December 2020 - Linux-stable-mirror

patch "iio:light:rpr0521: Fix timestamp alignment and prevent data leak." added to staging-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio:light:rpr0521: Fix timestamp alignment and prevent data leak. to my staging git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git in the staging-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From a61817216bcc755eabbcb1cf281d84ccad267ed1 Mon Sep 17 00:00:00 2001 From: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> Date: Sun, 20 Sep 2020 12:27:35 +0100 Subject: iio:light:rpr0521: Fix timestamp alignment and prevent data leak. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv(). This data is allocated with kzalloc() so no data can leak apart from previous readings and in this case the status byte from the device. The forced alignment of ts is not necessary in this case but it potentially makes the code less fragile. >From personal communications with Mikko: We could probably split the reading of the int register, but it would mean a significant performance cost of 20 i2c clock cycles. Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer") Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> Reviewed-by: Alexandru Ardelean <alexandru.ardelean(a)analog.com> Cc: Mikko Koivunen <mikko.koivunen(a)fi.rohmeurope.com> Cc: <Stable(a)vger.kernel.org> Link: https://lore.kernel.org/r/20200920112742.170751-2-jic23@kernel.org --- drivers/iio/light/rpr0521.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/drivers/iio/light/rpr0521.c b/drivers/iio/light/rpr0521.c index aa2972b04833..31224a33bade 100644 --- a/drivers/iio/light/rpr0521.c +++ b/drivers/iio/light/rpr0521.c @@ -194,6 +194,17 @@ struct rpr0521_data { bool pxs_need_dis; struct regmap *regmap; + + /* + * Ensure correct naturally aligned timestamp. + * Note that the read will put garbage data into + * the padding but this should not be a problem + */ + struct { + __le16 channels[3]; + u8 garbage; + s64 ts __aligned(8); + } scan; }; static IIO_CONST_ATTR(in_intensity_scale_available, RPR0521_ALS_SCALE_AVAIL); @@ -449,8 +460,6 @@ static irqreturn_t rpr0521_trigger_consumer_handler(int irq, void *p) struct rpr0521_data *data = iio_priv(indio_dev); int err; - u8 buffer[16]; /* 3 16-bit channels + padding + ts */ - /* Use irq timestamp when reasonable. */ if (iio_trigger_using_own(indio_dev) && data->irq_timestamp) { pf->timestamp = data->irq_timestamp; @@ -461,11 +470,11 @@ static irqreturn_t rpr0521_trigger_consumer_handler(int irq, void *p) pf->timestamp = iio_get_time_ns(indio_dev); err = regmap_bulk_read(data->regmap, RPR0521_REG_PXS_DATA, - &buffer, + data->scan.channels, (3 * 2) + 1); /* 3 * 16-bit + (discarded) int clear reg. */ if (!err) iio_push_to_buffers_with_timestamp(indio_dev, - buffer, pf->timestamp); + &data->scan, pf->timestamp); else dev_err(&data->client->dev, "Trigger consumer can't read from sensor.\n"); -- 2.29.2

3 years, 7 months

1
0
0 0

patch "iio: buffer: Fix demux update" added to staging-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: buffer: Fix demux update to my staging git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git in the staging-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 19ef7b70ca9487773c29b449adf0c70f540a0aab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa(a)analog.com> Date: Thu, 12 Nov 2020 15:43:22 +0100 Subject: iio: buffer: Fix demux update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When updating the buffer demux, we will skip a scan element from the device in the case `in_ind != out_ind` and we enter the while loop. in_ind should only be refreshed with `find_next_bit()` in the end of the loop. Note, to cause problems we need a situation where we are skippig over an element (channel not enabled) that happens to not have the same size as the next element. Whilst this is a possible situation we haven't actually identified any cases in mainline where it happens as most drivers have consistent channel storage sizes with the exception of the timestamp which is the last element and hence never skipped over. Fixes: 5ada4ea9be16 ("staging:iio: add demux optionally to path from device to buffer") Signed-off-by: Nuno Sá <nuno.sa(a)analog.com> Link: https://lore.kernel.org/r/20201112144323.28887-1-nuno.sa@analog.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/industrialio-buffer.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c index 9663dec3dcf3..2f7426a2f47c 100644 --- a/drivers/iio/industrialio-buffer.c +++ b/drivers/iio/industrialio-buffer.c @@ -853,12 +853,12 @@ static int iio_buffer_update_demux(struct iio_dev *indio_dev, indio_dev->masklength, in_ind + 1); while (in_ind != out_ind) { - in_ind = find_next_bit(indio_dev->active_scan_mask, - indio_dev->masklength, - in_ind + 1); length = iio_storage_bytes_for_si(indio_dev, in_ind); /* Make sure we are aligned */ in_loc = roundup(in_loc, length) + length; + in_ind = find_next_bit(indio_dev->active_scan_mask, + indio_dev->masklength, + in_ind + 1); } length = iio_storage_bytes_for_si(indio_dev, in_ind); out_loc = roundup(out_loc, length); -- 2.29.2

3 years, 7 months

1
0
0 0

patch "iio: ad_sigma_delta: Don't put SPI transfer buffer on the stack" added to staging-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: ad_sigma_delta: Don't put SPI transfer buffer on the stack to my staging git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git in the staging-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 0fb6ee8d0b5e90b72f870f76debc8bd31a742014 Mon Sep 17 00:00:00 2001 From: Lars-Peter Clausen <lars(a)metafoo.de> Date: Tue, 24 Nov 2020 14:38:07 +0200 Subject: iio: ad_sigma_delta: Don't put SPI transfer buffer on the stack Use a heap allocated memory for the SPI transfer buffer. Using stack memory can corrupt stack memory when using DMA on some systems. This change moves the buffer from the stack of the trigger handler call to the heap of the buffer of the state struct. The size increases takes into account the alignment for the timestamp, which is 8 bytes. The 'data' buffer is split into 'tx_buf' and 'rx_buf', to make a clearer separation of which part of the buffer should be used for TX & RX. Fixes: af3008485ea03 ("iio:adc: Add common code for ADI Sigma Delta devices") Signed-off-by: Lars-Peter Clausen <lars(a)metafoo.de> Signed-off-by: Alexandru Ardelean <alexandru.ardelean(a)analog.com> Link: https://lore.kernel.org/r/20201124123807.19717-1-alexandru.ardelean@analog.… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad_sigma_delta.c | 18 ++++++++---------- include/linux/iio/adc/ad_sigma_delta.h | 6 +++++- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c index 86039e9ecaca..3a6f239d4acc 100644 --- a/drivers/iio/adc/ad_sigma_delta.c +++ b/drivers/iio/adc/ad_sigma_delta.c @@ -57,7 +57,7 @@ EXPORT_SYMBOL_GPL(ad_sd_set_comm); int ad_sd_write_reg(struct ad_sigma_delta *sigma_delta, unsigned int reg, unsigned int size, unsigned int val) { - uint8_t *data = sigma_delta->data; + uint8_t *data = sigma_delta->tx_buf; struct spi_transfer t = { .tx_buf = data, .len = size + 1, @@ -99,7 +99,7 @@ EXPORT_SYMBOL_GPL(ad_sd_write_reg); static int ad_sd_read_reg_raw(struct ad_sigma_delta *sigma_delta, unsigned int reg, unsigned int size, uint8_t *val) { - uint8_t *data = sigma_delta->data; + uint8_t *data = sigma_delta->tx_buf; int ret; struct spi_transfer t[] = { { @@ -146,22 +146,22 @@ int ad_sd_read_reg(struct ad_sigma_delta *sigma_delta, { int ret; - ret = ad_sd_read_reg_raw(sigma_delta, reg, size, sigma_delta->data); + ret = ad_sd_read_reg_raw(sigma_delta, reg, size, sigma_delta->rx_buf); if (ret < 0) goto out; switch (size) { case 4: - *val = get_unaligned_be32(sigma_delta->data); + *val = get_unaligned_be32(sigma_delta->rx_buf); break; case 3: - *val = get_unaligned_be24(&sigma_delta->data[0]); + *val = get_unaligned_be24(sigma_delta->rx_buf); break; case 2: - *val = get_unaligned_be16(sigma_delta->data); + *val = get_unaligned_be16(sigma_delta->rx_buf); break; case 1: - *val = sigma_delta->data[0]; + *val = sigma_delta->rx_buf[0]; break; default: ret = -EINVAL; @@ -395,11 +395,9 @@ static irqreturn_t ad_sd_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct ad_sigma_delta *sigma_delta = iio_device_get_drvdata(indio_dev); + uint8_t *data = sigma_delta->rx_buf; unsigned int reg_size; unsigned int data_reg; - uint8_t data[16]; - - memset(data, 0x00, 16); reg_size = indio_dev->channels[0].scan_type.realbits + indio_dev->channels[0].scan_type.shift; diff --git a/include/linux/iio/adc/ad_sigma_delta.h b/include/linux/iio/adc/ad_sigma_delta.h index a3a838dcf8e4..7199280d89ca 100644 --- a/include/linux/iio/adc/ad_sigma_delta.h +++ b/include/linux/iio/adc/ad_sigma_delta.h @@ -79,8 +79,12 @@ struct ad_sigma_delta { /* * DMA (thus cache coherency maintenance) requires the * transfer buffers to live in their own cache lines. + * 'tx_buf' is up to 32 bits. + * 'rx_buf' is up to 32 bits per sample + 64 bit timestamp, + * rounded to 16 bytes to take into account padding. */ - uint8_t data[4] ____cacheline_aligned; + uint8_t tx_buf[4] ____cacheline_aligned; + uint8_t rx_buf[16] __aligned(8); }; static inline int ad_sigma_delta_set_channel(struct ad_sigma_delta *sd, -- 2.29.2

3 years, 7 months

1
0
0 0

patch "of: fix linker-section match-table corruption" added to driver-core-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled of: fix linker-section match-table corruption to my driver-core git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git in the driver-core-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 5812b32e01c6d86ba7a84110702b46d8a8531fe9 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan(a)kernel.org> Date: Mon, 23 Nov 2020 11:23:12 +0100 Subject: of: fix linker-section match-table corruption Specify type alignment when declaring linker-section match-table entries to prevent gcc from increasing alignment and corrupting the various tables with padding (e.g. timers, irqchips, clocks, reserved memory). This is specifically needed on x86 where gcc (typically) aligns larger objects like struct of_device_id with static extent on 32-byte boundaries which at best prevents matching on anything but the first entry. Specifying alignment when declaring variables suppresses this optimisation. Here's a 64-bit example where all entries are corrupt as 16 bytes of padding has been inserted before the first entry: ffffffff8266b4b0 D __clk_of_table ffffffff8266b4c0 d __of_table_fixed_factor_clk ffffffff8266b5a0 d __of_table_fixed_clk ffffffff8266b680 d __clk_of_table_sentinel And here's a 32-bit example where the 8-byte-aligned table happens to be placed on a 32-byte boundary so that all but the first entry are corrupt due to the 28 bytes of padding inserted between entries: 812b3ec0 D __irqchip_of_table 812b3ec0 d __of_table_irqchip1 812b3fa0 d __of_table_irqchip2 812b4080 d __of_table_irqchip3 812b4160 d irqchip_of_match_end Verified on x86 using gcc-9.3 and gcc-4.9 (which uses 64-byte alignment), and on arm using gcc-7.2. Note that there are no in-tree users of these tables on x86 currently (even if they are included in the image). Fixes: 54196ccbe0ba ("of: consolidate linker section OF match table declarations") Fixes: f6e916b82022 ("irqchip: add basic infrastructure") Cc: stable <stable(a)vger.kernel.org> # 3.9 Signed-off-by: Johan Hovold <johan(a)kernel.org> Link: https://lore.kernel.org/r/20201123102319.8090-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- include/linux/of.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/linux/of.h b/include/linux/of.h index 5d51891cbf1a..af655d264f10 100644 --- a/include/linux/of.h +++ b/include/linux/of.h @@ -1300,6 +1300,7 @@ static inline int of_get_available_child_count(const struct device_node *np) #define _OF_DECLARE(table, name, compat, fn, fn_type) \ static const struct of_device_id __of_table_##name \ __used __section("__" #table "_of_table") \ + __aligned(__alignof__(struct of_device_id)) \ = { .compatible = compat, \ .data = (fn == (fn_type)NULL) ? fn : fn } #else -- 2.29.2

3 years, 7 months

1
0
0 0

Backport 666224b43b4b to 4.19-stable

by Lukas Wunner

Hi Greg, commit 666224b43b4b ("spi: bcm2835: Release the DMA channel if probe fails after dma_init") was not marked for stable but really should have been. Here's a backport for 4.19: -- >8 -- From: Peter Ujfalusi <peter.ujfalusi(a)ti.com> Date: Thu, 12 Dec 2019 15:55:43 +0200 Subject: [PATCH] spi: bcm2835: Release the DMA channel if probe fails after dma_init [ Upstream commit 666224b43b4bd4612ce3b758c038f9bc5c5e3fcb ] The DMA channel was not released if either devm_request_irq() or devm_spi_register_controller() failed. Signed-off-by: Peter Ujfalusi <peter.ujfalusi(a)ti.com> Reviewed-by: Nicolas Saenz Julienne <nsaenzjulienne(a)suse.de> Link: https://lore.kernel.org/r/20191212135550.4634-3-peter.ujfalusi@ti.com Signed-off-by: Mark Brown <broonie(a)kernel.org> [lukas: backport to 4.19-stable] Signed-off-by: Lukas Wunner <lukas(a)wunner.de> --- drivers/spi/spi-bcm2835.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c index 2908df35466f..6824beae18e4 100644 --- a/drivers/spi/spi-bcm2835.c +++ b/drivers/spi/spi-bcm2835.c @@ -787,18 +787,19 @@ static int bcm2835_spi_probe(struct platform_device *pdev) dev_name(&pdev->dev), master); if (err) { dev_err(&pdev->dev, "could not request IRQ: %d\n", err); - goto out_clk_disable; + goto out_dma_release; } err = spi_register_master(master); if (err) { dev_err(&pdev->dev, "could not register SPI master: %d\n", err); - goto out_clk_disable; + goto out_dma_release; } return 0; -out_clk_disable: +out_dma_release: + bcm2835_dma_release(master); clk_disable_unprepare(bs->clk); return err; } -- 2.29.2

3 years, 7 months

1
0
0 0

[PATCH v2] ALSA: hda/realtek: make bass spk volume adjustable on a yoga laptop

by Hui Wang

This change could fix 2 issues on this machine: - the bass speaker's output volume can't be adjusted, that is because the bass speaker is routed to the DAC (Nid 0x6) which has no volume control. - after plugging a headset with vol+, vol- and pause buttons on it, press those buttons, nothing happens, this means those buttons don't work at all. This machine has alc287 codec, need to add the codec id to the disable/enable_headset_jack_key(), then the headset button could work. The quirk of ALC285_FIXUP_THINKPAD_HEADSET_JACK could fix both of these 2 issues. Cc: <stable(a)vger.kernel.org> Signed-off-by: Hui Wang <hui.wang(a)canonical.com> --- sound/pci/hda/patch_realtek.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 8616c5624870..5a905fa1b33a 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -3104,6 +3104,7 @@ static void alc_disable_headset_jack_key(struct hda_codec *codec) case 0x10ec0215: case 0x10ec0225: case 0x10ec0285: + case 0x10ec0287: case 0x10ec0295: case 0x10ec0289: case 0x10ec0299: @@ -3130,6 +3131,7 @@ static void alc_enable_headset_jack_key(struct hda_codec *codec) case 0x10ec0215: case 0x10ec0225: case 0x10ec0285: + case 0x10ec0287: case 0x10ec0295: case 0x10ec0289: case 0x10ec0299: @@ -8578,6 +8580,11 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { {0x14, 0x90170110}, {0x19, 0x04a11040}, {0x21, 0x04211020}), + SND_HDA_PIN_QUIRK(0x10ec0287, 0x17aa, "Lenovo", ALC285_FIXUP_THINKPAD_HEADSET_JACK, + {0x14, 0x90170110}, + {0x17, 0x90170111}, + {0x19, 0x03a11030}, + {0x21, 0x03211020}), SND_HDA_PIN_QUIRK(0x10ec0286, 0x1025, "Acer", ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE, {0x12, 0x90a60130}, {0x17, 0x90170110}, -- 2.25.1

3 years, 7 months

2
1
0 0

+ proc-use-untagged_addr-for-pagemap_read-addresses.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: proc: use untagged_addr() for pagemap_read addresses has been added to the -mm tree. Its filename is proc-use-untagged_addr-for-pagemap_read-addresses.patch This patch should soon appear at https://ozlabs.org/~akpm/mmots/broken-out/proc-use-untagged_addr-for-pagema… and later at https://ozlabs.org/~akpm/mmotm/broken-out/proc-use-untagged_addr-for-pagema… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Miles Chen <miles.chen(a)mediatek.com> Subject: proc: use untagged_addr() for pagemap_read addresses When we try to visit the pagemap of a tagged userspace pointer, we find that the start_vaddr is not correct because of the tag. To fix it, we should untag the userspace pointers in pagemap_read(). I tested with 5.10-rc4 and the issue remains. Explanation from Catalin in [1]: :Arguably, that's a user-space bug since tagged file offsets were never :supported. In this case it's not even a tag at bit 56 as per the arm64 :tagged address ABI but rather down to bit 47. You could say that the :problem is caused by the C library (malloc()) or whoever created the :tagged vaddr and passed it to this function. It's not a kernel :regression as we've never supported it. : :Now, pagemap is a special case where the offset is usually not generated :as a classic file offset but rather derived by shifting a user virtual :address. I guess we can make a concession for pagemap (only) and allow :such offset with the tag at bit (56 - PAGE_SHIFT + 3). My test code is based on [2]: A userspace pointer which has been tagged by 0xb4: 0xb400007662f541c8 === userspace program === uint64 OsLayer::VirtualToPhysical(void *vaddr) { uint64 frame, paddr, pfnmask, pagemask; int pagesize = sysconf(_SC_PAGESIZE); off64_t off = ((uintptr_t)vaddr) / pagesize * 8; // off = 0xb400007662f541c8 / pagesize * 8 = 0x5a00003b317aa0 int fd = open(kPagemapPath, O_RDONLY); ... if (lseek64(fd, off, SEEK_SET) != off || read(fd, &frame, 8) != 8) { int err = errno; string errtxt = ErrorString(err); if (fd >= 0) close(fd); return 0; } ... } === kernel fs/proc/task_mmu.c === static ssize_t pagemap_read(struct file *file, char __user *buf, size_t count, loff_t *ppos) { ... src = *ppos; svpfn = src / PM_ENTRY_BYTES; // svpfn == 0xb400007662f54 start_vaddr = svpfn << PAGE_SHIFT; // start_vaddr == 0xb400007662f54000 end_vaddr = mm->task_size; /* watch out for wraparound */ // svpfn == 0xb400007662f54 // (mm->task_size >> PAGE) == 0x8000000 if (svpfn > mm->task_size >> PAGE_SHIFT) // the condition is true because of the tag 0xb4 start_vaddr = end_vaddr; ret = 0; while (count && (start_vaddr < end_vaddr)) { // we cannot visit correct entry because start_vaddr is set to end_vaddr int len; unsigned long end; ... } ... } [1] https://lore.kernel.org/patchwork/patch/1343258/ [2] https://github.com/stressapptest/stressapptest/blob/master/src/os.cc#L158 Link: https://lkml.kernel.org/r/20201204024347.8295-1-miles.chen@mediatek.com Signed-off-by: Miles Chen <miles.chen(a)mediatek.com> Reviewed-by: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Reviewed-by: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Alexey Dobriyan <adobriyan(a)gmail.com> Cc: Andrey Konovalov <andreyknvl(a)google.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: Andrey Ryabinin <aryabinin(a)virtuozzo.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Marco Elver <elver(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: Eric W. Biederman <ebiederm(a)xmission.com> Cc: Song Bao Hua (Barry Song) <song.bao.hua(a)hisilicon.com> Cc: <stable(a)vger.kernel.org> [5.4-] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/fs/proc/task_mmu.c~proc-use-untagged_addr-for-pagemap_read-addresses +++ a/fs/proc/task_mmu.c @@ -1599,11 +1599,15 @@ static ssize_t pagemap_read(struct file src = *ppos; svpfn = src / PM_ENTRY_BYTES; - start_vaddr = svpfn << PAGE_SHIFT; end_vaddr = mm->task_size; /* watch out for wraparound */ - if (svpfn > mm->task_size >> PAGE_SHIFT) + start_vaddr = end_vaddr; + if (svpfn <= (ULONG_MAX >> PAGE_SHIFT)) + start_vaddr = untagged_addr(svpfn << PAGE_SHIFT); + + /* Ensure the address is inside the task */ + if (start_vaddr > mm->task_size) start_vaddr = end_vaddr; /* _ Patches currently in -mm which might be from miles.chen(a)mediatek.com are proc-use-untagged_addr-for-pagemap_read-addresses.patch

3 years, 7 months

1
0
0 0

[to-be-updated] proc-use-untagged_addr-for-pagemap_read-addresses.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: proc: use untagged_addr() for pagemap_read addresses has been removed from the -mm tree. Its filename was proc-use-untagged_addr-for-pagemap_read-addresses.patch This patch was dropped because an updated version will be merged ------------------------------------------------------ From: Miles Chen <miles.chen(a)mediatek.com> Subject: proc: use untagged_addr() for pagemap_read addresses When we try to visit the pagemap of a tagged userspace pointer, we find that the start_vaddr is not correct because of the tag. To fix it, we should untag the usespace pointers in pagemap_read(). I tested with 5.10-rc4 and the issue remains. Explanation from Catalin in [1]: : Arguably, that's a user-space bug since tagged file offsets were never : supported. In this case it's not even a tag at bit 56 as per the arm64 : tagged address ABI but rather down to bit 47. You could say that the : problem is caused by the C library (malloc()) or whoever created the : tagged vaddr and passed it to this function. It's not a kernel regression : as we've never supported it. : : Now, pagemap is a special case where the offset is usually not generated : as a classic file offset but rather derived by shifting a user virtual : address. I guess we can make a concession for pagemap (only) and allow : such offset with the tag at bit (56 - PAGE_SHIFT + 3). My test code is baed on [2]: A userspace pointer which has been tagged by 0xb4: 0xb400007662f541c8 === userspace program === uint64 OsLayer::VirtualToPhysical(void *vaddr) { uint64 frame, paddr, pfnmask, pagemask; int pagesize = sysconf(_SC_PAGESIZE); off64_t off = ((uintptr_t)vaddr) / pagesize * 8; // off = 0xb400007662f541c8 / pagesize * 8 = 0x5a00003b317aa0 int fd = open(kPagemapPath, O_RDONLY); ... if (lseek64(fd, off, SEEK_SET) != off || read(fd, &frame, 8) != 8) { int err = errno; string errtxt = ErrorString(err); if (fd >= 0) close(fd); return 0; } ... } === kernel fs/proc/task_mmu.c === static ssize_t pagemap_read(struct file *file, char __user *buf, size_t count, loff_t *ppos) { ... src = *ppos; svpfn = src / PM_ENTRY_BYTES; // svpfn == 0xb400007662f54 start_vaddr = svpfn << PAGE_SHIFT; // start_vaddr == 0xb400007662f54000 end_vaddr = mm->task_size; /* watch out for wraparound */ // svpfn == 0xb400007662f54 // (mm->task_size >> PAGE) == 0x8000000 if (svpfn > mm->task_size >> PAGE_SHIFT) // the condition is true because of the tag 0xb4 start_vaddr = end_vaddr; ret = 0; while (count && (start_vaddr < end_vaddr)) { // we cannot visit correct entry because start_vaddr is set to end_vaddr int len; unsigned long end; ... } ... } [1] https://lore.kernel.org/patchwork/patch/1343258/ [2] https://github.com/stressapptest/stressapptest/blob/master/src/os.cc#L158 Link: https://lkml.kernel.org/r/20201127050738.14440-1-miles.chen@mediatek.com Signed-off-by: Miles Chen <miles.chen(a)mediatek.com> Reviewed-by: Catalin Marinas <catalin.marinas(a)arm.com> Reviewed-by: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: Alexey Dobriyan <adobriyan(a)gmail.com> Cc: Andrey Konovalov <andreyknvl(a)google.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Ryabinin <aryabinin(a)virtuozzo.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Marco Elver <elver(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: Eric W. Biederman <ebiederm(a)xmission.com> Cc: Song Bao Hua (Barry Song) <song.bao.hua(a)hisilicon.com> Cc: <stable(a)vger.kernel.org> [5.4+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/fs/proc/task_mmu.c~proc-use-untagged_addr-for-pagemap_read-addresses +++ a/fs/proc/task_mmu.c @@ -1599,11 +1599,15 @@ static ssize_t pagemap_read(struct file src = *ppos; svpfn = src / PM_ENTRY_BYTES; - start_vaddr = svpfn << PAGE_SHIFT; end_vaddr = mm->task_size; /* watch out for wraparound */ - if (svpfn > mm->task_size >> PAGE_SHIFT) + start_vaddr = end_vaddr; + if (svpfn < (ULONG_MAX >> PAGE_SHIFT)) + start_vaddr = untagged_addr(svpfn << PAGE_SHIFT); + + /* Ensure the address is inside the task */ + if (start_vaddr > mm->task_size) start_vaddr = end_vaddr; /* _ Patches currently in -mm which might be from miles.chen(a)mediatek.com are

3 years, 7 months

1
0
0 0

[PATCH] ALSA: hda/realtek: make bass spk volume adjustable on a yoga laptop

by Hui Wang

This also make the headset button work on this machine. Cc: <stable(a)vger.kernel.org> Signed-off-by: Hui Wang <hui.wang(a)canonical.com> --- sound/pci/hda/patch_realtek.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 8616c5624870..5a905fa1b33a 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -3104,6 +3104,7 @@ static void alc_disable_headset_jack_key(struct hda_codec *codec) case 0x10ec0215: case 0x10ec0225: case 0x10ec0285: + case 0x10ec0287: case 0x10ec0295: case 0x10ec0289: case 0x10ec0299: @@ -3130,6 +3131,7 @@ static void alc_enable_headset_jack_key(struct hda_codec *codec) case 0x10ec0215: case 0x10ec0225: case 0x10ec0285: + case 0x10ec0287: case 0x10ec0295: case 0x10ec0289: case 0x10ec0299: @@ -8578,6 +8580,11 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { {0x14, 0x90170110}, {0x19, 0x04a11040}, {0x21, 0x04211020}), + SND_HDA_PIN_QUIRK(0x10ec0287, 0x17aa, "Lenovo", ALC285_FIXUP_THINKPAD_HEADSET_JACK, + {0x14, 0x90170110}, + {0x17, 0x90170111}, + {0x19, 0x03a11030}, + {0x21, 0x03211020}), SND_HDA_PIN_QUIRK(0x10ec0286, 0x1025, "Acer", ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE, {0x12, 0x90a60130}, {0x17, 0x90170110}, -- 2.25.1

3 years, 7 months

2
2
0 0

Re: [PATCH v2] regulatx DLDO2 voltage control register mask for AXP22x

by Mark Brown

On Thu, Dec 03, 2020 at 12:04:05AM +0800, dinghua ma wrote: > I sent a new email. I don’t know if you received it. The subject is "[PATCH > v3] regulator: axp20x: Fix DLDO2 voltage control register mask for AXP22x" No, no sign. You can check if things are at least hitting the list at: https://lore.kernel.org/lkml/

3 years, 7 months

2
4
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror December 2020