0x80/0xbc
      [<ffffff900845a350>] print_address_description+0x70/0x238
      [<ffffff900845a8e4>] kasan_report+0x1cc/0x260
      [<ffffff900845aa14>] __asan_report_load4_noabort+0x2c/0x38
      [<ffffff900897e098>] gpiochip_irq_map+0x228/0x248
      [<ffffff900820cc08>] irq_domain_associate+0x114/0x2ec
      [<ffffff900820d13c>] irq_create_mapping+0x120/0x234
      [<ffffff900820da78>] irq_create_fwspec_mapping+0x4c8/0x88c
      [<ffffff900820e2d8>] irq_create_of_mapping+0x180/0x210
      [<ffffff900917114c>] of_irq_get+0x138/0x198
      [<ffffff9008dc70ac>] spi_drv_probe+0x94/0x178
      [<ffffff9008ca5168>] driver_probe_device+0x51c/0x824
      [<ffffff9008ca6538>] __device_attach_driver+0x148/0x20c
      [<ffffff9008ca14cc>] bus_for_each_drv+0x120/0x188
      [<ffffff9008ca570c>] __device_attach+0x19c/0x2dc
      [<ffffff9008ca586c>] device_initial_probe+0x20/0x2c
      [<ffffff9008ca18bc>] bus_probe_device+0x80/0x154
      [<ffffff9008c9b9b4>] device_add+0x9b8/0xbdc
      [<ffffff9008dc7640>] spi_add_device+0x1b8/0x380
      [<ffffff9008dcbaf0>] spi_register_controller+0x111c/0x1378
      [<ffffff9008dd6b10>] spi_geni_probe+0x4dc/0x6f8
      [<ffffff9008cab058>] platform_drv_probe+0xdc/0x130
      [<ffffff9008ca5168>] driver_probe_device+0x51c/0x824
      [<ffffff9008ca59cc>] __driver_attach+0x100/0x194
      [<ffffff9008ca0ea8>] bus_for_each_dev+0x104/0x16c
      [<ffffff9008ca58c0>] driver_attach+0x48/0x54
      [<ffffff9008ca1edc>] bus_add_driver+0x274/0x498
      [<ffffff9008ca8448>] driver_register+0x1ac/0x230
      [<ffffff9008caaf6c>] __platform_driver_register+0xcc/0xdc
      [<ffffff9009c4b33c>] spi_geni_driver_init+0x1c/0x24
      [<ffffff9008084cb8>] do_one_initcall+0x240/0x3dc
      [<ffffff9009c017d0>] kernel_init_freeable+0x378/0x468
      [<ffffff90096e8240>] kernel_init+0x14/0x110
      [<ffffff9008086fcc>] ret_from_fork+0x10/0x18
      
      The buggy address belongs to the page:
      page:ffffffbf037791c0 count:0 mapcount:0 mapping:          (null) index:0x0
      flags: 0x4000000000000000()
      raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
      raw: ffffffbf037791e0 ffffffbf037791e0 0000000000000000 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffffffc0dde47180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffffffc0dde47200: f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2
      >ffffffc0dde47280: f2 f2 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3
                                                             ^
       ffffffc0dde47300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffffffc0dde47380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      
      Let's leave around one unsigned int in the gpio_irq_chip struct for the
      single parent irq case and repoint the 'parents' array at it. This way
      code is left mostly intact to setup parents and we waste an extra few
      bytes per structure of which there should be only a handful in a system.
      
      Cc: Evan Green <evgreen@chromium.org>
      Cc: Thierry Reding <treding@nvidia.com>
      Cc: Grygorii Strashko <grygorii.strashko@ti.com>
      Fixes: e0d89728 ("gpio: Implement tighter IRQ chip integration")
      Signed-off-by: NStephen Boyd <swboyd@chromium.org>
      Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>
      3e779a2e
  10. 19 9月, 2018 1 次提交
  11. 11 8月, 2018 2 次提交
  12. 07 8月, 2018 1 次提交
  13. 30 7月, 2018 1 次提交
  14. 16 7月, 2018 2 次提交
  15. 13 7月, 2018 2 次提交
  16. 09 7月, 2018 3 次提交
  17. 18 6月, 2018 1 次提交
    • L
      gpio: Add API to explicitly name a consumer · 90b39402
      Linus Walleij 提交于
      The GPIO (descriptor) API registers a "label" naming what is
      currently using the GPIO line. Typically this is taken from
      things like the device tree node, so "reset-gpios" will result
      in he line being labeled "reset".
      
      The technical effect is pretty much zero: the use is for
      debug and introspection, such as "lsgpio" and debugfs files.
      
      However sometimes the user want this cuddly feeling of
      listing all GPIO lines and seeing exactly what they are for
      and it gives a very fulfilling sense of control. Especially
      in the cases when the device tree node doesn't provide a
      good name, or anonymous GPIO lines assigned just to
      "gpios" in the device tree because the usage is implicit.
      
      For these cases it may be nice to be able to label the
      line directly and explicitly.
      Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>
      90b39402
  18. 07 6月, 2018 1 次提交
    • K
      treewide: Use struct_size() for kmalloc()-family · acafe7e3
      Kees Cook 提交于
      One of the more common cases of allocation size calculations is finding
      the size of a structure that has a zero-sized array at the end, along
      with memory for some number of elements for that array. For example:
      
      struct foo {
          int stuff;
          void *entry[];
      };
      
      instance = kmalloc(sizeof(struct foo) + sizeof(void *) * count, GFP_KERNEL);
      
      Instead of leaving these open-coded and prone to type mistakes, we can
      now use the new struct_size() helper:
      
      instance = kmalloc(struct_size(instance, entry, count), GFP_KERNEL);
      
      This patch makes the changes for kmalloc()-family (and kvmalloc()-family)
      uses. It was done via automatic conversion with manual review for the
      "CHECKME" non-standard cases noted below, using the following Coccinelle
      script:
      
      // pkey_cache = kmalloc(sizeof *pkey_cache + tprops->pkey_tbl_len *
      //                      sizeof *pkey_cache->table, GFP_KERNEL);
      @@
      identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc";
      expression GFP;
      identifier VAR, ELEMENT;
      expression COUNT;
      @@
      
      - alloc(sizeof(*VAR) + COUNT * sizeof(*VAR->ELEMENT), GFP)
      + alloc(struct_size(VAR, ELEMENT, COUNT), GFP)
      
      // mr = kzalloc(sizeof(*mr) + m * sizeof(mr->map[0]), GFP_KERNEL);
      @@
      identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc";
      expression GFP;
      identifier VAR, ELEMENT;
      expression COUNT;
      @@
      
      - alloc(sizeof(*VAR) + COUNT * sizeof(VAR->ELEMENT[0]), GFP)
      + alloc(struct_size(VAR, ELEMENT, COUNT), GFP)
      
      // Same pattern, but can't trivially locate the trailing element name,
      // or variable name.
      @@
      identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc";
      expression GFP;
      expression SOMETHING, COUNT, ELEMENT;
      @@
      
      - alloc(sizeof(SOMETHING) + COUNT * sizeof(ELEMENT), GFP)
      + alloc(CHECKME_struct_size(&SOMETHING, ELEMENT, COUNT), GFP)
      Signed-off-by: NKees Cook <keescook@chromium.org>
      acafe7e3
  19. 24 5月, 2018 1 次提交
  20. 23 5月, 2018 1 次提交
  21. 16 5月, 2018 2 次提交
  22. 27 4月, 2018 1 次提交
  23. 26 4月, 2018 1 次提交
  24. 27 3月, 2018 3 次提交
  25. 02 3月, 2018 1 次提交
  26. 12 2月, 2018 1 次提交
    • L
      vfs: do bulk POLL* -> EPOLL* replacement · a9a08845
      Linus Torvalds 提交于
      This is the mindless scripted replacement of kernel use of POLL*
      variables as described by Al, done by this script:
      
          for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
              L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
              for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
          done
      
      with de-mangling cleanups yet to come.
      
      NOTE! On almost all architectures, the EPOLL* constants have the same
      values as the POLL* constants do.  But they keyword here is "almost".
      For various bad reasons they aren't the same, and epoll() doesn't
      actually work quite correctly in some cases due to this on Sparc et al.
      
      The next patch from Al will sort out the final differences, and we
      should be all done.
      Scripted-by: NAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a9a08845
  27. 23 1月, 2018 2 次提交
  28. 17 1月, 2018 2 次提交
  29. 12 1月, 2018 1 次提交
    • L
      gpio: Export devm_gpiod_get_from_of_node() for consumers · 92542edc
      Linus Walleij 提交于
      We have been holding back on adding an API for fetching GPIO handles
      directly from device nodes, strongly preferring to get it from the
      spawn devices instead.
      
      The fwnode interface however already contains an API for doing this,
      as it is used for opaque device tree nodes or ACPI nodes for getting
      handles to LEDs and keys that use GPIO: those are specified as one
      child per LED/key in the device tree and are not individual devices.
      
      However regulators present a special problem as they already have
      helper functions to traverse the device tree from a regulator node
      and two levels down to fill in data, and as it already traverses
      GPIO nodes in its own way, and already holds a pointer to each
      regulators device tree node, it makes most sense to export an
      API to fetch the GPIO descriptor directly from the node.
      
      We only support the devm_* version for now, hopefully no non-devres
      version will be needed.
      Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>
      92542edc