1. 11 3月, 2018 2 次提交
  2. 10 3月, 2018 1 次提交
  3. 24 2月, 2018 5 次提交
  4. 18 2月, 2018 1 次提交
  5. 17 2月, 2018 4 次提交
    • L
      iio: adis_lib: Initialize trigger before requesting interrupt · f027e0b3
      Lars-Peter Clausen 提交于
      The adis_probe_trigger() creates a new IIO trigger and requests an
      interrupt associated with the trigger. The interrupt uses the generic
      iio_trigger_generic_data_rdy_poll() function as its interrupt handler.
      
      Currently the driver initializes some fields of the trigger structure after
      the interrupt has been requested. But an interrupt can fire as soon as it
      has been requested. This opens up a race condition.
      
      iio_trigger_generic_data_rdy_poll() will access the trigger data structure
      and dereference the ops field. If the ops field is not yet initialized this
      will result in a NULL pointer deref.
      
      It is not expected that the device generates an interrupt at this point, so
      typically this issue did not surface unless e.g. due to a hardware
      misconfiguration (wrong interrupt number, wrong polarity, etc.).
      
      But some newer devices from the ADIS family start to generate periodic
      interrupts in their power-on reset configuration and unfortunately the
      interrupt can not be masked in the device.  This makes the race condition
      much more visible and the following crash has been observed occasionally
      when booting a system using the ADIS16460.
      
      	Unable to handle kernel NULL pointer dereference at virtual address 00000008
      	pgd = c0004000
      	[00000008] *pgd=00000000
      	Internal error: Oops: 5 [#1] PREEMPT SMP ARM
      	Modules linked in:
      	CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.0-04126-gf9739f0-dirty #257
      	Hardware name: Xilinx Zynq Platform
      	task: ef04f640 task.stack: ef050000
      	PC is at iio_trigger_notify_done+0x30/0x68
      	LR is at iio_trigger_generic_data_rdy_poll+0x18/0x20
      	pc : [<c042d868>]    lr : [<c042d924>]    psr: 60000193
      	sp : ef051bb8  ip : 00000000  fp : ef106400
      	r10: c081d80a  r9 : ef3bfa00  r8 : 00000087
      	r7 : ef051bec  r6 : 00000000  r5 : ef3bfa00  r4 : ee92ab00
      	r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : ee97e400
      	Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment none
      	Control: 18c5387d  Table: 0000404a  DAC: 00000051
      	Process swapper/0 (pid: 1, stack limit = 0xef050210)
      	[<c042d868>] (iio_trigger_notify_done) from [<c0065b10>] (__handle_irq_event_percpu+0x88/0x118)
      	[<c0065b10>] (__handle_irq_event_percpu) from [<c0065bbc>] (handle_irq_event_percpu+0x1c/0x58)
      	[<c0065bbc>] (handle_irq_event_percpu) from [<c0065c30>] (handle_irq_event+0x38/0x5c)
      	[<c0065c30>] (handle_irq_event) from [<c0068e28>] (handle_level_irq+0xa4/0x130)
      	[<c0068e28>] (handle_level_irq) from [<c0064e74>] (generic_handle_irq+0x24/0x34)
      	[<c0064e74>] (generic_handle_irq) from [<c021ab7c>] (zynq_gpio_irqhandler+0xb8/0x13c)
      	[<c021ab7c>] (zynq_gpio_irqhandler) from [<c0064e74>] (generic_handle_irq+0x24/0x34)
      	[<c0064e74>] (generic_handle_irq) from [<c0065370>] (__handle_domain_irq+0x5c/0xb4)
      	[<c0065370>] (__handle_domain_irq) from [<c000940c>] (gic_handle_irq+0x48/0x8c)
      	[<c000940c>] (gic_handle_irq) from [<c0013e8c>] (__irq_svc+0x6c/0xa8)
      
      To fix this make sure that the trigger is fully initialized before
      requesting the interrupt.
      
      Fixes: ccd2b52f ("staging:iio: Add common ADIS library")
      Reported-by: NRobin Getz <Robin.Getz@analog.com>
      Signed-off-by: NLars-Peter Clausen <lars@metafoo.de>
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: NJonathan Cameron <Jonathan.Cameron@huawei.com>
      f027e0b3
    • L
      staging: android: ion: Zero CMA allocated memory · 6d79bd5b
      Liam Mark 提交于
      Since commit 204f6722 ("staging: android: ion: Use CMA APIs directly")
      the CMA API is now used directly and therefore the allocated memory is no
      longer automatically zeroed.
      
      Explicitly zero CMA allocated memory to ensure that no data is exposed to
      userspace.
      
      Fixes: 204f6722 ("staging: android: ion: Use CMA APIs directly")
      Signed-off-by: NLiam Mark <lmark@codeaurora.org>
      Acked-by: NLaura Abbott <labbott@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6d79bd5b
    • B
      staging: android: ashmem: Fix a race condition in pin ioctls · ce8a3a9e
      Ben Hutchings 提交于
      ashmem_pin_unpin() reads asma->file and asma->size before taking the
      ashmem_mutex, so it can race with other operations that modify them.
      
      Build-tested only.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ce8a3a9e
    • A
      staging: fsl-mc: fix build testing on x86 · 02b7b284
      Arnd Bergmann 提交于
      Selecting GENERIC_MSI_IRQ_DOMAIN on x86 causes a compile-time error in
      some configurations:
      
      drivers/base/platform-msi.c:37:19: error: field 'arg' has incomplete type
      
      On the other architectures, we are fine, but here we should have an additional
      dependency on X86_LOCAL_APIC so we can get the PCI_MSI_IRQ_DOMAIN symbol.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      02b7b284
  6. 12 2月, 2018 1 次提交
    • L
      vfs: do bulk POLL* -> EPOLL* replacement · a9a08845
      Linus Torvalds 提交于
      This is the mindless scripted replacement of kernel use of POLL*
      variables as described by Al, done by this script:
      
          for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
              L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
              for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
          done
      
      with de-mangling cleanups yet to come.
      
      NOTE! On almost all architectures, the EPOLL* constants have the same
      values as the POLL* constants do.  But they keyword here is "almost".
      For various bad reasons they aren't the same, and epoll() doesn't
      actually work quite correctly in some cases due to this on Sparc et al.
      
      The next patch from Al will sort out the final differences, and we
      should be all done.
      Scripted-by: NAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a9a08845
  7. 10 2月, 2018 10 次提交
  8. 09 2月, 2018 10 次提交
  9. 08 2月, 2018 6 次提交