From 992b5f98cad8a8bd0da106a113c25429aeb183cd Mon Sep 17 00:00:00 2001 From: David Brazdil Date: Thu, 13 Oct 2022 14:20:53 +0100 Subject: [PATCH 01/27] ANDROID: KVM: arm64: s2mpu: Add SysMMU_SYNC timeout The SysMMU_SYNC provides an invalidation-complete signal to the hypervisor. Currently the hypervisor will wait indefinitely for the SYNC to set the SYNC_COMP_COMPLETE bit. In practice, this case deadlock as the hypervisor holds the host lock while waiting for the SYNC. To avoid deadlock, adjust the algorithm to time out after a given number of reads of the SYNC_COMP register (new constant SYNC_TIMEOUT_BASE). This can be a small number as most attempts succeed after a single read of the SFR. If the wait-loop times out, the hypervisor will try again, multiplying the maximum number of SFR reads with SYNC_TIMEOUT_MULTIPLIER each time. This number was selected to grow quickly, in case there is a lot of DMA traffic that would be slowing down the SYNC request. Finally, if the hardware does not set the bit even after SYNC_MAX_RETRIES, the algorithm will give up to avoid deadlock. The value was selected so that the worst-case time spent in __wait_for_invalidation_complete() remains tolerable. Bug: 250727777 Signed-off-by: David Brazdil Change-Id: I00098753bcc46a894943bbdb3a61acc3a8e5e5d2 --- arch/arm64/kvm/hyp/nvhe/iommu/s2mpu.c | 38 ++++++++++++++++++++++----- 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/arch/arm64/kvm/hyp/nvhe/iommu/s2mpu.c b/arch/arm64/kvm/hyp/nvhe/iommu/s2mpu.c index ff5d7d1044e5..20c65f7489ed 100644 --- a/arch/arm64/kvm/hyp/nvhe/iommu/s2mpu.c +++ b/arch/arm64/kvm/hyp/nvhe/iommu/s2mpu.c @@ -24,6 +24,10 @@ #define PA_MAX ((phys_addr_t)SZ_1G * NR_GIGABYTES) +#define SYNC_MAX_RETRIES 5 +#define SYNC_TIMEOUT 5 +#define SYNC_TIMEOUT_MULTIPLIER 3 + #define CTX_CFG_ENTRY(ctxid, nr_ctx, vid) \ (CONTEXT_CFG_VALID_VID_CTX_VID(ctxid, vid) \ | (((ctxid) < (nr_ctx)) ? CONTEXT_CFG_VALID_VID_CTX_VALID(ctxid) : 0)) 
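Review bot: The three new constants in the `@@ -24,6 +24,10 @@` hunk carry no comment, and `SYNC_TIMEOUT` is a count of SYNC_COMP register reads rather than a time, which the name does not convey; the commit message also calls it `SYNC_TIMEOUT_BASE`, so the code and the description disagree. I would either rename the macro to match the description or add a comment above the block such as `/* SYNC_TIMEOUT: SFR reads in the first attempt, multiplied by SYNC_TIMEOUT_MULTIPLIER on each of up to SYNC_MAX_RETRIES attempts. */`. With the values shown the worst case is 5 + 15 + 45 + 135 + 405 = 605 reads per SysMMU_SYNC, which is worth stating next to the definitions because the commit message justifies the values by that bound.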
@@ -158,11 +162,20 @@ static void __set_control_regs(struct pkvm_iommu *dev) writel_relaxed(ctrl0, dev->va + REG_NS_CTRL0); } -/* Poll the given SFR until its value has all bits of a given mask set. */ -static void __wait_until(void __iomem *addr, u32 mask) +/* + * Poll the given SFR until its value has all bits of a given mask set. + * Returns true if successful, false if not successful after a given number of + * attempts. + */ +static bool __wait_until(void __iomem *addr, u32 mask, size_t max_attempts) { - while ((readl_relaxed(addr) & mask) != mask) - continue; + size_t i; + + for (i = 0; i < max_attempts; i++) { + if ((readl_relaxed(addr) & mask) == mask) + return true; + } + return false; } /* Poll the given SFR as long as its value has all bits of a given mask set. */ @@ -175,14 +188,27 @@ static void __wait_while(void __iomem *addr, u32 mask) static void __wait_for_invalidation_complete(struct pkvm_iommu *dev) { struct pkvm_iommu *sync; + size_t i, timeout; /* * Wait for transactions to drain if SysMMU_SYNCs were registered. * Assumes that they are in the same power domain as the S2MPU. + * + * The algorithm will try initiating the SYNC if the SYNC_COMP_COMPLETE + * bit has not been set after a given number of attempts, increasing the + * timeout exponentially each time. If this cycle fails a given number + * of times, the algorithm will give up completely to avoid deadlock. */ for_each_child(sync, dev) { - writel_relaxed(SYNC_CMD_SYNC, sync->va + REG_NS_SYNC_CMD); - __wait_until(sync->va + REG_NS_SYNC_COMP, SYNC_COMP_COMPLETE); + timeout = SYNC_TIMEOUT; + for (i = 0; i < SYNC_MAX_RETRIES; i++) { + writel_relaxed(SYNC_CMD_SYNC, sync->va + REG_NS_SYNC_CMD); + if (__wait_until(sync->va + REG_NS_SYNC_COMP, + SYNC_COMP_COMPLETE, timeout)) { + break; + } + timeout *= SYNC_TIMEOUT_MULTIPLIER; + } } /* Must not access SFRs while S2MPU is busy invalidating (v9 only). */ From 2f8253b7e6e563cc19cffa120c72f6f528664103 Mon Sep 17 00:00:00 2001 
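Review bot: When all SYNC_MAX_RETRIES attempts time out, the inner loop in __wait_for_invalidation_complete() just ends and execution moves on to the next child, so a SysMMU_SYNC that never reported completion is treated exactly like one that did. Because this IOMMU is programmed by the hypervisor, that presumably means device transactions issued under the old configuration may still be in flight when the caller assumes the invalidation has finished, and the function returns void, so nothing upstream can react. At minimum I would extend the block comment with `* On give-up the function continues as if the SYNC had completed; in-flight DMA is not known to have drained.` and consider propagating or counting the failure so it can be observed. The new comment also says "try initiating the SYNC" where "retry" seems to be meant. The function body continues past the end of the hunk.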
From: Minchan Kim Date: Tue, 18 Oct 2022 09:03:15 -0700 Subject: [PATCH 02/27] ANDROID: vendor hook to control pagevec flush The pagevec batching causes lru_add_drain_all which is too expensive sometimes. This patch adds a new vendor hook to drain the pagevec immediately depending on the page's type. Bug: 251881967 Signed-off-by: Minchan Kim Change-Id: Id17e14e69197993ddad511a40c96e51674c02834 --- drivers/android/vendor_hooks.c | 1 + include/trace/hooks/mm.h | 3 +++ mm/swap.c | 4 ++++ 3 files changed, 8 insertions(+) diff --git a/drivers/android/vendor_hooks.c b/drivers/android/vendor_hooks.c index 73efd5503d2f..61b42b3ede98 100644 --- a/drivers/android/vendor_hooks.c +++ b/drivers/android/vendor_hooks.c @@ -225,6 +225,7 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_calc_alloc_flags); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_mm_compaction_begin); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_mm_compaction_end); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_rmqueue); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_pagevec_drain); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_pagecache_get_page); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_filemap_fault_get_page); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_filemap_fault_cache_page); diff --git a/include/trace/hooks/mm.h b/include/trace/hooks/mm.h index 263b867d453c..58b56440e970 100644 --- a/include/trace/hooks/mm.h +++ b/include/trace/hooks/mm.h @@ -61,6 +61,9 @@ DECLARE_HOOK(android_vh_rmqueue, unsigned int alloc_flags, int migratetype), TP_ARGS(preferred_zone, zone, order, gfp_flags, alloc_flags, migratetype)); +DECLARE_HOOK(android_vh_pagevec_drain, + TP_PROTO(struct page *page, bool *ret), + TP_ARGS(page, ret)); DECLARE_HOOK(android_vh_pagecache_get_page, TP_PROTO(struct address_space *mapping, pgoff_t index, int fgp_flags, gfp_t gfp_mask, struct page *page), diff --git a/mm/swap.c b/mm/swap.c index 2f69e44ca737..467282ac2e96 100644 --- a/mm/swap.c +++ b/mm/swap.c 
@@ -43,6 +43,9 @@ #define CREATE_TRACE_POINTS #include +#undef CREATE_TRACE_POINTS +#include + /* How many pages do we try to swap or page in/out together? */ int page_cluster; @@ -267,6 +270,7 @@ static bool pagevec_add_and_need_flush(struct pagevec *pvec, struct page *page) lru_cache_disabled()) ret = true; + trace_android_vh_pagevec_drain(page, &ret); return ret; } From 90db4c38b9242a4658baf50647c34c6f261450f6 Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Tue, 18 Oct 2022 11:26:25 -0700 Subject: [PATCH 03/27] ANDROID: Update the ABI representation 1 function symbol(s) added 'int __traceiter_android_vh_pagevec_drain(void *, struct page *, bool *)' 1 variable symbol(s) added 'struct tracepoint __tracepoint_android_vh_pagevec_drain' Bug: 251881967 Signed-off-by: Minchan Kim Change-Id: I8a45e6aba2fbbc6a05ec7086f4ce009c57fe15ff --- android/abi_gki_aarch64.xml | 70 ++++++++++++++------------------- android/abi_gki_aarch64_generic | 2 + 2 files changed, 31 insertions(+), 41 deletions(-) diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml index 06d41dd2254d..691612a1b91f 100644 --- a/android/abi_gki_aarch64.xml +++ b/android/abi_gki_aarch64.xml @@ -274,6 +274,7 @@ + @@ -3802,6 +3803,7 @@ + @@ -9979,23 +9981,7 @@ - - - - - - - - - - - - - - - - - + @@ -45184,11 +45170,6 @@ - - - - - @@ -110387,8 +110368,8 @@ - - + + @@ -110963,10 +110944,10 @@ - - - - + + + + @@ -111046,9 +111027,9 @@ - - - + + + @@ -111081,13 +111062,19 @@ - + + + + + + + + + + - - - - + @@ -111499,7 +111486,7 @@ - + @@ -111512,13 +111499,14 @@ - + - + + @@ -120915,10 +120903,10 @@ - + - + diff --git a/android/abi_gki_aarch64_generic b/android/abi_gki_aarch64_generic index d9a45368005a..57554e7100fc 100644 --- a/android/abi_gki_aarch64_generic +++ b/android/abi_gki_aarch64_generic 
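Review bot: `trace_android_vh_pagevec_drain(page, &ret)` in the `@@ -267,6 +270,7 @@` hunk runs after `ret` has been computed and receives a writable pointer, so a vendor handler can clear a `true` that was set because `lru_cache_disabled()` (or the condition before it) held, not only request an additional drain. The commit message describes the hook as a way to drain immediately, which needs only the false-to-true direction; calling it as `if (!ret) trace_android_vh_pagevec_drain(page, &ret);` would keep the core conditions authoritative. If overriding in both directions is intended, a comment above the call should say so. The start of pagevec_add_and_need_flush() is outside the hunk.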
@@ -2260,6 +2260,7 @@ __traceiter_android_vh_mm_compaction_end __traceiter_android_vh_of_i2c_get_board_info __traceiter_android_vh_pagecache_get_page + __traceiter_android_vh_pagevec_drain __traceiter_android_vh_pin_user_pages __traceiter_android_vh_rebuild_root_domains_bypass __traceiter_android_vh_resume_end @@ -2377,6 +2378,7 @@ __tracepoint_android_vh_mm_compaction_end __tracepoint_android_vh_of_i2c_get_board_info __tracepoint_android_vh_pagecache_get_page + __tracepoint_android_vh_pagevec_drain __tracepoint_android_vh_pin_user_pages __tracepoint_android_vh_rebuild_root_domains_bypass __tracepoint_android_vh_resume_end From 788ba5e9de7687013e73f27c724ce033a639f474 Mon Sep 17 00:00:00 2001 From: Kever Yang Date: Fri, 9 Sep 2022 17:23:44 +0800 Subject: [PATCH 04/27] ANDROID: GKI: Add build for rockchip platform This patch add build entry for rockchip platform Bug: 239396464 Signed-off-by: Kever Yang Change-Id: I12a8619505ece318d3c890ab1253798f88780a9e --- android/abi_gki_aarch64_rockchip | 0 arch/arm64/configs/rockchip_gki.fragment | 342 +++++++++++++++++++++++ build.config.gki.aarch64 | 1 + build.config.rockchip | 8 + 4 files changed, 351 insertions(+) create mode 100644 android/abi_gki_aarch64_rockchip create mode 100644 arch/arm64/configs/rockchip_gki.fragment create mode 100644 build.config.rockchip diff --git a/android/abi_gki_aarch64_rockchip b/android/abi_gki_aarch64_rockchip new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/arch/arm64/configs/rockchip_gki.fragment b/arch/arm64/configs/rockchip_gki.fragment new file mode 100644 index 000000000000..6253108101a8 --- /dev/null +++ b/arch/arm64/configs/rockchip_gki.fragment 
@@ -0,0 +1,342 @@
+CONFIG_AP6XXX=m
+CONFIG_ARCH_ROCKCHIP=y
+CONFIG_ARM_ROCKCHIP_BUS_DEVFREQ=m
+CONFIG_ARM_ROCKCHIP_CPUFREQ=m
+CONFIG_ARM_ROCKCHIP_DMC_DEVFREQ=m
+CONFIG_BACKLIGHT_PWM=m
+CONFIG_BATTERY_CW2015=m
+CONFIG_BATTERY_CW2017=m
+CONFIG_BATTERY_CW221X=m
+CONFIG_BATTERY_RK817=m
+CONFIG_BATTERY_RK818=m
+CONFIG_BLK_DEV_NVME=m
+CONFIG_BMA2XX_ACC=m
+CONFIG_CHARGER_BQ25700=m
+CONFIG_CHARGER_BQ25890=m
+CONFIG_CHARGER_RK817=m
+CONFIG_CHARGER_RK818=m
+CONFIG_CHARGER_SC89890=m
+CONFIG_CHARGER_SGM41542=m
+CONFIG_CHR_DEV_SCH=m
+CONFIG_CHR_DEV_SG=m
+CONFIG_COMMON_CLK_PWM=m
+CONFIG_COMMON_CLK_RK808=m
+CONFIG_COMMON_CLK_ROCKCHIP=m
+CONFIG_COMMON_CLK_SCMI=m
+CONFIG_COMPASS_AK8963=m
+CONFIG_COMPASS_AK8975=m
+CONFIG_COMPASS_DEVICE=m
+CONFIG_CPUFREQ_DT=m
+CONFIG_CPU_FREQ_GOV_ONDEMAND=m
+CONFIG_CPU_FREQ_GOV_USERSPACE=m
+CONFIG_CPU_RK3588=y
+CONFIG_CRYPTO_AES_ARM64_CE_CCM=m
+CONFIG_CRYPTO_DEV_ROCKCHIP=m
+CONFIG_CRYPTO_DEV_ROCKCHIP_DEV=m
+CONFIG_CRYPTO_GHASH_ARM64_CE=m
+CONFIG_CRYPTO_SHA1_ARM64_CE=m
+CONFIG_CRYPTO_TWOFISH=m
+CONFIG_DEVFREQ_EVENT_ROCKCHIP_NOCP=m
+CONFIG_DMABUF_HEAPS_CMA=m
+CONFIG_DMABUF_HEAPS_SYSTEM=m
+CONFIG_DRAGONRISE_FF=y
+CONFIG_DRM_DISPLAY_CONNECTOR=m
+CONFIG_DRM_DW_HDMI_CEC=m
+CONFIG_DRM_DW_HDMI_I2S_AUDIO=m
+CONFIG_DRM_MAXIM_MAX96745=m
+CONFIG_DRM_MAXIM_MAX96752F=m
+CONFIG_DRM_MAXIM_MAX96755F=m
+CONFIG_DRM_PANEL_SIMPLE=m
+CONFIG_DRM_RK1000_TVE=m
+CONFIG_DRM_RK630_TVE=m
+CONFIG_DRM_ROCKCHIP=m
+CONFIG_DRM_ROCKCHIP_RK628=m
+CONFIG_DRM_ROHM_BU18XL82=m
+CONFIG_DRM_SII902X=m
+CONFIG_DTC_SYMBOLS=y
+CONFIG_DW_WATCHDOG=m
+CONFIG_GPIO_ROCKCHIP=m
+CONFIG_GREENASIA_FF=y
+CONFIG_GSENSOR_DEVICE=m
+CONFIG_GS_DA223=m
+CONFIG_GS_KXTJ9=m
+CONFIG_GS_LIS3DH=m
+CONFIG_GS_LSM303D=m
+CONFIG_GS_MC3230=m
+CONFIG_GS_MMA7660=m
+CONFIG_GS_MMA8452=m
+CONFIG_GS_MXC6655XA=m
+CONFIG_GS_SC7660=m
+CONFIG_GS_SC7A20=m
+CONFIG_GS_SC7A30=m
+CONFIG_GYROSCOPE_DEVICE=m
+CONFIG_GYRO_EWTSA=m
+CONFIG_GYRO_L3G20D=m
+CONFIG_GYRO_L3G4200D=m
+CONFIG_GYRO_LSM330=m
+CONFIG_GYRO_MPU6500=m
+CONFIG_GYRO_MPU6880=m
+CONFIG_HALL_DEVICE=m
+CONFIG_HID_A4TECH=m
+CONFIG_HID_ACRUX=m
+CONFIG_HID_ACRUX_FF=y
+CONFIG_HID_ALPS=m
+CONFIG_HID_APPLEIR=m
+CONFIG_HID_AUREAL=m
+CONFIG_HID_BELKIN=m
+CONFIG_HID_CHERRY=m
+CONFIG_HID_CHICONY=m
+CONFIG_HID_CYPRESS=m
+CONFIG_HID_DRAGONRISE=m
+CONFIG_HID_EMS_FF=m
+CONFIG_HID_EZKEY=m
+CONFIG_HID_GREENASIA=m
+CONFIG_HID_GYRATION=m
+CONFIG_HID_HOLTEK=m
+CONFIG_HID_ICADE=m
+CONFIG_HID_KENSINGTON=m
+CONFIG_HID_KEYTOUCH=m
+CONFIG_HID_KYE=m
+CONFIG_HID_LCPOWER=m
+CONFIG_HID_LENOVO=m
+CONFIG_HID_MONTEREY=m
+CONFIG_HID_NTRIG=m
+CONFIG_HID_ORTEK=m
+CONFIG_HID_PANTHERLORD=m
+CONFIG_HID_PETALYNX=m
+CONFIG_HID_PRIMAX=m
+CONFIG_HID_SAITEK=m
+CONFIG_HID_SAMSUNG=m
+CONFIG_HID_SMARTJOYPLUS=m
+CONFIG_HID_SPEEDLINK=m
+CONFIG_HID_STEELSERIES=m
+CONFIG_HID_SUNPLUS=m
+CONFIG_HID_THINGM=m
+CONFIG_HID_THRUSTMASTER=m
+CONFIG_HID_TIVO=m
+CONFIG_HID_TOPSEED=m
+CONFIG_HID_TWINHAN=m
+CONFIG_HID_WALTOP=m
+CONFIG_HID_ZEROPLUS=m
+CONFIG_HID_ZYDACRON=m
+CONFIG_HS_MH248=m
+CONFIG_HW_RANDOM_ROCKCHIP=m
+CONFIG_I2C_CHARDEV=m
+CONFIG_I2C_GPIO=m
+CONFIG_I2C_HID=m
+CONFIG_I2C_RK3X=m
+CONFIG_IEP=m
+CONFIG_IIO_BUFFER_CB=m
+CONFIG_INPUT_RK805_PWRKEY=m
+CONFIG_KEYBOARD_ADC=m
+CONFIG_LEDS_GPIO=m
+CONFIG_LEDS_RGB13H=m
+CONFIG_LEDS_TRIGGER_BACKLIGHT=m
+CONFIG_LEDS_TRIGGER_DEFAULT_ON=m
+CONFIG_LEDS_TRIGGER_HEARTBEAT=m
+CONFIG_LIGHT_DEVICE=m
+CONFIG_LSM330_ACC=m
+CONFIG_LS_CM3217=m
+CONFIG_LS_CM3218=m
+CONFIG_LS_STK3410=m
+CONFIG_LS_UCS14620=m
+CONFIG_MALI_BIFROST=m
+CONFIG_MALI_BIFROST_DEBUG=y
+CONFIG_MALI_BIFROST_EXPERT=y
+CONFIG_MALI_CSF_SUPPORT=y
+CONFIG_MALI_PLATFORM_NAME="rk"
+CONFIG_MALI_PWRSOFT_765=y
+CONFIG_MFD_RK628=m
+CONFIG_MFD_RK630_I2C=m
+CONFIG_MFD_RK806_SPI=m
+CONFIG_MFD_RK808=m
+CONFIG_MMC_DW=m
+CONFIG_MMC_DW_ROCKCHIP=m
+CONFIG_MMC_SDHCI_OF_ARASAN=m
+CONFIG_MMC_SDHCI_OF_DWCMSHC=m
+CONFIG_MPU6500_ACC=m
+CONFIG_MPU6880_ACC=m
+CONFIG_OPTEE=m
+CONFIG_PANTHERLORD_FF=y
+CONFIG_PCIEASPM_EXT=m
+CONFIG_PCIE_DW_ROCKCHIP=m
+CONFIG_PCIE_ROCKCHIP_HOST=m
+CONFIG_PHY_ROCKCHIP_CSI2_DPHY=m
+CONFIG_PHY_ROCKCHIP_DP=m
+CONFIG_PHY_ROCKCHIP_EMMC=m
+CONFIG_PHY_ROCKCHIP_INNO_DSIDPHY=m
+CONFIG_PHY_ROCKCHIP_INNO_HDMI=m
+CONFIG_PHY_ROCKCHIP_INNO_USB2=m
+CONFIG_PHY_ROCKCHIP_INNO_USB3=m
+CONFIG_PHY_ROCKCHIP_NANENG_COMBO_PHY=m
+CONFIG_PHY_ROCKCHIP_NANENG_EDP=m
+CONFIG_PHY_ROCKCHIP_PCIE=m
+CONFIG_PHY_ROCKCHIP_SAMSUNG_DCPHY=m
+CONFIG_PHY_ROCKCHIP_SAMSUNG_HDPTX=m
+CONFIG_PHY_ROCKCHIP_SAMSUNG_HDPTX_HDMI=m
+CONFIG_PHY_ROCKCHIP_SNPS_PCIE3=m
+CONFIG_PHY_ROCKCHIP_TYPEC=m
+CONFIG_PHY_ROCKCHIP_USB=m
+CONFIG_PHY_ROCKCHIP_USBDP=m
+CONFIG_PINCTRL_RK805=m
+CONFIG_PINCTRL_RK806=m
+CONFIG_PINCTRL_ROCKCHIP=m
+CONFIG_PL330_DMA=m
+CONFIG_PROXIMITY_DEVICE=m
+CONFIG_PS_STK3410=m
+CONFIG_PS_UCS14620=m
+CONFIG_PWM_ROCKCHIP=m
+CONFIG_REGULATOR_ACT8865=m
+CONFIG_REGULATOR_FAN53555=m
+CONFIG_REGULATOR_GPIO=m
+CONFIG_REGULATOR_LP8752=m
+CONFIG_REGULATOR_MP8865=m
+CONFIG_REGULATOR_PWM=m
+CONFIG_REGULATOR_RK806=m
+CONFIG_REGULATOR_RK808=m
+CONFIG_REGULATOR_RK860X=m
+CONFIG_REGULATOR_TPS65132=m
+CONFIG_REGULATOR_WL2868C=m
+CONFIG_REGULATOR_XZ3216=m
+CONFIG_RFKILL_RK=m
+CONFIG_RK_CONSOLE_THREAD=y
+CONFIG_RK_HEADSET=m
+CONFIG_ROCKCHIP_ANALOGIX_DP=y
+CONFIG_ROCKCHIP_CDN_DP=y
+CONFIG_ROCKCHIP_CPUINFO=m
+CONFIG_ROCKCHIP_DEBUG=m
+CONFIG_ROCKCHIP_DW_DP=y
+CONFIG_ROCKCHIP_DW_HDCP2=m
+CONFIG_ROCKCHIP_DW_HDMI=y
+CONFIG_ROCKCHIP_DW_MIPI_DSI=y
+CONFIG_ROCKCHIP_EFUSE=m
+CONFIG_ROCKCHIP_GRF=m
+CONFIG_ROCKCHIP_INNO_HDMI=y
+CONFIG_ROCKCHIP_IODOMAIN=m
+CONFIG_ROCKCHIP_IOMMU=m
+CONFIG_ROCKCHIP_IPA=m
+CONFIG_ROCKCHIP_LVDS=y
+CONFIG_ROCKCHIP_MPP_AV1DEC=y
+CONFIG_ROCKCHIP_MPP_IEP2=y
+CONFIG_ROCKCHIP_MPP_JPGDEC=y
+CONFIG_ROCKCHIP_MPP_RKVDEC=y
+CONFIG_ROCKCHIP_MPP_RKVDEC2=y
+CONFIG_ROCKCHIP_MPP_RKVENC=y
+CONFIG_ROCKCHIP_MPP_RKVENC2=y
+CONFIG_ROCKCHIP_MPP_SERVICE=m
+CONFIG_ROCKCHIP_MPP_VDPU1=y
+CONFIG_ROCKCHIP_MPP_VDPU2=y
+CONFIG_ROCKCHIP_MPP_VEPU1=y
+CONFIG_ROCKCHIP_MPP_VEPU2=y
+CONFIG_ROCKCHIP_MULTI_RGA=m
+CONFIG_ROCKCHIP_OPP=m
+CONFIG_ROCKCHIP_OTP=m
+CONFIG_ROCKCHIP_PHY=m
+CONFIG_ROCKCHIP_PM_DOMAINS=m
+CONFIG_ROCKCHIP_PVTM=m
+CONFIG_ROCKCHIP_REMOTECTL=m
+CONFIG_ROCKCHIP_REMOTECTL_PWM=m
+CONFIG_ROCKCHIP_RGB=y
+CONFIG_ROCKCHIP_RKNPU=m
+CONFIG_ROCKCHIP_SARADC=m
+CONFIG_ROCKCHIP_SIP=m
+CONFIG_ROCKCHIP_SUSPEND_MODE=m
+CONFIG_ROCKCHIP_SYSTEM_MONITOR=m
+CONFIG_ROCKCHIP_THERMAL=m
+CONFIG_ROCKCHIP_TIMER=m
+CONFIG_ROCKCHIP_VENDOR_STORAGE=m
+CONFIG_ROCKCHIP_VENDOR_STORAGE_UPDATE_LOADER=y
+CONFIG_RTC_DRV_HYM8563=m
+CONFIG_RTC_DRV_RK808=m
+CONFIG_SENSOR_DEVICE=m
+CONFIG_SERIAL_8250_DW=m
+CONFIG_SMARTJOYPLUS_FF=y
+CONFIG_SND_SIMPLE_CARD=m
+CONFIG_SND_SOC_BT_SCO=m
+CONFIG_SND_SOC_CX2072X=m
+CONFIG_SND_SOC_DUMMY_CODEC=m
+CONFIG_SND_SOC_ES7202=m
+CONFIG_SND_SOC_ES7210=m
+CONFIG_SND_SOC_ES7243E=m
+CONFIG_SND_SOC_ES8311=m
+CONFIG_SND_SOC_ES8316=m
+CONFIG_SND_SOC_ES8323=m
+CONFIG_SND_SOC_ES8326=m
+CONFIG_SND_SOC_ES8396=m
+CONFIG_SND_SOC_RK3328=m
+CONFIG_SND_SOC_RK817=m
+CONFIG_SND_SOC_RK_CODEC_DIGITAL=m
+CONFIG_SND_SOC_ROCKCHIP=m
+CONFIG_SND_SOC_ROCKCHIP_HDMI=m
+CONFIG_SND_SOC_ROCKCHIP_I2S=m
+CONFIG_SND_SOC_ROCKCHIP_I2S_TDM=m
+CONFIG_SND_SOC_ROCKCHIP_MULTICODECS=m
+CONFIG_SND_SOC_ROCKCHIP_PDM=m
+CONFIG_SND_SOC_ROCKCHIP_SPDIF=m
+CONFIG_SND_SOC_ROCKCHIP_SPDIFRX=m
+CONFIG_SND_SOC_RT5640=m
+CONFIG_SND_SOC_SPDIF=m
+CONFIG_SPI_ROCKCHIP=m
+CONFIG_SPI_SPIDEV=m
+CONFIG_SW_SYNC=m
+CONFIG_SYSCON_REBOOT_MODE=m
+CONFIG_TEE=m
+CONFIG_TEST_POWER=m
+CONFIG_TOUCHSCREEN_ELAN5515=m
+CONFIG_TOUCHSCREEN_GSL3673=m
+CONFIG_TOUCHSCREEN_GSLX680_PAD=m
+CONFIG_TYPEC_DP_ALTMODE=m
+CONFIG_TYPEC_FUSB302=m
+CONFIG_TYPEC_HUSB311=m
+CONFIG_UCS12CM0=m
+CONFIG_USB_DWC2=m
+CONFIG_USB_NET_CDC_MBIM=m
+CONFIG_USB_NET_DM9601=m
+CONFIG_USB_NET_GL620A=m
+CONFIG_USB_NET_KALMIA=m
+CONFIG_USB_NET_MCS7830=m
+CONFIG_USB_NET_PLUSB=m
+CONFIG_USB_NET_SMSC75XX=m
+CONFIG_USB_NET_SMSC95XX=m
+CONFIG_USB_OHCI_HCD=m
+# CONFIG_USB_OHCI_HCD_PCI is not set
+CONFIG_USB_OHCI_HCD_PLATFORM=m
+CONFIG_USB_PRINTER=m
+CONFIG_USB_SERIAL=m
+CONFIG_USB_SERIAL_GENERIC=y
+CONFIG_USB_TRANCEVIBRATOR=m
+CONFIG_VIDEO_AW36518=m
+CONFIG_VIDEO_AW8601=m +CONFIG_VIDEO_CN3927V=m +CONFIG_VIDEO_DW9714=m +CONFIG_VIDEO_FP5510=m +CONFIG_VIDEO_GC2145=m +CONFIG_VIDEO_GC2385=m +CONFIG_VIDEO_GC4C33=m +CONFIG_VIDEO_GC8034=m +CONFIG_VIDEO_IMX415=m +CONFIG_VIDEO_LT6911UXC=m +CONFIG_VIDEO_LT7911D=m +CONFIG_VIDEO_NVP6188=m +CONFIG_VIDEO_OV02B10=m +CONFIG_VIDEO_OV13850=m +CONFIG_VIDEO_OV13855=m +CONFIG_VIDEO_OV50C40=m +CONFIG_VIDEO_OV5695=m +CONFIG_VIDEO_OV8858=m +CONFIG_VIDEO_RK628_BT1120=m +CONFIG_VIDEO_RK628_CSI=m +CONFIG_VIDEO_RK_IRCUT=m +CONFIG_VIDEO_ROCKCHIP_CIF=m +CONFIG_VIDEO_ROCKCHIP_ISP=m +CONFIG_VIDEO_ROCKCHIP_ISPP=m +CONFIG_VIDEO_S5K3L6XX=m +CONFIG_VIDEO_S5KJN1=m +CONFIG_VIDEO_SGM3784=m +CONFIG_VIDEO_THCV244=m +CONFIG_VL6180=m +CONFIG_WIFI_BUILD_MODULE=y +CONFIG_WL_ROCKCHIP=m +CONFIG_ZRAM=m +CONFIG_ZSMALLOC=m +# CONFIG_USB_DUMMY_HCD is not set diff --git a/build.config.gki.aarch64 b/build.config.gki.aarch64 index dde70d69dd33..ad7b6b86db07 100644 --- a/build.config.gki.aarch64 +++ b/build.config.gki.aarch64 @@ -18,6 +18,7 @@ android/abi_gki_aarch64_generic android/abi_gki_aarch64_virtual_device android/abi_gki_aarch64_db845c android/abi_gki_aarch64_hikey960 +android/abi_gki_aarch64_rockchip " FILES="${FILES} diff --git a/build.config.rockchip b/build.config.rockchip new file mode 100644 index 000000000000..297c4c95a14b --- /dev/null +++ b/build.config.rockchip @@ -0,0 +1,8 @@ +. ${ROOT_DIR}/${KERNEL_DIR}/build.config.gki.aarch64 + + +DEFCONFIG=rockchip_aarch64_gki_defconfig +KMI_SYMBOL_LIST=android/abi_gki_aarch64_rockchip +PRE_DEFCONFIG_CMDS="KCONFIG_CONFIG=${ROOT_DIR}/common/arch/arm64/configs/${DEFCONFIG} ${ROOT_DIR}/common/scripts/kconfig/merge_config.sh -m -r ${ROOT_DIR}/common/arch/arm64/configs/gki_defconfig ${ROOT_DIR}/common/arch/arm64/configs/rockchip_gki.fragment" +POST_DEFCONFIG_CMDS="rm ${ROOT_DIR}/common/arch/arm64/configs/${DEFCONFIG}" + From cf3742cba4781799ca8bf8e8467810f6a5938e38 Mon Sep 17 00:00:00 2001 
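Review bot: The fragment enables several options that look like debug or test aids rather than product configuration: `CONFIG_MALI_BIFROST_DEBUG=y`, `CONFIG_MALI_BIFROST_EXPERT=y`, `CONFIG_ROCKCHIP_DEBUG=m` and `CONFIG_TEST_POWER=m`. It also builds `CONFIG_SPI_SPIDEV=m` and `CONFIG_I2C_CHARDEV=m`, which give userspace raw access to those buses once the modules are loaded. The commit message does not say whether this fragment is meant for shipping devices; if it is, I would drop the debug and test entries or move them into a separate debug fragment, and otherwise state the intent in the commit message.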
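Review bot: The first line of build.config.rockchip sources `${ROOT_DIR}/${KERNEL_DIR}/build.config.gki.aarch64`, but `PRE_DEFCONFIG_CMDS` and `POST_DEFCONFIG_CMDS` hard-code `${ROOT_DIR}/common/...`, so the file is only correct when the kernel tree is checked out as `common`. Using `${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/...` throughout would keep the paths consistent with the first line. The expansions inside the two command strings are also unquoted, which would split the arguments (including the one given to `rm`) if `ROOT_DIR` ever contained whitespace; the script that evaluates these strings is not shown, so treat that part as something to confirm.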
From: Helge Deller Date: Wed, 29 Jun 2022 15:53:55 +0200 Subject: [PATCH 05/27] UPSTREAM: fbmem: Check virtual screen sizes in fb_set_var() commit 6c11df58fd1ac0aefcb3b227f72769272b939e56 upstream. Verify that the fbdev or drm driver correctly adjusted the virtual screen sizes. On failure report the failing driver and reject the screen size change. Signed-off-by: Helge Deller Reviewed-by: Geert Uytterhoeven Cc: stable@vger.kernel.org # v5.4+ Signed-off-by: Greg Kroah-Hartman Bug: b81212828ad1 Signed-off-by: Todd Kjos Change-Id: Ia1a16bfbda7f62f1707a5a54ba774a058698a4e3 --- drivers/video/fbdev/core/fbmem.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 00939ca2065a..f30a4fa26da4 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1019,6 +1019,16 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var) if (ret) return ret; + /* verify that virtual resolution >= physical resolution */ + if (var->xres_virtual < var->xres || + var->yres_virtual < var->yres) { + pr_warn("WARNING: fbcon: Driver '%s' missed to adjust virtual screen size (%ux%u vs. %ux%u)\n", + info->fix.id, + var->xres_virtual, var->yres_virtual, + var->xres, var->yres); + return -EINVAL; + } + if ((var->activate & FB_ACTIVATE_MASK) != FB_ACTIVATE_NOW) return 0; From 739b963eb83a4904979935abe68e76f1a34bf9b1 Mon Sep 17 00:00:00 2001 From: Helge Deller Date: Sat, 25 Jun 2022 12:56:49 +0200 Subject: [PATCH 06/27] UPSTREAM: fbcon: Disallow setting font bigger than screen size commit 65a01e601dbba8b7a51a2677811f70f783766682 upstream. Prevent that users set a font size which is bigger than the physical screen. It's unlikely this may happen (because screens are usually much larger than the fonts and each font char is limited to 32x32 pixels), but it may happen on smaller screens/LCD displays. 
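Review bot: The new `pr_warn()` in fb_set_var() is not rate limited, and patch 07 of this series shows fb_set_var() being reached from the FBIOPUT_VSCREENINFO ioctl, so with a driver that fails to adjust the virtual size any process able to open the framebuffer device can fill the kernel log. `pr_warn_ratelimited(...)` or `pr_warn_once(...)` with the same arguments would keep the diagnostic without that side effect. The message also begins with a literal "WARNING: " that duplicates the log level and is tagged "fbcon:" although the check lives in fbmem.c. As this is an upstream backport the change may be better proposed upstream first. The rest of fb_set_var() is outside the hunk.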
Signed-off-by: Helge Deller Reviewed-by: Daniel Vetter Reviewed-by: Geert Uytterhoeven Cc: stable@vger.kernel.org # v4.14+ Signed-off-by: Greg Kroah-Hartman Bug: b81212828ad1 Signed-off-by: Todd Kjos Change-Id: I47e139779ab835a16d0b6b060e798ad35cad9f9b --- drivers/video/fbdev/core/fbcon.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index f102519ccefb..8d81e9321cf7 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2510,6 +2510,11 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font, if (charcount != 256 && charcount != 512) return -EINVAL; + /* font bigger than screen resolution ? */ + if (w > FBCON_SWAP(info->var.rotate, info->var.xres, info->var.yres) || + h > FBCON_SWAP(info->var.rotate, info->var.yres, info->var.xres)) + return -EINVAL; + /* Make sure drawing engine can handle the font */ if (!(info->pixmap.blit_x & (1 << (font->width - 1))) || !(info->pixmap.blit_y & (1 << (font->height - 1)))) From 2823b3889dac79f71c74298430764d88b3fa423e Mon Sep 17 00:00:00 2001 From: Helge Deller Date: Sat, 25 Jun 2022 13:00:34 +0200 Subject: [PATCH 07/27] UPSTREAM: fbcon: Prevent that screen size is smaller than font size commit e64242caef18b4a5840b0e7a9bff37abd4f4f933 upstream. We need to prevent that users configure a screen size which is smaller than the currently selected font size. Otherwise rendering chars on the screen will access memory outside the graphics memory region. This patch adds a new function fbcon_modechange_possible() which implements this check and which later may be extended with other checks if necessary. The new function is called from the FBIOPUT_VSCREENINFO ioctl handler in fbmem.c, which will return -EINVAL if userspace asked for a too small screen size. Signed-off-by: Helge Deller Reviewed-by: Geert Uytterhoeven Cc: stable@vger.kernel.org # v5.4+ Signed-off-by: Greg Kroah-Hartman Bug: b81212828ad1 
Signed-off-by: Todd Kjos Change-Id: I6ac4cce2aeea4dcca222ea2b395cc2baa1008894 --- drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++ drivers/video/fbdev/core/fbmem.c | 4 +++- include/linux/fbcon.h | 4 ++++ 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 8d81e9321cf7..b4260a830e78 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2776,6 +2776,34 @@ void fbcon_update_vcs(struct fb_info *info, bool all) } EXPORT_SYMBOL(fbcon_update_vcs); +/* let fbcon check if it supports a new screen resolution */ +int fbcon_modechange_possible(struct fb_info *info, struct fb_var_screeninfo *var) +{ + struct fbcon_ops *ops = info->fbcon_par; + struct vc_data *vc; + unsigned int i; + + WARN_CONSOLE_UNLOCKED(); + + if (!ops) + return 0; + + /* prevent setting a screen size which is smaller than font size */ + for (i = first_fb_vc; i <= last_fb_vc; i++) { + vc = vc_cons[i].d; + if (!vc || vc->vc_mode != KD_TEXT || + registered_fb[con2fb_map[i]] != info) + continue; + + if (vc->vc_font.width > FBCON_SWAP(var->rotate, var->xres, var->yres) || + vc->vc_font.height > FBCON_SWAP(var->rotate, var->yres, var->xres)) + return -EINVAL; + } + + return 0; +} +EXPORT_SYMBOL_GPL(fbcon_modechange_possible); + int fbcon_mode_deleted(struct fb_info *info, struct fb_videomode *mode) { diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index f30a4fa26da4..3b3ccb235522 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1119,7 +1119,9 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, return -EFAULT; console_lock(); lock_fb_info(info); - ret = fb_set_var(info, &var); + ret = fbcon_modechange_possible(info, &var); + if (!ret) + ret = fb_set_var(info, &var); if (!ret) fbcon_update_vcs(info, var.activate & FB_ACTIVATE_ALL); unlock_fb_info(info); 
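Review bot: `registered_fb[con2fb_map[i]]` in the loop of fbcon_modechange_possible() uses the map entry as an array index without a range check; if con2fb_map[] can hold a negative "not mapped" value for a console that passes the `vc` and `KD_TEXT` tests, this reads before the start of registered_fb[]. The declaration and initialisation of con2fb_map are not in the hunk, so this needs confirming, but adding `con2fb_map[i] < 0 ||` ahead of the comparison would make the loop safe either way. Since the function is exported, a short kernel-doc comment stating that it must be called with the console lock held (the body asserts it with WARN_CONSOLE_UNLOCKED()) and that it returns 0 or -EINVAL would also help callers.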
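Review bot: In do_fb_ioctl(), fbcon_modechange_possible() is evaluated on the `var` copied from userspace before fb_set_var() runs, and fb_set_var() is where the driver gets to adjust the requested geometry (patch 05's description relies on that), so the resolution checked against the font is not necessarily the one that ends up applied. The check also guards only this ioctl path; any other caller of fb_set_var() would bypass the font-size test. Performing the check inside fb_set_var() after the driver's adjustment, or repeating it there, would close both gaps; the other call sites and their locking are not visible here, so that needs confirming. do_fb_ioctl() continues outside the hunk.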
diff --git a/include/linux/fbcon.h b/include/linux/fbcon.h index ff5596dd30f8..2382dec6d6ab 100644 --- a/include/linux/fbcon.h +++ b/include/linux/fbcon.h @@ -15,6 +15,8 @@ void fbcon_new_modelist(struct fb_info *info); void fbcon_get_requirement(struct fb_info *info, struct fb_blit_caps *caps); void fbcon_fb_blanked(struct fb_info *info, int blank); +int fbcon_modechange_possible(struct fb_info *info, + struct fb_var_screeninfo *var); void fbcon_update_vcs(struct fb_info *info, bool all); void fbcon_remap_all(struct fb_info *info); int fbcon_set_con2fb_map_ioctl(void __user *argp); @@ -33,6 +35,8 @@ static inline void fbcon_new_modelist(struct fb_info *info) {} static inline void fbcon_get_requirement(struct fb_info *info, struct fb_blit_caps *caps) {} static inline void fbcon_fb_blanked(struct fb_info *info, int blank) {} +static inline int fbcon_modechange_possible(struct fb_info *info, + struct fb_var_screeninfo *var) { return 0; } static inline void fbcon_update_vcs(struct fb_info *info, bool all) {} static inline void fbcon_remap_all(struct fb_info *info) {} static inline int fbcon_set_con2fb_map_ioctl(void __user *argp) { return 0; } From d257ef6764f228145d0fca24998162809bb5b9f7 Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Wed, 19 Oct 2022 08:25:34 -0700 Subject: [PATCH 08/27] ANDROID: vendor hook for TLB batching control Add vendor hook for flushing TLB batching in zap_pte_range. Bug: 238728493 Signed-off-by: Minchan Kim Change-Id: If2de5f070dd7b76624961f5a91440bf69a99ca2d --- drivers/android/vendor_hooks.c | 3 +++ include/trace/hooks/mm.h | 9 +++++++++ mm/memory.c | 6 +++++- 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/drivers/android/vendor_hooks.c b/drivers/android/vendor_hooks.c index 61b42b3ede98..1029e13d81bb 100644 --- a/drivers/android/vendor_hooks.c +++ b/drivers/android/vendor_hooks.c 
@@ -282,6 +282,9 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_get_from_fragment_pool); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_exclude_reserved_zone); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_include_reserved_zone); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_alloc_pages_slowpath); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_zap_pte_range_tlb_start); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_zap_pte_range_tlb_force_flush); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_zap_pte_range_tlb_end); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_cma_alloc_adjust); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_show_mem); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_print_slabinfo_header); diff --git a/include/trace/hooks/mm.h b/include/trace/hooks/mm.h index 58b56440e970..60fe3d30f80b 100644 --- a/include/trace/hooks/mm.h +++ b/include/trace/hooks/mm.h @@ -100,6 +100,15 @@ DECLARE_HOOK(android_vh_alloc_pages_slowpath, DECLARE_HOOK(android_vh_cma_alloc_adjust, TP_PROTO(struct zone *zone, bool *is_cma_alloc), TP_ARGS(zone, is_cma_alloc)); +DECLARE_HOOK(android_vh_zap_pte_range_tlb_start, + TP_PROTO(void *unused), + TP_ARGS(unused)); +DECLARE_HOOK(android_vh_zap_pte_range_tlb_force_flush, + TP_PROTO(struct page *page, bool *flush), + TP_ARGS(page, flush)); +DECLARE_HOOK(android_vh_zap_pte_range_tlb_end, + TP_PROTO(void *unused), + TP_ARGS(unused)); DECLARE_HOOK(android_vh_print_slabinfo_header, TP_PROTO(struct seq_file *m), TP_ARGS(m)); diff --git a/mm/memory.c b/mm/memory.c index a038d72a8110..f0fa06835537 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -1233,12 +1233,14 @@ static unsigned long zap_pte_range(struct mmu_gather *tlb, tlb_change_page_size(tlb, PAGE_SIZE); again: + trace_android_vh_zap_pte_range_tlb_start(NULL); init_rss_vec(rss); start_pte = pte_offset_map_lock(mm, pmd, addr, &ptl); pte = start_pte; flush_tlb_batched_pending(mm); arch_enter_lazy_mmu_mode(); do { + bool flush = false; pte_t ptent = *pte; if (pte_none(ptent)) continue; 
@@ -1279,8 +1281,9 @@ again: page_remove_rmap(page, false); if (unlikely(page_mapcount(page) < 0)) print_bad_pte(vma, addr, ptent, page); + trace_android_vh_zap_pte_range_tlb_force_flush(page, &flush); if (unlikely(__tlb_remove_page(tlb, page)) || - lru_cache_disabled()) { + lru_cache_disabled() || flush) { force_flush = 1; addr += PAGE_SIZE; break; @@ -1346,6 +1349,7 @@ again: tlb_flush_mmu(tlb); } + trace_android_vh_zap_pte_range_tlb_end(NULL); if (addr != end) { cond_resched(); goto again; From f45d10e83bd9abcb41542b2affda8e224611811d Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Wed, 19 Oct 2022 09:03:29 -0700 Subject: [PATCH 09/27] ANDROID: Update the ABI representation 3 function symbol(s) added 'int __traceiter_android_vh_zap_pte_range_tlb_end(void *, void *)' 'int __traceiter_android_vh_zap_pte_range_tlb_force_flush(void *, struct page *, bool *)' 'int __traceiter_android_vh_zap_pte_range_tlb_start(void *, void *)' 3 variable symbol(s) added 'struct tracepoint __tracepoint_android_vh_zap_pte_range_tlb_end' 'struct tracepoint __tracepoint_android_vh_zap_pte_range_tlb_force_flush' 'struct tracepoint __tracepoint_android_vh_zap_pte_range_tlb_start' Bug: 238728493 Signed-off-by: Minchan Kim Change-Id: Ic05e935faca01f8241af395726145966237708b4 --- android/abi_gki_aarch64.xml | 249 ++++++++++++++++++-------------- android/abi_gki_aarch64_generic | 6 + 2 files changed, 143 insertions(+), 112 deletions(-) diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml index 691612a1b91f..58ae42c81fb6 100644 --- a/android/abi_gki_aarch64.xml +++ b/android/abi_gki_aarch64.xml @@ -307,6 +307,9 @@ + + + @@ -3836,6 +3839,9 @@ + + + @@ -4957,7 +4963,7 @@ - + @@ -7021,7 +7027,7 @@ - + @@ -11633,7 +11639,7 @@ - + @@ -12140,7 +12146,7 @@ - + @@ -14242,7 +14248,7 @@ - + @@ -14538,7 +14544,7 @@ - + @@ -15896,7 +15902,7 @@ - + @@ -21391,7 +21397,7 @@ - + @@ -33485,7 +33491,7 @@ - + @@ -35954,13 +35960,13 @@ - + - + - + @@ -35984,7 +35990,7 @@ - + 
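Review bot: `trace_android_vh_zap_pte_range_tlb_force_flush(page, &flush)` is called per page inside the `do { } while` loop, which the first mm/memory.c hunk shows running after `pte_offset_map_lock()` and `arch_enter_lazy_mmu_mode()`, so the vendor handler executes with the page-table lock held and must not sleep or take locks that nest outside it. Nothing at the call site or in the hook declaration states that constraint; a comment such as `/* Called under the PTE lock for each page; the handler must be atomic and cheap. */` above the call would record it. The `_start` and `_end` hooks pass a bare `NULL` and fire on every `goto again` pass, which also deserves a line of documentation next to their DECLARE_HOOK entries in include/trace/hooks/mm.h. zap_pte_range() begins and ends outside these hunks.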
@@ -36002,13 +36008,13 @@ - + - + @@ -36017,7 +36023,7 @@ - + @@ -36026,7 +36032,7 @@ - + @@ -39090,7 +39096,7 @@ - + @@ -43352,7 +43358,7 @@ - + @@ -46376,7 +46382,7 @@ - + @@ -51078,7 +51084,7 @@ - + @@ -54389,7 +54395,7 @@ - + @@ -60240,7 +60246,7 @@ - + @@ -64648,7 +64654,7 @@ - + @@ -69442,7 +69448,7 @@ - + @@ -71441,15 +71447,7 @@ - - - - - - - - - + @@ -71463,7 +71461,7 @@ - + @@ -71471,7 +71469,7 @@ - + @@ -71479,12 +71477,12 @@ - + - + @@ -71492,7 +71490,7 @@ - + @@ -71500,7 +71498,7 @@ - + @@ -71520,7 +71518,7 @@ - + @@ -71528,7 +71526,7 @@ - + @@ -71539,7 +71537,7 @@ - + @@ -71547,7 +71545,7 @@ - + @@ -71555,7 +71553,7 @@ - + @@ -71563,7 +71561,7 @@ - + @@ -71577,7 +71575,7 @@ - + @@ -71606,7 +71604,7 @@ - + @@ -71617,7 +71615,7 @@ - + @@ -71625,7 +71623,7 @@ - + @@ -71633,7 +71631,7 @@ - + @@ -71641,7 +71639,7 @@ - + @@ -71649,7 +71647,7 @@ - + @@ -71660,7 +71658,7 @@ - + @@ -71668,7 +71666,7 @@ - + @@ -71679,7 +71677,7 @@ - + @@ -71690,7 +71688,7 @@ - + @@ -71704,7 +71702,7 @@ - + @@ -71712,7 +71710,7 @@ - + @@ -71729,7 +71727,7 @@ - + @@ -71737,7 +71735,7 @@ - + @@ -71745,7 +71743,7 @@ - + @@ -71753,7 +71751,7 @@ - + @@ -71779,12 +71777,12 @@ - + - + @@ -71825,7 +71823,7 @@ - + @@ -71833,7 +71831,7 @@ - + @@ -71841,7 +71839,7 @@ - + @@ -71849,6 +71847,14 @@ + + + + + + + + @@ -81662,10 +81668,10 @@ - + - + @@ -85105,7 +85111,7 @@ - + @@ -85507,7 +85513,7 @@ - + @@ -87676,7 +87682,7 @@ - + @@ -88037,7 +88043,7 @@ - + @@ -88771,7 +88777,7 @@ - + @@ -98843,7 +98849,7 @@ - + @@ -99072,7 +99078,7 @@ - + @@ -99243,7 +99249,7 @@ - + @@ -99342,7 +99348,7 @@ - + @@ -99351,7 +99357,7 @@ - + @@ -111286,6 +111292,22 @@ + + + + + + + + + + + + + + + + @@ -111539,6 +111561,9 @@ + + + @@ -124172,12 +124197,12 @@ - - - - - - + + + + + + @@ -127379,11 +127404,11 @@ - - - - - + + + + + @@ -128759,16 +128784,16 @@ - - - - + + + + - - - - + + + + @@ -128815,23 +128840,23 @@ - - - - + + + + - - - - + + + + - - - - - + + + + + 
diff --git a/android/abi_gki_aarch64_generic b/android/abi_gki_aarch64_generic index 57554e7100fc..6c012a295572 100644 --- a/android/abi_gki_aarch64_generic +++ b/android/abi_gki_aarch64_generic @@ -2292,6 +2292,9 @@ __traceiter_android_vh_ufs_update_sysfs __traceiter_android_vh_usb_dev_resume __traceiter_android_vh_usb_dev_suspend + __traceiter_android_vh_zap_pte_range_tlb_end + __traceiter_android_vh_zap_pte_range_tlb_force_flush + __traceiter_android_vh_zap_pte_range_tlb_start __traceiter_clock_set_rate __traceiter_cpu_frequency __traceiter_device_pm_callback_end @@ -2410,6 +2413,9 @@ __tracepoint_android_vh_ufs_update_sysfs __tracepoint_android_vh_usb_dev_resume __tracepoint_android_vh_usb_dev_suspend + __tracepoint_android_vh_zap_pte_range_tlb_end + __tracepoint_android_vh_zap_pte_range_tlb_force_flush + __tracepoint_android_vh_zap_pte_range_tlb_start __tracepoint_clock_set_rate __tracepoint_cpu_frequency __tracepoint_device_pm_callback_end From 74e2ea264cd1895c493b9008b62bfea98dacf3f6 Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Thu, 20 Oct 2022 16:03:35 -0700 Subject: [PATCH 10/27] ANDROID: vendor hook to control bh_lru and lru_cache_disable Add vendor hook for bh_lru and lru_cache_disable Bug: 238728493 Signed-off-by: Minchan Kim Change-Id: I81bfad317cf6e8633186ebb3238644306d7a102d --- drivers/android/vendor_hooks.c | 3 +++ fs/buffer.c | 7 +++++++ include/trace/hooks/buffer.h | 22 ++++++++++++++++++++++ include/trace/hooks/mm.h | 3 +++ mm/page_alloc.c | 9 +++++++-- 5 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 include/trace/hooks/buffer.h diff --git a/drivers/android/vendor_hooks.c b/drivers/android/vendor_hooks.c index 1029e13d81bb..442537ee4fc1 100644 --- a/drivers/android/vendor_hooks.c +++ b/drivers/android/vendor_hooks.c @@ -61,6 +61,7 @@ #include #include #include +#include #ifdef __GENKSYMS__ #include #endif 
@@ -285,6 +286,8 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_alloc_pages_slowpath); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_zap_pte_range_tlb_start); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_zap_pte_range_tlb_force_flush); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_zap_pte_range_tlb_end); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_bh_lru_install); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_skip_lru_disable); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_cma_alloc_adjust); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_show_mem); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_print_slabinfo_header); diff --git a/fs/buffer.c b/fs/buffer.c index 13dd0f71f762..029e806a85bd 100644 --- a/fs/buffer.c +++ b/fs/buffer.c @@ -51,6 +51,8 @@ #include "internal.h" +#include + static int fsync_buffers_list(spinlock_t *lock, struct list_head *list); static int submit_bh_wbc(int op, int op_flags, struct buffer_head *bh, enum rw_hint hint, struct writeback_control *wbc); @@ -1262,6 +1264,7 @@ static void bh_lru_install(struct buffer_head *bh) struct buffer_head *evictee = bh; struct bh_lru *b; int i; + bool skip = false; check_irqs_on(); /* @@ -1273,6 +1276,10 @@ static void bh_lru_install(struct buffer_head *bh) if (lru_cache_disabled()) return; + trace_android_vh_bh_lru_install(bh->b_page, &skip); + if (skip) + return; + bh_lru_lock(); b = this_cpu_ptr(&bh_lrus); diff --git a/include/trace/hooks/buffer.h b/include/trace/hooks/buffer.h new file mode 100644 index 000000000000..50e8f71dab9f --- /dev/null +++ b/include/trace/hooks/buffer.h 
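Review bot: The new early return in bh_lru_install() (`if (skip) return;`) has no comment, unlike the `lru_cache_disabled()` return just above it, which follows a block comment that starts in the previous hunk. The hook is called with `bh->b_page` before `bh_lru_lock()` is taken, so a handler that sets `*skip` keeps this buffer head out of the per-CPU `bh_lrus` entirely. A line such as `/* vendor hook may veto per-CPU LRU caching of this bh */` above the call would make that explicit. The function body continues outside the hunk.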
@@ -0,0 +1,22 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#undef TRACE_SYSTEM +#define TRACE_SYSTEM buffer + +#define TRACE_INCLUDE_PATH trace/hooks + +#if !defined(_TRACE_HOOK_BUFFER_H) || defined(TRACE_HEADER_MULTI_READ) +#define _TRACE_HOOK_BUFFER_H + +#include +#include + +DECLARE_HOOK(android_vh_bh_lru_install, + TP_PROTO(struct page *page, bool *flush), + TP_ARGS(page, flush)); + +/* macro versions of hooks are no longer required */ + +#endif /* _TRACE_HOOK_BUFFER_H */ + +/* This part must be outside protection */ +#include diff --git a/include/trace/hooks/mm.h b/include/trace/hooks/mm.h index 60fe3d30f80b..94d18851fc2a 100644 --- a/include/trace/hooks/mm.h +++ b/include/trace/hooks/mm.h @@ -109,6 +109,9 @@ DECLARE_HOOK(android_vh_zap_pte_range_tlb_force_flush, DECLARE_HOOK(android_vh_zap_pte_range_tlb_end, TP_PROTO(void *unused), TP_ARGS(unused)); +DECLARE_HOOK(android_vh_skip_lru_disable, + TP_PROTO(bool *skip), + TP_ARGS(skip)); DECLARE_HOOK(android_vh_print_slabinfo_header, TP_PROTO(struct seq_file *m), TP_ARGS(m)); diff --git a/mm/page_alloc.c b/mm/page_alloc.c index bebdf55d7272..6a28798a3d61 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -8826,6 +8826,8 @@ static int __alloc_contig_migrate_range(struct compact_control *cc, unsigned int tries = 0; unsigned int max_tries = 5; int ret = 0; + bool skip = false; + struct page *page; struct migration_target_control mtc = { .nid = zone_to_nid(cc->zone), @@ -8835,7 +8837,9 @@ static int __alloc_contig_migrate_range(struct compact_control *cc, if (cc->alloc_contig && cc->mode == MIGRATE_ASYNC) max_tries = 1; - lru_cache_disable(); + trace_android_vh_skip_lru_disable(&skip); + if (!skip) + lru_cache_disable(); while (pfn < end || !list_empty(&cc->migratepages)) { if (fatal_signal_pending(current)) { 
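Review bot: In include/trace/hooks/buffer.h the out-parameter of `android_vh_bh_lru_install` is named `flush`, but the only caller in this patch (fs/buffer.c) passes `&skip` and returns early when it is set. The name looks carried over from `android_vh_zap_pte_range_tlb_force_flush` and will mislead handler authors about what setting it does. `TP_PROTO(struct page *page, bool *skip), TP_ARGS(page, skip));` matches the call site.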
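Review bot: `struct page *page;` is added to __alloc_contig_migrate_range() in the `@@ -8826` hunk, but none of the three mm/page_alloc.c hunks of this patch reads or writes it. Unless code outside the hunks uses it, this is an unused local that will raise `-Wunused-variable`, and the line should be dropped. The function body extends beyond the hunks, so a use elsewhere cannot be ruled out from here.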
@@ -8870,7 +8874,8 @@ static int __alloc_contig_migrate_range(struct compact_control *cc, info->nr_migrated += cc->nr_migratepages; } - lru_cache_enable(); + if (!skip) + lru_cache_enable(); if (ret < 0) { if (ret == -EBUSY) { alloc_contig_dump_pages(&cc->migratepages); From 6e0df30312948a671436e084074ed72bf8abb78b Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Fri, 21 Oct 2022 09:49:34 -0700 Subject: [PATCH 11/27] ANDROID: Update the ABI representation 2 function symbol(s) added 'int __traceiter_android_vh_bh_lru_install(void *, struct page *, bool *)' 'int __traceiter_android_vh_skip_lru_disable(void *, bool *)' 2 variable symbol(s) added 'struct tracepoint __tracepoint_android_vh_bh_lru_install' 'struct tracepoint __tracepoint_android_vh_skip_lru_disable' Bug: 238728493 Signed-off-by: Minchan Kim Change-Id: I8969b67398496e69a816ad8cd5af081e2e90dbff --- android/abi_gki_aarch64.xml | 419 +++++++++++++++++--------------- android/abi_gki_aarch64_generic | 4 + 2 files changed, 222 insertions(+), 201 deletions(-) diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml index 58ae42c81fb6..6a96fd7c4a3e 100644 --- a/android/abi_gki_aarch64.xml +++ b/android/abi_gki_aarch64.xml @@ -254,6 +254,7 @@ + @@ -284,6 +285,7 @@ + @@ -3786,6 +3788,7 @@ + @@ -3816,6 +3819,7 @@ + @@ -4931,7 +4935,7 @@ - + @@ -4963,7 +4967,7 @@ - + @@ -7027,7 +7031,7 @@ - + @@ -8904,7 +8908,7 @@ - + @@ -11639,7 +11643,7 @@ - + @@ -12146,7 +12150,7 @@ - + @@ -14248,7 +14252,7 @@ - + @@ -14544,7 +14548,7 @@ - + @@ -15902,7 +15906,7 @@ - + @@ -21397,7 +21401,7 @@ - + @@ -26250,7 +26254,7 @@ - + @@ -33491,7 +33495,7 @@ - + @@ -35960,13 +35964,13 @@ - + - + - + @@ -35990,7 +35994,7 @@ - + @@ -36008,13 +36012,13 @@ - + - + @@ -36023,7 +36027,7 @@ - + @@ -36032,7 +36036,7 @@ - + @@ -39096,7 +39100,7 @@ - + @@ -43358,7 +43362,7 @@ - + @@ -46382,7 +46386,7 @@ - + @@ -51084,7 +51088,7 @@ - + @@ -54395,7 +54399,7 @@ - + @@ -60246,7 +60250,7 @@ - + @@ -61759,7 +61763,7 @@ - + 
@@ -61850,7 +61854,7 @@ - + @@ -64654,7 +64658,7 @@ - + @@ -69448,7 +69452,7 @@ - + @@ -71447,7 +71451,15 @@ - + + + + + + + + + @@ -71461,7 +71473,7 @@ - + @@ -71469,7 +71481,7 @@ - + @@ -71477,12 +71489,12 @@ - + - + @@ -71490,7 +71502,7 @@ - + @@ -71498,7 +71510,7 @@ - + @@ -71518,7 +71530,7 @@ - + @@ -71526,7 +71538,7 @@ - + @@ -71537,7 +71549,7 @@ - + @@ -71545,7 +71557,7 @@ - + @@ -71553,7 +71565,7 @@ - + @@ -71561,7 +71573,7 @@ - + @@ -71575,7 +71587,7 @@ - + @@ -71604,7 +71616,7 @@ - + @@ -71615,7 +71627,7 @@ - + @@ -71623,7 +71635,7 @@ - + @@ -71631,7 +71643,7 @@ - + @@ -71639,7 +71651,7 @@ - + @@ -71647,7 +71659,7 @@ - + @@ -71658,7 +71670,7 @@ - + @@ -71666,7 +71678,7 @@ - + @@ -71677,7 +71689,7 @@ - + @@ -71688,7 +71700,7 @@ - + @@ -71702,7 +71714,7 @@ - + @@ -71710,7 +71722,7 @@ - + @@ -71727,7 +71739,7 @@ - + @@ -71735,7 +71747,7 @@ - + @@ -71743,7 +71755,7 @@ - + @@ -71751,7 +71763,7 @@ - + @@ -71777,12 +71789,12 @@ - + - + @@ -71823,7 +71835,7 @@ - + @@ -71831,7 +71843,7 @@ - + @@ -71839,7 +71851,7 @@ - + @@ -71847,14 +71859,6 @@ - - - - - - - - @@ -71916,27 +71920,27 @@ - + - + - + - + - + - + - + @@ -71952,22 +71956,22 @@ - + - + - + - + - + - + @@ -72026,36 +72030,36 @@ - + - + - + - + - + - + - + - + - + - + @@ -72066,7 +72070,7 @@ - + @@ -72090,96 +72094,96 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -76837,7 +76841,7 @@ - + @@ -81668,10 +81672,10 @@ - + - + @@ -85111,7 +85115,7 @@ - + @@ -85513,7 +85517,7 @@ - + @@ -86960,7 +86964,7 @@ - + @@ -87040,22 +87044,22 @@ - + - + - + - + - + - + @@ -87682,7 +87686,7 @@ - + @@ -88043,7 +88047,7 @@ - + @@ -88777,7 +88781,7 @@ - + @@ -98849,7 +98853,7 @@ - + @@ -99078,7 +99082,7 @@ - + @@ -99249,7 +99253,7 @@ - + @@ -99348,7 +99352,7 @@ - + @@ -99357,7 +99361,7 @@ - + @@ -99502,7 +99506,7 @@ - + @@ -99510,7 +99514,7 @@ - + @@ -99518,7 +99522,7 @@ - + @@ -99526,12 +99530,12 @@ - + - + @@ -99539,7 +99543,7 @@ - + 
@@ -99550,7 +99554,7 @@ - + @@ -99558,18 +99562,18 @@ - + - + - - + + @@ -99583,12 +99587,12 @@ - + - + @@ -99596,12 +99600,12 @@ - + - + @@ -99609,12 +99613,12 @@ - + - + @@ -99631,7 +99635,7 @@ - + @@ -99639,7 +99643,7 @@ - + @@ -99647,12 +99651,12 @@ - + - + @@ -99660,7 +99664,7 @@ - + @@ -99668,7 +99672,7 @@ - + @@ -99685,12 +99689,12 @@ - + - + @@ -99716,7 +99720,7 @@ - + @@ -99727,7 +99731,7 @@ - + @@ -99747,7 +99751,7 @@ - + @@ -99770,7 +99774,7 @@ - + @@ -99784,12 +99788,12 @@ - + - + @@ -99800,7 +99804,7 @@ - + @@ -99814,7 +99818,7 @@ - + @@ -99825,7 +99829,7 @@ - + @@ -99839,7 +99843,7 @@ - + @@ -99853,12 +99857,12 @@ - + - + @@ -99866,7 +99870,7 @@ - + @@ -99880,7 +99884,7 @@ - + @@ -99888,7 +99892,7 @@ - + @@ -99899,7 +99903,7 @@ - + @@ -99916,7 +99920,7 @@ - + @@ -99936,7 +99940,7 @@ - + @@ -99953,7 +99957,7 @@ - + @@ -99964,7 +99968,7 @@ - + @@ -99972,7 +99976,7 @@ - + @@ -99980,7 +99984,7 @@ - + @@ -99988,7 +99992,7 @@ - + @@ -100002,7 +100006,7 @@ - + @@ -100010,7 +100014,7 @@ - + @@ -100021,7 +100025,7 @@ - + @@ -100038,7 +100042,7 @@ - + @@ -104848,7 +104852,7 @@ - + @@ -107717,7 +107721,7 @@ - + @@ -110950,6 +110954,12 @@ + + + + + + @@ -111143,6 +111153,11 @@ + + + + + @@ -111508,6 +111523,7 @@ + @@ -111538,6 +111554,7 @@ + diff --git a/android/abi_gki_aarch64_generic b/android/abi_gki_aarch64_generic index 6c012a295572..dd002bf38e0c 100644 --- a/android/abi_gki_aarch64_generic +++ b/android/abi_gki_aarch64_generic @@ -2241,6 +2241,7 @@ __traceiter_android_rvh_update_rt_rq_load_avg __traceiter_android_rvh_util_est_update __traceiter_android_vh_arch_set_freq_scale + __traceiter_android_vh_bh_lru_install __traceiter_android_vh_cma_alloc_adjust __traceiter_android_vh_cma_alloc_finish __traceiter_android_vh_cma_alloc_start 
@@ -2269,6 +2270,7 @@ __traceiter_android_vh_scheduler_tick __traceiter_android_vh_setscheduler_uclamp __traceiter_android_vh_show_max_freq + __traceiter_android_vh_skip_lru_disable __traceiter_android_vh_snd_compr_use_pause_in_drain __traceiter_android_vh_sound_usb_support_cpu_suspend __traceiter_android_vh_sysrq_crash @@ -2362,6 +2364,7 @@ __tracepoint_android_rvh_update_rt_rq_load_avg __tracepoint_android_rvh_util_est_update __tracepoint_android_vh_arch_set_freq_scale + __tracepoint_android_vh_bh_lru_install __tracepoint_android_vh_cma_alloc_adjust __tracepoint_android_vh_cma_alloc_finish __tracepoint_android_vh_cma_alloc_start @@ -2390,6 +2393,7 @@ __tracepoint_android_vh_scheduler_tick __tracepoint_android_vh_setscheduler_uclamp __tracepoint_android_vh_show_max_freq + __tracepoint_android_vh_skip_lru_disable __tracepoint_android_vh_snd_compr_use_pause_in_drain __tracepoint_android_vh_sound_usb_support_cpu_suspend __tracepoint_android_vh_sysrq_crash From 4ae8e2c20f97a026396a88ac7105a59c828ab5ce Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 28 Sep 2022 21:56:15 +0200 Subject: [PATCH 12/27] UPSTREAM: wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans() commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream. In the copy code of the elements, we do the following calculation to reach the end of the MBSSID element: /* copy the IEs after MBSSID */ cpy_len = mbssid[1] + 2; This looks fine, however, cpy_len is a u8, the same as mbssid[1], so the addition of two can overflow. In this case the subsequent memcpy() will overflow the allocated buffer, since it copies 256 bytes too much due to the way the allocation and memcpy() sizes are calculated. Fix this by using size_t for the cpy_len variable. This fixes CVE-2022-41674. Bug: 253641805 Reported-by: Soenke Huster Tested-by: Soenke Huster Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Reviewed-by: Kees Cook Signed-off-by: Johannes Berg 
Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: I70d3a1188609751797cbabe905028d92d1700f17 --- net/wireless/scan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index fd614a5a00b4..bde2e647bc3a 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2219,7 +2219,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, size_t new_ie_len; struct cfg80211_bss_ies *new_ies; const struct cfg80211_bss_ies *old; - u8 cpy_len; + size_t cpy_len; lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock); From d96c2b5944cc4f09bdb597681dbbb0d7b6dba9b1 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 28 Sep 2022 22:01:37 +0200 Subject: [PATCH 13/27] UPSTREAM: wifi: cfg80211/mac80211: reject bad MBSSID elements commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream. Per spec, the maximum value for the MaxBSSID ('n') indicator is 8, and the minimum is 1 since a multiple BSSID set with just one BSSID doesn't make sense (the # of BSSIDs is limited by 2^n). Limit this in the parsing in both cfg80211 and mac80211, rejecting any elements with an invalid value. This fixes potentially bad shifts in the processing of these inside the cfg80211_gen_new_bssid() function later. I found this during the investigation of CVE-2022-41674 fixed by the previous patch. Bug: 253641805 Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Fixes: 78ac51f81532 ("mac80211: support multi-bssid") Reviewed-by: Kees Cook Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: I7aa0b1a425fcf3a7797e83afa8ad6dd68b283b48 --- net/mac80211/util.c | 2 ++ net/wireless/scan.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/net/mac80211/util.c b/net/mac80211/util.c index a1f129292ad8..11d5686893c6 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c 
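Review bot: The declaration `size_t cpy_len;` carries no hint of why it must not be a `u8`, so a later cleanup could narrow it again. Per the commit message it receives `mbssid[1] + 2`, which no longer fits in eight bits once the length byte is 254 or 255. A comment on the declaration such as `/* holds mbssid[1] + 2, which can exceed U8_MAX */` would pin that. The assignment and the memcpy() that consumes it lie outside this hunk, so the sizes used there cannot be checked from here.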
@@ -1409,6 +1409,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len, for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) { if (elem->datalen < 2) continue; + if (elem->data[0] < 1 || elem->data[0] > 8) + continue; for_each_element(sub, elem->data + 1, elem->datalen - 1) { u8 new_bssid[ETH_ALEN]; diff --git a/net/wireless/scan.c b/net/wireless/scan.c index bde2e647bc3a..555e3867c23a 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2084,6 +2084,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy, for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) { if (elem->datalen < 4) continue; + if (elem->data[0] < 1 || (int)elem->data[0] > 8) + continue; for_each_element(sub, elem->data + 1, elem->datalen - 1) { u8 profile_len; From d56839bb09e63a394d7bb91d0ff1965537266f2f Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Thu, 29 Sep 2022 21:50:44 +0200 Subject: [PATCH 14/27] UPSTREAM: wifi: cfg80211: ensure length byte is present before access commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream. When iterating the elements here, ensure the length byte is present before checking it to see if the entire element will fit into the buffer. Longer term, we should rewrite this code using the type-safe element iteration macros that check all of this. Bug: 254180332 Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Reported-by: Soenke Huster Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: I6ece37c57ca56462566adbcac6def6b35dc5b799 --- net/wireless/scan.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 555e3867c23a..173f27e5c993 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c 
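Review bot: The new MaxBSSID range check uses bare literals and is spelled differently in the two files: net/mac80211/util.c has `elem->data[0] > 8` while net/wireless/scan.c has `(int)elem->data[0] > 8`. The cast changes nothing, because the byte is promoted to `int` for the comparison anyway, so both sites can read `if (elem->data[0] < 1 || elem->data[0] > 8)`. Naming the two bounds once in a shared header (the identifiers would be new) would keep the two parsers from drifting apart. In both files the check sits after the existing `datalen` test, so `data[0]` is in bounds when it is read.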
@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie; - while (tmp_old + tmp_old[1] + 2 - ie <= ielen) { + while (tmp_old + 2 - ie <= ielen && + tmp_old + tmp_old[1] + 2 - ie <= ielen) { if (tmp_old[0] == 0) { tmp_old++; continue; @@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, * copied to new ie, skip ssid, capability, bssid-index ie */ tmp_new = sub_copy; - while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { + while (tmp_new + 2 - sub_copy <= subie_len && + tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP || tmp_new[0] == WLAN_EID_SSID)) { memcpy(pos, tmp_new, tmp_new[1] + 2); From 1e18328c84a58aa50db10e8e41cc4be8555f227d Mon Sep 17 00:00:00 2001 
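Review bot: Both rewritten `while` conditions in cfg80211_gen_new_ie() depend on evaluation order. The first clause (`tmp_old + 2 - ie <= ielen`, `tmp_new + 2 - sub_copy <= subie_len`) must stay first because it is what makes the read of `tmp_old[1]` / `tmp_new[1]` in the second clause safe. The code does not say so; a comment above each loop, such as `/* id and length bytes must lie inside the buffer before [1] is read */`, would stop someone reordering or merging the clauses. The loop bodies continue outside the hunks, so the destination bound for `memcpy(pos, tmp_new, ...)` in the second loop is not visible here.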
From: Johannes Berg Date: Fri, 30 Sep 2022 23:44:23 +0200 Subject: [PATCH 15/27] UPSTREAM: wifi: cfg80211: fix BSS refcounting bugs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream. There are multiple refcounting bugs related to multi-BSSID: - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then the bss pointer is overwritten before checking for the transmitted BSS, which is clearly wrong. Fix this by using the bss_from_pub() macro. - In cfg80211_bss_update() we copy the transmitted_bss pointer from tmp into new, but then if we release new, we'll unref it erroneously. We already set the pointer and ref it, but need to NULL it since it was copied from the tmp data. - In cfg80211_inform_single_bss_data(), if adding to the non- transmitted list fails, we unlink the BSS and yet still we return it, but this results in returning an entry without a reference. We shouldn't return it anyway if it was broken enough to not get added there. This fixes CVE-2022-42720. Bug: 253642015 Reported-by: Sönke Huster Tested-by: Sönke Huster Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: I408bf72ca59b6ffbe2aba460f3e9326bf1c94eec --- net/wireless/scan.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 173f27e5c993..b732281a3757 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c 
@@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cfg80211_registered_device *rdev, lockdep_assert_held(&rdev->bss_lock); bss->refcount++; - if (bss->pub.hidden_beacon_bss) { - bss = container_of(bss->pub.hidden_beacon_bss, - struct cfg80211_internal_bss, - pub); - bss->refcount++; - } - if (bss->pub.transmitted_bss) { - bss = container_of(bss->pub.transmitted_bss, - struct cfg80211_internal_bss, - pub); - bss->refcount++; - } + + if (bss->pub.hidden_beacon_bss) + bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++; + + if (bss->pub.transmitted_bss) + bss_from_pub(bss->pub.transmitted_bss)->refcount++; } static inline void bss_ref_put(struct cfg80211_registered_device *rdev, @@ -1729,6 +1723,8 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev, new->refcount = 1; INIT_LIST_HEAD(&new->hidden_list); INIT_LIST_HEAD(&new->pub.nontrans_list); + /* we'll set this later if it was non-NULL */ + new->pub.transmitted_bss = NULL; if (rcu_access_pointer(tmp->pub.proberesp_ies)) { hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN); @@ -1965,9 +1961,14 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy, */ if (cfg80211_add_nontrans_list(non_tx_data->tx_bss, &res->pub)) { - if (__cfg80211_unlink_bss(rdev, res)) + if (__cfg80211_unlink_bss(rdev, res)) { rdev->bss_generation++; + res = NULL; + } } + + if (!res) + return NULL; } trace_cfg80211_return_bss(&res->pub); From 88b3da7668d4fb700003edd9de285b050c02848a Mon Sep 17 00:00:00 2001 
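Review bot: In the cfg80211_inform_single_bss_data() hunk, `res` is set to NULL only when `__cfg80211_unlink_bss()` returns true. If `cfg80211_add_nontrans_list()` fails and the unlink returns false, `res` is still traced and returned. The commit message says an entry that could not be added should not be returned at all, so either that combination cannot occur or it is unhandled; what a false return from `__cfg80211_unlink_bss()` means is not visible in this hunk. If keeping `res` is intended, a comment on the inner `if` such as `/* unlink failed: entry stays linked, so res is still valid to return */` would record it. Otherwise `res = NULL;` belongs outside the inner condition, with the reference handling reviewed accordingly.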
From: Johannes Berg Date: Sat, 1 Oct 2022 00:01:44 +0200 Subject: [PATCH 16/27] UPSTREAM: wifi: cfg80211: avoid nontransmitted BSS list corruption MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit bcca852027e5878aec911a347407ecc88d6fff7f upstream. If a non-transmitted BSS shares enough information (both SSID and BSSID!) with another non-transmitted BSS of a different AP, then we can find and update it, and then try to add it to the non-transmitted BSS list. We do a search for it on the transmitted BSS, but if it's not there (but belongs to another transmitted BSS), the list gets corrupted. Since this is an erroneous situation, simply fail the list insertion in this case and free the non-transmitted BSS. This fixes CVE-2022-42721. Bug: 253642088 Reported-by: Sönke Huster Tested-by: Sönke Huster Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: If83261f8b711f5ad0ce922abea2c35fedbc36c39 --- net/wireless/scan.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index b732281a3757..551fe8c476e1 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss, rcu_read_unlock(); + /* + * This is a bit weird - it's not on the list, but already on another + * one! The only way that could happen is if there's some BSSID/SSID + * shared by multiple APs in their multi-BSSID profiles, potentially + * with hidden SSID mixed in ... ignore it. + */ + if (!list_empty(&nontrans_bss->nontrans_list)) + return -EINVAL; + /* add to the list */ list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); return 0; From 7e9ccb517ab92d0b2b39f0cbb9108dc1c0eb131a Mon Sep 17 00:00:00 2001 
From: Johannes Berg Date: Wed, 5 Oct 2022 15:10:09 +0200 Subject: [PATCH 17/27] UPSTREAM: wifi: mac80211_hwsim: avoid mac80211 warning on bad rate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 1833b6f46d7e2830251a063935ab464256defe22 upstream. If the tool on the other side (e.g. wmediumd) gets confused about the rate, we hit a warning in mac80211. Silence that by effectively duplicating the check here and dropping the frame silently (in mac80211 it's dropped with the warning). Bug: 254180332 Reported-by: Sönke Huster Tested-by: Sönke Huster Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: Ieb3a258b998aca815efc5d09492ce66e461b5b88 --- drivers/net/wireless/mac80211_hwsim.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 9157257925e1..94ac50ea6956 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -3678,6 +3678,8 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2, rx_status.band = channel->band; rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]); + if (rx_status.rate_idx >= data2->hw->wiphy->bands[rx_status.band]->n_bitrates) + goto out; rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]); hdr = (void *)skb->data; From 4bff45998e6cdaf54b1711f98612d5b37cdc1a3a Mon Sep 17 00:00:00 2001 
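Review bot: The added bound check dereferences `data2->hw->wiphy->bands[rx_status.band]` without a NULL test, while `rate_idx` is taken directly from the `HWSIM_ATTR_RX_RATE` netlink attribute. If `channel` always comes from this wiphy's own band tables the pointer cannot be NULL, but that lookup is outside the hunk. A comment such as `/* channel belongs to data2's wiphy, so bands[band] is non-NULL */` would record the assumption, or the pointer can be tested before use. Pulling the band into a local (`const struct ieee80211_supported_band *sband = ...;`) would also bring the line back under the usual length limit.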
From: Johannes Berg Date: Wed, 5 Oct 2022 21:24:10 +0200 Subject: [PATCH 18/27] UPSTREAM: wifi: mac80211: fix crash in beacon protection for P2P-device MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream. If beacon protection is active but the beacon cannot be decrypted or is otherwise malformed, we call the cfg80211 API to report this to userspace, but that uses a netdev pointer, which isn't present for P2P-Device. Fix this to call it only conditionally to ensure cfg80211 won't crash in the case of P2P-Device. This fixes CVE-2022-42722. Bug: 253642089 Reported-by: Sönke Huster Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: Ie3336b950136e26debbe835f97ad450d03f6baad --- net/mac80211/rx.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 1e7614abd947..c033ac60c41f 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -1976,10 +1976,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS || mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS + - NUM_DEFAULT_BEACON_KEYS) { - cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, - skb->data, - skb->len); + NUM_DEFAULT_BEACON_KEYS) { + if (rx->sdata->dev) + cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, + skb->data, + skb->len); return RX_DROP_MONITOR; /* unexpected BIP keyidx */ } 
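Review bot: The `rx->sdata->dev` guard is repeated at both `cfg80211_rx_unprot_mlme_mgmt()` call sites in ieee80211_rx_h_decrypt() (this hunk and the `@@ -2127` hunk), and neither has a comment saying when `dev` is NULL. The commit message gives the reason, that a P2P-Device interface has no netdev. Putting `/* P2P-Device has no netdev to report on */` at the first check, or folding the test into one small static helper used by both sites, would keep a future third call site from missing it. Most of the function body lies outside the hunks.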
@@ -2127,7 +2128,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) /* either the frame has been decrypted or will be dropped */ status->flag |= RX_FLAG_DECRYPTED; - if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE)) + if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE && + rx->sdata->dev)) cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, skb->data, skb->len); From 13c3ed22feeb25d6cda5157dbd3cf184960b6a07 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 5 Oct 2022 23:11:43 +0200 Subject: [PATCH 19/27] UPSTREAM: wifi: cfg80211: update hidden BSSes to avoid WARN_ON MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit c90b93b5b782891ebfda49d4e5da36632fefd5d1 upstream. When updating beacon elements in a non-transmitted BSS, also update the hidden sub-entries to the same beacon elements, so that a future update through other paths won't trigger a WARN_ON(). The warning is triggered because the beacon elements in the hidden BSSes that are children of the BSS should always be the same as in the parent. Bug: 254180332 Reported-by: Sönke Huster Tested-by: Sönke Huster Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: Iea4669ba97b926dfa67e9592b3a263d3f18508e5 --- net/wireless/scan.c | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 551fe8c476e1..45f0ec0398af 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c 
@@ -1595,6 +1595,23 @@ struct cfg80211_non_tx_bss { u8 bssid_index; }; +static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known, + const struct cfg80211_bss_ies *new_ies, + const struct cfg80211_bss_ies *old_ies) +{ + struct cfg80211_internal_bss *bss; + + /* Assign beacon IEs to all sub entries */ + list_for_each_entry(bss, &known->hidden_list, hidden_list) { + const struct cfg80211_bss_ies *ies; + + ies = rcu_access_pointer(bss->pub.beacon_ies); + WARN_ON(ies != old_ies); + + rcu_assign_pointer(bss->pub.beacon_ies, new_ies); + } +} + static bool cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, struct cfg80211_internal_bss *known, @@ -1618,7 +1635,6 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); } else if (rcu_access_pointer(new->pub.beacon_ies)) { const struct cfg80211_bss_ies *old; - struct cfg80211_internal_bss *bss; if (known->pub.hidden_beacon_bss && !list_empty(&known->hidden_list)) { @@ -1646,16 +1662,7 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, if (old == rcu_access_pointer(known->pub.ies)) rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies); - /* Assign beacon IEs to all sub entries */ - list_for_each_entry(bss, &known->hidden_list, hidden_list) { - const struct cfg80211_bss_ies *ies; - - ies = rcu_access_pointer(bss->pub.beacon_ies); - WARN_ON(ies != old); - - rcu_assign_pointer(bss->pub.beacon_ies, - new->pub.beacon_ies); - } + cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old); if (old) kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); 
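Review bot: The new helper cfg80211_update_hidden_bsses() keeps the `WARN_ON(ies != old_ies)` that the commit message says was being hit, and it has no comment on locking or ownership. The beacon elements handled here come from received frames, so `WARN_ON_ONCE(ies != old_ies);` would be the safer form on systems that treat warnings as fatal, assuming the condition can still be reached from some path. A header comment should state that the caller holds whatever lock protects `hidden_list` (not visible in the hunk). It should also say that the caller still owns `old_ies`, which both call sites in this patch free with `kfree_rcu()` after the call.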
@@ -2300,6 +2307,8 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, } else { old = rcu_access_pointer(nontrans_bss->beacon_ies); rcu_assign_pointer(nontrans_bss->beacon_ies, new_ies); + cfg80211_update_hidden_bsses(bss_from_pub(nontrans_bss), + new_ies, old); rcu_assign_pointer(nontrans_bss->ies, new_ies); if (old) kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); From 12bd079b610a18e0294a6e579962f96fd0eb1e76 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 14 Oct 2022 18:41:48 +0200 Subject: [PATCH 20/27] UPSTREAM: mac80211: mlme: find auth challenge directly There's no need to parse all elements etc. just to find the authentication challenge - use cfg80211_find_elem() instead. This also allows us to remove WLAN_EID_CHALLENGE handling from the element parsing entirely. Bug: 254180332 Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones (cherry picked from commit 66dacdbc2e830e1187bf0f1171ca257d816ab7e3) Change-Id: Ife49cbad96bb43064449d93b8f8ada9db24be540 --- net/mac80211/ieee80211_i.h | 2 -- net/mac80211/mlme.c | 11 ++++++----- net/mac80211/util.c | 4 ---- 3 files changed, 6 insertions(+), 11 deletions(-) diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index fe8f586886b4..28282b0d82a6 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -1480,7 +1480,6 @@ struct ieee802_11_elems { const u8 *supp_rates; const u8 *ds_params; const struct ieee80211_tim_ie *tim; - const u8 *challenge; const u8 *rsn; const u8 *rsnx; const u8 *erp_info; @@ -1533,7 +1532,6 @@ struct ieee802_11_elems { u8 ssid_len; u8 supp_rates_len; u8 tim_len; - u8 challenge_len; u8 rsn_len; u8 rsnx_len; u8 ext_supp_rates_len; diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 0dba353d3f8f..6ae97707770f 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c 
@@ -2899,14 +2899,14 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata, { struct ieee80211_local *local = sdata->local; struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data; + const struct element *challenge; u8 *pos; - struct ieee802_11_elems elems; u32 tx_flags = 0; pos = mgmt->u.auth.variable; - ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, - mgmt->bssid, auth_data->bss->bssid); - if (!elems.challenge) + challenge = cfg80211_find_elem(WLAN_EID_CHALLENGE, pos, + len - (pos - (u8 *)mgmt)); + if (!challenge) return; auth_data->expected_transaction = 4; drv_mgd_prepare_tx(sdata->local, sdata, 0); @@ -2914,7 +2914,8 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata, tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS | IEEE80211_TX_INTFL_MLME_CONN_TX; ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0, - elems.challenge - 2, elems.challenge_len + 2, + (void *)challenge, + challenge->datalen + sizeof(*challenge), auth_data->bss->bssid, auth_data->bss->bssid, auth_data->key, auth_data->key_len, auth_data->key_idx, tx_flags); diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 11d5686893c6..e6b5d164a0ee 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1124,10 +1124,6 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, } else elem_parse_failed = true; break; - case WLAN_EID_CHALLENGE: - elems->challenge = pos; - elems->challenge_len = elen; - break; case WLAN_EID_VENDOR_SPECIFIC: if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 && pos[2] == 0xf2) { From 187e6dad2a37ea4a79bdba5fbf07b11f1d83bcf7 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 14 Oct 2022 18:41:49 +0200 Subject: [PATCH 21/27] UPSTREAM: wifi: mac80211: don't parse mbssid in assoc response This is simply not valid and simplifies the next commit. I'll make a separate patch for this in the current main tree as well. Bug: 254180332 Signed-off-by: Johannes Berg 
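Review bot: The length passed to `cfg80211_find_elem()`, `len - (pos - (u8 *)mgmt)`, wraps to a very large value if `len` is an unsigned type and smaller than the fixed authentication header. The check that rules this out is not in the hunk (ieee80211_auth_challenge starts and ends outside it) and presumably lives in the caller, so I would record the assumption next to the call: `/* caller has checked that len covers the fixed auth header */`. Separately, `(void *)challenge` in the ieee80211_send_auth() call drops the `const` qualifier; if that parameter is const-qualified, `(const u8 *)challenge` keeps it.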
Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones (cherry picked from commit 353b5c8d4bea712774ccc631782ed8cc3630528a) Change-Id: Ie554c036923c94b125035141a3bffafc129a5aa6 --- net/mac80211/mlme.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 6ae97707770f..543fff520abb 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -3300,7 +3300,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata, } capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info); ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, elems, - mgmt->bssid, assoc_data->bss->bssid); + mgmt->bssid, NULL); if (elems->aid_resp) aid = le16_to_cpu(elems->aid_resp->aid); @@ -3702,7 +3702,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata, return; ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, - mgmt->bssid, assoc_data->bss->bssid); + mgmt->bssid, NULL); if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY && elems.timeout_int && From 6c543641c68ccf3904a08d915f98c1ed633de08e Mon Sep 17 00:00:00 2001 
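Review bot: The bare `NULL` now passed as the last argument of `ieee802_11_parse_elems()` in ieee80211_assoc_success and ieee80211_rx_mgmt_assoc_resp has no explanation at either call site. According to the next patch in this series, the non-transmitted profile buffer is only relevant when that argument is non-NULL, and no `kfree()` of `nontx_profile` is added there for these two parses. Passing a BSSID here again later would therefore presumably introduce a leak. A one-line comment at both calls would pin that down: `/* no multi-BSSID parsing for assoc responses, so no nontx_profile to free */`. Both functions start and end outside the hunks.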
From: Johannes Berg Date: Fri, 14 Oct 2022 18:41:50 +0200 Subject: [PATCH 22/27] UPSTREAM: wifi: mac80211: fix MBSSID parsing use-after-free Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream. This is a different version of the commit, changed to store the non-transmitted profile in the elems, and freeing it in the few places where it's relevant, since that is only the case when the last argument for parsing (the non-tx BSSID) is non-NULL. When we parse a multi-BSSID element, we might point some element pointers into the allocated nontransmitted_profile. However, we free this before returning, causing UAF when the relevant pointers in the parsed elements are accessed. Fix this by not allocating the scratch buffer separately but as part of the returned structure instead, that way, there are no lifetime issues with it. The scratch buffer introduction as part of the returned data here is taken from MLO feature work done by Ilan. This fixes CVE-2022-42719. Bug: 253642087 Fixes: 5023b14cf4df ("mac80211: support profile split between elements") Co-developed-by: Ilan Peer Signed-off-by: Ilan Peer Reviewed-by: Kees Cook Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: I68b07f5850a7ef363d631043d01f58a08aea9274 --- net/mac80211/ieee80211_i.h | 2 ++ net/mac80211/mlme.c | 6 +++++- net/mac80211/scan.c | 2 ++ net/mac80211/util.c | 7 ++++++- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index 28282b0d82a6..5bfa4e1ff9b8 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -1546,6 +1546,8 @@ struct ieee802_11_elems { u8 country_elem_len; u8 bssid_index_len; + void *nontx_profile; + /* whether a parse error occurred while retrieving these elements */ bool parse_error; }; diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 543fff520abb..2d133e5c5799 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c 
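Review bot: The new `void *nontx_profile` member of struct ieee802_11_elems is added without a comment, although it turns the struct from a set of borrowed pointers into one that owns heap memory. Per the commit message other element pointers may point into this buffer, and the later util.c hunk stores the allocation here instead of freeing it. Every caller that parses with a non-NULL BSSID therefore has to `kfree()` it, and only after its last use of `elems`. I would document that at the field: `/* allocated by the parser; parsed elements may point into it; caller must kfree() */`.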
@@ -3394,6 +3394,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata, sdata_info(sdata, "AP bug: VHT operation missing from AssocResp\n"); } + kfree(bss_elems.nontx_profile); } /* @@ -4039,6 +4040,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata, ifmgd->assoc_data->timeout = jiffies; ifmgd->assoc_data->timeout_started = true; run_again(sdata, ifmgd->assoc_data->timeout); + kfree(elems.nontx_profile); return; } @@ -4216,7 +4218,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata, ieee80211_report_disconnect(sdata, deauth_buf, sizeof(deauth_buf), true, WLAN_REASON_DEAUTH_LEAVING); - return; + goto free; } if (sta && elems.opmode_notif) @@ -4231,6 +4233,8 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata, elems.cisco_dtpc_elem); ieee80211_bss_info_change_notify(sdata, changed); +free: + kfree(elems.nontx_profile); } void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata, diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c index 6b50cb5e0e3c..ad088324a6d3 100644 --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c @@ -227,6 +227,8 @@ ieee80211_bss_info_update(struct ieee80211_local *local, rx_status, beacon); } + kfree(elems.nontx_profile); + return bss; } diff --git a/net/mac80211/util.c b/net/mac80211/util.c index e6b5d164a0ee..7fa6efa8b83c 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1483,6 +1483,11 @@ u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, nontransmitted_profile, nontransmitted_profile_len); + if (!nontransmitted_profile_len) { + nontransmitted_profile_len = 0; + kfree(nontransmitted_profile); + nontransmitted_profile = NULL; + } } crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter, 
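Review bot: In ieee80211_rx_mgmt_beacon only one `return` is converted to `goto free`, and the code between the element parse and that point is not part of these hunks. Any other early `return` after the parse would leak `elems.nontx_profile`, and because the input is a received beacon such a leak could be driven from outside the device. The remaining exits should be checked and routed through the `free:` label as well. A short comment at the label, `/* every exit after the parse must come through here */`, would keep later edits from reintroducing a plain `return`.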
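Review bot: In the util.c hunk, the assignment `nontransmitted_profile_len = 0;` inside `if (!nontransmitted_profile_len)` is a no-op, because the branch is only entered when the length is already zero. Dropping it leaves `kfree(nontransmitted_profile);` and `nontransmitted_profile = NULL;`, which is the part that matters: a buffer with no usable profile is then not handed to the caller through `elems->nontx_profile`. ieee802_11_parse_elems_crc starts outside the hunk.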
@@ -1512,7 +1517,7 @@ u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action, offsetofend(struct ieee80211_bssid_index, dtim_count)) elems->dtim_count = elems->bssid_index->dtim_count; - kfree(nontransmitted_profile); + elems->nontx_profile = nontransmitted_profile; return crc; } From 1c741865f4ffd536f6431ea4cf37de38810dd839 Mon Sep 17 00:00:00 2001 From: Rick Yiu Date: Mon, 24 Oct 2022 10:21:34 +0000 Subject: [PATCH 23/27] ANDROID: Update the ABI representation 5 function symbol(s) added 'int __traceiter_android_rvh_prepare_prio_fork(void *, struct task_struct *)' 'int __traceiter_android_rvh_set_user_nice(void *, struct task_struct *, long int *, bool *)' 'int __traceiter_android_rvh_setscheduler(void *, struct task_struct *)' 'void check_preempt_curr(struct rq *, struct task_struct *, int)' 'void resched_curr(struct rq *)' 3 variable symbol(s) added 'struct tracepoint __tracepoint_android_rvh_prepare_prio_fork' 'struct tracepoint __tracepoint_android_rvh_set_user_nice' 'struct tracepoint __tracepoint_android_rvh_setscheduler' Bug: 245675204 Signed-off-by: Rick Yiu Change-Id: Ic17fa9f74255dc887ccd650c73aea42d217d0b06 --- android/abi_gki_aarch64.xml | 280 ++++++++++++++++++-------------- android/abi_gki_aarch64_generic | 8 + 2 files changed, 167 insertions(+), 121 deletions(-) diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml index 6a96fd7c4a3e..d7bcb94be9c3 100644 --- a/android/abi_gki_aarch64.xml +++ b/android/abi_gki_aarch64.xml @@ -232,12 +232,15 @@ + + + @@ -637,6 +640,7 @@ + @@ -2759,6 +2763,7 @@ + @@ -3766,12 +3771,15 @@ + + + @@ -4935,7 +4943,7 @@ - + @@ -8908,7 +8916,7 @@ - + @@ -26254,7 +26262,7 @@ - + @@ -61763,7 +61771,7 @@ - + @@ -61854,7 +61862,7 @@ - + @@ -71920,27 +71928,27 @@ - + - + - + - + - + - + - + @@ -71956,22 +71964,22 @@ - + - + - + - + - + - + @@ -72030,36 +72038,36 @@ - + - + - + - + - + - + - + - + - + - + @@ -72070,7 +72078,7 @@ - + 
@@ -72094,96 +72102,96 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -76841,7 +76849,7 @@ - + @@ -86964,7 +86972,7 @@ - + @@ -87044,22 +87052,22 @@ - + - + - + - + - + - + @@ -99506,7 +99514,7 @@ - + @@ -99514,7 +99522,7 @@ - + @@ -99522,7 +99530,7 @@ - + @@ -99530,12 +99538,12 @@ - + - + @@ -99543,7 +99551,7 @@ - + @@ -99554,7 +99562,7 @@ - + @@ -99562,18 +99570,18 @@ - + - + - - + + @@ -99587,12 +99595,12 @@ - + - + @@ -99600,12 +99608,12 @@ - + - + @@ -99613,12 +99621,12 @@ - + - + @@ -99635,7 +99643,7 @@ - + @@ -99643,7 +99651,7 @@ - + @@ -99651,12 +99659,12 @@ - + - + @@ -99664,7 +99672,7 @@ - + @@ -99672,7 +99680,7 @@ - + @@ -99689,12 +99697,12 @@ - + - + @@ -99720,7 +99728,7 @@ - + @@ -99731,7 +99739,7 @@ - + @@ -99751,7 +99759,7 @@ - + @@ -99774,7 +99782,7 @@ - + @@ -99788,12 +99796,12 @@ - + - + @@ -99804,7 +99812,7 @@ - + @@ -99818,7 +99826,7 @@ - + @@ -99829,7 +99837,7 @@ - + @@ -99843,7 +99851,7 @@ - + @@ -99857,12 +99865,12 @@ - + - + @@ -99870,7 +99878,7 @@ - + @@ -99884,7 +99892,7 @@ - + @@ -99892,7 +99900,7 @@ - + @@ -99903,7 +99911,7 @@ - + @@ -99920,7 +99928,7 @@ - + @@ -99940,7 +99948,7 @@ - + @@ -99957,7 +99965,7 @@ - + @@ -99968,7 +99976,7 @@ - + @@ -99976,7 +99984,7 @@ - + @@ -99984,7 +99992,7 @@ - + @@ -99992,7 +100000,7 @@ - + @@ -100006,7 +100014,7 @@ - + @@ -100014,7 +100022,7 @@ - + @@ -100025,7 +100033,7 @@ - + @@ -100042,7 +100050,7 @@ - + @@ -104852,7 +104860,7 @@ - + @@ -107721,7 +107729,7 @@ - + @@ -110796,6 +110804,11 @@ + + + + + @@ -110837,6 +110850,18 @@ + + + + + + + + + + + + @@ -111501,12 +111526,15 @@ + + + @@ -113293,6 +113321,12 @@ + + + + + + @@ -124281,6 +124315,10 @@ + + + + diff --git a/android/abi_gki_aarch64_generic b/android/abi_gki_aarch64_generic index dd002bf38e0c..c875ab5429ab 100644 --- a/android/abi_gki_aarch64_generic +++ b/android/abi_gki_aarch64_generic 
@@ -189,6 +189,7 @@ cfg80211_vendor_cmd_reply __cfi_slowpath __check_object_size + check_preempt_curr __class_create class_destroy class_interface_unregister @@ -1804,6 +1805,7 @@ __request_percpu_irq __request_region request_threaded_irq + resched_curr resume_cpus return_address revalidate_disk_size @@ -2223,12 +2225,15 @@ __traceiter_android_rvh_post_init_entity_util_avg __traceiter_android_rvh_preempt_disable __traceiter_android_rvh_preempt_enable + __traceiter_android_rvh_prepare_prio_fork __traceiter_android_rvh_remove_entity_load_avg __traceiter_android_rvh_sched_fork __traceiter_android_rvh_select_task_rq_fair __traceiter_android_rvh_select_task_rq_rt __traceiter_android_rvh_set_iowait + __traceiter_android_rvh_setscheduler __traceiter_android_rvh_set_task_cpu + __traceiter_android_rvh_set_user_nice __traceiter_android_rvh_typec_tcpci_chk_contaminant __traceiter_android_rvh_typec_tcpci_get_vbus __traceiter_android_rvh_uclamp_eff_get @@ -2346,12 +2351,15 @@ __tracepoint_android_rvh_post_init_entity_util_avg __tracepoint_android_rvh_preempt_disable __tracepoint_android_rvh_preempt_enable + __tracepoint_android_rvh_prepare_prio_fork __tracepoint_android_rvh_remove_entity_load_avg __tracepoint_android_rvh_sched_fork __tracepoint_android_rvh_select_task_rq_fair __tracepoint_android_rvh_select_task_rq_rt __tracepoint_android_rvh_set_iowait + __tracepoint_android_rvh_setscheduler __tracepoint_android_rvh_set_task_cpu + __tracepoint_android_rvh_set_user_nice __tracepoint_android_rvh_typec_tcpci_chk_contaminant __tracepoint_android_rvh_typec_tcpci_get_vbus __tracepoint_android_rvh_uclamp_eff_get From a17e132ec4f290621666311e73f43202706d2743 Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Thu, 27 Oct 2022 08:29:17 -0700 Subject: [PATCH 24/27] ANDROID: vendor hook to control blk_plug for memory reclaim Add vendor hook to contorl blk plugging. Bug: 255471591 Bug: 238728493 Change-Id: I96b73cec14f0d2fea46a4828526e6ae5aa5c71b7 
Signed-off-by: Minchan Kim --- drivers/android/vendor_hooks.c | 3 +++ include/trace/hooks/mm.h | 9 +++++++++ mm/madvise.c | 9 +++++++-- mm/vmscan.c | 18 ++++++++++++++++++ 4 files changed, 37 insertions(+), 2 deletions(-) diff --git a/drivers/android/vendor_hooks.c b/drivers/android/vendor_hooks.c index 442537ee4fc1..bfd9a74a0f61 100644 --- a/drivers/android/vendor_hooks.c +++ b/drivers/android/vendor_hooks.c @@ -283,6 +283,9 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_get_from_fragment_pool); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_exclude_reserved_zone); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_include_reserved_zone); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_alloc_pages_slowpath); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_do_madvise_blk_plug); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_shrink_inactive_list_blk_plug); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_reclaim_pages_plug); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_zap_pte_range_tlb_start); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_zap_pte_range_tlb_force_flush); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_zap_pte_range_tlb_end); diff --git a/include/trace/hooks/mm.h b/include/trace/hooks/mm.h index 94d18851fc2a..236aaeeff274 100644 --- a/include/trace/hooks/mm.h +++ b/include/trace/hooks/mm.h @@ -100,6 +100,15 @@ DECLARE_HOOK(android_vh_alloc_pages_slowpath, DECLARE_HOOK(android_vh_cma_alloc_adjust, TP_PROTO(struct zone *zone, bool *is_cma_alloc), TP_ARGS(zone, is_cma_alloc)); +DECLARE_HOOK(android_vh_do_madvise_blk_plug, + TP_PROTO(int behavior, bool *do_plug), + TP_ARGS(behavior, do_plug)); +DECLARE_HOOK(android_vh_shrink_inactive_list_blk_plug, + TP_PROTO(bool *do_plug), + TP_ARGS(do_plug)); +DECLARE_HOOK(android_vh_reclaim_pages_plug, + TP_PROTO(bool *do_plug), + TP_ARGS(do_plug)); DECLARE_HOOK(android_vh_zap_pte_range_tlb_start, TP_PROTO(void *unused), TP_ARGS(unused)); diff --git a/mm/madvise.c b/mm/madvise.c index 8920a7125389..937301fb9bc5 100644 --- a/mm/madvise.c +++ b/mm/madvise.c 
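Review bot: The three hooks added to include/trace/hooks/mm.h take a `bool *do_plug`, but nothing documents what a handler may do with it or what value it holds on entry. The call sites later in this patch differ: do_madvise starts with `do_plug = true`, while shrink_inactive_list and reclaim_pages start with `false`, so a vendor handler cannot assume a default. A comment above the declarations would help, for example `/* do_plug: in/out; the call site sets the default and the handler may flip it to enable or skip blk_start_plug()/blk_finish_plug() */`.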
@@ -31,6 +31,7 @@ #include #include #include +#include #include @@ -1266,6 +1267,7 @@ int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int beh int write; size_t len; struct blk_plug plug; + bool do_plug = true; start = untagged_addr(start); @@ -1300,10 +1302,13 @@ int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int beh mmap_read_lock(mm); } - blk_start_plug(&plug); + trace_android_vh_do_madvise_blk_plug(behavior, &do_plug); + if (do_plug) + blk_start_plug(&plug); error = madvise_walk_vmas(mm, start, end, behavior, madvise_vma_behavior); - blk_finish_plug(&plug); + if (do_plug) + blk_finish_plug(&plug); if (write) mmap_write_unlock(mm); else diff --git a/mm/vmscan.c b/mm/vmscan.c index d09d63861544..f4a22e18951d 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -70,6 +70,9 @@ #undef CREATE_TRACE_POINTS #include +#undef CREATE_TRACE_POINTS +#include + EXPORT_TRACEPOINT_SYMBOL_GPL(mm_vmscan_direct_reclaim_begin); EXPORT_TRACEPOINT_SYMBOL_GPL(mm_vmscan_direct_reclaim_end); @@ -2005,6 +2008,8 @@ shrink_inactive_list(unsigned long nr_to_scan, struct lruvec *lruvec, enum vm_event_item item; struct pglist_data *pgdat = lruvec_pgdat(lruvec); bool stalled = false; + struct blk_plug plug; + bool do_plug = false; while (unlikely(too_many_isolated(pgdat, file, sc))) { if (stalled) @@ -2038,11 +2043,16 @@ shrink_inactive_list(unsigned long nr_to_scan, struct lruvec *lruvec, if (nr_taken == 0) return 0; + trace_android_vh_shrink_inactive_list_blk_plug(&do_plug); + if (do_plug) + blk_start_plug(&plug); nr_reclaimed = shrink_page_list(&page_list, pgdat, sc, &stat, false); spin_lock_irq(&pgdat->lru_lock); move_pages_to_lru(lruvec, &page_list); + if (do_plug) + blk_finish_plug(&plug); __mod_node_page_state(pgdat, NR_ISOLATED_ANON + file, -nr_taken); lru_note_cost(lruvec, file, stat.nr_pageout); 
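Review bot: In shrink_inactive_list the added `blk_finish_plug(&plug)` sits after `spin_lock_irq(&pgdat->lru_lock)` and `move_pages_to_lru()`, so the plug is flushed with the LRU lock held and interrupts disabled. Flushing a plug submits the queued I/O, which lengthens that critical section and is unsafe if any part of the flush path sleeps or re-enables interrupts. The I/O is queued by `shrink_page_list()`, so the two lines `if (do_plug)` and `blk_finish_plug(&plug);` can move up to directly after that call, before the lock is taken. The function continues outside the hunk, so the matching unlock is not visible here.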
@@ -2188,6 +2198,8 @@ unsigned long reclaim_pages(struct list_head *page_list) LIST_HEAD(node_page_list); struct reclaim_stat dummy_stat; struct page *page; + struct blk_plug plug; + bool do_plug = false; struct scan_control sc = { .gfp_mask = GFP_KERNEL, .priority = DEF_PRIORITY, @@ -2196,6 +2208,10 @@ unsigned long reclaim_pages(struct list_head *page_list) .may_swap = 1, }; + trace_android_vh_reclaim_pages_plug(&do_plug); + if (do_plug) + blk_start_plug(&plug); + while (!list_empty(page_list)) { page = lru_to_page(page_list); if (nid == NUMA_NO_NODE) { @@ -2231,6 +2247,8 @@ unsigned long reclaim_pages(struct list_head *page_list) putback_lru_page(page); } } + if (do_plug) + blk_finish_plug(&plug); return nr_reclaimed; } From 86d2835139698e9f92a49bcd5849259919832468 Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Thu, 27 Oct 2022 14:20:33 -0700 Subject: [PATCH 25/27] ANDROID: Update the ABI representation 3 function symbol(s) added 'int __traceiter_android_vh_do_madvise_blk_plug(void *, int, bool *)' 'int __traceiter_android_vh_reclaim_pages_plug(void *, bool *)' 'int __traceiter_android_vh_shrink_inactive_list_blk_plug(void *, bool *)' 3 variable symbol(s) added 'struct tracepoint __tracepoint_android_vh_do_madvise_blk_plug' 'struct tracepoint __tracepoint_android_vh_reclaim_pages_plug' 'struct tracepoint __tracepoint_android_vh_shrink_inactive_list_blk_plug' Bug: 255471591 Change-Id: I4021425fea85fead6c2e85b057b33efeccbf2f6f Signed-off-by: Minchan Kim --- android/abi_gki_aarch64.xml | 235 ++++++++++++++++++-------------- android/abi_gki_aarch64_generic | 6 + 2 files changed, 136 insertions(+), 105 deletions(-) diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml index d7bcb94be9c3..9d4b5cd90e25 100644 --- a/android/abi_gki_aarch64.xml +++ b/android/abi_gki_aarch64.xml @@ -263,6 +263,7 @@ + @@ -281,6 +282,7 @@ + @@ -288,6 +290,7 @@ + @@ -3802,6 +3805,7 @@ + @@ -3820,6 +3824,7 @@ + @@ -3827,6 +3832,7 @@ + @@ -111018,6 +111024,12 @@ + + + + + + 
@@ -111130,6 +111142,11 @@ + + + + + @@ -111178,9 +111195,14 @@ - - - + + + + + + + + @@ -111332,20 +111354,20 @@ - - - + + + - - - - + + + + - - - + + + @@ -111557,6 +111579,7 @@ + @@ -111575,6 +111598,7 @@ + @@ -111582,7 +111606,8 @@ - + + @@ -111606,9 +111631,9 @@ - - - + + + @@ -113123,30 +113148,30 @@ - - - - - - - + + + + + + + - - - - - + + + + + - - - - - - - - + + + + + + + + @@ -113163,25 +113188,25 @@ - - - - - - - - - - - + + + + + + + + + + + - - - - - - + + + + + + @@ -113223,9 +113248,9 @@ - - - + + + @@ -113264,24 +113289,24 @@ - - - + + + - - - + + + - - - + + + - - - + + + @@ -113298,9 +113323,9 @@ - - - + + + @@ -119438,16 +119463,16 @@ - - - + + + - - - - - + + + + + @@ -119576,8 +119601,8 @@ - - + + @@ -119601,29 +119626,29 @@ - - - + + + - - - - - + + + + + - - - + + + - - + + - - + + @@ -119696,10 +119721,10 @@ - - - - + + + + @@ -123937,8 +123962,8 @@ - - + + @@ -127545,8 +127570,8 @@ - - + + diff --git a/android/abi_gki_aarch64_generic b/android/abi_gki_aarch64_generic index c875ab5429ab..3a76d3602f24 100644 --- a/android/abi_gki_aarch64_generic +++ b/android/abi_gki_aarch64_generic @@ -2252,6 +2252,7 @@ __traceiter_android_vh_cma_alloc_start __traceiter_android_vh_cpu_idle_enter __traceiter_android_vh_cpu_idle_exit + __traceiter_android_vh_do_madvise_blk_plug __traceiter_android_vh_dump_throttled_rt_tasks __traceiter_android_vh_dup_task_struct __traceiter_android_vh_early_resume_begin 
@@ -2269,12 +2270,14 @@ __traceiter_android_vh_pagevec_drain __traceiter_android_vh_pin_user_pages __traceiter_android_vh_rebuild_root_domains_bypass + __traceiter_android_vh_reclaim_pages_plug __traceiter_android_vh_resume_end __traceiter_android_vh_rmqueue __traceiter_android_vh_sched_setaffinity_early __traceiter_android_vh_scheduler_tick __traceiter_android_vh_setscheduler_uclamp __traceiter_android_vh_show_max_freq + __traceiter_android_vh_shrink_inactive_list_blk_plug __traceiter_android_vh_skip_lru_disable __traceiter_android_vh_snd_compr_use_pause_in_drain __traceiter_android_vh_sound_usb_support_cpu_suspend @@ -2378,6 +2381,7 @@ __tracepoint_android_vh_cma_alloc_start __tracepoint_android_vh_cpu_idle_enter __tracepoint_android_vh_cpu_idle_exit + __tracepoint_android_vh_do_madvise_blk_plug __tracepoint_android_vh_dump_throttled_rt_tasks __tracepoint_android_vh_dup_task_struct __tracepoint_android_vh_early_resume_begin @@ -2395,12 +2399,14 @@ __tracepoint_android_vh_pagevec_drain __tracepoint_android_vh_pin_user_pages __tracepoint_android_vh_rebuild_root_domains_bypass + __tracepoint_android_vh_reclaim_pages_plug __tracepoint_android_vh_resume_end __tracepoint_android_vh_rmqueue __tracepoint_android_vh_sched_setaffinity_early __tracepoint_android_vh_scheduler_tick __tracepoint_android_vh_setscheduler_uclamp __tracepoint_android_vh_show_max_freq + __tracepoint_android_vh_shrink_inactive_list_blk_plug __tracepoint_android_vh_skip_lru_disable __tracepoint_android_vh_snd_compr_use_pause_in_drain __tracepoint_android_vh_sound_usb_support_cpu_suspend From 9966a706d19ee5869c87ce611eb45ee2979d1654 Mon Sep 17 00:00:00 2001 From: Jaegeuk Kim Date: Mon, 17 Oct 2022 17:52:05 -0700 Subject: [PATCH 26/27] FROMGIT: f2fs: let's avoid to get cp_rwsem twice by f2fs_evict_inode by d_invalidate f2fs_unlink -> f2fs_lock_op -> d_invalidate -> shrink_dentry_list -> iput_final -> f2fs_evict_inode -> f2fs_lock_op Bug: 253968159 Reviewed-by: Chao Yu Tested-by: Yangtao Li 
Signed-off-by: Jaegeuk Kim Change-Id: I281afd7ffa0c66509ec5984fd7774ccd4ddef1f4 (cherry picked from commit 14dc00a0e2dbea4b685ab9723ff511fcfd223c18 git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git dev) --- fs/f2fs/namei.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c index 0de98abd7282..b93695d28e43 100644 --- a/fs/f2fs/namei.c +++ b/fs/f2fs/namei.c @@ -623,6 +623,8 @@ static int f2fs_unlink(struct inode *dir, struct dentry *dentry) goto fail; } f2fs_delete_entry(de, page, dir, inode); + f2fs_unlock_op(sbi); + #ifdef CONFIG_UNICODE /* VFS negative dentries are incompatible with Encoding and * Case-insensitiveness. Eventually we'll want avoid @@ -633,8 +635,6 @@ static int f2fs_unlink(struct inode *dir, struct dentry *dentry) if (IS_CASEFOLDED(dir)) d_invalidate(dentry); #endif - f2fs_unlock_op(sbi); - if (IS_DIRSYNC(dir)) f2fs_sync_fs(sbi->sb, 1); fail: From 559e6700c32ffcd82c3194d059b4c31939c14e71 Mon Sep 17 00:00:00 2001 From: Chungkai Mei Date: Mon, 31 Oct 2022 10:21:02 +0000 Subject: [PATCH 27/27] ANDROID: Update the ABI representation 2 function symbol(s) added 'int __traceiter_android_vh_binder_restore_priority(void *, struct binder_transaction *, struct task_struct *)' 'int __traceiter_android_vh_binder_set_priority(void *, struct binder_transaction *, struct task_struct *)' 2 variable symbol(s) added 'struct tracepoint __tracepoint_android_vh_binder_restore_priority' 'struct tracepoint __tracepoint_android_vh_binder_set_priority' Bug: 226003124 Change-Id: I4129848ba6537d398cc7a2aab5960c65b280b9a4 Signed-off-by: Chungkai Mei --- android/abi_gki_aarch64.xml | 20 ++++++++++++++++++++ android/abi_gki_aarch64_generic | 4 ++++ 2 files changed, 24 insertions(+) diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml index 9d4b5cd90e25..a9334233428c 100644 --- a/android/abi_gki_aarch64.xml +++ b/android/abi_gki_aarch64.xml @@ -258,6 +258,8 @@ + + @@ -3800,6 +3802,8 @@ + + 
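Review bot: The reordering in f2fs_unlink has no comment explaining why `f2fs_unlock_op(sbi)` must come before the `d_invalidate()` block, so a later cleanup could move it back. The commit message gives the reason: d_invalidate can reach f2fs_evict_inode, which takes `f2fs_lock_op` again while f2fs_unlink still holds it. I would put that next to the moved line: `/* drop cp_rwsem before d_invalidate(), which can end up in f2fs_evict_inode() and take it again */`. f2fs_unlink begins outside the hunk.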
@@ -101716,6 +101720,7 @@ + @@ -105097,6 +105102,7 @@ + @@ -110991,6 +110997,18 @@ + + + + + + + + + + + + @@ -111574,6 +111592,8 @@ + + diff --git a/android/abi_gki_aarch64_generic b/android/abi_gki_aarch64_generic index 3a76d3602f24..b02c2b60c7a2 100644 --- a/android/abi_gki_aarch64_generic +++ b/android/abi_gki_aarch64_generic @@ -2247,6 +2247,8 @@ __traceiter_android_rvh_util_est_update __traceiter_android_vh_arch_set_freq_scale __traceiter_android_vh_bh_lru_install + __traceiter_android_vh_binder_restore_priority + __traceiter_android_vh_binder_set_priority __traceiter_android_vh_cma_alloc_adjust __traceiter_android_vh_cma_alloc_finish __traceiter_android_vh_cma_alloc_start @@ -2376,6 +2378,8 @@ __tracepoint_android_rvh_util_est_update __tracepoint_android_vh_arch_set_freq_scale __tracepoint_android_vh_bh_lru_install + __tracepoint_android_vh_binder_restore_priority + __tracepoint_android_vh_binder_set_priority __tracepoint_android_vh_cma_alloc_adjust __tracepoint_android_vh_cma_alloc_finish __tracepoint_android_vh_cma_alloc_start