Some functions consume more than allowed stack frame
size with KASan enabled and GCC warns it as an error.
To avoid compilation warning, allow larger stack frame
size when KASan is enabled instead of changing each file.
Below is one of the warning messages for reference.
kernel/net/wireless/nl80211.c: In function 'nl80211_send_wiphy':
kernel/net/wireless/nl80211.c:1705:1: warning: the frame size
of 5488 bytes is larger than 2048 bytes [-Wframe-larger-than=]
Change-Id: I953018f459bf048366f0ba5ff7c980edcd9bbe07
Signed-off-by: Se Wang (Patrick) Oh <sewango@codeaurora.org>
[satyap: trivial merge conflict resolution]
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
KASan marks slub objects as redzone and free and the bitmasks for
that region are not cleared until the pages are freed. When
CONFIG_PAGE_POISONING is enabled, as the pages still have special
bitmasks, a KASan report arises during pages poisoning. So mark the
pages as alloc status before poisoning the pages.
==================================================================
BUG: KASan: use after free in memset+0x24/0x44 at addr ffffffc0bb628000
Write of size 4096 by task kworker/u8:0/6
page:ffffffbacc51d900 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected
Call trace:
[<ffffffc00008c010>] dump_backtrace+0x0/0x250
[<ffffffc00008c270>] show_stack+0x10/0x1c
[<ffffffc001b6f9e4>] dump_stack+0x74/0xfc
[<ffffffc0002debf4>] kasan_report_error+0x2b0/0x408
[<ffffffc0002dee28>] kasan_report+0x34/0x40
[<ffffffc0002de240>] __asan_storeN+0x15c/0x168
[<ffffffc0002de47c>] memset+0x20/0x44
[<ffffffc0002d77bc>] kernel_map_pages+0x2e8/0x384
[<ffffffc000266458>] free_pages_prepare+0x340/0x3a0
[<ffffffc0002694cc>] __free_pages_ok+0x20/0x12c
[<ffffffc00026a698>] __free_pages+0x34/0x44
[<ffffffc00026ab3c>] __free_kmem_pages+0x8/0x14
[<ffffffc0002dc3fc>] kfree+0x114/0x254
[<ffffffc000b05748>] devres_free+0x48/0x5c
[<ffffffc000b05824>] devres_destroy+0x10/0x28
[<ffffffc000b05958>] devm_kfree+0x1c/0x3c
Memory state around the buggy address:
ffffffc0bb627f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffc0bb627f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffc0bb628000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffffffc0bb628080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffffffc0bb628100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
BUG: KASan: use after free in memset+0x24/0x44 at addr ffffffc0bb2fe000
Write of size 4096 by task swapper/0/1
page:ffffffbacc4fdec0 count:0 mapcount:0 mapping: (null) index:0xffffffc0bb2fe6a0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected
Call trace:
[<ffffffc00008c010>] dump_backtrace+0x0/0x250
[<ffffffc00008c270>] show_stack+0x10/0x1c
[<ffffffc001b6f9e4>] dump_stack+0x74/0xfc
[<ffffffc0002debf4>] kasan_report_error+0x2b0/0x408
[<ffffffc0002dee28>] kasan_report+0x34/0x40
[<ffffffc0002de240>] __asan_storeN+0x15c/0x168
[<ffffffc0002de47c>] memset+0x20/0x44
[<ffffffc0002d77bc>] kernel_map_pages+0x2e8/0x384
[<ffffffc000266458>] free_pages_prepare+0x340/0x3a0
[<ffffffc0002694cc>] __free_pages_ok+0x20/0x12c
[<ffffffc00026a698>] __free_pages+0x34/0x44
[<ffffffc0002d9c98>] __free_slab+0x15c/0x178
[<ffffffc0002d9d14>] discard_slab+0x60/0x6c
[<ffffffc0002dc034>] __slab_free+0x320/0x340
[<ffffffc0002dc224>] kmem_cache_free+0x1d0/0x25c
[<ffffffc0003bb608>] kernfs_put+0x2a0/0x3d8
Memory state around the buggy address:
ffffffc0bb2fdf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffffc0bb2fdf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffffffc0bb2fe000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
^
fffffc0bb2fe080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffffc0bb2fe100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Change-Id: Id963b9439685f94a022dcdd60b59aaf126610387
Signed-off-by: Se Wang (Patrick) Oh <sewango@codeaurora.org>
[satyap: trivial merge conflict resolution]
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
The pages allocated for thread info are used for stack. KASan marks
some stack memory region for guarding area and the bitmasks for
that region are not cleared until the pages are freed. When
CONFIG_PAGE_POISONING is enabled, as the pages still have special
bitmasks, an out of bound access KASan report arises during pages
poisoning. So mark the pages as alloc status before poisoning the
pages.
==================================================================
BUG: KASan: out of bounds on stack in memset+0x24/0x44 at addr ffffffc0b8e3f000
Write of size 4096 by task swapper/0/0
page:ffffffbacc38e760 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.0-g5a4a5d5-07244-g488682c-dirty #12
Hardware name: Qualcomm Technologies, Inc. MSM 8996 v2.0 LiQUID (DT)
Call trace:
[<ffffffc00008c010>] dump_backtrace+0x0/0x250
[<ffffffc00008c270>] show_stack+0x10/0x1c
[<ffffffc001b6f9e4>] dump_stack+0x74/0xfc
[<ffffffc0002debf4>] kasan_report_error+0x2b0/0x408
[<ffffffc0002dee28>] kasan_report+0x34/0x40
[<ffffffc0002de240>] __asan_storeN+0x15c/0x168
[<ffffffc0002de47c>] memset+0x20/0x44
[<ffffffc0002d77bc>] kernel_map_pages+0x2e8/0x384
[<ffffffc000266458>] free_pages_prepare+0x340/0x3a0
[<ffffffc0002694cc>] __free_pages_ok+0x20/0x12c
[<ffffffc00026a698>] __free_pages+0x34/0x44
[<ffffffc00026abb0>] free_kmem_pages+0x68/0x80
[<ffffffc0000b0424>] free_task+0x80/0xac
[<ffffffc0000b05a8>] __put_task_struct+0x158/0x23c
[<ffffffc0000b9194>] delayed_put_task_struct+0x188/0x1cc
[<ffffffc00018586c>] rcu_process_callbacks+0x6cc/0xbb0
[<ffffffc0000bfdb0>] __do_softirq+0x368/0x750
[<ffffffc0000c0630>] irq_exit+0xd8/0x15c
[<ffffffc00016f610>] __handle_domain_irq+0x108/0x168
[<ffffffc000081af8>] gic_handle_irq+0x50/0xc0
Memory state around the buggy address:
ffffffc0b8e3f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffc0b8e3fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffc0b8e3fa80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
^
ffffffc0b8e3fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffc0b8e3fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Change-Id: I90aa1c6e82a0bde58d2d5d68d84e67f932728a88
Signed-off-by: Se Wang (Patrick) Oh <sewango@codeaurora.org>
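The two page-poisoning fixes above (slub pages and thread-info stack pages) can be reproduced in a small user-space model of KASan shadow memory. This is an added example, not code from these commits or from the kernel: the `model_*` and `setup_*` names and the page layouts are constructed to mirror the shadow dumps in the reports, and the shadow byte values are assumed to be those in the kernel's mm/kasan/kasan.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model: one shadow byte covers 8 bytes; 0 = valid, 1..7 = first N valid. */
#define SHADOW_SCALE 8
#define PAGE_SZ 4096
#define KASAN_FREE_PAGE 0xFF       /* page was freed */
#define KASAN_KMALLOC_REDZONE 0xFC /* redzone after a slub object */
#define KASAN_KMALLOC_FREE 0xFB    /* slub object was freed */
#define KASAN_STACK_LEFT 0xF1      /* guard area left of a stack variable */
static uint8_t shadow[PAGE_SZ / SHADOW_SCALE]; /* shadow of one model page */

/* Instrumented write: first shadow byte that forbids it, 0 if all valid. */
static uint8_t model_check_write(size_t off, size_t size)
{
    for (size_t i = off; i < off + size; i++) {
        uint8_t s = shadow[i / SHADOW_SCALE];
        if (s != 0 && (s >= SHADOW_SCALE || i % SHADOW_SCALE >= s))
            return s;
    }
    return 0;
}

static const char *model_classify(uint8_t s) /* wording used in the reports */
{
    if (s == KASAN_FREE_PAGE || s == KASAN_KMALLOC_FREE) return "use after free";
    if (s == KASAN_STACK_LEFT) return "out of bounds on stack";
    return s ? "out of bounds access" : "no report";
}

static void setup_slab_page(void) /* freed 120-byte objects, 8-byte redzones */
{
    for (size_t i = 0; i < sizeof(shadow); i++)
        shadow[i] = (i % 16 == 15) ? KASAN_KMALLOC_REDZONE : KASAN_KMALLOC_FREE;
}

static void setup_stack_page(void) /* one 32-byte guard area left behind */
{
    memset(shadow, 0, sizeof(shadow));
    memset(&shadow[0xac0 / SHADOW_SCALE], KASAN_STACK_LEFT, 32 / SHADOW_SCALE);
}

/* Page poisoning writes the whole page at free time; mark_alloc_first resets
 * the shadow to "allocated" before that write, as the two fixes describe. */
static uint8_t model_poison_on_free(void (*setup)(void), int mark_alloc_first)
{
    setup();
    if (mark_alloc_first) memset(shadow, 0, sizeof(shadow));
    return model_check_write(0, PAGE_SZ);
}

int main(void)
{
    void (*pages[])(void) = { setup_slab_page, setup_stack_page };
    for (int p = 0; p < 2; p++)
        printf("%s -> %s\n", model_classify(model_poison_on_free(pages[p], 0)),
               model_classify(model_poison_on_free(pages[p], 1)));
    return 0;
}
```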
The commit 'a106f65b("dma-mapping: Add dma_remap functions")'
defined remap functions for ARM arch only, so it will break other
architecture compilation.
So remap functions are excluded, if arch is not using DMA.
Change-Id: Id39fcbac74f30a0ab1b3ce0c780460017ea189e5
Signed-off-by: Naveen Ramaraj <nramaraj@codeaurora.org>
Signed-off-by: Lingutla Chandrasekhar <clingutla@codeaurora.org>
Signed-off-by: Jeevan Shriram <jshriram@codeaurora.org>
This property is no longer used in 4.4 kernel, hence remove it.
Change-Id: I8fe311d95359220fa8f44e9b39db61e01ee34f5b
Signed-off-by: Venkat Gopalakrishnan <venkatg@codeaurora.org>
This is handled in the ufs platform init. Drop the upstream
change that was missed in the ufs driver port to 4.4 kernel.
Change-Id: Ia3305f2b4f6c6eeafe3866833f2c98e186ad6632
Signed-off-by: Venkat Gopalakrishnan <venkatg@codeaurora.org>
Enable the following MSM I2C related features:
- qcom-sps-dma driver which is the dma engine wrapper for BAM
- i2c-msm-v2 driver, the main MSM I2C driver.
- I2C CHARDEV that allows userspace to communicate with I2C framework.
Change-Id: Ibca06d935de61517ef1a927828789875fcdb7718
Signed-off-by: Girish Mahadevan <girishm@codeaurora.org>
Remove the use of PM_RUNTIME feature flag which is obsoleted on newer
kernel versions. Instead use PM feature flag to conditionally compile
RPM callbacks.
Change-Id: I775c89f79b698bf3f20fdb655216027e58e7059d
Signed-off-by: Girish Mahadevan <girishm@codeaurora.org>
Remove the use of PM_RUNTIME feature flag in the driver as this flag
is obsoleted on newer kernel versions. Instead use PM flag to conditionally
compile RPM callbacks.
Change-Id: I92d4b9ac15d05c6144a68ddd41f29b00aa209fd2
Signed-off-by: Girish Mahadevan <girishm@codeaurora.org>
Remove the use of the PM_RUNTIME config flag in code. This feature flag
has been obsoleted on newer kernel versions, instead use the generic
PM feature flag to conditionally compile RPM callbacks.
Change-Id: Id78a31a3cb59694d07e24ba6f762d608354d758a
Signed-off-by: Girish Mahadevan <girishm@codeaurora.org>
This commit adds a snapshot of the i2c-msm-v2 driver from kernel-3.18.
Kernel-3.18 baseline: e70ad0cd5efdd9dc91a77dcdac31d6132e1315c1
Change-Id: I392a1761ecc324c4a229caf112b1dc4c32a3b9bf
Signed-off-by: Girish Mahadevan <girishm@codeaurora.org>
Modify the qcom-sps-dma driver to adapt to the framework changes in
dmaengine introduced between kernel-3.18 and kernel-4.4.
Change-Id: I000e209af6cf26e652d6937af67eb3382d2d2262
Add a snapshot of the qcom-sps-dma driver from the 3.18 kernel branch.
3.18 baseline: e70ad0cd5efdd9dc91a77dcdac31d6132e1315c1
Change-Id: Ifa64e83d25e6cca220a0435757da861e28f97480
This change adds a snapshot of SPI QSD driver from the 3.18 branch.
kernel-3.18 baseline: e70ad0cd5efdd9dc91a77dcdac31d6132e1315c1
Change-Id: I6e2a4be429a2681603a12e5ecb6853582cd3ffbe
Signed-off-by: Girish Mahadevan <girishm@codeaurora.org>
Read the hi-power power-supply property in the
get_property callback to avoid warnings from the
power-supply framework.
Change-Id: I5a9bb9b625ceb308afab915db9ac784a567ffbfb
Signed-off-by: Anirudh Ghayal <aghayal@codeaurora.org>
Temperature sensor (TSENS) driver provides clients to
read on die temperature sensors and set temperature
thresholds for thermal mitigation.
Signed-off-by: Siddartha Mohanadoss <smohanad@codeaurora.org>
This snapshot is taken as of msm-3.18 commit dbdb6776f
(Merge "msm: camera: Add dummy sub module in sensor pipeline")
Commit 0b46b8a7 (clocksource: arch_timer: Fix code to use
physical timers when requested) introduces the use of
physical counters and requires clients to use api
arch_counter_get_cntvct(). Accordingly update tsens_poll()
to the new API to prevent a BUG_ON() during bootup.
Fixup TSENS to use supported int type for temperature value.
Signed-off-by: Siddartha Mohanadoss <smohanad@codeaurora.org>
batterydata-lib.h limits function declarations to certain CONFIGs and
provides stub function definitions for everyone else. Remove the function
definitions and provide function declarations to everyone.
Signed-off-by: Nicholas Troast <ntroast@codeaurora.org>
QTI charger drivers have outgrown their home in power and deserve their
own sub-directory. Move all QTI charger drivers and their dependencies to
a new sub-directory of power called qcom-charger.
Signed-off-by: Nicholas Troast <ntroast@codeaurora.org>
Many of the older SMB charger drivers are no longer present therefore
remove the config entries for them.
Duplicate config entries are present. Remove them.
Signed-off-by: Nicholas Troast <ntroast@codeaurora.org>
Embedded power measurement (EPM) driver allows
clients to read supported current and voltage
channels for power measurements.
Signed-off-by: Siddartha Mohanadoss <smohanad@codeaurora.org>
This snapshot is taken as of msm-3.18 commit dbdb6776f
(Merge "msm: camera: Add dummy sub module in sensor pipeline")
Signed-off-by: Siddartha Mohanadoss <smohanad@codeaurora.org>
Currently, the CPU_STARTING notifiers would observe an incorrect sibling
mask since the notifier chain is called before the topology masks are
updated for the new cpu.
Update the topology masks before calling the notifier chain to fix this
problem.
Change-Id: I3f698d777af3bb8e324019619b4c1c4de85e7b2c
Signed-off-by: Rohit Vaswani <rvaswani@codeaurora.org>
In case of a kernel panic, only the panicking CPU does an entire
cache flush. This means that certain dirty cache lines in the
caches of the other CPUs may never get flushed. This gives us
improper RAM dumps. Add cache flushing for all the online CPUs.
The outer domain is not flushed since it is already being done by
the panicking CPU.
Change-Id: I03cf14f49334e45c145a17b06d0c623575b653e8
Signed-off-by: Abhimanyu Kapur <abhimany@codeaurora.org>
[satyap: trivial merge conflict resolution]
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
Add a call to secondary start kernel for cpus which have been
onlined via the hotplug path for wfi based hotplug solution
where the return path from cpu_die should not return to the
idle thread. Update the cpu_die definition with a __ref to
allow referencing a __cpuinit call (secondary_start_kernel)
from it.
Change-Id: I7c083effda3928b562ea0d601833ceb8d5178d43
Signed-off-by: Abhimanyu Kapur <abhimany@codeaurora.org>
Convert deprecated smp_mb__*() barriers.
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
[joshc: fixup other uses around the kernel during the 3.14 upgrade]
Signed-off-by: Josh Cartwright <joshc@codeaurora.org>
Since ARM64 doesn't have an NMI, send an IPI to all other CPUs
(current cpu prints the stack directly) to capture a backtrace.
Change-Id: Ib90494123205b3bbaa0b244ccde6c7e40a560199
Signed-off-by: Rohit Vaswani <rvaswani@codeaurora.org>
[satyap: trivial merge conflict resolution & compilation fixes]
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
This snapshot is taken as of msm-3.18 commit dbdb6776f
(Merge "msm: camera: Add dummy sub module in sensor pipeline")
Use regulator_set_load() to specify the load required
while issuing VADC requests on the VADC LDO and fixup
compilation for qpnp_vadc_read() from thermal sysfs.
Signed-off-by: Siddartha Mohanadoss <smohanad@codeaurora.org>
Add support for IPI_WAKEUP which is used by hotplug code
path to wake up CPU from low power states.
Change-Id: I258d05e109a377613064624a5bfda21ab8ea9869
Signed-off-by: Abhimanyu Kapur <abhimany@codeaurora.org>
[satyap@codeaurora.org: trivial merge conflict resolution]
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
Squash and apply following u_serial driver changes taken from
msm-3.10 kernel as of commit
ec18e1c5aed (Merge "mmc: card: set dma_mask as the queue bounce limit")
feb56a3 usb: gadget: Fix bug in serial driver RX path
2ff1b9a USB: Gadget: u_serial: Debugfs for endpoint buffer monitoring
272d2fd USB: gadget: u_serial: free read/write requests upon queue failure
950a3a3 USB: Gadget: u_serial: Freeing usb requests as a part of gs_close
e4e6bc4 USB: u_serial: Don't allow UDC to append and send a zero length
packet
4bd2646 usb: gadget: serial: Limit write permissions to root
13e7219 USB: Fix multiple issues found by static analysis tool
505294c USB: Debugfs: Fix compilation issues when debugfs is disabled
0e7633e usb: gadget: Fix code quality issues when accessing port
607dbeb USB: u_serial: Don't free usb_requests in gs_close and reuse them
4aebedc usb: u_serial: Fix NULL pointer dereference in u_serial tty
callbacks
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
Squash and apply following f_serial driver changes taken
from msm-3.10 kernel as of commit
ec18e1c5aed (Merge "mmc: card: set dma_mask as the queue bounce limit")
d98217e USB: android gadget: queue the request only when serial is online
b8bd483 USB: android gadget: Add interrupt ep and modem support in f_serial
7b56862 USB: Add super speed descriptors for android functions
c5a7f7f gadget: u_serial: Add tiocmset/tiocmget functionality
2a821c8 usb: gadget: Add debug message to print the control line state
information
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
Correct the __iomem decorations in __raw_write_logged()
and __raw_read_logged().
Change-Id: If4a4f7aff09537772a5f9e386c3c6ada95512457
Signed-off-by: Jeremy Gebben <jgebben@codeaurora.org>
Due to USB cable disconnect, ADBD closes its epfiles and re-opens the same.
In normal operation the sequence is:
ffs_func_eps_disable() setting epfile->error to 1
ffs_epfile_release() setting epfile->error to 1
ffs_epfile_open() setting epfile->error to 0
In some cases when the above sequence gets changed, epfile->error is set to 1.
Hence there is no data transfer happening on ep-IN endpoint. Fix this by
not allowing opening of epfiles until it has been successfully released.
Change-Id: I26b9ec1b6218d00cc0965ce3e71fcea49f9bf567
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
config_ep_by_speed() configures endpoint based on speed and
uses already available endpoint descriptors. Here it overrides
maxpacket field based on selected descriptor for endpoint. maxpacket
field is used by some of UDC driver to resize TXFIFO for IN endpoint.
Because maxpacket is not being configured with selected endpoint
descriptor, UDC driver uses previously stale maxpacket value which
results in wrong TXFIFO calculated for used IN endpoint. Fix this
issue by calling config_ep_by_speed() for ADB endpoints to make sure
that proper value is updated with maxpacket field based on descriptor.
Change-Id: I9121f4df898de1455f9be4333ca8d0e744f4eb9e
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
f_fs uses only one request per ep and driver is trying to queue
same request again before it completed. This is seen in following
scenario, as part of system suspend wait_for_completion was
interrupted by -ERESTARTSYS, and driver tried to dequeue this
request, as USB was in LPM it was unable to dequeue this and
later on system resume ffs_epfile_read tried to queue same
request again which was never dequeued or completed. ep_queue
will return error if same request is queued again while it is in
progress. User space considers this ep_queue failure as halt and
tries to clear halt condition that never happened. When User space
is trying to clear halt by that time USB has entered LPM again
leading to crash.
Avoid this by making sure same request is not queued again until
it is completed.
Change-Id: I6e9f357b9b8a47753b1323b4308e60844d7dec94
Signed-off-by: Tarun Gupta <tarung@codeaurora.org>
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
In few instances, it is observed that multiple adbd instances are
running on device causing condition BUG_ON(ffs->gadget) to be true.
ffs->opened and ffs->ref atomic variables are used here to make
decision for checking ffs->gadget. These atomic variable operations
require explicit memory barrier to make sure that update to
ffs->gadget is visible to other CPUs before updated atomic variable
based value is seen. This change also adds explicit memory barriers
before reading or modifying any atomic variables.
Change-Id: I3c846eb6bbb53663892e05d51ebac8439aac957a
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
As part of ffs_ep0_open(), atomic variable ffs.opened is set and as part
of ffs_ep0_release() it is cleared. Also as part of release operation, in
ffs_data_clear() ffs->gadget is set to NULL.
If two adb daemons are running in parallel, then BUG ON is observed as part
of release operation as ffs->gadget is not set to NULL.
To fix the issue add check for ffs->opened to allow only one adb daemon
perform device open. This ensures open and release operation are performed
in serialized way and avoids any race.
Also add debug print for dumping the ffs gadget.
Change-Id: Ifccdfa6068f506bb7dfdc9945b60591da530df8f
Signed-off-by: Saket Saurabh <ssaurabh@codeaurora.org>
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
Add print message in case of error scenarios which will
be useful for debugging adb offline issues.
Change-Id: I75bc136eab05151abb187c1fa1e5956b6f507297
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
done completion variable is local stack variable to ffs_epfile_io().
It is being used to unblock ffs_epfile_io() from USB request
completion context where done is accessed through req->context. If
ffs_epfile_io() is unblocked or interrupted due to epfile close or
any signal before USB request completion is handled, req->context is
having stale "done" reference causing invalid access. Fix this issue
by storing done completion reference with epfile structure instead of
having it on stack to have valid req->context in completion handler.
Change-Id: I15102538d1b5bee14dfa3c7b3fa1f8e3f767cf71
Signed-off-by: Sujeet Kumar <ksujeet@codeaurora.org>
Signed-off-by: Mayank Rana <mrana@codeaurora.org>