Fix a merge issue where eventfd_signal_mask() was added twice which
resulted in kernelci issues when !CONFIG_EVENTFD:
include/linux/eventfd.h:76:19: error: redefinition of ‘eventfd_signal_mask’
Fixes: 4ef66581d7 ("eventfd: provide a eventfd_signal_mask() helper")
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: Ifdd212e857c2ff76c75283e77b9978e51a96d178
Fix the cleanup logic in the driver probe failure code flow.
Change-Id: I08436bed13803b00803faf8bce25afa54aef9e6f
Signed-off-by: Rakesh Kota <quic_kotarake@quicinc.com>
Minidump ramdump collection appends dump data of
previous CDSP SSR dump elf to current elf. To avoid this,
the buffer is cleaned up and the data node is removed after taking the dump.
Change-Id: Ic412bf5c51769b1d69cd678a0a67225281d4bfcd
Acked-by: Ansa Ahmed <ansa@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
When there is no host attached, the ep driver creates a huge boot
delay of about 35sec, as our driver is waiting for the host to deassert
PERST in response to WAKE. All this waiting happens in the driver
probe context, so it delays our driver probe completion and
thus affects the overall kernel bootup.
To avoid this scenario, offload the link training part to a
worker thread context.
Change-Id: Iafd1c797ac7e51baab9b8758c4ead8c9d563336a
Signed-off-by: Krishna chaitanya chundru <quic_krichai@quicinc.com>
* refs/heads/tmp-026be06:
UPSTREAM: ext4: refuse to create ea block when umounted
UPSTREAM: ext4: optimize ea_inode block expansion
UPSTREAM: ext4: allocate extended attribute value in vmalloc area
UPSTREAM: usb: gadget: composite: Draw 100mA current if not configured
UPSTREAM: usb: dwc3: gadget: Change condition for processing suspend event
ANDROID: GKI: update xiaomi symbol list
UPSTREAM: net/sched: tcindex: update imperfect hash filters respecting rcu
FROMGIT: KVM: arm64: Ignore kvm-arm.mode if !is_hyp_mode_available()
UPSTREAM: KVM: arm64: Allow KVM to be disabled from the command line
ANDROID: ABI: Cuttlefish Symbol update
Revert "ANDROID: dma-ops: Add restricted vendor hook"
UPSTREAM: io_uring: ensure that io_init_req() passes in the right issue_flags
FROMGIT: usb: gadget: configfs: Restrict symlink creation is UDC already binded
UPSTREAM: io_uring: add missing lock in io_get_file_fixed
ANDROID: ABI: Update oplus symbol list
ANDROID: vendor_hooks: Add hooks for mutex and rwsem optimistic spin
ANDROID: dma-buf: heaps: Don't lock unused dmabuf_page_pool mutex
ANDROID: mm/filemap: Fix missing put_page() for speculative page fault
UPSTREAM: KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS
UPSTREAM: net: qrtr: combine nameservice into main module
ANDROID: GKI: Update symbol list for mtk
FROMLIST: rcu-tasks: Fix build error
ANDROID: incremental fs: Move throttling to outside page lock
ANDROID: incremental fs: Fix race between truncate and write last block
UPSTREAM: usb: gadget: u_serial: Add null pointer check in gserial_resume
Revert "ANDROID: GKI: loadavg: Export for get_avenrun"
ANDROID: ABI: Update allowed list for QCOM
ANDROID: Update symbol list for mtk
UPSTREAM: ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop
UPSTREAM: net_sched: reject TCF_EM_SIMPLE case for complex ematch module
UPSTREAM: io_uring/rw: remove leftover debug statement
UPSTREAM: io_uring/rw: ensure kiocb_end_write() is always called
UPSTREAM: io_uring: fix double poll leak on repolling
UPSTREAM: io_uring: Clean up a false-positive warning from GCC 9.3.0
UPSTREAM: io_uring/net: fix fast_iov assignment in io_setup_async_msg()
UPSTREAM: io_uring: io_kiocb_update_pos() should not touch file for non -1 offset
UPSTREAM: io_uring/rw: defer fsnotify calls to task context
UPSTREAM: io_uring: do not recalculate ppos unnecessarily
UPSTREAM: io_uring: update kiocb->ki_pos at execution time
UPSTREAM: io_uring: remove duplicated calls to io_kiocb_ppos
UPSTREAM: io_uring: ensure that cached task references are always put on exit
UPSTREAM: io_uring: fix CQ waiting timeout handling
UPSTREAM: io_uring: lock overflowing for IOPOLL
UPSTREAM: io_uring: check for valid register opcode earlier
UPSTREAM: io_uring: fix async accept on O_NONBLOCK sockets
UPSTREAM: io_uring: allow re-poll if we made progress
UPSTREAM: io_uring: support MSG_WAITALL for IORING_OP_SEND(MSG)
UPSTREAM: io_uring: add flag for disabling provided buffer recycling
UPSTREAM: io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly
UPSTREAM: io_uring: improve send/recv error handling
UPSTREAM: io_uring: don't gate task_work run on TIF_NOTIFY_SIGNAL
BACKPORT: iommu: Avoid races around device probe
UPSTREAM: io_uring/io-wq: only free worker if it was allocated for creation
UPSTREAM: io_uring/io-wq: free worker if task_work creation is canceled
UPSTREAM: io_uring: Fix unsigned 'res' comparison with zero in io_fixup_rw_res()
UPSTREAM: um: Increase stack frame size threshold for signal.c
Conflicts:
net/qrtr/Makefile
net/qrtr/af_qrtr.c
Change-Id: I84acecd94e0545c7423d04428e22526c6237c371
Signed-off-by: Srinivasarao Pathipati <quic_c_spathi@quicinc.com>
If blk_crypto_evict_key() sees that the key is still in-use (due to a
bug) or that ->keyslot_evict failed, it currently just returns while
leaving the key linked into the keyslot management structures.
However, blk_crypto_evict_key() is only called in contexts such as inode
eviction where failure is not an option. So actually the caller
proceeds with freeing the blk_crypto_key regardless of the return value
of blk_crypto_evict_key().
These two assumptions don't match, and the result is that there can be a
use-after-free in blk_crypto_reprogram_all_keys() after one of these
errors occurs. (Note, these errors *shouldn't* happen; we're just
talking about what happens if they do anyway.)
Fix this by making blk_crypto_evict_key() unlink the key from the
keyslot management structures even on failure.
Also improve some comments.
Fixes: 1b26283970 ("block: Keyslot Manager for Inline Encryption")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Bug: 270098322
(cherry picked from commit 5c7cb94452901a93e90c2230632e2c12a681bc92
https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux-block.git/log/?h=for-next)
Change-Id: I4e8983ad7db94ea8cd422743196da8854adda552
Signed-off-by: Eric Biggers <ebiggers@google.com>
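
Added example (not part of the commit or of the kernel source): a userspace C model of the failure path described above, comparing an evict routine that returns early on error with one that always unlinks the key. The structs, function names and the hw_evict_fails switch are hypothetical stand-ins for the keyslot management structures.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Userspace model; struct and function names are hypothetical, not kernel code. */
struct key { int id; };
struct slot { const struct key *key; int refs; };  /* key == NULL: slot unused */

#define NSLOTS 4
struct slot_mgr {
    struct slot slots[NSLOTS];
    bool hw_evict_fails;        /* simulates ->keyslot_evict returning an error */
};

/* Old behaviour: any failure returns early and leaves the key linked. */
int evict_before_fix(struct slot_mgr *m, const struct key *k)
{
    for (int i = 0; i < NSLOTS; i++) {
        struct slot *s = &m->slots[i];
        if (s->key != k)
            continue;
        if (s->refs != 0)
            return -EBUSY;
        int err = m->hw_evict_fails ? -EIO : 0;
        if (err)
            return err;
        s->key = NULL;
        return 0;
    }
    return 0;
}

/* Fixed behaviour: the error is still reported, but the key is always unlinked. */
int evict_after_fix(struct slot_mgr *m, const struct key *k)
{
    for (int i = 0; i < NSLOTS; i++) {
        struct slot *s = &m->slots[i];
        if (s->key != k)
            continue;
        int err = (s->refs != 0) ? -EBUSY : (m->hw_evict_fails ? -EIO : 0);
        s->key = NULL;          /* the caller frees k regardless of err */
        return err;
    }
    return 0;
}

/* Slots a reprogram-all-keys walk would still dereference once the caller frees k. */
int stale_slots(const struct slot_mgr *m, const struct key *k)
{
    int n = 0;
    for (int i = 0; i < NSLOTS; i++)
        n += (m->slots[i].key == k);
    return n;
}
```

A non-zero stale_slots() result after a failed evict is the dangling pointer that the later walk would follow.
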
blk_crypto_evict_key() is only called in contexts such as inode eviction
where failure is not an option. So there is nothing the caller can do
with errors except log them. (dm-table.c does "use" the error code, but
only to pass on to upper layers, so it doesn't really count.)
Just make blk_crypto_evict_key() return void and log errors itself.
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Bug: 270098322
(cherry picked from commit 70493a63ba04f754f7a7dd53a4fcc82700181490
https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux-block.git/log/?h=for-next)
Change-Id: I8b9c7a74473e21fb740f021ac9f2fff95f986aa4
Signed-off-by: Eric Biggers <ebiggers@google.com>
Once all I/O using a blk_crypto_key has completed, filesystems can call
blk_crypto_evict_key(). However, the block layer currently doesn't call
blk_crypto_put_keyslot() until the request is being freed, which happens
after upper layers have been told (via bio_endio()) the I/O has
completed. This causes a race condition where blk_crypto_evict_key()
can see 'slot_refs != 0' without there being an actual bug.
This makes __blk_crypto_evict_key() hit the
'WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)' and return without
doing anything, eventually causing a use-after-free in
blk_crypto_reprogram_all_keys(). (This is a very rare bug and has only
been seen when per-file keys are being used with fscrypt.)
There are two options to fix this: either release the keyslot before
bio_endio() is called on the request's last bio, or make
__blk_crypto_evict_key() ignore slot_refs. Let's go with the first
solution, since it preserves the ability to report bugs (via
WARN_ON_ONCE) where a key is evicted while still in-use.
Fixes: a892c8d52c ("block: Inline encryption support for blk-mq")
Cc: stable@vger.kernel.org
Reviewed-by: Nathan Huckleberry <nhuck@google.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Bug: 270098322
(cherry picked from commit 9cd1e566676bbcb8a126acd921e4e194e6339603
https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux-block.git/log/?h=for-next)
Change-Id: Ic2c2426db7693a06901c7893d481471f30de03b2
Signed-off-by: Eric Biggers <ebiggers@google.com>
Postamble packets are executed in privileged mode by gpu. So we should keep
them in a privileged scratch buffer to block userspace access. For
targets with APRIV feature support, we can mark the preemption scratch
buffer as privileged too to avoid similar issues in future.
Change-Id: Ifda360dda251083f38dfde80ce1b5dc83daae902
Signed-off-by: Akhil P Oommen <quic_akhilpo@quicinc.com>
Signed-off-by: Kaushal Sanadhya <quic_ksanadhy@quicinc.com>
Allow fully disabling CPU nodes using status = "fail".
This allows a bootloader to change the number of available CPUs (for
example when a common DTS is used for SoC variants with different numbers
of cores) without deleting the nodes altogether, which could require
additional fixups to avoid dangling phandle references.
Unknown status values (everything that is not "okay"/"ok", "disabled" or
"fail"/"fail-...") will continue to be interpreted like "disabled",
meaning that the CPU can be enabled during boot.
References:
- https://www.spinics.net/lists/devicetree-spec/msg01007.html
- https://github.com/devicetree-org/dt-schema/pull/61
Bug: 275500667
Change-Id: I0d0028c1d5f529c43f184556ac661c50fe026741
Link: https://lore.kernel.org/all/CAL_Jsq+1LsTBdVaODVfmB0eme2jMpNL4VgKk-OM7rQWyyF0Jbw@mail.gmail.com/
Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Tested-by: Sai Prakash Ranjan <quic_saipraka@quicinc.com>
Reviewed-by: Frank Rowand <frank.rowand@sony.com>
Link: https://lore.kernel.org/r/20211122114536.2981-1-matthias.schiffer@ew.tq-group.com
Signed-off-by: Rob Herring <robh@kernel.org>
(cherry picked from commit 4fdd0736a3b1634613d1d2eeb3328d27522052fb)
Signed-off-by: Komal Bajaj <quic_kbajaj@quicinc.com>
[ Upstream commit b94335f899542a0da5fafc38af8edcaf90195843 ]
bigben_probe() does not validate that the output report has the
needed report values in the first field.
A malicious device registering a report with one field and a single
value causes an head OOB write in bigben_worker() when
accessing report_field->value[1] to report_field->value[7].
Use hid_validate_values() which takes care of all the needed checks.
Bug: 268589017
Fixes: 256a90ed9e ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad")
Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
Link: https://lore.kernel.org/r/20230211-bigben-oob-v1-1-d2849688594c@diag.uniroma1.it
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I575c5d4c8a63a2065752a45c47b23cf725cc57ae
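
Added example (not part of the commit or of the kernel source): a userspace C model of the check this fix relies on, rejecting an output report whose first field has fewer than the 8 values implied by the value[1]..value[7] accesses. The structs and the validate_values() and fill_report() names are hypothetical; the kernel helper named in the commit is hid_validate_values().

```c
#include <stddef.h>

/* Userspace model of a HID output report; names are hypothetical, not kernel code. */
struct field  { unsigned report_count; int *value; };  /* value[] holds report_count entries */
struct report { unsigned maxfield; struct field **field; };

/* The worker touches value[1]..value[7], so the first field needs 8 entries. */
#define BIGBEN_VALUES 8

/* Returns r if field idx exists and carries at least `need` values, else NULL. */
const struct report *validate_values(const struct report *r,
                                     unsigned idx, unsigned need)
{
    if (!r || !r->field || idx >= r->maxfield || !r->field[idx])
        return NULL;
    if (!r->field[idx]->value || r->field[idx]->report_count < need)
        return NULL;
    return r;
}

/*
 * Model of the worker's writes. The payload is a placeholder, not the
 * driver's real protocol bytes. Returns 0 on success, -1 when the report
 * is rejected before any write happens.
 */
int fill_report(const struct report *r, int payload)
{
    if (!validate_values(r, 0, BIGBEN_VALUES))
        return -1;              /* device-supplied descriptor is too small */

    int *v = r->field[0]->value;
    for (int i = 1; i <= 7; i++)
        v[i] = payload;         /* in bounds: report_count >= 8 was checked */
    return 0;
}
```
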
[ Upstream commit 76ca8da989c7d97a7f76c75d475fe95a584439d7 ]
Use spinlocks to deal with workers introducing a wrapper
bigben_schedule_work(), and several spinlock checks.
Otherwise, bigben_set_led() may schedule bigben->worker after the
structure has been freed, causing a use-after-free.
Bug: 268589017
Fixes: 4eb1b01de5 ("HID: hid-bigbenff: fix race condition for scheduled work during removal")
Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-3-7860c5763c38@diag.uniroma1.it
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ia3f47b68264f6c492597b0b0603f6822dc624f2b
[ Upstream commit 27d2a2fd844ec7da70d19fabb482304fd1e0595b ]
bigben_worker() checks report_field to be non-NULL.
The check has been added in commit
918aa1ef104d ("HID: bigbenff: prevent null pointer dereference")
to prevent a NULL pointer crash.
However, the true root cause was a missing check for output
reports, patched in commit
c7bf714f8755 ("HID: check empty report_list in bigben_probe()"),
where the type-confused report list_entry was overlapping with
a NULL pointer, which was then causing the crash.
Bug: 268589017
Fixes: 918aa1ef104d ("HID: bigbenff: prevent null pointer dereference")
Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-2-7860c5763c38@diag.uniroma1.it
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ide36490e2e4482f6cf9af931bef052f172419e31
[ Upstream commit 9fefb6201c4f8dd9f58c581b2a66e5cde2895ea2 ]
bigben driver has a worker that may access data concurrently.
Protect the accesses using a spinlock.
Bug: 268589017
Fixes: 256a90ed9e ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad")
Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-1-7860c5763c38@diag.uniroma1.it
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I8b7a34cba4c79c26f3d1912c97a83820d88bd5a4
Add driver for AP72200 buck-boost regulator by vendor
"Diodes Incorporated" so that it can output a specified
voltage between 2.6 and 5.14 V, which can be set via
"regulator-min-voltage" DT property.
Change-Id: If18aae6814e3e5a62f1ec2f611dacac7b035f9f0
Signed-off-by: Umang Chheda <quic_uchheda@quicinc.com>
Enable early console for debug builds for Anorak target.
Also remove malformed early option 'earlycon' from build.config.anorak.
Change-Id: Ia9b50ebcff976fa56d00fc452c7c36986370e1d0
Signed-off-by: Hrishabh Rajput <quic_hrishabh@quicinc.com>
Include VA-Minidump support in hwsched path by dumping some
of the global hfi mem alloc entries and hfi mem globals.
Change-Id: Ic0b91079c5e389f991f42a6115fca7c9968b6737
Signed-off-by: SIVA MULLATI <quic_smullati@quicinc.com>
In the process of switching USB config from rndis to other config,
if the hardware does not support the ->pullup callback, or the
hardware encounters a low probability fault, both of them may cause
the ->pullup callback to fail, which will then cause a system panic
(use after free).
The gadget drivers sometimes need to be unloaded regardless of the
hardware's behavior.
Analysis as follows:
=======================================================================
(1) write /config/usb_gadget/g1/UDC "none"
gether_disconnect+0x2c/0x1f8
rndis_disable+0x4c/0x74
composite_disconnect+0x74/0xb0
configfs_composite_disconnect+0x60/0x7c
usb_gadget_disconnect+0x70/0x124
usb_gadget_unregister_driver+0xc8/0x1d8
gadget_dev_desc_UDC_store+0xec/0x1e4
(2) rm /config/usb_gadget/g1/configs/b.1/f1
rndis_deregister+0x28/0x54
rndis_free+0x44/0x7c
usb_put_function+0x14/0x1c
config_usb_cfg_unlink+0xc4/0xe0
configfs_unlink+0x124/0x1c8
vfs_unlink+0x114/0x1dc
(3) rmdir /config/usb_gadget/g1/functions/rndis.gs4
panic+0x1fc/0x3d0
do_page_fault+0xa8/0x46c
do_mem_abort+0x3c/0xac
el1_sync_handler+0x40/0x78
0xffffff801138f880
rndis_close+0x28/0x34
eth_stop+0x74/0x110
dev_close_many+0x48/0x194
rollback_registered_many+0x118/0x814
unregister_netdev+0x20/0x30
gether_cleanup+0x1c/0x38
rndis_attr_release+0xc/0x14
kref_put+0x74/0xb8
configfs_rmdir+0x314/0x374
If gadget->ops->pullup() returns an error, function rndis_close() will be
called, then it will cause a use-after-free problem.
=======================================================================
Fixes: 0a55187a1e ("USB: gadget core: Issue ->disconnect() callback from usb_gadget_disconnect()")
Signed-off-by: Jiantao Zhang <water.zhangjiantao@huawei.com>
Signed-off-by: TaoXue <xuetao09@huawei.com>
Link: https://lore.kernel.org/r/20221121130805.10735-1-water.zhangjiantao@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 273510696
Bug: 275027942
Change-Id: I702f324c5852d3b2448081b092fef464f8691989
(cherry picked from commit afdc12887f2b2ecf20d065a7d81ad29824155083)
[ray: Resolved minor conflict in drivers/usb/gadget/udc/core.c]
Signed-off-by: Ray Chi <raychi@google.com>
Gsi has two channels, tx and rx, currently defined in SW as
two arrays of channels. In process events we read the channel
id from event rings, and with this channel id we access
channel array elements. In error scenarios or corner cases we
get a channel id more than 2 and access the channel
array with the received channel id, which causes an out-of-range
memory access; hence we see a kernel panic with BRK handler.
To solve this, added a channel id check in process events.
Change-Id: I3200e1a2e282b4cefa0ff73569ffaf4149c2eca1
Signed-off-by: Anil Veshala Veshala <quic_aveshala@quicinc.com>
The subdevice list should be populated in a particular order as
the state notifications have a priority. This change re-orders
the subdevice add calls to ensure higher priority subdevices are
present at the start of the list.
This change is in line with
commit c9f2092072 ("remoteproc: qcom: pas: Fix subdevice add order").
Change-Id: Ic65a55e4b926f631af96644ad500833412a46d3d
Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
This change blocks access to channel name string,
in case channel name string length is more than permissible limits.
Change-Id: I48442f236b589f3691df6a37d3d86458347b4c9c
Signed-off-by: rakegand <quic_rakegand@quicinc.com>
Enabling some perf counter groups needs sending commands
to GPU. Add support to send these commands via HFI for
HW-Sched to enable these perfcounters.
Change-Id: I3441c024cf3a4bc56998d27153201e6cf9236d26
Signed-off-by: Akhil P Oommen <quic_akhilpo@quicinc.com>
Signed-off-by: Hareesh Gundu <quic_hareeshg@quicinc.com>