Age | Commit message (Collapse) | Author |
|
Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
txn") introduced changes to how binder objects are copied. In doing so,
it unintentionally removed an offset alignment check done through calls
to binder_alloc_copy_from_buffer() -> check_buffer().
These calls were replaced in binder_get_object() with copy_from_user(),
so now an explicit offset alignment check is needed here. This avoids
later complications when unwinding the objects gets harder.
It is worth noting this check existed prior to commit 7a67a39320df
("binder: add function to copy binder object from buffer"), likely
removed due to redundancy at the time.
Fixes: 6d98eb95b450 ("binder: avoid potential data leakage when copying txn")
Cc: <stable@vger.kernel.org>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 320661088
Link: https://lore.kernel.org/all/20240330190115.1877819-1-cmllamas@google.com/
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: Iaddabaa28de7ba7b7d35dbb639d38ca79dbc5077
(cherry picked from commit 0c9784b747c6a960e5b922e9ccff382db1b73ce4)
Signed-off-by: Lee Jones <joneslee@google.com>
|
|
Cherry-picked to this branch to avoid build-break when enabling build
of open-dice.ko in common-modules/virtual-device. There's no need to
respin.
Original commit message:
Update generated with:
tools/bazel run //common-modules/virtual-device:virtual_device_aarch64_abi_update_symbol_list
Bug: 324290965
Test: tools/bazel run //common-modules/virtual-device:virtual_device_aarch64_dist
Change-Id: Ib306c15d4acf9bd1e38499ab666fbf37eca44c5a
Signed-off-by: Istvan Nador <istvannador@google.com>
(cherry picked from commit 14e89262f0c2e8d076bb5df46f5c0a7801eb9f3c)
|
|
Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage()
with detailed analysis and a nice repro.
unix_stream_sendpage() tries to add data to the last skb in the peer's
recv queue without locking the queue.
If the peer's FD is passed to another socket and the socket's FD is
passed to the peer, there is a loop between them. If we close both
sockets without receiving FD, the sockets will be cleaned up by garbage
collection.
The garbage collection iterates such sockets and unlinks skb with
FD from the socket's receive queue under the queue's lock.
So, there is a race where unix_stream_sendpage() could access an skb
locklessly that is being released by garbage collection, resulting in
use-after-free.
To avoid the issue, unix_stream_sendpage() must lock the peer's recv
queue.
Note the issue does not exist in 6.5+ thanks to the recent sendpage()
refactoring.
This patch is originally written by Linus Torvalds.
BUG: unable to handle page fault for address: ffff988004dd6870
PF: supervisor read access in kernel mode
PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
PREEMPT SMP PTI
CPU: 4 PID: 297 Comm: garbage_uaf Not tainted 6.1.46 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:kmem_cache_alloc_node+0xa2/0x1e0
Code: c0 0f 84 32 01 00 00 41 83 fd ff 74 10 48 8b 00 48 c1 e8 3a 41 39 c5 0f 85 1c 01 00 00 41 8b 44 24 28 49 8b 3c 24 48 8d 4a 40 <49> 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 74 a1 41 8b 44
RSP: 0018:ffffc9000079fac0 EFLAGS: 00000246
RAX: 0000000000000070 RBX: 0000000000000005 RCX: 000000000001a284
RDX: 000000000001a244 RSI: 0000000000400cc0 RDI: 000000000002eee0
RBP: 0000000000400cc0 R08: 0000000000400cc0 R09: 0000000000000003
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888003970f00
R13: 00000000ffffffff R14: ffff988004dd6800 R15: 00000000000000e8
FS: 00007f174d6f3600(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff988004dd6870 CR3: 00000000092be000 CR4: 00000000007506e0
PKRU: 55555554
Call Trace:
<TASK>
? __die_body.cold+0x1a/0x1f
? page_fault_oops+0xa9/0x1e0
? fixup_exception+0x1d/0x310
? exc_page_fault+0xa8/0x150
? asm_exc_page_fault+0x22/0x30
? kmem_cache_alloc_node+0xa2/0x1e0
? __alloc_skb+0x16c/0x1e0
__alloc_skb+0x16c/0x1e0
alloc_skb_with_frags+0x48/0x1e0
sock_alloc_send_pskb+0x234/0x270
unix_stream_sendmsg+0x1f5/0x690
sock_sendmsg+0x5d/0x60
____sys_sendmsg+0x210/0x260
___sys_sendmsg+0x83/0xd0
? kmem_cache_alloc+0xc6/0x1c0
? avc_disable+0x20/0x20
? percpu_counter_add_batch+0x53/0xc0
? alloc_empty_file+0x5d/0xb0
? alloc_file+0x91/0x170
? alloc_file_pseudo+0x94/0x100
? __fget_light+0x9f/0x120
__sys_sendmsg+0x54/0xa0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x69/0xd3
RIP: 0033:0x7f174d639a7d
Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 8a c1 f4 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 de c1 f4 ff 48
RSP: 002b:00007ffcb563ea50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f174d639a7d
RDX: 0000000000000000 RSI: 00007ffcb563eab0 RDI: 0000000000000007
RBP: 00007ffcb563eb10 R08: 0000000000000000 R09: 00000000ffffffff
R10: 00000000004040a0 R11: 0000000000000293 R12: 00007ffcb563ec28
R13: 0000000000401398 R14: 0000000000403e00 R15: 00007f174d72c000
</TASK>
Bug: 299922588
Bug: 299123598
Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support")
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Reviewed-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 790c2f9d15b594350ae9bca7b236f2b1859de02c)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ied4a40e6ae0e594ef84f36287bc6194602935585
|
|
Add the symbol __netif_rx which is needed by rmnet modules.
Symbols added:
__netif_rx
Bug: 308756580
Bug: 313538379
Change-Id: I26dfad610739a18764c9ac6dbd6edb798ba295b6
Signed-off-by: Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
(cherry picked from commit af888bd2a127e8074c41584e14e9cbf5e01676d2)
|
|
It turns out there are more subtle races beyond just the main part of
__iommu_probe_device() itself running in parallel - the dev_iommu_free()
on the way out of an unsuccessful probe can still manage to trip up
concurrent accesses to a device's fwspec. Thus, extend the scope of
iommu_probe_device_lock() to also serialise fwspec creation and initial
retrieval.
Reported-by: Zhenhua Huang <quic_zhenhuah@quicinc.com>
Link: https://lore.kernel.org/linux-iommu/e2e20e1c-6450-4ac5-9804-b0000acdf7de@quicinc.com/
Fixes: 01657bc14a39 ("iommu: Avoid races around device probe")
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Bug: 308940593
Bug: 313035219
Link: https://lore.kernel.org/all/16f433658661d7cadfea51e7c65da95826112a2b.1700071477.git.robin.murphy@arm.com/
Change-Id: I461df05b03644cb93bc93599cb9f5464bf893923
Signed-off-by: André Draszik <draszik@google.com>
(cherry picked from commit 95307ec5c864e39b7e1ad26eff3e98b06850b4d3)
|
|
When forking a child process, the parent write-protects anonymous pages
and COW-shares them with the child being forked using copy_present_pte().
We must not take any concurrent page faults on the source vma's as they
are being processed, as we expect both the vma and the pte's behind it
to be stable. For example, the anon_vma_fork() expects the parents
vma->anon_vma to not change during the vma copy.
A concurrent page fault on a page newly marked read-only by the page
copy might trigger wp_page_copy() and a anon_vma_prepare(vma) on the
source vma, defeating the anon_vma_clone() that wasn't done because the
parent vma originally didn't have an anon_vma, but we now might end up
copying a pte entry for a page that has one.
Before the per-vma lock based changes, the mmap_lock guaranteed
exclusion with concurrent page faults. But now we need to do a
vma_start_write() to make sure no concurrent faults happen on this vma
while it is being processed.
This fix can potentially regress some fork-heavy workloads. Kernel
build time did not show noticeable regression on a 56-core machine while
a stress test mapping 10000 VMAs and forking 5000 times in a tight loop
shows ~5% regression. If such fork time regression is unacceptable,
disabling CONFIG_PER_VMA_LOCK should restore its performance. Further
optimizations are possible if this regression proves to be problematic.
Bug: 310069501
Suggested-by: David Hildenbrand <david@redhat.com>
Reported-by: Jiri Slaby <jirislaby@kernel.org>
Closes: https://lore.kernel.org/all/dbdef34c-3a07-5951-e1ae-e9c6e3cdf51b@kernel.org/
Reported-by: Holger Hoffstätte <holger@applied-asynchrony.com>
Closes: https://lore.kernel.org/all/b198d649-f4bf-b971-31d0-e8433ec2a34c@applied-asynchrony.com/
Reported-by: Jacob Young <jacobly.alt@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217624
Fixes: 0bff0aaea03e ("x86/mm: try VMA lock-based page fault handling first")
Cc: stable@vger.kernel.org
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit fb49c455323ff8319a123dd312be9082c49a23a5)
Change-Id: Ic5aa9dc51a888b5b0319ec4ec6d2941424573ca0
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
(cherry picked from commit 0d9960403cb0fa936ab8dc34462ec446f3699c2e)
|
|
Allow UFSHCI 4.0 controllers to fully utilize MCQ queue slots.
Bug: 307782690
Bug: 308053086
Link: https://lore.kernel.org/all/20231101082402.20856-1-naomi.chu@mediatek.com/T/
Change-Id: Ib78db763ae5ff875c337774354de86e67f5017b8
Signed-off-by: Alice Chao <alice.chao@mediatek.com>
Signed-off-by: Naomi Chu <naomi.chu@mediatek.com>
Signed-off-by: Chun-Hung Wu <chun-hung.wu@mediatek.com>
|
|
The search and wrap around logic in the ufshcd_mcq_sqe_search() function
does not work correctly when the hwq's queue depth is not a power of two
number. Correct it so that any queue depth with a positive integer value
within the supported range would work.
Bug: 307782690
Bug: 308053135
Change-Id: I4350ac71da051db24923a587db435be2f7b7eebb
(cherry picked from commit d0c89af3130eb4ff962266bb7597690a696f1cbc)
Signed-off-by: "Bao D. Nguyen" <quic_nguyenb@quicinc.com>
Link: https://lore.kernel.org/r/ff49c15be205135ed3ec186f3086694c02867dbd.1692149603.git.quic_nguyenb@quicinc.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Fixes: 8d7290348992 ("scsi: ufs: mcq: Add supporting functions for MCQ abort")
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit 2799026a2823e505ff230756c87ede4e68f37de1)
|
|
When qdepth is not power of 2, not every bit of the mask is 1, so
in sq_tail_slot some bits will be cleared unexpectedly.
Bug: 307782690
Bug: 308053086
Change-Id: I7acb5f08f6af87cb5057464827658197047d8641
(cherry picked from commit e01d05bbf6348ccd9f5a057280310d78ea9e7b52)
Signed-off-by: zhanghui <zhanghui31@xiaomi.com>
Link: https://lore.kernel.org/r/20230601124613.1446-1-zhanghui31@xiaomi.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Stanley Chu <stanley.chu@mediatek.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit 7350783e675a1fde810d0d0f3ddd10700c549a83)
|
|
In case the uvc gadget is super speed plus, the corresponding config
descriptor wasn't initialized. As a result, the host will not recognize
the devices when using super speed plus connection.
This patch initializes them to super speed descriptors.
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Shuzhen Wang <shuzhenwang@google.com>
Link: https://lore.kernel.org/r/20231027183440.1994315-1-shuzhenwang@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 301887900
(cherry picked from commit c70793fb7632a153862ee9060e6d48131469a29c
https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
[arakesh: Resolved minor merge conflicts in f_uvc.c]
Signed-off-by: Avichal Rakesh <arakesh@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:d7da260d8bf5c7230ae25f4c6f25a4a69763d2c8)
Merged-In: I79c699bafaf959990da3a8101c8bfe0f8dabf72f
Change-Id: I79c699bafaf959990da3a8101c8bfe0f8dabf72f
|
|
operation
Take f_midi_bind() for example, when composite layer call it, it will
allocate hs descriptor by calling gadget_is_dualspeed() API to check
gadget max support speed capability, but most other gadget function didn't
do like this.
To follow other function drivers, it is safe to remove the check which
mean support all possible link speed by default in function driver.
Similar change apply to midi2 and uvc.
Also in midi and midi2, as there is no descriptor difference between
super speed and super speed plus, follow other gadget function drivers,
do not allocate descriptor for super speed plus, composite layer will
handle it properly.
Signed-off-by: Linyu Yuan <quic_linyyuan@quicinc.com>
Link: https://lore.kernel.org/r/20230803091053.9714-5-quic_linyyuan@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 301887900
(cherry picked from commit 46decc82ffd54212cc2c600031daec6e835a6503
https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
[arakesh: f_midi2.c doesn't exist, so dropped those changes]
Signed-off-by: Avichal Rakesh <arakesh@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:512022f6b60aa67c19b7feb85b83fb3acd370180)
Merged-In: I8b287266b3973c66e559bd3eea9adbe95e051be7
Change-Id: I8b287266b3973c66e559bd3eea9adbe95e051be7
|
|
when call uvc_function_bind(), gadget still have no connection speed,
just follow other gadget function, use fs endpoint descriptor to allocate
a video endpoint, remove gadget_is_{super|dual}speed() API call.
Signed-off-by: Linyu Yuan <quic_linyyuan@quicinc.com>
Link: https://lore.kernel.org/r/20230803091053.9714-4-quic_linyyuan@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 301887900
(cherry picked from commit 3c5b006f3ee800b4bd9ed37b3a8f271b8560126e
https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
Signed-off-by: Avichal Rakesh <arakesh@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:3cac7f2d44a2a2ec8547fa9a1b52ad52037253d2)
Merged-In: I076e51716e4bab7a70a43ad3e080b4c4e110c9db
Change-Id: I076e51716e4bab7a70a43ad3e080b4c4e110c9db
|
|
These declarations are not implemented anymore, remove them.
Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20230818124025.51576-1-yuehaibing@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 301887900
(cherry picked from commit ae257611573cde279d31be3961a59e255f567fb0
https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
Signed-off-by: Avichal Rakesh <arakesh@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:07bfaa43d9820d7b540515cf4c8903e5ff704715)
Merged-In: Ib1ac4d7ecada70d467cd9b2d688f13ba3797a05c
Change-Id: Ib1ac4d7ecada70d467cd9b2d688f13ba3797a05c
|
|
This patch elaborates on some of the edge cases handled by
video_pump around setting no_interrupt flag, and brings the
code style in line with rest of the file.
Link: https://lore.kernel.org/20230602151916.GH26944@pendragon.ideasonboard.com/
Signed-off-by: Avichal Rakesh <arakesh@google.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Message-ID: <20230602220455.313801-1-arakesh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 301887900
(cherry picked from commit 5ae8a35459e77fd9ddb1844baa8c736fc0223847
https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
Signed-off-by: Avichal Rakesh <arakesh@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:037b01415dd222126469317c9b453bb8b69e4190)
Merged-In: Ie5f28e8d8f55158e32e0ff03b79f0f18cce7d6af
Change-Id: Ie5f28e8d8f55158e32e0ff03b79f0f18cce7d6af
|
|
Users complained about OOM errors during fork without triggering
compaction. This can be fixed by modifying the flags used in
mas_expected_entries() so that the compaction will be triggered in low
memory situations. Since mas_expected_entries() is only used during
fork, the extra argument does not need to be passed through.
Additionally, the two test_maple_tree test cases and one benchmark test
were altered to use the correct locking type so that allocations would
not trigger sleeping and thus fail. Testing was completed with lockdep
atomic sleep detection.
The additional locking change requires rwsem support additions to the
tools/ directory through the use of pthreads pthread_rwlock_t. With
this change test_maple_tree works in userspace, as a module, and
in-kernel.
Users may notice that the system gave up early on attempting to start
new processes instead of attempting to reclaim memory.
Link: https://lore.kernel.org/linux-mm/20231012155233.2272446-1-Liam.Howlett@oracle.com/
Fixes: 54a611b60590 ("Maple Tree: add new data structure")
Cc: <stable@vger.kernel.org>
Cc: jason.sim@samsung.com
Cc: Peng Zhang <zhangpeng.00@bytedance.com>
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
(cherry picked from commit 099d7439ce03d0e7bc8f0c3d7878b562f3a48d3d
https: //git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-unstable)
Bug: 305860603
Bug: 307450282
Change-Id: I1ea250b37198fb3234136da4737b75c6ee3d9817
Signed-off-by: john.hsu <john.hsu@mediatek.com>
(cherry picked from commit 2dd1c535d11634999d74906ac08ea12b996ea7d6)
|
|
during bind operation"
This reverts commit 251aa28d1640b0ece15c4d4bd074d0449e858f90.
Reason for revert: b/301670242
The connect_lock mutex is not being released in error path. This patch was reverted upstream.
Signed-off-by: Neill Kapron <nkapron@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:b374d94195756312b78fccd8104bcd52cfa486c6)
Merged-In: I802a9a8afc9f23b1bf91fa4df4bfb5d207373b04
Change-Id: I802a9a8afc9f23b1bf91fa4df4bfb5d207373b04
|
|
use-after-free
[ Upstream commit 0323bce598eea038714f941ce2b22541c46d488f ]
In the event of a failure in tcf_change_indev(), fw_set_parms() will
immediately return an error after incrementing or decrementing
reference counter in tcf_bind_filter(). If attacker can control
reference counter to zero and make reference freed, leading to
use after free.
In order to prevent this, move the point of possible failure above the
point where the TC_FW_CLASSID is handled.
Bug: 292252062
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
Signed-off-by: M A Ramdhan <ramdhan@starlabs.sg>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c91fb29bb07ee4dd40aabd1e41f19c0f92ac3199)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I9bf6f540b4eb23ea5641fb3efe6f3e621d7b6151
|
|
zs_pool->lock was added upstream as a replacement for the size_class
locks.
The tooling over-cautiously reports this as a ABI breakage but both
of these structs (zs_pool and size_class) are internal to zsmalloc.c.
Update the ABI to allow these changes.
Bug: 297093100
Bug: 297936826
Change-Id: Ib9fc5a036f75d89fb6bee4c146034f6c81759e04
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
|
|
We encountered many kernel exceptions of VM_BUG_ON(zspage->isolated ==
0) in dec_zspage_isolation() and BUG_ON(!pages[1]) in zs_unmap_object()
lately. This issue only occurs when migration and reclamation occur at
the same time.
With our memory stress test, we can reproduce this issue several times
a day. We have no idea why no one else encountered this issue. BTW,
we switched to the new kernel version with this defect a few months
ago.
Since fullness and isolated share the same unsigned int, modifications of
them should be protected by the same lock.
[andrew.yang@mediatek.com: move comment]
Link: https://lkml.kernel.org/r/20230727062910.6337-1-andrew.yang@mediatek.com
Link: https://lkml.kernel.org/r/20230721063705.11455-1-andrew.yang@mediatek.com
Fixes: c4549b871102 ("zsmalloc: remove zspage isolation for migration")
Change-Id: I4aeda0715d65f828bb88ad6fbf36b9927c7a5c4b
Signed-off-by: Andrew Yang <andrew.yang@mediatek.com>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Cc: Matthias Brugger <matthias.bgg@gmail.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 4b5d1e47b69426c0f7491d97d73ad0152d02d437)
Bug: 297093100
Bug: 297936826
[ Kalesh Singh - Fix trivial conflicts in zs_page_putback()]
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
|
|
Currently, zsmalloc has a hierarchy of locks, which includes a pool-level
migrate_lock, and a lock for each size class. We have to obtain both
locks in the hotpath in most cases anyway, except for zs_malloc. This
exception will no longer exist when we introduce a LRU into the zs_pool
for the new writeback functionality - we will need to obtain a pool-level
lock to synchronize LRU handling even in zs_malloc.
In preparation for zsmalloc writeback, consolidate these locks into a
single pool-level lock, which drastically reduces the complexity of
synchronization in zsmalloc.
We have also benchmarked the lock consolidation to see the performance
effect of this change on zram.
First, we ran a synthetic FS workload on a server machine with 36 cores
(same machine for all runs), using
fs_mark -d ../zram1mnt -s 100000 -n 2500 -t 32 -k
before and after for btrfs and ext4 on zram (FS usage is 80%).
Here is the result (unit is file/second):
With lock consolidation (btrfs):
Average: 13520.2, Median: 13531.0, Stddev: 137.5961482019028
Without lock consolidation (btrfs):
Average: 13487.2, Median: 13575.0, Stddev: 309.08283679298665
With lock consolidation (ext4):
Average: 16824.4, Median: 16839.0, Stddev: 89.97388510006668
Without lock consolidation (ext4)
Average: 16958.0, Median: 16986.0, Stddev: 194.7370021336469
As you can see, we observe a 0.3% regression for btrfs, and a 0.9%
regression for ext4. This is a small, barely measurable difference in my
opinion.
For a more realistic scenario, we also tries building the kernel on zram.
Here is the time it takes (in seconds):
With lock consolidation (btrfs):
real
Average: 319.6, Median: 320.0, Stddev: 0.8944271909999159
user
Average: 6894.2, Median: 6895.0, Stddev: 25.528415540334656
sys
Average: 521.4, Median: 522.0, Stddev: 1.51657508881031
Without lock consolidation (btrfs):
real
Average: 319.8, Median: 320.0, Stddev: 0.8366600265340756
user
Average: 6896.6, Median: 6899.0, Stddev: 16.04057355583023
sys
Average: 520.6, Median: 521.0, Stddev: 1.140175425099138
With lock consolidation (ext4):
real
Average: 320.0, Median: 319.0, Stddev: 1.4142135623730951
user
Average: 6896.8, Median: 6878.0, Stddev: 28.621670111997307
sys
Average: 521.2, Median: 521.0, Stddev: 1.7888543819998317
Without lock consolidation (ext4)
real
Average: 319.6, Median: 319.0, Stddev: 0.8944271909999159
user
Average: 6886.2, Median: 6887.0, Stddev: 16.93221781102523
sys
Average: 520.4, Median: 520.0, Stddev: 1.140175425099138
The difference is entirely within the noise of a typical run on zram.
This hardly justifies the complexity of maintaining both the pool lock and
the class lock. In fact, for writeback, we would need to introduce yet
another lock to prevent data races on the pool's LRU, further complicating
the lock handling logic. IMHO, it is just better to collapse all of these
into a single pool-level lock.
Link: https://lkml.kernel.org/r/20221128191616.1261026-4-nphamcs@gmail.com
Change-Id: Ib0eb09d7a69190fc4ffea8f819423c7f66d83379
Signed-off-by: Nhat Pham <nphamcs@gmail.com>
Suggested-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Minchan Kim <minchan@kernel.org>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Dan Streetman <ddstreet@ieee.org>
Cc: Nitin Gupta <ngupta@vflare.org>
Cc: Seth Jennings <sjenning@redhat.com>
Cc: Vitaly Wool <vitaly.wool@konsulko.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit c0547d0b6a4b637db05406b90ba82e1b2e71de56)
Bug: 297093100
Bug: 297936826
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
|
|
periodic_count > 0
If initially isoc_count = 0, periodic_count > 0 and the io watchdog is
not started (e.g. just timed out), then the io watchdog may not run after
submitting isoc urbs and enable_periodic(). The isoc urbs may not complete
forever if the controller had already stopped periodic schedule.
This will try to call turn_on_io_watchdog() for each enable_periodic() to
ensure the io watchdog functions properly.
Bug: 295046582
Bug: 296794033
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20230809065327.952368-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c272dabf2d43c3523af1a40be3127e7a1f84540a
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-next)
Change-Id: I0f10ec8bcf0e14269b2a9693617dd83327c26a20
Signed-off-by: Jindong Yue <jindong.yue@nxp.com>
|
|
Some NXP processor using chipidea IP has a bug when frame babble is
detected.
As per 4.15.1.1.1 Serial Bus Babble:
A babble condition also exists if IN transaction is in progress at
High-speed SOF2 point. This is called frame babble. The host controller
must disable the port to which the frame babble is detected.
The USB controller has disabled the port (PE cleared) and has asserted
USBERRINT when frame babble is detected, but PEC is not asserted.
Therefore, the SW isn't aware that port has been disabled. Then the
SW keeps sending packets to this port, but all of the transfers will
fail.
This workaround will firstly assert PCD by SW when USBERRINT is detected
and then judge whether port change has really occurred or not by polling
roothub status. Because the PEC doesn't get asserted in our case, this
patch will also assert it by SW when specific conditions are satisfied.
Bug: 295046582
Bug: 296794033
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/20230809024432.535160-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit dda4b60ed70bd670eefda081f70c0cb20bbeb1fa
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-next)
[JD: replaced has_ci_pec_bug with existing has_fsl_port_bug to avoid abi breakage]
Change-Id: I7d36cf656efda2dd46c0ddcca252b3de6ea434ee
Signed-off-by: Jindong Yue <jindong.yue@nxp.com>
|
|
Smatch detected potential error pointer dereference.
drivers/gpu/drm/drm_syncobj.c:888 drm_syncobj_transfer_to_timeline()
error: 'fence' dereferencing possible ERR_PTR()
The error pointer comes from dma_fence_allocate_private_stub(). One
caller expected error pointers and one expected NULL pointers. Change
it to return NULL and update the caller which expected error pointers,
drm_syncobj_assign_null_handle(), to check for NULL instead.
Bug: 286438670
Bug: 296793123
Fixes: f781f661e8c9 ("dma-buf: keep the signaling time of merged fences v3")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/b09f1996-3838-4fa2-9193-832b68262e43@moroto.mountain
(cherry picked from commit 00ae1491f970acc454be0df63f50942d94825860)
Change-Id: I9fe1e61543e84a0f22d8ec26e01d94b809620744
Signed-off-by: Jindong Yue <jindong.yue@nxp.com>
|
|
Some Android CTS is testing if the signaling time keeps consistent
during merges.
v2: use the current time if the fence is still in the signaling path and
the timestamp not yet available.
v3: improve comment, fix one more case to use the correct timestamp
Bug: 286438670
Bug: 296793123
Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Luben Tuikov <luben.tuikov@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230630120041.109216-1-christian.koenig@amd.com
(cherry picked from commit f781f661e8c99b0cb34129f2e374234d61864e77)
Change-Id: I5cd3178213fc28ac67146f58fddf83f7d482fd76
Signed-off-by: Jindong Yue <jindong.yue@nxp.com>
|
|
MGLRU has a LRU list for each zone for each type (anon/file) in each
generation:
long nr_pages[MAX_NR_GENS][ANON_AND_FILE][MAX_NR_ZONES];
The min_seq (oldest generation) can progress independently for each
type but the max_seq (youngest generation) is shared for both anon and
file. This is to maintain a common frame of reference.
In order for eviction to advance the min_seq of a type, all the per-zone
lists in the oldest generation of that type must be empty.
The eviction logic only considers pages from eligible zones for
eviction or promotion.
scan_folios() {
...
for (zone = sc->reclaim_idx; zone >= 0; zone--) {
...
sort_folio(); // Promote
...
isolate_folio(); // Evict
}
...
}
Consider the system has the movable zone configured and default 4
generations. The current state of the system is as shown below
(only illustrating one type for simplicity):
Type: ANON
Zone DMA32 Normal Movable Device
Gen 0 0 0 4GB 0
Gen 1 0 1GB 1MB 0
Gen 2 1MB 4GB 1MB 0
Gen 3 1MB 1MB 1MB 0
Now consider there is a GFP_KERNEL allocation request (eligible zone
index <= Normal), evict_folios() will return without doing any work
since there are no pages to scan in the eligible zones of the oldest
generation. Reclaim won't make progress until triggered from a ZONE_MOVABLE
allocation request; which may not happen soon if there is a lot of free
memory in the movable zone. This can lead to OOM kills, although there
is 1GB pages in the Normal zone of Gen 1 that we have not yet tried to
reclaim.
This issue is not seen in the conventional active/inactive LRU since
there are no per-zone lists.
If there are no (not enough) folios to scan in the eligible zones, move
folios from ineligible zone (zone_index > reclaim_index) to the next
generation. This allows for the progression of min_seq and reclaiming
from the next generation (Gen 1).
Qualcomm, Mediatek and raspberrypi [1] discovered this issue independently.
[1] https://github.com/raspberrypi/linux/issues/5395
Link: https://lkml.kernel.org/r/20230802025606.346758-1-kaleshsingh@google.com
Fixes: ac35a4902374 ("mm: multi-gen LRU: minimal implementation")
Change-Id: I5bbf44bd7ffe42f4347df4be59a75c1603c9b947
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Reported-by: Charan Teja Kalla <quic_charante@quicinc.com>
Reported-by: Lecopzer Chen <lecopzer.chen@mediatek.com>
Tested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com> [mediatek]
Tested-by: Charan Teja Kalla <quic_charante@quicinc.com>
Cc: Yu Zhao <yuzhao@google.com>
Cc: Barry Song <baohua@kernel.org>
Cc: Brian Geffon <bgeffon@google.com>
Cc: Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Cc: Matthias Brugger <matthias.bgg@gmail.com>
Cc: Oleksandr Natalenko <oleksandr@natalenko.name>
Cc: Qi Zheng <zhengqi.arch@bytedance.com>
Cc: Steven Barrett <steven@liquorix.net>
Cc: Suleiman Souhlal <suleiman@google.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Aneesh Kumar K V <aneesh.kumar@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 1462260adc41c5974362cb54ff577c2a15b8c7b2 https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-unstable)
Bug: 295078665
Bug: 288383787
Bug: 291719697
Bug: 296020093
Bug: 296152871
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
(cherry picked from commit a7adb988970e13c42f3c7ca4fe157c35e8e885fe)
(cherry picked from commit 00ff53e1e06236335c32a14a7bcb87ea5ce2cc0d)
|
|
Avichal Rakesh reported a kernel panic that occurred when the UVC
gadget driver was removed from a gadget's configuration. The panic
involves a somewhat complicated interaction between the kernel driver
and a userspace component (as described in the Link tag below), but
the analysis did make one thing clear: The Gadget core should
accomodate gadget drivers calling usb_gadget_deactivate() as part of
their unbind procedure.
Currently this doesn't work. gadget_unbind_driver() calls
driver->unbind() while holding the udc->connect_lock mutex, and
usb_gadget_deactivate() attempts to acquire that mutex, which will
result in a deadlock.
The simple fix is for gadget_unbind_driver() to release the mutex when
invoking the ->unbind() callback. There is no particular reason for
it to be holding the mutex at that time, and the mutex isn't held
while the ->bind() callback is invoked. So we'll drop the mutex
before performing the unbind callback and reacquire it afterward.
We'll also add a couple of comments to usb_gadget_activate() and
usb_gadget_deactivate(). Because they run in process context they
must not be called from a gadget driver's ->disconnect() callback,
which (according to the kerneldoc for struct usb_gadget_driver in
include/linux/usb/gadget.h) may run in interrupt context. This may
help prevent similar bugs from arising in the future.
Reported-and-tested-by: Avichal Rakesh <arakesh@google.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Fixes: 286d9975a838 ("usb: gadget: udc: core: Prevent soft_connect_store() race")
Link: https://lore.kernel.org/linux-usb/4d7aa3f4-22d9-9f5a-3d70-1bd7148ff4ba@google.com/
Cc: Badhri Jagan Sridharan <badhri@google.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/48b2f1f1-0639-46bf-bbfc-98cb05a24914@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 291976100
(cherry picked from commit 65dadb2beeb7360232b09ebc4585b54475dfee06)
Signed-off-by: Avichal Rakesh <arakesh@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:edfcc0980a22fdd21490ba38f4ae24346b562e39)
Merged-In: Icff01d8e88f041af4bda8726242de9cd518a247a
Change-Id: Icff01d8e88f041af4bda8726242de9cd518a247a
|
|
If you have trouble reading this new file format, please refresh your
prebuilt version of STG with repo sync.
Bug: 294213765
Change-Id: I4d7ee716231956c5f4da1343cc0db5170aaaa3b1
Signed-off-by: Giuliano Procida <gprocida@google.com>
(cherry picked from commit 29e2f3e3d1968adeff803689cb21434b9f12e3be)
|
|
Add the following symbol to allow vendor module to filter on-die tz genl event.
This helps avoid thermal-hal being woken up all the time by thermal genl
events, only the selected thermal_zone and cooling_device can send events from
kernel.
1 function symbol(s) added
'int __traceiter_android_vh_enable_thermal_genl_check(void*, int, int, int*)'
1 variable symbol(s) added
'struct tracepoint __tracepoint_android_vh_enable_thermal_genl_check'
Bug: 291846209
Change-Id: I763595ff1366196c6a16ff57d608042743fbe9fd
Signed-off-by: Will McVicker <willmcvicker@google.com>
(cherry picked from commit 3a8999c6830ef79a8d00301b633ae06899fc9b96)
Bug: 287008367
Bug: 295178116
Signed-off-by: André Draszik <draszik@google.com>
|
|
Add vendor enable_thermal_genl_check logic.
Filter on-die tz genl event.
To avoid thermal-hal being woken up all the time by thermal genl events,
only the selected thermal_zone and cooling_device can send events from
kernel.
Bug: 170682696
Bug: 291846209
Test: boot and thermal-hal can receive thermal genl events from kernel
Change-Id: Idb3f4b07a2a2740c01d8785910878bfe6edc832d
Signed-off-by: davidchao <davidchao@google.com>
Signed-off-by: Will McVicker <willmcvicker@google.com>
(cherry picked from commit 6ca2ff04a1b85c0145c965ab8562cd8072b4f3f5)
Bug: 287008367
Bug: 295178116
Signed-off-by: André Draszik <draszik@google.com>
|
|
Update symbols for Exynos WLBT driver.
1 function symbol(s) added
'unsigned long __find_nth_bit(const unsigned long*, unsigned long, unsigned long)'
Bug: 294470344
Bug: 295107610
Change-Id: I9f8d9d20f643b34bbc475dde468dbaa11f56e667
Signed-off-by: Junki Min <joonki.min@samsung.com>
(cherry picked from commit 960d9828eee1f1e74682e84cbab856bdb0c9d126)
|
|
6 function symbol(s) added
'struct device* device_find_child_by_name(struct device*, const char*)'
'void pci_free_irq(struct pci_dev*, unsigned int, void*)'
'int pci_request_irq(struct pci_dev*, unsigned int, irq_handler_t, irq_handler_t, void*, const char*, ...)'
'int pm_schedule_suspend(struct device*, unsigned int)'
'int rtnl_configure_link(struct net_device*, const struct ifinfomsg*)'
'struct net_device* rtnl_create_link(struct net*, const char*, unsigned char, const struct rtnl_link_ops*, struct nlattr**, struct netlink_ext_ack*)'
in which:
* device_find_child_by_name/rtnl_configure_link/rtnl_create_link are needed by wwan.ko.
Bug: 291865296
Bug: 294798992
Change-Id: I38b8a69313667318944387e1a19287b9c01cafee
Signed-off-by: zhaoping shu <zhaoping.shu@mediatek.com>
Signed-off-by: xiayu zhang <xiayu.zhang@mediatek.com>
Signed-off-by: ivan yang <ivan.yang@mediatek.com>
Signed-off-by: lambert wang <lambert.wang@mediatek.com>
(cherry picked from commit ca372ba9e750c31045f366e262db01ef8663c7aa)
|
|
2 function symbol(s) added
'bool kthread_freezable_should_stop(bool*)'
'int v4l2_enum_dv_timings_cap(struct v4l2_enum_dv_timings*, const struct v4l2_dv_timings_cap*, v4l2_check_dv_timings_fnc*, void*)'
Bug: 283014063
Bug: 294459321
Change-Id: Ib4f8f9c67277501dcaa2fa5d8f2867d5fa670de3
Signed-off-by: Jindong Yue <jindong.yue@nxp.com>
(cherry picked from commit 3bd3d137019f24d73379e14e9a5384cd72d567a6)
|
|
Update abi_gki_aarch64_qcom with symbols needed for
GCM_AES feature.
Leaf changes summary: 3 artifacts changed
Changed leaf types summary: 0 leaf type changed
Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 2 Added functions
Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variables
2 Added functions:
[A] 'function void crypto_inc(u8*, unsigned int)'
[A] 'function void gf128mul_lle(be128*, const be128*)'
1 Added function symbol not referenced by debug info:
[A] copy_page
Bug: 279879797
Bug: 295000977
Change-Id: I4b735b3517a4cd41c94731577a2b5ba6febaceed
Signed-off-by: kamasali Satyanarayan <quic_kamasali@quicinc.com>
(cherry picked from commit 6eb48b89a513f80885fee2bffda0780aba392b23)
|
|
GIC700 erratum 2941627 may cause GIC-700 missing SPIs wake
requests when SPIs are deactivated while targeting a
sleeping CPU - ie a CPU for which the redistributor:
GICR_WAKER.ProcessorSleep == 1
This runtime situation can happen if an SPI that has been
activated on a core is retargeted to a different core, it
becomes pending and the target core subsequently enters a
power state quiescing the respective redistributor.
When this situation is hit, the de-activation carried out
on the core that activated the SPI (through either ICC_EOIR1_EL1
or ICC_DIR_EL1 register writes) does not trigger a wake
requests for the sleeping GIC redistributor even if the SPI
is pending.
Work around the erratum by de-activating the SPI using the
redistributor GICD_ICACTIVER register if the runtime
conditions require it (ie the IRQ was retargeted between
activation and de-activation).
Bug: 292459437
Bug: 294180741
Change-Id: Ide915b8c925a631a7fc9ccebca19d9175def162e
Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20230704155034.148262-1-lpieralisi@kernel.org
(cherry picked from commit 6fe5c68ee6a1aae0ef291a56001e7888de547fa2 https://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git irq/irqchip-fixes)
Signed-off-by: Carlos Galo <carlosgalo@google.com>
(cherry picked from commit d3b37a712ab7a5d73a2c66156debe2e3d48df007)
|
|
1 function symbol(s) added
'void ttm_tt_unpopulate(struct ttm_device*, struct ttm_tt*)'
Bug: 291101811
Bug: 293812967
Change-Id: I0be29227b37734304f00fc7b8e2612a0fa6c3fff
Signed-off-by: Kyongho Cho <pullip.cho@samsung.com>
(cherry picked from commit db2c29e53dfe6a11d4565b5a462c6a640bf714ed)
|
|
Xclipse GPU driver depends on TTM for graphics buffer allocation and
management. It is required by customers to add graphics memory swap
to improve overall memory efficiency. However TTM's swap feature can't
be used since it selects victim buffer by LRU and we can't choose a
specific buffer to swap.
Xclipse GPU driver implements its own swap feature by means of APIs of
TTM. But the problem is TTM's buffer allocations statistics in ttm_tt.c
which are local to that file. Whenever a graphic buffer is swapped out,
the size of total page allocation should be decreased but it is not
possible from the outside of ttm_tt.c.
If the statistics is not maintained well, TTM ends up swapping out TTM
buffers globally which is unexpected.
Bug: 291101811
Bug: 293812967
Change-Id: I143c705834bcc196432c3ef59b49c9ec31f2e971
Signed-off-by: Kyongho Cho <pullip.cho@samsung.com>
(cherry picked from commit 7edb035c79ac74397f9f09cf3775e6e751c3cd40)
|
|
This adds passthrough support for flock on fuse-bpf files. It does not
give any control via a bpf filter. The flock will act as though it was
taken on the lower file.
Bug: 289882899
Test: fuse_test -t32 (flock_test)
Change-Id: Iba0b9630766cedbd3195532c5e929891593cfe30
Signed-off-by: Daniel Rosenberg <drosen@google.com>
|
|
Presently the data buffer used to return the per-UID timeout description
is created based on information provided by the user. It is expected
that the user populates a variable called 'timeouts_array_size' which is
heavily scrutinised to ensure the value provided is appropriate i.e.
smaller than the largest possible value but large enough to contain all
of the data we wish to pass back.
The issue is that the aforementioned scrutiny is imposed on a different
variable to the one expected. Contrary to expectation, the data buffer
is actually being allocated to the size specified in a variable named
'timeouts_array_size_out'. A variable originally designed to only
contain the output information i.e. the size of the data actually copied
to the user for consumption. This value is also user provided and is
not given the same level of scrutiny as the former.
The fix in this case is simple. Ignore 'timeouts_array_size_out' until
it is time to populate (over-write) it ourselves and use
'timeouts_array_size' to shape the buffer as intended.
Bug: 281547360
Change-Id: I95e12879a33a2355f9e4bc0ce2bfc3f229141aa8
Signed-off-by: Lee Jones <joneslee@google.com>
(cherry picked from commit 5a4d20a3eb4e651f88ed2f1f08cee066639ca801)
|
|
[ Upstream commit 504a10d9e46bc37b23d0a1ae2f28973c8516e636 ]
On corrupt gfs2 file systems the evict code can try to reference the
journal descriptor structure, jdesc, after it has been freed and set to
NULL. The sequence of events is:
init_journal()
...
fail_jindex:
gfs2_jindex_free(sdp); <------frees journals, sets jdesc = NULL
if (gfs2_holder_initialized(&ji_gh))
gfs2_glock_dq_uninit(&ji_gh);
fail:
iput(sdp->sd_jindex); <--references jdesc in evict_linked_inode
evict()
gfs2_evict_inode()
evict_linked_inode()
ret = gfs2_trans_begin(sdp, 0, sdp->sd_jdesc->jd_blocks);
<------references the now freed/zeroed sd_jdesc pointer.
The call to gfs2_trans_begin is done because the truncate_inode_pages
call can cause gfs2 events that require a transaction, such as removing
journaled data (jdata) blocks from the journal.
This patch fixes the problem by adding a check for sdp->sd_jdesc to
function gfs2_evict_inode. In theory, this should only happen to corrupt
gfs2 file systems, when gfs2 detects the problem, reports it, then tries
to evict all the system inodes it has read in up to that point.
Bug: 289870854
Reported-by: Yang Lan <lanyang0908@gmail.com>
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 5ae4a618a1558d2b536fdd5d42e53d3e2d73870c)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I501e8631e1b60479023f5e6ad957540f9e10bcd5
|
|
The 'mmu' parameter to enter_vmid_context() represents the target MMU
to switch to, so we should stash away the current MMU for restoration
by exit_vmid_context() rather than the one we're about to switch to!
Bug: 291568386
Fixes: 47318559bc51 ("ANDROID: KVM: arm64: Support TLB invalidation in guest context")
Tested-by: Mostafa Saleh <smostafa@google.com>
Reported-by: Mostafa Saleh <smostafa@google.com>
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I5d76c159424e32a6d70c598d0007f98ea80c1db4
|
|
15 function symbol(s) added
'int __sbitmap_queue_get(struct sbitmap_queue*)'
'bool blk_bio_list_merge(struct request_queue*, struct list_head*, struct bio*, unsigned int)'
'int blk_mq_debugfs_rq_show(struct seq_file*, void*)'
'void blk_mq_run_hw_queue(struct blk_mq_hw_ctx*, bool)'
'void sbitmap_add_wait_queue(struct sbitmap_queue*, struct sbq_wait_state*, struct sbq_wait*)'
'bool sbitmap_any_bit_set(const struct sbitmap*)'
'void sbitmap_del_wait_queue(struct sbq_wait*)'
'int sbitmap_init_node(struct sbitmap*, unsigned int, int, gfp_t, int, bool, bool)'
'void sbitmap_queue_clear(struct sbitmap_queue*, unsigned int, unsigned int)'
'int sbitmap_queue_init_node(struct sbitmap_queue*, unsigned int, int, bool, gfp_t, int)'
'void sbitmap_queue_resize(struct sbitmap_queue*, unsigned int)'
'void sbitmap_queue_show(struct sbitmap_queue*, struct seq_file*)'
'struct list_head* seq_list_next(void*, struct list_head*, loff_t*)'
'struct list_head* seq_list_start(struct list_head*, loff_t)'
'int timer_reduce(struct timer_list*, unsigned long)'
Bug: 291519378
Change-Id: Ifcd031f72f6ce45eb25b1b2398cc9f6e5231d82e
Signed-off-by: Yang Yang <yang.yang@vivo.com>
|
|
This commit is for adding initial symbol list form ExynosAuto SoCs.
"abi_gki_aarch64_exynosauto" is generated from minimal configs for build.
Bug: 291172090
Signed-off-by: Bumyong Lee <bumyong.lee@samsung.com>
Change-Id: I9114e0ec6881d7d5bdbe61e505e21a379801f69d
|
|
If CONFIG_LOCKDEP is enabled, export `sched_domains_mutex` as it is
indirectly accessed by the macro `for_each_domain()`. This allows
vendors to call the `for_each_domain()` macro with CONFIG_LOCKDEP
enabled via the GKI_BUILD_CONFIG_FRAGMENT.
Bug: 176254015
Signed-off-by: Daniel Mentz <danielmentz@google.com>
Change-Id: Ia9f2989de41b2224c63855f2fd129cbeeac4f195
Signed-off-by: Will McVicker <willmcvicker@google.com>
(cherry picked from commit 7171a5de9832b53122a9787586e18e9523b5b47e)
(cherry picked from commit e2cdae06e22e6cfdbae696c5e40ad159a2cf9639)
|
|
Added symbol list for exynos mmc driver
1 function symbol(s) added
'int device_property_read_string_array(struct device*, const char*, const char**, size_t)'
Bug: 291187964
Change-Id: I79c289861ae01304d5da5c5887227e11330f1175
Signed-off-by: Jiss Jose <jiss.jose@samsung.com>
|
|
Update symbols for Exynos DRM/GPU driver
5 function symbol(s) added
'int __traceiter_android_vh_meminfo_proc_show(void*, struct seq_file*)'
'void copy_highpage(struct page*, struct page*)'
'void mark_page_accessed(struct page*)'
'void ttm_bo_unmap_virtual(struct ttm_buffer_object*)'
'int ttm_bo_wait(struct ttm_buffer_object*, bool, bool)'
1 variable symbol(s) added
'struct tracepoint __tracepoint_android_vh_meminfo_proc_show'
Bug: 290865075
Change-Id: I0ed0a853902e0ca277e3ea061a2124a48de17100
Signed-off-by: Junki Min <joonki.min@samsung.com>
|
|
1 function symbol(s) added
'bool sk_capable(const struct sock*, int)'
This symbol is needed by bluetooth.ko.
Bug: 290584277
Change-Id: I9d8b42057d263f451caa36b7d176bdf2560cce38
Signed-off-by: Chun-Hung Wu <chun-hung.wu@mediatek.com>
|
|
If dma_direct_alloc() alloc memory in size of 64MB, the inner function
dma_common_contiguous_remap() will allocate 128KB memory by invoking
the function kmalloc_array(). and the kmalloc_array seems to fail to try
to allocate 128KB mem.
Call trace:
[14977.928623] qcrosvm: page allocation failure: order:5, mode:0x40cc0
[14977.928638] dump_backtrace.cfi_jt+0x0/0x8
[14977.928647] dump_stack_lvl+0x80/0xb8
[14977.928652] warn_alloc+0x164/0x200
[14977.928657] __alloc_pages_slowpath+0x9f0/0xb4c
[14977.928660] __alloc_pages+0x21c/0x39c
[14977.928662] kmalloc_order+0x48/0x108
[14977.928666] kmalloc_order_trace+0x34/0x154
[14977.928668] __kmalloc+0x548/0x7e4
[14977.928673] dma_direct_alloc+0x11c/0x4f8
[14977.928678] dma_alloc_attrs+0xf4/0x138
[14977.928680] gh_vm_ioctl_set_fw_name+0x3c4/0x610 [gunyah]
[14977.928698] gh_vm_ioctl+0x90/0x14c [gunyah]
[14977.928705] __arm64_sys_ioctl+0x184/0x210
work around by doing kvmalloc_array instead.
Signed-off-by: Gao Xu <gaoxu2@hihonor.com>
Reviewed-by: Suren Baghdasaryan <surenb@google.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Bug: 279161171
(cherry picked from commit 51ff97d54f02b4444dfc42e380ac4c058e12d5dd)
Change-Id: I665c0a2b06f5a97cef297c1d5a6618373b513299
Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com>
|
|
As a supplement to commit 6c1c1552e610
("ANDROID: vendor_hook: add hooks to protect locking-tsk in cpu scheduler").
In rwsem read, we missed a lock-holding scenario, add it now.
Bug: 290868674
Change-Id: I718dd942b24b330a79283fc241dcbf47cc34c0c5
Signed-off-by: Liujie Xie <xieliujie@oppo.com>
|
|
CONFIG_WWAN=m : WWAN driver core. This driver provides
a common framework for WWAN drivers.
Required to integrate modem devices with WWAN subsystem.
Selects CONFIG_WWAN_DEBUGFS=y; override to disable it
until it is required in the future.
Bug: 287170531
Change-Id: I18517a7aca17cfb5bdbb7ad0399fcb92c575a48e
Signed-off-by: lambert wang <lambert.wang@mediatek.com>
|
|
For global registers access, UNISOC have one special method called set/clear
mechanism that would avoid using hardware spinlock. But now regmap framework
does not support our set/clear mechanism, so add vendor hook to support
this feature.
Bug: 228907258
Signed-off-by: Xiaopeng Bai <xiaopeng.bai@unisoc.com>
Change-Id: I9a6651f07a048ffebd5c2d8e369a4e7b374bc182
(cherry picked from commit 53e342c183af58f03bd1445838a3f499e7fbd191)
|