Char/Misc driver fixes for 5.4-rc3.

Here are some small char/misc driver fixes for 5.4-rc3.
 
 Nothing huge here.  Some binder driver fixes (although it is still being
 discussed if these all fix the reported issues or not, so more might be
 coming later), some mei device ids and fixes, and a google firmware
 driver bugfix that fixes a regression, as well as some other tiny fixes.
 
 All have been in linux-next with no reported issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCXaH5NQ8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ymBUACffYSpB3d5HLYX+Ytzg+SWX14X7uIAnRJkmcn9
 8lleiX86zTYyVpBwoQ7c
 =A7ZZ
 -----END PGP SIGNATURE-----

Merge tag 'char-misc-5.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char/misc driver fixes from Greg KH:
 "Here are some small char/misc driver fixes for 5.4-rc3.

  Nothing huge here. Some binder driver fixes (although it is still
  being discussed if these all fix the reported issues or not, so more
  might be coming later), some mei device ids and fixes, and a google
  firmware driver bugfix that fixes a regression, as well as some other
  tiny fixes.

  All have been in linux-next with no reported issues"

* tag 'char-misc-5.4-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  firmware: google: increment VPD key_len properly
  w1: ds250x: Fix build error without CRC16
  virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr
  binder: Fix comment headers on binder_alloc_prepare_to_free()
  binder: prevent UAF read in print_binder_transaction_log_entry()
  misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach
  mei: avoid FW version request on Ibex Peak and earlier
  mei: me: add comet point (lake) LP device ids
This commit is contained in:
Linus Torvalds 2019-10-12 15:47:19 -07:00
commit da94001239
13 changed files with 60 additions and 18 deletions

View File

@ -57,6 +57,7 @@
#include <linux/sched/signal.h> #include <linux/sched/signal.h>
#include <linux/sched/mm.h> #include <linux/sched/mm.h>
#include <linux/seq_file.h> #include <linux/seq_file.h>
#include <linux/string.h>
#include <linux/uaccess.h> #include <linux/uaccess.h>
#include <linux/pid_namespace.h> #include <linux/pid_namespace.h>
#include <linux/security.h> #include <linux/security.h>
@ -66,6 +67,7 @@
#include <linux/task_work.h> #include <linux/task_work.h>
#include <uapi/linux/android/binder.h> #include <uapi/linux/android/binder.h>
#include <uapi/linux/android/binderfs.h>
#include <asm/cacheflush.h> #include <asm/cacheflush.h>
@ -2876,7 +2878,7 @@ static void binder_transaction(struct binder_proc *proc,
e->target_handle = tr->target.handle; e->target_handle = tr->target.handle;
e->data_size = tr->data_size; e->data_size = tr->data_size;
e->offsets_size = tr->offsets_size; e->offsets_size = tr->offsets_size;
e->context_name = proc->context->name; strscpy(e->context_name, proc->context->name, BINDERFS_MAX_NAME);
if (reply) { if (reply) {
binder_inner_proc_lock(proc); binder_inner_proc_lock(proc);

View File

@ -156,7 +156,7 @@ static struct binder_buffer *binder_alloc_prepare_to_free_locked(
} }
/** /**
* binder_alloc_buffer_lookup() - get buffer given user ptr * binder_alloc_prepare_to_free() - get buffer given user ptr
* @alloc: binder_alloc for this proc * @alloc: binder_alloc for this proc
* @user_ptr: User pointer to buffer data * @user_ptr: User pointer to buffer data
* *

View File

@ -130,7 +130,7 @@ struct binder_transaction_log_entry {
int return_error_line; int return_error_line;
uint32_t return_error; uint32_t return_error;
uint32_t return_error_param; uint32_t return_error_param;
const char *context_name; char context_name[BINDERFS_MAX_NAME + 1];
}; };
struct binder_transaction_log { struct binder_transaction_log {

View File

@ -52,7 +52,7 @@ static int vpd_decode_entry(const u32 max_len, const u8 *input_buf,
if (max_len - consumed < *entry_len) if (max_len - consumed < *entry_len)
return VPD_FAIL; return VPD_FAIL;
consumed += decoded_len; consumed += *entry_len;
*_consumed = consumed; *_consumed = consumed;
return VPD_OK; return VPD_OK;
} }

View File

@ -527,6 +527,7 @@ static int fastrpc_dma_buf_attach(struct dma_buf *dmabuf,
FASTRPC_PHYS(buffer->phys), buffer->size); FASTRPC_PHYS(buffer->phys), buffer->size);
if (ret < 0) { if (ret < 0) {
dev_err(buffer->dev, "failed to get scatterlist from DMA API\n"); dev_err(buffer->dev, "failed to get scatterlist from DMA API\n");
kfree(a);
return -EINVAL; return -EINVAL;
} }

View File

@ -218,13 +218,21 @@ static void mei_mkhi_fix(struct mei_cl_device *cldev)
{ {
int ret; int ret;
/* No need to enable the client if nothing is needed from it */
if (!cldev->bus->fw_f_fw_ver_supported &&
!cldev->bus->hbm_f_os_supported)
return;
ret = mei_cldev_enable(cldev); ret = mei_cldev_enable(cldev);
if (ret) if (ret)
return; return;
ret = mei_fwver(cldev); if (cldev->bus->fw_f_fw_ver_supported) {
if (ret < 0) ret = mei_fwver(cldev);
dev_err(&cldev->dev, "FW version command failed %d\n", ret); if (ret < 0)
dev_err(&cldev->dev, "FW version command failed %d\n",
ret);
}
if (cldev->bus->hbm_f_os_supported) { if (cldev->bus->hbm_f_os_supported) {
ret = mei_osver(cldev); ret = mei_osver(cldev);

View File

@ -79,6 +79,9 @@
#define MEI_DEV_ID_CNP_H 0xA360 /* Cannon Point H */ #define MEI_DEV_ID_CNP_H 0xA360 /* Cannon Point H */
#define MEI_DEV_ID_CNP_H_4 0xA364 /* Cannon Point H 4 (iTouch) */ #define MEI_DEV_ID_CNP_H_4 0xA364 /* Cannon Point H 4 (iTouch) */
#define MEI_DEV_ID_CMP_LP 0x02e0 /* Comet Point LP */
#define MEI_DEV_ID_CMP_LP_3 0x02e4 /* Comet Point LP 3 (iTouch) */
#define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */ #define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */
#define MEI_DEV_ID_TGP_LP 0xA0E0 /* Tiger Lake Point LP */ #define MEI_DEV_ID_TGP_LP 0xA0E0 /* Tiger Lake Point LP */

View File

@ -1355,6 +1355,8 @@ static bool mei_me_fw_type_sps(struct pci_dev *pdev)
#define MEI_CFG_FW_SPS \ #define MEI_CFG_FW_SPS \
.quirk_probe = mei_me_fw_type_sps .quirk_probe = mei_me_fw_type_sps
#define MEI_CFG_FW_VER_SUPP \
.fw_ver_supported = 1
#define MEI_CFG_ICH_HFS \ #define MEI_CFG_ICH_HFS \
.fw_status.count = 0 .fw_status.count = 0
@ -1392,31 +1394,41 @@ static const struct mei_cfg mei_me_ich10_cfg = {
MEI_CFG_ICH10_HFS, MEI_CFG_ICH10_HFS,
}; };
/* PCH devices */ /* PCH6 devices */
static const struct mei_cfg mei_me_pch_cfg = { static const struct mei_cfg mei_me_pch6_cfg = {
MEI_CFG_PCH_HFS, MEI_CFG_PCH_HFS,
}; };
/* PCH7 devices */
static const struct mei_cfg mei_me_pch7_cfg = {
MEI_CFG_PCH_HFS,
MEI_CFG_FW_VER_SUPP,
};
/* PCH Cougar Point and Patsburg with quirk for Node Manager exclusion */ /* PCH Cougar Point and Patsburg with quirk for Node Manager exclusion */
static const struct mei_cfg mei_me_pch_cpt_pbg_cfg = { static const struct mei_cfg mei_me_pch_cpt_pbg_cfg = {
MEI_CFG_PCH_HFS, MEI_CFG_PCH_HFS,
MEI_CFG_FW_VER_SUPP,
MEI_CFG_FW_NM, MEI_CFG_FW_NM,
}; };
/* PCH8 Lynx Point and newer devices */ /* PCH8 Lynx Point and newer devices */
static const struct mei_cfg mei_me_pch8_cfg = { static const struct mei_cfg mei_me_pch8_cfg = {
MEI_CFG_PCH8_HFS, MEI_CFG_PCH8_HFS,
MEI_CFG_FW_VER_SUPP,
}; };
/* PCH8 Lynx Point with quirk for SPS Firmware exclusion */ /* PCH8 Lynx Point with quirk for SPS Firmware exclusion */
static const struct mei_cfg mei_me_pch8_sps_cfg = { static const struct mei_cfg mei_me_pch8_sps_cfg = {
MEI_CFG_PCH8_HFS, MEI_CFG_PCH8_HFS,
MEI_CFG_FW_VER_SUPP,
MEI_CFG_FW_SPS, MEI_CFG_FW_SPS,
}; };
/* Cannon Lake and newer devices */ /* Cannon Lake and newer devices */
static const struct mei_cfg mei_me_pch12_cfg = { static const struct mei_cfg mei_me_pch12_cfg = {
MEI_CFG_PCH8_HFS, MEI_CFG_PCH8_HFS,
MEI_CFG_FW_VER_SUPP,
MEI_CFG_DMA_128, MEI_CFG_DMA_128,
}; };
@ -1428,7 +1440,8 @@ static const struct mei_cfg *const mei_cfg_list[] = {
[MEI_ME_UNDEF_CFG] = NULL, [MEI_ME_UNDEF_CFG] = NULL,
[MEI_ME_ICH_CFG] = &mei_me_ich_cfg, [MEI_ME_ICH_CFG] = &mei_me_ich_cfg,
[MEI_ME_ICH10_CFG] = &mei_me_ich10_cfg, [MEI_ME_ICH10_CFG] = &mei_me_ich10_cfg,
[MEI_ME_PCH_CFG] = &mei_me_pch_cfg, [MEI_ME_PCH6_CFG] = &mei_me_pch6_cfg,
[MEI_ME_PCH7_CFG] = &mei_me_pch7_cfg,
[MEI_ME_PCH_CPT_PBG_CFG] = &mei_me_pch_cpt_pbg_cfg, [MEI_ME_PCH_CPT_PBG_CFG] = &mei_me_pch_cpt_pbg_cfg,
[MEI_ME_PCH8_CFG] = &mei_me_pch8_cfg, [MEI_ME_PCH8_CFG] = &mei_me_pch8_cfg,
[MEI_ME_PCH8_SPS_CFG] = &mei_me_pch8_sps_cfg, [MEI_ME_PCH8_SPS_CFG] = &mei_me_pch8_sps_cfg,
@ -1473,6 +1486,8 @@ struct mei_device *mei_me_dev_init(struct pci_dev *pdev,
mei_device_init(dev, &pdev->dev, &mei_me_hw_ops); mei_device_init(dev, &pdev->dev, &mei_me_hw_ops);
hw->cfg = cfg; hw->cfg = cfg;
dev->fw_f_fw_ver_supported = cfg->fw_ver_supported;
return dev; return dev;
} }

View File

@ -20,11 +20,13 @@
* @fw_status: FW status * @fw_status: FW status
* @quirk_probe: device exclusion quirk * @quirk_probe: device exclusion quirk
* @dma_size: device DMA buffers size * @dma_size: device DMA buffers size
* @fw_ver_supported: is fw version retrievable from FW
*/ */
struct mei_cfg { struct mei_cfg {
const struct mei_fw_status fw_status; const struct mei_fw_status fw_status;
bool (*quirk_probe)(struct pci_dev *pdev); bool (*quirk_probe)(struct pci_dev *pdev);
size_t dma_size[DMA_DSCR_NUM]; size_t dma_size[DMA_DSCR_NUM];
u32 fw_ver_supported:1;
}; };
@ -62,7 +64,8 @@ struct mei_me_hw {
* @MEI_ME_UNDEF_CFG: Lower sentinel. * @MEI_ME_UNDEF_CFG: Lower sentinel.
* @MEI_ME_ICH_CFG: I/O Controller Hub legacy devices. * @MEI_ME_ICH_CFG: I/O Controller Hub legacy devices.
* @MEI_ME_ICH10_CFG: I/O Controller Hub platforms Gen10 * @MEI_ME_ICH10_CFG: I/O Controller Hub platforms Gen10
* @MEI_ME_PCH_CFG: Platform Controller Hub platforms (Up to Gen8). * @MEI_ME_PCH6_CFG: Platform Controller Hub platforms (Gen6).
* @MEI_ME_PCH7_CFG: Platform Controller Hub platforms (Gen7).
* @MEI_ME_PCH_CPT_PBG_CFG:Platform Controller Hub workstations * @MEI_ME_PCH_CPT_PBG_CFG:Platform Controller Hub workstations
* with quirk for Node Manager exclusion. * with quirk for Node Manager exclusion.
* @MEI_ME_PCH8_CFG: Platform Controller Hub Gen8 and newer * @MEI_ME_PCH8_CFG: Platform Controller Hub Gen8 and newer
@ -77,7 +80,8 @@ enum mei_cfg_idx {
MEI_ME_UNDEF_CFG, MEI_ME_UNDEF_CFG,
MEI_ME_ICH_CFG, MEI_ME_ICH_CFG,
MEI_ME_ICH10_CFG, MEI_ME_ICH10_CFG,
MEI_ME_PCH_CFG, MEI_ME_PCH6_CFG,
MEI_ME_PCH7_CFG,
MEI_ME_PCH_CPT_PBG_CFG, MEI_ME_PCH_CPT_PBG_CFG,
MEI_ME_PCH8_CFG, MEI_ME_PCH8_CFG,
MEI_ME_PCH8_SPS_CFG, MEI_ME_PCH8_SPS_CFG,

View File

@ -426,6 +426,8 @@ struct mei_fw_version {
* *
* @fw_ver : FW versions * @fw_ver : FW versions
* *
* @fw_f_fw_ver_supported : fw feature: fw version supported
*
* @me_clients_rwsem: rw lock over me_clients list * @me_clients_rwsem: rw lock over me_clients list
* @me_clients : list of FW clients * @me_clients : list of FW clients
* @me_clients_map : FW clients bit map * @me_clients_map : FW clients bit map
@ -506,6 +508,8 @@ struct mei_device {
struct mei_fw_version fw_ver[MEI_MAX_FW_VER_BLOCKS]; struct mei_fw_version fw_ver[MEI_MAX_FW_VER_BLOCKS];
unsigned int fw_f_fw_ver_supported:1;
struct rw_semaphore me_clients_rwsem; struct rw_semaphore me_clients_rwsem;
struct list_head me_clients; struct list_head me_clients;
DECLARE_BITMAP(me_clients_map, MEI_CLIENTS_MAX); DECLARE_BITMAP(me_clients_map, MEI_CLIENTS_MAX);

View File

@ -61,13 +61,13 @@ static const struct pci_device_id mei_me_pci_tbl[] = {
{MEI_PCI_DEVICE(MEI_DEV_ID_ICH10_3, MEI_ME_ICH10_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_ICH10_3, MEI_ME_ICH10_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_ICH10_4, MEI_ME_ICH10_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_ICH10_4, MEI_ME_ICH10_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_IBXPK_1, MEI_ME_PCH_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_IBXPK_1, MEI_ME_PCH6_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_IBXPK_2, MEI_ME_PCH_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_IBXPK_2, MEI_ME_PCH6_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_CPT_1, MEI_ME_PCH_CPT_PBG_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_CPT_1, MEI_ME_PCH_CPT_PBG_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_PBG_1, MEI_ME_PCH_CPT_PBG_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_PBG_1, MEI_ME_PCH_CPT_PBG_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_PPT_1, MEI_ME_PCH_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_1, MEI_ME_PCH7_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_PPT_2, MEI_ME_PCH_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_2, MEI_ME_PCH7_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_PPT_3, MEI_ME_PCH_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_PPT_3, MEI_ME_PCH7_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_LPT_H, MEI_ME_PCH8_SPS_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_LPT_H, MEI_ME_PCH8_SPS_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_LPT_W, MEI_ME_PCH8_SPS_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_LPT_W, MEI_ME_PCH8_SPS_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_LPT_LP, MEI_ME_PCH8_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_LPT_LP, MEI_ME_PCH8_CFG)},
@ -96,6 +96,9 @@ static const struct pci_device_id mei_me_pci_tbl[] = {
{MEI_PCI_DEVICE(MEI_DEV_ID_CNP_H, MEI_ME_PCH12_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_CNP_H, MEI_ME_PCH12_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_CNP_H_4, MEI_ME_PCH8_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_CNP_H_4, MEI_ME_PCH8_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_CMP_LP, MEI_ME_PCH12_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_CMP_LP_3, MEI_ME_PCH8_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)},
{MEI_PCI_DEVICE(MEI_DEV_ID_TGP_LP, MEI_ME_PCH12_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_TGP_LP, MEI_ME_PCH12_CFG)},

View File

@ -220,6 +220,8 @@ static int hgcm_call_preprocess_linaddr(
if (!bounce_buf) if (!bounce_buf)
return -ENOMEM; return -ENOMEM;
*bounce_buf_ret = bounce_buf;
if (copy_in) { if (copy_in) {
ret = copy_from_user(bounce_buf, (void __user *)buf, len); ret = copy_from_user(bounce_buf, (void __user *)buf, len);
if (ret) if (ret)
@ -228,7 +230,6 @@ static int hgcm_call_preprocess_linaddr(
memset(bounce_buf, 0, len); memset(bounce_buf, 0, len);
} }
*bounce_buf_ret = bounce_buf;
hgcm_call_add_pagelist_size(bounce_buf, len, extra); hgcm_call_add_pagelist_size(bounce_buf, len, extra);
return 0; return 0;
} }

View File

@ -103,6 +103,7 @@ config W1_SLAVE_DS2438
config W1_SLAVE_DS250X config W1_SLAVE_DS250X
tristate "512b/1kb/16kb EPROM family support" tristate "512b/1kb/16kb EPROM family support"
select CRC16
help help
Say Y here if you want to use a 1-wire Say Y here if you want to use a 1-wire
512b/1kb/16kb EPROM family device (DS250x). 512b/1kb/16kb EPROM family device (DS250x).