Commit Graph

1065725 Commits

Author SHA1 Message Date
Android Build Coastguard Worker
94de3b405c Snap for 10500318 from 76474e604c to android13-5.15-keystone-qcom-release
Change-Id: Ife6c540743ebb95c3c57a93e55ffc66ba70350a3
2023-07-15 00:00:16 +00:00
keystone-kernel-automerger
76474e604c Merge remote-tracking branch into HEAD
* keystone/mirror-android13-5.15-2023-05:
  FROMGIT: pstore: Revert pmsg_lock back to a normal mutex
  ANDROID: ABI: Add to QCOM symbols list
  UPSTREAM: usb: dwc3: gadget: Return -ESHUTDOWN on ep disable

Change-Id: Ie5eac95d44774ac69bebf203be6e7b635652456d
Signed-off-by: keystone-kernel-automerger <keystone-kernel-automerger@google.com>
2023-07-14 06:21:45 +00:00
John Stultz
a0fe19aacc FROMGIT: pstore: Revert pmsg_lock back to a normal mutex
This reverts commit 76d62f24db07f22ccf9bc18ca793c27d4ebef721.

So while priority inversion on the pmsg_lock is an occasional
problem that an rt_mutex would help with, in uses where logging
is writing to pmsg heavily from multiple threads, the pmsg_lock
can be heavily contended.

After this change landed, it was reported that cases where the
mutex locking overhead was commonly adding on the order of 10s
of usecs delay had suddenly jumped to ~msec delay with rtmutex.

It seems the slight differences in the locks under this level
of contention causes the normal mutexes to utilize the spinning
optimizations, while the rtmutexes end up in the sleeping
slowpath (which allows additional threads to pile on trying
to take the lock).

In this case, it devolves to a worst case scenario where the lock
acquisition and scheduling overhead dominates, and each thread
is waiting on the order of ~ms to do ~us of work.

Obviously, having tons of threads all contending on a single
lock for logging is non-optimal, so the proper fix is probably
reworking pstore pmsg to have per-cpu buffers so we don't have
contention.

Additionally, Steven Rostedt has provided some further
optimizations for rtmutexes that improve the rtmutex spinning
path, but at least in my testing, I still see the test tripping
into the sleeping path on rtmutexes while utilizing the spinning
path with mutexes.

But in the short term, let's revert the change to the rt_mutex
and go back to normal mutexes to avoid a potentially major
performance regression. And we can work on optimizations to both
rtmutexes and finer-grained locking for pstore pmsg in the
future.

Cc: Wei Wang <wvw@google.com>
Cc: Midas Chien<midaschieh@google.com>
Cc: "Chunhui Li (李春辉)" <chunhui.li@mediatek.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Anton Vorontsov <anton@enomsg.org>
Cc: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: kernel-team@android.com
Fixes: 76d62f24db07 ("pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion")
Reported-by: "Chunhui Li (李春辉)" <chunhui.li@mediatek.com>
Signed-off-by: John Stultz <jstultz@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230308204043.2061631-1-jstultz@google.com
Bug: 271041816
Bug: 272453930
Bug: 290899184
Bug: 290908562
Bug: 290920906
(cherry picked from commit 5239a89b06d6b199f133bf0ffea421683187f257
 https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/pstore )
Change-Id: Iadf30bcbf5ba3895dd4af8c15c3a8aecf4301acb
Signed-off-by: John Stultz <jstultz@google.com>
(cherry picked from commit 3ff04317e4e3a49923f6aec6e0e42c64458ed672)
(cherry picked from commit c27abae938)
Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
2023-07-12 14:48:14 +00:00
Venkata Rao Kakani
d76043947c ANDROID: ABI: Add to QCOM symbols list
Symbols updated to QCOM abi symbol list:
  genphy_c45_read_status

Bug: 280924669
Bug: 288027217
Bug: 288060701
Bug: 290628560

Change-Id: I13fd178c2c36a949bf01108b85c4433f6b38d8cf
Signed-off-by: Venkata Rao Kakani <quic_vkakani@quicinc.com>
(cherry picked from commit 4a4cc7be63)
2023-07-10 19:13:04 +00:00
Thinh Nguyen
7ce0f85e97 UPSTREAM: usb: dwc3: gadget: Return -ESHUTDOWN on ep disable
The usb_request API clearly noted that removed requests due to disabled
endpoint should have -ESHUTDOWN status returned. Don't change this
behavior.

Fixes: b44c0e7fef51 ("usb: dwc3: gadget: conditionally remove requests")
Cc: stable@vger.kernel.org
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/3421859485cb32d77e2068549679a6c07a7797bc.1667875427.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ffb9da4a04c69567bad717707b6fdfbc4c216ef4)

Bug: 290141348
Bug: 290331654
Bug: 290628560

Change-Id: I92e7910e3957fb7e77bf6a1b1c121ce143f1c1c6
Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
Signed-off-by: Siva sri Kumar Vanka <quic_svanka@quicinc.com>
2023-07-10 17:19:24 +00:00
Android Build Coastguard Worker
7810145707 Snap for 10457850 from c474a25fc4 to android13-5.15-keystone-qcom-release
Change-Id: Id816478610ca4d1f3c10e4822ccf05efc9326a13
2023-07-08 00:00:19 +00:00
keystone-kernel-automerger
c474a25fc4 Merge remote-tracking branch into HEAD
* keystone/mirror-android13-5.15-2023-05:
  BACKPORT: scsi: ufs: core: Fix devfreq deadlocks
  UPSTREAM: usb: gadget: uvc: queue empty isoc requests if no video buffer is available

Change-Id: I7241f5beba86c683b2843b3dbeb04a50268a6a07
Signed-off-by: keystone-kernel-automerger <keystone-kernel-automerger@google.com>
2023-07-07 06:20:45 +00:00
Johan Hovold
2329912939 BACKPORT: scsi: ufs: core: Fix devfreq deadlocks
[ Upstream commit ba81043753fffbc2ad6e0c5ff2659f12ac2f46b4 ]

There is a lock inversion and rwsem read-lock recursion in the devfreq
target callback which can lead to deadlocks.

Specifically, ufshcd_devfreq_scale() already holds a clk_scaling_lock
read lock when toggling the write booster, which involves taking the
dev_cmd mutex before taking another clk_scaling_lock read lock.

This can lead to a deadlock if another thread:

  1) tries to acquire the dev_cmd and clk_scaling locks in the correct
     order, or

  2) takes a clk_scaling write lock before the attempt to take the
     clk_scaling read lock a second time.

Fix this by dropping the clk_scaling_lock before toggling the write booster
as was done before commit 0e9d4ca43b ("scsi: ufs: Protect some contexts
from unexpected clock scaling").

While the devfreq callbacks are already serialised, add a second
serialising mutex to handle the unlikely case where a callback triggered
through the devfreq sysfs interface is racing with a request to disable
clock scaling through the UFS controller 'clkscale_enable' sysfs
attribute. This could otherwise lead to the write booster being left
disabled after having disabled clock scaling.

Also take the new mutex in ufshcd_clk_scaling_allow() to make sure that any
pending write booster update has completed on return.

Note that this currently only affects Qualcomm platforms since commit
87bd05016a64 ("scsi: ufs: core: Allow host driver to disable wb toggling
during clock scaling").

The lock inversion (i.e. 1 above) was reported by lockdep as:

 ======================================================
 WARNING: possible circular locking dependency detected
 6.1.0-next-20221216 #211 Not tainted
 ------------------------------------------------------
 kworker/u16:2/71 is trying to acquire lock:
 ffff076280ba98a0 (&hba->dev_cmd.lock){+.+.}-{3:3}, at: ufshcd_query_flag+0x50/0x1c0

 but task is already holding lock:
 ffff076280ba9cf0 (&hba->clk_scaling_lock){++++}-{3:3}, at: ufshcd_devfreq_scale+0x2b8/0x380

 which lock already depends on the new lock.
[  +0.011606]
 the existing dependency chain (in reverse order) is:

 -> #1 (&hba->clk_scaling_lock){++++}-{3:3}:
        lock_acquire+0x68/0x90
        down_read+0x58/0x80
        ufshcd_exec_dev_cmd+0x70/0x2c0
        ufshcd_verify_dev_init+0x68/0x170
        ufshcd_probe_hba+0x398/0x1180
        ufshcd_async_scan+0x30/0x320
        async_run_entry_fn+0x34/0x150
        process_one_work+0x288/0x6c0
        worker_thread+0x74/0x450
        kthread+0x118/0x120
        ret_from_fork+0x10/0x20

 -> #0 (&hba->dev_cmd.lock){+.+.}-{3:3}:
        __lock_acquire+0x12a0/0x2240
        lock_acquire.part.0+0xcc/0x220
        lock_acquire+0x68/0x90
        __mutex_lock+0x98/0x430
        mutex_lock_nested+0x2c/0x40
        ufshcd_query_flag+0x50/0x1c0
        ufshcd_query_flag_retry+0x64/0x100
        ufshcd_wb_toggle+0x5c/0x120
        ufshcd_devfreq_scale+0x2c4/0x380
        ufshcd_devfreq_target+0xf4/0x230
        devfreq_set_target+0x84/0x2f0
        devfreq_update_target+0xc4/0xf0
        devfreq_monitor+0x38/0x1f0
        process_one_work+0x288/0x6c0
        worker_thread+0x74/0x450
        kthread+0x118/0x120
        ret_from_fork+0x10/0x20

 other info that might help us debug this:
  Possible unsafe locking scenario:
        CPU0                    CPU1
        ----                    ----
   lock(&hba->clk_scaling_lock);
                                lock(&hba->dev_cmd.lock);
                                lock(&hba->clk_scaling_lock);
   lock(&hba->dev_cmd.lock);

  *** DEADLOCK ***

Fixes: 0e9d4ca43b ("scsi: ufs: Protect some contexts from unexpected clock scaling")
Cc: stable@vger.kernel.org      # 5.12
Cc: Can Guo <quic_cang@quicinc.com>
Tested-by: Andrew Halaney <ahalaney@redhat.com>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20230116161201.16923-1-johan+linaro@kernel.org
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit b03f7ed9af)
Change-Id: I58d89f72e77838f54a8659f4e6511d79df920bfa
Bug: 286803489
Bug: 288060701
Bug: 289755802
[ reworked lock to be global to preserve the abi - gregkh ]
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Signed-off-by: Sivasri Kumar, Vanka <quic_svanka@quicinc.com>
(cherry picked from commit 461379cd3e)
2023-07-04 08:23:16 +00:00
Avichal Rakesh
b54d32f136 UPSTREAM: usb: gadget: uvc: queue empty isoc requests if no video buffer is available
ISOC transfers expect a certain cadence of requests being queued. Not
keeping up with the expected rate of requests results in missed ISOC
transfers (EXDEV). The application layer may or may not produce video
frames to match this expectation, so uvc gadget driver must handle cases
where the application is not queuing up buffers fast enough to fulfill
ISOC requirements.

Currently, uvc gadget driver waits for new video buffer to become available
before queuing up usb requests. With this patch the gadget driver queues up
0 length usb requests whenever there are no video buffers available. The
USB controller's complete callback is used as the limiter for how quickly
the 0 length packets will be queued. Video buffers are still queued as
soon as they become available.

Link: https://lore.kernel.org/CAMHf4WKbi6KBPQztj9FA4kPvESc1fVKrC8G73-cs6tTeQby9=w@mail.gmail.com/
Signed-off-by: Avichal Rakesh <arakesh@google.com>
Link: https://lore.kernel.org/r/20230508231103.1621375-1-arakesh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

(cherry picked from commit c3ff12a92bd7072170978b8b41c2fa41b038139a)
Bug: 271684194
Bug: 289627714
Signed-off-by: Avichal Rakesh <arakesh@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:39cc781d6f7542117b07de2fd052e91cc21b66b5)
Change-Id: I3eed9b415f80ccea9c69b0d96593da8493dbf6bb
(cherry picked from commit 27903582a2)
2023-07-01 12:11:09 +00:00
Android Build Coastguard Worker
5c3ba103ec Snap for 10413354 from 1aeb94605d to android13-5.15-keystone-qcom-release
Change-Id: I2c74094bac335783244d86e965c2d72d939c99a9
2023-06-30 00:00:30 +00:00
Deyao Ren
1aeb94605d Merge android13-5.15-2023-05 into HEAD
* keystone/mirror-android13-5.15-2023-05: (44 commits)
  UPSTREAM: usb: dwc3: debugfs: Resume dwc3 before accessing registers
  UPSTREAM: kvm: initialize all of the kvm_debugregs structure before sending it to userspace
  UPSTREAM: netfilter: nf_tables: deactivate anonymous set from preparation phase
  UPSTREAM: usb: dwc3: gadget: Refactor EP0 forced stall/restart into a separate API
  FROMGIT: locking/rwsem: Add __always_inline annotation to __down_read_common() and inlined callers
  BACKPORT: UPSTREAM: usb: dwc3: gadget: Execute gadget stop after halting the controller
  ANDROID: irqchip/irq-gic-v3: Fixed gic_suspend() stub for !CONFIG_PM
  ANDROID: ABI: Update symbol list for the symbols used by the unisoc for A13-k5.15
  UPSTREAM: usb: dwc3: gadget: Stall and restart EP0 if host is unresponsive
  BACKPORT: FROMLIST: thermal/core/power_allocator: avoid thermal cdev can not be reset
  Revert "ANDROID: uid_sys_stat: split the global lock uid_lock to the fine-grained"
  BACKPORT: FROMGIT: wifi: cfg80211/mac80211: report link ID on control port RX
  FROMLIST: binder: fix UAF caused by faulty buffer cleanup
  ANDROID: usb: gadget: configfs: Protect composite_setup in a spinlock
  ANDROID: ABI: update allowed list for galaxy
  ANDROID: GKI: Increase max 8250 uarts
  BACKPORT: f2fs: give priority to select unpinned section for foreground GC
  UPSTREAM: f2fs: check pinfile in gc_data_segment() in advance
  ANDROID: GKI: add missing vendor hook symbols
  ANDROID: GKI: reorder symbols within ABI files
  ...

Change-Id: I93d8bfb6cd8d8a10080e20a1c09fa6c335d727b1
2023-06-29 20:08:37 +00:00
Android Build Coastguard Worker
3f6fd0df22 Snap for 10386213 from 5547371953 to android13-5.15-keystone-qcom-release
Change-Id: Ia007457d1ea38a27c72a6c2e49c661d680850555
2023-06-27 00:00:21 +00:00
keystone-kernel-automerger
5547371953 Merge remote-tracking branch into HEAD
* keystone/mirror-android13-5.15-2023-04:
  ANDROID: ABI: Add to QCOM symbols list
  BACKPORT: scsi: ufs: core: Fix devfreq deadlocks
  ANDROID: KVM: arm64: Move addr_is_allowed_memory() check into host callback
  ANDROID: KVM: arm64: Pass addr to get_page_state() helper

Change-Id: Ie989db09a017e9c23e8416a58162cfbf1eccb9b7
Signed-off-by: keystone-kernel-automerger <keystone-kernel-automerger@google.com>
2023-06-26 06:19:55 +00:00
Venkata Rao Kakani
4a4cc7be63 ANDROID: ABI: Add to QCOM symbols list
Symbols updated to QCOM abi symbol list:
  genphy_c45_read_status

Bug: 280924669
Bug: 288027217
Bug: 288060701

Change-Id: I13fd178c2c36a949bf01108b85c4433f6b38d8cf
Signed-off-by: Venkata Rao Kakani <quic_vkakani@quicinc.com>
2023-06-22 10:02:13 +00:00
Johan Hovold
461379cd3e BACKPORT: scsi: ufs: core: Fix devfreq deadlocks
[ Upstream commit ba81043753fffbc2ad6e0c5ff2659f12ac2f46b4 ]

There is a lock inversion and rwsem read-lock recursion in the devfreq
target callback which can lead to deadlocks.

Specifically, ufshcd_devfreq_scale() already holds a clk_scaling_lock
read lock when toggling the write booster, which involves taking the
dev_cmd mutex before taking another clk_scaling_lock read lock.

This can lead to a deadlock if another thread:

  1) tries to acquire the dev_cmd and clk_scaling locks in the correct
     order, or

  2) takes a clk_scaling write lock before the attempt to take the
     clk_scaling read lock a second time.

Fix this by dropping the clk_scaling_lock before toggling the write booster
as was done before commit 0e9d4ca43b ("scsi: ufs: Protect some contexts
from unexpected clock scaling").

While the devfreq callbacks are already serialised, add a second
serialising mutex to handle the unlikely case where a callback triggered
through the devfreq sysfs interface is racing with a request to disable
clock scaling through the UFS controller 'clkscale_enable' sysfs
attribute. This could otherwise lead to the write booster being left
disabled after having disabled clock scaling.

Also take the new mutex in ufshcd_clk_scaling_allow() to make sure that any
pending write booster update has completed on return.

Note that this currently only affects Qualcomm platforms since commit
87bd05016a64 ("scsi: ufs: core: Allow host driver to disable wb toggling
during clock scaling").

The lock inversion (i.e. 1 above) was reported by lockdep as:

 ======================================================
 WARNING: possible circular locking dependency detected
 6.1.0-next-20221216 #211 Not tainted
 ------------------------------------------------------
 kworker/u16:2/71 is trying to acquire lock:
 ffff076280ba98a0 (&hba->dev_cmd.lock){+.+.}-{3:3}, at: ufshcd_query_flag+0x50/0x1c0

 but task is already holding lock:
 ffff076280ba9cf0 (&hba->clk_scaling_lock){++++}-{3:3}, at: ufshcd_devfreq_scale+0x2b8/0x380

 which lock already depends on the new lock.
[  +0.011606]
 the existing dependency chain (in reverse order) is:

 -> #1 (&hba->clk_scaling_lock){++++}-{3:3}:
        lock_acquire+0x68/0x90
        down_read+0x58/0x80
        ufshcd_exec_dev_cmd+0x70/0x2c0
        ufshcd_verify_dev_init+0x68/0x170
        ufshcd_probe_hba+0x398/0x1180
        ufshcd_async_scan+0x30/0x320
        async_run_entry_fn+0x34/0x150
        process_one_work+0x288/0x6c0
        worker_thread+0x74/0x450
        kthread+0x118/0x120
        ret_from_fork+0x10/0x20

 -> #0 (&hba->dev_cmd.lock){+.+.}-{3:3}:
        __lock_acquire+0x12a0/0x2240
        lock_acquire.part.0+0xcc/0x220
        lock_acquire+0x68/0x90
        __mutex_lock+0x98/0x430
        mutex_lock_nested+0x2c/0x40
        ufshcd_query_flag+0x50/0x1c0
        ufshcd_query_flag_retry+0x64/0x100
        ufshcd_wb_toggle+0x5c/0x120
        ufshcd_devfreq_scale+0x2c4/0x380
        ufshcd_devfreq_target+0xf4/0x230
        devfreq_set_target+0x84/0x2f0
        devfreq_update_target+0xc4/0xf0
        devfreq_monitor+0x38/0x1f0
        process_one_work+0x288/0x6c0
        worker_thread+0x74/0x450
        kthread+0x118/0x120
        ret_from_fork+0x10/0x20

 other info that might help us debug this:
  Possible unsafe locking scenario:
        CPU0                    CPU1
        ----                    ----
   lock(&hba->clk_scaling_lock);
                                lock(&hba->dev_cmd.lock);
                                lock(&hba->clk_scaling_lock);
   lock(&hba->dev_cmd.lock);

  *** DEADLOCK ***

Fixes: 0e9d4ca43b ("scsi: ufs: Protect some contexts from unexpected clock scaling")
Cc: stable@vger.kernel.org      # 5.12
Cc: Can Guo <quic_cang@quicinc.com>
Tested-by: Andrew Halaney <ahalaney@redhat.com>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20230116161201.16923-1-johan+linaro@kernel.org
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit b03f7ed9af)
Change-Id: I58d89f72e77838f54a8659f4e6511d79df920bfa
Bug: 286803489
Bug: 288060701
[ reworked lock to be global to preserve the abi - gregkh ]
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Signed-off-by: Sivasri Kumar, Vanka <quic_svanka@quicinc.com>
2023-06-20 17:35:06 +05:30
Will Deacon
08bd7c7cef ANDROID: KVM: arm64: Move addr_is_allowed_memory() check into host callback
Since host stage-2 mappings are created lazily, we cannot rely on the
pte in order to recover the target physical address when checking a
host-initiated memory transition.

Instead, move the addr_is_allowed_memory() check into the host callback
function where it is passed the physical address directly from the
walker.

Bug: 279739439
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I84bdc43eded79f1f5e5a489dbc0874604491e5c8
(cherry picked from commit b35a061824)
Signed-off-by: Lee Jones <joneslee@google.com>
2023-06-15 11:13:27 +01:00
Quentin Perret
c03054d26c ANDROID: KVM: arm64: Pass addr to get_page_state() helper
We will soon need to fetch part of the page state outside of invalid
PTE entries, so provide the input address to the get_page_state()
helper.

Bug: 264070847
Change-Id: I02e0c7538a15cad8e63591bfab67c6de125631fe
Signed-off-by: Quentin Perret <qperret@google.com>
Bug: 279739439
[willdeacon@: Dropped hunks modifying non-existent code]
Signed-off-by: Will Deacon <willdeacon@google.com>
(cherry picked from commit 53625a846a)
Signed-off-by: Lee Jones <joneslee@google.com>
2023-06-15 11:13:15 +01:00
Android Build Coastguard Worker
17c6c1d20e Snap for 10307279 from eee502f5fa to android13-5.15-keystone-qcom-release
Change-Id: I6bb410d4900c00da803c9f4b9a97541d42514190
2023-06-13 00:00:16 +00:00
Deyao Ren
eee502f5fa Merge remote-tracking branch into HEAD
* keystone/mirror-android13-5.15-2023-04:
  ANDROID: GKI: Update symbol list for sunxi

Change-Id: Ibb086acaf7a7b9e516cd4a3cc171b453a9ad81b0
2023-06-12 19:49:50 +00:00
Android Build Coastguard Worker
2b462880cb Snap for 10271130 from e12b39ebe7 to android13-5.15-keystone-qcom-release
Change-Id: Ia96c488dc6cddf9fe32a34a16de9ee460f6116af
2023-06-07 10:00:57 +00:00
Elliot Berman
e12b39ebe7 Merge "ANDROID: consolidate.fragment: Enable memory debug configs" into android13-5.15-keystone-qcom-dev
2023-06-06 22:09:18 +00:00
Aran Dalton
a724e892fe ANDROID: GKI: Update symbol list for sunxi
1 function symbol(s) added
  'void tcpm_tcpc_reset(struct tcpm_port *)'

Bug: 285262575
Bug: 285998584
Signed-off-by: Aran Dalton <arda@allwinnertech.com>
(cherry picked from commit f62ba41ffa)
Change-Id: I655d369bee133b6168ab31a550c811d777326b64
2023-06-06 21:16:18 +08:00
Android Build Coastguard Worker
cf1246bb7b Snap for 10241385 from 5a5b54d272 to android13-5.15-keystone-qcom-release
Change-Id: I834173ff779b80947729c53ddedc1ddd90041803
2023-06-02 00:00:26 +00:00
keystone-kernel-automerger
5a5b54d272 Merge remote-tracking branch into HEAD
* keystone/mirror-android13-5.15-2023-04:
  ANDROID: ABI: Add to QCOM symbols list
  Revert "Revert "mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse""
  FROMLIST: binder: fix UAF caused by faulty buffer cleanup

Change-Id: I133f5e8ddc6fa255318bbf5afcaddbbe35463d5a
Signed-off-by: keystone-kernel-automerger <keystone-kernel-automerger@google.com>
2023-06-01 06:21:49 +00:00
Venkata Rao Kakani
02e3f69615 ANDROID: ABI: Add to QCOM symbols list
Symbols updated to QCOM abi symbol list:
  __bitmap_complement
  __bitmap_replace
  __bitmap_xor
  ethnl_cable_test_amplitude
  ethnl_cable_test_pulse
  ethnl_cable_test_step
  genphy_check_and_restart_aneg
  genphy_read_lpa
  genphy_read_status_fixed
  genphy_setup_forced
  genphy_update_link
  __mdiobus_read
  __mdiobus_write
  phy_config_aneg
  phy_ethtool_get_eee
  phy_gbit_fibre_features
  __phy_modify
  phy_modify_changed
  phy_modify_paged
  phy_modify_paged_changed
  phy_read_paged
  phy_resolve_aneg_pause
  phy_restore_page
  phy_save_page
  phy_select_page
  phy_sfp_attach
  phy_sfp_detach
  phy_sfp_probe
  phy_write_paged
  usb_alloc_dev
  usb_find_common_endpoints
  usb_set_device_state

Bug: 280004447
Bug: 284965856
Change-Id: I2a3827194bb323d96cde434e03db6c5e77be58e1
Signed-off-by: Venkata Rao Kakani <quic_vkakani@quicinc.com>
2023-05-31 09:22:26 +00:00
Lee Jones
9f42f49e70 Revert "Revert "mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse""
This reverts commit 4f35cec760 and does so
in an abi-safe way.

This is done by adding the new fields only to the end of the structure
and this structure is only passed around to other functions as a
pointer, the internal structure layout is only touched by the core
kernel, so adding it to the end is safe.

Bug: 260678056
Bug: 253167854
Change-Id: Ib1d45625cbc2e0b21330ca3dc2aa7aff34666d31
Signed-off-by: Lee Jones <joneslee@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
(cherry picked from commit 4158b1508f)
2023-05-30 11:42:02 +01:00
Vijayanand Jitta
d381ab1f8a ANDROID: consolidate.fragment: Enable memory debug configs
Enable PAGE_POISONING and slub_debug, excluding store_user for zs_handle
and zspage. These are helpful in debugging use-after-free, memory corruption issues.

Bug: 284241849
Change-Id: I6c17a0ce7040762f8295ff06f79975aaab7d7905
Signed-off-by: Vijayanand Jitta <quic_vjitta@quicinc.com>
2023-05-25 07:03:40 +00:00
Android Build Coastguard Worker
cb2f93168e Snap for 10159065 from 0c30240665 to android13-5.15-keystone-qcom-release
Change-Id: I949f816ecadcf02c7298c381bcfd0f5c58787342
2023-05-18 10:00:47 +00:00
Deyao Ren
0c30240665 Merge remote-tracking branch into HEAD
* keystone/mirror-android13-5.15-2023-04:
  ANDROID: GKI: Update symbol list for mtk
  ANDROID: GKI: Update symbol list for mtk

Change-Id: Iaa1528f0a4cdc68161c63f89d7df8fb99825a334
2023-05-18 02:58:03 +00:00
Carlos Llamas
201537123f FROMLIST: binder: fix UAF caused by faulty buffer cleanup
In binder_transaction_buffer_release() the 'failed_at' offset indicates
the number of objects to clean up. However, this function was changed by
commit 44d8047f1d ("binder: use standard functions to allocate fds"),
to release all the objects in the buffer when 'failed_at' is zero.

This introduced an issue when a transaction buffer is released without
any objects having been processed so far. In this case, 'failed_at' is
indeed zero yet it is misinterpreted as releasing the entire buffer.

This leads to use-after-free errors where nodes are incorrectly freed
and subsequently accessed. Such is the case in the following KASAN
report:

  ==================================================================
  BUG: KASAN: slab-use-after-free in binder_thread_read+0xc40/0x1f30
  Read of size 8 at addr ffff4faf037cfc58 by task poc/474

  CPU: 6 PID: 474 Comm: poc Not tainted 6.3.0-12570-g7df047b3f0aa #5
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   dump_backtrace+0x94/0xec
   show_stack+0x18/0x24
   dump_stack_lvl+0x48/0x60
   print_report+0xf8/0x5b8
   kasan_report+0xb8/0xfc
   __asan_load8+0x9c/0xb8
   binder_thread_read+0xc40/0x1f30
   binder_ioctl+0xd9c/0x1768
   __arm64_sys_ioctl+0xd4/0x118
   invoke_syscall+0x60/0x188
  [...]

  Allocated by task 474:
   kasan_save_stack+0x3c/0x64
   kasan_set_track+0x2c/0x40
   kasan_save_alloc_info+0x24/0x34
   __kasan_kmalloc+0xb8/0xbc
   kmalloc_trace+0x48/0x5c
   binder_new_node+0x3c/0x3a4
   binder_transaction+0x2b58/0x36f0
   binder_thread_write+0x8e0/0x1b78
   binder_ioctl+0x14a0/0x1768
   __arm64_sys_ioctl+0xd4/0x118
   invoke_syscall+0x60/0x188
  [...]

  Freed by task 475:
   kasan_save_stack+0x3c/0x64
   kasan_set_track+0x2c/0x40
   kasan_save_free_info+0x38/0x5c
   __kasan_slab_free+0xe8/0x154
   __kmem_cache_free+0x128/0x2bc
   kfree+0x58/0x70
   binder_dec_node_tmpref+0x178/0x1fc
   binder_transaction_buffer_release+0x430/0x628
   binder_transaction+0x1954/0x36f0
   binder_thread_write+0x8e0/0x1b78
   binder_ioctl+0x14a0/0x1768
   __arm64_sys_ioctl+0xd4/0x118
   invoke_syscall+0x60/0x188
  [...]
  ==================================================================

In order to avoid these issues, let's always calculate the intended
'failed_at' offset beforehand. This is renamed and wrapped in a helper
function to make it clear and convenient.

Fixes: 32e9f56a96d8 ("binder: don't detect sender/target during buffer cleanup")
Reported-by: Zi Fan Tan <zifantan@google.com>
Link: https://b.corp.google.com/issues/275041864
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>

Bug: 275041864
Link: https://lore.kernel.org/all/20230505203020.4101154-1-cmllamas@google.com
Change-Id: I4bcc8bde77a8118872237d100cccb5caf95d99a1
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Lee Jones <joneslee@google.com>
2023-05-17 13:17:10 +01:00
Bo Ye
4ad68ce511 ANDROID: GKI: Update symbol list for mtk
Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 1 Added function
Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variable

1 Added function:

  [A] 'function int devm_iio_triggered_buffer_setup_ext(device*, iio_dev*, typedef irqreturn_t (int, void*)*, typedef irqreturn_t (int, void*)*, const iio_buffer_setup_ops*, const attribute**)'

Bug: 278819101
Bug: 282867466
Change-Id: I62f9c275c6056d2b6fe02a793d75a103f09eee87
Signed-off-by: Bo Ye <bo.ye@mediatek.com>
(cherry picked from commit 69e55fed94)
2023-05-16 16:45:14 +00:00
Udipto Goswami
adaabe3996 UPSTREAM: usb: dwc3: debugfs: Resume dwc3 before accessing registers
When the dwc3 device is runtime suspended, various required clocks are in
disabled state and it is not guaranteed that access to any registers would
work. Depending on the SoC glue, a register read could be as benign as
returning 0 or be fatal enough to hang the system.

In order to prevent such scenarios of fatal errors, make sure to resume
dwc3 then allow the function to proceed.

Fixes: 72246da40f ("usb: Introduce DesignWare USB3 DRD Driver")
Cc: stable@vger.kernel.org #3.2: 30332eeefe: debugfs: regset32: Add Runtime PM support
Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20230509144836.6803-1-quic_ugoswami@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 282654910
(cherry picked from commit 614ce6a2ea50068b45339257891e51e639ac9001 usb-linus)

Change-Id: Ie89d818b2d77681075cc517184ad1a5fa755dd88
Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
2023-05-16 13:55:46 +00:00
Greg Kroah-Hartman
a34daa1c47 UPSTREAM: kvm: initialize all of the kvm_debugregs structure before sending it to userspace
commit 2c10b61421a28e95a46ab489fd56c0f442ff6952 upstream.

When calling the KVM_GET_DEBUGREGS ioctl, on some configurations, there
might be some uninitialized portions of the kvm_debugregs structure that
could be copied to userspace.  Prevent this as is done in the other kvm
ioctls, by setting the whole structure to 0 before copying anything into
it.

Bonus is that this reduces the lines of code as the explicit flag
setting and reserved space zeroing out can be removed.

Bug: 276839298
Cc: Sean Christopherson <seanjc@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: <x86@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: stable <stable@kernel.org>
Reported-by: Xingyuan Mo <hdthky0@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Message-Id: <20230214103304.3689213-1-gregkh@linuxfoundation.org>
Tested-by: Xingyuan Mo <hdthky0@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Iba91db0bd1b8380584f48b0ca94d8c104afcce29
2023-05-16 11:40:27 +00:00
Seiya Wang
5f6d4698d6 ANDROID: GKI: Update symbol list for mtk
3 function symbol(s) added
  'int __bitmap_subset(const unsigned long int *, const unsigned long int *, unsigned int)'
  'unsigned int _bcd2bin(unsigned char)'
  'unsigned char _bin2bcd(unsigned int)'

Bug: 278138288
Bug: 282843714
Signed-off-by: Seiya Wang <seiya.wang@mediatek.com>
Change-Id: I60af2c89defb28a3d4f8daf4fba9f7dc22ec8a8a
(cherry picked from commit e269893a9b)
2023-05-16 10:19:47 +00:00
Pablo Neira Ayuso
f993c1a2b0 UPSTREAM: netfilter: nf_tables: deactivate anonymous set from preparation phase
commit c1592a89942e9678f7d9c8030efa777c0d57edab upstream.

Toggle deleted anonymous sets as inactive in the next generation, so
users cannot perform any update on it. Clear the generation bitmask
in case the transaction is aborted.

The following KASAN splat shows a set element deletion for a bound
anonymous set that has been already removed in the same transaction.

[   64.921510] ==================================================================
[   64.923123] BUG: KASAN: wild-memory-access in nf_tables_commit+0xa24/0x1490 [nf_tables]
[   64.924745] Write of size 8 at addr dead000000000122 by task test/890
[   64.927903] CPU: 3 PID: 890 Comm: test Not tainted 6.3.0+ #253
[   64.931120] Call Trace:
[   64.932699]  <TASK>
[   64.934292]  dump_stack_lvl+0x33/0x50
[   64.935908]  ? nf_tables_commit+0xa24/0x1490 [nf_tables]
[   64.937551]  kasan_report+0xda/0x120
[   64.939186]  ? nf_tables_commit+0xa24/0x1490 [nf_tables]
[   64.940814]  nf_tables_commit+0xa24/0x1490 [nf_tables]
[   64.942452]  ? __kasan_slab_alloc+0x2d/0x60
[   64.944070]  ? nf_tables_setelem_notify+0x190/0x190 [nf_tables]
[   64.945710]  ? kasan_set_track+0x21/0x30
[   64.947323]  nfnetlink_rcv_batch+0x709/0xd90 [nfnetlink]
[   64.948898]  ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink]

Bug: 282877000
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I536b7fbec55a5b37a57546023891a3dcfeb2c24b
2023-05-16 08:38:49 +01:00
Wesley Cheng
0f765cae4a UPSTREAM: usb: dwc3: gadget: Refactor EP0 forced stall/restart into a separate API
Several sequences utilize the same routine for forcing the control endpoint
back into the SETUP phase.  This is required, because those operations need
to ensure that EP0 is back in the default state.

Fixes: c96683798e27 ("usb: dwc3: ep0: Don't prepare beyond Setup stage")
Cc: stable@vger.kernel.org
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Link: https://lore.kernel.org/r/20230420212759.29429-2-quic_wcheng@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 280741172
Bug: 277690231
Change-Id: I9b468a021b04e765b074d9b48f46c6e828022705
(cherry picked from commit 8f40fc0808137c157dd408d2632e63bfca2aecdb usb-linus)
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
(cherry picked from commit 15e99e4bfa52797c066ae4fec1babd3f3b60f093)
2023-05-15 08:01:16 +00:00
John Stultz
c5de3d68b0 FROMGIT: locking/rwsem: Add __always_inline annotation to __down_read_common() and inlined callers
Apparently despite it being marked inline, the compiler
may not inline __down_read_common() which makes it difficult
to identify the cause of lock contention, as the blocked
function in traceevents will always be listed as
__down_read_common().

So this patch adds __always_inline annotation to the common
function (as well as the inlined helper callers) to force it to
be inlined so the blocking function will be listed (via Wchan)
in traceevents.

Fixes: c995e638cc ("locking/rwsem: Fold __down_{read,write}*()")
Reported-by: Tim Murray <timmurray@google.com>
Signed-off-by: John Stultz <jstultz@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Waiman Long <longman@redhat.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20230503023351.2832796-1-jstultz@google.com
Bug: 277817995
(cherry picked from commit 92cc5d00a431e96e5a49c0b97e5ad4fa7536bd4b
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git locking/urgent)
Change-Id: Ifad7ed7fe9f2d5a9eb0cfe7c35e45c0e86bc3ad4
Signed-off-by: John Stultz <jstultz@google.com>
2023-05-12 16:44:57 +00:00
Wesley Cheng
1ce1603175 BACKPORT: UPSTREAM: usb: dwc3: gadget: Execute gadget stop after halting the controller
Do not call gadget stop until the poll for controller halt is
completed.  DEVTEN is cleared as part of gadget stop, so the intention to
allow ep0 events to continue while waiting for controller halt is not
happening.

Fixes: c96683798e27 ("usb: dwc3: ep0: Don't prepare beyond Setup stage")
Cc: stable@vger.kernel.org
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Link: https://lore.kernel.org/r/20230420212759.29429-2-quic_wcheng@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 280741172
Bug: 277690231
[ugoswami: Modified the function dwc3_gadget_run_stop to remove dependency from cleanup patch.]
(cherry picked from commit 39674be56fba1cd3a03bf4617f523a35f85fd2c1 usb-linus)

Change-Id: I2a8a42e938a680cefc0d1a56274caf155a4f99cd
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
(cherry picked from commit 45902380021d3fe742f9e6d49337ad3746f00d64)
2023-05-12 13:34:16 +00:00
Florian Fainelli
3dd76c4a0d ANDROID: irqchip/irq-gic-v3: Fixed gic_suspend() stub for !CONFIG_PM
When CONFIG_PM is not enabled, we will be getting an unused function
warning:

drivers/irqchip/irq-gic-v3.c:1388:12: warning: 'gic_suspend' defined but not used [-Wunused-function]
 static int gic_suspend(void) { return 0; }
            ^~~~~~~~~~~

Fixes: 9d0ccb89bc ("ANDROID: irqchip/irq-gic-v3: Add vendor hook for gic suspend")
Reported-by: Anand Gore <anand.gore@broadcom.com>
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Change-Id: Iaae683f0871122eb424fbf4460ad551a67f91456
2023-05-11 15:33:29 +00:00
xinyi.yuan
c2d82f46fc ANDROID: ABI: Update symbol list for the symbols used by the unisoc for A13-k5.15
Update symbol list for the symbols used by the unisoc in abi_gki_aarch64_unisoc.

Bug: 281967634
Change-Id: Ia073c8853f4af467e115a89554862d9d3012ddcc
Signed-off-by: xinyi.yuan <xinyi.yuan@unisoc.com>
2023-05-11 12:36:45 +00:00
Wesley Cheng
82aad30f43 UPSTREAM: usb: dwc3: gadget: Stall and restart EP0 if host is unresponsive
It was observed that there are hosts that may complete pending SETUP
transactions before the stop active transfers and controller halt occurs,
leading to lingering endxfer commands on DEPs on subsequent pullup/gadget
start iterations.

  dwc3_gadget_ep_disable   name=ep8in flags=0x3009  direction=1
  dwc3_gadget_ep_disable   name=ep4in flags=1  direction=1
  dwc3_gadget_ep_disable   name=ep3out flags=1  direction=0
  usb_gadget_disconnect   deactivated=0  connected=0  ret=0

The sequence shows that the USB gadget disconnect (dwc3_gadget_pullup(0))
routine completed successfully, allowing for the USB gadget to proceed with
a USB gadget connect.  However, if this occurs the system runs into an
issue where:

  BUG: spinlock already unlocked on CPU
  spin_bug+0x0
  dwc3_remove_requests+0x278
  dwc3_ep0_out_start+0xb0
  __dwc3_gadget_start+0x25c

This is due to the pending endxfers, leading to gadget start (w/o lock
held) to execute the remove requests, which will unlock the dwc3
spinlock as part of giveback.

To mitigate this, resolve the pending endxfers on the pullup disable
path by re-locating the SETUP phase check after stop active transfers, since
that is where the DWC3_EP_DELAY_STOP is potentially set.  This also allows
for handling of a host that may be unresponsive by using the completion
timeout to trigger the stall and restart for EP0.

Fixes: c96683798e27 ("usb: dwc3: ep0: Don't prepare beyond Setup stage")
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>

Fixes: c96683798e27 ("usb: dwc3: ep0: Don't prepare beyond Setup stage")
Cc: stable@vger.kernel.org
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Link: https://lore.kernel.org/r/20230413195742.11821-2-quic_wcheng@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 280741172
Bug: 277690231
(cherry picked from commit 02435a739b81ae24aff5d6e930efef9458e2af3c usb-linus)

Change-Id: Ifa9aeab01a4f45feaae59c2d393e6712f5370f08
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
(cherry picked from commit 5dd4405fee1bf7505d4211c083c695a2cf7adaea)
2023-05-09 12:06:37 +00:00
Di Shen
a881d6f4e5 BACKPORT: FROMLIST: thermal/core/power_allocator: avoid thermal cdev can not be reset
Commit 0952177f2a ("thermal/core/power_allocator: Update once
cooling devices when temp is low") adds an update flag to avoid
the thermal event is triggered when there is no need, and
thermal cdev would be updated once when temperature is low.

But when the trips are writable, and switch_on_temp is set
to be a higher value, the cooling device state may not be
reset to 0, because last_temperature is smaller than the
switch_on_temp.

For example:
First:
switch_on_temp=70 control_temp=85;
Then userspace changes the trip_temp:
switch_on_temp=45 control_temp=55 cur_temp=54

Then userspace resets the trip_temp:
switch_on_temp=70 control_temp=85 cur_temp=57 last_temp=54

At this time, the cooling device state should be reset to 0.
However, because cur_temp(57) < switch_on_temp(70)
last_temp(54) < switch_on_temp(70)  ---->  update = false,
update is false, the cooling device state can not be reset.

This patch adds a function thermal_cdev_needs_update() to
renew the update flag value only when the trips are writable,
so that thermal cdev->state can be reset after switch_on_temp
changed from low to high.

Fixes: 0952177f2a ("thermal/core/power_allocator: Update once cooling devices when temp is low")
Signed-off-by: Di Shen <di.shen@unisoc.com>
Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>

Bug: 280955449
Link: https://lore.kernel.org/all/20230320095620.7480-1-di.shen@unisoc.com/
Link: https://lore.kernel.org/all/6055bc39-5c00-d12f-b5c3-fa21a9649d63@arm.com/
Change-Id: I4fc510da0cf16a10b3dc449db3c4cd12233d4e23
Signed-off-by: Di Shen <di.shen@unisoc.com>
[ resolved minor conflict in drivers/thermal/gov_power_allocator.c ]
2023-05-09 05:46:10 +00:00
Neill Kapron
424075e4ef Revert "ANDROID: uid_sys_stat: split the global lock uid_lock to the fine-grained"
This reverts commit d7d2be8fd5.

Reason for revert: Likely causes "calls a sleeping function from atomic context" https://buganizer.corp.google.com/issues/281144729

Change-Id: Iee3d3412858a37976e5a99609c01324a67872032
Signed-off-by: Neill Kapron <nkapron@google.com>
2023-05-09 04:41:13 +00:00
Johannes Berg
e38f3666ea BACKPORT: FROMGIT: wifi: cfg80211/mac80211: report link ID on control port RX
For control port RX, report the link ID for MLO.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230301115906.fe06dfc3791b.Iddcab94789cafe336417be406072ce8a6312fc2d@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Bug: 274877094
Change-Id: Ic1d9f8f34b372788e26cc650f1bd7d0376e6a54c
(cherry picked from commit 4c532321bf90288dae6b07a3f52279bfde842a80
https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main)
[shivbara: Resolved minor conflict in net/mac80211/rx.c ]
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
2023-05-09 00:14:29 +00:00
Carlos Llamas
9caa51de34 FROMLIST: binder: fix UAF caused by faulty buffer cleanup
In binder_transaction_buffer_release() the 'failed_at' offset indicates
the number of objects to clean up. However, this function was changed by
commit 44d8047f1d ("binder: use standard functions to allocate fds"),
to release all the objects in the buffer when 'failed_at' is zero.

This introduced an issue when a transaction buffer is released without
any objects having been processed so far. In this case, 'failed_at' is
indeed zero yet it is misinterpreted as releasing the entire buffer.

This leads to use-after-free errors where nodes are incorrectly freed
and subsequently accessed. Such is the case in the following KASAN
report:

  ==================================================================
  BUG: KASAN: slab-use-after-free in binder_thread_read+0xc40/0x1f30
  Read of size 8 at addr ffff4faf037cfc58 by task poc/474

  CPU: 6 PID: 474 Comm: poc Not tainted 6.3.0-12570-g7df047b3f0aa #5
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   dump_backtrace+0x94/0xec
   show_stack+0x18/0x24
   dump_stack_lvl+0x48/0x60
   print_report+0xf8/0x5b8
   kasan_report+0xb8/0xfc
   __asan_load8+0x9c/0xb8
   binder_thread_read+0xc40/0x1f30
   binder_ioctl+0xd9c/0x1768
   __arm64_sys_ioctl+0xd4/0x118
   invoke_syscall+0x60/0x188
  [...]

  Allocated by task 474:
   kasan_save_stack+0x3c/0x64
   kasan_set_track+0x2c/0x40
   kasan_save_alloc_info+0x24/0x34
   __kasan_kmalloc+0xb8/0xbc
   kmalloc_trace+0x48/0x5c
   binder_new_node+0x3c/0x3a4
   binder_transaction+0x2b58/0x36f0
   binder_thread_write+0x8e0/0x1b78
   binder_ioctl+0x14a0/0x1768
   __arm64_sys_ioctl+0xd4/0x118
   invoke_syscall+0x60/0x188
  [...]

  Freed by task 475:
   kasan_save_stack+0x3c/0x64
   kasan_set_track+0x2c/0x40
   kasan_save_free_info+0x38/0x5c
   __kasan_slab_free+0xe8/0x154
   __kmem_cache_free+0x128/0x2bc
   kfree+0x58/0x70
   binder_dec_node_tmpref+0x178/0x1fc
   binder_transaction_buffer_release+0x430/0x628
   binder_transaction+0x1954/0x36f0
   binder_thread_write+0x8e0/0x1b78
   binder_ioctl+0x14a0/0x1768
   __arm64_sys_ioctl+0xd4/0x118
   invoke_syscall+0x60/0x188
  [...]
  ==================================================================

In order to avoid these issues, let's always calculate the intended
'failed_at' offset beforehand. This is renamed and wrapped in a helper
function to make it clear and convenient.

Fixes: 32e9f56a96d8 ("binder: don't detect sender/target during buffer cleanup")
Reported-by: Zi Fan Tan <zifantan@google.com>
Link: https://b.corp.google.com/issues/275041864
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>

Bug: 275041864
Link: https://lore.kernel.org/all/20230505203020.4101154-1-cmllamas@google.com
Change-Id: I4bcc8bde77a8118872237d100cccb5caf95d99a1
Signed-off-by: Carlos Llamas <cmllamas@google.com>
2023-05-05 23:17:53 +00:00
Krishna Kurapati
9ad803f257 ANDROID: usb: gadget: configfs: Protect composite_setup in a spinlock
In one of the SMMU faults (NULL Pointer dereference) the following
race condition was observed and func->interfaces_nums was being
accessed for f_fs interface after it was unbinded resulting in a
crash.

Thread-1                             Thread-2

ffs_func_req_match+0x68/0xc8
				drain_workqueue+0xac
				gsi_unbind[usb_f_gsi]+0x64
				purge_configs_funcs+0xb4
				configfs_composite_unbind+0xac
				usb_gadget_remove_driver+0xac
				usb_gadget_unregister_driver+0xd8
				gadget_dev_desc_UDC_store+0x114

android_setup+0x164/0x2a8
dwc3_ep0_inspect_setup+0x100/0x440
dwc3_ep0_interrupt+0xac/0x300
dwc3_process_event_entry+0x80/0x724
dwc3_process_event_buf+0x80/0x434
dwc3_thread_interrupt+0x60/0x124
irq_thread_fn+0x54/0xe4
irq_thread+0x3a4/0x6ec
kthread+0x188/0x1ec
ret_from_fork+0x10/0x20

The events happened in order are as follows:

We got a setup packet for ffs interface and was passed to android
setup callback from ep0.c. As part of the delegate request, the
dwc->lock is released.

At this instant a composition switch occurred and as per traces
and crash dumps:

1. UDC Stop was done successfully. So run stop is set to '0'
2. Composite disconnect was done and ep disable for all ep's is done
   gadget->connected = FALSE

3. Async callbacks disabled
   dwc->async_callbacks = FALSE

4. composite unbind is going on and the ffs interface in question is
unbinded
udc->driver != NULL
(as per crash dump indicating that unbind is in progress)

5. Purge configs was ongoing because as per crash dumps:
otg_desc[0] = NULL;
cdev->os_desc_req->buf is not NULL

(configfs_composite_unbind is going on, but composite_dev_cleanup
not yet done)

As per the traces:

23.794712:  dwc3_event   event=49216  ep0state=1  str=
23.794909:  dwc3_ctrl_req   bRequestType=161  bRequest=1  wValue=0
wIndex=2  wLength=4096

23.799740:  usb_gadget_disconnect   speed=5  max_speed=6  state=7
mA=0 deactivated=0  connected=0  ret=0

This indicated that android setup came first followed by composite
disconnect. Since the dwc->lock was released by delegate_request,
soft disconnect gets unblocked and runs parallel to composite setup.

After this, there is no check in path of composite setup
indicating unbind happened and bail out is necessary instead of
executing any function ops.

Protect composite_setup (as part of android_setup) in a spinlock
to block composite_disconnect/unbind running in parallel.

Moreover, in the configfs counterpart of android_setup
(configfs_composite_setup), the composite_setup call is done with spinlock
held.

It is only the android_setup missing this lock.

Bug: 280548269
Fixes: 7a160e2b96 ("ANDROID: usb: gadget: configfs: Add Uevent to notify userspace")
Change-Id: Id245e9f72801541689fcb185ba0459824bfb3904
Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
2023-05-05 20:46:11 +00:00
Jiyeon Ser
db8d05e8f0 ANDROID: ABI: update allowed list for galaxy
1 function symbol(s) added
  'int __traceiter_android_rvh_ufs_complete_init(void*, struct ufs_hba*)'

1 variable symbol(s) added
  'struct tracepoint __tracepoint_android_rvh_ufs_complete_init'

Bug: 280015864
Change-Id: I974fb83dc14b53d37cf9437e7b3890d699007019
Signed-off-by: Jiyeon Ser <jy.ser@samsung.com>
Signed-off-by: Giuliano Procida <gprocida@google.com>
2023-05-05 10:38:15 +00:00
Alistair Delva
5227c47617 ANDROID: GKI: Increase max 8250 uarts
Some boards need more than the default maximum of 4 uarts. This has no
impact unless 8250.nr_uarts is specified on the cmdline to increase
the number of runtime uarts from the GKI default of 0.

Bug: 280015873
Signed-off-by: Alistair Delva <adelva@google.com>
Change-Id: I5ba4e1dcce4f4e01b7d306fa3ab05319768eef00
2023-05-04 16:40:04 +00:00
Chao Yu
b70e2af3bd BACKPORT: f2fs: give priority to select unpinned section for foreground GC
Previously, during foreground GC, if victims contain data of pinned file,
it will fail migration of the data, and meanwhile i_gc_failures of that
pinned file may increase, and when it exceeds threshold, GC will unpin
the file, result in breaking pinfile's semantics.

In order to mitigate such condition, let's record and skip section which
has pinned file's data and give priority to select unpinned one.

Bug: 279387798
Signed-off-by: Chao Yu <chao.yu@oppo.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit bf123c9ddf34b3b6d0bb9b46f64478daf01b4f1f)
[drosen: Resolved trivial conflict in fs/f2fs/gc.c ]
Change-Id: Id18929506ff9ecadd48ae48f6734205a65af0bd8
2023-05-03 20:24:29 +00:00
Chao Yu
7c4a265d2a UPSTREAM: f2fs: check pinfile in gc_data_segment() in advance
In order to skip migrating section which contains data of pinned
file in advance.

Bug: 278486610
Signed-off-by: Chao Yu <chao.yu@oppo.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Chao Yu <chao@kernel.org>
(cherry picked from commit 3c4b4e198e7723f00c0f3a078144173fd591d6d8)
Change-Id: Ia5d0fa83376afd60cb9dec1ef2e377fedfd905f5
2023-05-03 20:24:29 +00:00