Add the following symbol for power_supply_core driver to be used in
bq27xxx_battery driver.
1 function symbol(s) added
'struct power_supply *__must_check power_supply_register_no_ws(struct
device *, const struct power_supply_desc *, const struct
power_supply_config *)'
Bug: 370695775
Change-Id: Ie47064f9724b52ef260c33f12e7681e0eee74a1e
Signed-off-by: Monish Chunara <quic_mchunara@quicinc.com>
virtio-audio is used in Haleytek and Volvo Cars audio.
Symbols added:
snd_device_new
snd_pcm_hw_limit_rates
_snd_pcm_stream_lock_irqsave
snd_pcm_stream_unlock_irqrestore
Bug: 370896645
Change-Id: I741aa41e4ecb873994e567734ebe6728e1de2a69
Signed-off-by: Victor Shutemov <victor@haleytek.com>
Commit 63fc9af83c ("soc: qcom: geni-se: add desc struct to specify clocks
from device match data") modifies a structure in
drivers/soc/qcom/qcom-geni-se.c as follows.
type 'struct geni_wrapper' changed
byte size changed from 48 to 56
member 'struct clk_bulk_data ahb_clks[2]' was removed
member 'struct clk_bulk_data clks[2]' was added
member 'unsigned int num_clks' was added
The Android 14 ABI tooling does not exclude this type definition.
This commit updates the ABI representation with the apparent break.
This is safe because the type is not visible to any other code.
Bug: 370629635
Change-Id: I9caeba4a48c4485e209352fa8fe56244e7859ea7
Signed-off-by: Giuliano Procida <gprocida@google.com>
The I2C Master Hub is a stripped down version of the GENI Serial Engine
QUP Wrapper Controller but only supporting I2C serial engines without
DMA support.
Prepare support for the I2C Master Hub variant by moving the required
clocks list to a new desc struct then passing it through the compatible
match data.
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Bug: 370629635
Change-Id: I3dacf29d5a1c630b676bf35644222fd96b399446
(cherry picked from commit 63fc9af83c)
Signed-off-by: Praveen Talari <quic_ptalari@quicinc.com>
2 function symbol(s) added
'int alloc_contig_range(unsigned long start, unsigned long end, unsigned migratetype, gfp_t gfp_mask)'
'void free_contig_range(unsigned long pfn, unsigned long nr_pages)'
Bug: 370415608
Change-Id: I6ed58458b26364c07779d4b4f662444f14e9a146
Signed-off-by: Seiya Wang <seiya.wang@mediatek.com>
When we share memory through FF-A and the description of the buffers
exceeds the size of the mapped buffer, the fragmentation API is used.
The fragmentation API allows specifying chunks of descriptors in subsequent
FF-A fragment calls and no upper limit has been established for this.
The entire memory region transferred is identified by a handle which can be
used to reclaim the transferred memory.
To be able to reclaim the memory, the description of the buffers has to fit
in the ffa_desc_buf.
Add a bounds check on the FF-A sharing path to prevent the memory reclaim
from failing.
Also do_ffa_mem_xfer() does not need __always_inline, except for the
BUILD_BUG_ON() aspect, which gets moved to a macro.
[maz: fixed the BUILD_BUG_ON() breakage with LLVM, thanks to Wei-Lin Chang
for the timely report]
Fixes: 634d90cf0a ("KVM: arm64: Handle FFA_MEM_LEND calls from the host")
Cc: stable@vger.kernel.org
Reviewed-by: Sebastian Ene <sebastianene@google.com>
Signed-off-by: Snehal Koukuntla <snehalreddy@google.com>
Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Link: https://lore.kernel.org/r/20240909180154.3267939-1-snehalreddy@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
(cherry picked from commit f26a525b77e040d584e967369af1e018d2d59112)
Bug: 298514256
Change-Id: If515f5c03db42e7c994f9f82bef6167b104d75e2
Signed-off-by: Snehal Koukuntla <snehalreddy@google.com>
The function prototype for dev_pm_opp_add differs between a
configuration when CONFIG_PM_OPP is set versus when CONFIG_PM_OPP is not
set.
Fix this mismatch by aligning the function arguments for the dummy
dev_pm_opp_add with the non-dummy version.
Bug: 369659366
Fixes: adf41f4737 ("BACKPORT: OPP: Add dev_pm_opp_add_dynamic() to allow more flexibility")
Change-Id: If23af6ba28bb493d619f96846545cb86608b285d
Signed-off-by: Anant Goel <quic_anantg@quicinc.com>
Export a symbol “next_arg” in android/abi_gki_aarch64_honor
Bug: 368221985
Change-Id: I0bd8fc321752f0fa3d103b56510b33eadcb6e39b
Signed-off-by: yipeng xiang <yipengxiang@honor.corp-partner.google.com>
[ Upstream commit c07ff8592d57ed258afee5a5e04991a48dbaf382 ]
There is a bug in netem_enqueue() introduced by
commit 5845f70638 ("net: netem: fix skb length BUG_ON in __skb_to_sgvec")
that can lead to a use-after-free.
This commit made netem_enqueue() always return NET_XMIT_SUCCESS
when a packet is duplicated, which can cause the parent qdisc's q.qlen
to be mistakenly incremented. When this happens qlen_notify() may be
skipped on the parent during destruction, leaving a dangling pointer
for some classful qdiscs like DRR.
There are two ways for the bug to happen:
- If the duplicated packet is dropped by rootq->enqueue() and then
the original packet is also dropped.
- If rootq->enqueue() sends the duplicated packet to a different qdisc
and the original packet is dropped.
In both cases NET_XMIT_SUCCESS is returned even though no packets
are enqueued at the netem qdisc.
The fix is to defer the enqueue of the duplicate packet until after
the original packet has been guaranteed to return NET_XMIT_SUCCESS.
Bug: 362391455
Fixes: 5845f70638 ("net: netem: fix skb length BUG_ON in __skb_to_sgvec")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240819175753.5151-1-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 0486d31dd8)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I390f02549c726e961f57daace468d5cd48468722
In some cases VMAs are split without the mmap write lock held;
later the lock is taken to fixup vm_flags of the original VMA.
Since some upper bits of vm_flags are used to encode the ELF
padding ranges, they need to be modified on splits. This is
usually handled correctly by __split_vma(). However in the above
case, the flags get overwritten later under the write lock.
Preserve vm_flag bits on reset to correctly represent padding.
Bug: 357901498
Change-Id: I1cb75419e614791a47cbdb0341373f619daf0bf2
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Introduce inline header to avoid circular dependency. This
will be used in a subsequent patch.
Also take opportunity to do some small noop refactor in
vma_pad_pages() and split_pad_vma() for more robust code.
Bug: 357901498
Change-Id: Ia5f447758d0d07ed3e1429ca1e35dcc0741cc22a
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
The BINDER_WORK_FROZEN_BINDER type is not handled in the binder_logs
entries and it shows up as "unknown work" when logged:
  proc 649
  context binder-test
  thread 649: l 00 need_return 0 tr 0
  ref 13: desc 1 node 8 s 1 w 0 d 0000000053c4c0c3
  unknown work: type 10
This patch adds the freeze work type and is now logged as such:
  proc 637
  context binder-test
  thread 637: l 00 need_return 0 tr 0
  ref 8: desc 1 node 3 s 1 w 0 d 00000000dc39e9c6
  has frozen binder
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 366003708
Link: https://lore.kernel.org/all/20240924184401.76043-5-cmllamas@google.com/
Change-Id: I06f888aa5218db19eeda79e315385506af09d9d5
Signed-off-by: Carlos Llamas <cmllamas@google.com>
When a binder reference is cleaned up, any freeze work queued in the
associated process should also be removed. Otherwise, the reference is
freed while its ref->freeze.work is still queued in proc->work leading
to a use-after-free issue as shown by the following KASAN report:
==================================================================
BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0
Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211
CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
binder_release_work+0x398/0x3d0
binder_deferred_func+0xb60/0x109c
process_one_work+0x51c/0xbd4
worker_thread+0x608/0xee8
Allocated by task 703:
__kmalloc_cache_noprof+0x130/0x280
binder_thread_write+0xdb4/0x42a0
binder_ioctl+0x18f0/0x25ac
__arm64_sys_ioctl+0x124/0x190
invoke_syscall+0x6c/0x254
Freed by task 211:
kfree+0xc4/0x230
binder_deferred_func+0xae8/0x109c
process_one_work+0x51c/0xbd4
worker_thread+0x608/0xee8
==================================================================
This commit fixes the issue by ensuring any queued freeze work is removed
when cleaning up a binder reference.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 366003708
Link: https://lore.kernel.org/all/20240924184401.76043-4-cmllamas@google.com/
Change-Id: Icc40e7dd6157981f4adbea7243e55be118552321
[cmllamas: drop BINDER_STAT_FREEZE as it's not supported here]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
In binder_add_freeze_work() we iterate over the proc->nodes with the
proc->inner_lock held. However, this lock is temporarily dropped to
acquire the node->lock first (lock nesting order). This can race with
binder_deferred_release() which removes the nodes from the proc->nodes
rbtree and adds them into binder_dead_nodes list. This leads to a broken
iteration in binder_add_freeze_work() as rb_next() will use data from
binder_dead_nodes, triggering an out-of-bounds access:
==================================================================
BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124
Read of size 8 at addr ffffcb84285f7170 by task freeze/660
CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18
Hardware name: linux,dummy-virt (DT)
Call trace:
rb_next+0xfc/0x124
binder_add_freeze_work+0x344/0x534
binder_ioctl+0x1e70/0x25ac
__arm64_sys_ioctl+0x124/0x190
The buggy address belongs to the variable:
binder_dead_nodes+0x10/0x40
[...]
==================================================================
This is possible because proc->nodes (rbtree) and binder_dead_nodes
(list) share entries in binder_node through a union:
  struct binder_node {
  [...]
          union {
                  struct rb_node rb_node;
                  struct hlist_node dead_node;
          };
Fix the race by checking that the proc is still alive. If not, simply
break out of the iteration.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 366003708
Link: https://lore.kernel.org/all/20240924184401.76043-3-cmllamas@google.com/
Change-Id: I5ec9d49277a23b864862665b52213460750c535e
Signed-off-by: Carlos Llamas <cmllamas@google.com>
In binder_add_freeze_work() we iterate over the proc->nodes with the
proc->inner_lock held. However, this lock is temporarily dropped in
order to acquire the node->lock first (lock nesting order). This can
race with binder_node_release() and trigger a use-after-free:
==================================================================
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
Write of size 4 at addr ffff53c04c29dd04 by task freeze/640
CPU: 5 UID: 0 PID: 640 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #17
Hardware name: linux,dummy-virt (DT)
Call trace:
_raw_spin_lock+0xe4/0x19c
binder_add_freeze_work+0x148/0x478
binder_ioctl+0x1e70/0x25ac
__arm64_sys_ioctl+0x124/0x190
Allocated by task 637:
__kmalloc_cache_noprof+0x12c/0x27c
binder_new_node+0x50/0x700
binder_transaction+0x35ac/0x6f74
binder_thread_write+0xfb8/0x42a0
binder_ioctl+0x18f0/0x25ac
__arm64_sys_ioctl+0x124/0x190
Freed by task 637:
kfree+0xf0/0x330
binder_thread_read+0x1e88/0x3a68
binder_ioctl+0x16d8/0x25ac
__arm64_sys_ioctl+0x124/0x190
==================================================================
Fix the race by taking a temporary reference on the node before
releasing the proc->inner lock. This ensures the node remains alive
while in use.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 366003708
Link: https://lore.kernel.org/all/20240924184401.76043-2-cmllamas@google.com/
Change-Id: I47b053532dd4cd3424d35d6f254ca4d00c426411
Signed-off-by: Carlos Llamas <cmllamas@google.com>
If a pmem device is in a bad status, the driver side could wait for
host ack forever in virtio_pmem_flush(), causing the system to hang.
So add a status check in the beginning of virtio_pmem_flush() to return
early if the device is not activated.
Signed-off-by: Philip Chen <philipchen@chromium.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Pankaj Gupta <pankaj.gupta.linux@gmail.com>
Bug: 358391069
Change-Id: I325e6f0ea047c4c5fa82cf4b590cbf7240f39b7b
(cherry picked from commit e25fbcd97cf52c3c9824d44b5c56c19673c3dd50 https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master)
Signed-off-by: Philip Chen <philipchen@google.com>
Update symbol list for honor in android/abi_gki_aarch64_honor
Bug: 369259421
Change-Id: I6954293467a50a758b27444bf51b7205d68dd34d
Signed-off-by: Chenghao Zhao <zhaochenghao@honor.com>
Export netdev_get_name, tcp_send_active_reset functions, allow vendor
modules to perform more operations on socks and improve users' online
experience. When users browse websites or watch videos, we will sense
the bad sock is on which device, so that the sock can be switched to
another good device by us, so that the internet service will no longer
be stuck. In a similar scenario, if the user downloads from multiple
devices and the rate of one device is low, we can reset the TCP stream
with a lower rate and establish it on the device with a higher rate.
Bug: 334000512
Change-Id: I9ed90ea9fe6f3dc9f11ae1661ca9f2f5fdad5820
Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com>
(cherry picked from commit 21614c79408f0342363db9874d315fbb3ff6553b)
android_vh_modify_scan_control().
add two vendor hooks:
android_vh_page_should_be_protected(): protect pages from memory
reclaim.
android_vh_page_referenced_check_bypass(): bypass rmap in active list
shrink.
The new vendor data field in scan_control are used to track how many
pages are protected in current reclaim and the "protected / scanned"
rate. These parameters are useful for understanding the impact of page
protection operations on LRU and reclaim, helping us make better
decisions.
Bug: 348285765
Change-Id: I49567a4b1f978821a94da0a8339b2b8fdfd52daf
Signed-off-by: Yuxuan Yan <yanyuxuan3@xiaomi.corp-partner.google.com>
kcompactd_cpu_online() changes kcompactd cpumask, potentially
overwriting any vendor-specific cpumask that was there. This
hook allows vendors to re-set the cpumask.
Bug: 367400751
Change-Id: I45b92bcd16fbf2d5d76474287db659e32af64201
Signed-off-by: Dmitry Skiba <dskiba@google.com>
Add vendor_hook trace_android_vh_should_fault_around, allow vendor modules
to skip the fault_around processing for less important processes.
Bug: 362663044
Bug: 337547131
Change-Id: I792dca2038f5ad7cba1d212ef95407244958609d
Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com>
(cherry picked from commit 65ebb00fe7977348d5fcfa58985c29181f3ec173)
Adding the following symbols to abi_gki_aarch64_pixel:
- mbox_request_channel_byname
Bug: 368167673
Change-Id: I031522377372a25bf5f9e97eb4832173463de390
Signed-off-by: David Chiang <davidchiang@google.com>
Update symbol list for honor in android/abi_gki_aarch64_honor
Bug: 365506689
Change-Id: I604163b979660eaedbc13d3da5c9e3cdb8275e50
Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com>
When an LMK (Low Memory Killer) occurs, it is crucial for us to identify
the underlying cause of low memory. Based on past experiences, memory
leaks are often the root cause in such situations. The purpose of this
function is to assist us in identifying which application or type of
memory is experiencing memory leaks, thereby enabling us to effectively
locate and address the memory leakage issue.
Bug: 365506689
Bug: 346707562
Change-Id: I5d7d6bdbca30660f2a552211fd8aff40d3550df7
Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com>
(cherry picked from commit d61134668c2d37846a6cea3e1ab3c237f2c7bc99)
Update symbol list for honor in android/abi_gki_aarch64_honor
Bug: 365506454
Change-Id: I5d9a7a41da2a6f97998fadbbcb447db53b873bcc
Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com>
Export binder_alloc_copy_from_buffer, allow vendor modules to perform more operations
on binder transaction and improve user operation fluency and timeliness experience.
Bug: 365506454
Bug: 343139379
Change-Id: I4353763099d854a62d0b70b003fbaca00e2c76e4
Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com>
(cherry picked from commit d8db83d94e14b48819bba18cb975943c237e33df)
Keep atomic file clean while updating and make it dirtied during commit
in order to avoid unnecessary and excessive inode updates in the previous
fix.
Fixes: 4bf78322346f ("f2fs: mark inode dirty for FI_ATOMIC_COMMITTED flag")
Change-Id: I2a29d047fa4233632876c61cf909340d1f60c26d
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Bug: 352181300
(cherry picked from commit fccaa81de87e80b1809906f7e438e5766fbdc172
https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git dev)
Change-Id: I5970e56a5318804cfebea340b5b19d6e0a66dc01
Signed-off-by: Daeho Jeong <daehojeong@google.com>
These symbols are required to use custom driver
for writing data into Serial device
using common TTY drivers for basic data transmit via UART/SPI.
INFO: 2 function symbol(s) added
'int serdev_device_write(struct serdev_device*, const unsigned char*, size_t, long)'
'void serdev_device_write_wakeup(struct serdev_device*)'
Bug: 356635235
Change-Id: Ia365485ad4b533e5e2826add9182bc98b5563f81
Signed-off-by: iabdullah <imrankhan.abdullah@harman.com>
Remove symbols obsoleted since including CONFIG_SERIAL_8250_BCM7271
Bug: 365149220
Change-Id: Id35a1c68e27359fa5e8a2d90cfa7be5346875ebf
Signed-off-by: Pierre Couillaud <pierre@broadcom.com>
[ Upstream commit cfa1a2329a691ffd991fcf7248a57d752e712881 ]
The BPF ring buffer internally is implemented as a power-of-2 sized circular
buffer, with two logical and ever-increasing counters: consumer_pos is the
consumer counter to show which logical position the consumer consumed the
data, and producer_pos which is the producer counter denoting the amount of
data reserved by all producers.
Each time a record is reserved, the producer that "owns" the record will
successfully advance producer counter. In user space each time a record is
read, the consumer of the data advanced the consumer counter once it finished
processing. Both counters are stored in separate pages so that from user
space, the producer counter is read-only and the consumer counter is read-write.
One aspect that simplifies and thus speeds up the implementation of both
producers and consumers is how the data area is mapped twice contiguously
back-to-back in the virtual memory, allowing to not take any special measures
for samples that have to wrap around at the end of the circular buffer data
area, because the next page after the last data page would be first data page
again, and thus the sample will still appear completely contiguous in virtual
memory.
Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for
book-keeping the length and offset, and is inaccessible to the BPF program.
Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`
for the BPF program to use. Bing-Jhong and Muhammad reported that it is however
possible to make a second allocated memory chunk overlapping with the first
chunk and as a result, the BPF program is now able to edit first chunk's
header.
For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size
of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to
bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in
[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, let's
allocate a chunk B with size 0x3000. This will succeed because consumer_pos
was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask`
check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able
to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned
earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data
pages. This means that chunk B at [0x4000,0x4008] is chunk A's header.
bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then
locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk
B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong
page and could cause a crash.
Fix it by calculating the oldest pending_pos and check whether the range
from the oldest outstanding record to the newest would span beyond the ring
buffer size. If that is the case, then reject the request. We've tested with
the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)
before/after the fix and while it seems a bit slower on some benchmarks, it
is still not significantly enough to matter.
Bug: 349976340
Fixes: 457f44363a ("bpf: Implement BPF ring buffer and verifier support for it")
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Reported-by: Muhammad Ramdhan <ramdhan@starlabs.sg>
Co-developed-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Co-developed-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20240621140828.18238-1-daniel@iogearbox.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit d1b9df0435)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I57847858a13e15118ef18a00257e45f96597e938
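The reservation check described in the ring buffer commit message above, replayed as an added user-space model; this is example code, not part of the commit or the kernel source. The names rb_model, rb_reserve, oldest_pending, payload_aliases_header and replay, the BUSY_BIT flag value and the header bookkeeping array are assumptions made for the model; the sizes and offsets are the ones quoted in the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define RB_SIZE  0x4000u      /* map size used in the commit message's example */
#define RB_MASK  (RB_SIZE - 1)
#define HDR_SZ   8u           /* struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } */
#define BUSY_BIT 0x80000000u  /* model flag: reserved, not yet submitted or discarded */

struct rb_model {
    uint64_t consumer_pos;          /* writable from user space */
    uint64_t producer_pos;
    uint64_t pending_pos;           /* oldest outstanding record (model field) */
    uint32_t hdr_len[RB_SIZE / 8];  /* header len, indexed by physical offset / 8 */
};

static uint64_t round_up8(uint64_t v) { return (v + 7) & ~(uint64_t)7; }

/* Skip records at the head that are no longer busy; stop at the first busy one. */
static uint64_t oldest_pending(struct rb_model *rb)
{
    uint64_t pos = rb->pending_pos;
    while (pos < rb->producer_pos) {
        uint32_t len = rb->hdr_len[(pos & RB_MASK) / 8];
        if (len & BUSY_BIT)
            break;
        pos += round_up8((uint64_t)len + HDR_SZ);
    }
    return rb->pending_pos = pos;
}

/* Returns the logical position of the new record's header, or -1 if rejected. */
static int64_t rb_reserve(struct rb_model *rb, uint32_t size, bool with_fix)
{
    uint64_t len = round_up8((uint64_t)size + HDR_SZ);
    uint64_t new_prod = rb->producer_pos + len;
    if (new_prod - rb->consumer_pos > RB_MASK)       /* the pre-existing check */
        return -1;
    if (with_fix && new_prod - oldest_pending(rb) > RB_MASK)
        return -1;                                   /* outstanding span exceeds the ring */
    rb->hdr_len[(rb->producer_pos & RB_MASK) / 8] = size | BUSY_BIT;
    rb->producer_pos = new_prod;
    return (int64_t)(new_prod - len);
}

/* True if the payload at rec_pos covers the header at hdr_pos after the double mapping folds. */
static bool payload_aliases_header(uint64_t rec_pos, uint32_t size, uint64_t hdr_pos)
{
    uint64_t start = rec_pos + HDR_SZ, end = start + size, alias = hdr_pos;
    while (alias + HDR_SZ <= start)
        alias += RB_SIZE;
    return alias < end;
}

/* Replays the message's scenario: consumer_pos preset to 0x3000, two 0x3000 reserves. */
static int64_t replay(bool with_fix, int64_t *chunk_a)
{
    struct rb_model rb = { .consumer_pos = 0x3000 };
    *chunk_a = rb_reserve(&rb, 0x3000, with_fix);
    return rb_reserve(&rb, 0x3000, with_fix);
}

int main(void)
{
    int64_t a, b = replay(false, &a);
    bool hit = payload_aliases_header((uint64_t)b, 0x3000, (uint64_t)a);
    printf("unfixed: B at %#llx, covers A's header: %d\n", (unsigned long long)b, hit);
    printf("fixed: second reserve returns %lld\n", (long long)replay(true, &a));
    return 0;
}
```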
This config option was not requested by any partner and has non-zero
overhead on process creation. Disable it.
Bug: 191150949
Bug: 365466166
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: Ia9547c989c22246c46ed9624a0707c6369ee4de0