/* * Backlight control code for Sharp Zaurus SL-5500 * * Copyright 2005 John Lenz * Maintainer: Pavel Machek (unless John wants to :-) * GPL v2 * * This driver assumes single CPU. That's okay, because collie is * slightly old hardware, and no one is going to retrofit second CPU to * old PDA. */ /* LCD power functions */ #include #include #include #include #include #include #include #include #include #include #include #include "../../../arch/arm/mach-sa1100/generic.h" static struct backlight_device *locomolcd_bl_device; static struct locomo_dev *locomolcd_dev; static unsigned long locomolcd_flags; #define LOCOMOLCD_SUSPENDED 0x01 static void locomolcd_on(int comadj) { locomo_gpio_set_dir(locomolcd_dev->dev.parent, LOCOMO_GPIO_LCD_VSHA_ON, 0); locomo_gpio_write(locomolcd_dev->dev.parent, LOCOMO_GPIO_LCD_VSHA_ON, 1); mdelay(2); locomo_gpio_set_dir(locomolcd_dev->dev.parent, LOCOMO_GPIO_LCD_VSHD_ON, 0); locomo_gpio_write(locomolcd_dev->dev.parent, LOCOMO_GPIO_LCD_VSHD_ON, 1); mdelay(2); locomo_m62332_senddata(locomolcd_dev, comadj, 0); mdelay(5); locomo_gpio_set_dir(locomolcd_dev->dev.parent, LOCOMO_GPIO_LCD_VEE_ON, 0); locomo_gpio_write(locomolcd_dev->dev.parent, LOCOMO_GPIO_LCD_VEE_ON, 1); mdelay(10); /* TFTCRST | CPSOUT=0 | CPSEN */ locomo_writel(0x01, locomolcd_dev->mapbase + LOCOMO_TC); /* Set CPSD */ locomo_writel(6, locomolcd_dev->mapbase + LOCOMO_CPSD); /* TFTCRST | CPSOUT=0 | CPSEN */ locomo_writel((0x04 | 0x01), locomolcd_dev->mapbase + LOCOMO_TC); mdelay(10); locomo_gpio_set_dir(locomolcd_dev->dev.parent, LOCOMO_GPIO_LCD_MOD, 0); locomo_gpio_write(locomolcd_dev->dev.parent, LOCOMO_GPIO_LCD_MOD, 1); } static void locomolcd_off(int comadj) { /* TFTCRST=1 | CPSOUT=1 | CPSEN = 0 */ locomo_writel(0x06, locomolcd_dev->mapbase + LOCOMO_TC); mdelay(1); locomo_gpio_write(locomolcd_dev->dev.parent, LOCOMO_GPIO_LCD_VSHA_ON, 0); mdelay(110); locomo_gpio_write(locomolcd_dev->dev.parent, LOCOMO_GPIO_LCD_VEE_ON, 0); mdelay(700); /* TFTCRST=0 | CPSOUT=0 | CPSEN = 0 */ locomo_writel(0, locomolcd_dev->mapbase + LOCOMO_TC); locomo_gpio_write(locomolcd_dev->dev.parent, LOCOMO_GPIO_LCD_MOD, 0); locomo_gpio_write(locomolcd_dev->dev.parent, LOCOMO_GPIO_LCD_VSHD_ON, 0); } void locomolcd_power(int on) { int comadj = sharpsl_param.comadj; unsigned long flags; local_irq_save(flags); if (!locomolcd_dev) { local_irq_restore(flags); return; } /* read comadj */ if (comadj == -1 && machine_is_collie()) comadj = 128; if (comadj == -1 && machine_is_poodle()) comadj = 118; if (on) locomolcd_on(comadj); else locomolcd_off(comadj); local_irq_restore(flags); } EXPORT_SYMBOL(locomolcd_power); static int current_intensity; static int locomolcd_set_intensity(struct backlight_device *bd) { int intensity = bd->props.brightness; if (bd->props.power != FB_BLANK_UNBLANK) intensity = 0; if (bd->props.fb_blank != FB_BLANK_UNBLANK) intensity = 0; if (locomolcd_flags & LOCOMOLCD_SUSPENDED) intensity = 0; switch (intensity) { /* * AC and non-AC are handled differently, * but produce same results in sharp code? */ case 0: locomo_frontlight_set(locomolcd_dev, 0, 0, 161); break; case 1: locomo_frontlight_set(locomolcd_dev, 117, 0, 161); break; case 2: locomo_frontlight_set(locomolcd_dev, 163, 0, 148); break; case 3: locomo_frontlight_set(locomolcd_dev, 194, 0, 161); break; case 4: locomo_frontlight_set(locomolcd_dev, 194, 1, 161); break; default: return -ENODEV; } current_intensity = intensity; return 0; } static int locomolcd_get_intensity(struct backlight_device *bd) { return current_intensity; } static const struct backlight_ops locomobl_data = { .get_brightness = locomolcd_get_intensity, .update_status = locomolcd_set_intensity, }; #ifdef CONFIG_PM_SLEEP static int locomolcd_suspend(struct device *dev) { locomolcd_flags |= LOCOMOLCD_SUSPENDED; locomolcd_set_intensity(locomolcd_bl_device); return 0; } static int locomolcd_resume(struct device *dev) { locomolcd_flags &= ~LOCOMOLCD_SUSPENDED; locomolcd_set_intensity(locomolcd_bl_device); return 0; } #endif static SIMPLE_DEV_PM_OPS(locomolcd_pm_ops, locomolcd_suspend, locomolcd_resume); static int locomolcd_probe(struct locomo_dev *ldev) { struct backlight_properties props; unsigned long flags; local_irq_save(flags); locomolcd_dev = ldev; locomo_gpio_set_dir(ldev->dev.parent, LOCOMO_GPIO_FL_VR, 0); /* * the poodle_lcd_power function is called for the first time * from fs_initcall, which is before locomo is activated. * We need to recall poodle_lcd_power here */ if (machine_is_poodle()) locomolcd_power(1); local_irq_restore(flags); memset(&props, 0, sizeof(struct backlight_properties)); props.type = BACKLIGHT_RAW; props.max_brightness = 4; locomolcd_bl_device = backlight_device_register("locomo-bl", &ldev->dev, NULL, &locomobl_data, &props); if (IS_ERR(locomolcd_bl_device)) return PTR_ERR(locomolcd_bl_device); /* Set up frontlight so that screen is readable */ locomolcd_bl_device->props.brightness = 2; locomolcd_set_intensity(locomolcd_bl_device); return 0; } static int locomolcd_remove(struct locomo_dev *dev) { unsigned long flags; locomolcd_bl_device->props.brightness = 0; locomolcd_bl_device->props.power = 0; locomolcd_set_intensity(locomolcd_bl_device); backlight_device_unregister(locomolcd_bl_device); local_irq_save(flags); locomolcd_dev = NULL; local_irq_restore(flags); return 0; } static struct locomo_driver poodle_lcd_driver = { .drv = { .name = "locomo-backlight", .pm = &locomolcd_pm_ops, }, .devid = LOCOMO_DEVID_BACKLIGHT, .probe = locomolcd_probe, .remove = locomolcd_remove, }; static int __init locomolcd_init(void) { return locomo_driver_register(&poodle_lcd_driver); } static void __exit locomolcd_exit(void) { locomo_driver_unregister(&poodle_lcd_driver); } module_init(locomolcd_init); module_exit(locomolcd_exit); MODULE_AUTHOR("John Lenz , Pavel Machek "); MODULE_DESCRIPTION("Collie LCD driver"); MODULE_LICENSE("GPL"); se they will be freed and new ones will be allocated in i2c_hid_start(), at point which the device's report size is known. But at this point ihid->irq is already running, and may call i2c_hid_get_input() which passes ihid->inbuf to i2c_master_recv(). Since this handler runs in a separate thread, ihid->inbuf may be freed at this very moment, and i2c_master_recv() will write on memory which may be already owned by a different part of the kernel, corrupting its data. This problem has been observed on an Asus UX360UA laptop which has an I2C touchpad, and results in a complete system freeze or an unusable slowness with a lof of "BUG: unable to handle kernel paging request at <address>" warnings. Enabling SLUB debugging shows a use-after-free warning on memory allocated in i2c_hid_alloc_buffers() and freed in i2c_hid_free_buffers(): ============================================================================= BUG kmalloc-64 (Not tainted): Poison overwritten ----------------------------------------------------------------------------- Disabling lock debugging due to kernel taint INFO: 0xffff880264083273-0xffff88026408329e. first byte 0x0 instead of 0x6b INFO: Allocated in i2c_hid_alloc_buffers+0x25/0xa0 [i2c_hid] age=35793 cpu=2 pid=430 ___slab_alloc+0x41e/0x460 __slab_alloc+0x20/0x40 __kmalloc+0x210/0x280 i2c_hid_alloc_buffers+0x25/0xa0 [i2c_hid] i2c_hid_probe+0x12f/0x5e0 [i2c_hid] i2c_device_probe+0x10a/0x1b0 driver_probe_device+0x220/0x4a0 __device_attach_driver+0x71/0xa0 bus_for_each_drv+0x67/0xb0 __device_attach+0xdc/0x170 device_initial_probe+0x13/0x20 bus_probe_device+0x92/0xa0 device_add+0x4aa/0x670 device_register+0x1a/0x20 i2c_new_device+0x18e/0x230 acpi_i2c_add_device+0x1a0/0x210 INFO: Freed in i2c_hid_free_buffers+0x16/0x60 [i2c_hid] age=7552 cpu=1 pid=1473 __slab_free+0x221/0x330 kfree+0x139/0x160 i2c_hid_free_buffers+0x16/0x60 [i2c_hid] i2c_hid_start+0x2a9/0x2df [i2c_hid] mt_probe+0x160/0x22e [hid_multitouch] hid_device_probe+0xd7/0x150 [hid] driver_probe_device+0x220/0x4a0 __driver_attach+0x84/0x90 bus_for_each_dev+0x6c/0xc0 driver_attach+0x1e/0x20 bus_add_driver+0x1c3/0x280 driver_register+0x60/0xe0 __hid_register_driver+0x53/0x90 [hid] 0xffffffffc004f01e do_one_initcall+0xb3/0x1f0 do_init_module+0x5f/0x1d0 INFO: Slab 0xffffea0009902080 objects=20 used=20 fp=0x (null) flags=0x17fff8000004080 INFO: Object 0xffff880264083260 @offset=4704 fp=0x (null) Bytes b4 ffff880264083250: 8d e6 fe ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ Object ffff880264083260: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object ffff880264083270: 6b 6b 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 kkk............. Object ffff880264083280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff880264083290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Redzone ffff8802640832a0: bb bb bb bb bb bb bb bb ........ Padding ffff8802640833e0: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ CPU: 1 PID: 1503 Comm: python3 Tainted: G B 4.4.21+ #10 Hardware name: ASUSTeK COMPUTER INC. UX360UA/UX360UA, BIOS UX360UA.200 05/05/2016 0000000000000086 00000000622d48a2 ffff88026061ba38 ffffffff813f6044 ffff880264082010 ffff880264083260 ffff88026061ba78 ffffffff811e8eab 0000000000000008 ffff880200000001 ffff88026408329f ffff88026a007700 Call Trace: [<ffffffff813f6044>] dump_stack+0x63/0x8f [<ffffffff811e8eab>] print_trailer+0x14b/0x1f0 [<ffffffff811e94c1>] check_bytes_and_report+0xc1/0x100 [<ffffffff811e96c4>] check_object+0x1c4/0x240 [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120 [<ffffffff811e9b44>] alloc_debug_processing+0x104/0x180 [<ffffffff811eb7be>] ___slab_alloc+0x41e/0x460 [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120 [<ffffffff8124590b>] ? __getblk_gfp+0x2b/0x60 [<ffffffff8129b969>] ? ext4_getblk+0xa9/0x190 [<ffffffff811eb820>] __slab_alloc+0x20/0x40 [<ffffffff811ed320>] __kmalloc+0x210/0x280 [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120 [<ffffffff812c1602>] ? ext4fs_dirhash+0xc2/0x2a0 [<ffffffff81293fde>] ext4_htree_store_dirent+0x3e/0x120 [<ffffffff812a4f47>] htree_dirblock_to_tree+0x187/0x1b0 [<ffffffff812a5fd2>] ext4_htree_fill_tree+0xb2/0x2e0 [<ffffffff811ebb7a>] ? kmem_cache_alloc_trace+0x1fa/0x220 [<ffffffff81293e45>] ? ext4_readdir+0x775/0x8b0 [<ffffffff81293cb1>] ext4_readdir+0x5e1/0x8b0 [<ffffffff81221c82>] iterate_dir+0x92/0x120 [<ffffffff81222118>] SyS_getdents+0x98/0x110 [<ffffffff81221d10>] ? iterate_dir+0x120/0x120 [<ffffffff818157f2>] entry_SYSCALL_64_fastpath+0x16/0x71 FIX kmalloc-64: Restoring 0xffff880264083273-0xffff88026408329e=0x6b FIX kmalloc-64: Marking all objects used Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'include/trace/events/swiotlb.h')