usb_udc_connect_control does not check to see if the udc has already
been started. This causes gadget->ops->pullup to be called through
usb_gadget_connect when invoked from usb_udc_vbus_handler even before
usb_gadget_udc_start is called. Guard this by checking for udc->started
in usb_udc_connect_control before invoking usb_gadget_connect.
Guarding udc->vbus, udc->started, gadget->connect, gadget->deactivate
related functions with connect_lock. usb_gadget_connect_locked,
usb_gadget_disconnect_locked, usb_udc_connect_control_locked,
usb_gadget_udc_start_locked, usb_gadget_udc_stop_locked are called with
this lock held as they can be simulataneously invoked from different code
paths.
Adding an additional check to make sure udc is started(udc->started)
before pullup callback is invoked.
Bug: 276227797
Fixes: 628ef0d273 ("usb: udc: add usb_udc_vbus_handler")
Cc: stable@vger.kernel.org
Change-Id: Iee7ac5fdf880be5565b9f178708240d619141237
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Link: https://lore.kernel.org/r/20230407030741.3163220-1-badhri@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 0db213ea8ehttps://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/ usb-next)
The mte_sync_page_tags() function sets PG_mte_tagged if it initializes
page tags. Then we return to mte_sync_tags(), which sets PG_mte_tagged
again. At best, this is redundant. However, it is possible for
mte_sync_page_tags() to return without having initialized tags for the
page, i.e. in the case where check_swap is true (non-compound page),
is_swap_pte(old_pte) is false and pte_is_tagged is false. So at worst,
we set PG_mte_tagged on a page with uninitialized tags. This can happen
if, for example, page migration causes a PTE for an untagged page to
be replaced. If the userspace program subsequently uses mprotect() to
enable PROT_MTE for that page, the uninitialized tags will be exposed
to userspace.
Fix it by removing the redundant call to set_page_mte_tagged().
Fixes: e059853d14 ("arm64: mte: Fix/clarify the PG_mte_tagged semantics")
Signed-off-by: Peter Collingbourne <pcc@google.com>
Cc: <stable@vger.kernel.org> # 6.1
Link: https://linux-review.googlesource.com/id/Ib02d004d435b2ed87603b858ef7480f7b1463052
Link: https://lore.kernel.org/all/20230420214327.2357985-1-pcc@google.com/
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Bug: 263910115
Change-Id: Ib02d004d435b2ed87603b858ef7480f7b1463052
Consider the following sequence of events:
1) A page in a PROT_READ|PROT_WRITE VMA is faulted.
2) Page migration allocates a page with the KASAN allocator,
causing it to receive a non-match-all tag, and uses it
to replace the page faulted in 1.
3) The program uses mprotect() to enable PROT_MTE on the page faulted in 1.
As a result of step 3, we are left with a non-match-all tag for a page
with tags accessible to userspace, which can lead to the same kind of
tag check faults that commit e74a684680 ("arm64: Reset KASAN tag in
copy_highpage with HW tags only") intended to fix.
The general invariant that we have for pages in a VMA with VM_MTE_ALLOWED
is that they cannot have a non-match-all tag. As a result of step 2, the
invariant is broken. This means that the fix in the referenced commit
was incomplete and we also need to reset the tag for pages without
PG_mte_tagged.
Fixes: e5b8d92189 ("arm64: mte: reset the page tag in page->flags")
Cc: <stable@vger.kernel.org> # 5.15
Link: https://linux-review.googlesource.com/id/I7409cdd41acbcb215c2a7417c1e50d37b875beff
Link: https://lore.kernel.org/all/20230420210945.2313627-1-pcc@google.com/
Signed-off-by: Peter Collingbourne <pcc@google.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Bug: 263910115
Change-Id: I7409cdd41acbcb215c2a7417c1e50d37b875beff
[pcc: resolved merge conflict]
These hooks will do the following works:
a) record the time of the process in various states
b) Make corresponding optimization strategies in different hooks
Bug: 205938967
Signed-off-by: Liujie Xie <xieliujie@oppo.com>
Change-Id: Ia3c47bbf0aadd17337ce18fd910343b1b8c3ef93
(cherry picked from commit a61d61bab7)
Signed-off-by: Carlos Llamas <cmllamas@google.com>
(cherry picked from commit b7a1174cc5dfc68cf769547b91958df407e55981)
add vendor hooks to compute new cpu freq for oem feature.
Bug: 280021175
Signed-off-by: xieliujie <xieliujie@oppo.com>
Change-Id: I2b8e1f76f3b9792148f153190b862face679ebbd
We want to use this hook to record the sleeping time due to Futex
Bug: 210947226
Signed-off-by: Liujie Xie <xieliujie@oppo.com>
Change-Id: I637f889dce42937116d10979e0c40fddf96cd1a2
(cherry picked from commit a7ab784f60)
Since these are unmapped from EL1, kmemleak will crash if it accesses
them.
Bug: 275004094
Signed-off-by: Keir Fraser <keirf@google.com>
Change-Id: Ieb15033c2dc21e6437a3a3c91a8b36e8dda31e98
Since host stage-2 mappings are created lazily, we cannot rely on the
pte in order to recover the target physical address when checking a
host-initiated memory transition.
Instead, move the addr_is_allowed_memory() check into the host callback
function where it is passed the physical address directly from the
walker.
Bug: 279739439
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I84bdc43eded79f1f5e5a489dbc0874604491e5c8
This reverts commit 99b704ae7a.
It breaks the current Android kernel abi. It will be brought back at
the next KABI break update.
Bug: 161946584
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ie9a141414435aa17dc97ef1e1ec8c23dbe7816e8
This reverts commit 98762616db.
It breaks the current Android kernel abi. It will be brought back at
the next KABI break update.
Bug: 161946584
Change-Id: I4ed9d6760b8d2e26bad66d9af39d7819e7b464d9
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 4ee882e0e1.
It breaks the current Android kernel abi. It will be brought back at
the next KABI break update.
Bug: 161946584
Change-Id: I6f6c769ebcd31248b16f792add4d206c8c1b5c19
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit e779884c71.
It breaks the current Android kernel abi. It will be brought back at
the next KABI break update.
Bug: 161946584
Change-Id: Ic6ccde7b57e525a742602d783457c810a1ca0930
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
To restore previous uclamp value, we still need store uclamp_req directly. Otherwise, saved_priority will store effective uclamp value and restore it to uclamp_req later.
Bug: 277389699
Change-Id: I7b3e357fcfc3bd955789e85d730713c384d0ade7
Signed-off-by: Chungkai Mei <chungkai@google.com>
We've recently added a .data section for the hypervisor, which kmemleak
is eager to parse. This clearly doesn't go well, so add the section to
kmemleak's block list.
Bug: 232768943
Bug: 235903024
Change-Id: Ib1ee0009ce05bf7b0ba5d53fc8ca0429ec592102
Signed-off-by: Quentin Perret <qperret@google.com>
[re-merge: Accidentally reverted while cutting android14-5.15]
Bug: 275004094
Signed-off-by: Keir Fraser <keirf@google.com>
* aosp/upstream-f2fs-stable-linux-5.15.y:
f2fs: remove unnessary comment in __may_age_extent_tree
f2fs: allocate node blocks for atomic write block replacement
f2fs: use cow inode data when updating atomic write
f2fs: remove power-of-two limitation of zoned device
f2fs: allocate trace path buffer from names_cache
f2fs: add has_enough_free_secs()
f2fs: relax sanity check if checkpoint is corrupted
f2fs: refactor f2fs_gc to call checkpoint in urgent condition
f2fs: remove folio_detach_private() in .invalidate_folio and .release_folio
f2fs: fix to call clear_page_private_reference in .{release,invalid}_folio
f2fs: remove bulk remove_proc_entry() and unnecessary kobject_del()
f2fs: support iopoll method
f2fs: remove batched_trim_sections node description
f2fs: fix to check return value of inc_valid_block_count()
f2fs: fix to check return value of f2fs_do_truncate_blocks()
f2fs: fix passing relative address when discard zones
f2fs: fix potential corruption when moving a directory
f2fs: add radix_tree_preload_end in error case
f2fs: fix to recover quota data correctly
f2fs: fix to check readonly condition correctly
docs: f2fs: Correct instruction to disable checkpoint
f2fs: fix to keep consistent i_gc_rwsem lock order
f2fs: fix to drop all dirty pages during umount() if cp_error is set
f2fs: fix to avoid use-after-free for cached IPU bio
f2fs: remove unneeded in-memory i_crtime copy
f2fs: use f2fs_hw_is_readonly() instead of bdev_read_only()
f2fs: use common implementation of file type
f2fs: merge lz4hc_compress_pages() to lz4_compress_pages()
f2fs: convert to use sysfs_emit
f2fs: set default compress option only when sb_has_compression
f2fs: Fix system crash due to lack of free space in LFS
f2fs: remove struct victim_selection default_v_ops
f2fs: fix null pointer panic in tracepoint in __replace_atomic_write_block
f2fs: fix iostat lock protection
f2fs: fix align check for npo2
f2fs: add compression feature check for all compress mount opt
f2fs: convert is_extension_exist() to return bool type
f2fs: fix scheduling while atomic in decompression path
f2fs: preserve direct write semantics when buffering is forced
f2fs: compress: fix to call f2fs_wait_on_page_writeback() in f2fs_write_raw_pages()
f2fs: remove else in f2fs_write_cache_pages()
f2fs: apply zone capacity to all zone type
f2fs: fix to handle filemap_fdatawrite() error in f2fs_ioc_decompress_file/f2fs_ioc_compress_file
f2fs: convert to MAX_SBI_FLAG instead of 32 in stat_show()
f2fs: Fix discard bug on zoned block devices with 2MiB zone size
f2fs: remove entire rb_entry sharing
f2fs: factor out discard_cmd usage from general rb_tree use
f2fs: factor out victim_entry usage from general rb_tree use
f2fs: fix uninitialized skipped_gc_rwsem
f2fs: handle dqget error in f2fs_transfer_project_quota()
f2fs: convert to use bitmap API
f2fs: export compress_percent and compress_watermark entries
f2fs: make f2fs_sync_inode_meta() static
f2fs: Fix f2fs_truncate_partial_nodes ftrace event
Bug: 273795759
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I260f4009b3bb6a0ffca20488d0ad0e41e92fb9d2
Set KMI_GENERATION=5 for 4/26 KMI update
1 function symbol(s) added
'unsigned long dmabuf_page_pool_get_size(struct dmabuf_page_pool*)'
function symbol changed from 'int pkvm_iommu_register(struct device*, u64, phys_addr_t, size_t, struct device*)' to 'int pkvm_iommu_register(struct device*, u64, phys_addr_t, size_t, struct device*, u8)'
CRC changed from 0x5b4f6732 to 0x884bf4b6
type changed from 'int(struct device*, u64, phys_addr_t, size_t, struct device*)' to 'int(struct device*, u64, phys_addr_t, size_t, struct device*, u8)'
parameter 6 of type 'u8' was added
function symbol 'int ___pskb_trim(struct sk_buff*, unsigned int)' changed
CRC changed from 0x7d722404 to 0x5078bf09
function symbol 'struct sk_buff* __alloc_skb(unsigned int, gfp_t, int, int)' changed
CRC changed from 0x7d394cb3 to 0x3065de54
function symbol 'struct sk_buff* __cfg80211_alloc_event_skb(struct wiphy*, struct wireless_dev*, enum nl80211_commands, enum nl80211_attrs, unsigned int, int, int, gfp_t)' changed
CRC changed from 0x3415238f to 0x7d26f3e2
... 719 omitted; 722 symbols have only CRC changes
type 'struct netns_ipv6' changed
member 'struct list_head mr6_tables' was added
member 'struct fib_rules_ops* mr6_rules_ops' was added
member 'struct mr_table* mrt6' was removed
9 members ('atomic_t dev_addr_genid' .. 'u64 android_kabi_reserved1') changed
offset changed by 128
Bug: 279074305
Change-Id: Iadf86cb97ff76e52a19de8ec4d12c46c35e712c5
Signed-off-by: Carlos Llamas <cmllamas@google.com>
We need to pass some device specific flags that are detected from EL1
(as built-in sync device) to the hypervisor. The flags are defined
by the driver but hosted in the main iommu struct.
As we use SMCCC1.1 we only have 7 args, which were already used, so
mem_size is removed as it really not needed as all page donations
are 1 page. so passing the base address is enough.
Bug: 255266847
Change-Id: I14e6d2573d7a822334455999aa9fd6f01ac97450
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Enable support for multicast policy routing. This will allow border
router devices to run multiple routing tables simultaneously.
Bug: 233821827
Change-Id: Ib029f4db1c5bb9416c06813fa0b66c965fef8fd8
Signed-off-by: Carlos Llamas <cmllamas@google.com>
(cherry picked from commit c9e98bfeeeae4580143ec87b4f1f3ef8571dc331)
Update symbol list after making the DMA-BUF heap page-pool helper
library built-in.
Bug: 275698445
Change-Id: Ib20070b0e2fa45fd3f3b6e3bd2236f64ba77f5fd
Signed-off-by: T.J. Mercier <tjmercier@google.com>
Update symbol list after making the DMA-BUF heap page-pool helper
Bug: 275698445
Change-Id: I676d44d7497cc33b552d1b6cbccbb89f4b4f088a
Signed-off-by: T.J. Mercier <tjmercier@google.com>
Users of dmabuf_page_pool should not need to refer to its fields, so
hide them from the KMI. Add dmabuf_page_pool_get_size to fullfill the
needs of users. Update the system_heap to use the new API.
Bug: 264474028
Bug: 275698445
Change-Id: I848ff52e73a13568f561deeb6aea48f40dc0960b
Signed-off-by: T.J. Mercier <tjmercier@google.com>
Changes in 5.15.109
ARM: dts: rockchip: fix a typo error for rk3288 spdif node
arm64: dts: qcom: ipq8074-hk01: enable QMP device, not the PHY node
arm64: dts: meson-g12-common: specify full DMC range
arm64: dts: imx8mm-evk: correct pmic clock source
netfilter: br_netfilter: fix recent physdev match breakage
regulator: fan53555: Explicitly include bits header
regulator: fan53555: Fix wrong TCS_SLEW_MASK
net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg
virtio_net: bugfix overflow inside xdp_linearize_page()
sfc: Split STATE_READY in to STATE_NET_DOWN and STATE_NET_UP.
sfc: Fix use-after-free due to selftest_work
netfilter: nf_tables: fix ifdef to also consider nf_tables=m
i40e: fix accessing vsi->active_filters without holding lock
i40e: fix i40e_setup_misc_vector() error handling
netfilter: nf_tables: validate catch-all set elements
netfilter: nf_tables: tighten netlink attribute requirements for catch-all elements
bnxt_en: Do not initialize PTP on older P3/P4 chips
mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next()
bonding: Fix memory leak when changing bond type to Ethernet
net: rpl: fix rpl header size calculation
mlxsw: pci: Fix possible crash during initialization
spi: spi-rockchip: Fix missing unwind goto in rockchip_sfc_probe()
bpf: Fix incorrect verifier pruning due to missing register precision taints
e1000e: Disable TSO on i219-LM card to increase speed
f2fs: Fix f2fs_truncate_partial_nodes ftrace event
Input: i8042 - add quirk for Fujitsu Lifebook A574/H
platform/x86 (gigabyte-wmi): Add support for A320M-S2H V2
selftests: sigaltstack: fix -Wuninitialized
scsi: megaraid_sas: Fix fw_crash_buffer_show()
scsi: core: Improve scsi_vpd_inquiry() checks
net: dsa: b53: mmap: add phy ops
s390/ptrace: fix PTRACE_GET_LAST_BREAK error handling
nvme-tcp: fix a possible UAF when failing to allocate an io queue
xen/netback: use same error messages for same errors
platform/x86: gigabyte-wmi: add support for X570S AORUS ELITE
rtmutex: Add acquire semantics for rtmutex lock acquisition slow path
iio: light: tsl2772: fix reading proximity-diodes from device tree
nilfs2: initialize unused bytes in segment summary blocks
memstick: fix memory leak if card device is never registered
kernel/sys.c: fix and improve control flow in __sys_setres[ug]id()
mmc: sdhci_am654: Set HIGH_SPEED_ENA for SDR12 and SDR25
drm/i915: Fix fast wake AUX sync len
mm/khugepaged: check again on anon uffd-wp during isolation
mm: page_alloc: skip regions with hugetlbfs pages when allocating 1G pages
sched/uclamp: Fix fits_capacity() check in feec()
sched/uclamp: Make cpu_overutilized() use util_fits_cpu()
sched/uclamp: Cater for uclamp in find_energy_efficient_cpu()'s early exit condition
sched/fair: Detect capacity inversion
sched/fair: Consider capacity inversion in util_fits_cpu()
sched/uclamp: Fix a uninitialized variable warnings
sched/fair: Fixes for capacity inversion detection
MIPS: Define RUNTIME_DISCARD_EXIT in LD script
docs: futex: Fix kernel-doc references after code split-up preparation
purgatory: fix disabling debug info
fuse: fix attr version comparison in fuse_read_update_size()
fuse: always revalidate rename target dentry
fuse: fix deadlock between atomic O_TRUNC and page invalidation
udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM).
tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct().
inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
dccp: Call inet6_destroy_sock() via sk->sk_destruct().
sctp: Call inet6_destroy_sock() via sk->sk_destruct().
pwm: meson: Explicitly set .polarity in .get_state()
pwm: iqs620a: Explicitly set .polarity in .get_state()
pwm: hibvt: Explicitly set .polarity in .get_state()
counter: 104-quad-8: Fix race condition between FLAG and CNTR reads
iio: adc: at91-sama5d2_adc: fix an error code in at91_adc_allocate_trigger()
mm/page_alloc: fix potential deadlock on zonelist_update_seq seqlock
ASoC: fsl_asrc_dma: fix potential null-ptr-deref
ASN.1: Fix check for strdup() success
soc: sifive: l2_cache: fix missing iounmap() in error path in sifive_l2_init()
soc: sifive: l2_cache: fix missing free_irq() in error path in sifive_l2_init()
soc: sifive: l2_cache: fix missing of_node_put() in sifive_l2_init()
Linux 5.15.109
Change-Id: I2165f73cd4b1056ffb268e8b6a12e71588309188
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 86a24e99c9 upstream.
dma_request_slave_channel() may return NULL which will lead to
NULL pointer dereference error in 'tmp_chan->private'.
Correct this behaviour by, first, switching from deprecated function
dma_request_slave_channel() to dma_request_chan(). Secondly, enable
sanity check for the resuling value of dma_request_chan().
Also, fix description that follows the enacted changes and that
concerns the use of dma_request_slave_channel().
Fixes: 706e2c8811 ("ASoC: fsl_asrc_dma: Reuse the dma channel if available in Back-End")
Co-developed-by: Natalia Petrova <n.petrova@fintech.ru>
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Acked-by: Shengjiu Wang <shengjiu.wang@gmail.com>
Link: https://lore.kernel.org/r/20230417133242.53339-1-n.zhandarovich@fintech.ru
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1007843a91 upstream.
syzbot is reporting circular locking dependency which involves
zonelist_update_seq seqlock [1], for this lock is checked by memory
allocation requests which do not need to be retried.
One deadlock scenario is kmalloc(GFP_ATOMIC) from an interrupt handler.
CPU0
----
__build_all_zonelists() {
write_seqlock(&zonelist_update_seq); // makes zonelist_update_seq.seqcount odd
// e.g. timer interrupt handler runs at this moment
some_timer_func() {
kmalloc(GFP_ATOMIC) {
__alloc_pages_slowpath() {
read_seqbegin(&zonelist_update_seq) {
// spins forever because zonelist_update_seq.seqcount is odd
}
}
}
}
// e.g. timer interrupt handler finishes
write_sequnlock(&zonelist_update_seq); // makes zonelist_update_seq.seqcount even
}
This deadlock scenario can be easily eliminated by not calling
read_seqbegin(&zonelist_update_seq) from !__GFP_DIRECT_RECLAIM allocation
requests, for retry is applicable to only __GFP_DIRECT_RECLAIM allocation
requests. But Michal Hocko does not know whether we should go with this
approach.
Another deadlock scenario which syzbot is reporting is a race between
kmalloc(GFP_ATOMIC) from tty_insert_flip_string_and_push_buffer() with
port->lock held and printk() from __build_all_zonelists() with
zonelist_update_seq held.
CPU0 CPU1
---- ----
pty_write() {
tty_insert_flip_string_and_push_buffer() {
__build_all_zonelists() {
write_seqlock(&zonelist_update_seq);
build_zonelists() {
printk() {
vprintk() {
vprintk_default() {
vprintk_emit() {
console_unlock() {
console_flush_all() {
console_emit_next_record() {
con->write() = serial8250_console_write() {
spin_lock_irqsave(&port->lock, flags);
tty_insert_flip_string() {
tty_insert_flip_string_fixed_flag() {
__tty_buffer_request_room() {
tty_buffer_alloc() {
kmalloc(GFP_ATOMIC | __GFP_NOWARN) {
__alloc_pages_slowpath() {
zonelist_iter_begin() {
read_seqbegin(&zonelist_update_seq); // spins forever because zonelist_update_seq.seqcount is odd
spin_lock_irqsave(&port->lock, flags); // spins forever because port->lock is held
}
}
}
}
}
}
}
}
spin_unlock_irqrestore(&port->lock, flags);
// message is printed to console
spin_unlock_irqrestore(&port->lock, flags);
}
}
}
}
}
}
}
}
}
write_sequnlock(&zonelist_update_seq);
}
}
}
This deadlock scenario can be eliminated by
preventing interrupt context from calling kmalloc(GFP_ATOMIC)
and
preventing printk() from calling console_flush_all()
while zonelist_update_seq.seqcount is odd.
Since Petr Mladek thinks that __build_all_zonelists() can become a
candidate for deferring printk() [2], let's address this problem by
disabling local interrupts in order to avoid kmalloc(GFP_ATOMIC)
and
disabling synchronous printk() in order to avoid console_flush_all()
.
As a side effect of minimizing duration of zonelist_update_seq.seqcount
being odd by disabling synchronous printk(), latency at
read_seqbegin(&zonelist_update_seq) for both !__GFP_DIRECT_RECLAIM and
__GFP_DIRECT_RECLAIM allocation requests will be reduced. Although, from
lockdep perspective, not calling read_seqbegin(&zonelist_update_seq) (i.e.
do not record unnecessary locking dependency) from interrupt context is
still preferable, even if we don't allow calling kmalloc(GFP_ATOMIC)
inside
write_seqlock(&zonelist_update_seq)/write_sequnlock(&zonelist_update_seq)
section...
Link: https://lkml.kernel.org/r/8796b95c-3da3-5885-fddd-6ef55f30e4d3@I-love.SAKURA.ne.jp
Fixes: 3d36424b3b ("mm/page_alloc: fix race condition between build_all_zonelists and page allocation")
Link: https://lkml.kernel.org/r/ZCrs+1cDqPWTDFNM@alley [2]
Reported-by: syzbot <syzbot+223c7461c58c58a4cb10@syzkaller.appspotmail.com>
Link: https://syzkaller.appspot.com/bug?extid=223c7461c58c58a4cb10 [1]
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Mel Gorman <mgorman@techsingularity.net>
Cc: Petr Mladek <pmladek@suse.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Cc: John Ogness <john.ogness@linutronix.de>
Cc: Patrick Daly <quic_pdaly@quicinc.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4aa3b75c74 upstream.
The Counter (CNTR) register is 24 bits wide, but we can have an
effective 25-bit count value by setting bit 24 to the XOR of the Borrow
flag and Carry flag. The flags can be read from the FLAG register, but a
race condition exists: the Borrow flag and Carry flag are instantaneous
and could change by the time the count value is read from the CNTR
register.
Since the race condition could result in an incorrect 25-bit count
value, remove support for 25-bit count values from this driver;
hard-coded maximum count values are replaced by a LS7267_CNTR_MAX define
for consistency and clarity.
Fixes: 28e5d3bb03 ("iio: 104-quad-8: Add IIO support for the ACCES 104-QUAD-8")
Cc: <stable@vger.kernel.org> # 6.1.x
Cc: <stable@vger.kernel.org> # 6.2.x
Link: https://lore.kernel.org/r/20230312231554.134858-1-william.gray@linaro.org/
Signed-off-by: William Breathitt Gray <william.gray@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8caa81eb95 upstream.
The driver only supports normal polarity. Complete the implementation of
.get_state() by setting .polarity accordingly.
This fixes a regression that was possible since commit c73a310762
("pwm: Handle .get_state() failures") which stopped to zero-initialize
the state passed to the .get_state() callback. This was reported at
https://forum.odroid.com/viewtopic.php?f=177&t=46360 . While this was an
unintended side effect, the real issue is the driver's callback not
setting the polarity.
There is a complicating fact, that the .apply() callback fakes support
for inversed polarity. This is not (and cannot) be matched by
.get_state(). As fixing this isn't easy, only point it out in a comment
to prevent authors of other drivers from copying that approach.
Fixes: c375bcbaab ("pwm: meson: Read the full hardware state in meson_pwm_get_state()")
Reported-by: Munehisa Kamata <kamatam@amazon.com>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://lore.kernel.org/r/20230310191405.2606296-1-u.kleine-koenig@pengutronix.de
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6431b0f6ff upstream.
After commit d38afeec26 ("tcp/udp: Call inet6_destroy_sock()
in IPv6 sk->sk_destruct()."), we call inet6_destroy_sock() in
sk->sk_destruct() by setting inet6_sock_destruct() to it to make
sure we do not leak inet6-specific resources.
SCTP sets its own sk->sk_destruct() in the sctp_init_sock(), and
SCTPv6 socket reuses it as the init function.
To call inet6_sock_destruct() from SCTPv6 sk->sk_destruct(), we
set sctp_v6_destruct_sock() in a new init function.
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1651951ebe upstream.
After commit d38afeec26 ("tcp/udp: Call inet6_destroy_sock()
in IPv6 sk->sk_destruct()."), we call inet6_destroy_sock() in
sk->sk_destruct() by setting inet6_sock_destruct() to it to make
sure we do not leak inet6-specific resources.
DCCP sets its own sk->sk_destruct() in the dccp_init_sock(), and
DCCPv6 socket shares it by calling the same init function via
dccp_v6_init_sock().
To call inet6_sock_destruct() from DCCPv6 sk->sk_destruct(), we
export it and set dccp_v6_sk_destruct() in the init function.
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b5fc29233d upstream.
After commit d38afeec26 ("tcp/udp: Call inet6_destroy_sock()
in IPv6 sk->sk_destruct()."), we call inet6_destroy_sock() in
sk->sk_destruct() by setting inet6_sock_destruct() to it to make
sure we do not leak inet6-specific resources.
Now we can remove unnecessary inet6_destroy_sock() calls in
sk->sk_prot->destroy().
DCCP and SCTP have their own sk->sk_destruct() function, so we
change them separately in the following patches.
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d38afeec26 upstream.
Originally, inet6_sk(sk)->XXX were changed under lock_sock(), so we were
able to clean them up by calling inet6_destroy_sock() during the IPv6 ->
IPv4 conversion by IPV6_ADDRFORM. However, commit 03485f2adc ("udpv6:
Add lockless sendmsg() support") added a lockless memory allocation path,
which could cause a memory leak:
setsockopt(IPV6_ADDRFORM) sendmsg()
+-----------------------+ +-------+
- do_ipv6_setsockopt(sk, ...) - udpv6_sendmsg(sk, ...)
- sockopt_lock_sock(sk) ^._ called via udpv6_prot
- lock_sock(sk) before WRITE_ONCE()
- WRITE_ONCE(sk->sk_prot, &tcp_prot)
- inet6_destroy_sock() - if (!corkreq)
- sockopt_release_sock(sk) - ip6_make_skb(sk, ...)
- release_sock(sk) ^._ lockless fast path for
the non-corking case
- __ip6_append_data(sk, ...)
- ipv6_local_rxpmtu(sk, ...)
- xchg(&np->rxpmtu, skb)
^._ rxpmtu is never freed.
- goto out_no_dst;
- lock_sock(sk)
For now, rxpmtu is only the case, but not to miss the future change
and a similar bug fixed in commit e27326009a ("net: ping6: Fix
memleak in ipv6_renew_options()."), let's set a new function to IPv6
sk->sk_destruct() and call inet6_cleanup_sock() there. Since the
conversion does not change sk->sk_destruct(), we can guarantee that
we can clean up IPv6 resources finally.
We can now remove all inet6_destroy_sock() calls from IPv6 protocol
specific ->destroy() functions, but such changes are invasive to
backport. So they can be posted as a follow-up later for net-next.
Fixes: 03485f2adc ("udpv6: Add lockless sendmsg() support")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 21985f4337 upstream.
Commit 4b340ae20d ("IPv6: Complete IPV6_DONTFRAG support") forgot
to add a change to free inet6_sk(sk)->rxpmtu while converting an IPv6
socket into IPv4 with IPV6_ADDRFORM. After conversion, sk_prot is
changed to udp_prot and ->destroy() never cleans it up, resulting in
a memory leak.
This is due to the discrepancy between inet6_destroy_sock() and
IPV6_ADDRFORM, so let's call inet6_destroy_sock() from IPV6_ADDRFORM
to remove the difference.
However, this is not enough for now because rxpmtu can be changed
without lock_sock() after commit 03485f2adc ("udpv6: Add lockless
sendmsg() support"). We will fix this case in the following patch.
Note we will rename inet6_destroy_sock() to inet6_cleanup_sock() and
remove unnecessary inet6_destroy_sock() calls in sk_prot->destroy()
in the future.
Fixes: 4b340ae20d ("IPv6: Complete IPV6_DONTFRAG support")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2fdbb8dd01 upstream.
fuse_finish_open() will be called with FUSE_NOWRITE set in case of atomic
O_TRUNC open(), so commit 76224355db ("fuse: truncate pagecache on
atomic_o_trunc") replaced invalidate_inode_pages2() by truncate_pagecache()
in such a case to avoid the A-A deadlock. However, we found another A-B-B-A
deadlock related to the case above, which will cause the xfstests
generic/464 testcase hung in our virtio-fs test environment.
For example, consider two processes concurrently open one same file, one
with O_TRUNC and another without O_TRUNC. The deadlock case is described
below, if open(O_TRUNC) is already set_nowrite(acquired A), and is trying
to lock a page (acquiring B), open() could have held the page lock
(acquired B), and waiting on the page writeback (acquiring A). This would
lead to deadlocks.
open(O_TRUNC)
----------------------------------------------------------------
fuse_open_common
inode_lock [C acquire]
fuse_set_nowrite [A acquire]
fuse_finish_open
truncate_pagecache
lock_page [B acquire]
truncate_inode_page
unlock_page [B release]
fuse_release_nowrite [A release]
inode_unlock [C release]
----------------------------------------------------------------
open()
----------------------------------------------------------------
fuse_open_common
fuse_finish_open
invalidate_inode_pages2
lock_page [B acquire]
fuse_launder_page
fuse_wait_on_page_writeback [A acquire & release]
unlock_page [B release]
----------------------------------------------------------------
Besides this case, all calls of invalidate_inode_pages2() and
invalidate_inode_pages2_range() in fuse code also can deadlock with
open(O_TRUNC).
Fix by moving the truncate_pagecache() call outside the nowrite protected
region. The nowrite protection is only for delayed writeback
(writeback_cache) case, where inode lock does not protect against
truncation racing with writes on the server. Write syscalls racing with
page cache truncation still get the inode lock protection.
This patch also changes the order of filemap_invalidate_lock()
vs. fuse_set_nowrite() in fuse_open_common(). This new order matches the
order found in fuse_file_fallocate() and fuse_do_setattr().
Reported-by: Jiachen Zhang <zhangjiachen.jaycee@bytedance.com>
Tested-by: Jiachen Zhang <zhangjiachen.jaycee@bytedance.com>
Fixes: e4648309b8 ("fuse: truncate pending writes on O_TRUNC")
Cc: <stable@vger.kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Yang Bo <yb203166@antfin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ccc031e26a upstream.
The previous commit df8629af29 ("fuse: always revalidate if exclusive
create") ensures that the dentries are revalidated on O_EXCL creates. This
commit complements it by also performing revalidation for rename target
dentries. Otherwise, a rename target file that only exists in kernel
dentry cache but not in the filesystem will result in EEXIST if
RENAME_NOREPLACE flag is used.
Signed-off-by: Jiachen Zhang <zhangjiachen.jaycee@bytedance.com>
Signed-off-by: Zhang Tianci <zhangtianci.1997@bytedance.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Yang Bo <yb203166@antfin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
