diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2017-10-03 11:27:50 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2017-10-03 11:27:50 -0400 |
| commit | 3a98be090601398395e2bf04b949394a0fa03244 (patch) | |
| tree | 8d21bb999f1fd01114eaa07541d655845c5d4627 | |
| parent | 9e66317d3c92ddaab330c125dfe9d06eee268aff (diff) | |
| parent | 549e658a0919e355a2b2144dc380b3729bef7f3e (diff) | |
Merge tag 'char-misc-4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
Pull char/misc fixes from Greg KH:
"Here are a handful of char/misc driver fixes for 4.14-rc4.
Nothing major, some binder fixups, hyperv fixes, and other tiny
things.
All of these have been sitting in my tree for way too long, sorry for
the delay in getting them to you. All have been in linux-next for a
few weeks, and despite some people's feeling about if linux-next
actually tests things, I think it's a good "soak test" for patches"
* tag 'char-misc-4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
Drivers: hv: fcopy: restore correct transfer length
vmbus: don't acquire the mutex in vmbus_hvsock_device_unregister()
intel_th: pci: Add Lewisburg PCH support
intel_th: pci: Add Cedar Fork PCH support
stm class: Fix a use-after-free
nvmem: add missing of_node_put() in of_nvmem_cell_get()
nvmem: core: return EFBIG on out-of-range write
auxdisplay: charlcd: properly restore atomic counter on error path
binder: fix memory corruption in binder_transaction binder
binder: fix an ret value override
android: binder: fix type mismatch warning
| -rw-r--r-- | drivers/android/binder.c | 8 | ||||
| -rw-r--r-- | drivers/auxdisplay/charlcd.c | 11 | ||||
| -rw-r--r-- | drivers/auxdisplay/panel.c | 11 | ||||
| -rw-r--r-- | drivers/hv/channel_mgmt.c | 4 | ||||
| -rw-r--r-- | drivers/hv/hv_fcopy.c | 4 | ||||
| -rw-r--r-- | drivers/hwtracing/intel_th/pci.c | 10 | ||||
| -rw-r--r-- | drivers/hwtracing/stm/core.c | 2 | ||||
| -rw-r--r-- | drivers/nvmem/core.c | 3 |
8 files changed, 39 insertions, 14 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index d055b3f2a207..ab34239a76ee 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c | |||
| @@ -2217,7 +2217,7 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, | |||
| 2217 | debug_id, (u64)fda->num_fds); | 2217 | debug_id, (u64)fda->num_fds); |
| 2218 | continue; | 2218 | continue; |
| 2219 | } | 2219 | } |
| 2220 | fd_array = (u32 *)(parent_buffer + fda->parent_offset); | 2220 | fd_array = (u32 *)(parent_buffer + (uintptr_t)fda->parent_offset); |
| 2221 | for (fd_index = 0; fd_index < fda->num_fds; fd_index++) | 2221 | for (fd_index = 0; fd_index < fda->num_fds; fd_index++) |
| 2222 | task_close_fd(proc, fd_array[fd_index]); | 2222 | task_close_fd(proc, fd_array[fd_index]); |
| 2223 | } break; | 2223 | } break; |
| @@ -2326,7 +2326,6 @@ static int binder_translate_handle(struct flat_binder_object *fp, | |||
| 2326 | (u64)node->ptr); | 2326 | (u64)node->ptr); |
| 2327 | binder_node_unlock(node); | 2327 | binder_node_unlock(node); |
| 2328 | } else { | 2328 | } else { |
| 2329 | int ret; | ||
| 2330 | struct binder_ref_data dest_rdata; | 2329 | struct binder_ref_data dest_rdata; |
| 2331 | 2330 | ||
| 2332 | binder_node_unlock(node); | 2331 | binder_node_unlock(node); |
| @@ -2442,7 +2441,7 @@ static int binder_translate_fd_array(struct binder_fd_array_object *fda, | |||
| 2442 | */ | 2441 | */ |
| 2443 | parent_buffer = parent->buffer - | 2442 | parent_buffer = parent->buffer - |
| 2444 | binder_alloc_get_user_buffer_offset(&target_proc->alloc); | 2443 | binder_alloc_get_user_buffer_offset(&target_proc->alloc); |
| 2445 | fd_array = (u32 *)(parent_buffer + fda->parent_offset); | 2444 | fd_array = (u32 *)(parent_buffer + (uintptr_t)fda->parent_offset); |
| 2446 | if (!IS_ALIGNED((unsigned long)fd_array, sizeof(u32))) { | 2445 | if (!IS_ALIGNED((unsigned long)fd_array, sizeof(u32))) { |
| 2447 | binder_user_error("%d:%d parent offset not aligned correctly.\n", | 2446 | binder_user_error("%d:%d parent offset not aligned correctly.\n", |
| 2448 | proc->pid, thread->pid); | 2447 | proc->pid, thread->pid); |
| @@ -2508,7 +2507,7 @@ static int binder_fixup_parent(struct binder_transaction *t, | |||
| 2508 | proc->pid, thread->pid); | 2507 | proc->pid, thread->pid); |
| 2509 | return -EINVAL; | 2508 | return -EINVAL; |
| 2510 | } | 2509 | } |
| 2511 | parent_buffer = (u8 *)(parent->buffer - | 2510 | parent_buffer = (u8 *)((uintptr_t)parent->buffer - |
| 2512 | binder_alloc_get_user_buffer_offset( | 2511 | binder_alloc_get_user_buffer_offset( |
| 2513 | &target_proc->alloc)); | 2512 | &target_proc->alloc)); |
| 2514 | *(binder_uintptr_t *)(parent_buffer + bp->parent_offset) = bp->buffer; | 2513 | *(binder_uintptr_t *)(parent_buffer + bp->parent_offset) = bp->buffer; |
| @@ -3083,6 +3082,7 @@ static void binder_transaction(struct binder_proc *proc, | |||
| 3083 | err_dead_proc_or_thread: | 3082 | err_dead_proc_or_thread: |
| 3084 | return_error = BR_DEAD_REPLY; | 3083 | return_error = BR_DEAD_REPLY; |
| 3085 | return_error_line = __LINE__; | 3084 | return_error_line = __LINE__; |
| 3085 | binder_dequeue_work(proc, tcomplete); | ||
| 3086 | err_translate_failed: | 3086 | err_translate_failed: |
| 3087 | err_bad_object_type: | 3087 | err_bad_object_type: |
| 3088 | err_bad_offset: | 3088 | err_bad_offset: |
diff --git a/drivers/auxdisplay/charlcd.c b/drivers/auxdisplay/charlcd.c index cfeb049a01ef..642afd88870b 100644 --- a/drivers/auxdisplay/charlcd.c +++ b/drivers/auxdisplay/charlcd.c | |||
| @@ -647,18 +647,25 @@ static ssize_t charlcd_write(struct file *file, const char __user *buf, | |||
| 647 | static int charlcd_open(struct inode *inode, struct file *file) | 647 | static int charlcd_open(struct inode *inode, struct file *file) |
| 648 | { | 648 | { |
| 649 | struct charlcd_priv *priv = to_priv(the_charlcd); | 649 | struct charlcd_priv *priv = to_priv(the_charlcd); |
| 650 | int ret; | ||
| 650 | 651 | ||
| 652 | ret = -EBUSY; | ||
| 651 | if (!atomic_dec_and_test(&charlcd_available)) | 653 | if (!atomic_dec_and_test(&charlcd_available)) |
| 652 | return -EBUSY; /* open only once at a time */ | 654 | goto fail; /* open only once at a time */ |
| 653 | 655 | ||
| 656 | ret = -EPERM; | ||
| 654 | if (file->f_mode & FMODE_READ) /* device is write-only */ | 657 | if (file->f_mode & FMODE_READ) /* device is write-only */ |
| 655 | return -EPERM; | 658 | goto fail; |
| 656 | 659 | ||
| 657 | if (priv->must_clear) { | 660 | if (priv->must_clear) { |
| 658 | charlcd_clear_display(&priv->lcd); | 661 | charlcd_clear_display(&priv->lcd); |
| 659 | priv->must_clear = false; | 662 | priv->must_clear = false; |
| 660 | } | 663 | } |
| 661 | return nonseekable_open(inode, file); | 664 | return nonseekable_open(inode, file); |
| 665 | |||
| 666 | fail: | ||
| 667 | atomic_inc(&charlcd_available); | ||
| 668 | return ret; | ||
| 662 | } | 669 | } |
| 663 | 670 | ||
| 664 | static int charlcd_release(struct inode *inode, struct file *file) | 671 | static int charlcd_release(struct inode *inode, struct file *file) |
diff --git a/drivers/auxdisplay/panel.c b/drivers/auxdisplay/panel.c index df126dcdaf18..6911acd896d9 100644 --- a/drivers/auxdisplay/panel.c +++ b/drivers/auxdisplay/panel.c | |||
| @@ -1105,14 +1105,21 @@ static ssize_t keypad_read(struct file *file, | |||
| 1105 | 1105 | ||
| 1106 | static int keypad_open(struct inode *inode, struct file *file) | 1106 | static int keypad_open(struct inode *inode, struct file *file) |
| 1107 | { | 1107 | { |
| 1108 | int ret; | ||
| 1109 | |||
| 1110 | ret = -EBUSY; | ||
| 1108 | if (!atomic_dec_and_test(&keypad_available)) | 1111 | if (!atomic_dec_and_test(&keypad_available)) |
| 1109 | return -EBUSY; /* open only once at a time */ | 1112 | goto fail; /* open only once at a time */ |
| 1110 | 1113 | ||
| 1114 | ret = -EPERM; | ||
| 1111 | if (file->f_mode & FMODE_WRITE) /* device is read-only */ | 1115 | if (file->f_mode & FMODE_WRITE) /* device is read-only */ |
| 1112 | return -EPERM; | 1116 | goto fail; |
| 1113 | 1117 | ||
| 1114 | keypad_buflen = 0; /* flush the buffer on opening */ | 1118 | keypad_buflen = 0; /* flush the buffer on opening */ |
| 1115 | return 0; | 1119 | return 0; |
| 1120 | fail: | ||
| 1121 | atomic_inc(&keypad_available); | ||
| 1122 | return ret; | ||
| 1116 | } | 1123 | } |
| 1117 | 1124 | ||
| 1118 | static int keypad_release(struct inode *inode, struct file *file) | 1125 | static int keypad_release(struct inode *inode, struct file *file) |
diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c index 060df71c2e8b..bcbb031f7263 100644 --- a/drivers/hv/channel_mgmt.c +++ b/drivers/hv/channel_mgmt.c | |||
| @@ -936,14 +936,10 @@ static void vmbus_onoffer_rescind(struct vmbus_channel_message_header *hdr) | |||
| 936 | 936 | ||
| 937 | void vmbus_hvsock_device_unregister(struct vmbus_channel *channel) | 937 | void vmbus_hvsock_device_unregister(struct vmbus_channel *channel) |
| 938 | { | 938 | { |
| 939 | mutex_lock(&vmbus_connection.channel_mutex); | ||
| 940 | |||
| 941 | BUG_ON(!is_hvsock_channel(channel)); | 939 | BUG_ON(!is_hvsock_channel(channel)); |
| 942 | 940 | ||
| 943 | channel->rescind = true; | 941 | channel->rescind = true; |
| 944 | vmbus_device_unregister(channel->device_obj); | 942 | vmbus_device_unregister(channel->device_obj); |
| 945 | |||
| 946 | mutex_unlock(&vmbus_connection.channel_mutex); | ||
| 947 | } | 943 | } |
| 948 | EXPORT_SYMBOL_GPL(vmbus_hvsock_device_unregister); | 944 | EXPORT_SYMBOL_GPL(vmbus_hvsock_device_unregister); |
| 949 | 945 | ||
diff --git a/drivers/hv/hv_fcopy.c b/drivers/hv/hv_fcopy.c index daa75bd41f86..2364281d8593 100644 --- a/drivers/hv/hv_fcopy.c +++ b/drivers/hv/hv_fcopy.c | |||
| @@ -170,6 +170,10 @@ static void fcopy_send_data(struct work_struct *dummy) | |||
| 170 | out_src = smsg_out; | 170 | out_src = smsg_out; |
| 171 | break; | 171 | break; |
| 172 | 172 | ||
| 173 | case WRITE_TO_FILE: | ||
| 174 | out_src = fcopy_transaction.fcopy_msg; | ||
| 175 | out_len = sizeof(struct hv_do_fcopy); | ||
| 176 | break; | ||
| 173 | default: | 177 | default: |
| 174 | out_src = fcopy_transaction.fcopy_msg; | 178 | out_src = fcopy_transaction.fcopy_msg; |
| 175 | out_len = fcopy_transaction.recv_len; | 179 | out_len = fcopy_transaction.recv_len; |
diff --git a/drivers/hwtracing/intel_th/pci.c b/drivers/hwtracing/intel_th/pci.c index bc9cebc30526..c2a2ce8ee541 100644 --- a/drivers/hwtracing/intel_th/pci.c +++ b/drivers/hwtracing/intel_th/pci.c | |||
| @@ -144,6 +144,11 @@ static const struct pci_device_id intel_th_pci_id_table[] = { | |||
| 144 | .driver_data = (kernel_ulong_t)0, | 144 | .driver_data = (kernel_ulong_t)0, |
| 145 | }, | 145 | }, |
| 146 | { | 146 | { |
| 147 | /* Lewisburg PCH */ | ||
| 148 | PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa1a6), | ||
| 149 | .driver_data = (kernel_ulong_t)0, | ||
| 150 | }, | ||
| 151 | { | ||
| 147 | /* Gemini Lake */ | 152 | /* Gemini Lake */ |
| 148 | PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e), | 153 | PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e), |
| 149 | .driver_data = (kernel_ulong_t)&intel_th_2x, | 154 | .driver_data = (kernel_ulong_t)&intel_th_2x, |
| @@ -158,6 +163,11 @@ static const struct pci_device_id intel_th_pci_id_table[] = { | |||
| 158 | PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x9da6), | 163 | PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x9da6), |
| 159 | .driver_data = (kernel_ulong_t)&intel_th_2x, | 164 | .driver_data = (kernel_ulong_t)&intel_th_2x, |
| 160 | }, | 165 | }, |
| 166 | { | ||
| 167 | /* Cedar Fork PCH */ | ||
| 168 | PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x18e1), | ||
| 169 | .driver_data = (kernel_ulong_t)&intel_th_2x, | ||
| 170 | }, | ||
| 161 | { 0 }, | 171 | { 0 }, |
| 162 | }; | 172 | }; |
| 163 | 173 | ||
diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c index 9414900575d8..f129869e05a9 100644 --- a/drivers/hwtracing/stm/core.c +++ b/drivers/hwtracing/stm/core.c | |||
| @@ -1119,7 +1119,7 @@ void stm_source_unregister_device(struct stm_source_data *data) | |||
| 1119 | 1119 | ||
| 1120 | stm_source_link_drop(src); | 1120 | stm_source_link_drop(src); |
| 1121 | 1121 | ||
| 1122 | device_destroy(&stm_source_class, src->dev.devt); | 1122 | device_unregister(&src->dev); |
| 1123 | } | 1123 | } |
| 1124 | EXPORT_SYMBOL_GPL(stm_source_unregister_device); | 1124 | EXPORT_SYMBOL_GPL(stm_source_unregister_device); |
| 1125 | 1125 | ||
diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c index de54c7f5048a..d12e5de78e70 100644 --- a/drivers/nvmem/core.c +++ b/drivers/nvmem/core.c | |||
| @@ -135,7 +135,7 @@ static ssize_t bin_attr_nvmem_write(struct file *filp, struct kobject *kobj, | |||
| 135 | 135 | ||
| 136 | /* Stop the user from writing */ | 136 | /* Stop the user from writing */ |
| 137 | if (pos >= nvmem->size) | 137 | if (pos >= nvmem->size) |
| 138 | return 0; | 138 | return -EFBIG; |
| 139 | 139 | ||
| 140 | if (count < nvmem->word_size) | 140 | if (count < nvmem->word_size) |
| 141 | return -EINVAL; | 141 | return -EINVAL; |
| @@ -789,6 +789,7 @@ struct nvmem_cell *of_nvmem_cell_get(struct device_node *np, | |||
| 789 | return ERR_PTR(-EINVAL); | 789 | return ERR_PTR(-EINVAL); |
| 790 | 790 | ||
| 791 | nvmem = __nvmem_device_get(nvmem_np, NULL, NULL); | 791 | nvmem = __nvmem_device_get(nvmem_np, NULL, NULL); |
| 792 | of_node_put(nvmem_np); | ||
| 792 | if (IS_ERR(nvmem)) | 793 | if (IS_ERR(nvmem)) |
| 793 | return ERR_CAST(nvmem); | 794 | return ERR_CAST(nvmem); |
| 794 | 795 | ||