mirror of
https://github.com/hardkernel/linux.git
synced 2026-06-05 10:31:46 +09:00
5162f9a67b7d9d48d43f69447c7119f20cdab03b
1163307 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Besar Wicaksono
|
5162f9a67b |
UPSTREAM: arm64: Add Neoverse-V2 part
[ Upstream commit f4d9d9dcc70b96b5e5d7801bd5fbf8491b07b13d ] Add the part number and MIDR for Neoverse-V2 Bug: 342491759 Signed-off-by: Besar Wicaksono <bwicaksono@nvidia.com> Reviewed-by: James Clark <james.clark@arm.com> Link: https://lore.kernel.org/r/20240109192310.16234-2-bwicaksono@nvidia.com Signed-off-by: Will Deacon <will@kernel.org> [ Mark: trivial backport ] Signed-off-by: Mark Rutland <mark.rutland@arm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Chunhui Li <chunhui.li@mediatek.com> Change-Id: I2811f794a836d7c8f868b4f069e5d1e05ed69741 |
||
|
Faisal Hassan
|
1105954181 |
UPSTREAM: usb: dwc3: core: update LC timer as per USB Spec V3.2
This fix addresses STAR 9001285599, which only affects DWC_usb3 version 3.20a. The timer value for PM_LC_TIMER in DWC_usb3 3.20a for the Link ECN changes is incorrect. If the PM TIMER ECN is enabled via GUCTL2[19], the link compliance test (TD7.21) may fail. If the ECN is not enabled (GUCTL2[19] = 0), the controller will use the old timer value (5us), which is still acceptable for the link compliance test. Therefore, clear GUCTL2[19] to pass the USB link compliance test: TD 7.21. Cc: stable@vger.kernel.org Signed-off-by: Faisal Hassan <quic_faisalh@quicinc.com> Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com> Link: https://lore.kernel.org/r/20240829094502.26502-1-quic_faisalh@quicinc.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 9149c9b0c7e046273141e41eebd8a517416144ac https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master) Bug: 366400205 Change-Id: I8708984ce6c626df0c02045199301aa536520e83 Signed-off-by: Faisal Hassan <quic_faisalh@quicinc.com> |
||
|
Kever Yang
|
cc274231f6 |
ANDROID: GKI: Add symbol for pci power limit
INFO: 1 function symbol(s) added 'u32 of_pci_get_slot_power_limit(struct device_node*, u8*, u8*)' Bug: 300024866 Change-Id: I558dbc6126dfd509ef200b08d5394c888aef9685 Signed-off-by: Kever Yang <kever.yang@rock-chips.com> |
||
|
Anant Goel
|
5a912daf87 |
ANDROID: OPP: fix function args mismatch for dev_pm_opp_add in pm_opp.h
The function prototype for dev_pm_opp_add differs between a
configuration when CONFIG_PM_OPP is set versus when CONFIG_PM_OPP is not
set.
Fix this mismatch by aligning the function arguments for the dummy
dev_pm_opp_add with the non-dummy version.
Bug: 369659366
Fixes:
|
||
|
meitaogao
|
bcc435d374 |
ANDROID: GKI: Update KMI symbol list for ASR
INFO: 9 function symbol(s) added 'unsigned int kmem_cache_size(struct kmem_cache*)' 'void media_device_unregister_entity(struct media_entity*)' 'void* memset16(uint16_t*, uint16_t, size_t)' 'const char* const* v4l2_ctrl_get_menu(u32)' 'bool v4l2_ctrl_type_op_equal(const struct v4l2_ctrl*, union v4l2_ctrl_ptr, union v4l2_ctrl_ptr)' 'void v4l2_ctrl_type_op_init(const struct v4l2_ctrl*, u32, union v4l2_ctrl_ptr)' 'void v4l2_ctrl_type_op_log(const struct v4l2_ctrl*)' 'void v4l2_m2m_buf_done_and_job_finish(struct v4l2_m2m_dev*, struct v4l2_m2m_ctx*, enum vb2_buffer_state)' 'struct vb2_v4l2_buffer* v4l2_m2m_last_buf(struct v4l2_m2m_queue_ctx*)' Bug: 369670477 Change-Id: I5c3fa32e903685836b7812d33df8ddd6b2c65054 Signed-off-by: meitaogao <meitaogao@asrmicro.com> |
||
|
yipeng xiang
|
9e167c1c27 |
ANDROID: GKI: Export a symbol “next_arg” for honor
Export a symbol “next_arg” in android/abi_gki_aarch64_honor Bug: 368221985 Change-Id: I0bd8fc321752f0fa3d103b56510b33eadcb6e39b Signed-off-by: yipeng xiang <yipengxiang@honor.corp-partner.google.com> |
||
|
Stephen Hemminger
|
4dcae85afd |
BACKPORT: netem: fix return value if duplicate enqueue fails
[ Upstream commit c07ff8592d57ed258afee5a5e04991a48dbaf382 ] There is a bug in netem_enqueue() introduced by commit |
||
|
Kalesh Singh
|
f4bcd4ef0f |
ANDROID: 16K: Fixup padding vm_flags bits on VMA splits
In some cases VMAs are split without the mmap write lock held; later the lock is taken to fixup vm_flags of the original VMA. Since some uppper bits of vm_flags are used to encode the ELF padding ranges, they need to be modified on splits. This is usually handled correctly by __split_vma(). However in the above case, the flags get over witten later under the write lock. Preserve vm_flag bits on reset to correctly represent padding. Bug: 357901498 Change-Id: I1cb75419e614791a47cbdb0341373f619daf0bf2 Signed-off-by: Kalesh Singh <kaleshsingh@google.com> |
||
|
Kalesh Singh
|
9027204d5a |
ANDROID: 16K: Introduce pgsize_migration_inline.h
Introduce inline header to avoid circular dependency. This will be used in a subsequent patch. Also take opportunity to do some small noop refactor in vma_pad_pages() and split_pad_vma() for more robust code. Bug: 357901498 Change-Id: Ia5f447758d0d07ed3e1429ca1e35dcc0741cc22a Signed-off-by: Kalesh Singh <kaleshsingh@google.com> |
||
|
Carlos Llamas
|
03b93dc707 |
FROMLIST: binder: fix BINDER_WORK_FROZEN_BINDER debug logs
The BINDER_WORK_FROZEN_BINDER type is not handled in the binder_logs
entries and it shows up as "unknown work" when logged:
proc 649
context binder-test
thread 649: l 00 need_return 0 tr 0
ref 13: desc 1 node 8 s 1 w 0 d 0000000053c4c0c3
unknown work: type 10
This patch add the freeze work type and is now logged as such:
proc 637
context binder-test
thread 637: l 00 need_return 0 tr 0
ref 8: desc 1 node 3 s 1 w 0 d 00000000dc39e9c6
has frozen binder
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 366003708
Link: https://lore.kernel.org/all/20240924184401.76043-5-cmllamas@google.com/
Change-Id: I06f888aa5218db19eeda79e315385506af09d9d5
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
|
Carlos Llamas
|
9c6fdb6bf8 |
BACKPORT: FROMLIST: binder: fix freeze UAF in binder_release_work()
When a binder reference is cleaned up, any freeze work queued in the associated process should also be removed. Otherwise, the reference is freed while its ref->freeze.work is still queued in proc->work leading to a use-after-free issue as shown by the following KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0 Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211 CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22 Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: binder_release_work+0x398/0x3d0 binder_deferred_func+0xb60/0x109c process_one_work+0x51c/0xbd4 worker_thread+0x608/0xee8 Allocated by task 703: __kmalloc_cache_noprof+0x130/0x280 binder_thread_write+0xdb4/0x42a0 binder_ioctl+0x18f0/0x25ac __arm64_sys_ioctl+0x124/0x190 invoke_syscall+0x6c/0x254 Freed by task 211: kfree+0xc4/0x230 binder_deferred_func+0xae8/0x109c process_one_work+0x51c/0xbd4 worker_thread+0x608/0xee8 ================================================================== This commit fixes the issue by ensuring any queued freeze work is removed when cleaning up a binder reference. Fixes: d579b04a52a1 ("binder: frozen notification") Cc: stable@vger.kernel.org Signed-off-by: Carlos Llamas <cmllamas@google.com> Bug: 366003708 Link: https://lore.kernel.org/all/20240924184401.76043-4-cmllamas@google.com/ Change-Id: Icc40e7dd6157981f4adbea7243e55be118552321 [cmllamas: drop BINDER_STAT_FREEZE as it's not supported here] Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Carlos Llamas
|
07a43515b0 |
FROMLIST: binder: fix OOB in binder_add_freeze_work()
In binder_add_freeze_work() we iterate over the proc->nodes with the proc->inner_lock held. However, this lock is temporarily dropped to acquire the node->lock first (lock nesting order). This can race with binder_deferred_release() which removes the nodes from the proc->nodes rbtree and adds them into binder_dead_nodes list. This leads to a broken iteration in binder_add_freeze_work() as rb_next() will use data from binder_dead_nodes, triggering an out-of-bounds access: ================================================================== BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124 Read of size 8 at addr ffffcb84285f7170 by task freeze/660 CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18 Hardware name: linux,dummy-virt (DT) Call trace: rb_next+0xfc/0x124 binder_add_freeze_work+0x344/0x534 binder_ioctl+0x1e70/0x25ac __arm64_sys_ioctl+0x124/0x190 The buggy address belongs to the variable: binder_dead_nodes+0x10/0x40 [...] ================================================================== This is possible because proc->nodes (rbtree) and binder_dead_nodes (list) share entries in binder_node through a union: struct binder_node { [...] union { struct rb_node rb_node; struct hlist_node dead_node; }; Fix the race by checking that the proc is still alive. If not, simply break out of the iteration. Fixes: d579b04a52a1 ("binder: frozen notification") Cc: stable@vger.kernel.org Signed-off-by: Carlos Llamas <cmllamas@google.com> Bug: 366003708 Link: https://lore.kernel.org/all/20240924184401.76043-3-cmllamas@google.com/ Change-Id: I5ec9d49277a23b864862665b52213460750c535e Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Carlos Llamas
|
a26cde4055 |
FROMLIST: binder: fix node UAF in binder_add_freeze_work()
In binder_add_freeze_work() we iterate over the proc->nodes with the proc->inner_lock held. However, this lock is temporarily dropped in order to acquire the node->lock first (lock nesting order). This can race with binder_node_release() and trigger a use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c Write of size 4 at addr ffff53c04c29dd04 by task freeze/640 CPU: 5 UID: 0 PID: 640 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #17 Hardware name: linux,dummy-virt (DT) Call trace: _raw_spin_lock+0xe4/0x19c binder_add_freeze_work+0x148/0x478 binder_ioctl+0x1e70/0x25ac __arm64_sys_ioctl+0x124/0x190 Allocated by task 637: __kmalloc_cache_noprof+0x12c/0x27c binder_new_node+0x50/0x700 binder_transaction+0x35ac/0x6f74 binder_thread_write+0xfb8/0x42a0 binder_ioctl+0x18f0/0x25ac __arm64_sys_ioctl+0x124/0x190 Freed by task 637: kfree+0xf0/0x330 binder_thread_read+0x1e88/0x3a68 binder_ioctl+0x16d8/0x25ac __arm64_sys_ioctl+0x124/0x190 ================================================================== Fix the race by taking a temporary reference on the node before releasing the proc->inner lock. This ensures the node remains alive while in use. Fixes: d579b04a52a1 ("binder: frozen notification") Cc: stable@vger.kernel.org Signed-off-by: Carlos Llamas <cmllamas@google.com> Bug: 366003708 Link: https://lore.kernel.org/all/20240924184401.76043-2-cmllamas@google.com/ Change-Id: I47b053532dd4cd3424d35d6f254ca4d00c426411 Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Philip Chen
|
df571cd9f1 |
FROMGIT: virtio_pmem: Check device status before requesting flush
If a pmem device is in a bad status, the driver side could wait for host ack forever in virtio_pmem_flush(), causing the system to hang. So add a status check in the beginning of virtio_pmem_flush() to return early if the device is not activated. Signed-off-by: Philip Chen <philipchen@chromium.org> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Pankaj Gupta <pankaj.gupta.linux@gmail.com Bug: 358391069 Change-Id: I325e6f0ea047c4c5fa82cf4b590cbf7240f39b7b (cherry picked from commit e25fbcd97cf52c3c9824d44b5c56c19673c3dd50 https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master) Signed-off-by: Philip Chen <philipchen@google.com> |
||
|
Kever Yang
|
b2a0a8f709 |
ANDROID: GKI: update rockchip symbols sync with kernel update
INFO: 2 function symbol(s) added 'struct clk* devm_clk_get_enabled(struct device*, const char*)' 'int devm_regulator_bulk_get_enable(struct device*, int, const char* const*)' Bug: 300024866 Change-Id: Ib10dc7eb710fc09c185513ba8bf5789c2c7ef5d1 Signed-off-by: Kever Yang <kever.yang@rock-chips.com> |
||
|
Chenghao Zhao
|
83e7e0486e |
ANDROID: GKI: Update symbol list for honor
Update symbol list for honor in android/abi_gki_aarch64_honor Bug: 369259421 Change-Id: I6954293467a50a758b27444bf51b7205d68dd34d Signed-off-by: Chenghao Zhao <zhaochenghao@honor.com> |
||
|
Vilas Bhat
|
5c7d0d4f4a |
ANDROID: GKI: Update kernel_aarch64_16k build config to match kernel_aarch64
Test: Built & Flashed 16k page size kernel to Pixel 8a. Bug: 361155105 Change-Id: Ibfaa96aeabe627f99effc1ae8dbaf3e86156425e Signed-off-by: Vilas Bhat <vilasbhat@google.com> |
||
|
Chenghao Zhao
|
2cd8ac816d |
ANDROID: ABI: update symbol list for honor
2 function symbol(s) added 'int netdev_get_name(struct net*, char*, int)' 'void tcp_send_active_reset(struct sock*, gfp_t)' Bug: 334000512 Change-Id: I83507ca33d4547088b61c6f83cfb48cc94474185 Signed-off-by: Chenghao Zhao <zhaochenghao@honor.com> |
||
|
Dezhi Huang
|
b5ee53c64e |
ANDROID: Allow vendor modules perform more operationson on sock.
Export netdev_get_name, tcp_send_active_reset functions, allow vendor modules perform more operations on socks and improve users' online experience.When users browse websites or watch videos, we will sense the bad sock is on which device, so that the sock can be switched to another good device by us, so that the internet service will no longer be stuck. In a similar scenario, if the user downloads from multiple devices and the rate of one device is low,we can reset the TCP stream with a lower rate and establish it on the device with a higher rate. Bug: 334000512 Change-Id: I9ed90ea9fe6f3dc9f11ae1661ca9f2f5fdad5820 Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com> (cherry picked from commit 21614c79408f0342363db9874d315fbb3ff6553b) |
||
|
Yuxuan Yan
|
e64a80a096 |
ANDROID: GKI: update symbol list file for xiaomi
add 3 function:
android_vh_page_should_be_protected()
android_vh_page_referenced_check_bypass()
__page_mapcount()
Bug: 348285765
Change-Id: Idbcdf69693a3f4e83ada35aebf3f138648c73d10
Signed-off-by: Yuxuan Yan <yanyuxuan3@xiaomi.corp-partner.google.com>
|
||
|
Yuxuan Yan
|
530ff6a3e6 |
ANDROID: GKI: add vendor hooks android_vh_page_should_be_protected() and
android_vh_modify_scan_control().
add two vendor hooks:
android_vh_page_should_be_protected():protect pages from memory
reclaim.
android_vh_page_referenced_check_bypass():bypass rmap in active list
shrink.
The new vendor data field in scan_control are used to track how many
pages are protected in current reclaim and the "protected / scanned"
rate. These parameters are useful for understanding the impact of page
protection operations on LRU and reclaim, helping us make better
decsions.
Bug: 348285765
Change-Id: I49567a4b1f978821a94da0a8339b2b8fdfd52daf
Signed-off-by: Yuxuan Yan <yanyuxuan3@xiaomi.corp-partner.google.com>
|
||
|
Greg Kroah-Hartman
|
41e1c6f937 |
Merge tag 'android14-6.1.99_r00' into android14-6.1
This merges up to the 6.1.99 LTS release into android14-6.1. This includes the following commits: * |
||
|
Dmitry Skiba
|
3b95e54867 |
ANDROID: Update the ABI symbol list
Adding the following symbols: - __traceiter_android_rvh_try_to_wake_up_success - __traceiter_android_vh_mm_kcompactd_cpu_online - __traceiter_android_vh_vmscan_kswapd_done - __traceiter_mm_vmscan_kswapd_wake - __tracepoint_android_rvh_try_to_wake_up_success - __tracepoint_android_vh_mm_kcompactd_cpu_online - __tracepoint_android_vh_vmscan_kswapd_done - __tracepoint_mm_vmscan_kswapd_wake Bug: 367400751 Change-Id: I658b4961666d93238feaa8f166012b76a69994eb Signed-off-by: Dmitry Skiba <dskiba@google.com> |
||
|
Dmitry Skiba
|
b3a2458fc6 |
ANDROID: mm: add vh for kcompactd_cpu_online()
kcompactd_cpu_online() changes kcompactd cpumask, potentially overwriting any vendor-specific cpumask that was there. This hook allows vendors to re-set the cpumask. Bug: 367400751 Change-Id: I45b92bcd16fbf2d5d76474287db659e32af64201 Signed-off-by: Dmitry Skiba <dskiba@google.com> |
||
|
jiangxinpei
|
532fad0092 |
ANDROID: ABI: update symbol list for honor
1 function symbol(s) added 'int __traceiter_android_vh_should_fault_around(void*, struct vm_fault*, bool*)' Bug: 362663044 Change-Id: Ie7634bc746e40142455c7bd22d876d519a02e0d5 Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com> |
||
|
Dezhi Huang
|
145b08312d |
ANDROID: vendor_hooks: add hook to perform targeted memory management
Add vendor_hook trace_android_vh_should_fault_around, allow vendor modules to skip the fault_around processing for less important processes. Bug: 362663044 Bug: 337547131 Change-Id: I792dca2038f5ad7cba1d212ef95407244958609d Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com> (cherry picked from commit 65ebb00fe7977348d5fcfa58985c29181f3ec173) |
||
|
jiangxinpei
|
c105083ac6 |
ANDROID: ABI: update symbol list for honor
3 function symbol(s) added 'int __traceiter_android_vh_do_read_fault(void*, struct vm_fault*, unsigned long)' 'int __traceiter_android_vh_filemap_map_pages(void*, struct file*, unsigned long, unsigned long, vm_fault_t)' 'int __traceiter_android_vh_filemap_read(void*, struct file*, loff_t, size_t)' Bug: 362665923 Change-Id: I49fa40c65d7d24799c815de0c2c02c12d09e8fd8 Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com> |
||
|
Sooyong Suk
|
eda4e9fa64 |
ANDROID: mm: add vendor hook in fault and read file
Add a vendor hook to notify vendor module fault and read events. Bug: 362665923 Bug: 351175506 Change-Id: I4c46e9e00aa5f5555fd42a6b0815563497658b34 Signed-off-by: Sooyong Suk <s.suk@samsung.corp-partner.google.com> (cherry picked from commit a9867d872e24fbe658e05f32b770e4b36c6e3773) |
||
|
David Chiang
|
814dd5bfa8 |
ANDROID: Update the ABI symbol list
Adding the following symbols to abi_gki_aarch64_pixel: - mbox_request_channel_byname Bug: 368167673 Change-Id: I031522377372a25bf5f9e97eb4832173463de390 Signed-off-by: David Chiang <davidchiang@google.com> |
||
|
jiangxinpei
|
8a268cb981 |
ANDROID: GKI: Update symbol list for honor
Update symbol list for honor in android/abi_gki_aarch64_honor Bug: 365506689 Change-Id: I604163b979660eaedbc13d3da5c9e3cdb8275e50 Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com> |
||
|
jiangxinpei
|
be07389110 |
ANDROID: Allow vendor modules perform operationson on memleak detect
When an LMK (Low Memory Killer) occurs, it is crucial for us to identify the underlying cause of low memory. Based on past experiences, memory leaks are often the root cause in such situations. The purpose of this function is to assist us in identifying which application or type of memory is experiencing memory leaks, thereby enabling us to effectively locate and address the memory leakage issue. Bug: 365506689 Bug: 346707562 Change-Id: I5d7d6bdbca30660f2a552211fd8aff40d3550df7 Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com> (cherry picked from commit d61134668c2d37846a6cea3e1ab3c237f2c7bc99) |
||
|
jiangxinpei
|
47871c381d |
ANDROID: GKI: Update symbol list for honor
Update symbol list for honor in android/abi_gki_aarch64_honor Bug: 365506454 Change-Id: I5d9a7a41da2a6f97998fadbbcb447db53b873bcc Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com> |
||
|
Dezhi Huang
|
c7b8f95c21 |
ANDROID: Allow vendor modules perform more operations on binder transaction.
Export binder_alloc_copy_from_buffer, allow vendor modules perform more operations on binder transaction and improve user operation fluency and timeliness experience. Bug: 365506454 Bug: 343139379 Change-Id: I4353763099d854a62d0b70b003fbaca00e2c76e4 Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com> (cherry picked from commit d8db83d94e14b48819bba18cb975943c237e33df) |
||
|
Daeho Jeong
|
d1f3a046a6 |
FROMGIT: f2fs: prevent atomic file from being dirtied before commit
Keep atomic file clean while updating and make it dirtied during commit
in order to avoid unnecessary and excessive inode updates in the previous
fix.
Fixes: 4bf78322346f ("f2fs: mark inode dirty for FI_ATOMIC_COMMITTED flag")
Change-Id: I2a29d047fa4233632876c61cf909340d1f60c26d
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Bug: 352181300
(cherry picked from commit fccaa81de87e80b1809906f7e438e5766fbdc172
https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git dev)
Change-Id: I5970e56a5318804cfebea340b5b19d6e0a66dc01
Signed-off-by: Daeho Jeong <daehojeong@google.com>
|
||
|
iabdullah
|
6e5b92a6a1 |
ANDROID: GKI: Add symbol list for exynosauto
These symbols are required to use custom driver for writing data into Serial device using common TTY drivers for basic data trasmit via UART/SPI. INFO: 2 function symbol(s) added 'int serdev_device_write(struct serdev_device*, const unsigned char*, size_t, long)' 'void serdev_device_write_wakeup(struct serdev_device*)' Bug: 356635235 Change-Id: Ia365485ad4b533e5e2826add9182bc98b5563f81 Signed-off-by: iabdullah <imrankhan.abdullah@harman.com> |
||
|
Pierre Couillaud
|
b18f8bbc04 |
ANDROID: GKI: Update symbol list for BCMSTB
Remove symbols obsoleted since including CONFIG_SERIAL_8250_BCM7271 Bug: 365149220 Change-Id: Id35a1c68e27359fa5e8a2d90cfa7be5346875ebf Signed-off-by: Pierre Couillaud <pierre@broadcom.com> |
||
|
Mukesh Ojha
|
ff74052448 |
BACKPORT: binder_alloc: Fix sleeping function called from invalid context
36c55ce8703c ("binder_alloc: Replace kcalloc with kvcalloc to
mitigate OOM issues") introduced schedule while atomic issue.
[ 2689.152635][ T4275] BUG: sleeping function called from invalid context at mm/vmalloc.c:2847
[ 2689.161291][ T4275] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4275, name: kworker/1:140
[ 2689.170708][ T4275] preempt_count: 1, expected: 0
[ 2689.175572][ T4275] RCU nest depth: 0, expected: 0
[ 2689.180521][ T4275] INFO: lockdep is turned off.
[ 2689.180523][ T4275] Preemption disabled at:
[ 2689.180525][ T4275] [<ffffffe031f2a2dc>] binder_alloc_deferred_release+0x2c/0x388
..
..
[ 2689.213419][ T4275] __might_resched+0x174/0x178
[ 2689.213423][ T4275] __might_sleep+0x48/0x7c
[ 2689.213426][ T4275] vfree+0x4c/0x15c
[ 2689.213430][ T4275] kvfree+0x24/0x44
[ 2689.213433][ T4275] binder_alloc_deferred_release+0x2c0/0x388
[ 2689.213436][ T4275] binder_proc_dec_tmpref+0x15c/0x2a8
[ 2689.213440][ T4275] binder_deferred_func+0xa8/0x8ec
[ 2689.213442][ T4275] process_one_work+0x254/0x59c
[ 2689.213447][ T4275] worker_thread+0x274/0x3ec
[ 2689.213450][ T4275] kthread+0x110/0x134
[ 2689.213453][ T4275] ret_from_fork+0x10/0x20
Fix it by moving the place of kvfree outside of spinlock context.
Fixes: 36c55ce8703c ("binder_alloc: Replace kcalloc with kvcalloc to mitigate OOM issues")
Acked-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
Link: https://lore.kernel.org/r/20240725062510.2856662-1-quic_mojha@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 356093827
Change-Id: Ic1e342ba8eb843dc49a6c4a91c7ba0f99d5e54fd
(cherry picked from commit 2c10a20f5e84ab777d29ed921d4c78d66de6d0fb)
[cmllamas: fix merge issues due to missing 36c55ce8703c]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
|
Daniel Borkmann
|
75c9b1955b |
UPSTREAM: bpf: Fix overrunning reservations in ringbuf
[ Upstream commit cfa1a2329a691ffd991fcf7248a57d752e712881 ]
The BPF ring buffer internally is implemented as a power-of-2 sized circular
buffer, with two logical and ever-increasing counters: consumer_pos is the
consumer counter to show which logical position the consumer consumed the
data, and producer_pos which is the producer counter denoting the amount of
data reserved by all producers.
Each time a record is reserved, the producer that "owns" the record will
successfully advance producer counter. In user space each time a record is
read, the consumer of the data advanced the consumer counter once it finished
processing. Both counters are stored in separate pages so that from user
space, the producer counter is read-only and the consumer counter is read-write.
One aspect that simplifies and thus speeds up the implementation of both
producers and consumers is how the data area is mapped twice contiguously
back-to-back in the virtual memory, allowing to not take any special measures
for samples that have to wrap around at the end of the circular buffer data
area, because the next page after the last data page would be first data page
again, and thus the sample will still appear completely contiguous in virtual
memory.
Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for
book-keeping the length and offset, and is inaccessible to the BPF program.
Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`
for the BPF program to use. Bing-Jhong and Muhammad reported that it is however
possible to make a second allocated memory chunk overlapping with the first
chunk and as a result, the BPF program is now able to edit first chunk's
header.
For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size
of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to
bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in
[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets
allocate a chunk B with size 0x3000. This will succeed because consumer_pos
was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask`
check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able
to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned
earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data
pages. This means that chunk B at [0x4000,0x4008] is chunk A's header.
bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then
locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk
B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong
page and could cause a crash.
Fix it by calculating the oldest pending_pos and check whether the range
from the oldest outstanding record to the newest would span beyond the ring
buffer size. If that is the case, then reject the request. We've tested with
the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)
before/after the fix and while it seems a bit slower on some benchmarks, it
is still not significantly enough to matter.
Bug: 349976340
Fixes:
|
||
|
Suren Baghdasaryan
|
fdec2610bf |
ANDROID: gki_config: Disable CONFIG_DEBUG_STACK_USAGE
This config option was not requested by any partner and has non-zero overhead on process creation. Disable it. Bug: 191150949 Bug: 365466166 Signed-off-by: Suren Baghdasaryan <surenb@google.com> Change-Id: Ia9547c989c22246c46ed9624a0707c6369ee4de0 |
||
|
Pierre Couillaud
|
d02968a023 |
ANDROID: gki_defconfig: Enable CONFIG_SERIAL_8250_BCM7271
Enable BCM UART driver for Broadcom Set Top Box SoCs. Bug: 365149220 Change-Id: I8784b1f5820dcdcecca8f71fc7d378dc0407f6a0 Signed-off-by: Pierre Couillaud <pierre@broadcom.com> Signed-off-by: Danesh Petigara <danesh.petigara@broadcom.com> |
||
|
Justin Chen
|
a752cdd96f |
BACKPORT: serial: 8250_bcm7271: improve bcm7271 8250 port
The 8250 BCM7271 UART is not a direct match to PORT_16550A and other
generic ports do not match its hardware capabilities. PORT_ALTR matches
the rx trigger levels, but its vendor configurations are not compatible.
Unfortunately this means we need to create another port to fully capture
the hardware capabilities of the BCM7271 UART.
To alleviate some latency pressures, we default the rx trigger level to 8.
Bug: 365149220
Change-Id: I41005a210439a3a54a9af16a96583662dc8d786d
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Acked-by: Doug Berger <opendmb@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/1692643978-16570-1-git-send-email-justin.chen@broadcom.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
|
||
|
Greg Kroah-Hartman
|
12f9bcc034 |
Merge 6.1.99 into android14-6.1-lts
Changes in 6.1.99 Revert "usb: xhci: prevent potential failure in handle_tx_event() for Transfer events without TRB" Linux 6.1.99 Change-Id: I330d0af3322ee885eea719688b8d260cd7cec39c Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
e6e7b1084c |
Merge 6.1.98 into android14-6.1-lts
Changes in 6.1.98 locking/mutex: Introduce devm_mutex_init() crypto: hisilicon/debugfs - Fix debugfs uninit process issue drm/lima: fix shared irq handling on driver remove powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt. media: dvb: as102-fe: Fix as10x_register_addr packing media: dvb-usb: dib0700_devices: Add missing release_firmware() IB/core: Implement a limit on UMAD receive List scsi: qedf: Make qedf_execute_tmf() non-preemptible crypto: aead,cipher - zeroize key buffer after use drm/amdgpu: Fix uninitialized variable warnings drm/amdgpu: Initialize timestamp for some legacy SOCs drm/amd/display: Check index msg_id before read or write drm/amd/display: Check pipe offset before setting vblank drm/amd/display: Skip finding free audio for unknown engine_id drm/amdgpu: fix uninitialized scalar variable warning media: dw2102: Don't translate i2c read into write sctp: prefer struct_size over open coded arithmetic firmware: dmi: Stop decoding on broken entry Input: ff-core - prefer struct_size over open coded arithmetic usb: xhci: prevent potential failure in handle_tx_event() for Transfer events without TRB wifi: mt76: replace skb_put with skb_put_zero net: dsa: mv88e6xxx: Correct check for empty list media: dvb-frontends: tda18271c2dd: Remove casting during div media: s2255: Use refcount_t instead of atomic_t for num_channels media: dvb-frontends: tda10048: Fix integer overflow i2c: i801: Annotate apanel_addr as __ro_after_init powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n orangefs: fix out-of-bounds fsid access kunit: Fix timeout message powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#" igc: fix a log entry using uninitialized netdev bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD f2fs: check validation of fault attrs in f2fs_build_fault_attr() scsi: mpi3mr: Sanitise num_phys serial: imx: Raise TX trigger level to 8 jffs2: Fix potential illegal address access in jffs2_free_inode s390/pkey: Wipe sensitive data on failure btrfs: scrub: initialize ret in scrub_simple_mirror() to fix compilation warning cdrom: rearrange last_media_change check to avoid unintentional overflow tools/power turbostat: Remember global max_die_id mac802154: fix time calculation in ieee802154_configure_durations() UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open() net/mlx5: E-switch, Create ingress ACL when needed net/mlx5e: Add mqprio_rl cleanup and free in mlx5e_priv_cleanup() tcp_metrics: validate source addr length KVM: s390: fix LPSWEY handling e1000e: Fix S0ix residency on corporate systems net: allow skb_datagram_iter to be called from any context net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx() wifi: wilc1000: fix ies_len type in connect path riscv: kexec: Avoid deadlock in kexec crash path netfilter: nf_tables: unconditionally flush pending work before notifier bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() selftests: fix OOM in msg_zerocopy selftest selftests: make order checking verbose in msg_zerocopy selftest inet_diag: Initialize pad field in struct inet_diag_req_v2 mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file platform/x86: toshiba_acpi: Fix quickstart quirk handling Revert "igc: fix a log entry using uninitialized netdev" nilfs2: fix inode number range checks nilfs2: add missing check for inode numbers on directory entries mm: optimize the redundant loop of mm_update_owner_next() mm: avoid overflows in dirty throttling logic btrfs: fix adding block group to a reclaim list and the unused list during reclaim f2fs: Add inline to f2fs_build_fault_attr() stub scsi: mpi3mr: Use proper format specifier in mpi3mr_sas_port_add() Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct fsnotify: Do not generate events for O_PATH file descriptors Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes drm/amdgpu/atomfirmware: silence UBSAN warning drm: panel-orientation-quirks: Add quirk for Valve Galileo powerpc/pseries: Fix scv instruction crash with kexec mtd: rawnand: Ensure ECC configuration is propagated to upper layers mtd: rawnand: Bypass a couple of sanity checks during NAND identification mtd: rawnand: rockchip: ensure NVDDR timings are rejected bnx2x: Fix multiple UBSAN array-index-out-of-bounds arm64: dts: rockchip: Fix the DCDC_REG2 minimum voltage on Quartz64 Model B ima: Avoid blocking in RCU read-side critical section media: dw2102: fix a potential buffer overflow clk: qcom: gcc-sm6350: Fix gpll6* & gpll7 parents clk: mediatek: clk-mtk: Register MFG notifier in mtk_clk_simple_probe() clk: mediatek: mt8183: Only enable runtime PM on mt8183-mfgcfg i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr fs/ntfs3: Mark volume as dirty if xattr is broken ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897 nvme-multipath: find NUMA path only for online numa-node dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset regmap-i2c: Subtract reg size from max_write platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6" tablet platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro nvmet: fix a possible leak when destroy a ctrl during qp establishment kbuild: fix short log for AS in link-vmlinux.sh nfc/nci: Add the inconsistency check between the input data length and count spi: cadence: Ensure data lines set to low during dummy-cycle period null_blk: Do not allow runt zone with zone capacity smaller then zone size nilfs2: fix incorrect inode allocation from reserved inodes Linux 6.1.98 Change-Id: Ief3f201b2322bc9c300d53d11006c446c7f209d6 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
e44db5756e |
ANDROID: db845c symbol list additions
In commit |
||
|
jiangxinpei
|
04212acc42 |
ANDROID: GKI: Add initial symbol list for honor
Add symbol list for unisoc in android/abi_gki_aarch64_honor Bug: 332656187 Change-Id: Idaac6034d436d888d1cd61adc926f7eaca2eb51e Signed-off-by: jiangxinpei <jiangxinpei@honor.corp-partner.google.com> (cherry picked from commit 8d957bd1cdfc8e9de23e15b0ba3ef4d431e99aeb) |
||
|
Greg Kroah-Hartman
|
ab63f81b3a |
Revert "mm/page_alloc: Separate THP PCP into movable and non-movable categories"
This reverts commit
|
||
|
Carlos Llamas
|
27310ed6b6 |
ANDROID: binder: fix KMI issues due to frozen notification
The patches to support binder's frozen notification feature break the
KMI. This change fixes such issues by (1) moving proc->delivered_freeze
into the existing proc_wrapper struction, (2) dropping the frozen stats
support and (3) amending the STG due to a harmless enum binder_work_type
addition.
These are the reported KMI issues fixed by this patch:
function symbol 'int __traceiter_binder_transaction_received(void*, struct binder_transaction*)' changed
CRC changed from 0x74e9c98b to 0xfe0f8640
type 'struct binder_proc' changed
byte size changed from 584 to 632
member 'struct list_head delivered_death' changed
offset changed by 256
member 'struct list_head delivered_freeze' was added
13 members ('u32 max_threads' .. 'u64 android_oem_data1') changed
offset changed by 384
type 'struct binder_thread' changed
byte size changed from 464 to 496
2 members ('atomic_t tmp_ref' .. 'bool is_dead') changed
offset changed by 224
4 members ('struct task_struct* task' .. 'enum binder_prio_state prio_state') changed
offset changed by 256
type 'struct binder_stats' changed
byte size changed from 216 to 244
member changed from 'atomic_t br[21]' to 'atomic_t br[23]'
type changed from 'atomic_t[21]' to 'atomic_t[23]'
number of elements changed from 21 to 23
member changed from 'atomic_t bc[19]' to 'atomic_t bc[22]'
offset changed from 672 to 736
type changed from 'atomic_t[19]' to 'atomic_t[22]'
number of elements changed from 19 to 22
member changed from 'atomic_t obj_created[7]' to 'atomic_t obj_created[8]'
offset changed from 1280 to 1440
type changed from 'atomic_t[7]' to 'atomic_t[8]'
number of elements changed from 7 to 8
member changed from 'atomic_t obj_deleted[7]' to 'atomic_t obj_deleted[8]'
offset changed from 1504 to 1696
type changed from 'atomic_t[7]' to 'atomic_t[8]'
number of elements changed from 7 to 8
type 'enum binder_work_type' changed
enumerator 'BINDER_WORK_FROZEN_BINDER' (10) was added
enumerator 'BINDER_WORK_CLEAR_FREEZE_NOTIFICATION' (11) was added
Bug: 363013421
Change-Id: If9f1f14a2eda215a4c9cb0823c50c8e0e8079ef1
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
|
Yu-Ting Tseng
|
2f43c68d05 |
FROMGIT: binder: frozen notification binder_features flag
Add a flag to binder_features to indicate that the freeze notification feature is available. Signed-off-by: Yu-Ting Tseng <yutingtseng@google.com> Acked-by: Carlos Llamas <cmllamas@google.com> Link: https://lore.kernel.org/r/20240709070047.4055369-6-yutingtseng@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 363013421 (cherry picked from commit 30b968b002a92870325a5c9d1ce78eba0ce386e7 git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-next) Change-Id: Ic26c8ae42d27c6fd8f5daed5eecabd1652e29502 Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Yu-Ting Tseng
|
eda0570485 |
BACKPORT: FROMGIT: binder: frozen notification
Frozen processes present a significant challenge in binder transactions.
When a process is frozen, it cannot, by design, accept and/or respond to
binder transactions. As a result, the sender needs to adjust its
behavior, such as postponing transactions until the peer process
unfreezes. However, there is currently no way to subscribe to these
state change events, making it impossible to implement frozen-aware
behaviors efficiently.
Introduce a binder API for subscribing to frozen state change events.
This allows programs to react to changes in peer process state,
mitigating issues related to binder transactions sent to frozen
processes.
Implementation details:
For a given binder_ref, the state of frozen notification can be one of
the followings:
1. Userspace doesn't want a notification. binder_ref->freeze is null.
2. Userspace wants a notification but none is in flight.
list_empty(&binder_ref->freeze->work.entry) = true
3. A notification is in flight and waiting to be read by userspace.
binder_ref_freeze.sent is false.
4. A notification was read by userspace and kernel is waiting for an ack.
binder_ref_freeze.sent is true.
When a notification is in flight, new state change events are coalesced into
the existing binder_ref_freeze struct. If userspace hasn't picked up the
notification yet, the driver simply rewrites the state. Otherwise, the
notification is flagged as requiring a resend, which will be performed
once userspace acks the original notification that's inflight.
See https://r.android.com/3070045 for how userspace is going to use this
feature.
Signed-off-by: Yu-Ting Tseng <yutingtseng@google.com>
Acked-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240709070047.4055369-4-yutingtseng@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 363013421
(cherry picked from commit d579b04a52a183db47dfcb7a44304d7747d551e1
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: I5dd32abba932ca7d03ae58660143e075ed778b81
[cmllamas: fix merge conflicts due to missing
|
||
|
Vincent Donnefort
|
822682e75d |
ANDROID: KVM: arm64: Fix cpu type for tracing HVCs
CPU being an int, we need to check if it is negative to ensure no out-of-bounds access. Make it unsigned. Bug: 229972309 Change-Id: I987a66d83c7bf3143a6ba287e929cd52de549850 Signed-off-by: Vincent Donnefort <vdonnefort@google.com> |