Merge the recent changes in android14-6.1 into android14-6.1-lts to
catch up on abi changes and other issues fixed there already. Changes
included in here are:
* 5a912daf87 ANDROID: OPP: fix function args mismatch for dev_pm_opp_add in pm_opp.h
* bcc435d374 ANDROID: GKI: Update KMI symbol list for ASR
* 9e167c1c27 ANDROID: GKI: Export a symbol “next_arg” for honor
* 4dcae85afd BACKPORT: netem: fix return value if duplicate enqueue fails
* f4bcd4ef0f ANDROID: 16K: Fixup padding vm_flags bits on VMA splits
* 9027204d5a ANDROID: 16K: Introduce pgsize_migration_inline.h
* 03b93dc707 FROMLIST: binder: fix BINDER_WORK_FROZEN_BINDER debug logs
* 9c6fdb6bf8 BACKPORT: FROMLIST: binder: fix freeze UAF in binder_release_work()
* 07a43515b0 FROMLIST: binder: fix OOB in binder_add_freeze_work()
* a26cde4055 FROMLIST: binder: fix node UAF in binder_add_freeze_work()
* df571cd9f1 FROMGIT: virtio_pmem: Check device status before requesting flush
* b2a0a8f709 ANDROID: GKI: update rockchip symbols sync with kernel update
* 83e7e0486e ANDROID: GKI: Update symbol list for honor
* 5c7d0d4f4a ANDROID: GKI: Update `kernel_aarch64_16k` build config to match `kernel_aarch64`
* 2cd8ac816d ANDROID: ABI: update symbol list for honor
* b5ee53c64e ANDROID: Allow vendor modules perform more operations on sock.
* e64a80a096 ANDROID: GKI: update symbol list file for xiaomi
* 530ff6a3e6 ANDROID: GKI: add vendor hooks android_vh_page_should_be_protected() and android_vh_modify_scan_control().
* 41e1c6f937 Merge tag 'android14-6.1.99_r00' into android14-6.1
* 3b95e54867 ANDROID: Update the ABI symbol list
* b3a2458fc6 ANDROID: mm: add vh for kcompactd_cpu_online()
* 532fad0092 ANDROID: ABI: update symbol list for honor
* 145b08312d ANDROID: vendor_hooks: add hook to perform targeted memory management
* c105083ac6 ANDROID: ABI: update symbol list for honor
* eda4e9fa64 ANDROID: mm: add vendor hook in fault and read file
* 814dd5bfa8 ANDROID: Update the ABI symbol list
* 8a268cb981 ANDROID: GKI: Update symbol list for honor
* be07389110 ANDROID: Allow vendor modules perform operations on memleak detect
* 47871c381d ANDROID: GKI: Update symbol list for honor
* c7b8f95c21 ANDROID: Allow vendor modules perform more operations on binder transaction.
* d1f3a046a6 FROMGIT: f2fs: prevent atomic file from being dirtied before commit
* 6e5b92a6a1 ANDROID: GKI: Add symbol list for exynosauto
* b18f8bbc04 ANDROID: GKI: Update symbol list for BCMSTB
* ff74052448 BACKPORT: binder_alloc: Fix sleeping function called from invalid context
* 75c9b1955b UPSTREAM: bpf: Fix overrunning reservations in ringbuf
* fdec2610bf ANDROID: gki_config: Disable CONFIG_DEBUG_STACK_USAGE
* d02968a023 ANDROID: gki_defconfig: Enable CONFIG_SERIAL_8250_BCM7271
* a752cdd96f BACKPORT: serial: 8250_bcm7271: improve bcm7271 8250 port
* 04212acc42 ANDROID: GKI: Add initial symbol list for honor
* 27310ed6b6 ANDROID: binder: fix KMI issues due to frozen notification
* 2f43c68d05 FROMGIT: binder: frozen notification binder_features flag
* eda0570485 BACKPORT: FROMGIT: binder: frozen notification
* 822682e75d ANDROID: KVM: arm64: Fix cpu type for tracing HVCs
* c7596f093d ANDROID: gki_defconfig: Enable CONFIG_RTC_HCTOSYS for x86
* d1af8906d9 ANDROID: GKI: Update symbol list for vivo
* 9eca8763c1 ANDROID: vendor_hooks: add hooks for exting task's swp_entrys
* 03a4ae5d99 ANDROID: gki_defconfig: Enable Broadcom SoCs
* ef0ea14d63 ANDROID: ABI: Update xiaomi symbol list
* eabf8327ed ANDROID: Update the ABI symbol list
* f88293625b UPSTREAM: PM: domains: Add helper functions to attach/detach multiple PM domains
* 7b1e2d9798 UPSTREAM: OPP: Fix -Wunsequenced in _of_add_opp_table_v1()
* c33dbb3b87 UPSTREAM: firmware: arm_scmi: Specify the performance level when adding an OPP
* 47933171f3 BACKPORT: firmware: arm_scmi: Simplify error path in scmi_dvfs_device_opps_add()
* b50a013d33 BACKPORT: OPP: Extend support for the opp-level beyond required-opps
* 9ba5e19e0d UPSTREAM: OPP: Extend dev_pm_opp_data with a level
* adf41f4737 BACKPORT: OPP: Add dev_pm_opp_add_dynamic() to allow more flexibility
* 9c1597d2e4 UPSTREAM: dt-bindings: power: Clarify performance capabilities of power-domains
* dda942f010 UPSTREAM: dt-bindings: firmware: arm,scmi: Extend bindings for protocol@13
* ff18572d05 UPSTREAM: dt-bindings: arm: cpus: Add a power-domain-name for a performance-domain
* 5c0092ff97 UPSTREAM: PM: domains: Allow genpd providers to manage OPP tables directly by its FW
* c638aef4e9 UPSTREAM: cpufreq: scmi: Add support to parse domain-id using #power-domain-cells
* 0ccb8d6efa UPSTREAM: cpufreq: scmi: Avoid one OF parsing in scmi_get_sharing_cpus()
* 1a6e883184 UPSTREAM: firmware: arm_scmi: Drop redundant ->device_domain_id() from perf ops
* 3aa5b5408f UPSTREAM: firmware: arm_scmi: Align perf ops to use domain-id as in-parameter
* 49da9f2745 UPSTREAM: cpufreq: scmi: Prepare to move OF parsing of domain-id to cpufreq
* 742d32f206 BACKPORT: firmware: arm_scmi: Extend perf protocol ops to get information of a domain
* b99f37e4a6 BACKPORT: firmware: arm_scmi: Extend perf protocol ops to get number of domains
* 09ab235661 ANDROID: vendor_hooks: export shrink_slab
* 8a0fa49a77 UPSTREAM: erofs: fix out-of-bound access when z_erofs_gbuf_growsize() partially fails
* 7c5c6b6397 UPSTREAM: netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
* a1895da8bd ANDROID: GKI: Add initial sunxi symbol list
* b5e374dda9 FROMLIST: usb: typec: fix up incorrectly backported "usb: typec: tcpm: unregister existing source caps before re-registration"
* 841cae8810 UPSTREAM: net: sched: sch_multiq: fix possible OOB write in multiq_tune()
* 3bb5a64ae9 ANDROID: Update the ABI symbol list
* 6cbdf0e239 ANDROID: Update the ABI symbol list
* 25641a61ba ANDROID: GKI: Update symbol list for mtk
* 82b9eb64eb FROMGIT: KVM: arm64: Ensure TLBI uses correct VMID after changing context
* 9920d2584e FROMGIT: KVM: arm64: Invalidate EL1&0 TLB entries for all VMIDs in nvhe hyp init
* 1a48a88fcb FROMGIT: BACKPORT: KVM: arm64: Don't pass a TLBI level hint when zapping table entries
* 02fcfc12fc Merge tag 'android14-6.1.93_r00' into android14-6.1
* 42515e9246 ANDROID: sched: Add android_vh_set_task_comm
* 0f23336b97 BACKPORT: UPSTREAM: sched: Move psi_account_irqtime() out of update_rq_clock_task() hotpath
* 370ea8bc2e FROMLIST: binder: fix UAF caused by offsets overwrite
* f8f9a197f4 ANDROID: binder: fix KMI-break due to proc->dmap
* a55053f3a8 UPSTREAM: binder: fix descriptor lookup for context manager
* c5f1e68340 BACKPORT: binder: use bitmap for faster descriptor lookup
* 514bdc80b9 UPSTREAM: perf/core: Fix potential NULL deref
* faf32723dc BACKPORT: scsi: ufs: core: Fix ufshcd_abort_one racing issue
* 4d735ca7bb BACKPORT: scsi: ufs: core: Fix ufshcd_clear_cmd racing issue
Change-Id: Ib03de3ba63c1e5c7fc2782fefe352aaa5d234ba1
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
The function prototype for dev_pm_opp_add differs between a
configuration when CONFIG_PM_OPP is set versus when CONFIG_PM_OPP is not
set.
Fix this mismatch by aligning the function arguments for the dummy
dev_pm_opp_add with the non-dummy version.
Bug: 369659366
Fixes: adf41f4737 ("BACKPORT: OPP: Add dev_pm_opp_add_dynamic() to allow more flexibility")
Change-Id: If23af6ba28bb493d619f96846545cb86608b285d
Signed-off-by: Anant Goel <quic_anantg@quicinc.com>
Export a symbol “next_arg” in android/abi_gki_aarch64_honor
Bug: 368221985
Change-Id: I0bd8fc321752f0fa3d103b56510b33eadcb6e39b
Signed-off-by: yipeng xiang <yipengxiang@honor.corp-partner.google.com>
[ Upstream commit c07ff8592d57ed258afee5a5e04991a48dbaf382 ]
There is a bug in netem_enqueue() introduced by
commit 5845f70638 ("net: netem: fix skb length BUG_ON in __skb_to_sgvec")
that can lead to a use-after-free.
This commit made netem_enqueue() always return NET_XMIT_SUCCESS
when a packet is duplicated, which can cause the parent qdisc's q.qlen
to be mistakenly incremented. When this happens qlen_notify() may be
skipped on the parent during destruction, leaving a dangling pointer
for some classful qdiscs like DRR.
There are two ways for the bug to happen:
- If the duplicated packet is dropped by rootq->enqueue() and then
the original packet is also dropped.
- If rootq->enqueue() sends the duplicated packet to a different qdisc
and the original packet is dropped.
In both cases NET_XMIT_SUCCESS is returned even though no packets
are enqueued at the netem qdisc.
The fix is to defer the enqueue of the duplicate packet until after
the original packet has been guaranteed to return NET_XMIT_SUCCESS.
Bug: 362391455
Fixes: 5845f70638 ("net: netem: fix skb length BUG_ON in __skb_to_sgvec")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240819175753.5151-1-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 0486d31dd8)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I390f02549c726e961f57daace468d5cd48468722
In some cases VMAs are split without the mmap write lock held;
later the lock is taken to fixup vm_flags of the original VMA.
Since some upper bits of vm_flags are used to encode the ELF
padding ranges, they need to be modified on splits. This is
usually handled correctly by __split_vma(). However in the above
case, the flags get overwritten later under the write lock.
Preserve vm_flag bits on reset to correctly represent padding.
Bug: 357901498
Change-Id: I1cb75419e614791a47cbdb0341373f619daf0bf2
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Introduce inline header to avoid circular dependency. This
will be used in a subsequent patch.
Also take opportunity to do some small noop refactor in
vma_pad_pages() and split_pad_vma() for more robust code.
Bug: 357901498
Change-Id: Ia5f447758d0d07ed3e1429ca1e35dcc0741cc22a
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
The BINDER_WORK_FROZEN_BINDER type is not handled in the binder_logs
entries and it shows up as "unknown work" when logged:
proc 649
context binder-test
thread 649: l 00 need_return 0 tr 0
ref 13: desc 1 node 8 s 1 w 0 d 0000000053c4c0c3
unknown work: type 10
This patch adds the freeze work type and it is now logged as such:
proc 637
context binder-test
thread 637: l 00 need_return 0 tr 0
ref 8: desc 1 node 3 s 1 w 0 d 00000000dc39e9c6
has frozen binder
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 366003708
Link: https://lore.kernel.org/all/20240924184401.76043-5-cmllamas@google.com/
Change-Id: I06f888aa5218db19eeda79e315385506af09d9d5
Signed-off-by: Carlos Llamas <cmllamas@google.com>
When a binder reference is cleaned up, any freeze work queued in the
associated process should also be removed. Otherwise, the reference is
freed while its ref->freeze.work is still queued in proc->work leading
to a use-after-free issue as shown by the following KASAN report:
==================================================================
BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0
Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211
CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
binder_release_work+0x398/0x3d0
binder_deferred_func+0xb60/0x109c
process_one_work+0x51c/0xbd4
worker_thread+0x608/0xee8
Allocated by task 703:
__kmalloc_cache_noprof+0x130/0x280
binder_thread_write+0xdb4/0x42a0
binder_ioctl+0x18f0/0x25ac
__arm64_sys_ioctl+0x124/0x190
invoke_syscall+0x6c/0x254
Freed by task 211:
kfree+0xc4/0x230
binder_deferred_func+0xae8/0x109c
process_one_work+0x51c/0xbd4
worker_thread+0x608/0xee8
==================================================================
This commit fixes the issue by ensuring any queued freeze work is removed
when cleaning up a binder reference.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 366003708
Link: https://lore.kernel.org/all/20240924184401.76043-4-cmllamas@google.com/
Change-Id: Icc40e7dd6157981f4adbea7243e55be118552321
[cmllamas: drop BINDER_STAT_FREEZE as it's not supported here]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
In binder_add_freeze_work() we iterate over the proc->nodes with the
proc->inner_lock held. However, this lock is temporarily dropped to
acquire the node->lock first (lock nesting order). This can race with
binder_deferred_release() which removes the nodes from the proc->nodes
rbtree and adds them into binder_dead_nodes list. This leads to a broken
iteration in binder_add_freeze_work() as rb_next() will use data from
binder_dead_nodes, triggering an out-of-bounds access:
==================================================================
BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124
Read of size 8 at addr ffffcb84285f7170 by task freeze/660
CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18
Hardware name: linux,dummy-virt (DT)
Call trace:
rb_next+0xfc/0x124
binder_add_freeze_work+0x344/0x534
binder_ioctl+0x1e70/0x25ac
__arm64_sys_ioctl+0x124/0x190
The buggy address belongs to the variable:
binder_dead_nodes+0x10/0x40
[...]
==================================================================
This is possible because proc->nodes (rbtree) and binder_dead_nodes
(list) share entries in binder_node through a union:
struct binder_node {
[...]
union {
struct rb_node rb_node;
struct hlist_node dead_node;
};
Fix the race by checking that the proc is still alive. If not, simply
break out of the iteration.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 366003708
Link: https://lore.kernel.org/all/20240924184401.76043-3-cmllamas@google.com/
Change-Id: I5ec9d49277a23b864862665b52213460750c535e
Signed-off-by: Carlos Llamas <cmllamas@google.com>
In binder_add_freeze_work() we iterate over the proc->nodes with the
proc->inner_lock held. However, this lock is temporarily dropped in
order to acquire the node->lock first (lock nesting order). This can
race with binder_node_release() and trigger a use-after-free:
==================================================================
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
Write of size 4 at addr ffff53c04c29dd04 by task freeze/640
CPU: 5 UID: 0 PID: 640 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #17
Hardware name: linux,dummy-virt (DT)
Call trace:
_raw_spin_lock+0xe4/0x19c
binder_add_freeze_work+0x148/0x478
binder_ioctl+0x1e70/0x25ac
__arm64_sys_ioctl+0x124/0x190
Allocated by task 637:
__kmalloc_cache_noprof+0x12c/0x27c
binder_new_node+0x50/0x700
binder_transaction+0x35ac/0x6f74
binder_thread_write+0xfb8/0x42a0
binder_ioctl+0x18f0/0x25ac
__arm64_sys_ioctl+0x124/0x190
Freed by task 637:
kfree+0xf0/0x330
binder_thread_read+0x1e88/0x3a68
binder_ioctl+0x16d8/0x25ac
__arm64_sys_ioctl+0x124/0x190
==================================================================
Fix the race by taking a temporary reference on the node before
releasing the proc->inner lock. This ensures the node remains alive
while in use.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 366003708
Link: https://lore.kernel.org/all/20240924184401.76043-2-cmllamas@google.com/
Change-Id: I47b053532dd4cd3424d35d6f254ca4d00c426411
Signed-off-by: Carlos Llamas <cmllamas@google.com>
If a pmem device is in a bad status, the driver side could wait for
host ack forever in virtio_pmem_flush(), causing the system to hang.
So add a status check in the beginning of virtio_pmem_flush() to return
early if the device is not activated.
Signed-off-by: Philip Chen <philipchen@chromium.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Pankaj Gupta <pankaj.gupta.linux@gmail.com>
Bug: 358391069
Change-Id: I325e6f0ea047c4c5fa82cf4b590cbf7240f39b7b
(cherry picked from commit e25fbcd97cf52c3c9824d44b5c56c19673c3dd50 https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master)
Signed-off-by: Philip Chen <philipchen@google.com>
Update symbol list for honor in android/abi_gki_aarch64_honor
Bug: 369259421
Change-Id: I6954293467a50a758b27444bf51b7205d68dd34d
Signed-off-by: Chenghao Zhao <zhaochenghao@honor.com>
Export netdev_get_name, tcp_send_active_reset functions, allow vendor
modules to perform more operations on socks and improve users' online
experience. When users browse websites or watch videos, we will sense
which device the bad sock is on, so that the sock can be switched to
another good device by us, so that the internet service will no longer
be stuck. In a similar scenario, if the user downloads from multiple
devices and the rate of one device is low, we can reset the TCP stream
with a lower rate and establish it on the device with a higher rate.
Bug: 334000512
Change-Id: I9ed90ea9fe6f3dc9f11ae1661ca9f2f5fdad5820
Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com>
(cherry picked from commit 21614c79408f0342363db9874d315fbb3ff6553b)
android_vh_modify_scan_control().
add two vendor hooks:
android_vh_page_should_be_protected():protect pages from memory
reclaim.
android_vh_page_referenced_check_bypass():bypass rmap in active list
shrink.
The new vendor data field in scan_control are used to track how many
pages are protected in current reclaim and the "protected / scanned"
rate. These parameters are useful for understanding the impact of page
protection operations on LRU and reclaim, helping us make better
decisions.
Bug: 348285765
Change-Id: I49567a4b1f978821a94da0a8339b2b8fdfd52daf
Signed-off-by: Yuxuan Yan <yanyuxuan3@xiaomi.corp-partner.google.com>
kcompactd_cpu_online() changes kcompactd cpumask, potentially
overwriting any vendor-specific cpumask that was there. This
hook allows vendors to re-set the cpumask.
Bug: 367400751
Change-Id: I45b92bcd16fbf2d5d76474287db659e32af64201
Signed-off-by: Dmitry Skiba <dskiba@google.com>
Add vendor_hook trace_android_vh_should_fault_around, allow vendor modules
to skip the fault_around processing for less important processes.
Bug: 362663044
Bug: 337547131
Change-Id: I792dca2038f5ad7cba1d212ef95407244958609d
Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com>
(cherry picked from commit 65ebb00fe7977348d5fcfa58985c29181f3ec173)
Adding the following symbols to abi_gki_aarch64_pixel:
- mbox_request_channel_byname
Bug: 368167673
Change-Id: I031522377372a25bf5f9e97eb4832173463de390
Signed-off-by: David Chiang <davidchiang@google.com>
Update symbol list for honor in android/abi_gki_aarch64_honor
Bug: 365506689
Change-Id: I604163b979660eaedbc13d3da5c9e3cdb8275e50
Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com>
When an LMK (Low Memory Killer) occurs, it is crucial for us to identify
the underlying cause of low memory. Based on past experiences, memory
leaks are often the root cause in such situations. The purpose of this
function is to assist us in identifying which application or type of
memory is experiencing memory leaks, thereby enabling us to effectively
locate and address the memory leakage issue.
Bug: 365506689
Bug: 346707562
Change-Id: I5d7d6bdbca30660f2a552211fd8aff40d3550df7
Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com>
(cherry picked from commit d61134668c2d37846a6cea3e1ab3c237f2c7bc99)
Update symbol list for honor in android/abi_gki_aarch64_honor
Bug: 365506454
Change-Id: I5d9a7a41da2a6f97998fadbbcb447db53b873bcc
Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com>
Export binder_alloc_copy_from_buffer, allow vendor modules to perform more operations
on binder transaction and improve user operation fluency and timeliness experience.
Bug: 365506454
Bug: 343139379
Change-Id: I4353763099d854a62d0b70b003fbaca00e2c76e4
Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com>
(cherry picked from commit d8db83d94e14b48819bba18cb975943c237e33df)
This reverts commit b4e147d3f1 which is
commit c82a1662d4548c454de5343b88f69b9fc82266b3 upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: Iea8ece3b5c88a97395e25c2ba7a512872a81e93f
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 2bc78ff25f which is
commit 822c91e72eac568ed8d83765634f00decb45666c upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: If8dc383e04251ba799709f922a570097a65982ac
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit c3f8e2ec3c which is
commit b1bbd20f35e19774ea01989320495e09ac44fba3 upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I3c84527151f1018837dce6c1c77756ae4909da8e
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 7118f97916 which is
commit ab477b766edd3bfb6321a6e3df4c790612613fae upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I504fb7dbfa49fb2d1b79107fc35325b9d5bc399d
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit cf3a73eeb5 which is
commit 520713a93d550406dae14d49cdb8778d70cecdfd upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I53affa8f6283544467f3335459862a5a5c04e500
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Keep atomic file clean while updating and make it dirtied during commit
in order to avoid unnecessary and excessive inode updates in the previous
fix.
Fixes: 4bf78322346f ("f2fs: mark inode dirty for FI_ATOMIC_COMMITTED flag")
Change-Id: I2a29d047fa4233632876c61cf909340d1f60c26d
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Bug: 352181300
(cherry picked from commit fccaa81de87e80b1809906f7e438e5766fbdc172
https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git dev)
Change-Id: I5970e56a5318804cfebea340b5b19d6e0a66dc01
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Changes in 6.1.104
arm64: dts: qcom: msm8998: switch USB QMP PHY to new style of bindings
arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB
arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB
sysctl: allow change system v ipc sysctls inside ipc namespace
sysctl: allow to change limits for posix messages queues
sysctl: treewide: drop unused argument ctl_table_root::set_ownership(table)
sysctl: always initialize i_uid/i_gid
ext4: make ext4_es_insert_extent() return void
ext4: refactor ext4_da_map_blocks()
ext4: convert to exclusive lock while inserting delalloc extents
ext4: factor out a common helper to query extent map
ext4: check the extent status again before inserting delalloc block
cpufreq: qcom-nvmem: Convert to platform remove callback returning void
cpufreq: qcom-nvmem: Simplify driver data allocation
cpufreq: qcom-nvmem: fix memory leaks in probe error paths
leds: trigger: Remove unused function led_trigger_rename_static()
leds: trigger: Store brightness set by led_trigger_event()
leds: trigger: Call synchronize_rcu() before calling trig->activate()
leds: triggers: Flush pending brightness before activating trigger
mm: restrict the pcp batch scale factor to avoid too long latency
mm: page_alloc: control latency caused by zone PCP draining
mm/page_alloc: fix pcp->count race between drain_pages_zone() vs __rmqueue_pcplist()
f2fs: fix to avoid use SSR allocate when do defragment
f2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid
irqdomain: Fixed unbalanced fwnode get and put
drm/udl: Rename struct udl_drm_connector to struct udl_connector
drm/udl: Test pixel limit in mode-config's mode-valid function
drm/udl: Use USB timeout constant when reading EDID
drm/udl: Various improvements to the connector
drm/udl: Move connector to modesetting code
drm/udl: Remove DRM_CONNECTOR_POLL_HPD
drm/i915/dp: Don't switch the LTTPR mode on an active link
MIPS: Loongson64: DTS: Add RTC support to Loongson-2K1000
MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a
MIPS: dts: loongson: Fix liointc IRQ polarity
MIPS: dts: loongson: Fix ls2k1000-rtc interrupt
HID: amd_sfh: Remove duplicate cleanup
HID: amd_sfh: Split sensor and HID initialization
HID: amd_sfh: Move sensor discovery before HID device initialization
drm/nouveau: prime: fix refcount underflow
drm/vmwgfx: Fix overlay when using Screen Targets
drm/vmwgfx: Trigger a modeset when the screen moves
sched: act_ct: take care of padding in struct zones_ht_key
ALSA: hda: conexant: Fix headset auto detect fail in the polling mode
Bluetooth: hci_sync: Fix suspending with wrong filter policy
net: axienet: start napi before enabling Rx/Tx
rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in rtnl_dellink().
ice: respect netif readiness in AF_XDP ZC related ndo's
ice: don't busy wait for Rx queue disable in ice_qp_dis()
ice: replace synchronize_rcu with synchronize_net
ice: add missing WRITE_ONCE when clearing ice_rx_ring::xdp_prog
net/iucv: fix use after free in iucv_sock_close()
drm/i915/hdcp: Fix HDCP2_STREAM_STATUS macro
net: mvpp2: Don't re-use loop iterator
ALSA: hda: Conditionally use snooping for AMD HDMI
netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().
netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init().
net/mlx5: Lag, don't use the hardcoded value of the first port
net/mlx5: Fix missing lock on sync reset reload
net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys
ipv6: fix ndisc_is_useropt() handling for PIO
riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()
arm64: jump_label: Ensure patched jump_labels are visible to all CPUs
rust: SHADOW_CALL_STACK is incompatible with Rust
platform/chrome: cros_ec_proto: Lock device when updating MKBP version
HID: wacom: Modify pen IDs
btrfs: zoned: fix zone_unusable accounting on making block group read-write again
protect the fetch of ->fd[fd] in do_dup2() from mispredictions
mptcp: sched: check both directions for backup
ALSA: usb-audio: Correct surround channels in UAC1 channel map
ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G
Revert "ALSA: firewire-lib: obsolete workqueue for period update"
Revert "ALSA: firewire-lib: operate for period elapse event in process context"
drm/vmwgfx: Fix a deadlock in dma buf fence polling
drm/i915: Fix possible int overflow in skl_ddi_calculate_wrpll()
net: usb: sr9700: fix uninitialized variable use in sr_mdio_read
r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY
mptcp: fix user-space PM announced address accounting
mptcp: distinguish rcv vs sent backup flag in requests
mptcp: fix NL PM announced address accounting
mptcp: fix bad RCVPRUNED mib accounting
mptcp: pm: only set request_bkup flag when sending MP_PRIO
mptcp: fix duplicate data handling
selftests: mptcp: always close input's FD if opened
netfilter: ipset: Add list flush to cancel_gc
Linux 6.1.104
Change-Id: I6e7acf04893dbbfc6dc8e57c1f2bdb487687f227
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
These symbols are required to use custom driver
for writing data into Serial device
using common TTY drivers for basic data transmit via UART/SPI.
INFO: 2 function symbol(s) added
'int serdev_device_write(struct serdev_device*, const unsigned char*, size_t, long)'
'void serdev_device_write_wakeup(struct serdev_device*)'
Bug: 356635235
Change-Id: Ia365485ad4b533e5e2826add9182bc98b5563f81
Signed-off-by: iabdullah <imrankhan.abdullah@harman.com>
This reverts commit b39ec657ac which is
commit 8f8bf52ed5b76fc7958b0fbe3131540aecdff8ac upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: Id0361c629d7c4941f132ac93f035f05fc5bf5099
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 99dab05987 which is
commit 3a5e76283672efddf47cea39ccfe9f5735cc91d5 upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I46d93ecc53d873a566f2d3ef8a9e8acf3a09cc59
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 550cb99691 which is
commit eb8c507296 upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: Ibfe863eab77b6e07e72bd50022cd994ee15d75dc
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 6b8ccab544 which is
commit 83ab38ef0a0b2407d43af9575bb32333fdd74fb2 upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: Ie36013c12e969a77b3f68bd37a3b4caab877d593
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
In commit 29a8d4e02f ("cgroup/cpuset: Prevent UAF in
proc_cpuset_show()"), a new .h file is added to kernel/cgroup/cpuset.c
which ends up changing the CRC for cpuset_cpus_allowed(). Fix this up
by only including it in the real build, not when generating the looney
crc values.
Fixes: 29a8d4e02f ("cgroup/cpuset: Prevent UAF in proc_cpuset_show()")
Change-Id: I151a87d3bae9f2319d1a965a4bf715cffead702e
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit ed2c202dac which is
commit 3a5465418f5fd970e86a86c7f4075be262682840 upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I29cfc492dd3ef6c7a9ebc2aa28d238f392a48ce6
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 681583ad67 which is
commit 72d04bdcf3f7d7e07d82f9757946f68802a7270a upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I6c645c8b4a157820561507a1cf3c1180b94aebff
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Remove symbols obsoleted since including CONFIG_SERIAL_8250_BCM7271
Bug: 365149220
Change-Id: Id35a1c68e27359fa5e8a2d90cfa7be5346875ebf
Signed-off-by: Pierre Couillaud <pierre@broadcom.com>
This reverts commit e63c0422d2 which is
commit d329605287020c3d1c3b0dadc63d8208e7251382 upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I53506770d54046f8b8c62edf1342aed9797f33f8
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit cfa1a2329a691ffd991fcf7248a57d752e712881 ]
The BPF ring buffer internally is implemented as a power-of-2 sized circular
buffer, with two logical and ever-increasing counters: consumer_pos is the
consumer counter to show which logical position the consumer consumed the
data, and producer_pos which is the producer counter denoting the amount of
data reserved by all producers.
Each time a record is reserved, the producer that "owns" the record will
successfully advance producer counter. In user space each time a record is
read, the consumer of the data advances the consumer counter once it has finished
processing. Both counters are stored in separate pages so that from user
space, the producer counter is read-only and the consumer counter is read-write.
One aspect that simplifies and thus speeds up the implementation of both
producers and consumers is how the data area is mapped twice contiguously
back-to-back in the virtual memory, allowing to not take any special measures
for samples that have to wrap around at the end of the circular buffer data
area, because the next page after the last data page would be first data page
again, and thus the sample will still appear completely contiguous in virtual
memory.
Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for
book-keeping the length and offset, and is inaccessible to the BPF program.
Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`
for the BPF program to use. Bing-Jhong and Muhammad reported that it is however
possible to make a second allocated memory chunk overlapping with the first
chunk and as a result, the BPF program is now able to edit first chunk's
header.
For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size
of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to
bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in
[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, let's
allocate a chunk B with size 0x3000. This will succeed because consumer_pos
was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask`
check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able
to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned
earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data
pages. This means that chunk B at [0x4000,0x4008] is chunk A's header.
bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then
locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk
B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong
page and could cause a crash.
Fix it by calculating the oldest pending_pos and check whether the range
from the oldest outstanding record to the newest would span beyond the ring
buffer size. If that is the case, then reject the request. We've tested with
the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)
before/after the fix and while it seems a bit slower on some benchmarks, it
is still not significantly enough to matter.
Bug: 349976340
Fixes: 457f44363a ("bpf: Implement BPF ring buffer and verifier support for it")
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Reported-by: Muhammad Ramdhan <ramdhan@starlabs.sg>
Co-developed-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Co-developed-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20240621140828.18238-1-daniel@iogearbox.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit d1b9df0435)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I57847858a13e15118ef18a00257e45f96597e938
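The overlap described in the bpf ringbuf commit message above comes down to arithmetic on three counters. The following is an added model written for this page, not kernel code: the names rb_model, rb_reserve, rb_advance_pending, rb_data_aliases_header and the scenario helpers are this example's own. It replays the reported sequence (0x4000 ring, consumer_pos moved to 0x3000, two 0x3000-byte reservations) against the pre-fix check (`new_prod_pos - cons_pos > rb->mask` only) and against the fixed check that also bounds the span from the oldest outstanding record, and it checks, using the double mapping of the data area, whether the second record's data bytes alias the first record's header.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the bpf_ringbuf reservation check, not kernel code.
 * Records carry an 8-byte header (struct bpf_ringbuf_hdr { u32 len; u32 pg_off; })
 * and every size is rounded up to 8, as the kernel does. */
#define HDR_SZ 8ull
#define MAX_RECS 8

struct rec {
	uint64_t start;   /* logical position of the record header */
	uint64_t total;   /* header + data, rounded up to 8 */
	bool committed;   /* submitted or discarded */
};

struct rb_model {
	uint64_t mask;          /* ring size - 1; size is a power of two */
	uint64_t consumer_pos;  /* lives in a page that is read-write from user space */
	uint64_t producer_pos;  /* lives in a page that is read-only from user space */
	uint64_t pending_pos;   /* oldest record not yet committed; used by the fixed check only */
	struct rec recs[MAX_RECS];
	int nrecs;
	bool fixed;             /* false: pre-fix check only; true: also the pending_pos check */
};

static void rb_init(struct rb_model *rb, uint64_t size, bool fixed)
{
	rb->mask = size - 1;
	rb->consumer_pos = rb->producer_pos = rb->pending_pos = 0;
	rb->nrecs = 0;
	rb->fixed = fixed;
}

/* Walk pending_pos forward over records that are already committed (records are appended in order). */
static uint64_t rb_advance_pending(struct rb_model *rb)
{
	uint64_t pend = rb->pending_pos;
	for (int i = 0; i < rb->nrecs; i++) {
		if (rb->recs[i].start < pend)
			continue;        /* already behind pending_pos */
		if (!rb->recs[i].committed)
			break;           /* oldest outstanding record found */
		pend += rb->recs[i].total;
	}
	rb->pending_pos = pend;
	return pend;
}

/* Returns the logical start of the new record, or -1 when the reservation is rejected. */
static int64_t rb_reserve(struct rb_model *rb, uint64_t len)
{
	uint64_t total = (len + HDR_SZ + 7) & ~7ull;
	uint64_t prod = rb->producer_pos;
	uint64_t new_prod = prod + total;
	uint64_t cons = rb->consumer_pos;
	uint64_t pend = rb->fixed ? rb_advance_pending(rb) : prod;

	if (rb->nrecs == MAX_RECS)
		return -1;
	/* Pre-fix check: producer may not run more than size-1 bytes ahead of the consumer. */
	if (new_prod - cons > rb->mask)
		return -1;
	/* Fixed check: oldest outstanding record through the newest may not span more than size-1 bytes. */
	if (rb->fixed && new_prod - pend > rb->mask)
		return -1;
	rb->recs[rb->nrecs++] = (struct rec){ prod, total, false };
	rb->producer_pos = new_prod;
	return (int64_t)prod;
}

static void rb_commit(struct rb_model *rb, int idx) { rb->recs[idx].committed = true; }

/* True when record b's data bytes alias record a's header: the data area is mapped twice
 * back-to-back, so logical positions that differ by the ring size hit the same bytes. */
static bool rb_data_aliases_header(const struct rb_model *rb, int a, int b)
{
	uint64_t hdr_phys = rb->recs[a].start & rb->mask;
	uint64_t data_lo = rb->recs[b].start + HDR_SZ;
	uint64_t data_len = rb->recs[b].total - HDR_SZ;
	uint64_t dist = (hdr_phys - data_lo) & rb->mask;   /* bytes from data start to the header, mod size */
	return dist < data_len;
}

/* The reported sequence: 0x4000 ring, consumer_pos moved to 0x3000, two 0x3000-byte reserves. */
static int64_t page_scenario_second_reserve(bool fixed)
{
	struct rb_model rb;
	rb_init(&rb, 0x4000, fixed);
	rb.consumer_pos = 0x3000;
	rb_reserve(&rb, 0x3000);          /* chunk A: [0x0, 0x3008] */
	return rb_reserve(&rb, 0x3000);   /* chunk B: [0x3008, 0x6010] pre-fix; rejected by the fixed check */
}

static bool page_scenario_aliases(bool fixed)
{
	struct rb_model rb;
	rb_init(&rb, 0x4000, fixed);
	rb.consumer_pos = 0x3000;
	if (rb_reserve(&rb, 0x3000) < 0 || rb_reserve(&rb, 0x3000) < 0)
		return false;
	return rb_data_aliases_header(&rb, 0, 1);
}

/* The fixed check still admits the second record once the first one has been committed. */
static int64_t committed_then_reserve(void)
{
	struct rb_model rb;
	rb_init(&rb, 0x4000, true);
	rb.consumer_pos = 0x3000;
	rb_reserve(&rb, 0x3000);
	rb_commit(&rb, 0);
	return rb_reserve(&rb, 0x3000);
}

int main(void)
{
	printf("pre-fix: second reserve -> %lld, data aliases header A: %d\n",
	       (long long)page_scenario_second_reserve(false), page_scenario_aliases(false));
	printf("fixed  : second reserve -> %lld, data aliases header A: %d\n",
	       (long long)page_scenario_second_reserve(true), page_scenario_aliases(true));
	printf("fixed, A committed: second reserve -> %lld\n", (long long)committed_then_reserve());
	return 0;
}
```

With the pre-fix check alone, the second reservation is accepted at 0x3008 and its data window reaches logical 0x4000, which is chunk A's header at physical offset 0; with the pending_pos bound, the same request is rejected while chunk A is still outstanding and is accepted again once chunk A is committed, which is the property the fix relies on.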