Bug: 177075428
Test: incfs_test passes
atest GtsIncrementalInstallTestCases has only 8 failures
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I73accfc1982aec1cd7947996c25a23e4a97cfdac
Bug: 174692664
Test: incfs_test passes, incremental installs work with ag/13082306
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: Ib1c924bbaff759f58f7d83bad8e23d7224ba7ed9
Add config settings to enable wifi via modules on db845c
Bug: 146449535
Change-Id: I81892c4cc48db7839fe99aa5fb0b0a0782cab321
Signed-off-by: John Stultz <john.stultz@linaro.org>
commit ef8576789e869b7584684ae81126a465eb1deeb6 upstream.
Add a node describing the watchdog found in the application subsystem.
Reviewed-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
(cherry picked from commit ef8576789e869b7584684ae81126a465eb1deeb6)
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Change-Id: I835d512c13c392e356c5190e865c0617e97041c2
The redistributable firmware should work on any engineering device, so
lets push this to qcom/sdm845, rather than qcom/db845c. Also specify the
path for the modem firmware.
Reviewed-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20191113203951.3704428-1-bjorn.andersson@linaro.org
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
(cherry picked from commit 82b1cc447a2c7c5121ce34f15f9840110ee3499f)
Signed-off-by: John Stultz <john.stultz@linaro.org>
Change-Id: Ica785dd7faee17dce933379dbb6ada32a3697bdb
commit b70b3a36ec33a2c8d3292f3b33fe2047a8f57b9a upstream.
Unless we sleep for a while before transitioning the MSA memory to WLAN
the MPSS.AT.4.0.c2-01184-SDM845_GEN_PACK-1 firmware triggers a security
violation fairly reliably. Unforutnately recovering from this failure
always results in the entire system freezing.
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
(cherry picked from commit b70b3a36ec33a2c8d3292f3b33fe2047a8f57b9a)
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Change-Id: Ie44e86d404f1897b7cc349a03972178374fef89c
If a client comes up early in the boot process (perhaps was a built-in
driver), qmi_handle_init() will likely fail with a EAFNOSUPPORT since the
underlying ipc router hasn't init'd and registered the address family.
This should not be a fatal error since chances are, the router will come
up later, so recode the error to EPROBE_DEFER so that clients will retry
later.
Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
Link: https://lore.kernel.org/r/20191106230511.1290-1-jeffrey.l.hugo@gmail.com
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
(cherry picked from commit 52af26e33e700158e6549f1465fcf9da099fabfa)
Signed-off-by: John Stultz <john.stultz@linaro.org>
Change-Id: I26a0dabe9b1f3b8e9cc793f7f52ee8f658ecdce3
Add the following symbols to QCOM allowed-list:
-- pcie_bus_configure_settings
Bug: 180475310
Change-Id: I49ed1ada673a9199370344cf2b89d7369f92d3f2
Signed-off-by: Tony Truong <truong@codeaurora.org>
This merges the 5.4.86 upstream LTS release into the android11-5.4
branch so that all devices can get the needed important security and
other bugfixes that are in here. All devices must upgrade to remain
properly secure from known issues.
Bug: 180469075
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I1041e0d08d55a3eb2e0f49b7d2384960f48d9b11
Update the android/abi_gki_aarch64_qcom with recent symbol additions.
No need to update the .xml file, as no new symbol addition.
Bug: 180426964
Signed-off-by: Raviteja Tamatam <travitej@codeaurora.org>
Change-Id: I301d36b0385756d6cfd5924c2655d5b728637a24
CONFIG_KASAN_PANIC_ON_WARN was added in a custom patch for Pixel kernels,
which would make KASAN panic the kernel after the first report regardless
of whether the panic_on_warn parameter is set. (Coincidentally, that patch
also would break instrumentation mode selection for KASAN.)
As that patch was never applied to the common kernel,
CONFIG_KASAN_PANIC_ON_WARN doesn't exist here. This change drops the
non-existent CONFIG_KASAN_PANIC_ON_WARN from build.config.gki_kasan.
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Change-Id: I9f42bb5f3515f18e2a5774241ea73a59d8883955
On a device like a cellphone which is constantly suspending
and resuming CLOCK_MONOTONIC is not particularly useful for
keeping track of or reacting to external network events.
Instead you want to use CLOCK_BOOTTIME.
Hence add bpf_ktime_get_boot_ns() as a mirror of bpf_ktime_get_ns()
based around CLOCK_BOOTTIME instead of CLOCK_MONOTONIC.
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
(cherry picked from commit 71d19214776e61b33da48f7c1b46e522c7f78221)
Change-Id: Ifd62c410dcc5112fd1a473a7e1f70231ca514bc0
Update the android/abi_gki_aarch64_qcom with recent symbol additions.
Simple change and no need to update the .xml file, as no new symbol
addition.
Bug: 179747683
Signed-off-by: Neeraja P <neerp@codeaurora.org>
Signed-off-by: Kamal Agrawal <kamaagra@codeaurora.org>
Change-Id: I1d5252ed623f83611a5b064a8e0e33e4f0d188c5
Export clk_hw_register_composite() to support user built as module.
ERROR: modpost: "clk_hw_register_composite" [drivers/clk/imx/mxc-clk.ko]
undefined!
(cherry picked from commit d7d7518fdcc8f43da69fb40073273e77f24be24f)
[Jindong: Resolved minor conflict in drivers/clk/clk-composite.c ]
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Reviewed-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Jindong Yue <jindong.yue@nxp.com>
Change-Id: I54496d44d4bf6599af3a3ec9c40c02556d55cf17
Several symbols in DesignWare PCI Core driver are used
to support PCIe controller work at Endpoint Mode.
Export them to support such driver built as module.
Bug: 159736148
Signed-off-by: Jindong Yue <jindong.yue@nxp.com>
Change-Id: I2c77bfbfbec750ecdf21f0cd1bbb20fe339a2f0c
commit 34b1a1ce1458f50ef27c54e28eb9b1947012907a upstream
fixup_pi_state_owner() tries to ensure that the state of the rtmutex,
pi_state and the user space value related to the PI futex are consistent
before returning to user space. In case that the user space value update
faults and the fault cannot be resolved by faulting the page in via
fault_in_user_writeable() the function returns with -EFAULT and leaves
the rtmutex and pi_state owner state inconsistent.
A subsequent futex_unlock_pi() operates on the inconsistent pi_state and
releases the rtmutex despite not owning it which can corrupt the RB tree of
the rtmutex and cause a subsequent kernel stack use after free.
It was suggested to loop forever in fixup_pi_state_owner() if the fault
cannot be resolved, but that results in runaway tasks which is especially
undesired when the problem happens due to a programming error and not due
to malice.
As the user space value cannot be fixed up, the proper solution is to make
the rtmutex and the pi_state consistent so both have the same owner. This
leaves the user space value out of sync. Any subsequent operation on the
futex will fail because the 10th rule of PI futexes (pi_state owner and
user space value are consistent) has been violated.
As a consequence this removes the inept attempts of 'fixing' the situation
in case that the current task owns the rtmutex when returning with an
unresolvable fault by unlocking the rtmutex which left pi_state::owner and
rtmutex::owner out of sync in a different and only slightly less dangerous
way.
Fixes: 1b7558e457 ("futexes: fix fault handling in futex_lock_pi")
Reported-by: gzobqq@gmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 34b1a1ce1458f50ef27c54e28eb9b1947012907a)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iabd44dad5d4b8385b8a20e44d18308708cc3b701
commit f2dac39d93987f7de1e20b3988c8685523247ae2 upstream
Too many gotos already and an upcoming fix would make it even more
unreadable.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f2dac39d93987f7de1e20b3988c8685523247ae2)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I5a97587c0f696d4f4b849f7f106990a5587fa402
commit 6ccc84f917d33312eb2846bd7b567639f585ad6d upstream
No point in open coding it. This way it gains the extra sanity checks.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 6ccc84f917d33312eb2846bd7b567639f585ad6d)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic34513518cd4996b3eb4cb82b669d727be522597
commit 2156ac1934166d6deb6cd0f6ffc4c1076ec63697 upstream
Nothing uses the argument. Remove it as preparation to use
pi_state_update_owner().
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2156ac1934166d6deb6cd0f6ffc4c1076ec63697)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I126088d93c5f05db654e508dfd4195e5c1696164
commit c5cade200ab9a2a3be9e7f32a752c8d86b502ec7 upstream
Updating pi_state::owner is done at several places with the same
code. Provide a function for it and use that at the obvious places.
This is also a preparation for a bug fix to avoid yet another copy of the
same code or alternatively introducing a completely unpenetratable mess of
gotos.
Originally-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c5cade200ab9a2a3be9e7f32a752c8d86b502ec7)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I17a67806a035338a55b27eea673d707fc4d8c529
commit 04b79c55201f02ffd675e1231d731365e335c307 upstream
If that unexpected case of inconsistent arguments ever happens then the
futex state is left completely inconsistent and the printk is not really
helpful. Replace it with a warning and make the state consistent.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 04b79c55201f02ffd675e1231d731365e335c307)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I32bd64130d9414f65155ecd80646d01eb4374a60
commit 12bb3f7f1b03d5913b3f9d4236a488aa7774dfe9 upstream
In case that futex_lock_pi() was aborted by a signal or a timeout and the
task returned without acquiring the rtmutex, but is the designated owner of
the futex due to a concurrent futex_unlock_pi() fixup_owner() is invoked to
establish consistent state. In that case it invokes fixup_pi_state_owner()
which in turn tries to acquire the rtmutex again. If that succeeds then it
does not propagate this success to fixup_owner() and futex_lock_pi()
returns -EINTR or -ETIMEOUT despite having the futex locked.
Return success from fixup_pi_state_owner() in all cases where the current
task owns the rtmutex and therefore the futex and propagate it correctly
through fixup_owner(). Fixup the other callsite which does not expect a
positive return value.
Fixes: c1e2f0eaf0 ("futex: Avoid violating the 10th rule of futex")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 12bb3f7f1b03d5913b3f9d4236a488aa7774dfe9)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I6dfb7407620fdf8293edbfbe54463f0c8ff63a57
commit 757fed1d0898b893d7daa84183947c70f27632f3 upstream.
This reverts commit dde3c6b72a16c2db826f54b2d49bdea26c3534a2.
syzbot report a double-free bug. The following case can cause this bug.
- mm/slab_common.c: create_cache(): if the __kmem_cache_create() fails,
it does:
out_free_cache:
kmem_cache_free(kmem_cache, s);
- but __kmem_cache_create() - at least for slub() - will have done
sysfs_slab_add(s)
-> sysfs_create_group() .. fails ..
-> kobject_del(&s->kobj); .. which frees s ...
We can't remove the kmem_cache_free() in create_cache(), because other
error cases of __kmem_cache_create() do not free this.
So, revert the commit dde3c6b72a16 ("mm/slub: fix a memory leak in
sysfs_slab_add()") to fix this.
Reported-by: syzbot+d0bd96b4696c1ef67991@syzkaller.appspotmail.com
Fixes: dde3c6b72a16 ("mm/slub: fix a memory leak in sysfs_slab_add()")
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 757fed1d0898b893d7daa84183947c70f27632f3)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3743749e527dddde63620ac16a0db66c475ac404
commit 1e106aa3509b86738769775969822ffc1ec21bf4 upstream.
The exit_pi_state_list() function calls put_pi_state() with IRQs disabled
and is not expecting that IRQs will be enabled inside the function.
Use the _irqsave() variant so that IRQs are restored to the original state
instead of being enabled unconditionally.
Fixes: 153fbd1226 ("futex: Fix more put_pi_state() vs. exit_pi_state_list() races")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20201106085205.GA1159983@mwanda
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2192d905df)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I10bc011b54ffc6d66c0a499ecebfa5b2d96d58ce
commit 9f5d1c336a10c0d24e83e40b4c1b9539f7dba627 upstream.
Gratian managed to trigger the BUG_ON(!newowner) in fixup_pi_state_owner().
This is one possible chain of events leading to this:
Task Prio Operation
T1 120 lock(F)
T2 120 lock(F) -> blocks (top waiter)
T3 50 (RT) lock(F) -> boosts T1 and blocks (new top waiter)
XX timeout/ -> wakes T2
signal
T1 50 unlock(F) -> wakes T3 (rtmutex->owner == NULL, waiter bit is set)
T2 120 cleanup -> try_to_take_mutex() fails because T3 is the top waiter
and the lower priority T2 cannot steal the lock.
-> fixup_pi_state_owner() sees newowner == NULL -> BUG_ON()
The comment states that this is invalid and rt_mutex_real_owner() must
return a non NULL owner when the trylock failed, but in case of a queued
and woken up waiter rt_mutex_real_owner() == NULL is a valid transient
state. The higher priority waiter has simply not yet managed to take over
the rtmutex.
The BUG_ON() is therefore wrong and this is just another retry condition in
fixup_pi_state_owner().
Drop the locks, so that T3 can make progress, and then try the fixup again.
Gratian provided a great analysis, traces and a reproducer. The analysis is
to the point, but it confused the hell out of that tglx dude who had to
page in all the futex horrors again. Condensed version is above.
[ tglx: Wrote comment and changelog ]
Fixes: c1e2f0eaf0 ("futex: Avoid violating the 10th rule of futex")
Reported-by: Gratian Crisan <gratian.crisan@ni.com>
Signed-off-by: Mike Galbraith <efault@gmx.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/87a6w6x7bb.fsf@ni.com
Link: https://lore.kernel.org/r/87sg9pkvf7.fsf@nanos.tec.linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2716e78a64)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I9ab0878641624448cacb1951506b5accb4c92a00
[ Upstream commit 921c7ebd1337d1a46783d7e15a850e12aed2eaa0 ]
If should_futex_fail() returns true in futex_wake_pi(), then the 'ret'
variable is set to -EFAULT and then immediately overwritten. So the failure
injection is non-functional.
Fix it by actually leaving the function and returning -EFAULT.
The Fixes tag is kinda blury because the initial commit which introduced
failure injection was already sloppy, but the below mentioned commit broke
it completely.
[ tglx: Massaged changelog ]
Fixes: 6b4f4bc9cb ("locking/futex: Allow low-level atomic operations to return -EAGAIN")
Signed-off-by: Mateusz Nosek <mateusznosek0@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20200927000858.24219-1-mateusznosek0@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 2db7590371)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I22198b7a65630cb5649f3e889810783b147bfada
Adds ANDROID_OEM_DATA and ANDROID_OEM_DATA_ARRAY macros
to add OEM-specific fields to kernel data structures
to enable value-added features implemented in vendor modules.
Fields defined with these macros must not be used by
SoC vendors who must use the ANDROID_VENDOR_DATA* macros
to add vendor fields.
Bug: 156285741
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I93a8a182a17854cc4f0a86835e833bf9b00ea0b8
Add support for matching the new PMUs. For now, this just wires them up
as generic PMUv3 such that people writing DTs for new SoCs can do the
right thing, and at least have architectural and raw events be usable.
We can come back and fill in event maps for sysfs and/or perf tools at
a later date.
Change-Id: I0c0839f6fff87934e97708176f783514bdee7f58
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
(cherry picked from commit 29cc4ceeac1274ab8363a11b81ebd99f3b023985
git://git.kernel.org/pub/scm/linux/kernel/git/will/linux.git for-next/perf)
Bug: 176519087
Link: https://lore.kernel.org/linux-arm-kernel/20200225190125.GA2781@bogus/T/#mdaa003324f263cc9541d412f7ba6b9519d6603fe
Signed-off-by: Chun-Hung Wu <chun-hung.wu@mediatek.com>
Change-Id: I335d4c9a9bfcfcfeb18b096cfe660209d3b62820
xhci-mtk needs XHCI_MTK_HOST quirk functions in add_endpoint() and
drop_endpoint() to handle its own sw bandwidth management.
It stores bandwidth data into an internal table every time
add_endpoint() is called, and drops those in drop_endpoint().
But when bandwidth allocation fails at one endpoint, all earlier
allocation from the same interface could still remain at the table.
This patch moves bandwidth management codes to check_bandwidth() and
reset_bandwidth() path. To do so, this patch also adds those functions
to xhci_driver_overrides and lets mtk-xhci to release all failed
endpoints in reset_bandwidth() path.
Fixes: 08e469de87 ("usb: xhci-mtk: supports bandwidth scheduling with multi-TT")
Signed-off-by: Ikjoon Jang <ikjn@chromium.org>
Link: https://lore.kernel.org/r/20210113180444.v6.1.Id0d31b5f3ddf5e734d2ab11161ac5821921b1e1e@changeid
Cc: stable <stable@vger.kernel.org>
(cherry picked from commit 1d69f9d901ef14d81c3b004e3282b8cc7b456280
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-linus)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I211875090c3b8080292a415fdb182fd4b8ac9729
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
We add a vendor hook for util to freq calculation in schedutil,
so we need to do corresponding change for energy calculation.
android_vh_em_pd_energy
adjust energy calculation
Bug: 178021064
Signed-off-by: Yun Hsiang <yun.hsiang@mediatek.com>
Change-Id: Iae772cf07881602eea3f27aeb75fba753e7c2635
Currently, the frequency is calculated by max freq * 1.25 * util / max cap.
Add a vendor hook to adjust the frequency when the calculation
overestimate.
android_vh_map_util_freq
adjust util to freq calculation
Bug: 177845438
Signed-off-by: Yun Hsiang <yun.hsiang@mediatek.com>
Change-Id: I9aa9079f00af7d3380b19f2fe21b75cddd107d15
In the Scudo memory allocator [1] we would like to be able to detect
use-after-free vulnerabilities involving large allocations by issuing
mprotect(PROT_NONE) on the memory region used for the allocation when it
is deallocated. Later on, after the memory region has been "quarantined"
for a sufficient period of time we would like to be able to use it for
another allocation by issuing mprotect(PROT_READ|PROT_WRITE).
Before this patch, after removing the write protection, any writes to the
memory region would result in page faults and entering the copy-on-write
code path, even in the usual case where the pages are only referenced by a
single PTE, harming performance unnecessarily. Make it so that any pages
in anonymous mappings that are only referenced by a single PTE are
immediately made writable during the mprotect so that we can avoid the
page faults.
This program shows the critical syscall sequence that we intend to use in
the allocator:
#include <string.h>
#include <sys/mman.h>
enum { kSize = 131072 };
int main(int argc, char **argv) {
char *addr = (char *)mmap(0, kSize, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
for (int i = 0; i != 100000; ++i) {
memset(addr, i, kSize);
mprotect((void *)addr, kSize, PROT_NONE);
mprotect((void *)addr, kSize, PROT_READ | PROT_WRITE);
}
}
The effect of this patch on the above program was measured on a
DragonBoard 845c by taking the median real time execution time of 10 runs.
Before: 3.19s
After: 0.79s
The effect was also measured using one of the microbenchmarks that
we normally use to benchmark the allocator [2], after modifying it
to make the appropriate mprotect calls [3]. With an allocation size
of 131072 bytes to trigger the allocator's "large allocation" code
path the per-iteration time was measured as follows:
Before: 33364ns
After: 6886ns
This patch means that we do more work during the mprotect call itself
in exchange for less work when the pages are accessed. In the worst
case, the pages are not accessed at all. The effect of this patch in
such cases was measured using the following program:
#include <string.h>
#include <sys/mman.h>
enum { kSize = 131072 };
int main(int argc, char **argv) {
char *addr = (char *)mmap(0, kSize, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
memset(addr, 1, kSize);
for (int i = 0; i != 100000; ++i) {
#ifdef PAGE_FAULT
memset(addr + (i * 4096) % kSize, i, 4096);
#endif
mprotect((void *)addr, kSize, PROT_NONE);
mprotect((void *)addr, kSize, PROT_READ | PROT_WRITE);
}
}
With PAGE_FAULT undefined (0 pages touched after removing write
protection) the median real time execution time of 100 runs was measured
as follows:
Before: 0.325928s
After: 0.365493s
With PAGE_FAULT defined (1 page touched) the measurements were
as follows:
Before: 0.441516s
After: 0.380251s
So it seems that even with a single page fault the new approach is faster.
I saw similar results if I adjusted the programs to use a larger mapping
size. With kSize = 1048576 I get these numbers with PAGE_FAULT undefined:
Before: 1.563078s
After: 1.607476s
i.e. around 3%.
And these with PAGE_FAULT defined:
Before: 1.684663s
After: 1.683272s
i.e. about the same.
What I think we may conclude from these results is that for smaller
mappings the advantage of the previous approach, although measurable, is
wiped out by a single page fault. I think we may expect that there should
be at least one access resulting in a page fault (under the previous
approach) after making the pages writable, since the program presumably
made the pages writable for a reason.
For larger mappings we may guesstimate that the new approach wins if the
density of future page faults is > 0.4%. But for the mappings that are
large enough for density to matter (not just the absolute number of page
faults) it doesn't seem like the increase in mprotect latency would be
very large relative to the total mprotect execution time.
Link: https://lkml.kernel.org/r/20201230004134.1185017-1-pcc@google.com
Link: https://linux-review.googlesource.com/id/I98d75ef90e20330c578871c87494d64b1df3f1b8
Link: [1] https://source.android.com/devices/tech/debug/scudo
Link: [2] https://cs.android.com/android/platform/superproject/+/master:bionic/benchmarks/stdlib_benchmark.cpp;l=53;drc=e8693e78711e8f45ccd2b610e4dbe0b94d551cc9
Link: [3] https://github.com/pcc/llvm-project/commit/scudo-mprotect-secondary
Signed-off-by: Peter Collingbourne <pcc@google.com>
[pcc: resolved minor conflict]
Cc: Kostya Kortchinsky <kostyak@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
(cherry picked from commit 2a9e75c907fa2de626d77dd4051fc038f0dbaf52
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git akpm)
Bug: 135772972
Change-Id: I98d75ef90e20330c578871c87494d64b1df3f1b8
Vendor hooks required explicitly defining macros or inline functions
to handle the non-GKI build case (!CONFIG_ANDROID_VENDOR_HOOKS). Added
support for generating them automatically so the macros are no longer
required.
Both models are now supported so we can transition.
Bug: 177416721
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I01acc389d315a5d509b0c48116854342a42e1058
If get_acc_dev() fails to obtain a reference to the current device,
acc_disconnect() will attempt to put_acc_dev() with the resulting NULL
pointer, leading to a crash:
| Unable to handle kernel NULL pointer dereference at virtual address 00000074
| [...]
| [<c0abb288>] (acc_disconnect) from [<c0a91a38>] (android_disconnect+0x1c/0x7c)
| [<c0a91a38>] (android_disconnect) from [<c0a93958>] (usb_gadget_udc_reset+0x10/0x34)
| [<c0a93958>] (usb_gadget_udc_reset) from [<c0a4a9c4>] (dwc3_gadget_reset_interrupt+0x88/0x4fc)
| [<c0a4a9c4>] (dwc3_gadget_reset_interrupt) from [<c0a491f8>] (dwc3_process_event_buf+0x60/0x3e4)
| [<c0a491f8>] (dwc3_process_event_buf) from [<c0a49180>] (dwc3_thread_interrupt+0x24/0x3c)
| [<c0a49180>] (dwc3_thread_interrupt) from [<c02b3404>] (irq_thread_fn+0x1c/0x58)
| [<c02b3404>] (irq_thread_fn) from [<c02b326c>] (irq_thread+0x1ec/0x2f4)
| [<c02b326c>] (irq_thread) from [<c0260804>] (kthread+0x1a8/0x1ac)
| [<c0260804>] (kthread) from [<c0200138>] (ret_from_fork+0x14/0x3c)
Follow the pattern used elsewhere, and return early if we fail to obtain
a reference.
Bug: 173789633
Reported-by: YongQin Liu <yongqin.liu@linaro.org>
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I37a2bff5bc1b6b8269788d08191181763bf0e896
Signed-off-by: Giuliano Procida <gprocida@google.com>
Using bitfields for shared variables is a "bad idea", as they require
a non-atomic read-modify-write to be generated by the compiler, which can
cause updates to unrelated bits in the same word to disappear.
Ensure the 'online' and 'disconnected' members of 'struct acc_dev' are
placed in separate variables by declaring them each as 'int'.
Bug: 173789633
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: Ia6031d82a764e83b2cc3502fbe5fb273511da752
Signed-off-by: Giuliano Procida <gprocida@google.com>
Tearing down and freeing the 'acc_dev' structure when there is
potentially asynchronous work queued involving its member fields is
likely to lead to use-after-free issues.
Cancel any pending work before freeing the structure.
Bug: 173789633
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I68a91274aea18034637b738d558d043ac74fadf4
Signed-off-by: Giuliano Procida <gprocida@google.com>
If acc_setup() is called when there is already an allocated instance,
misc_register() will fail but the error path leaves a dangling pointer
to freed memory in the global 'acc_dev' state.
Fix this by ensuring that the refcount is zero before we start, and then
using a cmpxchg() from NULL to serialise any concurrent initialisers.
Bug: 173789633
Signed-off-by: Will Deacon <willdeacon@google.com>
Change-Id: I2c26289dcce7dbc493964516c49b05d04aaa6839
Signed-off-by: Giuliano Procida <gprocida@google.com>
