--- /dev/null
+From b2a6d1b999a4c13e5997bb864694e77172d45250 Mon Sep 17 00:00:00 2001
+From: Martijn Coenen <maco@android.com>
+Date: Fri, 28 Jul 2017 13:56:08 +0200
+Subject: ANDROID: binder: fix proc->tsk check.
+
+From: Martijn Coenen <maco@android.com>
+
+commit b2a6d1b999a4c13e5997bb864694e77172d45250 upstream.
+
+Commit c4ea41ba195d ("binder: use group leader instead of open thread")'
+was incomplete and didn't update a check in binder_mmap(), causing all
+mmap() calls into the binder driver to fail.
+
+Signed-off-by: Martijn Coenen <maco@android.com>
+Tested-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2875,7 +2875,7 @@ static int binder_mmap(struct file *filp
+ const char *failure_string;
+ struct binder_buffer *buffer;
+
+- if (proc->tsk != current)
++ if (proc->tsk != current->group_leader)
+ return -EINVAL;
+
+ if ((vma->vm_end - vma->vm_start) > SZ_4M)
--- /dev/null
+From c4ea41ba195d01c9af66fb28711a16cc97caa9c5 Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@android.com>
+Date: Thu, 29 Jun 2017 12:01:36 -0700
+Subject: binder: use group leader instead of open thread
+
+From: Todd Kjos <tkjos@android.com>
+
+commit c4ea41ba195d01c9af66fb28711a16cc97caa9c5 upstream.
+
+The binder allocator assumes that the thread that
+called binder_open will never die for the lifetime of
+that proc. That thread is normally the group_leader,
+however it may not be. Use the group_leader instead
+of current.
+
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2972,8 +2972,8 @@ static int binder_open(struct inode *nod
+ proc = kzalloc(sizeof(*proc), GFP_KERNEL);
+ if (proc == NULL)
+ return -ENOMEM;
+- get_task_struct(current);
+- proc->tsk = current;
++ get_task_struct(current->group_leader);
++ proc->tsk = current->group_leader;
+ INIT_LIST_HEAD(&proc->todo);
+ init_waitqueue_head(&proc->wait);
+ proc->default_priority = task_nice(current);
--- /dev/null
+From 00b40d613352c623aaae88a44e5ded7c912909d7 Mon Sep 17 00:00:00 2001
+From: Riley Andrews <riandrews@google.com>
+Date: Thu, 29 Jun 2017 12:01:37 -0700
+Subject: binder: Use wake up hint for synchronous transactions.
+
+From: Riley Andrews <riandrews@google.com>
+
+commit 00b40d613352c623aaae88a44e5ded7c912909d7 upstream.
+
+Use wake_up_interruptible_sync() to hint to the scheduler binder
+transactions are synchronous wakeups. Disable preemption while waking
+to avoid ping-ponging on the binder lock.
+
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Omprakash Dhyade <odhyade@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -1724,8 +1724,12 @@ static void binder_transaction(struct bi
+ list_add_tail(&t->work.entry, target_list);
+ tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
+ list_add_tail(&tcomplete->entry, &thread->todo);
+- if (target_wait)
+- wake_up_interruptible(target_wait);
++ if (target_wait) {
++ if (reply || !(t->flags & TF_ONE_WAY))
++ wake_up_interruptible_sync(target_wait);
++ else
++ wake_up_interruptible(target_wait);
++ }
+ return;
+
+ err_get_unused_fd_failed:
--- /dev/null
+From 0cc3b0ec23ce4c69e1e890ed2b8d2fa932b14aad Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sun, 27 Aug 2017 12:12:25 -0700
+Subject: Clarify (and fix) MAX_LFS_FILESIZE macros
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0cc3b0ec23ce4c69e1e890ed2b8d2fa932b14aad upstream.
+
+We have a MAX_LFS_FILESIZE macro that is meant to be filled in by
+filesystems (and other IO targets) that know they are 64-bit clean and
+don't have any 32-bit limits in their IO path.
+
+It turns out that our 32-bit value for that limit was bogus. On 32-bit,
+the VM layer is limited by the page cache to only 32-bit index values,
+but our logic for that was confusing and actually wrong. We used to
+define that value to
+
+ (((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1)
+
+which is actually odd in several ways: it limits the index to 31 bits,
+and then it limits files so that they can't have data in that last byte
+of a page that has the highest 31-bit index (ie page index 0x7fffffff).
+
+Neither of those limitations make sense. The index is actually the full
+32 bit unsigned value, and we can use that whole full page. So the
+maximum size of the file would logically be "PAGE_SIZE << BITS_PER_LONG".
+
+However, we do wan tto avoid the maximum index, because we have code
+that iterates over the page indexes, and we don't want that code to
+overflow. So the maximum size of a file on a 32-bit host should
+actually be one page less than the full 32-bit index.
+
+So the actual limit is ULONG_MAX << PAGE_SHIFT. That means that we will
+not actually be using the page of that last index (ULONG_MAX), but we
+can grow a file up to that limit.
+
+The wrong value of MAX_LFS_FILESIZE actually caused problems for Doug
+Nazar, who was still using a 32-bit host, but with a 9.7TB 2 x RAID5
+volume. It turns out that our old MAX_LFS_FILESIZE was 8TiB (well, one
+byte less), but the actual true VM limit is one page less than 16TiB.
+
+This was invisible until commit c2a9737f45e2 ("vfs,mm: fix a dead loop
+in truncate_inode_pages_range()"), which started applying that
+MAX_LFS_FILESIZE limit to block devices too.
+
+NOTE! On 64-bit, the page index isn't a limiter at all, and the limit is
+actually just the offset type itself (loff_t), which is signed. But for
+clarity, on 64-bit, just use the maximum signed value, and don't make
+people have to count the number of 'f' characters in the hex constant.
+
+So just use LLONG_MAX for the 64-bit case. That was what the value had
+been before too, just written out as a hex constant.
+
+Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
+Reported-and-tested-by: Doug Nazar <nazard@nazar.ca>
+Cc: Andreas Dilger <adilger@dilger.ca>
+Cc: Mark Fasheh <mfasheh@versity.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Dave Kleikamp <shaggy@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/fs.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -941,9 +941,9 @@ static inline struct file *get_file(stru
+ /* Page cache limit. The filesystems should put that into their s_maxbytes
+ limits, otherwise bad things can happen in VM. */
+ #if BITS_PER_LONG==32
+-#define MAX_LFS_FILESIZE (((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1)
++#define MAX_LFS_FILESIZE ((loff_t)ULONG_MAX << PAGE_SHIFT)
+ #elif BITS_PER_LONG==64
+-#define MAX_LFS_FILESIZE ((loff_t)0x7fffffffffffffffLL)
++#define MAX_LFS_FILESIZE ((loff_t)LLONG_MAX)
+ #endif
+
+ #define FL_POSIX 1
--- /dev/null
+From f1664eaacec31035450132c46ed2915fd2b2049a Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Sat, 12 Aug 2017 09:09:21 -0700
+Subject: iio: hid-sensor-trigger: Fix the race with user space powering up sensors
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+commit f1664eaacec31035450132c46ed2915fd2b2049a upstream.
+
+It has been reported for a while that with iio-sensor-proxy service the
+rotation only works after one suspend/resume cycle. This required a wait
+in the systemd unit file to avoid race. I found a Yoga 900 where I could
+reproduce this.
+
+The problem scenerio is:
+- During sensor driver init, enable run time PM and also set a
+ auto-suspend for 3 seconds.
+ This result in one runtime resume. But there is a check to avoid
+a powerup in this sequence, but rpm is active
+- User space iio-sensor-proxy tries to power up the sensor. Since rpm is
+ active it will simply return. But sensors were not actually
+powered up in the prior sequence, so actaully the sensors will not work
+- After 3 seconds the auto suspend kicks
+
+If we add a wait in systemd service file to fire iio-sensor-proxy after
+3 seconds, then now everything will work as the runtime resume will
+actually powerup the sensor as this is a user request.
+
+To avoid this:
+- Remove the check to match user requested state, this will cause a
+ brief powerup, but if the iio-sensor-proxy starts immediately it will
+still work as the sensors are ON.
+- Also move the autosuspend delay to place when user requested turn off
+ of sensors, like after user finished raw read or buffer disable
+
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Tested-by: Bastien Nocera <hadess@hadess.net>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
++++ b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
+@@ -36,8 +36,6 @@ static int _hid_sensor_power_state(struc
+ s32 poll_value = 0;
+
+ if (state) {
+- if (!atomic_read(&st->user_requested_state))
+- return 0;
+ if (sensor_hub_device_open(st->hsdev))
+ return -EIO;
+
+@@ -86,6 +84,9 @@ static int _hid_sensor_power_state(struc
+ &report_val);
+ }
+
++ pr_debug("HID_SENSOR %s set power_state %d report_state %d\n",
++ st->pdev->name, state_val, report_val);
++
+ sensor_hub_get_feature(st->hsdev, st->power_state.report_id,
+ st->power_state.index,
+ sizeof(state_val), &state_val);
+@@ -107,6 +108,7 @@ int hid_sensor_power_state(struct hid_se
+ ret = pm_runtime_get_sync(&st->pdev->dev);
+ else {
+ pm_runtime_mark_last_busy(&st->pdev->dev);
++ pm_runtime_use_autosuspend(&st->pdev->dev);
+ ret = pm_runtime_put_autosuspend(&st->pdev->dev);
+ }
+ if (ret < 0) {
+@@ -201,8 +203,6 @@ int hid_sensor_setup_trigger(struct iio_
+ /* Default to 3 seconds, but can be changed from sysfs */
+ pm_runtime_set_autosuspend_delay(&attrb->pdev->dev,
+ 3000);
+- pm_runtime_use_autosuspend(&attrb->pdev->dev);
+-
+ return ret;
+ error_unreg_trigger:
+ iio_trigger_unregister(trig);
--- /dev/null
+From fdd0d32eb95f135041236a6885d9006315aa9a1d Mon Sep 17 00:00:00 2001
+From: Dragos Bogdan <dragos.bogdan@analog.com>
+Date: Fri, 4 Aug 2017 01:37:27 +0300
+Subject: iio: imu: adis16480: Fix acceleration scale factor for adis16480
+
+From: Dragos Bogdan <dragos.bogdan@analog.com>
+
+commit fdd0d32eb95f135041236a6885d9006315aa9a1d upstream.
+
+According to the datasheet, the range of the acceleration is [-10 g, + 10 g],
+so the scale factor should be 10 instead of 5.
+
+Signed-off-by: Dragos Bogdan <dragos.bogdan@analog.com>
+Acked-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/imu/adis16480.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/adis16480.c
++++ b/drivers/iio/imu/adis16480.c
+@@ -696,7 +696,7 @@ static const struct adis16480_chip_info
+ .gyro_max_val = IIO_RAD_TO_DEGREE(22500),
+ .gyro_max_scale = 450,
+ .accel_max_val = IIO_M_S_2_TO_G(12500),
+- .accel_max_scale = 5,
++ .accel_max_scale = 10,
+ },
+ [ADIS16485] = {
+ .channels = adis16485_channels,
--- /dev/null
+From a2b18708ee14baec4ef9c0fba96070bba14d0081 Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@android.com>
+Date: Wed, 5 Jul 2017 13:46:01 -0700
+Subject: Revert "android: binder: Sanity check at binder ioctl"
+
+From: Todd Kjos <tkjos@android.com>
+
+commit a2b18708ee14baec4ef9c0fba96070bba14d0081 upstream.
+
+This reverts commit a906d6931f3ccaf7de805643190765ddd7378e27.
+
+The patch introduced a race in the binder driver. An attempt to fix the
+race was submitted in "[PATCH v2] android: binder: fix dangling pointer
+comparison", however the conclusion in the discussion for that patch
+was that the original patch should be reverted.
+
+The reversion is being done as part of the fine-grained locking
+patchset since the patch would need to be refactored when
+proc->vmm_vm_mm is removed from struct binder_proc and added
+in the binder allocator.
+
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2760,10 +2760,6 @@ static long binder_ioctl(struct file *fi
+ /*pr_info("binder_ioctl: %d:%d %x %lx\n",
+ proc->pid, current->pid, cmd, arg);*/
+
+- if (unlikely(current->mm != proc->vma_vm_mm)) {
+- pr_err("current mm mismatch proc mm\n");
+- return -EINVAL;
+- }
+ trace_binder_ioctl(cmd, arg);
+
+ ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
+@@ -2978,7 +2974,6 @@ static int binder_open(struct inode *nod
+ return -ENOMEM;
+ get_task_struct(current);
+ proc->tsk = current;
+- proc->vma_vm_mm = current->mm;
+ INIT_LIST_HEAD(&proc->todo);
+ init_waitqueue_head(&proc->wait);
+ proc->default_priority = task_nice(current);
bluetooth-hidp-fix-possible-might-sleep-error-in-hidp_session_thread.patch
bluetooth-cmtp-fix-possible-might-sleep-error-in-cmtp_session.patch
bluetooth-bnep-fix-possible-might-sleep-error-in-bnep_session.patch
+revert-android-binder-sanity-check-at-binder-ioctl.patch
+binder-use-group-leader-instead-of-open-thread.patch
+binder-use-wake-up-hint-for-synchronous-transactions.patch
+android-binder-fix-proc-tsk-check.patch
+iio-imu-adis16480-fix-acceleration-scale-factor-for-adis16480.patch
+iio-hid-sensor-trigger-fix-the-race-with-user-space-powering-up-sensors.patch
+staging-rtl8188eu-add-rnx-n150nub-support.patch
+clarify-and-fix-max_lfs_filesize-macros.patch
--- /dev/null
+From f299aec6ebd747298e35934cff7709c6b119ca52 Mon Sep 17 00:00:00 2001
+From: Charles Milette <charlesmilette@gmail.com>
+Date: Fri, 18 Aug 2017 16:30:34 -0400
+Subject: staging: rtl8188eu: add RNX-N150NUB support
+
+From: Charles Milette <charlesmilette@gmail.com>
+
+commit f299aec6ebd747298e35934cff7709c6b119ca52 upstream.
+
+Add support for USB Device Rosewill RNX-N150NUB.
+VendorID: 0x0bda, ProductID: 0xffef
+
+Signed-off-by: Charles Milette <charles.milette@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -45,6 +45,7 @@ static struct usb_device_id rtw_usb_id_t
+ {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
+ {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
+ {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
++ {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
+ {} /* Terminating entry */
+ };
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
