From 39435ab3a6550990d5954eecd7731032400c47d3 Mon Sep 17 00:00:00 2001 From: Ryun Park Date: Tue, 26 Apr 2022 11:34:07 +0900 Subject: [PATCH 01/16] ANDROID: ABI: Update allowed list for galaxy ======================================================== Leaf changes summary: 11 artifacts changed Changed leaf types summary: 0 leaf type changed Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 8 Added functions Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 3 Added variables 8 Added functions: [A] 'function void* __devm_alloc_percpu(device*, size_t, size_t)' [A] 'function int blkdev_fsync(file*, loff_t, loff_t, int)' [A] 'function gen_pool* devm_gen_pool_create(device*, int, int, const char*)' [A] 'function loff_t fixed_size_llseek(file*, loff_t, int, loff_t)' [A] 'function long long unsigned int get_random_u64()' [A] 'function void kmsg_dump_rewind(kmsg_dumper*)' [A] 'function long long unsigned int nsec_to_clock_t(long long unsigned int)' [A] 'function int unregister_die_notifier(notifier_block*)' 3 Added variables: [A] 'tracepoint __tracepoint_android_vh_printk_store' [A] 'tracepoint __tracepoint_android_vh_show_regs' [A] 'kernel_cpustat kernel_cpustat' ======================================================== Bug: 230403356 Change-Id: I4bae75a029d1a0ed0d0648dbbbd832185e7546bc Signed-off-by: Ryun Park --- android/abi_gki_aarch64.xml | 78 +++++++++++++++++++++++++++++++--- android/abi_gki_aarch64_galaxy | 41 +++++++++++++----- 2 files changed, 101 insertions(+), 18 deletions(-) diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml index 01cb47c74fef..98f91038389e 100644 --- a/android/abi_gki_aarch64.xml +++ b/android/abi_gki_aarch64.xml @@ -64,6 +64,7 @@ + @@ -488,6 +489,7 @@ + @@ -1024,6 +1026,7 @@ + @@ -1694,6 +1697,7 @@ + @@ -1808,6 +1812,7 @@ + @@ -2384,6 +2389,7 @@ + @@ -2764,6 +2770,7 @@ + @@ -4337,6 +4344,7 @@ + @@ -4857,7 +4865,9 @@ + + @@ -4928,6 +4938,7 @@ + @@ -28343,7 +28354,7 @@ - + @@ -28631,7 +28642,7 @@ - + 
@@ -55580,6 +55591,8 @@ + + @@ -56128,6 +56141,12 @@ + + + + + + @@ -108155,7 +108174,7 @@ - + @@ -145183,6 +145202,13 @@ + + + + + + + @@ -146812,6 +146838,10 @@ + + + + @@ -147183,6 +147213,13 @@ + + + + + + + @@ -147366,7 +147403,7 @@ - + @@ -149785,6 +149822,9 @@ + + + @@ -150558,6 +150598,10 @@ + + + + @@ -150913,6 +150957,10 @@ + + + + @@ -151104,6 +151152,9 @@ + + + @@ -151112,6 +151163,11 @@ + + + + + @@ -151154,6 +151210,7 @@ + @@ -165057,6 +165114,13 @@ + + + + + + + @@ -168808,7 +168872,7 @@ - + @@ -168816,7 +168880,7 @@ - + @@ -168824,7 +168888,7 @@ - + diff --git a/android/abi_gki_aarch64_galaxy b/android/abi_gki_aarch64_galaxy index db6e276ab3a6..5e5ddaccee68 100644 --- a/android/abi_gki_aarch64_galaxy +++ b/android/abi_gki_aarch64_galaxy @@ -1,4 +1,6 @@ [abi_symbol_list] + LZ4_decompress_safe + PDE_DATA ___ratelimit __alloc_disk_node __alloc_pages_nodemask @@ -40,6 +42,7 @@ __cpuhp_setup_state_cpuslocked __dev_kfree_skb_any __dev_kfree_skb_irq + __devm_alloc_percpu __devm_iio_device_register __devm_irq_alloc_descs __devm_of_phy_provider_register @@ -150,9 +153,9 @@ __srcu_read_unlock __stack_chk_fail __stack_chk_guard - __sw_hweight8 __sw_hweight32 __sw_hweight64 + __sw_hweight8 __sync_dirty_buffer __task_pid_nr_ns __tasklet_hi_schedule @@ -162,7 +165,9 @@ __tracepoint_android_vh_ipi_stop __tracepoint_android_vh_is_fpsimd_save __tracepoint_android_vh_kfree_skb + __tracepoint_android_vh_printk_store __tracepoint_android_vh_ptype_head + __tracepoint_android_vh_show_regs __tracepoint_android_vh_wq_lockup_pool __tracepoint_device_pm_callback_end __tracepoint_device_pm_callback_start @@ -286,6 +291,7 @@ blk_rq_unmap_user blk_stat_enable_accounting blk_verify_command + blkdev_fsync blkdev_get_by_dev blkdev_get_by_path blkdev_put @@ -590,6 +596,7 @@ devm_extcon_register_notifier devm_free_irq devm_fwnode_get_index_gpiod_from_child + devm_gen_pool_create devm_gpio_request devm_gpio_request_one devm_gpiochip_add_data 
@@ -609,6 +616,7 @@ devm_kmalloc devm_kmemdup devm_kstrdup + devm_kstrdup_const devm_led_classdev_register_ext devm_nvmem_cell_get devm_nvmem_device_get @@ -727,8 +735,8 @@ dmaengine_unmap_put dmam_alloc_attrs dmam_free_coherent - do_exit do_SAK + do_exit do_wait_intr down down_interruptible @@ -1011,6 +1019,7 @@ find_vpid finish_wait firmware_request_nowarn + fixed_size_llseek flush_dcache_page flush_delayed_work flush_work @@ -1055,8 +1064,10 @@ generic_file_splice_read generic_handle_irq generic_mii_ioctl + generic_perform_write generic_read_dir generic_shutdown_super + generic_write_checks genl_register_family genl_unregister_family genlmsg_put @@ -1068,6 +1079,7 @@ get_pid_task get_random_bytes get_random_u32 + get_random_u64 get_task_exe_file get_task_mm get_task_pid @@ -1101,6 +1113,7 @@ gpio_to_desc gpiochip_add_data_with_key gpiochip_add_pin_range + gpiochip_find gpiochip_generic_free gpiochip_generic_request gpiochip_get_data @@ -1110,10 +1123,10 @@ gpiochip_remove gpiochip_set_nested_irqchip gpiochip_unlock_as_irq + gpiod_cansleep gpiod_direction_input gpiod_direction_output gpiod_direction_output_raw - gpiod_cansleep gpiod_get_optional gpiod_get_raw_value gpiod_get_raw_value_cansleep @@ -1223,9 +1236,9 @@ iio_read_channel_processed iio_read_channel_raw import_iovec + in6_pton in_aton in_egroup_p - in6_pton init_dummy_netdev init_net init_srcu_struct @@ -1309,6 +1322,7 @@ ion_heap_unmap_kernel ion_query_heaps_kernel iounmap + iov_iter_kvec iput ipv6_stub irq_chip_ack_parent @@ -1362,14 +1376,15 @@ iterate_dir iterate_fd jiffies + jiffies64_to_msecs jiffies_64_to_clock_t jiffies_to_msecs jiffies_to_usecs - jiffies64_to_msecs kasprintf kern_path kernel_bind kernel_connect + kernel_cpustat kernel_getsockname kernel_kobj kernel_read @@ -1401,6 +1416,8 @@ kmem_cache_free kmemdup kmemdup_nul + kmsg_dump_get_line + kmsg_dump_rewind kobject_add kobject_create_and_add kobject_del 
@@ -1478,7 +1495,6 @@ lockref_get lookup_one_len loops_per_jiffy - LZ4_decompress_safe map_vm_area match_int match_token @@ -1593,6 +1609,7 @@ ns_to_timespec ns_to_timespec64 ns_to_timeval + nsec_to_clock_t nsecs_to_jiffies nvmem_cell_get nvmem_cell_put @@ -1770,7 +1787,6 @@ pci_write_config_dword pcie_capability_read_word pcim_enable_device - PDE_DATA perf_trace_buf_alloc perf_trace_run_bpf_submit pfn_valid @@ -1940,6 +1956,7 @@ regmap_bulk_write regmap_field_read regmap_field_update_bits_base + regmap_mmio_detach_clk regmap_multi_reg_write regmap_multi_reg_write_bypassed regmap_raw_read @@ -1979,7 +1996,6 @@ regulatory_set_wiphy_regd_sync_rtnl release_firmware release_sock - regmap_mmio_detach_clk remap_pfn_range remap_vmalloc_range remove_proc_entry @@ -2023,6 +2039,8 @@ rpmsg_trysend rpmsg_unregister_device rps_needed + rt_mutex_lock + rt_mutex_unlock rtc_class_close rtc_class_open rtc_read_time @@ -2033,8 +2051,6 @@ rtnl_is_locked rtnl_lock rtnl_unlock - rt_mutex_lock - rt_mutex_unlock runqueues save_stack_trace save_stack_trace_tsk @@ -2532,6 +2548,8 @@ unlock_rename unmap_mapping_range unregister_chrdev_region + unregister_console + unregister_die_notifier unregister_filesystem unregister_inet6addr_notifier unregister_inetaddr_notifier @@ -2722,7 +2740,6 @@ usbnet_write_cmd_nopm user_path_at_empty usleep_range - v4l_bound_align_image v4l2_ctrl_find v4l2_ctrl_g_ctrl v4l2_ctrl_get_name @@ -2764,6 +2781,7 @@ v4l2_subdev_call_wrappers v4l2_subdev_init v4l2_type_names + v4l_bound_align_image vabits_actual vb2_buffer_done vb2_common_vm_ops @@ -2810,6 +2828,7 @@ vfs_create vfs_fallocate vfs_fsync + vfs_fsync_range vfs_getattr vfs_getxattr vfs_link From 4177a169eb2711d7d47bf00a3b9673a2f7690f5a Mon Sep 17 00:00:00 2001 
From: Miklos Szeredi Date: Mon, 7 Mar 2022 16:30:44 +0100 Subject: [PATCH 02/16] BACKPORT: fuse: fix pipe buffer lifetime for direct_io commit 0c4bcfdecb1ac0967619ee7ff44871d93c08c909 upstream. In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls fuse_direct_write_iter(), which normally calls fuse_direct_io(), which then imports the write buffer with fuse_get_user_pages(), which uses iov_iter_get_pages() to grab references to userspace pages instead of actually copying memory. On the filesystem device side, these pages can then either be read to userspace (via fuse_dev_read()), or splice()d over into a pipe using fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops. This is wrong because after fuse_dev_do_read() unlocks the FUSE request, the userspace filesystem can mark the request as completed, causing write() to return. At that point, the userspace filesystem should no longer have access to the pipe buffer. Fix by copying pages coming from the user address space to new pipe buffers. Bug: 226679409 Reported-by: Jann Horn Fixes: c3021629a0d8 ("fuse: support splice() reading from fuse device") Cc: Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: I57a98e96e36bb97ce3e7b1ebf88917c6c8b0247d --- fs/fuse/dev.c | 12 +++++++++++- fs/fuse/file.c | 1 + fs/fuse/fuse_i.h | 1 + 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index e63a67e4f9fa..94e580358e76 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c 
@@ -934,7 +934,17 @@ static int fuse_copy_page(struct fuse_copy_state *cs, struct page **pagep, while (count) { if (cs->write && cs->pipebufs && page) { - return fuse_ref_page(cs, page, offset, count); + /* + * Can't control lifetime of pipe buffers, so always + * copy user pages. + */ + if (cs->req->args->user_pages) { + err = fuse_copy_fill(cs); + if (err) + return err; + } else { + return fuse_ref_page(cs, page, offset, count); + } } else if (!cs->len) { if (cs->move_pages && page && offset == 0 && count == PAGE_SIZE) { diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 5cf13196ce69..efb2a4871291 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -1433,6 +1433,7 @@ static int fuse_get_user_pages(struct fuse_args_pages *ap, struct iov_iter *ii, (PAGE_SIZE - ret) & (PAGE_SIZE - 1); } + ap->args.user_pages = true; if (write) ap->args.in_pages = 1; else diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h index 05498bbd82f6..ab1d15e6f15d 100644 --- a/fs/fuse/fuse_i.h +++ b/fs/fuse/fuse_i.h @@ -248,6 +248,7 @@ struct fuse_args { bool nocreds:1; bool in_pages:1; bool out_pages:1; + bool user_pages:1; bool out_argvar:1; bool page_zeroing:1; bool page_replace:1; From 353ca06c86a6cb6e85972076dfe36a753ff3ded6 Mon Sep 17 00:00:00 2001 
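Review bot: The new `user_pages` bit in `struct fuse_args` (fuse_i.h hunk) carries a memory-safety invariant but is declared without a comment. The dev.c branch that tests it also relies on falling through to the copy code later in the loop, which lies outside the hunk. I would document the bit at its declaration, e.g. `/* pages are references into a user address space: copy them, never reference them, into pipe buffers */`, and extend the dev.c comment to say that the copy itself happens further down in the loop body. The file.c hunk sets the flag in `fuse_get_user_pages()`; whether any other path attaches user-backed pages to a request cannot be seen from these hunks and is worth confirming.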
From: Xie Yongji Date: Tue, 26 Oct 2021 22:40:15 +0800 Subject: [PATCH 03/16] BACKPORT: virtio-blk: Use blk_validate_block_size() to validate block size The block layer can't support a block size larger than page size yet. And a block size that's too small or not a power of two won't work either. If a misconfigured device presents an invalid block size in configuration space, it will result in the kernel crash something like below: [ 506.154324] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 506.160416] RIP: 0010:create_empty_buffers+0x24/0x100 [ 506.174302] Call Trace: [ 506.174651] create_page_buffers+0x4d/0x60 [ 506.175207] block_read_full_page+0x50/0x380 [ 506.175798] ? __mod_lruvec_page_state+0x60/0xa0 [ 506.176412] ? __add_to_page_cache_locked+0x1b2/0x390 [ 506.177085] ? blkdev_direct_IO+0x4a0/0x4a0 [ 506.177644] ? scan_shadow_nodes+0x30/0x30 [ 506.178206] ? lru_cache_add+0x42/0x60 [ 506.178716] do_read_cache_page+0x695/0x740 [ 506.179278] ? read_part_sector+0xe0/0xe0 [ 506.179821] read_part_sector+0x36/0xe0 [ 506.180337] adfspart_check_ICS+0x32/0x320 [ 506.180890] ? snprintf+0x45/0x70 [ 506.181350] ? read_part_sector+0xe0/0xe0 [ 506.181906] bdev_disk_changed+0x229/0x5c0 [ 506.182483] blkdev_get_whole+0x6d/0x90 [ 506.183013] blkdev_get_by_dev+0x122/0x2d0 [ 506.183562] device_add_disk+0x39e/0x3c0 [ 506.184472] virtblk_probe+0x3f8/0x79b [virtio_blk] [ 506.185461] virtio_dev_probe+0x15e/0x1d0 [virtio] So let's use a block layer helper to validate the block size. Signed-off-by: Xie Yongji Acked-by: Michael S. Tsirkin Link: https://lore.kernel.org/r/20211026144015.188-5-xieyongji@bytedance.com Signed-off-by: Jens Axboe (cherry picked from commit 57a13a5b8157d9a8606490aaa1b805bafe6c37e1) [keirf@: Implement missing error path] Bug: 226679849 
Signed-off-by: Keir Fraser Change-Id: I78cde1101baf8da2f68d0b9f942a0f1ec89fb30e (cherry picked from commit 588affc843da96cda1747b4caa8fcd9bd8796d3c) --- drivers/block/virtio_blk.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c index 5eb383670837..d87456175270 100644 --- a/drivers/block/virtio_blk.c +++ b/drivers/block/virtio_blk.c @@ -938,9 +938,17 @@ static int virtblk_probe(struct virtio_device *vdev) err = virtio_cread_feature(vdev, VIRTIO_BLK_F_BLK_SIZE, struct virtio_blk_config, blk_size, &blk_size); - if (!err) + if (!err) { + err = blk_validate_block_size(blk_size); + if (err) { + dev_err(&vdev->dev, + "virtio_blk: invalid block size: 0x%x\n", + blk_size); + goto out_cleanup_disk; + } + blk_queue_logical_block_size(q, blk_size); - else + } else blk_size = queue_logical_block_size(q); /* Use topology information if available */ @@ -1001,6 +1009,8 @@ static int virtblk_probe(struct virtio_device *vdev) device_add_disk(&vdev->dev, vblk->disk, virtblk_attr_groups); return 0; +out_cleanup_disk: + blk_cleanup_queue(vblk->disk->queue); out_free_tags: blk_mq_free_tag_set(&vblk->tag_set); out_put_disk: From 45e2b6a26f7fe5e2efbcc804c8574ddd3049a8a8 Mon Sep 17 00:00:00 2001 From: Xie Yongji Date: Tue, 26 Oct 2021 22:40:12 +0800 Subject: [PATCH 04/16] BACKPORT: block: Add a helper to validate the block size commit 570b1cac477643cbf01a45fa5d018430a1fddbce upstream. There are some duplicated codes to validate the block size in block drivers. This limitation actually comes from block layer, so this patch tries to add a new block layer helper for that. Bug: 226679849 Signed-off-by: Xie Yongji Link: https://lore.kernel.org/r/20211026144015.188-2-xieyongji@bytedance.com Signed-off-by: Jens Axboe Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman Change-Id: I869a720a18f85fac878459f719cae6a7183a8745 --- include/linux/blkdev.h | 8 ++++++++ 1 file changed, 8 insertions(+) 
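Review bot: The `if (!err) { … } else` in the first `virtblk_probe()` hunk now pairs a braced branch with an unbraced one, which kernel coding style asks to avoid; write `} else {` / `blk_size = queue_logical_block_size(q);` / `}`. The string passed to `dev_err()` hard-codes a `virtio_blk:` prefix although `dev_err()` already identifies the device, so `"invalid block size: 0x%x\n"` is enough. The topology values read after the `/* Use topology information if available */` comment come from the same device configuration space; whether they are range-checked is not visible here, since the function body continues outside both hunks.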
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h index e5ee34f292b4..56998391eaa2 100644 --- a/include/linux/blkdev.h +++ b/include/linux/blkdev.h @@ -60,6 +60,14 @@ struct keyslot_manager; */ #define BLKCG_MAX_POLS 5 +static inline int blk_validate_block_size(unsigned int bsize) +{ + if (bsize < 512 || bsize > PAGE_SIZE || !is_power_of_2(bsize)) + return -EINVAL; + + return 0; +} + typedef void (rq_end_io_fn)(struct request *, blk_status_t); /* From 850a2f987ca409e74ef1b9331b2907ea09f75611 Mon Sep 17 00:00:00 2001 
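Review bot: `blk_validate_block_size()` is added to a widely included header without any comment describing its contract. A short comment above it would do, e.g. `/* Returns 0 if @bsize is a power of two in [512, PAGE_SIZE], -EINVAL otherwise. */`. The helper depends on `is_power_of_2()`; whether blkdev.h already pulls in `<linux/log2.h>` ahead of this point is not visible in the hunk and should be confirmed.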
From: Eric Dumazet Date: Sat, 12 Mar 2022 15:29:58 -0800 Subject: [PATCH 05/16] BACKPORT: net/packet: fix slab-out-of-bounds access in packet_recvmsg() [ Upstream commit c700525fcc06b05adfea78039de02628af79e07a ] syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH and mmap operations, tpacket_rcv() is queueing skbs with garbage in skb->cb[], triggering a too big copy [1] Presumably, users of af_packet using mmap() already gets correct metadata from the mapped buffer, we can simply make sure to clear 12 bytes that might be copied to user space later. BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline] BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489 Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631 CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 memcpy+0x39/0x60 mm/kasan/shadow.c:66 memcpy include/linux/fortify-string.h:225 [inline] packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489 sock_recvmsg_nosec net/socket.c:948 [inline] sock_recvmsg net/socket.c:966 [inline] sock_recvmsg net/socket.c:962 [inline] ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632 ___sys_recvmsg+0x127/0x200 net/socket.c:2674 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fdfd5954c29 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 
41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005 RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60 R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54 addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame: ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246 this frame has 1 object: [32, 160) 'addr' Memory state around the buggy address: ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 >ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 ^ ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 ================================================================== Bug: 224546354 Fixes: 0fb375fb9b93 ("[AF_PACKET]: Allow for > 8 byte hardware addresses.") Signed-off-by: Eric Dumazet Reported-by: syzbot Link: https://lore.kernel.org/r/20220312232958.3535620-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin Signed-off-by: Lee Jones Change-Id: I37e4a05a8d81b2645bc65db002e644b40d1a984d --- net/packet/af_packet.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 852bbbbe341f..1a7857d5e10a 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c 
@@ -2256,8 +2256,11 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, copy_skb = skb_get(skb); skb_head = skb->data; } - if (copy_skb) + if (copy_skb) { + memset(&PACKET_SKB_CB(copy_skb)->sa.ll, 0, + sizeof(PACKET_SKB_CB(copy_skb)->sa.ll)); skb_set_owner_r(copy_skb, sk); + } } snaplen = po->rx_ring.frame_size - macoff; if ((int)snaplen < 0) { @@ -3403,6 +3406,8 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, sock_recv_ts_and_drops(msg, sk, skb); if (msg->msg_name) { + const size_t max_len = min(sizeof(skb->cb), + sizeof(struct sockaddr_storage)); int copy_len; /* If the address length field is there to be filled @@ -3425,6 +3430,10 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, msg->msg_namelen = sizeof(struct sockaddr_ll); } } + if (WARN_ON_ONCE(copy_len > max_len)) { + copy_len = max_len; + msg->msg_namelen = copy_len; + } memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len); } From d2ed4cfcd5a5d837db53466e1aeaefb1c545d4e8 Mon Sep 17 00:00:00 2001 From: Elliot Berman Date: Wed, 27 Apr 2022 12:55:25 -0700 Subject: [PATCH 06/16] ANDROID: Add flag to indicate compiling against ACK Add a flag: __ANDROID_COMMON_KERNEL__ which out-of-tree vendor drivers can use to check if they are compiling against an Android Common Kernel. These out-of-tree vendor drivers can use this flag + LINUX_KERNEL_VERSION to determine if a feature has been backported. Bug: 229953929 Change-Id: I832344d63f3639479784753edfb7ac405068312f Signed-off-by: Elliot Berman --- build.config.common | 1 + 1 file changed, 1 insertion(+) diff --git a/build.config.common b/build.config.common index bdfcee55a9b2..e981c0e879d3 100644 --- a/build.config.common +++ b/build.config.common 
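Review bot: In the `packet_recvmsg()` hunks `copy_len` is an `int` while `max_len` is a `const size_t`, so `copy_len > max_len` is a mixed signed/unsigned comparison. It fails safe, because a negative `copy_len` converts to a large value and is clamped, but that should be stated rather than accidental, e.g. `/* copy_len is converted to size_t here; a negative value is clamped as well */`. In the `tpacket_rcv()` hunk the `memset()` deserves a comment such as `/* cb[] of copy_skb may hold stale data on this path; packet_recvmsg() later copies sa out of it */`. Both functions continue outside the hunks.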
@@ -9,6 +9,7 @@ DEPMOD=depmod CLANG_PREBUILT_BIN=prebuilts-master/clang/host/linux-x86/clang-r416183b/bin BUILDTOOLS_PREBUILT_BIN=build/build-tools/path/linux-x86 +KCFLAGS=-D__ANDROID_COMMON_KERNEL__ EXTRA_CMDS='' STOP_SHIP_TRACEPRINTK=1 IN_KERNEL_MODULES=1 From 2586f0405bc8ffd741d8cd5fd3fe8034e201a215 Mon Sep 17 00:00:00 2001 From: Lecopzer Chen Date: Fri, 29 Apr 2022 16:37:36 +0800 Subject: [PATCH 07/16] ANDROID: fix KCFLAGS override by __ANDROID_COMMON_KERNEL__ Our test build is broken by KCFLAGS overrided in build.config.comm. Since Linux Makefile supports 'export KCFLAGS=XXX' to customize the KCFLAGS, and we should keep this functionality. Bug: 230818006 Fixes: d2ed4cfcd5a5 ("ANDROID: Add flag to indicate compiling against ACK") Signed-off-by: Lecopzer Chen Change-Id: I9425d79697bc1fe816ce82d523f91631dee6b8f4 --- build.config.common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.config.common b/build.config.common index e981c0e879d3..f671676545c0 100644 --- a/build.config.common +++ b/build.config.common @@ -9,7 +9,7 @@ DEPMOD=depmod CLANG_PREBUILT_BIN=prebuilts-master/clang/host/linux-x86/clang-r416183b/bin BUILDTOOLS_PREBUILT_BIN=build/build-tools/path/linux-x86 -KCFLAGS=-D__ANDROID_COMMON_KERNEL__ +KCFLAGS="${KCFLAGS} -D__ANDROID_COMMON_KERNEL__" EXTRA_CMDS='' STOP_SHIP_TRACEPRINTK=1 IN_KERNEL_MODULES=1 From 9adbfa635e99a79daf01f56c0a6f4b78d942ec5c Mon Sep 17 00:00:00 2001 
From: Lina Wang Date: Thu, 5 May 2022 13:48:49 +0800 Subject: [PATCH 08/16] FROMGIT: net: fix wrong network header length MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When clatd starts with ebpf offloaing, and NETIF_F_GRO_FRAGLIST is enable, several skbs are gathered in skb_shinfo(skb)->frag_list. The first skb's ipv6 header will be changed to ipv4 after bpf_skb_proto_6_to_4, network_header\transport_header\mac_header have been updated as ipv4 acts, but other skbs in frag_list didnot update anything, just ipv6 packets. udp_queue_rcv_skb will call skb_segment_list to traverse other skbs in frag_list and make sure right udp payload is delivered to user space. Unfortunately, other skbs in frag_list who are still ipv6 packets are updated like the first skb and will have wrong transport header length. e.g.before bpf_skb_proto_6_to_4,the first skb and other skbs in frag_list has the same network_header(24)& transport_header(64), after bpf_skb_proto_6_to_4, ipv6 protocol has been changed to ipv4, the first skb's network_header is 44,transport_header is 64, other skbs in frag_list didnot change.After skb_segment_list, the other skbs in frag_list has different network_header(24) and transport_header(44), so there will be 20 bytes different from original,that is difference between ipv6 header and ipv4 header. Just change transport_header to be the same with original. Actually, there are two solutions to fix it, one is traversing all skbs and changing every skb header in bpf_skb_proto_6_to_4, the other is modifying frag_list skb's header in skb_segment_list. Considering efficiency, adopt the second one--- when the first skb and other skbs in frag_list has different network_header length, restore them to make sure right udp payload is delivered to user space. Signed-off-by: Lina Wang 
Signed-off-by: David S. Miller (cherry picked from commit cf3ab8d4a797960b4be20565abb3bcd227b18a68 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git master) Bug: 218157620 Test: TreeHugger Signed-off-by: Maciej Żenczykowski Change-Id: I36f2f329ec1a56bb0742141a7fa482cafa183ad3 --- net/core/skbuff.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 8f515391a4ae..bd51b795f7b1 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -3680,7 +3680,7 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, unsigned int delta_len = 0; struct sk_buff *tail = NULL; struct sk_buff *nskb, *tmp; - int err; + int len_diff, err; skb_push(skb, -skb_network_offset(skb) + offset); @@ -3720,9 +3720,11 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, skb_push(nskb, -skb_network_offset(nskb) + offset); skb_release_head_state(nskb); + len_diff = skb_network_header_len(nskb) - skb_network_header_len(skb); __copy_skb_header(nskb, skb); skb_headers_offset_update(nskb, skb_headroom(nskb) - skb_headroom(skb)); + nskb->transport_header += len_diff; skb_copy_from_linear_data_offset(skb, -tnl_hlen, nskb->data - tnl_hlen, offset + tnl_hlen); From 7f04e0c309811e762872a7ce71fba9cb359dd2c0 Mon Sep 17 00:00:00 2001 From: Lee Jones Date: Mon, 9 May 2022 15:17:10 +0100 Subject: [PATCH 09/16] BACKPORT: staging: ion: Prevent incorrect reference counting behavour Supply additional check in order to prevent unexpected results. Bug: 205573273 Fixes: b892bf75b2034 ("ion: Switch ion to use dma-buf") Suggested-by: Dan Carpenter Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman [Lee: Patch now applies to ion_buffer.c instead of ion.c] Change-Id: Ia6afdd9ca502caa9cad6619d438fc6c8e8457679 (cherry picked from commit 27da8d16e4f0a0ef37da356599eb36adec542643) --- drivers/staging/android/ion/ion_buffer.c | 3 +++ 1 file changed, 3 insertions(+) 
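Review bot: `len_diff` in `skb_segment_list()` is computed and applied with no comment, so the reason for adjusting `nskb->transport_header` after `skb_headers_offset_update()` lives only in the commit message. Add a comment above the computation, e.g. `/* frag_list skbs may keep a network header of a different length than the head skb (IPv6 vs IPv4 after translation); preserve their transport offset */`. The comment should also say that the value has to be taken before `__copy_skb_header()` runs, presumably because that call replaces nskb's header offsets with those of `skb`. The function body continues outside both hunks.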
diff --git a/drivers/staging/android/ion/ion_buffer.c b/drivers/staging/android/ion/ion_buffer.c index e22330f844c3..9dfb94e37554 100644 --- a/drivers/staging/android/ion/ion_buffer.c +++ b/drivers/staging/android/ion/ion_buffer.c @@ -249,6 +249,9 @@ void *ion_buffer_kmap_get(struct ion_buffer *buffer) void *vaddr; if (buffer->kmap_cnt) { + if (buffer->kmap_cnt == INT_MAX) + return ERR_PTR(-EOVERFLOW); + buffer->kmap_cnt++; return buffer->vaddr; } From 0840b18507033ee3b18c9ab053a44a16479bfd26 Mon Sep 17 00:00:00 2001 From: Lee Jones Date: Fri, 11 Mar 2022 14:19:59 +0000 Subject: [PATCH 10/16] ANDROID: dm-bow: Protect Ranges fetched and erased from the RB tree Bug: 195565510 Signed-off-by: Lee Jones Change-Id: Ic8134eb902aa7d929e3121b2f69b1d258f570652 (cherry picked from commit 98c15b2bad1a277da43c65c642f8c3c3ee07bacc) --- drivers/md/dm-bow.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/md/dm-bow.c b/drivers/md/dm-bow.c index 62a1203589b2..ee4359fe6bfa 100644 --- a/drivers/md/dm-bow.c +++ b/drivers/md/dm-bow.c @@ -599,6 +599,7 @@ static void dm_bow_dtr(struct dm_target *ti) struct bow_context *bc = (struct bow_context *) ti->private; struct kobject *kobj; + mutex_lock(&bc->ranges_lock); while (rb_first(&bc->ranges)) { struct bow_range *br = container_of(rb_first(&bc->ranges), struct bow_range, node); @@ -606,6 +607,8 @@ static void dm_bow_dtr(struct dm_target *ti) rb_erase(&br->node, &bc->ranges); kfree(br); } + mutex_unlock(&bc->ranges_lock); + if (bc->workqueue) destroy_workqueue(bc->workqueue); if (bc->bufio) @@ -1182,6 +1185,7 @@ static void dm_bow_tablestatus(struct dm_target *ti, char *result, return; } + mutex_lock(&bc->ranges_lock); for (i = rb_first(&bc->ranges); i; i = rb_next(i)) { struct bow_range *br = container_of(i, struct bow_range, node); 
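Review bot: `ion_buffer_kmap_get()` now returns `ERR_PTR(-EOVERFLOW)` once `kmap_cnt` has reached `INT_MAX`, so the fix only holds if every caller tests the result with `IS_ERR()` rather than for NULL; the callers are not part of this diff. I would record that at the check, e.g. `/* refuse to wrap kmap_cnt; callers must test the result with IS_ERR() */`, and confirm the call sites. The comparison with `INT_MAX` assumes `kmap_cnt` is an `int`, which the hunk does not show. The function continues outside the hunk.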
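Review bot: In the `dm_bow_dtr()` hunks `ranges_lock` is released before `destroy_workqueue(bc->workqueue)`, so a work item that is still queued could run after every `bow_range` has been erased and freed. Whether the work functions touch `bc->ranges` is not visible here, so this needs confirming; if they do, the workqueue should be destroyed before the tree is emptied. A one-line comment at the `mutex_lock()`, such as `/* serialise with other users of bc->ranges, e.g. dm_bow_tablestatus() */`, would also record what the lock protects. The destructor body continues outside the hunks.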
@@ -1189,11 +1193,11 @@ static void dm_bow_tablestatus(struct dm_target *ti, char *result, readable_type[br->type], (unsigned long long)br->sector); if (result >= end) - return; + goto unlock; result += scnprintf(result, end - result, "\n"); if (result >= end) - return; + goto unlock; if (br->type == TRIMMED) ++trimmed_range_count; @@ -1215,19 +1219,22 @@ static void dm_bow_tablestatus(struct dm_target *ti, char *result, if (!rb_next(i)) { scnprintf(result, end - result, "\nERROR: Last range not of type TOP"); - return; + goto unlock; } if (br->sector > range_top(br)) { scnprintf(result, end - result, "\nERROR: sectors out of order"); - return; + goto unlock; } } if (trimmed_range_count != trimmed_list_length) scnprintf(result, end - result, "\nERROR: not all trimmed ranges in trimmed list"); + +unlock: + mutex_unlock(&bc->ranges_lock); } static void dm_bow_status(struct dm_target *ti, status_type_t type, From f896faff41a88bab7c23a57081e3d21ade5011e9 Mon Sep 17 00:00:00 2001 From: Srinivasarao Pathipati Date: Wed, 11 May 2022 14:59:07 +0530 Subject: [PATCH 11/16] ANDROID: ABI: Update allowed list for QCOM Update the android/abi_gki_aarch64_qcom with API kill_anon_super. Bug: 230828747 Change-Id: I5abe6a5a27f343997ef8a83beb3b0adee796a23c Signed-off-by: Srinivasarao Pathipati --- android/abi_gki_aarch64_qcom | 1 + 1 file changed, 1 insertion(+) diff --git a/android/abi_gki_aarch64_qcom b/android/abi_gki_aarch64_qcom index d84202f3fd64..750745a41893 100644 --- a/android/abi_gki_aarch64_qcom +++ b/android/abi_gki_aarch64_qcom @@ -1309,6 +1309,7 @@ kfree kfree_skb kfree_skb_list + kill_anon_super kill_fasync kill_litter_super kimage_vaddr From 09c810c77de75cd5dd1f7126a78595012d97db84 Mon Sep 17 00:00:00 2001 
From: Steffen Klassert Date: Mon, 7 Mar 2022 13:11:39 +0100 Subject: [PATCH 12/16] BACKPORT: esp: Fix possible buffer overflow in ESP transformation commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 upstream. The maximum message size that can be send is bigger than the maximum site that skb_page_frag_refill can allocate. So it is possible to write beyond the allocated buffer. Fix this by doing a fallback to COW in that case. v2: Avoid get get_order() costs as suggested by Linus Torvalds. Bug: 227452856 Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") Reported-by: valis Signed-off-by: Steffen Klassert Signed-off-by: Tadeusz Struk Signed-off-by: Greg Kroah-Hartman Change-Id: I2c7f97914138271e7788adfcebbd0b2b8b43cdcb Signed-off-by: Lee Jones --- include/net/esp.h | 2 ++ include/net/sock.h | 1 + net/ipv4/esp4.c | 5 +++++ net/ipv6/esp6.c | 5 +++++ 4 files changed, 13 insertions(+) diff --git a/include/net/esp.h b/include/net/esp.h index 117652eb6ea3..465e38890ee9 100644 --- a/include/net/esp.h +++ b/include/net/esp.h @@ -4,6 +4,8 @@ #include +#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER) + struct ip_esp_hdr; static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb) diff --git a/include/net/sock.h b/include/net/sock.h index 6614449474ab..281c766129ad 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -2604,6 +2604,7 @@ extern int sysctl_optmem_max; extern __u32 sysctl_wmem_default; extern __u32 sysctl_rmem_default; +#define SKB_FRAG_PAGE_ORDER get_order(32768) DECLARE_STATIC_KEY_FALSE(net_high_order_alloc_disable_key); static inline int sk_get_wmem0(const struct sock *sk, const struct proto *proto) diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 86c836fa2145..94e17790769b 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c 
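Review bot: `SKB_FRAG_PAGE_ORDER` is introduced in include/net/sock.h, but the diffstat lists no .c file other than esp4.c and esp6.c, so if net/core/sock.c still carries its own `#define SKB_FRAG_PAGE_ORDER get_order(32768)` the macro now exists in two places. An identical redefinition compiles, but the two copies can drift apart, and the header should be the single definition; please confirm against the tree. `ESP_SKB_FRAG_MAXSIZE` in esp.h also depends on the including file having seen net/sock.h first, which is worth a comment next to the macro, e.g. `/* needs SKB_FRAG_PAGE_ORDER from <net/sock.h> */`.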
@@ -277,6 +277,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * struct page *page; struct sk_buff *trailer; int tailen = esp->tailen; + unsigned int allocsz; /* this is non-NULL only with UDP Encapsulation */ if (x->encap) { @@ -286,6 +287,10 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * return err; } + allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES); + if (allocsz > ESP_SKB_FRAG_MAXSIZE) + goto cow; + if (!skb_cloned(skb)) { if (tailen <= skb_tailroom(skb)) { nfrags = 1; diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 12570a73def8..06a172aa18c6 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@ -230,6 +230,11 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info struct page *page; struct sk_buff *trailer; int tailen = esp->tailen; + unsigned int allocsz; + + allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES); + if (allocsz > ESP_SKB_FRAG_MAXSIZE) + goto cow; if (!skb_cloned(skb)) { if (tailen <= skb_tailroom(skb)) { From 7d33bb909e4e5ad9856c5784f9e03e90ac7c77e2 Mon Sep 17 00:00:00 2001 From: Hangyu Hua Date: Fri, 11 Mar 2022 16:06:14 +0800 Subject: [PATCH 13/16] BACKPORT: can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path commit 3d3925ff6433f98992685a9679613a2cc97f3ce2 upstream. There is no need to call dev_kfree_skb() when usb_submit_urb() fails because can_put_echo_skb() deletes original skb and can_free_echo_skb() deletes the cloned skb. Bug: 228694483 Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices") Link: https://lore.kernel.org/all/20220311080614.45229-1-hbh25y@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Hangyu Hua Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman 
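Review bot: The new size check in esp_output_head() (repeated unchanged in esp6_output_head() in net/ipv6/esp6.c) has no comment saying why an oversized request must leave the page-fragment path, which makes the bound easy to drop in a later refactor. I would add above the `if`: `/* the page-frag path cannot hold more than ESP_SKB_FRAG_MAXSIZE; fall back to COW */`. The `cow` label and the allocation that consumes the size are outside the hunk, so the wording should be checked against them. The two identical checks could also share one small inline helper in include/net/esp.h so that the IPv4 and IPv6 paths cannot drift apart.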
Signed-off-by: Lee Jones Change-Id: I3c9191dd936d82e7c692fad33919b766e69ed7b5 --- drivers/net/can/usb/usb_8dev.c | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c index c43e98bb6e2d..b514b2eaa318 100644 --- a/drivers/net/can/usb/usb_8dev.c +++ b/drivers/net/can/usb/usb_8dev.c @@ -670,9 +670,20 @@ static netdev_tx_t usb_8dev_start_xmit(struct sk_buff *skb, atomic_inc(&priv->active_tx_urbs); err = usb_submit_urb(urb, GFP_ATOMIC); - if (unlikely(err)) - goto failed; - else if (atomic_read(&priv->active_tx_urbs) >= MAX_TX_URBS) + if (unlikely(err)) { + can_free_echo_skb(netdev, context->echo_index); + + usb_unanchor_urb(urb); + usb_free_coherent(priv->udev, size, buf, urb->transfer_dma); + + atomic_dec(&priv->active_tx_urbs); + + if (err == -ENODEV) + netif_device_detach(netdev); + else + netdev_warn(netdev, "failed tx_urb %d\n", err); + stats->tx_dropped++; + } else if (atomic_read(&priv->active_tx_urbs) >= MAX_TX_URBS) /* Slow down tx path */ netif_stop_queue(netdev); @@ -691,19 +702,6 @@ nofreecontext: return NETDEV_TX_BUSY; -failed: - can_free_echo_skb(netdev, context->echo_index); - - usb_unanchor_urb(urb); - usb_free_coherent(priv->udev, size, buf, urb->transfer_dma); - - atomic_dec(&priv->active_tx_urbs); - - if (err == -ENODEV) - netif_device_detach(netdev); - else - netdev_warn(netdev, "failed tx_urb %d\n", err); - nomembuf: usb_free_urb(urb); From 1ae6fd7e6f22372c78b602295d219688ca1c1664 Mon Sep 17 00:00:00 2001 
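Review bot: In usb_8dev_start_xmit the error arm now has braces while the following `else if` arm does not, which kernel coding style asks to avoid once one arm of the statement is a block. Writing it as `} else if (atomic_read(&priv->active_tx_urbs) >= MAX_TX_URBS) {` with the comment and `netif_stop_queue(netdev);` inside and a closing `}` keeps both arms braced. A one-line comment at the top of the error block, `/* skb was consumed by can_put_echo_skb(); free only the echo skb */`, would record why no dev_kfree_skb() belongs on this path. The code after the `if` statement is outside the hunk.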
From: Aran Dalton Date: Sat, 7 May 2022 16:22:37 +0800 Subject: [PATCH 14/16] ANDROID: ABI: Added symbols for allwinner Leaf changes summary: 1 artifact changed Changed leaf types summary: 0 leaf type changed Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 1 Added function Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variable 1 Added function: [A] 'function void devm_extcon_dev_free(device*, extcon_dev*)' Bug: 231769124 Change-Id: I962814563554a960d45adb18def5987aaff25c65 Signed-off-by: Aran Dalton --- android/abi_gki_aarch64.xml | 10 ++++++++-- android/abi_gki_aarch64_sunxi | 3 +++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml index 98f91038389e..418e0aa0fdcb 100644 --- a/android/abi_gki_aarch64.xml +++ b/android/abi_gki_aarch64.xml @@ -1020,6 +1020,7 @@ + @@ -67826,6 +67827,11 @@ + + + + + @@ -173625,7 +173631,7 @@ - + @@ -173789,7 +173795,7 @@ - + diff --git a/android/abi_gki_aarch64_sunxi b/android/abi_gki_aarch64_sunxi index 890759b51caf..c79db94302e6 100644 --- a/android/abi_gki_aarch64_sunxi +++ b/android/abi_gki_aarch64_sunxi @@ -308,3 +308,6 @@ dev_pm_opp_put_prop_name dev_pm_opp_put_supported_hw dev_pm_opp_set_prop_name + +# required by disp.ko + devm_extcon_dev_free From 12bf063cb90b8fc9d8f40140352c03dc13351ed3 Mon Sep 17 00:00:00 2001 From: Hangyu Hua Date: Mon, 28 Feb 2022 16:36:39 +0800 Subject: [PATCH 15/16] BACKPORT: can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path commit c70222752228a62135cee3409dccefd494a24646 upstream. There is no need to call dev_kfree_skb() when usb_submit_urb() fails beacause can_put_echo_skb() deletes the original skb and can_free_echo_skb() deletes the cloned skb. Bug: 228694391 Link: https://lore.kernel.org/all/20220228083639.38183-1-hbh25y@gmail.com Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface") Cc: stable@vger.kernel.org Cc: Sebastian Haas 
Signed-off-by: Hangyu Hua Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman Signed-off-by: Lee Jones Change-Id: Ia678a0b249eae6e80823461f18eb315ec5385eab --- drivers/net/can/usb/ems_usb.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c index 249d2fba28c7..6458da9c13b9 100644 --- a/drivers/net/can/usb/ems_usb.c +++ b/drivers/net/can/usb/ems_usb.c @@ -823,7 +823,6 @@ static netdev_tx_t ems_usb_start_xmit(struct sk_buff *skb, struct net_device *ne usb_unanchor_urb(urb); usb_free_coherent(dev->udev, size, buf, urb->transfer_dma); - dev_kfree_skb(skb); atomic_dec(&dev->active_tx_urbs); From e7792e2790f3b4440efa89e07a892556207a4078 Mon Sep 17 00:00:00 2001 From: Sachin Gupta Date: Tue, 17 May 2022 17:37:55 +0530 Subject: [PATCH 16/16] BACKPORT: scsi: ufs: Resume ufs host before accessing ufs device As a part of sysfs reading of descriptors/attributes/flags, query commands should only be executed when hba's power runtime status is active. To guarantee this, add pm_runtime_get/put_sync() to those paths where query commands are sent. Bug: 232878917 Link: https://lore.kernel.org/r/f712a4f7bdb0ae32e0d83634731e7aaa1b3a6cdd.1585009663.git.asutoshd@codeaurora.org Change-Id: I56b89be3ac850794b874a7b46295a8d12ef4ea02 (cherry picked from commit 0c2039dc1591bb9a3b887753b37946f09f4bf208) [sachgupt: Resolved minor conflict in drivers/scsi/ufs/ufs-sysfs.c] Signed-off-by: Nitin Rawat Signed-off-by: Sachin Gupta --- drivers/scsi/ufs/ufs-sysfs.c | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/drivers/scsi/ufs/ufs-sysfs.c b/drivers/scsi/ufs/ufs-sysfs.c index 443e9119743e..49b167f97e7b 100644 --- a/drivers/scsi/ufs/ufs-sysfs.c +++ b/drivers/scsi/ufs/ufs-sysfs.c 
@@ -211,8 +211,11 @@ static ssize_t ufs_sysfs_read_desc_param(struct ufs_hba *hba, if (param_size > 8) return -EINVAL; + pm_runtime_get_sync(hba->dev); ret = ufshcd_read_desc_param(hba, desc_id, desc_index, param_offset, desc_buf, param_size); + pm_runtime_put_sync(hba->dev); + if (ret) return -EINVAL; switch (param_size) { @@ -578,6 +581,7 @@ static ssize_t _name##_show(struct device *dev, \ desc_buf = kzalloc(QUERY_DESC_MAX_SIZE, GFP_ATOMIC); \ if (!desc_buf) \ return -ENOMEM; \ + pm_runtime_get_sync(hba->dev); \ ret = ufshcd_query_descriptor_retry(hba, \ UPIU_QUERY_OPCODE_READ_DESC, QUERY_DESC_IDN_DEVICE, \ 0, 0, desc_buf, &desc_len); \ @@ -594,6 +598,7 @@ static ssize_t _name##_show(struct device *dev, \ goto out; \ ret = snprintf(buf, PAGE_SIZE, "%s\n", desc_buf); \ out: \ + pm_runtime_put_sync(hba->dev); \ kfree(desc_buf); \ return ret; \ } \ @@ -630,14 +635,18 @@ static ssize_t _name##_show(struct device *dev, \ struct device_attribute *attr, char *buf) \ { \ bool flag; \ + int ret; \ u8 index = 0; \ struct ufs_hba *hba = dev_get_drvdata(dev); \ if (ufshcd_is_wb_flags(QUERY_FLAG_IDN##_uname)) \ index = ufshcd_wb_get_query_index(hba); \ - if (ufshcd_query_flag(hba, UPIU_QUERY_OPCODE_READ_FLAG, \ - QUERY_FLAG_IDN##_uname, index, &flag)) \ + pm_runtime_get_sync(hba->dev); \ + ret = ufshcd_query_flag(hba, UPIU_QUERY_OPCODE_READ_FLAG, \ + QUERY_FLAG_IDN##_uname, index, &flag); \ + pm_runtime_put_sync(hba->dev); \ + if (ret) \ return -EINVAL; \ - return sprintf(buf, "%s\n", flag ? "true" : "false"); \ + return sprintf(buf, "%s\n", flag ? "true" : "false"); \ } \ static DEVICE_ATTR_RO(_name) 
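Review bot: The return value of `pm_runtime_get_sync(hba->dev)` is ignored in ufs_sysfs_read_desc_param, and in the same way in the other four hunks of this file (the descriptor-string, flag and attribute show macros and dyn_cap_needed_attribute_show), so when the resume fails the query is still sent to a host that is not active. pm_runtime_get_sync() raises the usage count even on failure, so the error path has to drop it again: `if (pm_runtime_get_sync(hba->dev) < 0) { pm_runtime_put_noidle(hba->dev); return -EINVAL; }`. In the descriptor-string macro the buffer is already allocated at that point, so a failure there should leave through the existing `out:` label (for example `ret = pm_runtime_get_sync(hba->dev); if (ret < 0) goto out;`) instead of returning directly. The bodies of these functions extend beyond the hunks, so the exact error code should be matched to what the callers already return.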
@@ -686,10 +695,14 @@ static ssize_t _name##_show(struct device *dev, \ struct ufs_hba *hba = dev_get_drvdata(dev); \ u32 value; \ u8 index = 0; \ + int ret; \ if (ufshcd_is_wb_attrs(QUERY_ATTR_IDN##_uname)) \ index = ufshcd_wb_get_query_index(hba); \ - if (ufshcd_query_attr(hba, UPIU_QUERY_OPCODE_READ_ATTR, \ - QUERY_ATTR_IDN##_uname, index, 0, &value)) \ + pm_runtime_get_sync(hba->dev); \ + ret = ufshcd_query_attr(hba, UPIU_QUERY_OPCODE_READ_ATTR, \ + QUERY_ATTR_IDN##_uname, index, 0, &value); \ + pm_runtime_put_sync(hba->dev); \ + if (ret) \ return -EINVAL; \ return sprintf(buf, "0x%08X\n", value); \ } \ @@ -822,10 +835,15 @@ static ssize_t dyn_cap_needed_attribute_show(struct device *dev, struct scsi_device *sdev = to_scsi_device(dev); struct ufs_hba *hba = shost_priv(sdev->host); u8 lun = ufshcd_scsi_to_upiu_lun(sdev->lun); + int ret; - if (ufshcd_query_attr(hba, UPIU_QUERY_OPCODE_READ_ATTR, - QUERY_ATTR_IDN_DYN_CAP_NEEDED, lun, 0, &value)) + pm_runtime_get_sync(hba->dev); + ret = ufshcd_query_attr(hba, UPIU_QUERY_OPCODE_READ_ATTR, + QUERY_ATTR_IDN_DYN_CAP_NEEDED, lun, 0, &value); + pm_runtime_put_sync(hba->dev); + if (ret) return -EINVAL; + return sprintf(buf, "0x%08X\n", value); } static DEVICE_ATTR_RO(dyn_cap_needed_attribute);