Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'char-misc-6.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
Pull char/misc driver fixes from Greg KH:
"Here are some small char/misc/android driver fixes for 6.18-rc3 for
reported issues. Included in here are:
- rust binder fixes for reported issues
- mei device id addition
- mei driver fixes
- comedi bugfix
- most usb driver bugfixes
- fastrpc memory leak fix
All of these have been in linux-next for a while with no reported
issues"
* tag 'char-misc-6.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
most: usb: hdm_probe: Fix calling put_device() before device initialization
most: usb: Fix use-after-free in hdm_disconnect
binder: remove "invalid inc weak" check
mei: txe: fix initialization order
comedi: fix divide-by-zero in comedi_buf_munge()
mei: late_bind: Fix -Wincompatible-function-pointer-types-strict
misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup
mei: me: add wildcat lake P DID
misc: amd-sbi: Clarify that this is a BMC driver
nvmem: rcar-efuse: add missing MODULE_DEVICE_TABLE
binder: Fix missing kernel-doc entries in binder.c
rust_binder: report freeze notification only when fully frozen
rust_binder: don't delete FreezeListener if there are pending duplicates
rust_binder: freeze_notif_done should resend if wrong state
rust_binder: remove warning about orphan mappings
rust_binder: clean `clippy::mem_replace_with_default` warning
+93
-62
+15
-23
drivers/android/binder.c
+15
-23
drivers/android/binder.c
···
851
851
} else {
852
852
if (!internal)
853
853
node->local_weak_refs++;
854
-
if (!node->has_weak_ref && list_empty(&node->work.entry)) {
855
-
if (target_list == NULL) {
856
-
pr_err("invalid inc weak node for %d\n",
857
-
node->debug_id);
858
-
return -EINVAL;
859
-
}
860
-
/*
861
-
* See comment above
862
-
*/
854
+
if (!node->has_weak_ref && target_list && list_empty(&node->work.entry))
863
855
binder_enqueue_work_ilocked(&node->work, target_list);
864
-
}
865
856
}
866
857
return 0;
867
858
}
···
2409
2418
2410
2419
/**
2411
2420
* struct binder_ptr_fixup - data to be fixed-up in target buffer
2412
-
* @offset offset in target buffer to fixup
2413
-
* @skip_size bytes to skip in copy (fixup will be written later)
2414
-
* @fixup_data data to write at fixup offset
2415
-
* @node list node
2421
+
* @offset: offset in target buffer to fixup
2422
+
* @skip_size: bytes to skip in copy (fixup will be written later)
2423
+
* @fixup_data: data to write at fixup offset
2424
+
* @node: list node
2416
2425
*
2417
2426
* This is used for the pointer fixup list (pf) which is created and consumed
2418
2427
* during binder_transaction() and is only accessed locally. No
···
2429
2438
2430
2439
/**
2431
2440
* struct binder_sg_copy - scatter-gather data to be copied
2432
-
* @offset offset in target buffer
2433
-
* @sender_uaddr user address in source buffer
2434
-
* @length bytes to copy
2435
-
* @node list node
2441
+
* @offset: offset in target buffer
2442
+
* @sender_uaddr: user address in source buffer
2443
+
* @length: bytes to copy
2444
+
* @node: list node
2436
2445
*
2437
2446
* This is used for the sg copy list (sgc) which is created and consumed
2438
2447
* during binder_transaction() and is only accessed locally. No
···
4054
4063
4055
4064
/**
4056
4065
* binder_free_buf() - free the specified buffer
4057
-
* @proc: binder proc that owns buffer
4058
-
* @buffer: buffer to be freed
4059
-
* @is_failure: failed to send transaction
4066
+
* @proc: binder proc that owns buffer
4067
+
* @thread: binder thread performing the buffer release
4068
+
* @buffer: buffer to be freed
4069
+
* @is_failure: failed to send transaction
4060
4070
*
4061
-
* If buffer for an async transaction, enqueue the next async
4071
+
* If the buffer is for an async transaction, enqueue the next async
4062
4072
* transaction from the node.
4063
4073
*
4064
-
* Cleanup buffer and free it.
4074
+
* Cleanup the buffer and free it.
4065
4075
*/
4066
4076
static void
4067
4077
binder_free_buf(struct binder_proc *proc,
+14
-4
drivers/android/binder/freeze.rs
+14
-4
drivers/android/binder/freeze.rs
···
106
106
return Ok(true);
107
107
}
108
108
if freeze.is_clearing {
109
-
_removed_listener = freeze_entry.remove_node();
109
+
kernel::warn_on!(freeze.num_cleared_duplicates != 0);
110
+
if freeze.num_pending_duplicates > 0 {
111
+
// The primary freeze listener was deleted, so convert a pending duplicate back
112
+
// into the primary one.
113
+
freeze.num_pending_duplicates -= 1;
114
+
freeze.is_pending = true;
115
+
freeze.is_clearing = true;
116
+
} else {
117
+
_removed_listener = freeze_entry.remove_node();
118
+
}
110
119
drop(node_refs);
111
120
writer.write_code(BR_CLEAR_FREEZE_NOTIFICATION_DONE)?;
112
121
writer.write_payload(&self.cookie.0)?;
113
122
Ok(true)
114
123
} else {
115
-
let is_frozen = freeze.node.owner.inner.lock().is_frozen;
124
+
let is_frozen = freeze.node.owner.inner.lock().is_frozen.is_fully_frozen();
116
125
if freeze.last_is_frozen == Some(is_frozen) {
117
126
return Ok(true);
118
127
}
···
254
245
);
255
246
return Err(EINVAL);
256
247
}
257
-
if freeze.is_clearing {
258
-
// Immediately send another FreezeMessage for BR_CLEAR_FREEZE_NOTIFICATION_DONE.
248
+
let is_frozen = freeze.node.owner.inner.lock().is_frozen.is_fully_frozen();
249
+
if freeze.is_clearing || freeze.last_is_frozen != Some(is_frozen) {
250
+
// Immediately send another FreezeMessage.
259
251
clear_msg = Some(FreezeMessage::init(alloc, cookie));
260
252
}
261
253
freeze.is_pending = false;
+1
-1
drivers/android/binder/node.rs
+1
-1
drivers/android/binder/node.rs
+37
-13
drivers/android/binder/process.rs
+37
-13
drivers/android/binder/process.rs
···
72
72
const PROC_DEFER_FLUSH: u8 = 1;
73
73
const PROC_DEFER_RELEASE: u8 = 2;
74
74
75
+
#[derive(Copy, Clone)]
76
+
pub(crate) enum IsFrozen {
77
+
Yes,
78
+
No,
79
+
InProgress,
80
+
}
81
+
82
+
impl IsFrozen {
83
+
/// Whether incoming transactions should be rejected due to freeze.
84
+
pub(crate) fn is_frozen(self) -> bool {
85
+
match self {
86
+
IsFrozen::Yes => true,
87
+
IsFrozen::No => false,
88
+
IsFrozen::InProgress => true,
89
+
}
90
+
}
91
+
92
+
/// Whether freeze notifications consider this process frozen.
93
+
pub(crate) fn is_fully_frozen(self) -> bool {
94
+
match self {
95
+
IsFrozen::Yes => true,
96
+
IsFrozen::No => false,
97
+
IsFrozen::InProgress => false,
98
+
}
99
+
}
100
+
}
101
+
75
102
/// The fields of `Process` protected by the spinlock.
76
103
pub(crate) struct ProcessInner {
77
104
is_manager: bool,
···
125
98
/// are woken up.
126
99
outstanding_txns: u32,
127
100
/// Process is frozen and unable to service binder transactions.
128
-
pub(crate) is_frozen: bool,
101
+
pub(crate) is_frozen: IsFrozen,
129
102
/// Process received sync transactions since last frozen.
130
103
pub(crate) sync_recv: bool,
131
104
/// Process received async transactions since last frozen.
···
151
124
started_thread_count: 0,
152
125
defer_work: 0,
153
126
outstanding_txns: 0,
154
-
is_frozen: false,
127
+
is_frozen: IsFrozen::No,
155
128
sync_recv: false,
156
129
async_recv: false,
157
130
binderfs_file: None,
···
1287
1260
let is_manager = {
1288
1261
let mut inner = self.inner.lock();
1289
1262
inner.is_dead = true;
1290
-
inner.is_frozen = false;
1263
+
inner.is_frozen = IsFrozen::No;
1291
1264
inner.sync_recv = false;
1292
1265
inner.async_recv = false;
1293
1266
inner.is_manager
···
1373
1346
.alloc
1374
1347
.take_for_each(|offset, size, debug_id, odata| {
1375
1348
let ptr = offset + address;
1376
-
pr_warn!(
1377
-
"{}: removing orphan mapping {offset}:{size}\n",
1378
-
self.pid_in_current_ns()
1379
-
);
1380
1349
let mut alloc =
1381
1350
Allocation::new(self.clone(), debug_id, offset, size, ptr, false);
1382
1351
if let Some(data) = odata {
···
1394
1371
return;
1395
1372
}
1396
1373
inner.outstanding_txns -= 1;
1397
-
inner.is_frozen && inner.outstanding_txns == 0
1374
+
inner.is_frozen.is_frozen() && inner.outstanding_txns == 0
1398
1375
};
1399
1376
1400
1377
if wake {
···
1408
1385
let mut inner = self.inner.lock();
1409
1386
inner.sync_recv = false;
1410
1387
inner.async_recv = false;
1411
-
inner.is_frozen = false;
1388
+
inner.is_frozen = IsFrozen::No;
1412
1389
drop(inner);
1413
1390
msgs.send_messages();
1414
1391
return Ok(());
···
1417
1394
let mut inner = self.inner.lock();
1418
1395
inner.sync_recv = false;
1419
1396
inner.async_recv = false;
1420
-
inner.is_frozen = true;
1397
+
inner.is_frozen = IsFrozen::InProgress;
1421
1398
1422
1399
if info.timeout_ms > 0 {
1423
1400
let mut jiffies = kernel::time::msecs_to_jiffies(info.timeout_ms);
···
1431
1408
.wait_interruptible_timeout(&mut inner, jiffies)
1432
1409
{
1433
1410
CondVarTimeoutResult::Signal { .. } => {
1434
-
inner.is_frozen = false;
1411
+
inner.is_frozen = IsFrozen::No;
1435
1412
return Err(ERESTARTSYS);
1436
1413
}
1437
1414
CondVarTimeoutResult::Woken { jiffies: remaining } => {
···
1445
1422
}
1446
1423
1447
1424
if inner.txns_pending_locked() {
1448
-
inner.is_frozen = false;
1425
+
inner.is_frozen = IsFrozen::No;
1449
1426
Err(EAGAIN)
1450
1427
} else {
1451
1428
drop(inner);
1452
1429
match self.prepare_freeze_messages() {
1453
1430
Ok(batch) => {
1431
+
self.inner.lock().is_frozen = IsFrozen::Yes;
1454
1432
batch.send_messages();
1455
1433
Ok(())
1456
1434
}
1457
1435
Err(kernel::alloc::AllocError) => {
1458
-
self.inner.lock().is_frozen = false;
1436
+
self.inner.lock().is_frozen = IsFrozen::No;
1459
1437
Err(ENOMEM)
1460
1438
}
1461
1439
}
+3
-3
drivers/android/binder/transaction.rs
+3
-3
drivers/android/binder/transaction.rs
···
249
249
250
250
if oneway {
251
251
if let Some(target_node) = self.target_node.clone() {
252
-
if process_inner.is_frozen {
252
+
if process_inner.is_frozen.is_frozen() {
253
253
process_inner.async_recv = true;
254
254
if self.flags & TF_UPDATE_TXN != 0 {
255
255
if let Some(t_outdated) =
···
270
270
}
271
271
}
272
272
273
-
if process_inner.is_frozen {
273
+
if process_inner.is_frozen.is_frozen() {
274
274
return Err(BinderError::new_frozen_oneway());
275
275
} else {
276
276
return Ok(());
···
280
280
}
281
281
}
282
282
283
-
if process_inner.is_frozen {
283
+
if process_inner.is_frozen.is_frozen() {
284
284
process_inner.sync_recv = true;
285
285
return Err(BinderError::new_frozen());
286
286
}
+1
-1
drivers/comedi/comedi_buf.c
+1
-1
drivers/comedi/comedi_buf.c
···
317
317
unsigned int count = 0;
318
318
const unsigned int num_sample_bytes = comedi_bytes_per_sample(s);
319
319
320
-
if (!s->munge || (async->cmd.flags & CMDF_RAWDATA)) {
320
+
if (!s->munge || (async->cmd.flags & CMDF_RAWDATA) || async->cmd.chanlist_len == 0) {
321
321
async->munge_count += num_bytes;
322
322
return num_bytes;
323
323
}
+2
drivers/misc/amd-sbi/Kconfig
+2
drivers/misc/amd-sbi/Kconfig
···
2
2
config AMD_SBRMI_I2C
3
3
tristate "AMD side band RMI support"
4
4
depends on I2C
5
+
depends on ARM || ARM64 || COMPILE_TEST
5
6
select REGMAP_I2C
6
7
help
7
8
Side band RMI over I2C support for AMD out of band management.
9
+
This driver is intended to run on the BMC, not the managed node.
8
10
9
11
This driver can also be built as a module. If so, the module will
10
12
be called sbrmi-i2c.
+2
drivers/misc/fastrpc.c
+2
drivers/misc/fastrpc.c
+2
drivers/misc/mei/hw-me-regs.h
+2
drivers/misc/mei/hw-me-regs.h
+1
-2
drivers/misc/mei/mei_lb.c
+1
-2
drivers/misc/mei/mei_lb.c
···
134
134
return true;
135
135
}
136
136
137
-
static int mei_lb_push_payload(struct device *dev,
138
-
enum intel_lb_type type, u32 flags,
137
+
static int mei_lb_push_payload(struct device *dev, u32 type, u32 flags,
139
138
const void *payload, size_t payload_size)
140
139
{
141
140
struct mei_cl_device *cldev;
+2
drivers/misc/mei/pci-me.c
+2
drivers/misc/mei/pci-me.c
+7
-7
drivers/misc/mei/pci-txe.c
+7
-7
drivers/misc/mei/pci-txe.c
···
109
109
goto end;
110
110
}
111
111
112
+
err = mei_register(dev, &pdev->dev);
113
+
if (err)
114
+
goto release_irq;
115
+
112
116
if (mei_start(dev)) {
113
117
dev_err(&pdev->dev, "init hw failure.\n");
114
118
err = -ENODEV;
115
-
goto release_irq;
119
+
goto deregister;
116
120
}
117
121
118
122
pm_runtime_set_autosuspend_delay(&pdev->dev, MEI_TXI_RPM_TIMEOUT);
119
123
pm_runtime_use_autosuspend(&pdev->dev);
120
-
121
-
err = mei_register(dev, &pdev->dev);
122
-
if (err)
123
-
goto stop;
124
124
125
125
pci_set_drvdata(pdev, dev);
126
126
···
144
144
145
145
return 0;
146
146
147
-
stop:
148
-
mei_stop(dev);
147
+
deregister:
148
+
mei_deregister(dev);
149
149
release_irq:
150
150
mei_cancel_work(dev);
151
151
mei_disable_interrupts(dev);
+5
-8
drivers/most/most_usb.c
+5
-8
drivers/most/most_usb.c
···
929
929
{
930
930
struct most_dev *mdev = to_mdev_from_dev(dev);
931
931
932
+
kfree(mdev->busy_urbs);
933
+
kfree(mdev->cap);
934
+
kfree(mdev->conf);
935
+
kfree(mdev->ep_address);
932
936
kfree(mdev);
933
937
}
934
938
/**
···
1097
1093
err_free_conf:
1098
1094
kfree(mdev->conf);
1099
1095
err_free_mdev:
1100
-
put_device(&mdev->dev);
1096
+
kfree(mdev);
1101
1097
return ret;
1102
1098
}
1103
1099
···
1125
1121
if (mdev->dci)
1126
1122
device_unregister(&mdev->dci->dev);
1127
1123
most_deregister_interface(&mdev->iface);
1128
-
1129
-
kfree(mdev->busy_urbs);
1130
-
kfree(mdev->cap);
1131
-
kfree(mdev->conf);
1132
-
kfree(mdev->ep_address);
1133
-
put_device(&mdev->dci->dev);
1134
-
put_device(&mdev->dev);
1135
1124
}
1136
1125
1137
1126
static int hdm_suspend(struct usb_interface *interface, pm_message_t message)