Add vendor hook to get metainfo of direct/buffered read and write.
Determine hot files in each performance-sensitive user scenario.
Bug: 380502059
Change-Id: Ie7604852df637d6664afd72e87bd6d4b14bbc2a2
Signed-off-by: Rui Chen <chenrui9@honor.com>
In some situations where xhci removal happens parallel to xhci_handshake,
we encounter a scenario where the xhci_handshake can't succeed, and it
polls until timeout.
If xhci_handshake runs until timeout it can on some platforms result in
a long wait which might lead to a watchdog timeout.
Add a helper that checks xhci status during the handshake, and exits if
set state is entered. Use this helper in places where xhci_handshake is
called unlocked and has a long timeout. For example xhci command timeout
and xhci reset.
[commit message and code comment rewording -Mathias]
Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20231019102924.2797346-18-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 383443034
Change-Id: Iec54af32dcf6b07075e3f084dba914fc43635ee6
(cherry picked from commit 6ccb83d6c4972ebe6ae49de5eba051de3638362c)
Signed-off-by: Faisal Hassan <quic_faisalh@quicinc.com>
This reverts commit 62bbb08add179b68e2ce0ede59f3c4b37d6c92a8.
Reason for revert: b/382800956
Bug: 382800956
Change-Id: Ic7a0cdbb060c12c1628a5859d795e78cd6b9341d
Signed-off-by: Todd Kjos <tkjos@google.com>
(cherry picked from commit c376628415656f16d398aad95c218a06805038bd)
Signed-off-by: Lee Jones <joneslee@google.com>
This reverts commit e1ba90026d98e53f5736131f3363424e83315f00.
Reapplying only to re-revert with the correct Change-Id
Bug: 382800956
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: Icdd08040f04ed7e85d31b7f8551ee2ef1d0b95b0
[ Upstream commit 177f25d1292c7e16e1199b39c85480f7f8815552 ]
Since the report buffer is used by all kinds of drivers in various ways, let's
zero-initialize it during allocation to make sure that it can't be ever used
to leak kernel memory via specially-crafted report.
Bug: 380395346
Fixes: 27ce405039 ("HID: fix data access in implement()")
Reported-by: Benoît Sevens <bsevens@google.com>
Acked-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 9d9f5c75c0)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I31f64f2745347137bbc415eb35b7fab5761867f3
A fwnode link between specific supplier-consumer fwnodes can be added
multiple times for multiple reasons. If that dependency doesn't exist,
deleting the fwnode link once doesn't guarantee that it won't get created
again.
So, add FWLINK_FLAG_IGNORE flag to mark a fwnode link as one that needs to
be completely ignored. Since a fwnode link's flags is an OR of all the
flags passed to all the fwnode_link_add() calls to create that specific
fwnode link, the FWLINK_FLAG_IGNORE flag is preserved and can be used to
mark a fwnode link as on that need to be completely ignored until it is
deleted.
Signed-off-by: Saravana Kannan <saravanak@google.com>
Acked-by: "Rafael J. Wysocki" <rafael@kernel.org>
Reviewed-by: Rob Herring <robh@kernel.org>
Link: https://lore.kernel.org/r/20240305050458.1400667-3-saravanak@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit b7e1241d8f77ed64404a5e4450f43a319310fc91)
Change-Id: If9cbc4adf796816a6c04de049d57d7a5d0858e27
Bug: 347344057
When the free segment is used up during CP disable, many write or
ioctl operations will get ENOSPC error codes, even if there are
still many blocks available. We can reproduce it in the following
steps:
dd if=/dev/zero of=f2fs.img bs=1M count=65
mkfs.f2fs -f f2fs.img
mount f2fs.img f2fs_dir -o checkpoint=disable:10%
cd f2fs_dir
i=1 ; while [[ $i -lt 50 ]] ; do (file_name=./2M_file$i ; dd \
if=/dev/random of=$file_name bs=1M count=2); i=$((i+1)); done
sync
i=1 ; while [[ $i -lt 50 ]] ; do (file_name=./2M_file$i ; truncate \
-s 1K $file_name); i=$((i+1)); done
sync
dd if=/dev/zero of=./file bs=1M count=20
In f2fs_need_SSR() function, it is allowed to use SSR to allocate
blocks when CP is disabled, so in f2fs_is_checkpoint_ready function,
can we judge the number of invalid blocks when free segment is not
enough, and return ENOSPC only if the number of invalid blocks is
also not enough.
Signed-off-by: Qi Han <hanqi@vivo.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 84b5bb8bf0f6a78c232a20c2eecdbb8112ac2703)
Signed-off-by: Daniel Rosenberg <drosen@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:225caf3bdf7a4977ae50ba9b5c5470a16d480100)
Merged-In: I41ad315f603cd764d0e9b8ef984447e7116b1514
Change-Id: I41ad315f603cd764d0e9b8ef984447e7116b1514
There are very similar codes in inc_valid_block_count() and
inc_valid_node_count() which is used for available user block
count calculation.
This patch introduces a new helper get_available_block_count()
to include those common codes, and used it to clean up codes.
Change-Id: Ie2ce55bdac091bc4880478eeba2a76e1608726e3
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 0f1c6ede6da9f7c5dd7380b74a64850298279168)
[Added line for F2FS_IO_ALIGNED, which was removed in later kernels]
Signed-off-by: Daniel Rosenberg <drosen@google.com>
When two client of the same gpio call pinctrl_select_state() for the
same functionality, we are seeing NULL pointer issue while accessing
desc->mux_owner.
Let's say two processes A, B executing in pin_request() for the same pin
and process A updates the desc->mux_usecount but not yet updated the
desc->mux_owner while process B see the desc->mux_usecount which got
updated by A path and further executes strcmp and while accessing
desc->mux_owner it crashes with NULL pointer.
Serialize the access to mux related setting with a mutex lock.
cpu0 (process A) cpu1(process B)
pinctrl_select_state() { pinctrl_select_state() {
pin_request() { pin_request() {
...
....
} else {
desc->mux_usecount++;
desc->mux_usecount && strcmp(desc->mux_owner, owner)) {
if (desc->mux_usecount > 1)
return 0;
desc->mux_owner = owner;
} }
Bug: 376023321
Bug: 381832937
Link: https://lore.kernel.org/lkml/20241014192930.1539673-1-quic_mojha@quicinc.com/
Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
(cherry picked from commit 5a3e85c3c397c781393ea5fb2f45b1f60f8a4e6e
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl.git for-next)
Change-Id: Ib417544f0dcc5174d6f9b01d0243c19162f82fff
Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
Signed-off-by: Srinivasarao Pathipati <quic_c_spathi@quicinc.com>
Some shared memory areas might only support a certain access width,
such as 32-bit, which memcpy_{from,to}_io() does not adhere to at least
on ARM64 by making both 8-bit and 64-bit accesses to such memory.
Update the shmem layer to support reading from and writing to such
shared memory area using the specified I/O width in the Device Tree. The
various transport layers making use of the shmem.c code are updated
accordingly to pass the I/O accessors that they store.
Bug: 369085303
Change-Id: I97d80dd4027fe8290781ad7fc3859c2bdaf34522
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Message-Id: <20240827182450.3608307-3-florian.fainelli@broadcom.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
(cherry picked from commit 2cd7f3db25feeb7c204e36df9f1bb13bea3a3a20)
Signed-off-by: Danesh Petigara <danesh.petigara@broadcom.com>
Signed-off-by: Pierre Couillaud <pierre@broadcom.com>
Changes in 6.1.118
Revert "Bluetooth: fix use-after-free in accessing skb after sending it"
Revert "Bluetooth: hci_sync: Fix overwriting request callback"
Revert "Bluetooth: af_bluetooth: Fix deadlock"
Revert "Bluetooth: hci_core: Fix possible buffer overflow"
Revert "Bluetooth: hci_conn: Consolidate code for aborting connections"
9p: Avoid creating multiple slab caches with the same name
irqchip/ocelot: Fix trigger register address
nvme: tcp: avoid race between queue_lock lock and destroy
block: Fix elevator_get_default() checking for NULL q->tag_set
HID: multitouch: Add support for B2402FVA track point
HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad
nvme: disable CC.CRIME (NVME_CC_CRIME)
bpf: use kvzmalloc to allocate BPF verifier environment
crypto: api - Fix liveliness check in crypto_alg_tested
crypto: marvell/cesa - Disable hash algorithms
sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML
drm/vmwgfx: Limit display layout ioctl array size to VMWGFX_NUM_DISPLAY_UNITS
nvme-multipath: defer partition scanning
powerpc/powernv: Free name on error in opal_event_init()
nvme: make keep-alive synchronous operation
vDPA/ifcvf: Fix pci_read_config_byte() return code handling
bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6
fs: Fix uninitialized value issue in from_kuid and from_kgid
HID: multitouch: Add quirk for Logitech Bolt receiver w/ Casa touchpad
HID: lenovo: Add support for Thinkpad X1 Tablet Gen 3 keyboard
LoongArch: Use "Exception return address" to comment ERA
net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition
md/raid10: improve code of mrdev in raid10_sync_request
io_uring: fix possible deadlock in io_register_iowq_max_workers()
uprobes: encapsulate preparation of uprobe args buffer
uprobe: avoid out-of-bounds memory access of fetching args
drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer
ext4: fix timer use-after-free on failed mount
Bluetooth: L2CAP: Fix uaf in l2cap_connect
mm: krealloc: Fix MTE false alarm in __do_krealloc
platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors
fs/ntfs3: Fix general protection fault in run_is_mapped_full
9p: fix slab cache name creation for real
Linux 6.1.118
Change-Id: I759ed42e553a2b40786b3c6da5fea53b15e58751
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Steps on the way to 6.1.118
Merges around these reverts as we have already reverted them in our tree
and directly merging causes conflicts.
Change-Id: I92d2b4fe1428b1979ee3e0f63247eb3400378e3a
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Changes in 6.1.117
arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-eaidk-610
arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator
arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328
arm64: dts: rockchip: Fix wakeup prop names on PineNote BT node
arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards
arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma lion
arm64: dts: rockchip: Fix LED triggers on rk3308-roc-cc
arm64: dts: imx8qm: Fix VPU core alias name
arm64: dts: imx8qxp: Add VPU subsystem file
arm64: dts: imx8-ss-vpu: Fix imx8qm VPU IRQs
arm64: dts: imx8mp: correct sdhc ipg clk
ARM: dts: rockchip: fix rk3036 acodec node
ARM: dts: rockchip: drop grf reference from rk3036 hdmi
ARM: dts: rockchip: Fix the spi controller on rk3036
ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin
HID: core: zero-initialize the report buffer
platform/x86/amd/pmc: Detect when STB is not available
sunrpc: handle -ENOTCONN in xs_tcp_setup_socket()
NFSv3: only use NFS timeout for MOUNT when protocols are compatible
NFSv3: handle out-of-order write replies.
nfs: avoid i_lock contention in nfs_clear_invalid_mapping
security/keys: fix slab-out-of-bounds in key_task_permission
net: enetc: set MAC address to the VF net_device
sctp: properly validate chunk size in sctp_sf_ootb()
can: c_can: fix {rx,tx}_errors statistics
ice: change q_index variable type to s16 to store -1 value
i40e: fix race condition by adding filter's intermediate sync state
net: hns3: fix kernel crash when uninstalling driver
net: phy: ti: add PHY_RST_AFTER_CLK_EN flag
net: stmmac: Fix unbalanced IRQ wake disable warning on single irq case
virtio_net: Add hash_key_length check
net: arc: fix the device for dma_map_single/dma_unmap_single
net: arc: rockchip: fix emac mdio node support
Revert "ALSA: hda/conexant: Mute speakers at suspend / shutdown"
media: stb0899_algo: initialize cfr before using it
media: dvbdev: prevent the risk of out of memory access
media: dvb_frontend: don't play tricks with underflow values
media: adv7604: prevent underflow condition when reporting colorspace
scsi: sd_zbc: Use kvzalloc() to allocate REPORT ZONES buffer
ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init()
tools/lib/thermal: Fix sampling handler context ptr
thermal/of: support thermal zones w/o trips subnode
ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove
media: ar0521: don't overflow when checking PLL values
media: s5p-jpeg: prevent buffer overflows
media: cx24116: prevent overflows on SNR calculus
media: pulse8-cec: fix data timestamp at pulse8_setup()
media: v4l2-tpg: prevent the risk of a division by zero
media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl()
can: mcp251xfd: mcp251xfd_get_tef_len(): fix length calculation
can: mcp251xfd: mcp251xfd_ring_alloc(): fix coalescing configuration when switching CAN modes
ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create
ksmbd: Fix the missing xa_store error check
ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp
pwm: imx-tpm: Use correct MODULO value for EPWM mode
drm/amdgpu: Adjust debugfs eviction and IB access permissions
drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()
drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported
thermal/drivers/qcom/lmh: Remove false lockdep backtrace
dm cache: correct the number of origin blocks to match the target length
dm cache: fix flushing uninitialized delayed_work on cache_ctr error
dm cache: fix out-of-bounds access to the dirty bitset when resizing
dm cache: optimize dirty bit checking with find_next_bit when resizing
dm cache: fix potential out-of-bounds access on the first resume
dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow
ALSA: usb-audio: Add quirk for HP 320 FHD Webcam
ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3
posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone
nfs: Fix KMSAN warning in decode_getfattr_attrs()
net: wwan: t7xx: Fix off-by-one error in t7xx_dpmaif_rx_buf_alloc()
net: vertexcom: mse102x: Fix possible double free of TX skb
mptcp: use sock_kfree_s instead of kfree
arm64: Kconfig: Make SME depend on BROKEN for now
btrfs: reinitialize delayed ref list after deleting it from the list
riscv/purgatory: align riscv_kernel_entry
bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
Revert "wifi: mac80211: fix RCU list iterations"
net: do not delay dst_entries_add() in dst_release()
kselftest/arm64: Initialise current at build time in signal tests
media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
filemap: Fix bounds checking in filemap_read()
fs/proc: fix compile warning about variable 'vmcore_mmap_ops'
signal: restore the override_rlimit logic
usb: musb: sunxi: Fix accessing an released usb phy
usb: dwc3: fix fault at system suspend if device was already runtime suspended
usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()
USB: serial: io_edgeport: fix use after free in debug printk
USB: serial: qcserial: add support for Sierra Wireless EM86xx
USB: serial: option: add Fibocom FG132 0x0112 composition
USB: serial: option: add Quectel RG650V
irqchip/gic-v3: Force propagation of the active state with a read-back
ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()
ucounts: fix counter leak in inc_rlimit_get_ucounts()
ASoC: amd: yc: fix internal mic on Xiaomi Book Pro 14 2022
net: sched: use RCU read-side critical section in taprio_dump()
hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
media: amphion: Fix VPU core alias name
Linux 6.1.117
Change-Id: Ib8a7f11f5567a9ab25f77bdf672338f1ac116853
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Similar to how we failed to cross-check the state from the completer's
PoV on the hyp_ack_unshare() path, we fail to do so from
host_ack_unshare().
This shouldn't cause problems in practice as this can only be called on
the guest_unshare_host() path, and guest currently don't have the
ability to share their pages with anybody other than the host. But this
again is rather fragile, so let's simply do the proper check -- it isn't
very costly thanks to the hyp_vmemmap optimisation.
Bug: 381409114
Change-Id: I3770b7db55c579758863e41f50ab30f6a8bb4a0c
Signed-off-by: Quentin Perret <qperret@google.com>
There are multiple pKVM memory transitions where the state of a page is
not cross-checked from the completer's PoV for performance reasons.
For example, if a page is PKVM_PAGE_OWNED from the initiator's PoV,
we should be guaranteed by construction that it is PKVM_NOPAGE for
everybody else, hence allowing us to save a page-table lookup.
When it was introduced, hyp_ack_unshare() followed that logic and bailed
out without checking the PKVM_PAGE_SHARED_BORROWED state in the
hypervisor's stage-1. This was correct as we could safely assume that
all host-initiated shares were directed at the hypervisor at the time.
But with the introduction of other types of shares (e.g. for FF-A or
non-protected guests), it is now very much required to cross check this
state to prevent the host from running __pkvm_host_unshare_hyp() on a
page shared with TZ or a non-protected guest.
Thankfully, if an attacker were to try this, the hyp_unmap() call from
hyp_complete_unshare() would fail, hence causing to WARN() from
__do_unshare() with the host lock held, which is fatal. But this is
fragile at best, and can hardly be considered a security measure.
Let's just do the right thing and always check the state from
hyp_ack_unshare().
Bug: 381409114
Link: https://lore.kernel.org/kvmarm/20241128154406.602875-1-qperret@google.com/
Change-Id: Id3bbd1fc3c75df506b0919f4d6f7be74b6f013f3
Signed-off-by: Quentin Perret <qperret@google.com>
Changes in 6.1.116
cpufreq: Generalize of_perf_domain_get_sharing_cpumask phandle format
cpufreq: Avoid a bad reference count on CPU node
selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test
mm: remove kern_addr_valid() completely
fs/proc/kcore: avoid bounce buffer for ktext data
fs/proc/kcore: convert read_kcore() to read_kcore_iter()
fs/proc/kcore: reinstate bounce buffer for KCORE_TEXT regions
fs/proc/kcore.c: allow translation of physical memory addresses
cgroup: Fix potential overflow issue when checking max_depth
wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd()
mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING
wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys
wifi: ath11k: Fix invalid ring usage in full monitor mode
wifi: brcm80211: BRCM_TRACING should depend on TRACING
RDMA/cxgb4: Dump vendor specific QP details
RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down
RDMA/bnxt_re: synchronize the qp-handle table array
wifi: iwlwifi: mvm: disconnect station vifs if recovery failed
wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()
ASoC: cs42l51: Fix some error handling paths in cs42l51_probe()
macsec: Fix use-after-free while sending the offloading packet
net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data
ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow()
gtp: allow -1 to be specified as file description from userspace
net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write()
bpf: Fix out-of-bounds write in trie_get_next_key()
netfilter: Fix use-after-free in get_info()
netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()
Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs
net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension
mlxsw: spectrum_ptp: Add missing verification before pushing Tx header
mlxsw: spectrum_router: Add support for double entry RIFs
mlxsw: spectrum_ipip: Rename Spectrum-2 ip6gre operations
mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address
netfilter: nft_payload: sanitize offset and length before calling skb_checksum()
iomap: convert iomap_unshare_iter to use large folios
iomap: improve shared block detection in iomap_unshare_iter
iomap: don't bother unsharing delalloc extents
iomap: share iomap_unshare_iter predicate code with fsdax
fsdax: remove zeroing code from dax_unshare_iter
fsdax: dax_unshare_iter needs to copy entire blocks
iomap: turn iomap_want_unshare_iter into an inline function
compiler-gcc: be consistent with underscores use for `no_sanitize`
compiler-gcc: remove attribute support check for `__no_sanitize_address__`
kasan: Fix Software Tag-Based KASAN with GCC
firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state()
afs: Automatically generate trace tag enums
afs: Fix missing subdir edit when renamed between parent dirs
ACPI: CPPC: Make rmw_lock a raw_spin_lock
fs/ntfs3: Check if more than chunk-size bytes are written
fs/ntfs3: Fix warning possible deadlock in ntfs_set_state
fs/ntfs3: Stale inode instead of bad
fs/ntfs3: Fix possible deadlock in mi_read
fs/ntfs3: Additional check in ni_clear()
scsi: scsi_transport_fc: Allow setting rport state to current state
net: amd: mvme147: Fix probe banner message
NFS: remove revoked delegation from server's delegation list
misc: sgi-gru: Don't disable preemption in GRU driver
usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler
usb: gadget: dummy_hcd: Set transfer interval to 1 microframe
usb: gadget: dummy_hcd: execute hrtimer callback in softirq context
USB: gadget: dummy-hcd: Fix "task hung" problem
ALSA: usb-audio: Add quirks for Dell WD19 dock
usbip: tools: Fix detach_port() invalid port error path
usb: phy: Fix API devm_usb_put_phy() can not release the phy
usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes()
xhci: Fix Link TRB DMA in command ring stopped completion event
xhci: Use pm_runtime_get to prevent RPM on unsupported systems
Revert "driver core: Fix uevent_show() vs driver detach race"
wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower
wifi: ath10k: Fix memory leak in management tx
wifi: cfg80211: clear wdev->cqm_config pointer on free
wifi: iwlegacy: Clear stale interrupts before resuming device
staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg()
iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr()
iio: light: veml6030: fix microlux value calculation
nilfs2: fix potential deadlock with newly created symlinks
block: fix sanity checks in blk_rq_map_user_bvec
cgroup/bpf: use a dedicated workqueue for cgroup bpf destruction
riscv: vdso: Prevent the compiler from inserting calls to memset()
ALSA: hda/realtek: Limit internal Mic boost on Dell platform
riscv: efi: Set NX compat flag in PE/COFF header
riscv: Use '%u' to format the output of 'cpu'
riscv: Remove unused GENERATING_ASM_OFFSETS
riscv: Remove duplicated GET_RM
cxl/acpi: Move rescan to the workqueue
cxl/port: Fix cxl_bus_rescan() vs bus_rescan_devices()
mm/page_alloc: rename ALLOC_HIGH to ALLOC_MIN_RESERVE
mm/page_alloc: treat RT tasks similar to __GFP_HIGH
mm/page_alloc: explicitly record high-order atomic allocations in alloc_flags
mm/page_alloc: explicitly define what alloc flags deplete min reserves
mm/page_alloc: explicitly define how __GFP_HIGH non-blocking allocations accesses reserves
mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves
ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow
mctp i2c: handle NULL header address
ALSA: hda/realtek: Fix headset mic on TUXEDO Stellaris 16 Gen6 mb1
nvmet-auth: assign dh_key to NULL after kfree_sensitive
kasan: remove vmalloc_percpu test
io_uring: rename kiocb_end_write() local helper
fs: create kiocb_{start,end}_write() helpers
io_uring: use kiocb_{start,end}_write() helpers
io_uring/rw: fix missing NOWAIT check for O_DIRECT start write
mm: migrate: try again if THP split is failed due to page refcnt
migrate: convert unmap_and_move() to use folios
migrate: convert migrate_pages() to use folios
mm/migrate.c: stop using 0 as NULL pointer
migrate_pages: organize stats with struct migrate_pages_stats
migrate_pages: separate hugetlb folios migration
migrate_pages: restrict number of pages to migrate in batch
migrate_pages: split unmap_and_move() to _unmap() and _move()
vmscan,migrate: fix page count imbalance on node stats when demoting pages
io_uring: always lock __io_cqring_overflow_flush
x86/bugs: Use code segment selector for VERW operand
wifi: mac80211: fix NULL dereference at band check in starting tx ba session
nilfs2: fix kernel bug due to missing clearing of checked flag
wifi: iwlwifi: mvm: fix 6 GHz scan construction
mm: shmem: fix data-race in shmem_getattr()
LoongArch: Fix build errors due to backported TIMENS
mtd: spi-nor: winbond: fix w25q128 regression
drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing
drm/amd/display: Skip on writeback when it's not applicable
vt: prevent kernel-infoleak in con_font_get()
mm: avoid gcc complaint about pointer casting
migrate_pages_batch: fix statistics for longterm pin retry
Linux 6.1.116
Change-Id: Iaffbf84fc3f7e545b5a8d2956b3c57df84abdab4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Steps on the way to 6.1.116
Resolves merge conflicts in:
mm/page_alloc.c
Change-Id: Ia976acbcca01bc21d497c9c1a9a5ba791a39c593
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
After enable 16K page size, an infinite loop may occur in
fiemap (fm_length=UINT64_MAX) on a file, such as the 16KB
scratch.img during the remount operation in Android.
The condition for whether fiemap continues to map is to check
whether the number of bytes corresponding to the next map.m_lblk
exceeds blks_to_bytes(inode,max_inode_blocks(inode)) if there are HOLE.
The latter does not take into account the maximum size of a file with 16KB
page size, so the loop cannot be jumped out.
The following is the fail trace:
When f2fs_map_blocks reaches map.m_lblk=3936, it needs to go to the
first direct node block, so the map is 3936 + 4090 = 8026,
The next map is the second direct node block, that is,
8026 + 4090 = 12116,
The next map is the first indirect node block, that is,
12116 + 4090 * 4090 = 16740216,
The next map is the second indirect node block, that is,
16740216 + 4090 * 4090 = 33468316,
The next map is the first double indirect node block, that is,
33468316 + 4090 * 4090 * 4090 = 68451397316
Since map.m_lblk represents the address of a block, which is 32
bits, truncation will occur, that is, 68451397316 becomes
4026887876, and the number of bytes corresponding to the block
number does not exceed blks_to_bytes(inode,max_inode_blocks(inode)),
so the loop will not be jumped out.
The next time, it will be considered that it should still be a
double indirect node block, that is,
4026887876 + 4090 * 4090 * 4090 = 72444816876, which will be
truncated to 3725340140, and the loop will not be jumped out.
156.374871: f2fs_map_blocks: dev = (254,57), ino = 7449, file offset = 0, start blkaddr = 0x8e00, len = 0x200, flags = 2,seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0
156.374916: f2fs_map_blocks: dev = (254,57), ino = 7449, file offset = 512, start blkaddr = 0x0, len = 0x0, flags = 0 , seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0
156.374920: f2fs_map_blocks: dev = (254,57), ino = 7449, file offset = 513, start blkaddr = 0x0, len = 0x0, flags = 0, seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0
......
156.385747: f2fs_map_blocks: dev = (254,57), ino = 7449, file offset = 3935, start blkaddr = 0x0, len = 0x0, flags = 0, seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0
156.385752: f2fs_map_blocks: dev = (254,57), ino = 7449, file offset = 3936, start blkaddr = 0x0, len = 0x0, flags = 0, seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0
156.385755: f2fs_map_blocks: dev = (254,57), ino = 7449, file offset = 8026, start blkaddr = 0x0, len = 0x0, flags = 0, seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0
156.385758: f2fs_map_blocks: dev = (254,57), ino = 7449, file offset = 12116, start blkaddr = 0x0, len = 0x0, flags = 0, seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0
156.385761: f2fs_map_blocks: dev = (254,57), ino = 7449, file offset = 16740216, start blkaddr = 0x0, len = 0x0, flags = 0, seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0
156.385764: f2fs_map_blocks: dev = (254,57), ino = 7449, file offset = 33468316, start blkaddr = 0x0, len = 0x0, flags = 0, seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0
156.385767: f2fs_map_blocks: dev = (254,57), ino = 7449, file offset = 4026887876, start blkaddr = 0x0, len = 0x0, flags = 0, seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0
156.385770: f2fs_map_blocks: dev = (254,57), ino = 7449, file offset = 3725340140, start blkaddr = 0x0, len = 0x0, flags = 0, seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0
156.385772: f2fs_map_blocks: dev = (254,57), ino = 7449, file offset = 4026887876, start blkaddr = 0x0, len = 0x0, flags = 0, seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0
156.385775: f2fs_map_blocks: dev = (254,57), ino = 7449, file offset = 3725340140, start blkaddr = 0x0, len = 0x0, flags = 0, seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0
Commit a6a010f5def5 ("f2fs: Restrict max filesize for 16K f2fs")
has set the maximum allowed file size to (U32_MAX + 1) * F2FS_BLKSIZE,
so max_file_blocks should be used here to limit it, that is,
maxbytes defined above. And the max_inode_blocks function is not
called by other functions except here, so cleanup it.
Signed-off-by: Xiuhong Wang <xiuhong.wang@unisoc.com>
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit a7a7c1d423a6351a6541e95c797da5358e5ad1ea)
Bug: 375052311
Test: fiemap_writer_test --gtest_filter=FiemapWriterTest.CreateUnalignedFile
Signed-off-by: Daniel Rosenberg <drosen@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:fffd1d38a4e6b678e915859b77b50fe207ac0613)
Merged-In: I9ac9e56550716bd118c832e5e092792b7d231097
Change-Id: I9ac9e56550716bd118c832e5e092792b7d231097
[ Upstream commit 2e95c4384438adeaa772caa560244b1a2efef816 ]
In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed
to be either root or ingress. This assumption is bogus since it's valid
to create egress qdiscs with major handle ffff:
Budimir Markovic found that for qdiscs like DRR that maintain an active
class list, it will cause a UAF with a dangling class pointer.
In 066a3b5b23, the concern was to avoid iterating over the ingress
qdisc since its parent is itself. The proper fix is to stop when parent
TC_H_ROOT is reached because the only way to retrieve ingress is when a
hierarchy which does not contain a ffff: major handle call into
qdisc_lookup with TC_H_MAJ(TC_H_ROOT).
In the scenario where major ffff: is an egress qdisc in any of the tree
levels, the updates will also propagate to TC_H_ROOT, which then the
iteration must stop.
Fixes: 066a3b5b23 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Suggested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Tested-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
net/sched/sch_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Simon Horman <horms@kernel.org>
Bug: 377197048
Link: https://patch.msgid.link/20241024165547.418570-1-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 597cf9748c)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I4ef8bee1095f7c51e4d458b25cd331018188b3d6
In f2fs_do_write_data_page, when the data block is NULL_ADDR, it skips
writepage considering that it has been already truncated.
This results in an infinite loop as the PAGECACHE_TAG_TOWRITE tag is not
cleared during the writeback process for a compressed file including
NULL_ADDR in compress_mode=user.
This is the reproduction process:
1. dd if=/dev/zero bs=4096 count=1024 seek=1024 of=testfile
2. f2fs_io compress testfile
3. dd if=/dev/zero bs=4096 count=1 conv=notrunc of=testfile
4. f2fs_io decompress testfile
To prevent the problem, let's check whether the cluster is fully
allocated before redirty its pages.
Bug: 325092012
Fixes: 5fdb322ff2 ("f2fs: add F2FS_IOC_DECOMPRESS_FILE and F2FS_IOC_COMPRESS_FILE")
Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
Reviewed-by: Sunmin Jeong <s_min.jeong@samsung.com>
Tested-by: Jaewook Kim <jw5454.kim@samsung.com>
Change-Id: I0abb6bca0bb227f4f895c59e28b47b203ba0f280
Signed-off-by: Yeongjin Gil <youngjin.gil@samsung.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit f785cec298c95d00058560c0715233294a04b8f3)
f2fs won't compress non-full cluster in tail of file, let's skip
dirtying and rewrite such cluster during f2fs_ioc_{,de}compress_file.
Bug: 325092012
Change-Id: I88e6b431b27b4768a312e0977ebe1c9e9cc23600
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 025b3602b5)
This patch allows f2fs_ioc_{,de}compress_file() to be interrupted, so that,
userspace won't be blocked when manual {,de}compression on large file is
interrupted by signal.
Bug: 325092012
Change-Id: I020026926732b184f227621cd64506dae92a00a1
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 3a2c0e55f9)
This patch covers sanity check logic on cluster w/ CONFIG_F2FS_CHECK_FS,
otherwise, there will be performance regression while querying cluster
mapping info.
Callers of f2fs_is_compressed_cluster() only care about whether cluster
is compressed or not, rather than # of valid blocks in compressed cluster,
so, let's adjust f2fs_is_compressed_cluster()'s logic according to
caller's requirement.
Bug: 325092012
Change-Id: Ie3ddef60c5a3cdb2b18b0261f7188d39b7147935
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 2aaea533bf063ed3b442df5fe5f6abfc538054c9)
Fix to support SEEK_DATA and SEEK_HOLE for compression files
Bug: 325092012
Change-Id: Iba62c53e634682205f84c8dc3566ab8df9079158
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit a94c7fded76bfd1a061deae7be80fedbfa26774e)
The tooling is configured to block any changes that has a chance to
break ABI, including the possibly safe:
* replacement of ANDROID_KABI_RESERVE with ANDROID_KABI_USE
* changes to internal structures that are not accessible to modules
* addition of enumerators
These changes are difficult for the tooling to identify as definitively
non-breaking, therefore, a human reviewer must check the change and
approve it as non-breaking.
This change adds a file to record the approval with the change that was
marked as breaking. This allows the tooling to:
* unblock presubmits for the change
* don't block presubmits when it is cherry-picked to another branch
* filter compatibility reports between a release branch and a tip of the
development branch it was forked from
The file is prefilled with all breaks that happened from the KMI freeze.
Bug: 365521273
Change-Id: I63fbed5c364cb8c7bd149bf40d084d3d87533bf7
Signed-off-by: Aleksei Vetrov <vvvvvv@google.com>
Add hook to record the reason for calling hw_protection_shutdown
Bug: 380204228
Bug: 334006616
Change-Id: I9dce8056693c96f1d5f1fab9af02a2e68ed6ab91
Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com>
(cherry picked from commit 70e95a10a553c0c530694b8939d25fbb984647d0)
Add the pending proc->delivered_freeze work to the debugfs output. This
information was omitted in the original implementation of the freeze
notification and can be valuable for debugging issues.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-9-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit cb2aeb2ec25884133110ffe5a67ff3cf7dee5ceb
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: Ifc9a22b52e38c35af661732486fa1f154adb34de
[cmllamas: fix KMI break with proc_wrapper()]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
If a freeze notification is cleared with BC_CLEAR_FREEZE_NOTIFICATION
before calling binder_freeze_notification_done(), then it is detached
from its reference (e.g. ref->freeze) but the work remains queued in
proc->delivered_freeze. This leads to a memory leak when the process
exits as any pending entries in proc->delivered_freeze are not freed:
unreferenced object 0xffff38e8cfa36180 (size 64):
comm "binder-util", pid 655, jiffies 4294936641
hex dump (first 32 bytes):
b8 e9 9e c8 e8 38 ff ff b8 e9 9e c8 e8 38 ff ff .....8.......8..
0b 00 00 00 00 00 00 00 3c 1f 4b 00 00 00 00 00 ........<.K.....
backtrace (crc 95983b32):
[<000000000d0582cf>] kmemleak_alloc+0x34/0x40
[<000000009c99a513>] __kmalloc_cache_noprof+0x208/0x280
[<00000000313b1704>] binder_thread_write+0xdec/0x439c
[<000000000cbd33bb>] binder_ioctl+0x1b68/0x22cc
[<000000002bbedeeb>] __arm64_sys_ioctl+0x124/0x190
[<00000000b439adee>] invoke_syscall+0x6c/0x254
[<00000000173558fc>] el0_svc_common.constprop.0+0xac/0x230
[<0000000084f72311>] do_el0_svc+0x40/0x58
[<000000008b872457>] el0_svc+0x38/0x78
[<00000000ee778653>] el0t_64_sync_handler+0x120/0x12c
[<00000000a8ec61bf>] el0t_64_sync+0x190/0x194
This patch fixes the leak by ensuring that any pending entries in
proc->delivered_freeze are freed during binder_deferred_release().
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-8-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit 1db76ec2b4b206ff943e292a0b55e68ff3443598
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: Iafdec3421c521b4b591b94455deba7ee5102c8ca
[cmllamas: drop BINDER_STAT_FREEZE and use proc_wrapper()]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Add hooks to capture various per-zone memory stats when
a trigger threshold is hit.
Bug: 379593530
Change-Id: Ia748b9525da3996366802f536e66eaa35af4416e
Signed-off-by: Jing Wei <jing.wei5@transsion.com>
Greg Kroah-Hartman