This reverts commit 1bb8a65190.
It breaks the Android kernel abi, but will be brought in through a
different branch to ensure it ends up in the tree properly.
Bug: 161946584
Change-Id: I68007ae6d5eb0aaebd76817b9f53110eed86b597
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Changes in 5.15.115
power: supply: bq27xxx: expose battery data when CI=1
power: supply: bq27xxx: Move bq27xxx_battery_update() down
power: supply: bq27xxx: Ensure power_supply_changed() is called on current sign changes
power: supply: bq27xxx: After charger plug in/out wait 0.5s for things to stabilize
power: supply: core: Refactor power_supply_set_input_current_limit_from_supplier()
power: supply: bq24190: Call power_supply_changed() after updating input current
bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps
net/mlx5: devcom only supports 2 ports
net/mlx5e: Fix deadlock in tc route query code
net/mlx5: Devcom, serialize devcom registration
platform/x86: ISST: PUNIT device mapping with Sub-NUMA clustering
platform/x86: ISST: Remove 8 socket limit
net: phy: mscc: enable VSC8501/2 RGMII RX clock
net: dsa: introduce helpers for iterating through ports using dp
net: dsa: mt7530: rework mt753[01]_setup
net: dsa: mt7530: split-off common parts from mt7531_setup
net: dsa: mt7530: fix network connectivity with multiple CPU ports
Bonding: add arp_missed_max option
bonding: fix send_peer_notif overflow
binder: fix UAF caused by faulty buffer cleanup
irqchip/mips-gic: Get rid of the reliance on irq_cpu_online()
irqchip/mips-gic: Use raw spinlock for gic_lock
net/mlx5e: Fix SQ wake logic in ptp napi_poll context
xdp: Allow registering memory model without rxq reference
net: page_pool: use in_softirq() instead
page_pool: fix inconsistency for page_pool_ring_[un]lock()
irqchip/mips-gic: Don't touch vl_map if a local interrupt is not routable
xdp: xdp_mem_allocator can be NULL in trace_mem_connect().
bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
Revert "binder_alloc: add missing mmap_lock calls when using the VMA"
Revert "android: binder: stop saving a pointer to the VMA"
binder: add lockless binder_alloc_(set|get)_vma()
binder: fix UAF of alloc->vma in race with munmap()
ipv{4,6}/raw: fix output xfrm lookup wrt protocol
netfilter: ctnetlink: Support offloaded conntrack entry deletion
Linux 5.15.115
Change-Id: I04ebd85160057dcc604a7b2b13f7fdadc08329ac
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This catches the -lts branch up with all of the recent changes that have
gone into the non-lts branch, INCLUDING the ABI update which we want
here to ensure that we do NOT break any newly added dependent symbols
(and to bring back in the reverts that were required before the ABI
break).
This includes the following commits:
1463dca508 ANDROID: 6/16/2023 KMI update
61d1582c93 UPSTREAM: tipc: check the bearer min mtu properly when setting it by netlink
5b20b206c4 UPSTREAM: tipc: do not update mtu if msg_max is too small in mtu negotiation
b288e3eb9a UPSTREAM: tipc: add tipc_bearer_min_mtu to calculate min mtu
63225f30d6 UPSTREAM: ASoC: fsl_micfil: Fix error handler with pm_runtime_enable
b64f71ac97 UPSTREAM: firmware: arm_sdei: Fix sleep from invalid context BUG
a45af5569a UPSTREAM: uapi/linux/const.h: prefer ISO-friendly __typeof__
18bae38a20 UPSTREAM: sched: Fix DEBUG && !SCHEDSTATS warn
8b4a04dce2 UPSTREAM: sched: Make struct sched_statistics independent of fair sched class
7f1bd76f41 UPSTREAM: platform: Provide a remove callback that returns no value
b529f9de5b ANDROID: GKI: reserve extra arm64 cpucaps for ABI preservation
2ab1955d56 ANDROID: KVM: arm64: Allow setting {P,U}XN in stage-2 PTEs
69e2ba2e16 ANDROID: KVM: arm64: Restrict host-to-hyp MMIO donations
3f060ac3de ANDROID: KVM: arm64: Allow state changes of MMIO pages
57574f0ae2 ANDROID: KVM: arm64: Allow MMIO perm changes from modules
951d15786a ANDROID: KVM: arm64: Don't allocate from handle_host_mem_abort
e609adf5cb ANDROID: KVM: arm64: Donate IOMMU regions to pKVM
1386a01618 ANDROID: KVM: arm64: Map MMIO donation as device at EL2
9debaf482d ANDROID: KVM: arm64: Don't recycle pages from host mem abort
aa4b272b34 ANDROID: KVM: arm64: Pin host stage-2 tables
97877e974b ANDROID: KVM: arm64: Move kvm_pte_follow() to header
76380240a2 ANDROID: KVM: arm64: Pre-populate host stage2
a2b45ad90a ANDROID: KVM: arm64: Fix the host ownership later
d522a07153 ANDROID: KVM: arm64: Don't recycle non-default PTEs
2bad47ce33 ANDROID: KVM: arm64: Introduce kvm_pgtable_stage2_reclaim_leaves
da5b14f0a1 ANDROID: KVM: arm64: Deprecate late pKVM module loading
2c641cfce1 BACKPORT: FROMGIT: usb: core: add sysfs entry for usb device state
61067bd1c2 BACKPORT: usb: xhci: plat: remove error log for failure to get usb-phy
4b219f7fc9 BACKPORT: usb: xhci: plat: Add USB 3.0 phy support
7b23f0d62a UPSTREAM: usb: dwc3: core: add support for realtek SoCs custom's global register start address
2c2c2503ed ANDROID: GKI: Enable CONFIG_RPMSG_CTRL
182ac7a9d9 UPSTREAM: mailbox: mailbox-test: fix a locking issue in mbox_test_message_write()
a6c1ea62c9 UPSTREAM: mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()
ad90aba4d6 UPSTREAM: net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
267d3e1f3f ANDROID: set CONFIG_IKHEADERS=m for gki_defconfig.
c1d1130811 UPSTREAM: usb: gadget: uvc: queue empty isoc requests if no video buffer is available
634ea38c4e ANDROID: Update the ABI symbol list
719fc80624 ANDROID: fs: Add vendor hooks for ep_create_wakeup_source & timerfd_create
4742f48a5a BACKPORT: arm64: Enable KCSAN
d2d27f72cf ANDROID: block: Partially revert "Send requeued requests to the I/O scheduler"
cc244e96d7 Revert "ANDROID: block: Warn if a zoned write is about to be reordered"
Change-Id: Ifb116236a7ed04eaf472d088aa36a470eb6b138d
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 7919af1dcb.
It breaks the Android kernel abi, but will be brought in through a
different branch to ensure it ends up in the tree properly.
Bug: 161946584
Change-Id: I259c54a3c0d6fbaf33cca4978a6aaae413967dc1
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit f191711553.
It breaks the Android kernel abi, but will be brought in through a
different branch to ensure it ends up in the tree properly.
Bug: 161946584
Change-Id: I7393417fd72169adce4460c33e283085dcc86ad5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Set KMI_GENERATION=9 for 6/16 KMI update
variable symbol changed from 'struct static_key_false cpu_hwcap_keys[75]' to 'struct static_key_false cpu_hwcap_keys[95]'
CRC changed from 0xfe9a697c to 0x41aad71d
type changed from 'struct static_key_false[75]' to 'struct static_key_false[95]'
number of elements changed from 75 to 95
function symbol 'struct block_device* I_BDEV(struct inode*)' changed
CRC changed from 0x6ad768b0 to 0x8d400dbd
function symbol 'void* PDE_DATA(const struct inode*)' changed
CRC changed from 0x1b12d990 to 0xc3c38b5c
function symbol 'void __ClearPageMovable(struct page*)' changed
CRC changed from 0x5ed16e08 to 0xf489e5e8
... 3676 omitted; 3679 symbols have only CRC changes
type 'enum cpuhp_state' changed
enumerator 'CPUHP_AP_ARM_SDEI_STARTING' (114) was removed
enumerator 'CPUHP_AP_ARM_VFP_STARTING' value changed from 115 to 114
enumerator 'CPUHP_AP_ARM64_DEBUG_MONITORS_STARTING' value changed from 116 to 115
enumerator 'CPUHP_AP_PERF_ARM_HW_BREAKPOINT_STARTING' value changed from 117 to 116
enumerator 'CPUHP_AP_PERF_ARM_ACPI_STARTING' value changed from 118 to 117
enumerator 'CPUHP_AP_PERF_ARM_STARTING' value changed from 119 to 118
enumerator 'CPUHP_AP_ARM_L2X0_STARTING' value changed from 120 to 119
enumerator 'CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING' value changed from 121 to 120
enumerator 'CPUHP_AP_ARM_ARCH_TIMER_STARTING' value changed from 122 to 121
enumerator 'CPUHP_AP_ARM_GLOBAL_TIMER_STARTING' value changed from 123 to 122
enumerator 'CPUHP_AP_JCORE_TIMER_STARTING' value changed from 124 to 123
enumerator 'CPUHP_AP_ARM_TWD_STARTING' value changed from 125 to 124
enumerator 'CPUHP_AP_QCOM_TIMER_STARTING' value changed from 126 to 125
enumerator 'CPUHP_AP_TEGRA_TIMER_STARTING' value changed from 127 to 126
enumerator 'CPUHP_AP_ARMADA_TIMER_STARTING' value changed from 128 to 127
enumerator 'CPUHP_AP_MARCO_TIMER_STARTING' value changed from 129 to 128
enumerator 'CPUHP_AP_MIPS_GIC_TIMER_STARTING' value changed from 130 to 129
enumerator 'CPUHP_AP_ARC_TIMER_STARTING' value changed from 131 to 130
enumerator 'CPUHP_AP_RISCV_TIMER_STARTING' value changed from 132 to 131
enumerator 'CPUHP_AP_CLINT_TIMER_STARTING' value changed from 133 to 132
enumerator 'CPUHP_AP_CSKY_TIMER_STARTING' value changed from 134 to 133
enumerator 'CPUHP_AP_TI_GP_TIMER_STARTING' value changed from 135 to 134
enumerator 'CPUHP_AP_HYPERV_TIMER_STARTING' value changed from 136 to 135
enumerator 'CPUHP_AP_KVM_STARTING' value changed from 137 to 136
enumerator 'CPUHP_AP_KVM_ARM_VGIC_INIT_STARTING' value changed from 138 to 137
enumerator 'CPUHP_AP_KVM_ARM_VGIC_STARTING' value changed from 139 to 138
enumerator 'CPUHP_AP_KVM_ARM_TIMER_STARTING' value changed from 140 to 139
enumerator 'CPUHP_AP_DUMMY_TIMER_STARTING' value changed from 141 to 140
enumerator 'CPUHP_AP_ARM_XEN_STARTING' value changed from 142 to 141
enumerator 'CPUHP_AP_ARM_CORESIGHT_STARTING' value changed from 143 to 142
enumerator 'CPUHP_AP_ARM_CORESIGHT_CTI_STARTING' value changed from 144 to 143
enumerator 'CPUHP_AP_ARM64_ISNDEP_STARTING' value changed from 145 to 144
enumerator 'CPUHP_AP_SMPCFD_DYING' value changed from 146 to 145
enumerator 'CPUHP_AP_X86_TBOOT_DYING' value changed from 147 to 146
enumerator 'CPUHP_AP_ARM_CACHE_B15_RAC_DYING' value changed from 148 to 147
enumerator 'CPUHP_AP_ONLINE' value changed from 149 to 148
enumerator 'CPUHP_TEARDOWN_CPU' value changed from 150 to 149
enumerator 'CPUHP_AP_ONLINE_IDLE' value changed from 151 to 150
enumerator 'CPUHP_AP_SCHED_WAIT_EMPTY' value changed from 152 to 151
enumerator 'CPUHP_AP_SMPBOOT_THREADS' value changed from 153 to 152
enumerator 'CPUHP_AP_X86_VDSO_VMA_ONLINE' value changed from 154 to 153
enumerator 'CPUHP_AP_IRQ_AFFINITY_ONLINE' value changed from 155 to 154
enumerator 'CPUHP_AP_BLK_MQ_ONLINE' value changed from 156 to 155
enumerator 'CPUHP_AP_ARM_MVEBU_SYNC_CLOCKS' value changed from 157 to 156
enumerator 'CPUHP_AP_X86_INTEL_EPB_ONLINE' value changed from 158 to 157
enumerator 'CPUHP_AP_PERF_ONLINE' value changed from 159 to 158
enumerator 'CPUHP_AP_PERF_X86_ONLINE' value changed from 160 to 159
enumerator 'CPUHP_AP_PERF_X86_UNCORE_ONLINE' value changed from 161 to 160
enumerator 'CPUHP_AP_PERF_X86_AMD_UNCORE_ONLINE' value changed from 162 to 161
enumerator 'CPUHP_AP_PERF_X86_AMD_POWER_ONLINE' value changed from 163 to 162
enumerator 'CPUHP_AP_PERF_X86_RAPL_ONLINE' value changed from 164 to 163
enumerator 'CPUHP_AP_PERF_X86_CQM_ONLINE' value changed from 165 to 164
enumerator 'CPUHP_AP_PERF_X86_CSTATE_ONLINE' value changed from 166 to 165
enumerator 'CPUHP_AP_PERF_X86_IDXD_ONLINE' value changed from 167 to 166
enumerator 'CPUHP_AP_PERF_S390_CF_ONLINE' value changed from 168 to 167
enumerator 'CPUHP_AP_PERF_S390_SF_ONLINE' value changed from 169 to 168
enumerator 'CPUHP_AP_PERF_ARM_CCI_ONLINE' value changed from 170 to 169
enumerator 'CPUHP_AP_PERF_ARM_CCN_ONLINE' value changed from 171 to 170
enumerator 'CPUHP_AP_PERF_ARM_HISI_DDRC_ONLINE' value changed from 172 to 171
enumerator 'CPUHP_AP_PERF_ARM_HISI_HHA_ONLINE' value changed from 173 to 172
enumerator 'CPUHP_AP_PERF_ARM_HISI_L3_ONLINE' value changed from 174 to 173
enumerator 'CPUHP_AP_PERF_ARM_HISI_PA_ONLINE' value changed from 175 to 174
enumerator 'CPUHP_AP_PERF_ARM_HISI_SLLC_ONLINE' value changed from 176 to 175
enumerator 'CPUHP_AP_PERF_ARM_L2X0_ONLINE' value changed from 177 to 176
enumerator 'CPUHP_AP_PERF_ARM_QCOM_L2_ONLINE' value changed from 178 to 177
enumerator 'CPUHP_AP_PERF_ARM_QCOM_L3_ONLINE' value changed from 179 to 178
enumerator 'CPUHP_AP_PERF_ARM_APM_XGENE_ONLINE' value changed from 180 to 179
enumerator 'CPUHP_AP_PERF_ARM_CAVIUM_TX2_UNCORE_ONLINE' value changed from 181 to 180
enumerator 'CPUHP_AP_PERF_POWERPC_NEST_IMC_ONLINE' value changed from 182 to 181
enumerator 'CPUHP_AP_PERF_POWERPC_CORE_IMC_ONLINE' value changed from 183 to 182
enumerator 'CPUHP_AP_PERF_POWERPC_THREAD_IMC_ONLINE' value changed from 184 to 183
enumerator 'CPUHP_AP_PERF_POWERPC_TRACE_IMC_ONLINE' value changed from 185 to 184
enumerator 'CPUHP_AP_PERF_POWERPC_HV_24x7_ONLINE' value changed from 186 to 185
enumerator 'CPUHP_AP_PERF_POWERPC_HV_GPCI_ONLINE' value changed from 187 to 186
enumerator 'CPUHP_AP_PERF_CSKY_ONLINE' value changed from 188 to 187
enumerator 'CPUHP_AP_WATCHDOG_ONLINE' value changed from 189 to 188
enumerator 'CPUHP_AP_WORKQUEUE_ONLINE' value changed from 190 to 189
enumerator 'CPUHP_AP_RANDOM_ONLINE' value changed from 191 to 190
enumerator 'CPUHP_AP_RCUTREE_ONLINE' value changed from 192 to 191
enumerator 'CPUHP_AP_BASE_CACHEINFO_ONLINE' value changed from 193 to 192
enumerator 'CPUHP_AP_ONLINE_DYN' value changed from 194 to 193
enumerator 'CPUHP_AP_ONLINE_DYN_END' value changed from 224 to 223
enumerator 'CPUHP_AP_MM_DEMOTION_ONLINE' value changed from 225 to 224
enumerator 'CPUHP_AP_X86_HPET_ONLINE' value changed from 226 to 225
enumerator 'CPUHP_AP_X86_KVM_CLK_ONLINE' value changed from 227 to 226
enumerator 'CPUHP_AP_DTPM_CPU_ONLINE' value changed from 228 to 227
enumerator 'CPUHP_AP_ACTIVE' value changed from 229 to 228
enumerator 'CPUHP_ANDROID_RESERVED_1' value changed from 230 to 229
enumerator 'CPUHP_ANDROID_RESERVED_2' value changed from 231 to 230
enumerator 'CPUHP_ANDROID_RESERVED_3' value changed from 232 to 231
enumerator 'CPUHP_ANDROID_RESERVED_4' value changed from 233 to 232
enumerator 'CPUHP_ONLINE' value changed from 234 to 233
type 'struct task_struct' changed
byte size changed from 4672 to 4736
5 members ('struct sched_rt_entity rt' .. 'struct uclamp_se uclamp[2]') changed
offset changed by -1536
member 'struct sched_statistics stats' was added
189 members ('struct hlist_head preempt_notifiers' .. 'u64 android_kabi_reserved8') changed
offset changed by 832
member 'struct thread_struct thread' changed
offset changed by 768
type 'struct platform_driver' changed
byte size changed from 240 to 248
member 'void(* remove_new)(struct platform_device*)' was added
7 members ('void(* shutdown)(struct platform_device*)' .. 'u64 android_kabi_reserved1') changed
offset changed by 64
type 'struct sched_entity' changed
byte size changed from 512 to 320
member 'struct sched_statistics statistics' was removed
5 members ('int depth' .. 'unsigned long runnable_weight') changed
offset changed by -1728
5 members ('struct sched_avg avg' .. 'u64 android_kabi_reserved4') changed
offset changed by -1536
type 'struct tipc_bearer' changed
member 'u16 encap_hlen' was added
type 'enum kvm_pgtable_prot' changed
enumerator 'KVM_PGTABLE_PROT_PXN' (32) was added
enumerator 'KVM_PGTABLE_PROT_UXN' (64) was added
Bug: 287162457
Change-Id: Icccb0e4826e7693fdae5c4463be6664db1de421c
Signed-off-by: Carlos Llamas <cmllamas@google.com>
[ Upstream commit 35a089b5d7 ]
Checking the bearer min mtu with tipc_udp_mtu_bad() only works for
IPv4 UDP bearer, and IPv6 UDP bearer has a different value for the
min mtu. This patch checks with encap_hlen + TIPC_MIN_BEARER_MTU
for min mtu, which works for both IPv4 and IPv6 UDP bearer.
Note that tipc_udp_mtu_bad() is still used to check media min mtu
in __tipc_nl_media_set(), as m->mtu currently is only used by the
IPv4 UDP bearer as its default mtu value.
Fixes: 682cd3cf94 ("tipc: confgiure and apply UDP bearer MTU on running links")
Change-Id: I585703598475f2de30353fcc7a96e295fe63549b
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 673cb47989)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 56077b56cd ]
When doing link mtu negotiation, a malicious peer may send Activate msg
with a very small mtu, e.g. 4 in Shuang's testing, without checking for
the minimum mtu, l->mtu will be set to 4 in tipc_link_proto_rcv(), then
n->links[bearer_id].mtu is set to 4294967228, which is a overflow of
'4 - INT_H_SIZE - EMSG_OVERHEAD' in tipc_link_mss().
With tipc_link.mtu = 4, tipc_link_xmit() kept printing the warning:
tipc: Too large msg, purging xmit list 1 5 0 40 4!
tipc: Too large msg, purging xmit list 1 15 0 60 4!
And with tipc_link_entry.mtu 4294967228, a huge skb was allocated in
named_distribute(), and when purging it in tipc_link_xmit(), a crash
was even caused:
general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19
RIP: 0010:kfree_skb_list_reason+0x7e/0x1f0
Call Trace:
<IRQ>
skb_release_data+0xf9/0x1d0
kfree_skb_reason+0x40/0x100
tipc_link_xmit+0x57a/0x740 [tipc]
tipc_node_xmit+0x16c/0x5c0 [tipc]
tipc_named_node_up+0x27f/0x2c0 [tipc]
tipc_node_write_unlock+0x149/0x170 [tipc]
tipc_rcv+0x608/0x740 [tipc]
tipc_udp_recv+0xdc/0x1f0 [tipc]
udp_queue_rcv_one_skb+0x33e/0x620
udp_unicast_rcv_skb.isra.72+0x75/0x90
__udp4_lib_rcv+0x56d/0xc20
ip_protocol_deliver_rcu+0x100/0x2d0
This patch fixes it by checking the new mtu against tipc_bearer_min_mtu(),
and not updating mtu if it is too small.
Fixes: ed193ece26 ("tipc: simplify link mtu negotiation")
Reported-by: Shuang Li <shuali@redhat.com>
Change-Id: I84fb5694b763c1e9d1a93643d849d8d17dbf5cd8
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 575e84d90a)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 3ae6d66b60 ]
As different media may requires different min mtu, and even the
same media with different net family requires different min mtu,
add tipc_bearer_min_mtu() to calculate min mtu accordingly.
This API will be used to check the new mtu when doing the link
mtu negotiation in the next patch.
Change-Id: Ic9917ba5e26138b813dd037d38c52ce7adb3ea03
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 56077b56cd ("tipc: do not update mtu if msg_max is too small in mtu negotiation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 5cf99d5f65)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit d2c48b2387 ]
Running a preempt-rt (v6.2-rc3-rt1) based kernel on an Ampere Altra
triggers:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46
in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 24, name: cpuhp/0
preempt_count: 0, expected: 0
RCU nest depth: 0, expected: 0
3 locks held by cpuhp/0/24:
#0: ffffda30217c70d0 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248
#1: ffffda30217c7120 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248
#2: ffffda3021c711f0 (sdei_list_lock){....}-{3:3}, at: sdei_cpuhp_up+0x3c/0x130
irq event stamp: 36
hardirqs last enabled at (35): [<ffffda301e85b7bc>] finish_task_switch+0xb4/0x2b0
hardirqs last disabled at (36): [<ffffda301e812fec>] cpuhp_thread_fun+0x21c/0x248
softirqs last enabled at (0): [<ffffda301e80b184>] copy_process+0x63c/0x1ac0
softirqs last disabled at (0): [<0000000000000000>] 0x0
CPU: 0 PID: 24 Comm: cpuhp/0 Not tainted 5.19.0-rc3-rt5-[...]
Hardware name: WIWYNN Mt.Jade Server [...]
Call trace:
dump_backtrace+0x114/0x120
show_stack+0x20/0x70
dump_stack_lvl+0x9c/0xd8
dump_stack+0x18/0x34
__might_resched+0x188/0x228
rt_spin_lock+0x70/0x120
sdei_cpuhp_up+0x3c/0x130
cpuhp_invoke_callback+0x250/0xf08
cpuhp_thread_fun+0x120/0x248
smpboot_thread_fn+0x280/0x320
kthread+0x130/0x140
ret_from_fork+0x10/0x20
sdei_cpuhp_up() is called in the STARTING hotplug section,
which runs with interrupts disabled. Use a CPUHP_AP_ONLINE_DYN entry
instead to execute the cpuhp cb later, with preemption enabled.
SDEI originally got its own cpuhp slot to allow interacting
with perf. It got superseded by pNMI and this early slot is not
relevant anymore. [1]
Some SDEI calls (e.g. SDEI_1_0_FN_SDEI_PE_MASK) take actions on the
calling CPU. It is checked that preemption is disabled for them.
_ONLINE cpuhp cb are executed in the 'per CPU hotplug thread'.
Preemption is enabled in those threads, but their cpumask is limited
to 1 CPU.
Move 'WARN_ON_ONCE(preemptible())' statements so that SDEI cpuhp cb
don't trigger them.
Also add a check for the SDEI_1_0_FN_SDEI_PRIVATE_RESET SDEI call
which acts on the calling CPU.
[1]:
https://lore.kernel.org/all/5813b8c5-ae3e-87fd-fccc-94c9cd08816d@arm.com/
Suggested-by: James Morse <james.morse@arm.com>
Change-Id: If68806613938a753ba8113cf3421c545934cf3a2
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
Reviewed-by: James Morse <james.morse@arm.com>
Link: https://lore.kernel.org/r/20230216084920.144064-1-pierre.gondois@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 66caf22787)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 31088f6f79 ]
typeof is (still) a GNU extension, which means that it cannot be used when
building ISO C (e.g. -std=c99). It should therefore be avoided in uapi
headers in favour of the ISO-friendly __typeof__.
Unfortunately this issue could not be detected by
CONFIG_UAPI_HEADER_TEST=y as the __ALIGN_KERNEL() macro is not expanded in
any uapi header.
This matters from a userspace perspective, not a kernel one. uapi
headers and their contents are expected to be usable in a variety of
situations, and in particular when building ISO C applications (with
-std=c99 or similar).
This particular problem can be reproduced by trying to use the
__ALIGN_KERNEL macro directly in application code, say:
int align(int x, int a)
{
return __KERNEL_ALIGN(x, a);
}
and trying to build that with -std=c99.
Link: https://lkml.kernel.org/r/20230411092747.3759032-1-kevin.brodsky@arm.com
Fixes: a79ff731a1 ("netfilter: xtables: make XT_ALIGN() usable in exported headers by exporting __ALIGN_KERNEL()")
Change-Id: I4204df6f16689acb4d0786e3edf2b6ebc457c4e3
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
Reported-by: Ruben Ayrapetyan <ruben.ayrapetyan@arm.com>
Tested-by: Ruben Ayrapetyan <ruben.ayrapetyan@arm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
Cc: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 397eb669da)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 769fdf83df upstream.
When !SCHEDSTATS schedstat_enabled() is an unconditional 0 and the
whole block doesn't exist, however GCC figures the scoped variable
'stats' is unused and complains about it.
Upgrade the warning from -Wunused-variable to -Wunused-but-set-variable
by writing it in two statements. This fixes the build because the new
warning is in W=1.
Given that whole if(0) {} thing, I don't feel motivated to change
things overly much and quite strongly feel this is the compiler being
daft.
Fixes: cb3e971c435d ("sched: Make struct sched_statistics independent of fair sched class")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Change-Id: I3b1f6cc605ae53a43f4a75a8d1a6cf2a947998ea
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 0a008c5098)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit ceeadb83ae ]
If we want to use the schedstats facility to trace other sched classes, we
should make it independent of fair sched class. The struct sched_statistics
is the schedular statistics of a task_struct or a task_group. So we can
move it into struct task_struct and struct task_group to achieve the goal.
After the patch, schestats are orgnized as follows,
struct task_struct {
...
struct sched_entity se;
struct sched_rt_entity rt;
struct sched_dl_entity dl;
...
struct sched_statistics stats;
...
};
Regarding the task group, schedstats is only supported for fair group
sched, and a new struct sched_entity_stats is introduced, suggested by
Peter -
struct sched_entity_stats {
struct sched_entity se;
struct sched_statistics stats;
} __no_randomize_layout;
Then with the se in a task_group, we can easily get the stats.
The sched_statistics members may be frequently modified when schedstats is
enabled, in order to avoid impacting on random data which may in the same
cacheline with them, the struct sched_statistics is defined as cacheline
aligned.
As this patch changes the core struct of scheduler, so I verified the
performance it may impact on the scheduler with 'perf bench sched
pipe', suggested by Mel. Below is the result, in which all the values
are in usecs/op.
Before After
kernel.sched_schedstats=0 5.2~5.4 5.2~5.4
kernel.sched_schedstats=1 5.3~5.5 5.3~5.5
[These data is a little difference with the earlier version, that is
because my old test machine is destroyed so I have to use a new
different test machine.]
Almost no impact on the sched performance.
No functional change.
[lkp@intel.com: reported build failure in earlier version]
Change-Id: I3df219ae37b431796057e380098afa7f6bb2bc63
Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Mel Gorman <mgorman@suse.de>
Link: https://lore.kernel.org/r/20210905143547.4668-3-laoar.shao@gmail.com
Stable-dep-of: 39afe5d6fc ("sched/fair: Fix inaccurate tally of ttwu_move_affine")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c3b9f95598)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 5c5a7680e6 ]
struct platform_driver::remove returning an integer made driver authors
expect that returning an error code was proper error handling. However
the driver core ignores the error and continues to remove the device
because there is nothing the core could do anyhow and reentering the
remove callback again is only calling for trouble.
So this is an source for errors typically yielding resource leaks in the
error path.
As there are too many platform drivers to neatly convert them all to
return void in a single go, do it in several steps after this patch:
a) Convert all drivers to implement .remove_new() returning void instead
of .remove() returning int;
b) Change struct platform_driver::remove() to return void and so make
it identical to .remove_new();
c) Change all drivers back to .remove() now with the better prototype;
d) drop struct platform_driver::remove_new().
While this touches all drivers eventually twice, steps a) and c) can be
done one driver after another and so reduces coordination efforts
immensely and simplifies review.
Change-Id: I35e14b74375e32f1351bfebfa794e2f3fec99776
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20221209150914.3557650-1-u.kleine-koenig@pengutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: c766c90faf ("media: rcar_fdp1: Fix refcount leak in probe and remove function")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit d18789f434)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Over the lifetime of the kernel, new arm64 cpucaps need to be added to
handle errata and other fun stuff. So reserve 20 spots for us to use in
the future as this is an ABI-stable structure that we can not increase
over time without major problems.
Bug: 151154716
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I37bdac374e2570f61ab54919712fd62c7e541e67
FEAT_XNX allows to specify PXN and UXN attributes on stage-2 entries.
Make this usable from pKVM by exposing two new kvm_pgtable_prot entries
for each of them.
No functional changes intended.
Bug: 264070847
Change-Id: I47d861fa64ba511370b182f4609fe1c27695a949
Signed-off-by: Quentin Perret <qperret@google.com>
Nothing currently prevents the donation of an MMIO region to the
hypervisor for backing e.g. guest stage-2 page-tables, tracing buffers,
hyp vm and vcpu metadata, or any other donation to EL2. However, the
only confirmed use-case for MMIO donations are for protecting the IOMMU
registers as well as for vendor module usage.
Restrict the donation of MMIO regions to these two paths only by
introducing a new helper function.
Bug: 264070847
Change-Id: I914508fb3e3547fcfabca8557bdf7948cb796099
Signed-off-by: Quentin Perret <qperret@google.com>
We've historically disallowed state changes for MMIO pages -- the host
had sole ownership of all of them. However, changing the state of those
pages has clearly become a goal both to support vendor extensions to
the hypervisor, as well as to support device assignment in the longer
term. To pave the way towards this support, let's allow certain state
transitions for MMIO pages.
Bug: 264070847
Change-Id: I9803b572c90d8a694c3d43a0ee0d7b4f4124fe4a
Signed-off-by: Quentin Perret <qperret@google.com>
We now allow donations of MMIO ranges, let's also allow modules to
change host stage-2 permissions.
Bug: 264070847
Change-Id: Ia72678bb27559d9a7963dbc5ffb5a101efcbbad2
Signed-off-by: Quentin Perret <qperret@google.com>
There shouldn't be any reason to ever need allocating from the host
stage-2 pool during mem aborts now that the base page-table structure
is pinned. To prevent future regressions in this area, introduce a new
sanity check that will warn when hyp_page_alloc() is used from the mem
wrong paths.
Bug: 264070847
Change-Id: I7a7c606fe01558790e4ffcd3534f8976caf48bd0
Signed-off-by: Quentin Perret <qperret@google.com>
The MMIO register space for IOMMUs controlled by the hypervisor is
currently unmapped from the host stage-2, and we rely on the host abort
path to not accidentally map them. However, this approach becomes
increasingly difficult to maintain as we introduce support for donating
MMIO regions and not just memory -- nothing prevents the host from
donating a protected MMIO register to another entity for example.
Now that MMIO donations are possible, let's use the proper
host-donate-hyp machinery to implement this. As a nice side effect, this
guarantees the host stage-2 page-table is annotated with hyp ownership
for those IOMMU regions, which guarantees the core range alignment
feature in the host mem abort parth will do the right thing without
requiring a second pass in the IOMMU code. This also turns the host
stage-2 PTEs into "non-default" entries, hence avoiding issues with the
coallescing code looking forward.
Bug: 264070847
Change-Id: I1fad1b1be36f3b654190a912617e780141945a8f
Signed-off-by: Quentin Perret <qperret@google.com>
We now support donations of MMIO ranges to the hypervisor. Make sure to
update the donation logic to correctly map these pages with device
mappings.
Bug: 264070847
Change-Id: I36558f05ed47d1e3dc06e4e24151241474b4ff77
Signed-off-by: Quentin Perret <qperret@google.com>
We're now guaranteed by construction to not require structural changes
to the host stage-2 page-table from the host memory abort path, so let's
use the low-level __host_stage2_idmap() function directly instead of the
higher-level wrapper that attempts page recycling when running out of
memory.
Bug: 264070847
Change-Id: I2db34777386931bfb3f93ea3b3e51e1e2a10ea79
Signed-off-by: Quentin Perret <qperret@google.com>
Now that the host stage-2 page-table is entirely pre-populated in
__pkvm_init_finalize(), we know that by the end of this function, the
structure of the page-table will remain stable until the host calls in
the hypervisor to require e.g. a page-table changes (by e.g. running a
guest). This does not necessarily mean that no host mem aborts will
occur -- there may be null PTEs in the host stage-2 due to collapsed
block mappings from fix_host_ownership() for example -- but all those
aborts should be trivially handled without requiring structural changes
to the page-table. This has the nice side effect of guaranteeing that
host_mem_abort() will not allocate from the host stage-2 pool. In order
to ensure this desirable property is retained for the lifetime of the
system even in the presence of the coalescing feature, let's 'pin' the
structure of the page-table as-is by taking an additional reference
from each table entry.
Bug: 264070847
Change-Id: If870d7485cc38f6ad714901e710287911f111897
Signed-off-by: Quentin Perret <qperret@google.com>
We will soon need to use kvm_pte_follow() from outside pgtable.c, so
move it to the header file as static inline.
Bug: 264070847
Change-Id: I319dff1b352a4acd8d9a5cc74acb5f1758be358f
Signed-off-by: Quentin Perret <qperret@google.com>
We will soon attempt to avoid any memory allocations from the host mem
abort path. In order to pave the way towards supporting this, let's
pre-populate the host stage-2 for the entire address space using as many
block mappings as possible. Some of these mappings may need to be
collapsed shortly after from fix_host_ownership() for example, so this
doesn't guarantee the absence of memory aborts altogether, but helps
getting the structure of the page-table in the right shape early on.
Bug: 264070847
Change-Id: Ib3ce25c893f779437ce473d64e08e8876870556c
Signed-off-by: Quentin Perret <qperret@google.com>
The fix_host_ownership() path walks the hypervisor's stage-1 page-table
to adjust the host's stage-2 accordingly. However, this is done before
the hyp stage-1 refcount has been fixed up, and before the hyp percpu
fixmap has been created. This all works right now as we start off with
an empty host stage-2, so none of the changes require the usage of the
fixmap for e.g. CMOs.
To prepare the ground for doing fix_host_ownership() with a non-empty
page-table, finalize the hyp stage-1 upfront.
Bug: 264070847
Change-Id: I6aff3ac2f835be3fb3fba7660540c0a9b99c097d
Signed-off-by: Quentin Perret <qperret@google.com>
When recycling host stage-2 page-table pages, we currenly blindly
unmap all 'non-moveable' regions. To prepare the ground for allowing the
mapping of those regions with non-default attributes, let's switch to
using the recently introduced kvm_pgtable_stage2_reclaim_leaf() helper
which will only reclaim pages containing PTEs with default attributes.
Bug: 264070847
Change-Id: I4a441a20abe84d2405efcfa403908078c10be841
Signed-off-by: Quentin Perret <qperret@google.com>
We will soon improve the mechanism by which the host's stage-2
page-table pages are recycled whenever its pool runs out of pages. To
prepare thecground for this, introduce a new helper function in the
page-table code allowing to reclaim leaf pages that don't hold counted
PTEs.
Bug: 264070847
Change-Id: Ie172bf11f2980e45bc908002368759f74f42d195
Signed-off-by: Quentin Perret <qperret@google.com>
Previously it was possible to load a pKVM module after the userspace has
started, leaving on the modules the task of disabling the feature
(__pkvm_close_module_registration HVC).
Depreacte this way of loading modules in favor of the pre-userspace
loading via the cmdline kvm-arm.protected_modules=<module1>,<module2>.
Bug: 254835242
Change-Id: I38eef46b1482ff03af610b3b5d21b3ebfadda59b
Signed-off-by: Vincent Donnefort <vdonnefort@google.com>
[ qperret: fixed trivial conflict in nvhe/iommu.c due to aosp/2571370 ]
Signed-off-by: Quentin Perret <qperret@google.com>
Changes in 5.15.114
usb: gadget: Properly configure the device for remote wakeup
usb: dwc3: fix gadget mode suspend interrupt handler issue
dt-bindings: ata: ahci-ceva: convert to yaml
dt-bindings: ata: ahci-ceva: Cover all 4 iommus entries
watchdog: sp5100_tco: Immediately trigger upon starting.
ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15
spi: fsl-spi: Re-organise transfer bits_per_word adaptation
spi: fsl-cpm: Use 16 bit mode for large transfers with even size
ocfs2: Switch to security_inode_init_security()
arm64: Also reset KASAN tag if page is not PG_mte_tagged
ALSA: hda/ca0132: add quirk for EVGA X299 DARK
ALSA: hda: Fix unhandled register update during auto-suspend period
ALSA: hda/realtek: Enable headset onLenovo M70/M90
mmc: sdhci-esdhc-imx: make "no-mmc-hs400" works
ASoC: rt5682: Disable jack detection interrupt during suspend
net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
m68k: Move signal frame following exception on 68020/030
parisc: Handle kgdb breakpoints only in kernel context
parisc: Allow to reboot machine after system halt
gpio: mockup: Fix mode of debugfs files
btrfs: use nofs when cleaning up aborted transactions
dt-binding: cdns,usb3: Fix cdns,on-chip-buff-size type
x86/mm: Avoid incomplete Global INVLPG flushes
selftests/memfd: Fix unknown type name build failure
parisc: Fix flush_dcache_page() for usage from irq context
perf/x86/uncore: Correct the number of CHAs on SPR
x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms
debugobjects: Don't wake up kswapd from fill_pool()
fbdev: udlfb: Fix endpoint check
net: fix stack overflow when LRO is disabled for virtual interfaces
udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().
USB: core: Add routines for endpoint checks in old drivers
USB: sisusbvga: Add endpoint checks
media: radio-shark: Add endpoint checks
ASoC: lpass: Fix for KASAN use_after_free out of bounds
net: fix skb leak in __skb_tstamp_tx()
selftests: fib_tests: mute cleanup error message
octeontx2-pf: Fix TSOv6 offload
bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields
ipv6: Fix out-of-bounds access in ipv6_find_tlv()
cifs: mapchars mount option ignored
power: supply: leds: Fix blink to LED on transition
power: supply: mt6360: add a check of devm_work_autocancel in mt6360_charger_probe
power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition
power: supply: bq27xxx: Fix I2C IRQ race on remove
power: supply: bq27xxx: Fix poll_interval handling and races on remove
power: supply: bq27xxx: Add cache parameter to bq27xxx_battery_current_and_status()
power: supply: sbs-charger: Fix INHIBITED bit for Status reg
firmware: arm_ffa: Check if ffa_driver remove is present before executing
firmware: arm_ffa: Fix FFA device names for logical partitions
fs: fix undefined behavior in bit shift for SB_NOUSER
regulator: pca9450: Fix BUCK2 enable_mask
coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet()
xen/pvcalls-back: fix double frees with pvcalls_new_active_socket()
x86/show_trace_log_lvl: Ensure stack pointer is aligned, again
ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg
sctp: fix an issue that plpmtu can never go to complete state
forcedeth: Fix an error handling path in nv_probe()
platform/mellanox: mlxbf-pmc: fix sscanf() error checking
net/mlx5e: do as little as possible in napi poll when budget is 0
net/mlx5: DR, Fix crc32 calculation to work on big-endian (BE) CPUs
net/mlx5: DR, Check force-loopback RC QP capability independently from RoCE
net/mlx5: Fix error message when failing to allocate device memory
net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device
arm64: dts: imx8mn-var-som: fix PHY detection bug by adding deassert delay
firmware: arm_ffa: Set reserved/MBZ fields to zero in the memory descriptors
regulator: mt6359: add read check for PMIC MT6359
3c589_cs: Fix an error handling path in tc589_probe()
net: phy: mscc: add VSC8502 to MODULE_DEVICE_TABLE
Linux 5.15.114
Change-Id: Id1e4400f1ebeb6b72fb01fb1093dc807d8a9acc3
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
In commit 392a06f965 ("Bluetooth: hci_bcm: Fall back to getting bdaddr
from EFI if not set"), a "#include <linux/efi.h>" was added which caused
the CRC generation of some bluetooth symbols to be modified due to some
structures now coming into "scope".
Fix this up by hacking in our favorite __GENKSYMS__ test, which fixes
everything up right and all is calm again.
Bug: 161946584
Fixes: 392a06f965 ("Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set")
Change-Id: I5ddb1d3895f079980c3efd64ae773b91da3ca809
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Expose usb device state to userland as the information is useful in
detecting non-compliant setups and diagnosing enumeration failures.
For example:
- End-to-end signal integrity issues: the device would fail port reset
repeatedly and thus be stuck in POWERED state.
- Charge-only cables (missing D+/D- lines): the device would never enter
POWERED state as the HC would not see any pullup.
What's the status quo?
We do have error logs such as "Cannot enable. Maybe the USB cable is bad?"
to flag potential setup issues, but there's no good way to expose them to
userspace.
Why add a sysfs entry in struct usb_port instead of struct usb_device?
The struct usb_device is not device_add() to the system until it's in
ADDRESS state hence we would miss the first two states. The struct
usb_port is a better place to keep the information because its life
cycle is longer than the struct usb_device that is attached to the port.
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202306042228.e532af6e-oliver.sang@intel.com
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Roy Luo <royluo@google.com>
Message-ID: <20230608015913.1679984-1-royluo@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(Backport conflicts: connector_ops wasn't there in port.c)
Bug: 285199434
(cherry picked from commit 83cb2604f6
https: //git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/ usb-testing)
Signed-off-by: Roy Luo <royluo@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:ce2ae89fb6e5f73ae046aeb039a406ec10e626ba)
Change-Id: I1a0da6686e57be05ef10ae98892599eb37074014
This reverts commit 5cf99d5f65.
It breaks the Android kernel abi, but will be brought in through a
different branch to ensure it ends up in the tree properly.
Bug: 161946584
Change-Id: I2ef502e5e126be33ac37cf124e7bfc7a2e7098f2
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 575e84d90a.
It breaks the Android kernel abi, but will be brought in through a
different branch to ensure it ends up in the tree properly.
Bug: 161946584
Change-Id: Ia606733632cba7b98183f09559e6f561653e5733
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 673cb47989.
It breaks the Android kernel abi, but will be brought in through a
different branch to ensure it ends up in the tree properly.
Bug: 161946584
Change-Id: I97b5bb9a4c40c5cdf1f20b612782917e166fbe8c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 66caf22787.
It breaks the Android kernel abi, but will be brought in through a
different branch to ensure it ends up in the tree properly.
Bug: 161946584
Change-Id: I65e8ac1f57e138b38ba4e56a6595925e32029825
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 3a4ff14b0e.
It breaks the build due to previous abi preservations. Will be brought
back at a later time.
Bug: 161946584
Change-Id: I334bb523efe52dc3d868123cbbf204ba94cb1505
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Remove this log to avoid non-error conditions.
If CONFIG_USB_PHY is disabled, the following error message appears:
[ 0.231609] xhci-hcd f10f0000.usb3: xhci_plat_probe get usb3phy fail (ret=-6)
[ 0.239716] xhci-hcd f10f8000.usb3: xhci_plat_probe get usb3phy fail (ret=-6)
In this case, devm_usb_get_phy_by_phandle is declared static inline
and returns -ENXIO.
It is easy to pinpoint the failure to get the usb-phy using the debug
log in drivers/usb/phy/phy.c. Therefore, it can be removed.
Signed-off-by: Stanley Chang <stanley_chang@realtek.com>
Tested-by: Klaus Kudielka <klaus.kudielka@gmail.com>
Link: https://lore.kernel.org/r/20230510075129.28047-1-stanley_chang@realtek.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 286930662
(cherry picked from commit 424e02931e
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-next)
Signed-off-by: Stanley Chang <stanley_chang@realtek.com>
Change-Id: I872ceb810cd0389700342911cc601f1703d557cd
The Realtek RTD SoCs were designed with the global register address
offset at 0x8100. The default address offset is constant at
DWC3_GLOBALS_REGS_START (0xc100). Therefore, add a check if the
compatible name of the parent is realtek,rtd-dwc3, then global
register start address will remap to 0x8100.
Signed-off-by: Stanley Chang <stanley_chang@realtek.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20230505025104.18321-1-stanley_chang@realtek.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 286930198
(cherry picked from commit ec5eb43813
git: //git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-next)
Change-Id: I436a3a3bd79696764ccd2fad104182ae8a1c9006
Signed-off-by: Stanley Chang <stanley_chang@realtek.com>
Changes in 5.15.113
drm/mipi-dsi: Set the fwnode for mipi_dsi_device
ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings
net: mdio: mvusb: Fix an error handling path in mvusb_mdio_probe()
scsi: ufs: core: Fix I/O hang that occurs when BKOPS fails in W-LUN suspend
tick/broadcast: Make broadcast device replacement work correctly
linux/dim: Do nothing if no time delta between samples
net: stmmac: switch to use interrupt for hw crosstimestamping
net: stmmac: Initialize MAC_ONEUS_TIC_COUNTER register
net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs().
netfilter: nf_tables: always release netdev hooks from notifier
netfilter: conntrack: fix possible bug_on with enable_hooks=1
netlink: annotate accesses to nlk->cb_running
net: annotate sk->sk_err write from do_recvmmsg()
net: deal with most data-races in sk_wait_event()
net: add vlan_get_protocol_and_depth() helper
tcp: add annotations around sk->sk_shutdown accesses
gve: Remove the code of clearing PBA bit
ipvlan:Fix out-of-bounds caused by unclear skb->cb
net: datagram: fix data-races in datagram_poll()
af_unix: Fix a data race of sk->sk_receive_queue->qlen.
af_unix: Fix data races around sk->sk_shutdown.
drm/i915/dp: prevent potential div-by-zero
fbdev: arcfb: Fix error handling in arcfb_probe()
ext4: remove an unused variable warning with CONFIG_QUOTA=n
ext4: reflect error codes from ext4_multi_mount_protect() to its callers
ext4: don't clear SB_RDONLY when remounting r/w until quota is re-enabled
ext4: fix lockdep warning when enabling MMP
ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set
ext4: allow ext4_get_group_info() to fail
refscale: Move shutdown from wait_event() to wait_event_idle()
rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access
fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
drm/displayid: add displayid_get_header() and check bounds better
drm/amd/display: Use DC_LOG_DC in the trasform pixel function
regmap: cache: Return error in cache sync operations for REGCACHE_NONE
arm64: dts: qcom: msm8996: Add missing DWC3 quirks
media: cx23885: Fix a null-ptr-deref bug in buffer_prepare() and buffer_finish()
media: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish
memstick: r592: Fix UAF bug in r592_remove due to race condition
firmware: arm_sdei: Fix sleep from invalid context BUG
ACPI: EC: Fix oops when removing custom query handlers
remoteproc: stm32_rproc: Add mutex protection for workqueue
drm/tegra: Avoid potential 32-bit integer overflow
drm/msm/dp: Clean up handling of DP AUX interrupts
ACPICA: Avoid undefined behavior: applying zero offset to null pointer
ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects
drm/amd: Fix an out of bounds error in BIOS parser
media: Prefer designated initializers over memset for subdev pad ops
wifi: ath: Silence memcpy run-time false positive warning
bpf: Annotate data races in bpf_local_storage
wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex
ext2: Check block size validity during mount
scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
bnxt: avoid overflow in bnxt_get_nvram_directory()
net: pasemi: Fix return type of pasemi_mac_start_tx()
net: Catch invalid index in XPS mapping
scsi: target: iscsit: Free cmds before session free
lib: cpu_rmap: Avoid use after free on rmap->obj array entries
scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition
gfs2: Fix inode height consistency check
scsi: ufs: ufs-pci: Add support for Intel Lunar Lake
ext4: set goal start correctly in ext4_mb_normalize_request
ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()
f2fs: fix to drop all dirty pages during umount() if cp_error is set
f2fs: fix to check readonly condition correctly
samples/bpf: Fix fout leak in hbm's run_bpf_prog
bpf: Add preempt_count_{sub,add} into btf id deny list
wifi: iwlwifi: pcie: fix possible NULL pointer dereference
wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf
null_blk: Always check queue mode setting from configfs
wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
wifi: ath11k: Fix SKB corruption in REO destination ring
nbd: fix incomplete validation of ioctl arg
ipvs: Update width of source for ip_vs_sync_conn_options
Bluetooth: btintel: Add LE States quirk support
Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set
Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE
HID: logitech-hidpp: Don't use the USB serial for USB devices
HID: logitech-hidpp: Reconcile USB and Unifying serials
spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3
HID: wacom: generic: Set battery quirk only when we see battery data
usb: typec: tcpm: fix multiple times discover svids error
serial: 8250: Reinit port->pm on port specific driver unbind
mcb-pci: Reallocate memory region to avoid memory overlapping
sched: Fix KCSAN noinstr violation
recordmcount: Fix memory leaks in the uwrite function
RDMA/core: Fix multiple -Warray-bounds warnings
iommu/arm-smmu-qcom: Limit the SMR groups to 128
fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode'
fs/ntfs3: Enhance the attribute size check
fs/ntfs3: Fix NULL dereference in ni_write_inode
fs/ntfs3: Validate MFT flags before replaying logs
fs/ntfs3: Add length check in indx_get_root
fs/ntfs3: Fix a possible null-pointer dereference in ni_clear()
clk: tegra20: fix gcc-7 constant overflow warning
iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any
iommu/sprd: Release dma buffer to avoid memory leak
Input: xpad - add constants for GIP interface numbers
phy: st: miphy28lp: use _poll_timeout functions for waits
soundwire: qcom: gracefully handle too many ports in DT
mfd: dln2: Fix memory leak in dln2_probe()
parisc: Replace regular spinlock with spin_trylock on panic path
platform/x86: hp-wmi: Support touchpad on/off
platform/x86: Move existing HP drivers to a new hp subdir
platform/x86: hp-wmi: add micmute to hp_wmi_keymap struct
xfrm: don't check the default policy if the policy allows the packet
Revert "Fix XFRM-I support for nested ESP tunnels"
drm/msm/dp: unregister audio driver during unbind
drm/msm/dpu: Add INTF_5 interrupts
drm/msm/dpu: Move non-MDP_TOP INTF_INTR offsets out of hwio header
drm/msm/dpu: Remove duplicate register defines from INTF
dt-bindings: display/msm: dsi-controller-main: Document qcom, master-dsi and qcom, sync-dual-dsi
ASoC: fsl_micfil: Fix error handler with pm_runtime_enable
cpupower: Make TSC read per CPU for Mperf monitor
af_key: Reject optional tunnel/BEET mode templates in outbound policies
selftests: seg6: disable DAD on IPv6 router cfg for srv6_end_dt4_l3vpn_test
selftets: seg6: disable rp_filter by default in srv6_end_dt4_l3vpn_test
net: fec: Better handle pm_runtime_get() failing in .remove()
net: phy: dp83867: add w/a for packet errors seen with short cables
ALSA: firewire-digi00x: prevent potential use after free
ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15
vsock: avoid to close connected socket after the timeout
tcp: fix possible sk_priority leak in tcp_v4_send_reset()
serial: arc_uart: fix of_iomap leak in `arc_serial_probe`
serial: 8250_bcm7271: balance clk_enable calls
serial: 8250_bcm7271: fix leak in `brcmuart_probe`
erspan: get the proto with the md version for collect_md
net: hns3: fix output information incomplete for dumping tx queue info with debugfs
net: hns3: fix sending pfc frames after reset issue
net: hns3: fix reset delay time to avoid configuration timeout
media: netup_unidvb: fix use-after-free at del_timer()
SUNRPC: double free xprt_ctxt while still in use
tracing: Introduce helpers to safely handle dynamic-sized sockaddrs
SUNRPC: Clean up svc_deferred_class trace events
SUNRPC: Remove dead code in svc_tcp_release_rqst()
SUNRPC: Remove svc_rqst::rq_xprt_hlen
SUNRPC: always free ctxt when freeing deferred request
SUNRPC: Fix trace_svc_register() call site
drm/exynos: fix g2d_open/close helper function definitions
net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
virtio-net: Maintain reverse cleanup order
virtio_net: Fix error unwinding of XDP initialization
tipc: add tipc_bearer_min_mtu to calculate min mtu
tipc: do not update mtu if msg_max is too small in mtu negotiation
tipc: check the bearer min mtu properly when setting it by netlink
s390/cio: include subchannels without devices also for evaluation
net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()
net: bcmgenet: Restore phy_stop() depending upon suspend/close
wifi: mac80211: fix min center freq offset tracing
wifi: iwlwifi: mvm: fix cancel_delayed_work_sync() deadlock
wifi: iwlwifi: mvm: don't trust firmware n_channels
scsi: storvsc: Don't pass unused PFNs to Hyper-V host
cassini: Fix a memory leak in the error handling path of cas_init_one()
net: dsa: mv88e6xxx: Fix mv88e6393x EPC write command offset
igb: fix bit_shift to be in [1..8] range
vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
netfilter: nf_tables: fix nft_trans type confusion
netfilter: nft_set_rbtree: fix null deref on element insertion
bridge: always declare tunnel functions
ALSA: usb-audio: Add a sample rate workaround for Line6 Pod Go
USB: usbtmc: Fix direction for 0-length ioctl control messages
usb-storage: fix deadlock when a scsi command timeouts more than once
USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value
usb: dwc3: debugfs: Resume dwc3 before accessing registers
usb: gadget: u_ether: Fix host MAC address case
usb: typec: altmodes/displayport: fix pin_assignment_show
xhci-pci: Only run d3cold avoidance quirk for s2idle
xhci: Fix incorrect tracking of free space on transfer rings
ALSA: hda: Fix Oops by 9.1 surround channel names
ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
ALSA: hda/realtek: Add quirk for Clevo L140AU
ALSA: hda/realtek: Add a quirk for HP EliteDesk 805
ALSA: hda/realtek: Add quirk for 2nd ASUS GU603
can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag
can: isotp: recvmsg(): allow MSG_CMSG_COMPAT flag
can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop()
can: kvaser_pciefd: Call request_irq() before enabling interrupts
can: kvaser_pciefd: Empty SRB buffer in probe
can: kvaser_pciefd: Clear listen-only bit if not explicitly requested
can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt
can: kvaser_pciefd: Disable interrupts in probe error path
SMB3: Close all deferred handles of inode in case of handle lease break
SMB3: drop reference to cfile before sending oplock break
ksmbd: smb2: Allow messages padded to 8byte boundary
ksmbd: allocate one more byte for implied bcc[0]
ksmbd: fix wrong UserName check in session_user
ksmbd: fix global-out-of-bounds in smb2_find_context_vals
statfs: enforce statfs[64] structure initialization
serial: Add support for Advantech PCI-1611U card
serial: 8250_exar: Add support for USR298x PCI Modems
serial: qcom-geni: fix enabling deactivated interrupt
thunderbolt: Clear registers properly when auto clear isn't in use
vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
ceph: force updating the msg pointer in non-split case
powerpc/iommu: Incorrect DDW Table is referenced for SR-IOV device
tpm/tpm_tis: Disable interrupts for more Lenovo devices
powerpc/64s/radix: Fix soft dirty tracking
nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()
s390/qdio: fix do_sqbs() inline assembly constraint
HID: wacom: Force pen out of prox if no events have been received in a while
HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs
HID: wacom: add three styli to wacom_intuos_get_tool_type
Linux 5.15.113
Change-Id: I569d3206b4380293549c195bf71ae101fc818c78
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
In commit 9fbf10148f ("bus: mhi: Move host MHI code to "host"
directory"), the mhi.ko module moved directories, which breaks the build
of the db845c target in the Android TH testing environment. Update the
BUILD.bazel file with the new location of the kernel module.
Fixes: 9fbf10148f ("bus: mhi: Move host MHI code to "host" directory")
Change-Id: Ib39224dc50055b22d58a27eeb60948ae67b637b0
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Setting CONFIG_RPMSG_CTRL=y to add a user-space control interface
for RPMSG. It can provide a user-space program to create endpoints with
specific service name, source, and destination addresses.
Bug: 286965107
Change-Id: I86bc065d4b83582b3322f0823e46536ca5847cf6
Signed-off-by: James Tai <james.tai@realtek.com>
Changes in 5.15.112
ring-buffer: Ensure proper resetting of atomic variables in ring_buffer_reset_online_cpus
crypto: ccp - Clear PSP interrupt status register before calling handler
ubifs: Fix AA deadlock when setting xattr for encrypted file
ubifs: Fix memory leak in do_rename
bus: mhi: Move host MHI code to "host" directory
bus: mhi: host: Remove duplicate ee check for syserr
bus: mhi: host: Use mhi_tryset_pm_state() for setting fw error state
bus: mhi: host: Range check CHDBOFF and ERDBOFF
mailbox: zynq: Switch to flexible array to simplify code
mailbox: zynqmp: Fix counts of child nodes
ASoC: soc-pcm: use GFP_ATOMIC for dpcm structure
ASoC: soc-pcm: align BE 'atomicity' with that of the FE
ASoC: soc-pcm: Fix and cleanup DPCM locking
ASoC: soc-pcm: serialize BE triggers
ASoC: soc-pcm: test refcount before triggering
ASoC: soc-pcm: fix BE handling of PAUSE_RELEASE
fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup()
drm/hyperv: Don't overwrite dirt_needed value set by host
scsi: qedi: Fix use after free bug in qedi_remove()
net/ncsi: clear Tx enable mode when handling a Config required AEN
net/sched: cls_api: remove block_cb from driver_list before freeing
sit: update dev->needed_headroom in ipip6_tunnel_bind_dev()
selftests: srv6: make srv6_end_dt46_l3vpn_test more robust
net: dsa: mv88e6xxx: add mv88e6321 rsvd2cpu
writeback: fix call of incorrect macro
watchdog: dw_wdt: Fix the error handling path of dw_wdt_drv_probe()
RISC-V: mm: Enable huge page support to kernel_page_present() function
net/sched: act_mirred: Add carrier check
r8152: fix flow control issue of RTL8156A
r8152: fix the poor throughput for 2.5G devices
r8152: move setting r8153b_rx_agg_chg_indicate()
sfc: Fix module EEPROM reporting for QSFP modules
rxrpc: Fix hard call timeout units
octeontx2-af: Secure APR table update with the lock
octeontx2-af: Skip PFs if not enabled
octeontx2-pf: Disable packet I/O for graceful exit
octeontx2-vf: Detach LF resources on probe cleanup
ionic: remove noise from ethtool rxnfc error msg
ethtool: Fix uninitialized number of lanes
ionic: catch failure from devlink_alloc
af_packet: Don't send zero-byte data in packet_sendmsg_spkt().
drm/amdgpu: add a missing lock for AMDGPU_SCHED
ALSA: caiaq: input: Add error handling for unsupported input methods in `snd_usb_caiaq_input_init`
net: dsa: mt7530: fix corrupt frames using trgmii on 40 MHz XTAL MT7621
virtio_net: split free_unused_bufs()
virtio_net: suppress cpu stall when free_unused_bufs
net: enetc: check the index of the SFI rather than the handle
perf scripts intel-pt-events.py: Fix IPC output for Python 2
perf vendor events power9: Remove UTF-8 characters from JSON files
perf pmu: zfree() expects a pointer to a pointer to zero it after freeing its contents
perf map: Delete two variable initialisations before null pointer checks in sort__sym_from_cmp()
crypto: sun8i-ss - Fix a test in sun8i_ss_setup_ivs()
crypto: engine - check if BH is disabled during completion
crypto: api - Add scaffolding to change completion function signature
crypto: engine - Use crypto_request_complete
crypto: engine - fix crypto_queue backlog handling
perf symbols: Fix return incorrect build_id size in elf_read_build_id()
perf evlist: Refactor evlist__for_each_cpu()
perf stat: Separate bperf from bpf_profiler
btrfs: fix btrfs_prev_leaf() to not return the same key twice
btrfs: zoned: fix wrong use of bitops API in btrfs_ensure_empty_zones
btrfs: fix encoded write i_size corruption with no-holes
btrfs: don't free qgroup space unless specified
btrfs: zero the buffer before marking it dirty in btrfs_redirty_list_add
btrfs: print-tree: parent bytenr must be aligned to sector size
btrfs: fix space cache inconsistency after error loading it from disk
cifs: fix pcchunk length type in smb2_copychunk_range
cifs: release leases for deferred close handles when freezing
platform/x86: touchscreen_dmi: Add upside-down quirk for GDIX1002 ts on the Juno Tablet
platform/x86: touchscreen_dmi: Add info for the Dexp Ursus KX210i
inotify: Avoid reporting event with invalid wd
smb3: fix problem remounting a share after shutdown
SMB3: force unmount was failing to close deferred close files
sh: math-emu: fix macro redefined warning
sh: mcount.S: fix build error when PRINTK is not enabled
sh: init: use OF_EARLY_FLATTREE for early init
sh: nmi_debug: fix return value of __setup handler
remoteproc: stm32: Call of_node_put() on iteration error
remoteproc: st: Call of_node_put() on iteration error
remoteproc: imx_rproc: Call of_node_put() on iteration error
ARM: dts: exynos: fix WM8960 clock name in Itop Elite
ARM: dts: s5pv210: correct MIPI CSIS clock name
drm/bridge: lt8912b: Fix DSI Video Mode
drm/msm: fix NULL-deref on snapshot tear down
drm/msm: fix NULL-deref on irq uninstall
f2fs: fix potential corruption when moving a directory
drm/panel: otm8009a: Set backlight parent to panel device
drm/amd/display: fix flickering caused by S/G mode
drm/amdgpu: fix an amdgpu_irq_put() issue in gmc_v9_0_hw_fini()
drm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx ras
drm/amdgpu: Fix vram recover doesn't work after whole GPU reset (v2)
drm/amdgpu: disable sdma ecc irq only when sdma RAS is enabled in suspend
HID: wacom: Set a default resolution for older tablets
HID: wacom: insert timestamp to packed Bluetooth (BT) events
fs/ntfs3: Refactoring of various minor issues
ASoC: soc-pcm: Fix DPCM lockdep warning due to nested stream locks
ASoC: soc-compress: Inherit atomicity from DAI link for Compress FE
ASoC: soc-pcm: Move debugfs removal out of spinlock
ASoC: DPCM: Don't pick up BE without substream
ASoC: soc-pcm.c: call __soc_pcm_close() in soc_pcm_close()
drm/i915/dg2: Support 4k@30 on HDMI
drm/i915/dg2: Add additional HDMI pixel clock frequencies
drm/i915/dg2: Add HDMI pixel clock frequencies 267.30 and 319.89 MHz
drm/msm: Remove struct_mutex usage
drm/msm/adreno: fix runtime PM imbalance at gpu load
drm/amd/display: Refine condition of cursor visibility for pipe-split
drm/amd/display: Add NULL plane_state check for cursor disable logic
wifi: rtw88: rtw8821c: Fix rfe_option field width
ksmbd: set RSS capable in FSCTL_QUERY_NETWORK_INTERFACE_INFO
ksmbd: fix multi session connection failure
ksmbd: replace sessions list in connection with xarray
ksmbd: add channel rwlock
ksmbd: fix kernel oops from idr_remove()
ksmbd: fix racy issue while destroying session on multichannel
ksmbd: fix deadlock in ksmbd_find_crypto_ctx()
ksmbd: not allow guest user on multichannel
locking/rwsem: Add __always_inline annotation to __down_read_common() and inlined callers
ext4: fix WARNING in mb_find_extent
ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum
ext4: fix data races when using cached status extents
ext4: check iomap type only if ext4_iomap_begin() does not fail
ext4: improve error recovery code paths in __ext4_remount()
ext4: improve error handling from ext4_dirhash()
ext4: fix deadlock when converting an inline directory in nojournal mode
ext4: add bounds checking in get_max_inline_xattr_value_size()
ext4: bail out of ext4_xattr_ibody_get() fails for any reason
ext4: remove a BUG_ON in ext4_mb_release_group_pa()
ext4: fix invalid free tracking in ext4_xattr_move_to_block()
drm/msm/adreno: adreno_gpu: Use suspend() instead of idle() on load error
serial: 8250: Fix serial8250_tx_empty() race with DMA Tx
drbd: correctly submit flush bio on barrier
RISC-V: Fix up a cherry-pick warning in setup_vm_final()
drm/amd/display: Fix hang when skipping modeset
Linux 5.15.112
Change-Id: Ie61cc0aea78266c2c5adb0a889f55affa78883e5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 397eb669da which is
commit 31088f6f79 upstream.
It breaks the CRC generation of loads of symbols, and is not needed at
all for any real Android issue at this point in time, so revert it to
preserve the ABI.
Bug: 161946584
Change-Id: I93095fb07b431a194e21bb21d4cd22435445dca3
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 8fe72b76db ]
There was a bug where this code forgot to unlock the tdev->mutex if the
kzalloc() failed. Fix this issue, by moving the allocation outside the
lock.
Bug: 275340532
Fixes: 2d1e952a2b ("mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 7d233f9359)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I7a4a1bf06abbb2092aceb72610e3f894b2bfbf0f
[ Upstream commit 2d1e952a2b ]
If a user can make copy_from_user() fail, there is a potential for
UAF/DF due to a lack of locking around the allocation, use and freeing
of the data buffers.
This issue is not theoretical. I managed to author a POC for it:
BUG: KASAN: double-free in kfree+0x5c/0xac
Free of addr ffff29280be5de00 by task poc/356
CPU: 1 PID: 356 Comm: poc Not tainted 6.1.0-00001-g961aa6552c04-dirty #20
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace.part.0+0xe0/0xf0
show_stack+0x18/0x40
dump_stack_lvl+0x64/0x80
print_report+0x188/0x48c
kasan_report_invalid_free+0xa0/0xc0
____kasan_slab_free+0x174/0x1b0
__kasan_slab_free+0x18/0x24
__kmem_cache_free+0x130/0x2e0
kfree+0x5c/0xac
mbox_test_message_write+0x208/0x29c
full_proxy_write+0x90/0xf0
vfs_write+0x154/0x440
ksys_write+0xcc/0x180
__arm64_sys_write+0x44/0x60
invoke_syscall+0x60/0x190
el0_svc_common.constprop.0+0x7c/0x160
do_el0_svc+0x40/0xf0
el0_svc+0x2c/0x6c
el0t_64_sync_handler+0xf4/0x120
el0t_64_sync+0x18c/0x190
Allocated by task 356:
kasan_save_stack+0x3c/0x70
kasan_set_track+0x2c/0x40
kasan_save_alloc_info+0x24/0x34
__kasan_kmalloc+0xb8/0xc0
kmalloc_trace+0x58/0x70
mbox_test_message_write+0x6c/0x29c
full_proxy_write+0x90/0xf0
vfs_write+0x154/0x440
ksys_write+0xcc/0x180
__arm64_sys_write+0x44/0x60
invoke_syscall+0x60/0x190
el0_svc_common.constprop.0+0x7c/0x160
do_el0_svc+0x40/0xf0
el0_svc+0x2c/0x6c
el0t_64_sync_handler+0xf4/0x120
el0t_64_sync+0x18c/0x190
Freed by task 357:
kasan_save_stack+0x3c/0x70
kasan_set_track+0x2c/0x40
kasan_save_free_info+0x38/0x5c
____kasan_slab_free+0x13c/0x1b0
__kasan_slab_free+0x18/0x24
__kmem_cache_free+0x130/0x2e0
kfree+0x5c/0xac
mbox_test_message_write+0x208/0x29c
full_proxy_write+0x90/0xf0
vfs_write+0x154/0x440
ksys_write+0xcc/0x180
__arm64_sys_write+0x44/0x60
invoke_syscall+0x60/0x190
el0_svc_common.constprop.0+0x7c/0x160
do_el0_svc+0x40/0xf0
el0_svc+0x2c/0x6c
el0t_64_sync_handler+0xf4/0x120
el0t_64_sync+0x18c/0x190
Bug: 275340532
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit cad1abbe48)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I79753a9a63d8b04e139eaaeb9435bf1d05d38892
commit 7e01c7f704 upstream.
Currently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than
the calculated "min" value, but greater than zero, the logic sets
tx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in
cdc_ncm_fill_tx_frame() where all the data is handled.
For small values of dwNtbOutMaxSize the memory allocated during
alloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to
how size is aligned at alloc time:
size = SKB_DATA_ALIGN(size);
size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
Thus we hit the same bug that we tried to squash with
commit 2be6d4d16a ("net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero")
Low values of dwNtbOutMaxSize do not cause an issue presently because at
alloc_skb() time more memory (512b) is allocated than required for the
SKB headers alone (320b), leaving some space (512b - 320b = 192b)
for CDC data (172b).
However, if more elements (for example 3 x u64 = [24b]) were added to
one of the SKB header structs, say 'struct skb_shared_info',
increasing its original size (320b [320b aligned]) to something larger
(344b [384b aligned]), then suddenly the CDC data (172b) no longer
fits in the spare SKB data area (512b - 384b = 128b).
Consequently the SKB bounds checking semantics fails and panics:
skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Workqueue: mld mld_ifc_work
RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
[snip]
Call Trace:
<TASK>
skb_put+0x151/0x210 net/core/skbuff.c:2047
skb_put_zero include/linux/skbuff.h:2422 [inline]
cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]
cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308
cdc_ncm_tx_fixup+0xa3/0x100
Deal with too low values of dwNtbOutMaxSize, clamp it in the range
[USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure
enough data space is allocated to handle CDC data by making sure
dwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE.
Fixes: 289507d336 ("net: cdc_ncm: use sysfs for rx/tx aggregation tuning")
Cc: stable@vger.kernel.org
Reported-by: syzbot+9f575a1f15fc0c01ed69@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=b982f1059506db48409d
Link: https://lore.kernel.org/all/20211202143437.1411410-1-lee.jones@linaro.org/
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/20230517133808.1873695-2-tudor.ambarus@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 281604646
Bug: 281606231
Change-Id: Ic1d912e7bf2ba53620eb8293b68ec6046422e047
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
