This reverts commit 4c150ff0cc193b3b1fc6f0f68a4d79f9aac4f338.
It was preserving the ABI, but that is not needed anymore at this point
in time.
Change-Id: Ibae2a63d0d9287f4cbcae1e34b467bdf5c82576b
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit fcaf5d8a67.
It was preserving the ABI, but that is not needed anymore at this point
in time.
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I97c5ce73a4a6b6bcfc009547bb557141d21d4dd4
The pKVM hypervisor uses the module_ops struct as a way to expose
services to loadable modules. It doesn't however allow fine-grained
definition of the license for each export, and doesn't have a way to
check the license of the loaded module (yet). As such, the assumption
is that said module is proprietary, and must NOT be allowed to use GPL
symbols.
Even though symbols such as __pkvm_load_el2_module are currently
exported as GPL, these exports only apply to the kernel part of the
module, which is usually only a proxy to load the hyp module, which
may be built separately.
Given the lack of license enforcement at load time, let's seek GPL
compliance by preventing the accidental export of GPL symbols to hyp
modules via pKVM's module_ops struct. To do so, add a build time check
for the absence of such symbols from the KVM nvhe code entirely.
In the future (Android 15+ and upstream), we should consider expanding
the pKVM module loader to allow finer grained licensing of exports.
This would allow exposing internal pKVM functions as GPL only for e.g.
selftests and such w/o risking exports to proprietary modules.
Bug: 263340138
Bug: 267430896
Change-Id: I09b81bfe322c0d2746c0349c5f217a5a76b6e33d
Signed-off-by: Quentin Perret <qperret@google.com>
... so it can be read by Bazel @kernel_toolchain_info
later.
Test: TH
Bug: 272164611
Change-Id: I04648f8fb28537544287797673810946dedb58f3
Signed-off-by: Yifan Hong <elsk@google.com>
In one of the SMMU faults (NULL pointer dereference) the following
race condition was observed and func->interfaces_nums was being
accessed for f_fs interface after it was unbound, resulting in a
crash.
Thread-1                                Thread-2
ffs_func_req_match+0x68/0xc8
                                        drain_workqueue+0xac
                                        gsi_unbind[usb_f_gsi]+0x64
                                        purge_configs_funcs+0xb4
                                        configfs_composite_unbind+0xac
                                        usb_gadget_remove_driver+0xac
                                        usb_gadget_unregister_driver+0xd8
                                        gadget_dev_desc_UDC_store+0x114
android_setup+0x164/0x2a8
dwc3_ep0_inspect_setup+0x100/0x440
dwc3_ep0_interrupt+0xac/0x300
dwc3_process_event_entry+0x80/0x724
dwc3_process_event_buf+0x80/0x434
dwc3_thread_interrupt+0x60/0x124
irq_thread_fn+0x54/0xe4
irq_thread+0x3a4/0x6ec
kthread+0x188/0x1ec
ret_from_fork+0x10/0x20
The events, in the order they happened, are as follows:
We got a setup packet for ffs interface and was passed to android
setup callback from ep0.c. As part of the delegate request, the
dwc->lock is released.
At this instant a composition switch occurred and as per traces
and crash dumps:
1. UDC Stop was done successfully. So run stop is set to '0'
2. Composite disconnect was done and ep disable for all ep's is done
   gadget->connected = FALSE
3. Async callbacks disabled
   dwc->async_callbacks = FALSE
4. composite unbind is going on and the ffs interface in question is
   unbound
   udc->driver != NULL
   (as per crash dump indicating that unbind is in progress)
5. Purge configs was ongoing because as per crash dumps:
   otg_desc[0] = NULL;
   cdev->os_desc_req->buf is not NULL
   (configfs_composite_unbind is going on, but composite_dev_cleanup
   not yet done)
As per the traces:
23.794712: dwc3_event event=49216 ep0state=1 str=
23.794909: dwc3_ctrl_req bRequestType=161 bRequest=1 wValue=0
wIndex=2 wLength=4096
23.799740: usb_gadget_disconnect speed=5 max_speed=6 state=7
mA=0 deactivated=0 connected=0 ret=0
This indicated that android setup came first followed by composite
disconnect. Since the dwc->lock was released by delegate_request,
soft disconnect gets unblocked and runs parallel to composite setup.
After this, there is no check in path of composite setup
indicating unbind happened and bail out is necessary instead of
executing any function ops.
Protect composite_setup (as part of android_setup) in a spinlock
to block composite_disconnect/unbind running in parallel.
Moreover, in the configfs counterpart of android_setup
(configfs_composite_setup), the composite_setup call is done with spinlock
held.
It is only the android_setup missing this lock.
Bug: 280548269
Fixes: 7a160e2b96 ("ANDROID: usb: gadget: configfs: Add Uevent to notify userspace")
Change-Id: Id245e9f72801541689fcb185ba0459824bfb3904
Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
(cherry picked from commit 9ad803f257a8eb50a52c19a4cf33690cf1b85575)
cfg80211 & mac80211 are being converted to vendor modules.
To be consistent for both arm64 & x86_64 remove them
from protected to unprotected; so they can be converted
to vendor modules for x86_64 as well.
This also helps keep things simpler for virtual_device;
so it doesn't have to maintain separate list for these
architectures w.r.t. these modules.
Bug: 281137343
Test: TH
Change-Id: Ica028593f30528c361a6ab30da8cb5be5187d067
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Add ramjiyani@ as per-file owner for:
android/abi_gki_protected_exports_*
android/gki_aarch64_protected_modules
android/gki_x86_64_protected_modules
Update required due to addition of multi arch support
caused renaming of these files with arch name in them.
Bug: 151893768
Test: TH
Change-Id: Ice5c054f90b3fc4f91bfe73f680082dc129c0310
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
In binder_transaction_buffer_release() the 'failed_at' offset indicates
the number of objects to clean up. However, this function was changed by
commit 44d8047f1d ("binder: use standard functions to allocate fds"),
to release all the objects in the buffer when 'failed_at' is zero.
This introduced an issue when a transaction buffer is released without
any objects having been processed so far. In this case, 'failed_at' is
indeed zero yet it is misinterpreted as releasing the entire buffer.
This leads to use-after-free errors where nodes are incorrectly freed
and subsequently accessed. Such is the case in the following KASAN
report:
==================================================================
BUG: KASAN: slab-use-after-free in binder_thread_read+0xc40/0x1f30
Read of size 8 at addr ffff4faf037cfc58 by task poc/474
CPU: 6 PID: 474 Comm: poc Not tainted 6.3.0-12570-g7df047b3f0aa #5
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec
show_stack+0x18/0x24
dump_stack_lvl+0x48/0x60
print_report+0xf8/0x5b8
kasan_report+0xb8/0xfc
__asan_load8+0x9c/0xb8
binder_thread_read+0xc40/0x1f30
binder_ioctl+0xd9c/0x1768
__arm64_sys_ioctl+0xd4/0x118
invoke_syscall+0x60/0x188
[...]
Allocated by task 474:
kasan_save_stack+0x3c/0x64
kasan_set_track+0x2c/0x40
kasan_save_alloc_info+0x24/0x34
__kasan_kmalloc+0xb8/0xbc
kmalloc_trace+0x48/0x5c
binder_new_node+0x3c/0x3a4
binder_transaction+0x2b58/0x36f0
binder_thread_write+0x8e0/0x1b78
binder_ioctl+0x14a0/0x1768
__arm64_sys_ioctl+0xd4/0x118
invoke_syscall+0x60/0x188
[...]
Freed by task 475:
kasan_save_stack+0x3c/0x64
kasan_set_track+0x2c/0x40
kasan_save_free_info+0x38/0x5c
__kasan_slab_free+0xe8/0x154
__kmem_cache_free+0x128/0x2bc
kfree+0x58/0x70
binder_dec_node_tmpref+0x178/0x1fc
binder_transaction_buffer_release+0x430/0x628
binder_transaction+0x1954/0x36f0
binder_thread_write+0x8e0/0x1b78
binder_ioctl+0x14a0/0x1768
__arm64_sys_ioctl+0xd4/0x118
invoke_syscall+0x60/0x188
[...]
==================================================================
In order to avoid these issues, let's always calculate the intended
'failed_at' offset beforehand. This is renamed and wrapped in a helper
function to make it clear and convenient.
Fixes: 32e9f56a96 ("binder: don't detect sender/target during buffer cleanup")
Reported-by: Zi Fan Tan <zifantan@google.com>
Link: https://b.corp.google.com/issues/275041864
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 275041864
Link: https://lore.kernel.org/all/20230505203020.4101154-1-cmllamas@google.com
Change-Id: I4bcc8bde77a8118872237d100cccb5caf95d99a1
Signed-off-by: Carlos Llamas <cmllamas@google.com>
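The ambiguity this commit message describes, as a simplified user-space model added here (not the binder driver's code or the patch itself). The node and buffer structs, the function names and the three-object buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define NOBJS 3                       /* constructed: buffer carrying three objects */

struct node { int refs; int freed; };
struct buffer {
    size_t offsets_size;              /* bytes used by the object-offset array */
    struct node *obj[NOBJS];          /* node referenced by each object */
};

static void node_put(struct node *n)
{
    if (--n->refs == 0)
        n->freed = 1;                 /* stands in for kfree() of the node */
}

/* Drop one reference for every object whose offset entry lies in [0, end). */
static void release_range(struct buffer *b, size_t end)
{
    for (size_t off = 0; off < end; off += sizeof(size_t))
        node_put(b->obj[off / sizeof(size_t)]);
}

/* Before: a zero 'failed_at' doubles as "release the entire buffer". */
static void release_ambiguous(struct buffer *b, size_t failed_at)
{
    release_range(b, failed_at ? failed_at : b->offsets_size);
}

/* After: the end offset is always explicit; "entire" is a named helper. */
static void release_explicit(struct buffer *b, size_t off_end_offset)
{
    release_range(b, off_end_offset);
}
static void release_entire_buffer(struct buffer *b)
{
    release_explicit(b, b->offsets_size);
}

/* Process 'processed' objects (one extra ref each), then clean up.
 * Returns how many nodes were freed while their owner still held them. */
static int premature_frees(int processed, int fixed)
{
    struct node nodes[NOBJS];
    struct buffer b = { .offsets_size = NOBJS * sizeof(size_t) };
    size_t failed_at = (size_t)processed * sizeof(size_t);
    int freed = 0;

    for (int i = 0; i < NOBJS; i++) {
        nodes[i] = (struct node){ .refs = 1 + (i < processed), .freed = 0 };
        b.obj[i] = &nodes[i];
    }
    if (!fixed)
        release_ambiguous(&b, failed_at);
    else if (processed == NOBJS)
        release_entire_buffer(&b);    /* normal free: every object was processed */
    else
        release_explicit(&b, failed_at);
    for (int i = 0; i < NOBJS; i++)
        freed += nodes[i].freed;
    return freed;
}

int main(void)
{
    printf("early failure, ambiguous: %d freed\n", premature_frees(0, 0));
    printf("early failure, explicit:  %d freed\n", premature_frees(0, 1));
    return 0;
}
```

Each freed node in the ambiguous case is still referenced by its owner, which is the condition the KASAN report above flags on the next access.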
trace_android_vh_binder_proc_transaction_entry:
We need change binder thread so that this work can be added in
proc->todo, if we found the binder thread, skip native logic.
trace_android_vh_binder_select_worklist_ilocked:
we need this because we can't change list point in "trace_android_vh_binder_thread_read",
otherwise, if a work has been added in our own defined list before,
current may goto retry and loop again and again.
Bug: 219898723
Change-Id: Ifdb3429c9ddac521bc75c1d21740ee7cc4b8f143
Signed-off-by: Liujie Xie <xieliujie@oppo.com>
(cherry picked from commit acefa91e51)
Signed-off-by: Carlos Llamas <cmllamas@google.com>
(cherry picked from commit d26c0e1c409179ea74aaa89f748006bd76000cc3)
We want to add some hooks in the binder module so that we can reduce
block time until binder thread is available
Here is what the new hooks do:
1. android_vh_binder_looper_state_registered: choose a binder thread (do proc work) as a low-level thread. Only this thread has power to execute background binder transaction.
2. android_vh_binder_thread_read: let binder thread do works which come from
our list.
3. android_vh_binder_free_proc: free some pointers and variable.
4. android_vh_binder_thread_release: free the list that we create before.
5. android_vh_binder_has_work_ilocked: to check if our list has work.
6. android_vh_binder_read_done: because we add hook in binder_has_work_ilocked,
binder_has_work_ilocked may return true, so we try to wake up low-level thread immediately.
7. android_vh_binder_preset: mark target proc's binder threads.
Bug: 212483521
Change-Id: Ic40f452cc4dcf8fc85422e23e6f1a7ad77547309
Signed-off-by: Liujie Xie <xieliujie@oppo.com>
(cherry picked from commit 8d6074509e4ec7e10acf6ee78277ff8cd19e49d0)
Add hooks to apply oem's optimization of rwsem and mutex
Bug: 182237112
Signed-off-by: xieliujie <xieliujie@oppo.com>
(cherry picked from commit 80b4341d05)
Signed-off-by: xieliujie <xieliujie@oppo.com>
Change-Id: I36895c432e5b6d6bff8781b4a7872badb693284c
Signed-off-by: Carlos Llamas <cmllamas@google.com>
[cmllamas: completes the cherry-pick of original commit 80b4341d05
since commit 0902cc73b793 was only partial]
(cherry picked from commit d4528a28cb5be0c322031f333a6230fa3042931f)
We need pointers to proc and t, the current hooks in binder_proc_transaction
are unable to use.
Bug: 208910215
Change-Id: I730964f965a015e5f5a3e237d9b3bd084b5bd0d0
Signed-off-by: Liujie Xie <xieliujie@oppo.com>
(cherry picked from commit cb7e10d31b)
Signed-off-by: Carlos Llamas <cmllamas@google.com>
(cherry picked from commit 8968875ad63f4cda9f263e2a2a930524dd8fdbc7)
These hooks help us do the following things:
a) Record the number of mutex and rwsem optimistic spin.
b) Monitor the time of mutex and rwsem optimistic spin.
c) Make it possible if oems don't want mutex and rwsem to optimistic spin
for a long time.
Bug: 267565260
Change-Id: I2bee30fb17946be85e026213b481aeaeaee2459f
Signed-off-by: Liujie Xie <xieliujie@oppo.com>
(cherry picked from commit d01f7e1269)
(cherry picked from commit 05b5ff11ad98c5896b352b4c376a84b63684e06c)
Adding the following symbols:
- __drmm_crtc_alloc_with_planes
Bug: 275278929
Change-Id: I5f6e650aa850eb2639abcf5c033e1ed43814d30f
Signed-off-by: Adrian Salido <salidoa@google.com>
Add the hook that vendor can design and bypass the suspend/resume.
When the bypass is set, skip the original suspend/resume methods.
In mobile, a co-processor can be used with USB audio, and ACPU may
be able to sleep in such condition to improve power consumption.
We will need vendor hook to support this.
Bug: 192774581
Signed-off-by: Puma Hsu <pumahsu@google.com>
Change-Id: Ic62a8a1e662bbe3fb0aa17af7491daace0b9f18a
(cherry picked from commit 98085b5dd8)
Add vendor hook android_vh_sound_check_support_cpu_suspend
to allow ACPU to suspend during USB playback/capture,
if this is supported.
Bug: 192206510
Change-Id: Ia8d4c335db27de5fcefab13cab653fd1ae34f691
Signed-off-by: JJ Lee <leejj@google.com>
(cherry picked from commit e8516fd3af)
Sync to android13-5.10. This vendor hook is declared already.
Bug: 245675204
Change-Id: Ib081b52542380d22317f225a50b553cda5f2634c
Signed-off-by: Rick Yiu <rickyiu@google.com>
Providing vendor hooks to record the start time of holding the lock, which
protects rwsem/mutex locking-process from being preempted for a short time
in some cases.
- android_vh_record_mutex_lock_starttime
- android_vh_record_rtmutex_lock_starttime
- android_vh_record_rwsem_lock_starttime
- android_vh_record_pcpu_rwsem_starttime
Bug: 241191475
Signed-off-by: Peifeng Li <lipeifeng@oppo.com>
Change-Id: I0e967a1e8b77c32a1ad588acd54028fae2f90c4e
(cherry picked from commit f7294947672eb6b786f3c16b49e71e6a239101ad)
This file is no longer useful after build.sh is deprecated.
The functionality of the list has been moved to
//common:kernel_aarch64 module_implicit_outs in Kleaf.
Bug: 257119427
Test: TH
Change-Id: Id7e2c9b09d8b4eb96a4f055ce5e01964f8b6361c
Signed-off-by: Yifan Hong <elsk@google.com>
Some boards need more than the default maximum of 4 uarts. This has no
impact unless 8250.nr_uarts is specified on the cmdline to increase
the number of runtime uarts from the GKI default of 0.
Bug: 280015873
Signed-off-by: Alistair Delva <adelva@google.com>
Change-Id: I5ba4e1dcce4f4e01b7d306fa3ab05319768eef00
Adding the following symbols:
- dmabuf_page_pool_get_size
Bug: 260174400
Change-Id: Iaa09256831aa65563fd5b8bc825a3f9d10722c4e
Signed-off-by: Robin Peng <robinpeng@google.com>
locks for each hlist in hash_table.
Hash_table in uid_sys_stat is protected by a global lock named uid_lock,
which causes some lock competition issue. Actually, uid_lock can be split to
several fine-grained locks for each hlist in hash_table, which avoids
the unnecessary lock competition when get different-uid process info.
Bug: 278138377
Signed-off-by: Peifeng Li <lipeifeng@oppo.com>
Change-Id: I04c564ce42b62d8cfb9ed29e99f310ba76244763
Context: https://lore.kernel.org/lkml/CAPTae5LbWVc4Bdiwe69cwwxEGfSYvRv=419dUGR1u8n-WUkYAA@mail.gmail.com/t/
Logs in /sys/kernel/debug/usb/tcpm* are key to debug issues related to
USB charging or data. However, tcpm logbuffer logs do not wraparound
once full. Whereas we want it to wrap around so that we capture relevant
info in the bugreport when the user collects one. There is sentiment in
upstream to get rid of the logbuffer altogether and move to tracing.
But trace events are not default enabled in Android, so that implies,
even if user can somehow enable the trace event, user would have to
repro the issue and collect the bugreport. That would cause
inconvenience to the end user. The vendor hooks is needed till upstream
either allows wrapping around logs (or) Android has a generic way to
default enable trace events which can be captured in bugreport.
bypass_log is set to true by the handler if logging into logbuffer is
not needed.
Bug: 189792358
Bug: 271294543
Change-Id: Icacfed2264b6c49b8e803c62f8bd820a146c169a
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
(cherry picked from commit bbc22694d4)
Add a vendor hook to modify the port Source Capabilities. If the caps
are changed and the port state is feasible, start a Power Negotiation
AMS to update the current contract to the new one.
Bug: 201006190
Bug: 206108037
Bug: 271294543
Signed-off-by: Kyle Tso <kyletso@google.com>
Change-Id: I8b524242353781cb39b3ba85c6a75bd5a204ebcf
(cherry picked from commit b499bac439)
Add a hook after receiving the source capabilities from the partner
port. Pass the address of the source capability array so that vendor
code is able to access them.
OOT bug:
Bug: 181629276
Bug: 169215197
Bug: 271294543
Signed-off-by: Kyle Tso <kyletso@google.com>
Change-Id: I11c4a7919c248690e63c3bfbebfa6b8d711175a6
(cherry picked from commit c8314fcb76)
linux/usb/pd.h has a bunch of timers for which the Type-C spec defines
a range of values. These values have to be tuned based on the latency
observed in a specific architecture. However, linux opensource sets
them to a specific value without providing a mechanism to set board
specific values. While a generic way is figured out, a vendor hook
is needed in the interim.
For instance, tCCDebounce can have a value between 100msec - 200msec.
Squashed <d98a1df78740eedcc4d3d4c8d44b39b73f81df2d>
"ANDROID: usb: typec: tcpm: Fixup the wait time for SNK_DISCOVERY"
OOT_bug:
Bug: 184308605
Bug: 168245874
Bug: 173252019
Bug: 271294543
Change-Id: I278b34654a7e48990b6ebe25fbe17e3aa4165098
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
(cherry picked from commit 081a88febb)
This hook is for addressing hardware anomalies where
TCPC_POWER_STATUS_VBUS_PRES bit can return 0 even before falling
below sSinkDisconnect threshold.
Handler has to set bypass to override the value that would otherwise
be returned by this function.
Handler can set vbus or clear vbus to indicate vbus present or absent
Squashed <89f633a9f41259a168473917674dd5cb1bfb991d>
"ANDROID: usb: typec: tcpci: Migrate restricted vendor hook"
OOT_bug:
Bug: 183149028
Bug: 168245874
Bug: 173252019
Bug: 271294543
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Change-Id: I2ca994d49b37bf8600c5913b892fde9acd0dc896
(cherry picked from commit eeffe02c96)
Needed for controlling BC1.2 detection logic specific to the chip
architecture. Also, needed to implement additional logic to make debug
accessories specifically designed for Pixel work.
These are outside the purview of Type-C spec.
OOT_bug:
Bug: 169213252
Bug: 168245874
Bug: 173252019
Bug: 271294543
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Change-Id: I36fe75dddd8cd4e2054db01ed4fee7ea08dd8702
(cherry picked from commit b6325c997c)
* This is in preparation for migrating these
as `kernel_build` attributes. i.e. these will
be removed as a follow-up.
Bug: 236012223
Change-Id: I168c44fd76f9f2732caf8f5c00bec4ed8c96ee65
(cherry picked from commit ccc4fb8185b50958354d8d511823491030988131)
Signed-off-by: Ulises Mendez Martinez <umendez@google.com>
usb_udc_connect_control does not check to see if the udc has already
been started. This causes gadget->ops->pullup to be called through
usb_gadget_connect when invoked from usb_udc_vbus_handler even before
usb_gadget_udc_start is called. Guard this by checking for udc->started
in usb_udc_connect_control before invoking usb_gadget_connect.
Guarding udc->vbus, udc->started, gadget->connect, gadget->deactivate
related functions with connect_lock. usb_gadget_connect_locked,
usb_gadget_disconnect_locked, usb_udc_connect_control_locked,
usb_gadget_udc_start_locked, usb_gadget_udc_stop_locked are called with
this lock held as they can be simultaneously invoked from different code
paths.
Adding an additional check to make sure udc is started (udc->started)
before pullup callback is invoked.
Bug: 276227797
Fixes: 628ef0d273 ("usb: udc: add usb_udc_vbus_handler")
Cc: stable@vger.kernel.org
Change-Id: Iee7ac5fdf880be5565b9f178708240d619141237
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Link: https://lore.kernel.org/r/20230407030741.3163220-1-badhri@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 0db213ea8e https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/ usb-next)
The mte_sync_page_tags() function sets PG_mte_tagged if it initializes
page tags. Then we return to mte_sync_tags(), which sets PG_mte_tagged
again. At best, this is redundant. However, it is possible for
mte_sync_page_tags() to return without having initialized tags for the
page, i.e. in the case where check_swap is true (non-compound page),
is_swap_pte(old_pte) is false and pte_is_tagged is false. So at worst,
we set PG_mte_tagged on a page with uninitialized tags. This can happen
if, for example, page migration causes a PTE for an untagged page to
be replaced. If the userspace program subsequently uses mprotect() to
enable PROT_MTE for that page, the uninitialized tags will be exposed
to userspace.
Fix it by removing the redundant call to set_page_mte_tagged().
Fixes: e059853d14 ("arm64: mte: Fix/clarify the PG_mte_tagged semantics")
Signed-off-by: Peter Collingbourne <pcc@google.com>
Cc: <stable@vger.kernel.org> # 6.1
Link: https://linux-review.googlesource.com/id/Ib02d004d435b2ed87603b858ef7480f7b1463052
Link: https://lore.kernel.org/all/20230420214327.2357985-1-pcc@google.com/
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Bug: 263910115
Change-Id: Ib02d004d435b2ed87603b858ef7480f7b1463052