From: Greg Kroah-Hartman Date: Mon, 28 Aug 2017 04:51:51 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.68~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1e670c984058bec2274522a30438fb89b9bc11e5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: android-binder-fix-proc-tsk-check.patch binder-use-group-leader-instead-of-open-thread.patch binder-use-wake-up-hint-for-synchronous-transactions.patch clarify-and-fix-max_lfs_filesize-macros.patch iio-hid-sensor-trigger-fix-the-race-with-user-space-powering-up-sensors.patch iio-imu-adis16480-fix-acceleration-scale-factor-for-adis16480.patch revert-android-binder-sanity-check-at-binder-ioctl.patch staging-rtl8188eu-add-rnx-n150nub-support.patch
---
diff --git a/queue-4.9/android-binder-fix-proc-tsk-check.patch b/queue-4.9/android-binder-fix-proc-tsk-check.patch
new file mode 100644
index 00000000000..08411c8bc45
--- /dev/null
+++ b/queue-4.9/android-binder-fix-proc-tsk-check.patch
@@ -0,0 +1,32 @@
+From b2a6d1b999a4c13e5997bb864694e77172d45250 Mon Sep 17 00:00:00 2001
+From: Martijn Coenen
+Date: Fri, 28 Jul 2017 13:56:08 +0200
+Subject: ANDROID: binder: fix proc->tsk check.
+
+From: Martijn Coenen
+
+commit b2a6d1b999a4c13e5997bb864694e77172d45250 upstream.
+
+Commit c4ea41ba195d ("binder: use group leader instead of open thread")'
+was incomplete and didn't update a check in binder_mmap(), causing all
+mmap() calls into the binder driver to fail.
+
+Signed-off-by: Martijn Coenen
+Tested-by: John Stultz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/android/binder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2875,7 +2875,7 @@ static int binder_mmap(struct file *filp
+ const char *failure_string;
+ struct binder_buffer *buffer;
+
+- if (proc->tsk != current)
++ if (proc->tsk != current->group_leader)
+ return -EINVAL;
+
+ if ((vma->vm_end - vma->vm_start) > SZ_4M)
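Review bot: The `proc->tsk != current->group_leader` test in binder_mmap() carries no comment saying that it is what limits mapping to the thread group that opened the device, and a caller that fails it gets a bare -EINVAL. I would put `/* only the thread group that opened this fd may map its buffer */` above the test. The revert queued in this same commit takes the `current->mm` comparison out of binder_ioctl(), so on the lines shown here this is the only remaining comparison of the caller against the opener, which makes the intent worth recording. binder_mmap() begins and ends outside the hunk.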
diff --git a/queue-4.9/binder-use-group-leader-instead-of-open-thread.patch b/queue-4.9/binder-use-group-leader-instead-of-open-thread.patch
new file mode 100644
index 00000000000..074126f5efe
--- /dev/null
+++ b/queue-4.9/binder-use-group-leader-instead-of-open-thread.patch
@@ -0,0 +1,35 @@
+From c4ea41ba195d01c9af66fb28711a16cc97caa9c5 Mon Sep 17 00:00:00 2001
+From: Todd Kjos
+Date: Thu, 29 Jun 2017 12:01:36 -0700
+Subject: binder: use group leader instead of open thread
+
+From: Todd Kjos
+
+commit c4ea41ba195d01c9af66fb28711a16cc97caa9c5 upstream.
+
+The binder allocator assumes that the thread that
+called binder_open will never die for the lifetime of
+that proc. That thread is normally the group_leader,
+however it may not be. Use the group_leader instead
+of current.
+
+Signed-off-by: Todd Kjos
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/android/binder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2972,8 +2972,8 @@ static int binder_open(struct inode *nod
+ proc = kzalloc(sizeof(*proc), GFP_KERNEL);
+ if (proc == NULL)
+ return -ENOMEM;
+- get_task_struct(current);
+- proc->tsk = current;
++ get_task_struct(current->group_leader);
++ proc->tsk = current->group_leader;
+ INIT_LIST_HEAD(&proc->todo);
+ init_waitqueue_head(&proc->wait);
+ proc->default_priority = task_nice(current);
diff --git a/queue-4.9/binder-use-wake-up-hint-for-synchronous-transactions.patch b/queue-4.9/binder-use-wake-up-hint-for-synchronous-transactions.patch
new file mode 100644
index 00000000000..2b3b089e735
--- /dev/null
+++ b/queue-4.9/binder-use-wake-up-hint-for-synchronous-transactions.patch
@@ -0,0 +1,38 @@
+From 00b40d613352c623aaae88a44e5ded7c912909d7 Mon Sep 17 00:00:00 2001
+From: Riley Andrews
+Date: Thu, 29 Jun 2017 12:01:37 -0700
+Subject: binder: Use wake up hint for synchronous transactions.
+
+From: Riley Andrews
+
+commit 00b40d613352c623aaae88a44e5ded7c912909d7 upstream.
+
+Use wake_up_interruptible_sync() to hint to the scheduler binder
+transactions are synchronous wakeups. Disable preemption while waking
+to avoid ping-ponging on the binder lock.
+
+Signed-off-by: Todd Kjos
+Signed-off-by: Omprakash Dhyade
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/android/binder.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -1724,8 +1724,12 @@ static void binder_transaction(struct bi
+ list_add_tail(&t->work.entry, target_list);
+ tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
+ list_add_tail(&tcomplete->entry, &thread->todo);
+- if (target_wait)
+- wake_up_interruptible(target_wait);
++ if (target_wait) {
++ if (reply || !(t->flags & TF_ONE_WAY))
++ wake_up_interruptible_sync(target_wait);
++ else
++ wake_up_interruptible(target_wait);
++ }
+ return;
+
+ err_get_unused_fd_failed:
diff --git a/queue-4.9/clarify-and-fix-max_lfs_filesize-macros.patch b/queue-4.9/clarify-and-fix-max_lfs_filesize-macros.patch
new file mode 100644
index 00000000000..524c47146c0
--- /dev/null
+++ b/queue-4.9/clarify-and-fix-max_lfs_filesize-macros.patch
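Review bot: The description of binder-use-wake-up-hint-for-synchronous-transactions.patch says preemption is disabled while waking, but the binder_transaction() hunk contains no preemption call; the new lines only pick `wake_up_interruptible_sync()` or `wake_up_interruptible()`. The condition `reply || !(t->flags & TF_ONE_WAY)` also has no comment, so I would add `/* reply or two-way call: tell the scheduler this is a synchronous wakeup */` above it and confirm whether the preemption part was dropped on purpose. binder_transaction() starts before the hunk and its error labels continue after it.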
@@ -0,0 +1,81 @@
+From 0cc3b0ec23ce4c69e1e890ed2b8d2fa932b14aad Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Sun, 27 Aug 2017 12:12:25 -0700
+Subject: Clarify (and fix) MAX_LFS_FILESIZE macros
+
+From: Linus Torvalds
+
+commit 0cc3b0ec23ce4c69e1e890ed2b8d2fa932b14aad upstream.
+
+We have a MAX_LFS_FILESIZE macro that is meant to be filled in by
+filesystems (and other IO targets) that know they are 64-bit clean and
+don't have any 32-bit limits in their IO path.
+
+It turns out that our 32-bit value for that limit was bogus. On 32-bit,
+the VM layer is limited by the page cache to only 32-bit index values,
+but our logic for that was confusing and actually wrong. We used to
+define that value to
+
+ (((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1)
+
+which is actually odd in several ways: it limits the index to 31 bits,
+and then it limits files so that they can't have data in that last byte
+of a page that has the highest 31-bit index (ie page index 0x7fffffff).
+
+Neither of those limitations make sense. The index is actually the full
+32 bit unsigned value, and we can use that whole full page. So the
+maximum size of the file would logically be "PAGE_SIZE << BITS_PER_LONG".
+
+However, we do wan tto avoid the maximum index, because we have code
+that iterates over the page indexes, and we don't want that code to
+overflow. So the maximum size of a file on a 32-bit host should
+actually be one page less than the full 32-bit index.
+
+So the actual limit is ULONG_MAX << PAGE_SHIFT. That means that we will
+not actually be using the page of that last index (ULONG_MAX), but we
+can grow a file up to that limit.
+
+The wrong value of MAX_LFS_FILESIZE actually caused problems for Doug
+Nazar, who was still using a 32-bit host, but with a 9.7TB 2 x RAID5
+volume. It turns out that our old MAX_LFS_FILESIZE was 8TiB (well, one
+byte less), but the actual true VM limit is one page less than 16TiB.
+
+This was invisible until commit c2a9737f45e2 ("vfs,mm: fix a dead loop
+in truncate_inode_pages_range()"), which started applying that
+MAX_LFS_FILESIZE limit to block devices too.
+
+NOTE! On 64-bit, the page index isn't a limiter at all, and the limit is
+actually just the offset type itself (loff_t), which is signed. But for
+clarity, on 64-bit, just use the maximum signed value, and don't make
+people have to count the number of 'f' characters in the hex constant.
+
+So just use LLONG_MAX for the 64-bit case. That was what the value had
+been before too, just written out as a hex constant.
+
+Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
+Reported-and-tested-by: Doug Nazar
+Cc: Andreas Dilger
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Dave Kleikamp
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/fs.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -941,9 +941,9 @@ static inline struct file *get_file(stru
+ /* Page cache limit. The filesystems should put that into their s_maxbytes
+ limits, otherwise bad things can happen in VM. */
+ #if BITS_PER_LONG==32
+-#define MAX_LFS_FILESIZE (((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1)
++#define MAX_LFS_FILESIZE ((loff_t)ULONG_MAX << PAGE_SHIFT)
+ #elif BITS_PER_LONG==64
+-#define MAX_LFS_FILESIZE ((loff_t)0x7fffffffffffffffLL)
++#define MAX_LFS_FILESIZE ((loff_t)LLONG_MAX)
+ #endif
+
+ #define FL_POSIX 1
diff --git a/queue-4.9/iio-hid-sensor-trigger-fix-the-race-with-user-space-powering-up-sensors.patch b/queue-4.9/iio-hid-sensor-trigger-fix-the-race-with-user-space-powering-up-sensors.patch
new file mode 100644
index 00000000000..35dd1ae6acc
--- /dev/null
+++ b/queue-4.9/iio-hid-sensor-trigger-fix-the-race-with-user-space-powering-up-sensors.patch
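Review bot: In the include/linux/fs.h hunk of clarify-and-fix-max_lfs_filesize-macros.patch, the comment above the macros still says only that this is the page cache limit; the reason the 32-bit value stops one page short of the full index range is recorded only in the commit message. I would extend the comment with `/* 32-bit: page index ULONG_MAX is left unused so loops over page indexes cannot overflow */`. The `(loff_t)` cast has to stay ahead of the shift, since it is what makes `ULONG_MAX << PAGE_SHIFT` be carried out in loff_t rather than in a 32-bit unsigned long.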
@@ -0,0 +1,82 @@
+From f1664eaacec31035450132c46ed2915fd2b2049a Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada
+Date: Sat, 12 Aug 2017 09:09:21 -0700
+Subject: iio: hid-sensor-trigger: Fix the race with user space powering up sensors
+
+From: Srinivas Pandruvada
+
+commit f1664eaacec31035450132c46ed2915fd2b2049a upstream.
+
+It has been reported for a while that with iio-sensor-proxy service the
+rotation only works after one suspend/resume cycle. This required a wait
+in the systemd unit file to avoid race. I found a Yoga 900 where I could
+reproduce this.
+
+The problem scenerio is:
+- During sensor driver init, enable run time PM and also set a
+ auto-suspend for 3 seconds.
+ This result in one runtime resume. But there is a check to avoid
+a powerup in this sequence, but rpm is active
+- User space iio-sensor-proxy tries to power up the sensor. Since rpm is
+ active it will simply return. But sensors were not actually
+powered up in the prior sequence, so actaully the sensors will not work
+- After 3 seconds the auto suspend kicks
+
+If we add a wait in systemd service file to fire iio-sensor-proxy after
+3 seconds, then now everything will work as the runtime resume will
+actually powerup the sensor as this is a user request.
+
+To avoid this:
+- Remove the check to match user requested state, this will cause a
+ brief powerup, but if the iio-sensor-proxy starts immediately it will
+still work as the sensors are ON.
+- Also move the autosuspend delay to place when user requested turn off
+ of sensors, like after user finished raw read or buffer disable
+
+Signed-off-by: Srinivas Pandruvada
+Tested-by: Bastien Nocera
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
++++ b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
+@@ -36,8 +36,6 @@ static int _hid_sensor_power_state(struc
+ s32 poll_value = 0;
+
+ if (state) {
+- if (!atomic_read(&st->user_requested_state))
+- return 0;
+ if (sensor_hub_device_open(st->hsdev))
+ return -EIO;
+
+@@ -86,6 +84,9 @@ static int _hid_sensor_power_state(struc
+ &report_val);
+ }
+
++ pr_debug("HID_SENSOR %s set power_state %d report_state %d\n",
++ st->pdev->name, state_val, report_val);
++
+ sensor_hub_get_feature(st->hsdev, st->power_state.report_id,
+ st->power_state.index,
+ sizeof(state_val), &state_val);
+@@ -107,6 +108,7 @@ int hid_sensor_power_state(struct hid_se
+ ret = pm_runtime_get_sync(&st->pdev->dev);
+ else {
+ pm_runtime_mark_last_busy(&st->pdev->dev);
++ pm_runtime_use_autosuspend(&st->pdev->dev);
+ ret = pm_runtime_put_autosuspend(&st->pdev->dev);
+ }
+ if (ret < 0) {
+@@ -201,8 +203,6 @@ int hid_sensor_setup_trigger(struct iio_
+ /* Default to 3 seconds, but can be changed from sysfs */
+ pm_runtime_set_autosuspend_delay(&attrb->pdev->dev,
+ 3000);
+- pm_runtime_use_autosuspend(&attrb->pdev->dev);
+-
+ return ret;
+ error_unreg_trigger:
+ iio_trigger_unregister(trig);
diff --git a/queue-4.9/iio-imu-adis16480-fix-acceleration-scale-factor-for-adis16480.patch b/queue-4.9/iio-imu-adis16480-fix-acceleration-scale-factor-for-adis16480.patch
new file mode 100644
index 00000000000..bd8d28e001a
--- /dev/null
+++ b/queue-4.9/iio-imu-adis16480-fix-acceleration-scale-factor-for-adis16480.patch
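Review bot: In _hid_sensor_power_state() (hid-sensor-trigger.c, second inner hunk) the added pr_debug() prints `state_val` and `report_val` just before the `sensor_hub_get_feature()` call that is handed `&state_val`, so it appears to record what was requested rather than what the hub reports back. If the message is meant to help with the power-up race described in the commit text, logging after that call would show more. Whether `report_val` is assigned on every path that reaches the pr_debug() cannot be seen from the hunk and should be confirmed, since it is formatted with `%d`. The function starts before and ends after the lines shown.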
@@ -0,0 +1,32 @@
+From fdd0d32eb95f135041236a6885d9006315aa9a1d Mon Sep 17 00:00:00 2001
+From: Dragos Bogdan
+Date: Fri, 4 Aug 2017 01:37:27 +0300
+Subject: iio: imu: adis16480: Fix acceleration scale factor for adis16480
+
+From: Dragos Bogdan
+
+commit fdd0d32eb95f135041236a6885d9006315aa9a1d upstream.
+
+According to the datasheet, the range of the acceleration is [-10 g, + 10 g],
+so the scale factor should be 10 instead of 5.
+
+Signed-off-by: Dragos Bogdan
+Acked-by: Lars-Peter Clausen
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/imu/adis16480.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/adis16480.c
++++ b/drivers/iio/imu/adis16480.c
+@@ -696,7 +696,7 @@ static const struct adis16480_chip_info
+ .gyro_max_val = IIO_RAD_TO_DEGREE(22500),
+ .gyro_max_scale = 450,
+ .accel_max_val = IIO_M_S_2_TO_G(12500),
+- .accel_max_scale = 5,
++ .accel_max_scale = 10,
+ },
+ [ADIS16485] = {
+ .channels = adis16485_channels,
diff --git a/queue-4.9/revert-android-binder-sanity-check-at-binder-ioctl.patch b/queue-4.9/revert-android-binder-sanity-check-at-binder-ioctl.patch
new file mode 100644
index 00000000000..f1984720aef
--- /dev/null
+++ b/queue-4.9/revert-android-binder-sanity-check-at-binder-ioctl.patch
@@ -0,0 +1,49 @@
+From a2b18708ee14baec4ef9c0fba96070bba14d0081 Mon Sep 17 00:00:00 2001
+From: Todd Kjos
+Date: Wed, 5 Jul 2017 13:46:01 -0700
+Subject: Revert "android: binder: Sanity check at binder ioctl"
+
+From: Todd Kjos
+
+commit a2b18708ee14baec4ef9c0fba96070bba14d0081 upstream.
+
+This reverts commit a906d6931f3ccaf7de805643190765ddd7378e27.
+
+The patch introduced a race in the binder driver. An attempt to fix the
+race was submitted in "[PATCH v2] android: binder: fix dangling pointer
+comparison", however the conclusion in the discussion for that patch
+was that the original patch should be reverted.
+
+The reversion is being done as part of the fine-grained locking
+patchset since the patch would need to be refactored when
+proc->vmm_vm_mm is removed from struct binder_proc and added
+in the binder allocator.
+
+Signed-off-by: Todd Kjos
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/android/binder.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2760,10 +2760,6 @@ static long binder_ioctl(struct file *fi
+ /*pr_info("binder_ioctl: %d:%d %x %lx\n",
+ proc->pid, current->pid, cmd, arg);*/
+
+- if (unlikely(current->mm != proc->vma_vm_mm)) {
+- pr_err("current mm mismatch proc mm\n");
+- return -EINVAL;
+- }
+ trace_binder_ioctl(cmd, arg);
+
+ ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
+@@ -2978,7 +2974,6 @@ static int binder_open(struct inode *nod
+ return -ENOMEM;
+ get_task_struct(current);
+ proc->tsk = current;
+- proc->vma_vm_mm = current->mm;
+ INIT_LIST_HEAD(&proc->todo);
+ init_waitqueue_head(&proc->wait);
+ proc->default_priority = task_nice(current);
diff --git a/queue-4.9/series b/queue-4.9/series
index 90a2b969ad1..0276aa31779 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -64,3 +64,11 @@ netfilter-nat-fix-src-map-lookup.patch
 bluetooth-hidp-fix-possible-might-sleep-error-in-hidp_session_thread.patch
 bluetooth-cmtp-fix-possible-might-sleep-error-in-cmtp_session.patch
 bluetooth-bnep-fix-possible-might-sleep-error-in-bnep_session.patch
+revert-android-binder-sanity-check-at-binder-ioctl.patch
+binder-use-group-leader-instead-of-open-thread.patch
+binder-use-wake-up-hint-for-synchronous-transactions.patch
+android-binder-fix-proc-tsk-check.patch
+iio-imu-adis16480-fix-acceleration-scale-factor-for-adis16480.patch
+iio-hid-sensor-trigger-fix-the-race-with-user-space-powering-up-sensors.patch
+staging-rtl8188eu-add-rnx-n150nub-support.patch
+clarify-and-fix-max_lfs_filesize-macros.patch
diff --git a/queue-4.9/staging-rtl8188eu-add-rnx-n150nub-support.patch b/queue-4.9/staging-rtl8188eu-add-rnx-n150nub-support.patch
new file mode 100644
index 00000000000..0d16bf8915f
--- /dev/null
+++ b/queue-4.9/staging-rtl8188eu-add-rnx-n150nub-support.patch
@@ -0,0 +1,29 @@
+From f299aec6ebd747298e35934cff7709c6b119ca52 Mon Sep 17 00:00:00 2001
+From: Charles Milette
+Date: Fri, 18 Aug 2017 16:30:34 -0400
+Subject: staging: rtl8188eu: add RNX-N150NUB support
+
+From: Charles Milette
+
+commit f299aec6ebd747298e35934cff7709c6b119ca52 upstream.
+
+Add support for USB Device Rosewill RNX-N150NUB.
+VendorID: 0x0bda, ProductID: 0xffef
+
+Signed-off-by: Charles Milette
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -45,6 +45,7 @@ static struct usb_device_id rtw_usb_id_t
+ {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
+ {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
+ {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
++ {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
+ {} /* Terminating entry */
+ };
+