Commit Graph

878 Commits

Author SHA1 Message Date
Lee Jones
1029ef8466 ion: Do not 'put' ION handle until after its final use
pass_to_user() eventually calls kref_put() on an ION handle which is
still live, potentially allowing for it to be legitimately freed by
the client.

Prevent this from happening before its final use in both ION_IOC_ALLOC
and ION_IOC_IMPORT.

Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-16 12:34:30 +09:00
Daniel Rosenberg
70715bdb34 ion: Protect kref from userspace manipulation
This separates the kref for ion handles into two components.
Userspace requests through the ioctl will hold at most one
reference to the internally used kref. All additional requests
will increment a separate counter, and the original reference is
only put once that counter hits 0. This protects the kernel from
a poorly behaving userspace.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
[d-cagle@codeaurora.org: Resolve style issues]
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-16 12:34:29 +09:00
Daniel Rosenberg
3bf1fa8e9f ion: Fix use after free during ION_IOC_ALLOC
If a user happens to call ION_IOC_FREE during an ION_IOC_ALLOC
on the just allocated id, and the copy_to_user fails, the cleanup
code will attempt to free an already freed handle.

This adds a wrapper for ion_alloc that adds an ion_handle_get to
avoid this.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-16 12:34:28 +09:00
Lee Jones
e26529c3df staging: ion: Prevent incorrect reference counting behaviour
Supply additional checks in order to prevent unexpected results.

Fixes: b892bf75b2 ("ion: Switch ion to use dma-buf")
Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-16 12:20:38 +09:00
Cheng Chao
2fffdf7d3b staging: android: ion: fix page is NULL
Fixes: commit e7f63771b6 ("ION: Sys_heap: Add cached pool to spead up cached buffer alloc")
The commit e7f63771b6 introduced the bug, which didn't test page, which may be NULL,
and the previous logic was right.

The e7f63771b6 has been merged in v4.8-rc3; only longterm 4.9.x has this bug,
and other longterm/stable versions have not.

kernel panic is here when page is NULL:

Unable to handle kernel paging request at virtual address b0380000
pgd = d9d94000
[b0380000] *pgd=00000000
Internal error: Oops: 2805 [#1] PREEMPT SMP ARM
...
task: daa2dd00 task.stack: da194000
PC is at v7_dma_clean_range+0x1c/0x34
LR is at arm_dma_sync_single_for_device+0x44/0x58
pc : [<c011aa0c>]    lr : [<c011645c>]    psr: 200f0013
sp : da195da0  ip : dc1f9000  fp : c1043dc4
r10: 00000000  r9 : c16f1f58  r8 : 00000001
r7 : c1621f94  r6 : c0116418  r5 : 00000000  r4 : c011aa58
r3 : 0000003f  r2 : 00000040  r1 : b0480000  r0 : b0380000
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 10c5383d  Table: 19d9406a  DAC: 00000051
...
[<c011aa0c>] (v7_dma_clean_range) from [<c011645c>] (arm_dma_sync_single_for_device+0x44/0x58)
[<c011645c>] (arm_dma_sync_single_for_device) from [<c0117088>] (arm_dma_sync_sg_for_device+0x50/0x7c)
[<c0117088>] (arm_dma_sync_sg_for_device) from [<c0c033c4>] (ion_pages_sync_for_device+0xb0/0xec)
[<c0c033c4>] (ion_pages_sync_for_device) from [<c0c054ac>] (ion_system_heap_allocate+0x2a0/0x2e0)
[<c0c054ac>] (ion_system_heap_allocate) from [<c0c02c78>] (ion_alloc+0x12c/0x494)
[<c0c02c78>] (ion_alloc) from [<c0c03eac>] (ion_ioctl+0x510/0x63c)
[<c0c03eac>] (ion_ioctl) from [<c027c4b0>] (do_vfs_ioctl+0xa8/0x9b4)
[<c027c4b0>] (do_vfs_ioctl) from [<c027ce28>] (SyS_ioctl+0x6c/0x7c)
[<c027ce28>] (SyS_ioctl) from [<c0108a40>] (ret_fast_syscall+0x0/0x48)
Code: e3a02004 e1a02312 e2423001 e1c00003 (ee070f3a)
---[ end trace 89278304932c0e87 ]---
Kernel panic - not syncing: Fatal exception

Signed-off-by: Cheng Chao <cs.os.kernel@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-16 11:52:27 +09:00
Vincent Stehlé
e2d0f9c041 UPSTREAM: staging: android: vsoc: fix copy_from_user overrun
The `np->permission' structure is smaller than the `np' structure but
sizeof(*np) worth of data is copied in there. Fix the size passed to
copy_from_user() to avoid overrun.

Fixes: 3d2ec9dcd5 ("staging: Android: Add 'vsoc' driver for cuttlefish.")
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 060ea4271a)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I61d1fd2029ac1ee9935b79f31b7f1906419f3f4d
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2023-05-16 09:46:37 +09:00
Christoph Hellwig
3bf07b7398 staging: android: ion: use vmap instead of vm_map_ram
[ Upstream commit 5bf9917452 ]

vm_map_ram can keep mappings around after the vm_unmap_ram.  Using that
with non-PAGE_KERNEL mappings can lead to all kinds of aliasing issues.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Christophe Leroy <christophe.leroy@c-s.fr>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: David Airlie <airlied@linux.ie>
Cc: Gao Xiang <xiang@kernel.org>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Michael Kelley <mikelley@microsoft.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Nitin Gupta <ngupta@vflare.org>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Cc: Wei Liu <wei.liu@kernel.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Paul Mackerras <paulus@ozlabs.org>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Will Deacon <will@kernel.org>
Link: http://lkml.kernel.org/r/20200414131348.444715-4-hch@lst.de
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-05-15 17:33:26 +09:00
Suren Baghdasaryan
dbb48cb287 staging: android: ashmem: Disallow ashmem memory from being remapped
commit 6d67b0290b upstream.

When ashmem file is mmapped, the resulting vma->vm_file points to the
backing shmem file with the generic fops that do not check ashmem
permissions like fops of ashmem do. If an mremap is done on the ashmem
region, then the permission checks will be skipped. Fix that by disallowing
mapping operation on the backing shmem file.

Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Cc: stable <stable@vger.kernel.org> # 4.4,4.9,4.14,4.18,5.4
Signed-off-by: Todd Kjos <tkjos@google.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Link: https://lore.kernel.org/r/20200127235616.48920-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-15 17:00:08 +09:00
Qing Xia
a3d74e559e staging: android: ion: fix sys heap pool's gfp_flags
commit 9bcf065e28 upstream.

In the first loop, gfp_flags will be modified to high_order_gfp_flags,
and there will be no chance to change back to low_order_gfp_flags.

Fixes: e7f63771b6 ("ION: Sys_heap: Add cached pool to spead up cached buffer alloc")
Signed-off-by: Qing Xia <saberlily.xia@hisilicon.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Jing Xia <jing.xia@unisoc.com>
Reviewed-by: Yuming Han <yuming.han@unisoc.com>
Reviewed-by: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
Reviewed-by: Orson Zhai <orson.zhai@unisoc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-15 11:49:48 +09:00
Alistair Strachan
655d8cd530 staging: android: ashmem: Fix mmap size validation
[ Upstream commit 8632c61456 ]

The ashmem driver did not check that the size/offset of the vma passed
to its .mmap() function was not larger than the ashmem object being
mapped. This could cause mmap() to succeed, even though accessing parts
of the mapping would later fail with a segmentation fault.

Ensure an error is returned by the ashmem_mmap() function if the vma
size is larger than the ashmem object size. This enables safer handling
of the problem in userspace.

Cc: Todd Kjos <tkjos@android.com>
Cc: devel@driverdev.osuosl.org
Cc: linux-kernel@vger.kernel.org
Cc: kernel-team@android.com
Cc: Joel Fernandes <joel@joelfernandes.org>
Signed-off-by: Alistair Strachan <astrachan@google.com>
Acked-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Reviewed-by: Martijn Coenen <maco@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-15 08:29:01 +09:00
Daniel Rosenberg
5c857af57d staging: android: ion: check for kref overflow
This patch is against 4.9. It does not apply to master due to a large
rework of ion in 4.12 which removed the affected functions altogether.
4c23cbff07 ("staging: android: ion: Remove import interface")

Userspace can cause the kref to handles to increment
arbitrarily high. Ensure it does not overflow.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-12 17:17:10 +09:00
Greg Hackmann
78819480da staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free
This patch is 4.9.y only.  Kernels 4.12 and later are unaffected, since
all the underlying ion_handle infrastructure has been ripped out.

The ION_IOC_{MAP,SHARE} ioctls drop and reacquire client->lock several
times while operating on one of the client's ion_handles.  This creates
windows where userspace can call ION_IOC_FREE on the same client with
the same handle, and effectively make the kernel drop its own reference.
For example:

- thread A: ION_IOC_ALLOC creates an ion_handle with refcount 1
- thread A: starts ION_IOC_MAP and increments the refcount to 2
- thread B: ION_IOC_FREE decrements the refcount to 1
- thread B: ION_IOC_FREE decrements the refcount to 0 and frees the
            handle
- thread A: continues ION_IOC_MAP with a dangling ion_handle * to
            freed memory

Fix this by holding client->lock for the duration of
ION_IOC_{MAP,SHARE}, preventing the concurrent ION_IOC_FREE.  Also
remove ion_handle_get_by_id(), since there's literally no way to use it
safely.

Cc: stable@vger.kernel.org # v4.11-
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-12 17:15:23 +09:00
rongrong zhou
68f65aeaa4 v4l2: drop frames [1/3]
PD#SWPL-17328

Problem:
drop frames

Solution:
1. add trace for debug
2. less than 256K, do not use codec_mm allocation
3. osd fence crash

Verify:
local

Change-Id: Ibc0fe63b73cf20359bda1d743dfc6a14dc82c03f
Signed-off-by: rongrong zhou <rongrong.zhou@amlogic.com>
2020-12-17 17:32:11 +09:00
Tao Zeng
8dfe2013e3 mm: revert lmk change [1/1]
PD#SWPL-23516

Problem:
lmk is too aggressive in killing processes

Solution:
revert lmk change in
74a35431d2

Verify:
x301

Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
Change-Id: I52ff4f32262a33c9b54802d4ab012d404c942384
2020-12-17 17:19:05 +09:00
binqi zhang
f34d9f958e ion: fix deadlock in ion driver [1/2]
PD#SWPL-17365

Problem:
There exists a deadlock between ion_client_destroy
and ion_debug_heap_show.
ion_client_destroy will take debugfs_mutex and then
call debugfs_remove_recursive, which will wait for
the finish of debugfs_srcu's GP.
sys_read will enter debugfs_srcu's critical section,
then ion_debug_heap_show will try to get debugfs_mutex.
At last, deadlock occurs.

Solution:
change mutex_unlock place in ion_client_destroy,
don't let the mutex lock synchronize_srcu.

Verify:
autoreboot test on tl1

Change-Id: I7008a6bf21421ab08d84754ae52d0840e53900c9
Signed-off-by: binqi zhang <binqi.zhang@amlogic.com>
2020-12-17 17:14:41 +09:00
binqi zhang
c543f0fd47 ion: fix race condition in ion driver [1/1]
PD#SWPL-17365

Problem:
There is a race condition between ion_client_destroy
and ion_debug_heap_show after adding memtrack function

Solution:
move debugfs_mutex to protect the ion_debug_heap_show

Verify:
autoreboot test on tl1

Change-Id: Ife30539426a003946db464bb7349746d991c6f36
Signed-off-by: binqi zhang <binqi.zhang@amlogic.com>
2020-12-17 17:13:41 +09:00
binqi zhang
8ab56d3b55 ion: fix deadlock in ion driver [1/2]
PD#SWPL-17365

Problem:
There exists a deadlock between ion_client_destroy
and ion_debug_heap_show.
ion_client_destroy will take debugfs_mutex and then
call debugfs_remove_recursive, which will wait for
the finish of debugfs_srcu's GP.
sys_read will enter debugfs_srcu's critical section,
then ion_debug_heap_show will try to get debugfs_mutex.
At last, deadlock occurs.

Solution:
change mutex_unlock place in ion_client_destroy,
don't let the mutex lock synchronize_srcu.

Verify:
autoreboot test on tl1

Change-Id: I7008a6bf21421ab08d84754ae52d0840e53900c9
Signed-off-by: binqi zhang <binqi.zhang@amlogic.com>
2020-05-29 13:55:00 +09:00
binqi zhang
21fb83cc12 ion: fix race condition in ion driver [1/1]
PD#SWPL-17365

Problem:
There is a race condition between ion_client_destroy
and ion_debug_heap_show after adding memtrack function

Solution:
move debugfs_mutex to protect the ion_debug_heap_show

Verify:
autoreboot test on tl1

Change-Id: Ife30539426a003946db464bb7349746d991c6f36
Signed-off-by: binqi zhang <binqi.zhang@amlogic.com>
2020-05-29 13:54:51 +09:00
binqi zhang
a0ea4a2e66 memtrack: add EGL cached mem counting on AndroidP [3/3]
PD#SWPL-16844

Problem:
Lost ram caused by ion_page_pool_alloc

Solution:
count ion cached memory in other mtrack

Verify:
adb shell dumpsys meminfo
Confirm EGL entries

Change-Id: I43c1e7fdf9313db08e72d0ff77e4a6215d77cceb
Signed-off-by: binqi zhang <binqi.zhang@amlogic.com>
2020-05-29 13:21:50 +09:00
Luan Yuan
695cede0cc Amlogic: sync the code from mainline. [1/1]
PD#SWPL-17246

Problem:
sync the code from mainline.

Solution:
sync the code from mainline.

7c03859983c2 OSS vulnerability found in [boot.img]:[linux_kernel] (CVE-2018-12232) Risk:[] [1/1]
ba89a3d9c791 OSS vulnerability found in [boot.img]:[linux_kernel] (CVE-2019-8912) Risk:[] [1/1]
c434d0530610 Android Security Bulletin - November 2019-11 - Kernel components binder driver - CVE-2019-2214 [1/1]
ff8d9012fbd4 Android Security Bulletin - November 2019-11 - Kernel components ext4 filesystem - CVE-2019-11833 [1/1]
3c52e964495e cec: store msg after bootup from st [1/2]
94198a56ee10 lcd: support tcon vac and demura data [2/2]
1add1a008a03 vout: spi: porting lcd driver and SPI to Linux [1/1]
3e8d7b0e5f97 hdmirx: add hpd recovery logic when input clk is unstable [1/1]
f92e7ba21c62 ppmgr: Add 10bit, dolby and HDR video rotation. [1/1]
dab2cc37cd95 dvb: fix dmx2 interrupt bug [1/1]
9d31efae4a55 dv: add dv target output mode [1/1]
e86eb9d1b5c5 hdmirx: add rx phy tdr enable control [1/1]
8ea66f645bf6 dts: enable spi for gva [1/1]
baf6e74528ef drm: add drm support for tm2 [1/1]

Verify:
verify by newton

Change-Id: I9415060a4b39895b5d624117271a72fc6a1fd187
Signed-off-by: Luan Yuan <luan.yuan@amlogic.com>
2020-02-04 13:48:58 +09:00
baocheng sun
abb6df9408 ion: ion_sync_for_device use swiotlb_dma_ops not dummy_dma_ops [1/1]
PD#OTT-5276

Problem:
CTS EncodeDecodeTest failed. Ion sync ioctl was
forwarded to a dummy implementation. So cached dma buffer
syncing between device and driver was inconsistent occasionally.

Solution:
Changed the dummy_dma_ops to swiotlb_dma_ops when ion_sync_for_device

Verify:
franklin, hertz

Change-Id: I16863bba6c3fe16b9c3b2b410ade6e45c9e74826
Signed-off-by: baocheng sun <baocheng.sun@amlogic.com>
2019-10-23 13:42:42 +08:00
Luan Yuan
2cecbc364e staging: revert SWPL-9254 fixed issue. [1/1]
PD#SWPL-9788

Problem:
UI sliding is not smooth.

Solution:
revert SWPL-9254 two commits.

Verify:
verify by franklin/galilei

Revert "staging: android: ion: Call dma_map_sg for syncing and mapping [2/2]"

This reverts commit 4c0482c80e.

Revert "staging: android: ion: Duplicate sg_table [1/2]"

This reverts commit b78959e21b.
2019-06-18 15:04:17 +08:00
Laura Abbott
4c0482c80e staging: android: ion: Call dma_map_sg for syncing and mapping [2/2]
PD#SWPL-9254

Problem:
uncached display unexpectedly.

Solution:
Technically, calling dma_buf_map_attachment should return a buffer
properly dma_mapped. Add calls to dma_map_sg to begin_cpu_access to
ensure this happens. As a side effect, this lets Ion buffers take
advantage of the dma_buf sync ioctls.

Verify:
galilei, franklin

Change-Id: Ib6ca06e59e81031d3c65c2df8824b46baaba6c9f
Signed-off-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiyu Yang <Jiyu.Yang@amlogic.com>
2019-06-11 20:41:07 +08:00
Laura Abbott
b78959e21b staging: android: ion: Duplicate sg_table [1/2]
PD#SWPL-9254

Problem:
Ion currently returns a single sg_table on each dma_map call. This is
incorrect for later usage.

Solution:
dup sg table on each dma_map call

Verify:
galilei, franklin

Change-Id: I6df2baa33bba9303b2ac25210ebaf56a337d56a2
Signed-off-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiyu Yang <Jiyu.Yang@amlogic.com>
2019-06-11 20:41:00 +08:00
Yao.Liu
436438177e ion: add invalid cache function [1/1]
PD#SWPL-3736

Problem:
H265 encoder use ge2d to do format convert, ge2d dst
buffer is allocated from ion heap and is cached buffer.
The cache consistency problem caused encoded stream error.

Solution:
ION add invalid cache function, invalid cache before
CPU access cache buffer

Verify:
U212

Change-Id: Ib14f2a9ee5b536c3546c5957fd0505cacae45f80
Signed-off-by: Yao.Liu <yao.liu@amlogic.com>
2018-12-29 19:20:49 +08:00
Nanxin Qin
16cbe10144 media: remap the addr to prevent crash on the 32bit & 2G board [1/1]
PD#SWPL-1909

Problem:
mem rw exception caused crash.

Solution:
1. add mapping the highmem address by the func vmap().
2. remove the flag CODEC_MM_FLAGS_CPU if not necessary.

Verify:
p212, w400

Change-Id: I982c775d7c009335cae5802f0eb6287d22037db6
Signed-off-by: Nanxin Qin <nanxin.qin@amlogic.com>
2018-11-15 19:59:19 -07:00
an.xi
dfdaafe4df mm: make sure the gtp flag is low default [1/1]
PD#SWPL-807

Problem:
The app's window could be black screen when launched if the ion system
does not retry to allocate memory with the gtp high flag.

Solution:
make sure the gtp flag is low default

Verify:
P212

Change-Id: I562125573f8175cd180196ca73eb04d7dd36add0
Signed-off-by: an.xi <an.xi@amlogic.com>
2018-10-31 10:50:31 +08:00
Jianxin Pan
a5e7822628 ion: fix null page issue in alloc_buffer_page
PD#173802: Panic trace is
[<c011824c>] (dma_cache_maint_page) from [<c0118400>] (arm_dma_sync_single_for_device+0x58/0x60)
[<c0118400>] (arm_dma_sync_single_for_device) from [<c0118f24>] (arm_dma_sync_sg_for_device+0x60/0x8c)
[<c0118f24>] (arm_dma_sync_sg_for_device) from [<c07e52d0>] (ion_pages_sync_for_device+0x108/0x144)
[<c07e52d0>] (ion_pages_sync_for_device) from [<c07e71b4>] (ion_system_heap_allocate+0x38c/0x3bc)
[<c07e71b4>] (ion_system_heap_allocate) from [<c07e4c2c>] (ion_alloc+0x1e4/0x4d8)
[<c07e4c2c>] (ion_alloc) from [<c07e59f0>] (ion_ioctl+0x3b8/0x428)
[<c07e59f0>] (ion_ioctl) from [<c02a9368>] (do_vfs_ioctl+0xc0/0xa34)
[<c02a9368>] (do_vfs_ioctl) from [<c02a9d58>] (SyS_ioctl+0x7c/0x8c)
[<c02a9d58>] (SyS_ioctl) from [<c0108800>] (ret_fast_syscall+0x0/0x48)

Change-Id: I7e94ea05334693b6e9bfcc2400c9f7f3ff26736e
Signed-off-by: Jianxin Pan <jianxin.pan@amlogic.com>
2018-10-08 19:25:37 -07:00
Victor Wan
cc7b1eac54 Merge branch 'android-4.9' into amlogic-4.9-dev
Signed-off-by: Victor Wan <victor.wan@amlogic.com>

 Conflicts:
	drivers/md/dm-bufio.c
	drivers/media/dvb-core/dvb_frontend.c
	drivers/usb/dwc3/core.c
	drivers/usb/gadget/function/f_fs.c
2018-08-07 14:43:24 +08:00
Greg Kroah-Hartman
9e79039544 Merge 4.9.112 into android-4.9
Changes in 4.9.112
	usb: cdc_acm: Add quirk for Uniden UBC125 scanner
	USB: serial: cp210x: add CESINEL device ids
	USB: serial: cp210x: add Silicon Labs IDs for Windows Update
	usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub
	n_tty: Fix stall at n_tty_receive_char_special().
	n_tty: Access echo_* variables carefully.
	staging: android: ion: Return an ERR_PTR in ion_map_kernel
	vt: prevent leaking uninitialized data to userspace via /dev/vcs*
	i2c: rcar: fix resume by always initializing registers before transfer
	ipv4: Fix error return value in fib_convert_metrics()
	kprobes/x86: Do not modify singlestep buffer while resuming
	netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()
	Revert "sit: reload iphdr in ipip6_rcv"
	net: phy: micrel: fix crash when statistic requested for KSZ9031 phy
	ARM: dts: imx6q: Use correct SDMA script for SPI5 core
	IB/hfi1: Fix user context tail allocation for DMA_RTAIL
	x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths
	x86/cpu: Re-apply forced caps every time CPU caps are re-read
	mm: hugetlb: yield when prepping struct pages
	tracing: Fix missing return symbol in function_graph output
	scsi: sg: mitigate read/write abuse
	s390: Correct register corruption in critical section cleanup
	drbd: fix access after free
	cifs: Fix infinite loop when using hard mount option
	drm/udl: fix display corruption of the last line
	jbd2: don't mark block as modified if the handle is out of credits
	ext4: make sure bitmaps and the inode table don't overlap with bg descriptors
	ext4: always check block group bounds in ext4_init_block_bitmap()
	ext4: only look at the bg_flags field if it is valid
	ext4: verify the depth of extent tree in ext4_find_extent()
	ext4: include the illegal physical block in the bad map ext4_error msg
	ext4: clear i_data in ext4_inode_info when removing inline data
	ext4: add more inode number paranoia checks
	ext4: add more mount time checks of the superblock
	ext4: check superblock mapped prior to committing
	mlxsw: spectrum: Forbid linking of VLAN devices to devices that have uppers
	HID: i2c-hid: Fix "incomplete report" noise
	HID: hiddev: fix potential Spectre v1
	HID: debug: check length before copy_to_user()
	PM / OPP: Update voltage in case freq == old_freq
	Kbuild: fix # escaping in .cmd files for future Make
	media: cx25840: Use subdev host data for PLL override
	mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
	dm bufio: avoid sleeping while holding the dm_bufio lock
	dm bufio: drop the lock when doing GFP_NOIO allocation
	mtd: rawnand: mxc: set spare area size register explicitly
	dm bufio: don't take the lock in dm_bufio_shrink_count
	mtd: cfi_cmdset_0002: Change definition naming to retry write operation
	mtd: cfi_cmdset_0002: Change erase functions to retry for error
	mtd: cfi_cmdset_0002: Change erase functions to check chip good only
	netfilter: nf_log: don't hold nf_log_mutex during user access
	staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write()
	Linux 4.9.112

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-07-11 16:40:16 +02:00
Laura Abbott
06bef9eebe staging: android: ion: Return an ERR_PTR in ion_map_kernel
commit 0a2bc00341 upstream.

The expected return value from ion_map_kernel is an ERR_PTR. The error
path for a vmalloc failure currently just returns NULL, triggering
a warning in ion_buffer_kmap_get. Encode the vmalloc failure as an ERR_PTR.

Reported-by: syzbot+55b1d9f811650de944c6@syzkaller.appspotmail.com
Signed-off-by: Laura Abbott <labbott@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-07-11 16:26:42 +02:00
Greg Kroah-Hartman
a4230beab3 Merge 4.9.109 into android-4.9
Changes in 4.9.109
	x86/fpu: Hard-disable lazy FPU mode
	bonding: correctly update link status during mii-commit phase
	bonding: fix active-backup transition
	bonding: require speed/duplex only for 802.3ad, alb and tlb
	nvme-pci: initialize queue memory before interrupts
	af_key: Always verify length of provided sadb_key
	x86/crypto, x86/fpu: Remove X86_FEATURE_EAGER_FPU #ifdef from the crc32c code
	nvmet: Move serial number from controller to subsystem
	nvmet: don't report 0-bytes in serial number
	nvmet: don't overwrite identify sn/fr with 0-bytes
	gpio: No NULL owner
	KVM: x86: introduce linear_{read,write}_system
	KVM: x86: pass kvm_vcpu to kvm_read_guest_virt and kvm_write_guest_virt_system
	staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy
	usbip: vhci_sysfs: fix potential Spectre v1
	usb-storage: Add support for FL_ALWAYS_SYNC flag in the UAS driver
	usb-storage: Add compatibility quirk flags for G-Technologies G-Drive
	usb: gadget: udc: renesas_usb3: disable the controller's irqs for reconnecting
	serial: sh-sci: Stop using printk format %pCr
	tty/serial: atmel: use port->name as name in request_irq()
	serial: samsung: fix maxburst parameter for DMA transactions
	serial: 8250: omap: Fix idling of clocks for unused uarts
	vmw_balloon: fixing double free when batching mode is off
	tty: pl011: Avoid spuriously stuck-off interrupts
	kvm: x86: use correct privilege level for sgdt/sidt/fxsave/fxrstor access
	Input: goodix - add new ACPI id for GPD Win 2 touch screen
	Input: elan_i2c - add ELAN0612 (Lenovo v330 14IKB) ACPI ID
	crypto: vmx - Remove overly verbose printk from AES init routines
	crypto: omap-sham - fix memleak
	perf: sync up x86/.../cpufeatures.h
	Linux 4.9.109

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-06-16 11:31:13 +02:00
Laura Abbott
8da07ee9e4 staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy
commit 45ad559a29 upstream.

Syzbot reported yet another warning with Ion:

WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122
ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122
Kernel panic - not syncing: panic_on_warn set ...

This is catching that a buffer was freed with an existing kernel mapping
still present. This can be easily be triggered from userspace by calling
DMA_BUF_SYNC_START without calling DMA_BUF_SYNC_END. Switch to a single
pr_warn_once to indicate the error without being disruptive.

Reported-by: syzbot+cd8bcd40cb049efa2770@syzkaller.appspotmail.com
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-06-16 09:52:33 +02:00
Victor Wan
324524de04 Merge branch 'android-4.9' into amlogic-4.9-dev
2018-05-22 10:48:42 +08:00
Alistair Strachan
0e25e2cab0 FROMLIST: staging: Fix sparse warnings in vsoc driver.
Signed-off-by: Alistair Strachan <astrachan@google.com>
[sent upstream via staging https://patchwork.kernel.org/patch/10376969/]
Bug: 702147120
Change-Id: I762db3bdb5e931be70ddac58f9d4e05cafb5986d
2018-05-03 12:32:02 -07:00
Alistair Strachan
4a0c0eedc8 FROMLIST: staging: vsoc: Fix a i386-randconfig warning.
Fix "warning: cast to pointer from integer of different size" when
printing the region shm physical address. Use the %pa conversion
specifier and pass the resource by reference.

Signed-off-by: Alistair Strachan <astrachan@google.com>
[sent upstream via staging https://patchwork.kernel.org/patch/10376967/]
Bug: 702147120
Change-Id: Ibb0c32b461821235155c464bfd5c5963db512734
2018-05-03 12:28:12 -07:00
Alistair Strachan
334bf92c33 FROMLIST: staging: vsoc: Create wc kernel mapping for region shm.
Map the region shm as write-combining instead of uncachable.

Signed-off-by: Alistair Strachan <astrachan@google.com>
[sent upstream via staging https://patchwork.kernel.org/patch/10376965/]
Bug: 702147120
Change-Id: If587b4f26abaa3580b889b04dbb655f8d5b4a8ee
2018-05-03 12:28:06 -07:00
Alistair Strachan
7cc0d0ff5f ANDROID: staging: ion: Obey kptr_restrict
The /sys/kernel/debug/ion/clients/<client> file could disobey the
setting of kptr_restrict if a client went away after the file started
to be accessed. Use %pK when printing the ion client to avoid this
problem.

Some other debugging messages also did not use %pK, but since those
messages are not very useful and have been removed upstream, just remove
them instead.

Bug: 77937819
Change-Id: Ie45897fe2d6ec3f842a02883e8ec929ed2e76933
Signed-off-by: Alistair Strachan <astrachan@google.com>
2018-04-25 22:38:20 -07:00
Victor Wan
810c6dd972 Merge branch 'android-4.9' into amlogic-4.9-dev
Signed-off-by: Victor Wan <victor.wan@amlogic.com>

Conflicts:
	arch/arm/configs/bcm2835_defconfig
	arch/arm/configs/sunxi_defconfig
	include/linux/cpufreq.h
	init/main.c
2018-04-24 17:43:19 +08:00
tao zeng
eb001fe66a mm: optimize for lowmemory killer
PD#164558: mm: optimize for lowmemory killer

1. Remove change for LRU;
2. Only subtract cma file caches when task is not kswapd.

Change-Id: I09ad86fc9754c1136cd976d656a023dee6cbe2eb
Signed-off-by: tao zeng <tao.zeng@amlogic.com>
2018-04-17 17:58:08 -08:00
Greg Hartman
0055e0d13e FROMLIST: staging: Android: Add 'vsoc' driver for cuttlefish.
The cuttlefish system is a virtual SoC architecture based on QEMU. It
uses the QEMU ivshmem feature to share memory regions between guest and
host with a custom protocol.

Signed-off-by: Greg Hartman <ghartman@google.com>
[sent upstream via staging https://patchwork.kernel.org/patch/10339507/]
Change-Id: Iaf5d7536898329a66d00764d8892d1395164519e
Signed-off-by: Alistair Strachan <astrachan@google.com>
2018-04-13 15:55:49 -07:00
Yisheng Xie
d3c79a3884 staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
commit 740a5759bf upstream.

ashmem_mutex may create a chain of dependencies like:

CPU0                                    CPU1
 mmap syscall                           ioctl syscall
 -> mmap_sem (acquired)                 -> ashmem_ioctl
 -> ashmem_mmap                            -> ashmem_mutex (acquired)
    -> ashmem_mutex (try to acquire)       -> copy_from_user
                                              -> mmap_sem (try to acquire)

There is a lock ordering problem between mmap_sem and ashmem_mutex causing
a lockdep splat[1] during a syzkaller test. This patch fixes the problem
by moving copy_from_user out of ashmem_mutex.

[1] https://www.spinics.net/lists/kernel/msg2733200.html

Fixes: ce8a3a9e76 (staging: android: ashmem: Fix a race condition in pin ioctls)
Reported-by: syzbot+d7a918a7a8e1c952bc36@syzkaller.appspotmail.com
Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
Cc: "Joel Fernandes (Google)" <joel.opensrc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-24 11:00:08 +01:00
Yisheng Xie
71df7bbae4 staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
ashmem_mutex may create a chain of dependencies like:

CPU0                                    CPU1
 mmap syscall                           ioctl syscall
 -> mmap_sem (acquired)                 -> ashmem_ioctl
 -> ashmem_mmap                            -> ashmem_mutex (acquired)
    -> ashmem_mutex (try to acquire)       -> copy_from_user
                                              -> mmap_sem (try to acquire)

There is a lock ordering problem between mmap_sem and ashmem_mutex causing
a lockdep splat[1] during a syzkaller test. This patch fixes the problem
by moving copy_from_user out of ashmem_mutex.

[1] https://www.spinics.net/lists/kernel/msg2733200.html

Fixes: ce8a3a9e76 (staging: android: ashmem: Fix a race condition in pin ioctls)
Reported-by: syzbot+d7a918a7a8e1c952bc36@syzkaller.appspotmail.com
Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-19 15:10:50 -07:00
Greg Kroah-Hartman
bb52bba67e Merge 4.9.88 into android-4.9
Changes in 4.9.88
	RDMA/ucma: Limit possible option size
	RDMA/ucma: Check that user doesn't overflow QP state
	RDMA/mlx5: Fix integer overflow while resizing CQ
	drm/i915: Try EDID bitbanging on HDMI after failed read
	scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS
	drm/i915: Always call to intel_display_set_init_power() in resume_early.
	workqueue: Allow retrieval of current task's work struct
	drm: Allow determining if current task is output poll worker
	drm/nouveau: Fix deadlock on runtime suspend
	drm/radeon: Fix deadlock on runtime suspend
	drm/amdgpu: Fix deadlock on runtime suspend
	drm/amdgpu: Notify sbios device ready before send request
	drm/radeon: fix KV harvesting
	drm/amdgpu: fix KV harvesting
	drm/amdgpu:Correct max uvd handles
	drm/amdgpu:Always save uvd vcpu_bo in VM Mode
	MIPS: BMIPS: Do not mask IPIs during suspend
	MIPS: ath25: Check for kzalloc allocation failure
	MIPS: OCTEON: irq: Check for null return on kzalloc allocation
	Input: matrix_keypad - fix race when disabling interrupts
	loop: Fix lost writes caused by missing flag
	virtio_ring: fix num_free handling in error case
	KVM: s390: fix memory overwrites when not using SCA entries
	kbuild: Handle builtin dtb file names containing hyphens
	IB/mlx5: Fix incorrect size of klms in the memory region
	bcache: fix crashes in duplicate cache device register
	bcache: don't attach backing with duplicate UUID
	x86/MCE: Serialize sysfs changes
	perf tools: Fix trigger class trigger_on()
	x86/spectre_v2: Don't check microcode versions when running under hypervisors
	ALSA: hda/realtek: Limit mic boost on T480
	ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520
	ALSA: hda/realtek - Make dock sound work on ThinkPad L570
	ALSA: seq: Don't allow resizing pool in use
	ALSA: seq: More protection for concurrent write and ioctl races
	ALSA: hda: add dock and led support for HP EliteBook 820 G3
	ALSA: hda: add dock and led support for HP ProBook 640 G2
	nospec: Kill array_index_nospec_mask_check()
	nospec: Include <asm/barrier.h> dependency
	Revert "x86/retpoline: Simplify vmexit_fill_RSB()"
	x86/speculation: Use IBRS if available before calling into firmware
	x86/retpoline: Support retpoline builds with Clang
	x86/speculation, objtool: Annotate indirect calls/jumps for objtool
	x86/boot, objtool: Annotate indirect jump in secondary_startup_64()
	x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP
	x86/paravirt, objtool: Annotate indirect calls
	watchdog: hpwdt: SMBIOS check
	watchdog: hpwdt: Check source of NMI
	watchdog: hpwdt: fix unused variable warning
	watchdog: hpwdt: Remove legacy NMI sourcing.
	ARM: omap2: hide omap3_save_secure_ram on non-OMAP3 builds
	Input: tca8418_keypad - remove double read of key event register
	tc358743: fix register i2c_rd/wr function fix
	netfilter: add back stackpointer size checks
	netfilter: x_tables: fix missing timer initialization in xt_LED
	netfilter: nat: cope with negative port range
	netfilter: IDLETIMER: be syzkaller friendly
	netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
	netfilter: bridge: ebt_among: add missing match size checks
	netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
	netfilter: x_tables: pass xt_counters struct instead of packet counter
	netfilter: x_tables: pass xt_counters struct to counter allocator
	netfilter: x_tables: pack percpu counter allocations
	ext4: inplace xattr block update fails to deduplicate blocks
	ubi: Fix race condition between ubi volume creation and udev
	scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport
	NFS: Fix an incorrect type in struct nfs_direct_req
	NFS: Fix unstable write completion
	x86/module: Detect and skip invalid relocations
	x86: Treat R_X86_64_PLT32 as R_X86_64_PC32
	ASoC: sgtl5000: Fix suspend/resume
	ASoC: rt5651: Fix regcache sync errors on resume
	serial: sh-sci: prevent lockup on full TTY buffers
	tty/serial: atmel: add new version check for usart
	uas: fix comparison for error code
	staging: comedi: fix comedi_nsamples_left.
	staging: android: ashmem: Fix lockdep issue during llseek
	USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
	usbip: vudc: fix null pointer dereference on udc->lock
	usb: quirks: add control message delay for 1b1c:1b20
	usb: usbmon: Read text within supplied buffer size
	usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()
	serial: 8250_pci: Add Brainboxes UC-260 4 port serial device
	serial: core: mark port as initialized in autoconfig
	earlycon: add reg-offset to physical address before mapping
	PCI: dwc: Fix enumeration end when reaching root subordinate
	Linux 4.9.88

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-03-18 12:07:50 +01:00
Joel Fernandes
1d47c874cd staging: android: ashmem: Fix lockdep issue during llseek
commit cb57469c95 upstream.

ashmem_mutex creates a chain of dependencies like so:

(1)
mmap syscall ->
  mmap_sem ->  (acquired)
  ashmem_mmap
  ashmem_mutex (try to acquire)
  (block)

(2)
llseek syscall ->
  ashmem_llseek ->
  ashmem_mutex ->  (acquired)
  inode_lock ->
  inode->i_rwsem (try to acquire)
  (block)

(3)
getdents ->
  iterate_dir ->
  inode_lock ->
  inode->i_rwsem   (acquired)
  copy_to_user ->
  mmap_sem         (try to acquire)

There is a lock ordering created between mmap_sem and inode->i_rwsem
causing a lockdep splat [2] during a syzkaller test. This patch fixes
the issue by unlocking the mutex earlier. Functionally that's OK since
we don't need to protect vfs_llseek.

[1] https://patchwork.kernel.org/patch/10185031/
[2] https://lkml.org/lkml/2018/1/10/48

Acked-by: Todd Kjos <tkjos@google.com>
Cc: Arve Hjonnevag <arve@android.com>
Cc: stable@vger.kernel.org
Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com
Signed-off-by: Joel Fernandes <joelaf@google.com>
Acked-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-18 11:18:55 +01:00
tao zeng
718776ccb5 mm: optimize for CMA allocate time
PD#159608: mm: optimize for CMA allocate time

1. Make all amlogic-changed mm code configurable, which is
   wrapped by CONFIG_AMLOGIC_CMA/CONFIG_AMLOGIC_MEMORY_EXTEND
2. Implement some core code of CMA in a single file:
   drivers/amlogic/memory_ext/aml_cma.c
3. Detailed improvement steps:
  a) use NOOP as default IO-scheduler for nand based storage,
    which can avoid the long wait for page lock found in
    CFQ scheduler;
  b) use per-cpu threads to allocate CMA concurrently when a driver
    requests a large amount of CMA memory; these threads have high
    user nice value to reduce schedule delay;
  c) increase task user nice of mmc queue and kswapd;
  d) wake up kswapd if pages are held by kswap shrink list and
    cma isolated test failed;
  e) forbid low user nice tasks from using CMA, which can avoid
    priority inversion problem;
  f) optimize LRU usage: divide each type of LRU into 2 parts,
    normal pages are linked after LRU head, CMA pages are linked
    after cma_list;
  g) avoid the compaction case moving cma forbidden pages to cma area;
  h) increase strength of lowmemory killer.

4. Improve read speed of /proc/pagetrace: a filter can be set to
   reduce messages by not printing functions that allocate less
   memory than the filter value:

   echo filter=xxx > /proc/pagetrace

Change-Id: Ie79288b7947aa642e4f7eacc25565559a73660df
Signed-off-by: tao zeng <tao.zeng@amlogic.com>
2018-03-05 15:34:36 +08:00
Greg Kroah-Hartman
a9d027374a Merge 4.9.84 into android-4.9
Changes in 4.9.84
	vhost: use mutex_lock_nested() in vhost_dev_lock_vqs()
	kcm: Check if sk_user_data already set in kcm_attach
	kcm: Only allow TCP sockets to be attached to a KCM mux
	cfg80211: check dev_set_name() return value
	xfrm: skip policies marked as dead while rehashing
	mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed.
	xfrm: Fix stack-out-of-bounds read on socket policy lookup.
	xfrm: check id proto in validate_tmpl()
	sctp: set frag_point in sctp_setsockopt_maxseg correctly
	blktrace: fix unlocked registration of tracepoints
	drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all
	ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE
	Provide a function to create a NUL-terminated string from unterminated data
	selinux: ensure the context is NUL terminated in security_context_to_sid_core()
	selinux: skip bounded transition processing if the policy isn't loaded
	crypto: x86/twofish-3way - Fix %rbp usage
	staging: android: ion: Add __GFP_NOWARN for system contig heap
	staging: android: ion: Switch from WARN to pr_warn
	blk_rq_map_user_iov: fix error override
	KVM: x86: fix escape of guest dr6 to the host
	kcov: detect double association with a single task
	netfilter: x_tables: fix int overflow in xt_alloc_table_info()
	netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target}
	netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()
	netfilter: on sockopt() acquire sock lock only in the required scope
	netfilter: xt_cgroup: initialize info->priv in cgroup_mt_check_v1()
	netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert
	rds: tcp: atomically purge entries from rds_tcp_conn_list during netns delete
	net: avoid skb_warn_bad_offload on IS_ERR
	crypto: hash - annotate algorithms taking optional key
	crypto: hash - prevent using keyed hashes without setting key
	ASoC: ux500: add MODULE_LICENSE tag
	video: fbdev/mmp: add MODULE_LICENSE
	ARM: 8743/1: bL_switcher: add MODULE_LICENSE tag
	arm64: dts: add #cooling-cells to CPU nodes
	dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
	staging: android: ashmem: Fix a race condition in pin ioctls
	binder: check for binder_thread allocation failure in binder_poll()
	staging: iio: adc: ad7192: fix external frequency setting
	staging: iio: ad5933: switch buffer mode to software
	usbip: keep usbip_device sockfd state in sync with tcp_socket
	usb: build drivers/usb/common/ when USB_SUPPORT is set
	ARM: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context
	ARM: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function
	ARM: dts: Fix omap4 hang with GPS connected to USB by using wakeupgen
	ARM: dts: logicpd-som-lv: Fix gpmc addresses for NAND and enet
	ARM: dts: logicpd-somlv: Fix wl127x pinmux
	ARM: dts: am4372: Correct the interrupts_properties of McASP
	ARM: dts: am437x-cm-t43: Correct the dmas property of spi0
	perf top: Fix window dimensions change handling
	perf bench numa: Fixup discontiguous/sparse numa nodes
	media: s5k6aa: describe some function parameters
	pinctrl: sunxi: Fix A80 interrupt pin bank
	pinctrl: sunxi: Fix A64 UART mux value
	i40iw: Correct ARP index mask
	RDMA/cma: Make sure that PSN is not over max allowed
	sctp: only update outstanding_bytes for transmitted queue when doing prsctp_prune
	scripts/kernel-doc: Don't fail with status != 0 if error encountered with -none
	ipvlan: Add the skb->mark as flow4's member to lookup route
	m68k: add missing SOFTIRQENTRY_TEXT linker section
	powerpc/perf: Fix oops when grouping different pmu events
	s390/dasd: prevent prefix I/O error
	ARM: dts: Fix elm interrupt compiler warning
	gianfar: fix a flooded alignment reports because of padding issue.
	net_sched: red: Avoid devision by zero
	net_sched: red: Avoid illegal values
	btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
	brcmfmac: Avoid build error with make W=1
	net: ethernet: arc: fix error handling in emac_rockchip_probe
	509: fix printing uninitialized stack memory when OID is empty
	gianfar: Disable EEE autoneg by default
	dmaengine: ioat: Fix error handling path
	dmaengine: at_hdmac: fix potential NULL pointer dereference in atc_prep_dma_interleaved
	clk: fix a panic error caused by accessing NULL pointer
	ASoC: rockchip: disable clock on error
	spi: sun4i: disable clocks in the remove function
	xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.
	drm/armada: fix leak of crtc structure
	dmaengine: jz4740: disable/unprepare clk if probe fails
	usb: dwc3: gadget: Wait longer for controller to end command processing
	usb: dwc3: of-simple: fix missing clk_disable_unprepare
	mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep
	x86/mm/kmmio: Fix mmiotrace for page unaligned addresses
	platform/x86: dell-laptop: Fix keyboard max lighting for Dell Latitude E6410
	xen: XEN_ACPI_PROCESSOR is Dom0-only
	hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close
	powerpc/64s: Fix conversion of slb_miss_common to use RFI_TO_USER/KERNEL
	powerpc/64s: Simple RFI macro conversions
	powerpc/64s: Improve RFI L1-D cache flush fallback
	crypto: talitos - fix Kernel Oops on hashing an empty file
	drm/i915: fix intel_backlight_device_register declaration
	shmem: avoid maybe-uninitialized warning
	clk: sunxi-ng: fix build error without CONFIG_RESET_CONTROLLER
	vmxnet3: prevent building with 64K pages
	perf/x86: Shut up false-positive -Wmaybe-uninitialized warning
	PCI: vmd: Fix suspend handlers defined-but-not-used warning
	gpio: intel-mid: Fix build warning when !CONFIG_PM
	platform/x86: intel_mid_thermal: Fix suspend handlers unused warning
	usb: musb: fix compilation warning on unused function
	PCI: Change pci_host_common_probe() visibility
	perf: xgene: Include module.h
	video: fbdev: via: remove possibly unused variables
	scsi: advansys: fix build warning for PCI=n
	x86/ras/inject: Make it depend on X86_LOCAL_APIC=y
	gpio: xgene: mark PM functions as __maybe_unused
	arm64: define BUG() instruction without CONFIG_BUG
	x86/fpu/math-emu: Fix possible uninitialized variable use
	tools build: Add tools tree support for 'make -s'
	x86/build: Silence the build with "make -s"
	thermal: fix INTEL_SOC_DTS_IOSF_CORE dependencies
	x86: add MULTIUSER dependency for KVM
	dmaengine: zx: fix build warning
	x86/platform: Add PCI dependency for PUNIT_ATOM_DEBUG
	x86/vm86: Fix unused variable warning if THP is disabled
	scsi: advansys: fix uninitialized data access
	arm64: Kconfig: select COMPAT_BINFMT_ELF only when BINFMT_ELF is set
	ALSA: hda/ca0132 - fix possible NULL pointer use
	reiserfs: avoid a -Wmaybe-uninitialized warning
	cw1200: fix bogus maybe-uninitialized warning
	security/keys: BIG_KEY requires CONFIG_CRYPTO
	drm: exynos: mark pm functions as __maybe_unused
	rbd: silence bogus -Wmaybe-uninitialized warning
	drm/nouveau: hide gcc-4.9 -Wmaybe-uninitialized
	Input: tca8418_keypad - hide gcc-4.9 -Wmaybe-uninitialized warning
	KVM: add X86_LOCAL_APIC dependency
	shmem: fix compilation warnings on unused functions
	tc358743: fix register i2c_rd/wr functions
	go7007: add MEDIA_CAMERA_SUPPORT dependency
	em28xx: only use mt9v011 if camera support is enabled
	tw5864: use dev_warn instead of WARN to shut up warning
	ISDN: eicon: reduce stack size of sig_ind function
	clk: meson: gxbb: fix build error without RESET_CONTROLLER
	kasan: rework Kconfig settings
	drm/i915: hide unused intel_panel_set_backlight function
	arm64: sunxi: always enable reset controller
	binfmt_elf: compat: avoid unused function warning
	spi: bcm-qspi: shut up warning about cfi header inclusion
	idle: i7300: add PCI dependency
	arm64: fix warning about swapper_pg_dir overflow
	usb: phy: msm add regulator dependency
	x86/microcode/AMD: Change load_microcode_amd()'s param to bool to fix preemptibility bug
	KVM: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready" exceptions simultaneously
	KVM: VMX: clean up declaration of VPID/EPT invalidation types
	KVM: nVMX: invvpid handling improvements
	crypto: s5p-sss - Fix kernel Oops in AES-ECB mode
	Linux 4.9.84

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-02-26 09:18:03 +01:00
Ben Hutchings
2dfe49da48 staging: android: ashmem: Fix a race condition in pin ioctls
commit ce8a3a9e76 upstream.

ashmem_pin_unpin() reads asma->file and asma->size before taking the
ashmem_mutex, so it can race with other operations that modify them.

Build-tested only.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-25 11:05:44 +01:00
Laura Abbott
3ee287d35b staging: android: ion: Switch from WARN to pr_warn
commit e4e179a844 upstream.

Syzbot reported a warning with Ion:

WARNING: CPU: 0 PID: 3502 at drivers/staging/android/ion/ion-ioctl.c:73 ion_ioctl+0x2db/0x380 drivers/staging/android/ion/ion-ioctl.c:73
Kernel panic - not syncing: panic_on_warn set ...

This is a warning that validation of the ioctl fields failed. This was
deliberately added as a warning to make it very obvious to developers that
something needed to be fixed. In reality, this is overkill and disturbs
fuzzing. Switch to pr_warn for a message instead.

Reported-by: syzbot+fa2d5f63ee5904a0115a@syzkaller.appspotmail.com
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-25 11:05:42 +01:00
Laura Abbott
458d2fc924 staging: android: ion: Add __GFP_NOWARN for system contig heap
commit 0c75f10312 upstream.

syzbot reported a warning from Ion:

  WARNING: CPU: 1 PID: 3485 at mm/page_alloc.c:3926

  ...
   __alloc_pages_nodemask+0x9fb/0xd80 mm/page_alloc.c:4252
  alloc_pages_current+0xb6/0x1e0 mm/mempolicy.c:2036
  alloc_pages include/linux/gfp.h:492 [inline]
  ion_system_contig_heap_allocate+0x40/0x2c0
  drivers/staging/android/ion/ion_system_heap.c:374
  ion_buffer_create drivers/staging/android/ion/ion.c:93 [inline]
  ion_alloc+0x2c1/0x9e0 drivers/staging/android/ion/ion.c:420
  ion_ioctl+0x26d/0x380 drivers/staging/android/ion/ion-ioctl.c:84
  vfs_ioctl fs/ioctl.c:46 [inline]
  do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
  SYSC_ioctl fs/ioctl.c:701 [inline]
  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692

This is a warning about attempting to allocate order > MAX_ORDER. This
is coming from a userspace Ion allocation request. Since userspace is
free to request however much memory it wants (and the kernel is free to
deny its allocation), silence the allocation attempt with __GFP_NOWARN
in case it fails.

Reported-by: syzbot+76e7efc4748495855a4d@syzkaller.appspotmail.com
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-25 11:05:42 +01:00