d0782c9411
This is the merge of the upstream LTS release of 5.10.160 into the android12-5.10 branch. It contains the following commits:003c389455Merge 5.10.160 into android12-5.10-ltsa2428a8dcbLinux 5.10.16054c15f67cbASoC: ops: Correct bounds check for second channel on SX controls74b139c63fnvme-pci: clear the prp2 field when not used77ebf88e00ASoC: cs42l51: Correct PGA Volume minimum value4db1d19b74can: mcba_usb: Fix termination command argument683837f2f6can: sja1000: fix size of OCR_MODE_MASK define434b523671pinctrl: meditatek: Startup with the IRQs disabled5cb4abb0calibbpf: Use page size as max_entries when probing ring buffer map50b5f6d4d9ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()344739dc56ASoC: fsl_micfil: explicitly clear CHnF flagsa49c1a7307ASoC: fsl_micfil: explicitly clear software reset bit75454b4bbfio_uring: add missing item types for splice request17f386e6b7fuse: always revalidate if exclusive createeb6313c129nfp: fix use-after-free in area_cache_get()965d93fb39vfs: fix copy_file_range() averts filesystem freeze protectioned96733949vfs: fix copy_file_range() regression in cross-fs copies970862a96cx86/smpboot: Move rcu_cpu_starting() earlier32e45c58a0Merge "Merge 5.10.159 into android12-5.10-lts" into android12-5.10-ltsd31626cbeaANDROID: usb: gadget: uvc: remove duplicate code in unbind01ef2d0b53Merge 5.10.159 into android12-5.10-lts931578be69Linux 5.10.1594fd6f84e0acan: esd_usb: Allow REC and TEC to return to zerocf0e423106macsec: add missing attribute validation for offload6b03e41767net: mvneta: Fix an out of bounds check8208d7e56bipv6: avoid use-after-free in ip6_fragment()3d59adad12net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq()a00444e25bxen/netback: fix build warning87277bdf2cethernet: aeroflex: fix potential skb leak in greth_init_rings()cc668fdddetipc: call tipc_lxc_xmit without holding node_read_lock4be43e46c3net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()8e3f9ac009ipv4: Fix incorrect route flushing when table ID 0 is used5211e5ff9dipv4: Fix incorrect route flushing when source address is deleted36e248269atipc: Fix potential OOB in tipc_link_proto_rcv()93aaa4bb72net: hisilicon: Fix potential use-after-free in hix5hd2_rx()296a50aa8bnet: hisilicon: Fix potential use-after-free in hisi_femac_rx()8d1aed7a11net: thunderx: Fix missing destroy_workqueue of nicvf_rx_mode_wqa5cfbc1995ip_gre: do not report erspan version on GRE interface696e34d54cnet: stmmac: fix "snps,axi-config" node property parsingca26f45083nvme initialize core quirks before calling nvme_init_subsystem27eb2d7a1bNFC: nci: Bounds check struct nfc_target arraysa2506b19d7i40e: Disallow ip4 and ip6 l4_4_bytes8329b65e34i40e: Fix for VF MAC address 0215f3ac53bi40e: Fix not setting default xps_cpus after reset146ebee8fcnet: mvneta: Prevent out of bounds read in mvneta_config_rss()e6860c889fxen-netfront: Fix NULL sring after live migration3d3b30718anet: encx24j600: Fix invalid logic in reading of MISTAT register51ba1820e7net: encx24j600: Add parentheses to fix precedence42c319635cmac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()4c693330ceselftests: rtnetlink: correct xfrm policy rule in kci_test_ipsec_offloadbccda3ad07net: dsa: ksz: Check return valuee7b9504581Bluetooth: Fix not cleanup led when bt_init fails1717354d77Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn()80c69b31aavmxnet3: correctly report encapsulated LRO packet575a6266f6af_unix: Get user_ns from in_skb in unix_diag_get_exact().6c788c0a25drm: bridge: dw_hdmi: fix preference of RGB modes over YUV420de918d9738igb: Allocate MSI-X vector when testing6595c9208de1000e: Fix TX dispatch condition5ee6413d3dgpio: amd8111: Fix PCI device reference count leakb9aca69a6cdrm/bridge: ti-sn65dsi86: Fix output polarity setting bugb46e8c50c3netfilter: ctnetlink: fix compilation warning after data race fixes in ct mark0a8e66e375ca8210: Fix crash by zero initializing data27c71825ffieee802154: cc2520: Fix error return code in cc2520_hw_init()a0418d0a6bnetfilter: nft_set_pipapo: Actually validate intervals in fields after the first onecb283cca1drtc: mc146818-lib: fix signedness bug in mc146818_get_time()5c432383b6rtc: mc146818-lib: fix locking in mc146818_set_time5e26531d81rtc: cmos: Disable irq around direct invocation of cmos_interrupt()fccee93eb2mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb pagec42221efb1can: af_can: fix NULL pointer dereference in can_rcv_filterbc03f809daHID: core: fix shift-out-of-bounds in hid_report_raw_event959a23a4d1HID: hid-lg4ff: Add check for empty lbuf4dde75945aHID: usbhid: Add ALWAYS_POLL quirk for some mice11e95d85c3drm/shmem-helper: Avoid vm_open error paths6a4da05acddrm/shmem-helper: Remove errant put in error path007f561f59drm/vmwgfx: Don't use screen objects when SEV is active3cb78c3925KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field549b46f813Bluetooth: Fix crash when replugging CSR fake controllers380d183e99Bluetooth: btusb: Add debug message for CSR controllersf1cf856123mm/gup: fix gup_pud_range() for daxf1f7f36cf6memcg: fix possible use-after-free in memcg_write_event_control()32f01f0306media: v4l2-dv-timings.c: fix too strict blanking sanity checks043b2bc96cRevert "ARM: dts: imx7: Fix NAND controller size-cells"abfb8ae69bmedia: videobuf2-core: take mmap_lock in vb2_get_unmapped_area()83632fc414xen/netback: don't call kfree_skb() with interrupts disabled3eecd2bc10xen/netback: do some code cleanup49e07c0768xen/netback: Ensure protocol headers don't fall in the non-linear areadb44a9443ertc: mc146818: Reduce spinlock section in mc146818_set_time()17293d630frtc: cmos: Replace spin_lock_irqsave with spin_lock in hard IRQacfd8ef683rtc: cmos: avoid UIP when reading alarm time949bae0282rtc: cmos: avoid UIP when writing alarm time33ac73a41artc: mc146818-lib: extract mc146818_avoid_UIP8bb5fe5830rtc: mc146818-lib: fix RTC presence check775d4661f1rtc: Check return value from mc146818_get_time()b9a5c470e0rtc: mc146818-lib: change return values of mc146818_get_time()94eaf9966ertc: cmos: remove stale REVISIT commentsf5b51f8550rtc: mc146818: Dont test for bit 0-5 in Register D3736972360rtc: mc146818: Detect and handle broken RTCs7c7075c88drtc: mc146818: Prevent reading garbage7f445ca2e0mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths4a1cdb49d0mm/khugepaged: fix GUP-fast interaction by sending IPIcdfd3739b2mm/khugepaged: take the right locks for page table retraction1c0eec6a1dnet: usb: qmi_wwan: add u-blox 0x1342 compositiona8c5ffb4df9p/xen: check logical size for buffer sizeec36ebae36usb: dwc3: gadget: Disable GUSB2PHYCFG.SUSPHY for End Transferd9b53caf01fbcon: Use kzalloc() in fbcon_prepare_logo()8b130c770dregulator: twl6030: fix get status of twl6032 regulatorsf6f45e5383ASoC: soc-pcm: Add NULL check in BE reparenting688a45aff2btrfs: send: avoid unaligned encoded writes when attempting to clone range15c42ab8d4ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_eventd38e021416regulator: slg51000: Wait after asserting CS pin1331bcfcac9p/fd: Use P9_HDRSZ for header size96b43f36a5ARM: dts: rockchip: disable arm_global_timer on rk3066 and rk3188ddf58f5939ASoC: wm8962: Wait for updated value of WM8962_CLOCKING1 registerdbd78abd69ARM: 9266/1: mm: fix no-MMU ZERO_PAGE() implementationbb1866cf1eARM: 9251/1: perf: Fix stacktraces for tracepoint events in THUMB2 kernelsb1f40a0cdfARM: dts: rockchip: rk3188: fix lcdc1-rgb24 node name5f9474d07barm64: dts: rockchip: fix ir-receiver node names060d58924aARM: dts: rockchip: fix ir-receiver node names3e0c466771arm: dts: rockchip: fix node name for hym8563 rtc3ada63a876arm64: dts: rockchip: keep I2S1 disabled for GPIO function on ROCK Pi 4 series202ee06349Revert "mmc: sdhci: Fix voltage switch delay"0b0939466fANDROID: gki_defconfig: add CONFIG_FUNCTION_ERROR_INJECTION5ab4c6b843Merge 5.10.158 into android12-5.10-lts592346d5dcLinux 5.10.158cc1b4718ccipc/sem: Fix dangling sem_array access in semtimedop raced072a10c81v4l2: don't fall back to follow_pfn() if pin_user_pages_fast() fails9ba389863aproc: proc_skip_spaces() shouldn't think it is working on C strings4aa32aaef6proc: avoid integer type confusion in get_proc_long5f2f775605block: unhash blkdev part inode when the part is deleteda82869ac52Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send()4e0d6c687cchar: tpm: Protect tpm_pm_suspend with locks5a6f935ef3Revert "clocksource/drivers/riscv: Events are stopped during CPU suspend"f075cf139fACPI: HMAT: Fix initiator registration for single-initiator systemsf3b76b4d38ACPI: HMAT: remove unnecessary variable initialization63e72417a1i2c: imx: Only DMA messages with I2C_M_DMA_SAFE flag setdf76136598i2c: npcm7xx: Fix error handling in npcm_i2c_init()7462cd2443x86/pm: Add enumeration check before spec MSRs save/restore setup5e3d4a68e2x86/tsx: Add a feature bit for TSX control MSR supportb7f7a0402eRevert "tty: n_gsm: avoid call of sleeping functions from atomic context"481f9ed8ebipv4: Fix route deletion when nexthop info is not specified0b5394229eipv4: Handle attempt to delete multipath route when fib_info contains an nh reference4919503426selftests: net: fix nexthop warning cleanup double ip typo7ca14c5f24selftests: net: add delete nexthop route warning testf09ac62f0eKconfig.debug: provide a little extra FRAME_WARN leeway when KASAN is enabled19d91d3798parisc: Increase FRAME_WARN to 2048 bytes on pariscfcf20da099xtensa: increase size of gcc stack frame checka1877001edparisc: Increase size of gcc stack frame checka5c65cd56aiommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()10ed7655a1iommu/vt-d: Fix PCI device refcount leak in has_external_pci()302edce1ddpinctrl: single: Fix potential division by zerob50c964189ASoC: ops: Fix bounds check for _sx controlsa2efc46524io_uring: don't hold uring_lock when calling io_run_task_work*be111ebd88tracing: Free buffers when a used dynamic event is removed648b92e576drm/i915: Never return 0 if not all requests retired8649c023c4drm/amdgpu: temporarily disable broken Clang builds due to blown stack-frame940b774069mmc: sdhci: Fix voltage switch delayed19662453mmc: sdhci-sprd: Fix no reset data and command after voltage switchef767907e7mmc: sdhci-esdhc-imx: correct CQHCI exit halt state check46ee041cd6mmc: core: Fix ambiguous TRIM and DISCARD argb79be962b5mmc: mmc_test: Fix removal of debugfs filed4fc344c0dnet: stmmac: Set MAC's flow control register to reflect current settings549e24409apinctrl: intel: Save and restore pins in "direct IRQ" mode471fb7b735x86/bugs: Make sure MSR_SPEC_CTRL is updated properly upon resume from S3e858917ab7nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()6ddf788400tools/vm/slabinfo-gnuplot: use "grep -E" instead of "egrep"c099d12c55error-injection: Add prompt for function error injection26b6f927bbriscv: vdso: fix section overlapping under some conditions2b1d8f27e2net/mlx5: DR, Fix uninitialized var warningc40db1e5f3hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()f06e0cd01ehwmon: (coretemp) Check for null before removing sysfs attrsd93522d04fnet: ethernet: renesas: ravb: Fix promiscuous mode after system resumed176ee6c673sctp: fix memory leak in sctp_stream_outq_migrate()1c38c88accpacket: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE5f442e1d40net: tun: Fix use-after-free in tun_detach()5fa0fc5876afs: Fix fileserver probe RTT handling7ca81a161enet: hsr: Fix potential use-after-freea1ba595e35tipc: re-fetch skb cb after tipc_msg_validate4621bdfff5dsa: lan9303: Correct stat name45752af024net: ethernet: nixge: fix NULL dereferencee01c154237net/9p: Fix a potential socket leak in p9_socket_openb080d4668fnet: net_netdev: Fix error handling in ntb_netdev_init_module()fe6bc99c27net: phy: fix null-ptr-deref while probe() failed0184ede0ecwifi: mac8021: fix possible oob access in ieee80211_get_rate_duratione2ed90fd3awifi: cfg80211: don't allow multi-BSSID in S1G9e6b79a3cdwifi: cfg80211: fix buffer overflow in elem comparison6922948c2eaquantia: Do not purge addresses when setting the number of ringsfa59d49a49qlcnic: fix sleep-in-atomic-context bugs caused by msleepd753f554f2can: cc770: cc770_isa_probe(): add missing free_cc770dev()e74746bf04can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev()0d2f9d95d9net/mlx5e: Fix use-after-free when reverting termination table2cb84ff349net/mlx5: Fix uninitialized variable bug in outlen_write()b775f37d94e100: Fix possible use after free in e100_xmit_prepare086f656e44e100: switch from 'pci_' to 'dma_' API971c55f076iavf: Fix error handling in iavf_init_module()d389a4c698iavf: remove redundant ret variablefd4960ea53fm10k: Fix error handling in fm10k_init_module()dd425cec79i40e: Fix error handling in i40e_init_module()f166c62cadixgbevf: Fix resource leak in ixgbevf_init_module()8f7047f418of: property: decrement node refcount in of_fwnode_get_reference_args()be006212bdbpf: Do not copy spin lock field from user in bpf_selem_alloc90907cd4d1hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails7649bba263hwmon: (i5500_temp) fix missing pci_disable_device()dddfc03f04hwmon: (ina3221) Fix shunt sum critical calculation984fcd3ec1hwmon: (ltc2947) fix temperature scaling8a549ab672libbpf: Handle size overflow for ringbuf mmapcc140c729cARM: at91: rm9200: fix usb device clock id592724b14dscripts/faddr2line: Fix regression in name resolution on ppc64le353c3aaaf3bpf, perf: Use subprog name when reporting subprog ksymbold48f6a5784iio: light: rpr0521: add missing Kconfig dependencies5eb114f55biio: health:afe4404: Fix oob read in afe4404_[read|write]_rawb1756af172iio: health: afe4403: Fix oob read in afe4403_read_raw01d7c41eacbtrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()d3f5be8246drm/amdgpu: Partially revert "drm/amdgpu: update drm_display_info correctly when the edid is read"00570fafc2drm/amdgpu: update drm_display_info correctly when the edid is read44b204730bdrm/display/dp_mst: Fix drm_dp_mst_add_affected_dsc_crtcs() return code1faf21bdd1btrfs: move QUOTA_ENABLED check to rescan_should_stop from btrfs_qgroup_rescan_worker6050872f9fspi: spi-imx: Fix spi_bus_clk if requested clock is higher than input clock7b020665d4btrfs: free btrfs_path before copying inodes to userspaced5b7a34379btrfs: sink iterator parameter to btrfs_ioctl_logical_to_inof3226d86f8Revert "xfrm: fix "disable_policy" on ipv4 early demux"982d7f3eb8Merge 5.10.157 into android12-5.10-lts37d3df60cbANDROID: CRC ABI fixups in ip.h and ipv6.hf4245f0538Linux 5.10.1574801672fb0fuse: lock inode unconditionally in fuse_fallocate()86f0082fb9drm/i915: fix TLB invalidation for Gen12 video and compute enginesfeb97cf45edrm/amdgpu: always register an MMU notifier for userptr596b7d55d7drm/amd/dc/dce120: Fix audio register mapping, stop triggering KASANc86c1a7037btrfs: sysfs: normalize the error handling branch in btrfs_init_sysfs()1581830c0ebtrfs: free btrfs_path before copying subvol info to userspace0bdb8f7ef8btrfs: free btrfs_path before copying fspath to userspace24a37ba2cbbtrfs: free btrfs_path before copying root refs to userspaceb56d6e5585genirq: Take the proposed affinity at face value if force==true9d90a2b98eirqchip/gic-v3: Always trust the managed affinity provided by the core codee0d2c59ee9genirq: Always limit the affinity to online CPUsf8f80d532fgenirq/msi: Shutdown managed interrupts with unsatifiable affinities3eb6b89a4ewifi: wilc1000: validate number of channels5a068535c0wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST attribute905f886eaewifi: wilc1000: validate length of IEEE80211_P2P_ATTR_OPER_CHANNEL attribute7c6535fb4dwifi: wilc1000: validate pairwise and authentication suite offsets64b7f9a7dddm integrity: clear the journal on suspendd306f73079dm integrity: flush the journal on suspend79d9a11679gpu: host1x: Avoid trying to use GART on Tegra20a7f30b5b8dnet: usb: qmi_wwan: add Telit 0x103a composition7e8eaa939etcp: configurable source port perturb table size0acc008cf9platform/x86: hp-wmi: Ignore Smart Experience App event0964b77babzonefs: fix zone report size in __zonefs_io_error()a5937dae66platform/x86: acer-wmi: Enable SW_TABLET_MODE on Switch V 10 (SW5-017)52fb7bcea0platform/x86: asus-wmi: add missing pci_dev_put() in asus_wmi_set_xusb2pr()4fa717ba2dxen/platform-pci: add missing free_irq() in error pathf45a5a6c9fxen-pciback: Allow setting PCI_MSIX_FLAGS_MASKALL too9bbb587472Input: soc_button_array - add Acer Switch V 10 to dmi_use_low_level_irq[]4ea4316dffInput: soc_button_array - add use_low_level_irq module parameterc1620e996dInput: goodix - try resetting the controller when no config is setf4db050958serial: 8250: 8250_omap: Avoid RS485 RTS glitch on ->set_termios()7c3e39ccf5ASoC: Intel: bytcht_es8316: Add quirk for the Nanote UMPC-0136e0b97619Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI modeae9e0cc973binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0017de84253binder: Address corner cases in deferred copy and fixup2e3c27f241binder: fix pointer cast warningc9d3f25a7fbinder: defer copies of pre-patched txn data5204296fc7binder: read pre-translated fds from sender buffer23e9d815fabinder: avoid potential data leakage when copying txn22870431cdx86/ioremap: Fix page aligned size calculation in __ioremap_caller()3fdeacf087KVM: x86: remove exit_int_info warning in svm_handle_exit7e5cb13091KVM: x86: nSVM: leave nested mode on vCPU freed925dd3e44mm: vmscan: fix extreme overreclaim and swap floodsa4a62a23fagcov: clang: fix the buffer overflow issuee7f21d10e9nilfs2: fix nilfs_sufile_mark_dirty() not set segment usage as dirtyf06b7e6a77usb: dwc3: gadget: Clear ep descriptor lastcff7523ab8usb: dwc3: gadget: Return -ESHUTDOWN on ep disablea32635528dusb: dwc3: gadget: conditionally remove requestsca3a08e9d9ceph: fix NULL pointer dereference for req->r_session00c004c070ceph: Use kcalloc for allocating multiple elements69263bf781ceph: fix possible NULL pointer dereference for req->r_session8e137ace53ceph: put the requests/sessions when it fails to alloc memory38993788f4ceph: fix off by one bugs in unsafe_request_wait()8a31ae7f77ceph: flush the mdlog before waiting on unsafe reqs78b2f546f7ceph: flush mdlog before umountingd94ba7b3b7ceph: make iterate_sessions a global symbol9ac038d3c2ceph: make ceph_create_session_msg a global symbol8382cdf0abusb: cdns3: Add support for DRD CDNSP57112da86bmmc: sdhci-brcmstb: Fix SDHCI_RESET_ALL for CQHCIb5d770977bmmc: sdhci-brcmstb: Enable Clock Gating to save power049194538cmmc: sdhci-brcmstb: Re-organize flagsfbe955be26nios2: add FORCE for vmlinuz.gzc0a9c9973dinit/Kconfig: fix CC_HAS_ASM_GOTO_TIED_OUTPUT test with dash456e895fd0iio: core: Fix entry not deleted when iio_register_sw_trigger_type() failsfa9efcbfbfiio: light: apds9960: fix wrong register for gesture gainbd1b8041c2arm64: dts: rockchip: lower rk3399-puma-haikou SD controller clock frequency86ba9c8595ext4: fix use-after-free in ext4_ext_shift_extents350e98a08ausb: dwc3: exynos: Fix remove() functiond21d26e65blib/vdso: use "grep -E" instead of "egrep"c0cf8bc259net: enetc: preserve TX ring priority across reconfigurationde4dd4f9b3net: enetc: cache accesses to &priv->si->hw1f080b8caanet: enetc: manage ENETC_F_QBV in priv->active_offloads only when enabled1d840c5d67s390/crashdump: fix TOD programmable field size11052f1188net: thunderx: Fix the ACPI memory leakb034fe2a08nfc: st-nci: fix memory leaks in EVT_TRANSACTIONe14583073fnfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION9cc863d523arcnet: fix potential memory leak in com20020_probe()4d2be0cf27net: arcnet: Fix RESET flag handlinge61b00374as390/dasd: fix no record found for raw_track_accessaeebb07499ipv4: Fix error return code in fib_table_insert()c0af4d005adccp/tcp: Reset saddr on failure after inet6?_hash_connect().b8e494240enetfilter: flowtable_offload: add missing lockingaf9de5cdcbdma-buf: fix racing conflict of dma_heap_add()c40b76dfa7bnx2x: fix pci device refcount leak in bnx2x_vf_is_pcie_pending()f81e9c0510regulator: twl6030: re-add TWL6032_SUBCLASS32b944b9c4NFC: nci: fix memory leak in nci_rx_data_packet()68a7aec3f4net: sched: allow act_ct to be built without NF_NAT8e2664e12bsfc: fix potential memleak in __ef100_hard_start_xmit()6b638a16eaxfrm: Fix ignored return value in xfrm6_init()c7788361a6tipc: check skb_linearize() return value in tipc_disc_rcv()4058e3b74atipc: add an extra conn_get in tipc_conn_alloce87a077d09tipc: set con sock in tipc_conn_alloc891daa95b0net/mlx5: Fix handling of entry refcount when command is not issued to FWe06ff9f8fenet/mlx5: Fix FW tracer timestamp calculation5689eba90anetfilter: ipset: regression in ip_set_hash_ip.ce62e62ea91netfilter: ipset: Limit the maximal range of consecutive elements to add/delete8dca384970Drivers: hv: vmbus: fix possible memory leak in vmbus_device_register()909186cf34Drivers: hv: vmbus: fix double free in the error path of vmbus_add_channel_work()f42802e14amacsec: Fix invalid error code set72be055615nfp: add port from netdev validation for EEPROM accessce41e03cacnfp: fill splittable of devlink_port_attrs correctly0b553ded34net: pch_gbe: fix pci device refcount leak while module exiting2c59ef9ab6net/qla3xxx: fix potential memleak in ql3xxx_send()a24d5f6c8bnet/mlx4: Check retval of mlx4_bitmap_initda86a63479net: ethernet: mtk_eth_soc: fix error handling in mtk_open()756534f7cfARM: dts: imx6q-prti6q: Fix ref/tcxo-clock-frequency properties290a71ff72ARM: mxs: fix memory leak in mxs_machine_init()5c97af75f5netfilter: conntrack: Fix data-races around ct mark459332f8db9p/fd: fix issue of list_del corruption in p9_fd_cancel()26bb8f6aaanet: pch_gbe: fix potential memleak in pch_gbe_tx_queue()398a860a44nfc/nci: fix race with opening and closing3535c632e6rxrpc: Fix race between conn bundle lookup and bundle removal [ZDI-CAN-15975]23c03ee0eerxrpc: Use refcount_t rather than atomic_tbddde342c6rxrpc: Allow list of in-use local UDP endpoints to be viewed in /proca2d5dba2fcnet: liquidio: simplify if expression8124a02e17ARM: dts: at91: sam9g20ek: enable udc vbus gpio pinctrlb547bf71fatee: optee: fix possible memory leak in optee_register_device()b76c5a99f4bus: sunxi-rsb: Support atomic transfers0c059b7d2aregulator: core: fix UAF in destroy_regulator()fcb2d28636spi: dw-dma: decrease reference count in dw_spi_dma_init_mfld()0b6441abfaregulator: core: fix kobject release warning and memory leak in regulator_register()26d3d3ffa8scsi: storvsc: Fix handling of srb_status and capacity change eventsc34db0d6b8ASoC: soc-pcm: Don't zero TDM masks in __soc_pcm_open()4f6c7344abASoC: sgtl5000: Reset the CHIP_CLK_CTRL reg on remove164a5b50d1ASoC: hdac_hda: fix hda pcm buffer overflow issue7cfb4b8579ARM: dts: am335x-pcm-953: Define fixed regulators in root nodeb7000254c1af_key: Fix send_acquire race with pfkey_register51969d679bxfrm: replay: Fix ESN wrap around for GSO497653f6d2xfrm: fix "disable_policy" on ipv4 early demux836bbdfcf8MIPS: pic32: treat port as signed integerc0bb600f07RISC-V: vdso: Do not add missing symbols to version section in linker script81cc6d8400arm64/syscall: Include asm/ptrace.h in syscall_wrapper header.fa5f2c72d3block, bfq: fix null pointer dereference in bfq_bio_bfqg()d29bde8689drm: panel-orientation-quirks: Add quirk for Acer Switch V 10 (SW5-017)f7ce6fb04escsi: scsi_debug: Make the READ CAPACITY response compliant with ZBC2574903ee2scsi: ibmvfc: Avoid path failures during live migration7fc62181c1platform/x86: touchscreen_dmi: Add info for the RCA Cambio W101 v2 2-in-1f54a11b6bfRevert "net: macsec: report real_dev features when HW offloading is enabled"f4b8c0710aselftests/bpf: Add verifier test for release_reference()361a165098spi: stm32: fix stm32_spi_prepare_mbr() that halves spi clk for every run2c1ca23555wifi: mac80211: Fix ack frame idr leak when mesh has no route8d39913158wifi: airo: do not assign -1 to unsigned char8552e6048eaudit: fix undefined behavior in bit shift for AUDIT_BIT1c9eb641d1riscv: dts: sifive unleashed: Add PWM controlled LEDs92ae6facd1wifi: mac80211_hwsim: fix debugfs attribute ps with rc table support2fcc593b50wifi: mac80211: fix memory free error when registering wiphy fail044bc6d3c2ceph: avoid putting the realm twice when decoding snaps failsd43219bb33ceph: do not update snapshot context when there is no new snapshot49c71b6814iio: pressure: ms5611: fixed value compensation bug879139bc7aiio: ms5611: Simplify IO callback parameters80c825e1e3nvme-pci: add NVME_QUIRK_BOGUS_NID for Micron Nitrof4066fb910nvme: add a bogus subsystem NQN quirk for Micron MTFDKBA2T0TFH4f0cea018edrm/display: Don't assume dual mode adaptors support i2c sub-addressing347f1793b5bridge: switchdev: Fix memory leaks when changing VLAN protocol89a7f155e6bridge: switchdev: Notify about VLAN protocol changesf5cbd86ebfata: libata-core: do not issue non-internal commands once EH is pending4034d06a4data: libata-scsi: simplify __ata_scsi_queuecmd()03aabcb88ascsi: scsi_transport_sas: Fix error handling in sas_phy_add()d9b90a99f3Merge 5.10.156 into android12-5.10-lts25af5a11f1Merge 5.10.155 into android12-5.10-ltse5d2cd6ad8ANDROID: abi preservation for fscrypt change in 5.10.1545bc3ece380Revert "serial: 8250: Let drivers request full 16550A feature probing"f466ca1247Merge 5.10.154 into android12-5.10-lts6d46ef50b1Linux 5.10.1567be134eb69Revert "net: broadcom: Fix BCMGENET Kconfig"957732a09cntfs: check overflow when iterating ATTR_RECORDs6322dda483ntfs: fix out-of-bounds read in ntfs_attr_find()b825bfbbaantfs: fix use-after-free in ntfs_attr_find()294ef12dccmm: fs: initialize fsdata passed to write_begin/write_end interfacea8e2fc8f7b9p/trans_fd: always use O_NONBLOCK read/writea5da76df46gfs2: Switch from strlcpy to strscpy5fa30be7bagfs2: Check sb_bsize_shift after reading superblockf14858bc779p: trans_fd/p9_conn_cancel: drop client lock earlier4154b6afa2kcm: close race conditions on sk_receive_queue7deb7a9d33kcm: avoid potential race in kcm_tx_work35309be06btcp: cdg: allow tcp_cdg_release() to be called multiple timese929ec98c0macvlan: enforce a consistent minimal mtu95ebea5a15uapi/linux/stddef.h: Add include guards3f25add5ecInput: i8042 - fix leaking of platform device on module removal7d606ae1abkprobes: Skip clearing aggrprobe's post_handler in kprobe-on-ftrace case89ece5ff7dscsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper()75205f1b47scsi: target: tcm_loop: Fix possible name leak in tcm_loop_setup_hba_bus()6e9334436dnet: use struct_group to copy ip/ipv6 header addresses9fd7bdaffestddef: Introduce struct_group() helper macro47c3bdd955usbnet: smsc95xx: Fix deadlock on runtime resume8208c266fering-buffer: Include dropped pages in counting dirty patches36b5095b07net: fix a concurrency bug in l2tp_tunnel_register()023435a095nvme: ensure subsystem reset is single threadedb9a5ecf241nvme: restrict management ioctls to admin5e2f14d772perf/x86/intel/pt: Fix sampling using single range output62634b43d3misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()c1eb46a65bdocs: update mediator contact information in CoC doc4423866d31mmc: sdhci-pci: Fix possible memory leak caused by missing pci_dev_put()440653a180mmc: sdhci-pci-o2micro: fix card detect fail issue caused by CD# debounce timeout8e70b14131mmc: core: properly select voltage range without power cycle05b0f6624dfirmware: coreboot: Register bus in module initdeda86a0d8iommu/vt-d: Set SRE bit only when hardware has SRS capd2c7d8f58escsi: zfcp: Fix double free of FSF request when qdio send failsdb744288afmaccess: Fix writing offset in case of fault in strncpy_from_kernel_nofault()24cc679abbInput: iforce - invert valid length check when fetching device IDs5f4611fe01serial: 8250_lpss: Configure DMA also w/o DMA filter8679087e93serial: 8250: Flush DMA Rx on RLSIa5eaad87bfserial: 8250: Fall back to non-DMA Rx if IIR_RDI occursf59f5a269cdm ioctl: fix misbehavior if list_versions races with module loading67a75a9480iio: pressure: ms5611: changed hardcoded SPI speed to value limitedd95b85c508iio: adc: mp2629: fix potential array out of bound access46b8bc62c5iio: adc: mp2629: fix wrong comparison of channel8dddf2699diio: trigger: sysfs: fix possible memory leak in iio_sysfs_trig_init()85d2a8b287iio: adc: at91_adc: fix possible memory leak in at91_adc_allocate_trigger()85cc1a2fd8usb: typec: mux: Enter safe mode only when pins need to be reconfiguredefaab05520usb: chipidea: fix deadlock in ci_otg_del_timer143ba5c2d2usb: add NO_LPM quirk for Realforce 87U Keyboard249cef723fUSB: serial: option: add Fibocom FM160 0x0111 composition5c44c60358USB: serial: option: add u-blox LARA-L6 modem0e88a3cfa6USB: serial: option: add u-blox LARA-R6 00B modemde707957d9USB: serial: option: remove old LARA-R6 PID878227a3ddUSB: serial: option: add Sierra Wireless EM919125c652811dUSB: bcma: Make GPIO explicitly optionaleb3af3ea5bspeakup: fix a segfault caused by switching consoles8cbaf4ed53slimbus: stream: correct presence rate frequencies15155f7c0eRevert "usb: dwc3: disable USB core PHY management"100d1e53bbALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360c7dcc89482ALSA: hda/realtek: fix speakers for Samsung Galaxy Book Proa80369c8caALSA: usb-audio: Drop snd_BUG_ON() from snd_usbmidi_output_open()28a54854a9tracing: kprobe: Fix potential null-ptr-deref on trace_array in kprobe_event_gen_test_exit()bb70fcae41tracing: kprobe: Fix potential null-ptr-deref on trace_event_file in kprobe_event_gen_test_exit()315b149f08tracing: Fix wild-memory-access in register_synth_event()65ba7e7c24tracing: Fix memory leak in test_gen_synth_cmd() and test_empty_synth_event()5d4cc7bc1atracing/ring-buffer: Have polling block on watermark5fdebbeca5ring_buffer: Do not deactivate non-existant pages6a14828cadftrace: Fix null pointer dereference in ftrace_add_mod()6ed60c60ecftrace: Optimize the allocation for mcount entries9569eed79bftrace: Fix the possible incorrect kernel message5fc19c8313cifs: add check for returning value of SMB2_set_info_init0aeb0de528net: thunderbolt: Fix error handling in tbnet_init()e13ef43813cifs: Fix wrong return value checking when GETFLAGS9f00da9c86net/x25: Fix skb leak in x25_lapb_receive_frame()94822d2331net: ag71xx: call phylink_disconnect_phy if ag71xx_hw_enable() fail in ag71xx_open()3aeb13bc3dcifs: add check for returning value of SMB2_close_initc24013273eplatform/x86/intel: pmc: Don't unconditionally attach Intel PMC when virtualized9ed51414aedrbd: use after free in drbd_create_device()6b23a4b252net: ena: Fix error handling in ena_init()2d5a495501net: ionic: Fix error handling in ionic_init_module()bb9924a6edxen/pcpu: fix possible memory leak in register_pcpu()d6a561bd4cbnxt_en: Remove debugfs when pci_register_driver failed389738f5dbnet: caif: fix double disconnect client in chnl_net_open()fb5ee1560bnet: macvlan: Use built-in RCU list checking709aa1f73dmISDN: fix misuse of put_device() in mISDN_register_device()417f2d2edfnet: liquidio: release resources when liquidio driver open failed4cba73f2d6net: hinic: Fix error handling in hinic_module_init()083a2c9ef8mISDN: fix possible memory leak in mISDN_dsp_element_register()6b23993d5bnet: bgmac: Drop free_netdev() from bgmac_enet_remove()1f6a73b25dbpf: Initialize same number of free nodes for each pcpu_freelistef2ac07ab8ata: libata-transport: fix error handling in ata_tdev_add()7377a14598ata: libata-transport: fix error handling in ata_tlink_add()b5362dc163ata: libata-transport: fix error handling in ata_tport_add()ac471468f7ata: libata-transport: fix double ata_host_put() in ata_tport_add()ac4f404c25arm64: dts: imx8mn: Fix NAND controller size-cells30ece7dbeearm64: dts: imx8mm: Fix NAND controller size-cellsf68a9efd78ARM: dts: imx7: Fix NAND controller size-cells1d160dfb3fdrm: Fix potential null-ptr-deref in drm_vblank_destroy_worker()c47a823ea1drm/drv: Fix potential memory leak in drm_dev_init()c776a49d09drm/panel: simple: set bpc field for logic technologies displays777430aa4dpinctrl: devicetree: fix null pointer dereferencing in pinctrl_dt_to_mapbce3e6fe8bparport_pc: Avoid FIFO port location truncationa4b5423f88siox: fix possible memory leak in siox_device_add()0679f571d3arm64: Fix bit-shifting UB in the MIDR_CPU_MODEL() macro58636b5ff3block: sed-opal: kmalloc the cmd/resp bufferse27458b18bsctp: clear out_curr if all frag chunks of current msg are pruned0b4c259b63sctp: remove the unnecessary sinfo_stream check in sctp_prsctp_prune_unsent7360e7c29dASoC: soc-utils: Remove __exit for snd_soc_util_exit()e60f37a1d3bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()b8fe1a5aa7tty: n_gsm: fix sleep-in-atomic-context bug in gsm_control_send0a3160f4ffserial: imx: Add missing .thaw_noirq hook7e1f908e65serial: 8250: omap: Flush PM QOS work on removed833cba201serial: 8250: omap: Fix unpaired pm_runtime_put_sync() in omap8250_remove()b0b6ea651eserial: 8250_omap: remove wait loop from Errata i202 workaroundf14c312c21serial: 8250: omap: Fix missing PM runtime calls for omap8250_set_mctrl()85cdbf04b4serial: 8250: Remove serial_rs485 sanitization from em485f5dedad405ASoC: tas2764: Fix set_tdm_slot in case of single slot9e82d78fbeASoC: tas2770: Fix set_tdm_slot in case of single slot8d21554ec7ASoC: core: Fix use-after-free in snd_soc_exit()38ca9bd336spi: stm32: Print summary 'callbacks suppressed' messagea180da5564drm/amdgpu: disable BACO on special BEIGE_GOBY cardf3adf0adf3drm/amd/pm: disable BACO entry/exit completely on several sienna cichlid cardsb0faeff69adrm/amd/pm: Read BIF STRAP also for BACO check6958556285drm/amd/pm: support power source switch on Sienna Cichlid7daab001a6mmc: sdhci-esdhc-imx: use the correct host caps for MMC_CAP_8_BIT_DATA65ac4d1807spi: intel: Use correct mask for flash and protected regions23793518a7mtd: spi-nor: intel-spi: Disable write protection only if askeda326fffdc7ALSA: hda/realtek: fix speakers and micmute on HP 855 G824839d027cASoC: codecs: jz4725b: Fix spelling mistake "Sourc" -> "Source", "Routee" -> "Route"bd48793240Bluetooth: L2CAP: Fix l2cap_global_chan_by_psmce75e90859btrfs: remove pointless and double ulist frees in error paths of qgroup tests16743c4bf3drm/imx: imx-tve: Fix return type of imx_tve_connector_mode_validdf2747f295i2c: i801: add lis3lv02d's I2C address for Vostro 5568959cb0fd69i2c: tegra: Allocate DMA memory for DMA engine6cb657722eNFSv4: Retry LOCK on OLD_STATEID during delegation returnf0187227e2drm/amd/display: Remove wrong pipe control lockbb3edbd092ASoC: rt1308-sdw: add the default value of some registersb1619f0307selftests/intel_pstate: fix build for ARCH=x86_64fdf6807606selftests/futex: fix build for clangc1f0defecbASoC: codecs: jz4725b: fix capture selector namingaeb7e8bc0dASoC: codecs: jz4725b: use right control for Capture Volumec87945c173ASoC: codecs: jz4725b: fix reported volume for Master ctl9aae00961aASoC: codecs: jz4725b: add missed Line In power control bit0b4d650f90spi: intel: Fix the offset to get the 64K erase opcode6910e7279fASoC: wm8962: Add an event handler for TEMP_HP and TEMP_SPKc7432616f6ASoC: mt6660: Keep the pm_runtime enables before component stuff in mt6660_i2c_probea47606064cASoC: wm8997: Revert "ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe"f8f254c8b5ASoC: wm5110: Revert "ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe"c73aa2cc41ASoC: wm5102: Revert "ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe"673a7341bdMerge 5.10.153 into android12-5.10-lts27b36ba7c2Merge 5.10.152 into android12-5.10-ltsbf759deb0fMerge 5.10.151 into android12-5.10-lts6b31c548a1ANDROID: fix up struct sk_buf ABI breakagebd66e91ad2ANDROID: fix up CRC issue with struct tcp_sock3905cfd1d6Revert "serial: 8250: Toggle IER bits on only after irq has been set up"41217963b1Linux 5.10.1550f544353feio_uring: kill goto error handling in io_sqpoll_wait_sq()154d744fbex86/cpu: Restore AMD's DE_CFG MSR after resumee7294b01demmc: sdhci-esdhc-imx: Convert the driver to DT-only534762e261net: tun: call napi_schedule_prep() to ensure we own a napi367bc0fa98dmaengine: at_hdmac: Check return code of dma_async_device_register85f97c97efdmaengine: at_hdmac: Fix impossible conditionf53a233eaadmaengine: at_hdmac: Don't allow CPU to reorder channel enablef451285522dmaengine: at_hdmac: Fix completion of unissued descriptor in case of errors6be4ab08c8dmaengine: at_hdmac: Fix descriptor handling when issuing it to hardwarea35dd5dd98dmaengine: at_hdmac: Fix concurrency over the active list0f603bf553dmaengine: at_hdmac: Free the memset buf without holding the chan lock7f07cecc74dmaengine: at_hdmac: Fix concurrency over descriptor1582cc3b48dmaengine: at_hdmac: Fix concurrency problems by removing atc_complete_all()9b69060a72dmaengine: at_hdmac: Protect atchan->status with the channel lockee35682261dmaengine: at_hdmac: Do not call the complete callback on device_terminate_all7078e935b4dmaengine: at_hdmac: Fix premature completion of desc in issue_pendingad4cbe8e9cdmaengine: at_hdmac: Start transfer for cyclic channels in issue_pending24f9e93e50dmaengine: at_hdmac: Don't start transactions at tx_submit level4b51cce72admaengine: at_hdmac: Fix at_lli struct definitiond37dfb9357cert host tools: Stop complaining about deprecated OpenSSL functionsf8e0edeaa0can: j1939: j1939_send_one(): fix missing CAN header initialization0b692d41eemm/memremap.c: map FS_DAX device memory as decrypted03f9582a6audf: Fix a slab-out-of-bounds write bug in udf_find_entry()4ea3aa3b98mms: sdhci-esdhc-imx: Fix SDHCI_RESET_ALL for CQHCI9c0accfa5abtrfs: selftests: fix wrong error check in btrfs_free_dummy_root()8fa0c22ef8platform/x86: hp_wmi: Fix rfkill causing soft blocked wifib5ee579fcbdrm/i915/dmabuf: fix sg_table handling in map_dma_buf4feedde548nilfs2: fix use-after-free bug of ns_writer on remount1d4ff73062nilfs2: fix deadlock in nilfs_count_free_blocks()344ddbd688ata: libata-scsi: fix SYNCHRONIZE CACHE (16) command failure516f9f2300vmlinux.lds.h: Fix placement of '.data..decrypted' sectionf6896fb69dALSA: usb-audio: Add DSD support for Accuphase DAC-602032c2d32bALSA: usb-audio: Add quirk entry for M-Audio Microa414a6d6efALSA: hda/realtek: Add Positivo C6300 model quirk3a79f9568dALSA: hda: fix potential memleak in 'add_widget_node'380d64168dALSA: hda/ca0132: add quirk for EVGA Z390 DARK181cfff57bALSA: hda/hdmi - enable runtime pm for more AMD display audioea6787e482mmc: sdhci-tegra: Fix SDHCI_RESET_ALL for CQHCI0a8d4531a0mmc: sdhci_am654: Fix SDHCI_RESET_ALL for CQHCI3f558930admmc: sdhci-of-arasan: Fix SDHCI_RESET_ALL for CQHCIb55e64d0a3mmc: cqhci: Provide helper for resetting both SDHCI and CQHCI4631cb0406MIPS: jump_label: Fix compat branch range check475fd3991aarm64: efi: Fix handling of misaligned runtime regions and drop warning94ab8f88feriscv: fix reserved memory setup0cf9cb0614riscv: Separate memory init from paging initd7716240bcriscv: Enable CMA supportecf78af514riscv: vdso: fix build with llvme56d18a976riscv: process: fix kernel info leakage956e0216a1net: macvlan: fix memory leaks of macvlan_common_newlink59ec132386ethernet: tundra: free irq when alloc ring failed in tsi108_open()dd7beaec8bnet: mv643xx_eth: disable napi when init rxq or txq failed in mv643xx_eth_open()56d3b5531bethernet: s2io: disable napi when start nic failed in s2io_card_up()05b2228434net: atlantic: macsec: clear encryption keys from the stack1a4e495edfnet: phy: mscc: macsec: clear encryption keys when freeing a flow4ad684ba02cxgb4vf: shut down the adapter when t4vf_update_port_info() failed in cxgb4vf_open()38aa7ed8c2net: cxgb3_main: disable napi when bind qsets failed in cxgb_up()fd52dd2d6enet: cpsw: disable napi in cpsw_ndo_open()3b27e20601net/mlx5e: E-Switch, Fix comparing termination table instanceeb6fa0ac2anet/mlx5: Allow async trigger completion execution on single CPU systemsbdd282bba7net: nixge: disable napi when enable interrupts failed in nixge_open()5333cf1b7fnet: marvell: prestera: fix memory leak in prestera_rxtx_switch_init()cf4853880eperf stat: Fix printing os->prefix in CSV metrics output3a4a3c3b1fdrivers: net: xgene: disable napi when register irq failed in xgene_enet_open()0b7ee3d50fdmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove()6e2ffae69ddmaengine: pxa_dma: use platform_get_irq_optionalf31dd15858tipc: fix the msg->req tlv len check in tipc_nl_compat_name_table_dump_headerfbb4e8e6dcnet: broadcom: Fix BCMGENET Kconfigcb6d639bb1net: stmmac: dwmac-meson8b: fix meson8b_devm_clk_prepare_enable()d68fa77ee3can: af_can: fix NULL pointer dereference in can_rx_register()a033b86c7fipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network02f8dfee75tcp: prohibit TCP_REPAIR_OPTIONS if data was already sentf3aa8a7d95drm/vc4: Fix missing platform_unregister_drivers() call in vc4_drm_register()bcb3bb1069hamradio: fix issue of dev reference count leakage in bpq_device_event()bc4591a86bnet: lapbether: fix issue of dev reference count leakage in lapbeth_device_event()2bf8b1c111KVM: s390: pv: don't allow userspace to set the clock under PVa60cc64db7KVM: s390x: fix SCK lockingfcbd2b3368capabilities: fix undefined behavior in bit shift for CAP_TO_MASK8aae24b0ednet: fman: Unregister ethernet device on removale2c5ee3b62bnxt_en: fix potentially incorrect return value for ndo_rx_flow_steer38147073c9bnxt_en: Fix possible crash in bnxt_hwrm_set_coal()3401f96402net: tun: Fix memory leaks of napi_get_fragsadaa0f180dmacsec: clear encryption keys from the stack after setting up offload9dc7503baemacsec: fix detection of RXSCs when toggling offloading7f4456f011macsec: fix secy->n_rx_sc accounting3b05d9073amacsec: delete new rxsc when offload fails50868de7dcnet: gso: fix panic on frag_list with mixed head alloc typescedd4f01f6bpf: Fix wrong reg type conversion in release_reference()9069db2579bpf: Add helper macro bpf_for_each_reg_in_vstate95b6ec7337bpf: Support for pointers beyond pkt_end.8597b59e3dHID: hyperv: fix possible memory leak in mousevsc_probe()8c80b2fca4bpftool: Fix NULL pointer dereference when pin {PROG, MAP, LINK} without FILEcc21dc48a7bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queuese1e1218032wifi: cfg80211: fix memory leak in query_regdb_file()914cb94e73wifi: cfg80211: silence a sparse RCU warning72ea2fc299phy: stm32: fix an error code in probe925bf1ba76hwspinlock: qcom: correct MMIO max register for newer SoCs76eba54f0dfuse: fix readdir cache race7bcea6c5c9ANDROID: gki_defconfig: remove CONFIG_INIT_STACK_ALL_ZERO=yd2bc3376cdRevert "serial: 8250: Fix restoring termios speed after suspend"0b500f5b16Merge 5.10.150 into android12-5.10-ltsf5b40c0eb9Linux 5.10.154bf506e366dipc: remove memcg accounting for sops objects in do_semtimedop()c6678c8f4fwifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()a6c57adec5drm/i915/sdvo: Setup DDC fully before output initb86830cc95drm/i915/sdvo: Filter out invalid outputs more sensibly9f3b867808drm/rockchip: dsi: Force synchronous probe23f1fc7ce5ext4,f2fs: fix readahead of verity datae5cef906cbKVM: x86: emulator: update the emulation mode after CR0 writece9261acccKVM: x86: emulator: introduce emulator_recalc_and_set_modec8a2fd7a71KVM: x86: emulator: em_sysexit should update ctxt->modee0c7410378KVM: x86: Mask off reserved bits in CPUID.80000001H9302ebc1c2KVM: x86: Mask off reserved bits in CPUID.80000008Hcc40c5f3e9KVM: x86: Mask off reserved bits in CPUID.8000001AHbd64a88f36KVM: x86: Mask off reserved bits in CPUID.80000006H156451a67bext4: fix BUG_ON() when directory entry has invalid rec_len5370b965b7ext4: fix warning in 'ext4_da_release_space'c9598cf629parisc: Avoid printing the hardware path twice98f836e80dparisc: Export iosapic_serial_irq() symbol for serial port driver814af9a32bparisc: Make 8250_gsc driver dependend on CONFIG_PARISC29d106d086perf/x86/intel: Add Cooper Lake stepping to isolation_ucodes[]98f6e7c337perf/x86/intel: Fix pebs event constraints for ICL3be2d66822efi: random: Use 'ACPI reclaim' memory for random seed83294f7c77efi: random: reduce seed size to 32 bytesf8e8cda869fuse: add file_modified() to fallocatecdf01c807ecapabilities: fix potential memleak on error path from vfs_getxattr_alloc()ff32d8a099tracing/histogram: Update document for KEYS_MAX size533bfacbactools/nolibc/string: Fix memcmp() implementationf100a02748kprobe: reverse kp->flags when arm_kprobe failedbef08acbe5tracing: kprobe: Fix memory leak in test_gen_kprobe/kretprobe_cmd()2bf33b5ea4tcp/udp: Make early_demux back namespacified.ea5f2fd464ftrace: Fix use-after-free for dynamic ftrace_ops06de93a47cbtrfs: fix type of parameter generation in btrfs_get_dentrye33ce54cefcoresight: cti: Fix hang in cti_disable_hw()015ac18be7binder: fix UAF of alloc->vma in race with munmap()836686e1a0memcg: enable accounting of ipc resourcese4e4b24b42mtd: rawnand: gpmi: Set WAIT_FOR_READY timeout based on program/erase times818c36b988tcp/udp: Fix memory leak in ipv6_renew_options().29997a6fa6fscrypt: fix keyring memory leak on mount failure391cceee6dfscrypt: stop using keyrings subsystem for fscrypt_master_key092401142bfscrypt: simplify master key locking54c13d3520ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devicesa0e2577cf3block, bfq: protect 'bfqd->queued' by 'bfqd->lock'26ca2ac091Bluetooth: L2CAP: Fix attempting to access uninitialized memory6b6f94fb9aBluetooth: L2CAP: Fix accepting connection request for invalid SPSMbfd5e62f9ai2c: piix4: Fix adapter not be removed in piix4_remove()fc3e2fa0a5arm64: dts: juno: Add thermal critical trip pointsb743ecf29cfirmware: arm_scmi: Make Rx chan_setup fail on memory errors29e8e9bfc2firmware: arm_scmi: Suppress the driver's bind attributesd7b1e2cbe0ARM: dts: imx6qdl-gw59{10,13}: fix user pushbutton GPIO offset160d8904b2efi/tpm: Pass correct address to memblock_reservec40b4d604bi2c: xiic: Add platform module alias5bf8c7798bdrm/amdgpu: set vm_update_mode=0 as default for Sienna Cichlid in SRIOV case496eb203d0HID: saitek: add madcatz variant of MMO7 mouse device IDff06067b70scsi: core: Restrict legal sdev_state transitions via sysfs9edf20e5a1ACPI: APEI: Fix integer overflow in ghes_estatus_pool_init()be6e22f546media: meson: vdec: fix possible refcount leak in vdec_probe()c5fd54a65cmedia: dvb-frontends/drxk: initialize err to 07fdc58d8c2media: cros-ec-cec: limit msg.len to CEC_MAX_MSG_SIZE1609231f86media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZEc46759e370media: rkisp1: Zero v4l2_subdev_format fields in when validating links3144ce5574media: rkisp1: Initialize color space on resizer sink and source pads6b24d9c2acs390/boot: add secure boot trailerefc6420d65xhci-pci: Set runtime PM as default policy on all xHC 1.2 or later devices37bb57908dmtd: parsers: bcm47xxpart: Fix halfblock reads85e458369cmtd: parsers: bcm47xxpart: print correct offset on read errorec54104febfbdev: stifb: Fall back to cfb_fillrect() on 32-bit HCRX cardsf8c86d7829video/fbdev/stifb: Implement the stifb_fillrect() functione975d7aecammc: sdhci-pci-core: Disable ES for ASUS BIOS on Jasper Lakeafeae13b8ammc: sdhci-pci: Avoid comma separated statementsa06721767cmmc: sdhci-esdhc-imx: Propagate ESDHC_FLAG_HS400* only on 8bit bus59400c9b0ddrm/msm/hdmi: fix IRQ lifetime8225bdaec5drm/msm/hdmi: Remove spurious IRQF_ONESHOT flag5dbb47ee89ipv6: fix WARNING in ip6_route_net_exit_late()1c89642e7fnet, neigh: Fix null-ptr-deref in neigh_table_clear()634f066d02net: mdio: fix undefined behavior in bit shift for __mdiobus_registerd9ec6e2fbdBluetooth: L2CAP: fix use-after-free in l2cap_conn_del()cb1c012099Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu0a0dead4adbtrfs: fix ulist leaks in error paths of qgroup self tests61e0612811btrfs: fix inode list leak during backref walking at find_parent_nodes()a52e24c7fcbtrfs: fix inode list leak during backref walking at resolve_indirect_refs()81204283eaisdn: mISDN: netjet: fix wrong check of device registratione77d213843mISDN: fix possible memory leak in mISDN_register_device()f06186e527rose: Fix NULL pointer dereference in rose_send_frame()2c8d81bdb2ipvs: fix WARNING in ip_vs_app_net_cleanup()931f56d59cipvs: fix WARNING in __ip_vs_cleanup_batch()d69328cdb9ipvs: use explicitly signed charsb2d7a92affnetfilter: nf_tables: release flow rule object from commit path3583826b44net: tun: fix bugs for oversize packet when napi frags enabled5960b9081bnet: sched: Fix use after free in red_enqueue()24f9c41435ata: pata_legacy: fix pdc20230_set_piomode()c85ee1c3cbnet: fec: fix improper use of NETDEV_TX_BUSY52438e734cnfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send()0acfcd2aednfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send()9ae2c9a91fnfc: nxp-nci: Fix potential memory leak in nxp_nci_send()eecea068bfNFC: nxp-nci: remove unnecessary labelse8c11ee2d0nfc: fdp: Fix potential memory leak in fdp_nci_send()31b83d6990nfc: fdp: drop ftrace-like debugging messages4e1e4485b2RDMA/qedr: clean up work queue on failure in qedr_alloc_resources()d360e875c0RDMA/core: Fix null-ptr-deref in ib_core_cleanup()37a098fc9bnet: dsa: Fix possible memory leaks in dsa_loop_init()45aea4fbf6nfs4: Fix kmemleak when allocate slot failedf0f1c74fa6NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot10c554d722NFSv4.1: Handle RECLAIM_COMPLETE trunking errors4813dd737dNFSv4: Fix a potential state reclaim deadlock7c4260f8f1IB/hfi1: Correctly move list in sc_disable()87ac93c8ddRDMA/cma: Use output interface for net_dev check4dbb739eb2KVM: x86: Add compat handler for KVM_X86_SET_MSR_FILTERbb584caee8KVM: x86: Copy filter arg outside kvm_vm_ioctl_set_msr_filter()9faacf442dKVM: x86: Protect the unused bits in MSR exiting flags5bdbccc79cx86/topology: Fix duplicated core ID within a package6c31fc028ax86/topology: Fix multiple packages shown on a single-package systemf5ad52da14x86/topology: Set cpu_die_id only if DIE_TYPE found570fa3bcd2KVM: x86: Treat #DBs from the emulator as fault-like (code and DR7.GD=1)e5d7c6786bKVM: x86: Trace re-injected exceptions8364786152KVM: nVMX: Don't propagate vmcs12's PERF_GLOBAL_CTRL settings to vmcs02523e1dd9f8KVM: nVMX: Pull KVM L0's desired controls directly from vmcs01028fcabd8aserial: ar933x: Deassert Transmit Enable on ->rs485_config()e6da7808c9serial: 8250: Let drivers request full 16550A feature probing95aa34f721Linux 5.10.15326a2b9c468serial: Deassert Transmit Enable on probe in driver-specific way4a230f65d6serial: core: move RS485 configuration tasks from drivers into coreeb69c07ecacan: rcar_canfd: rcar_canfd_handle_global_receive(): fix IRQ storm on global FIFO received5924531ddarm64/kexec: Test page size support with new TGRAN range valuesc911f03f8darm64/mm: Fix __enable_mmu() for new TGRAN range valuesd523384766scsi: sd: Revert "scsi: sd: Remove a local variable"52a43b8200arm64: Add AMPERE1 to the Spectre-BHB affected list9889ca7efanet: enetc: survive memory pressure without crashingfdba224ab0net/mlx5: Fix crash during sync firmware resetbbcc06933fnet/mlx5: Fix possible use-after-free in async command interface16376ba5cfnet/mlx5e: Do not increment ESN when updating IPsec ESN state0d88359092nh: fix scope used to find saddr when adding non gw nh3519b5ddacnet: ehea: fix possible memory leak in ehea_register_port()79631daa5aopenvswitch: switch from WARN to pr_warn00d6f33f67ALSA: aoa: Fix I2S device accountingce6fd1c382ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()97262705c0net: fec: limit register access on i.MX6ULdf67a8e625PM: domains: Fix handling of unavailable/disabled idle states1f262d8088net: ksz884x: fix missing pci_disable_device() on error in pcidev_init()6170b4579fi40e: Fix flow-type by setting GL_HASH_INSET registers9abae363afi40e: Fix VF hang when reset is triggered on another VF23d5599058i40e: Fix ethtool rx-flow-hash setting for X72244affe7edeipv6: ensure sane device mtu in tunnels905f05c0abmedia: vivid: set num_in/outputs to 0 if not supportedb6c7446d0amedia: videodev2.h: V4L2_DV_BT_BLANKING_HEIGHT should check 'interlaced'683015ae16media: v4l2-dv-timings: add sanity checks for blanking values147b8f1892media: vivid: dev->bitmap_cap wasn't freed in all cases1cf51d5158media: vivid: s_fbuf: add more sanity checks3221c2701dPM: hibernate: Allow hybrid sleep to work with s2idle0eb19ecbd0can: mcp251x: mcp251x_can_probe(): add missing unregister_candev() in error path6b2d07fc0bcan: mscan: mpc5xxx: mpc5xxx_can_probe(): add missing put_clock() in error path1634d5d39ctcp: fix indefinite deferral of RTO with SACK reneging4f23cb2be5tcp: fix a signed-integer-overflow bug in tcp_add_backlog()49713d7c38tcp: minor optimization in tcp_add_backlog()aab883bd60net: lantiq_etop: don't free skb when returning NETDEV_TX_BUSYc3edc6e808net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failede2a28807b1kcm: annotate data-races around kcm->rx_waitc325f92d8dkcm: annotate data-races around kcm->rx_psockaf7879529eatlantic: fix deadlock at aq_nic_stopd7ccd49c4damd-xgbe: add the bit rate quirk for Molex cables17350734fdamd-xgbe: fix the SFP compliance codes check for DAC cablesb55d6ea965x86/unwind/orc: Fix unreliable stack dump with gcov0ce1ef3353net: hinic: fix the issue of double release MBOX callback of VF6603843c80net: hinic: fix the issue of CMDQ memory leaksbb01910763net: hinic: fix memory leak when reading function tablece605b68dbnet: hinic: fix incorrect assignment issue in hinic_set_interrupt_cfg()62f0a08e82net: netsec: fix error handling in netsec_register_mdio()32a3d4660btipc: fix a null-ptr-deref in tipc_topsrv_acceptfb94152aaeperf/x86/intel/lbr: Use setup_clear_cpu_cap() instead of clear_cpu_cap()bfce730886ALSA: ac97: fix possible memory leak in snd_ac97_dev_register()2663b16c76ASoC: qcom: lpass-cpu: Mark HDMI TX parity register as volatilea527557299arc: iounmap() arg is volatile648ac633e7ASoC: qcom: lpass-cpu: mark HDMI TX registers as volatile6571f6ca8adrm/msm: Fix return type of mdp4_lvds_connector_mode_valid4953a989b7media: v4l2: Fix v4l2_i2c_subdev_set_name function documentation9d00384270net: ieee802154: fix error return code in dgram_bind()568e3812b1mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages935a8b6202mm/memory: add non-anonymous page check in the copy_present_page()49db6cb814xen/gntdev: Prevent leaking grantsa3f2cc11d6Xen/gntdev: don't ignore kernel unmapping error467230b9efs390/pci: add missing EX_TABLE entries to __pcistg_mio_inuser()/__pcilg_mio_inuser()fe187c801as390/futex: add missing EX_TABLE entry to __futex_atomic_op()449070996cperf auxtrace: Fix address filter symbol name match for modules6f72a3977bkernfs: fix use-after-free in __kernfs_remove0bcd1ab3e8counter: microchip-tcb-capture: Handle Signal1 read and Synapse8bf037279bmmc: core: Fix kernel panic when remove non-standard SDIO card5684808b26mmc: sdhci_am654: 'select', not 'depends' REGMAP_MMIOb686ffc0acdrm/msm/dp: fix IRQ lifetime08c7375fa2drm/msm/hdmi: fix memory corruption with too many bridges21c4679af0drm/msm/dsi: fix memory corruption with too many bridges44a86d96fascsi: qla2xxx: Use transport-defined speed mask for supported_speedsc368f751damac802154: Fix LQI recording9ba2990f4eexec: Copy oldsighand->action under spin-lock7062153004fs/binfmt_elf: Fix memory leak in load_elf_binary()d9ddfeb01ffbdev: smscufx: Fix several use-after-free bugsf19f1a75d3iio: temperature: ltc2983: allocate iio channels onceaf236da855iio: light: tsl2583: Fix module unloading90ff5bef2btools: iio: iio_utils: fix digit calculation678d2cc204xhci: Remove device endpoints from bandwidth list when freeing the device3b250824b6xhci: Add quirk to reset host back to default state at shutdown63c7df3c81mtd: rawnand: marvell: Use correct logic for nand-keep-config228101fc83usb: xhci: add XHCI_SPURIOUS_SUCCESS to ASM1042 despite being a V0.96 controller2bc4f99ee2usb: bdc: change state when port disconnectede440957f9cusb: dwc3: gadget: Don't set IMI for no_interruptfb074d622cusb: dwc3: gadget: Stop processing more requests on IMIc29fcef579USB: add RESET_RESUME quirk for NVIDIA Jetson devices in RCM4cc7a360ecALSA: rme9652: use explicitly signed char8959092300ALSA: au88x0: use explicitly signed char2bf5b16315ALSA: Use del_timer_sync() before freeing timerca1034bff8can: kvaser_usb: Fix possible completions during init_completion370be31cdecan: j1939: transport: j1939_session_skb_drop_old(): spin_unlock_irqrestore() before kfree_skb()7d51b4c67cLinux 5.10.15243d5109296udp: Update reuse->has_conns under reuseport_lock.a50ed2d287mm: /proc/pid/smaps_rollup: fix no vma's null-deref31b1570677blk-wbt: fix that 'rwb->wc' is always set to 1 in wbt_init()e2f9b62eadmmc: core: Add SD card quirk for broken discard3a260e9844Makefile.debug: re-enable debug info for .S files6ab2287b26x86/Kconfig: Drop check for -mabi=ms for CONFIG_EFI_STUB67dafece56ACPI: video: Force backlight native for more TongFang devicesdcaf631320hv_netvsc: Fix race between VF offering and VF association message from hostda54c5f4b5perf/x86/intel/pt: Relax address filter validation79c3482fberiscv: topology: fix default topology reportinga6e770733darm64: topology: move store_cpu_topology() to shared codecb1024d8a4arm64: dts: qcom: sc7180-trogdor: Fixup modem memory regionf687e2111bfcntl: fix potential deadlocks for &fown_struct.lockb1efc19644fcntl: make F_GETOWN(EX) return 0 on dead owner taskca4c498382perf: Skip and warn on unknown format 'configN' attrsdea47fefa6perf pmu: Validate raw event with sysfs exported format bits86e995f964riscv: always honor the CONFIG_CMDLINE_FORCE when parsing dtb0e4c06ae7criscv: Add machine name to kernel boot log and stack dump output7fba4a389dmmc: sdhci-tegra: Use actual clock rate for SW tuning correction3c6a888e35xen/gntdev: Accommodate VMA splitting5232411f37xen: assume XENFEAT_gnttab_map_avail_bits being set for pv guestsea82edad0atracing: Do not free snapshot if tracer is on cmdlinebd6af07e79tracing: Simplify conditional compilation code in tracing_set_tracer()4e3a15ca24dmaengine: mxs: use platform_driver_register1da5d24970dmaengine: mxs-dma: Remove the unused .id_table1414e9bf3cdrm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb()d74196bb27iommu/vt-d: Clean up si_domain in the init_dmars() error pathef11e8ec00iommu/vt-d: Allow NVS regions in arch_rmrr_sanity_check()35c92435benet: phy: dp83822: disable MDI crossover status change interrupt7aa3d623c1net: sched: fix race condition in qdisc_graft()2974f3b330net: hns: fix possible memory leak in hnae_ae_register()3032e316e0sfc: include vport_id in filter spec hash and equal()ded86c4191net: sched: sfb: fix null pointer access issue when sfb_init() fails305aa36b62net: sched: delete duplicate cleanup of backlog and qlenae48bee283net: sched: cake: fix null pointer access issue when cake_init() fails2008ad08a2nvme-hwmon: kmalloc the NVME SMART log buffer770b7e3a2cnvme-hwmon: consistently ignore errors from nvme_hwmon_init67106ac272nvme-hwmon: Return error code when registration failsbc17f727b0nvme-hwmon: rework to avoid devm allocation191d71c635ionic: catch NULL pointer issue on reconfigff7ba76675net: hsr: avoid possible NULL deref in skb_clone()7286f87551cifs: Fix xid leak in cifs_ses_add_channel()2d08311aa3cifs: Fix xid leak in cifs_flock()bf49d4fe4acifs: Fix xid leak in cifs_copy_file_range()05cc22c008net: phy: dp83867: Extend RX strap quirk for SGMII mode118f412bednet/atm: fix proc_mpc_write incorrect return valuec8310a99e7sfc: Change VF mac via PF as first preference if available.39d10f0dfbHID: magicmouse: Do not set BTN_MOUSE on double reported5baf3d0ai40e: Fix DMA mappings leake558e14893tipc: fix an information leak in tipc_topsrv_kern_subscr1f4ed95ce6tipc: Fix recognition of trial periodfc8c6b8bb2ACPI: extlog: Handle multiple records57e157749abtrfs: fix processing of delayed tree block refs during backref walking590929ef69btrfs: fix processing of delayed data refs during backref walkingcc841a8a70r8152: add PID for the Lenovo OneLink+ Dock51b96ecaedarm64: errata: Remove AES hwcap for COMPAT tasks910ba49b33blk-wbt: call rq_qos_add() after wb_normal is initialized392536023dblock: wbt: Remove unnecessary invoking of wbt_update_limits in wbt_initab6aaa8210media: venus: dec: Handle the case where find_format failsbce5808fc9media: mceusb: set timeout to at least timeout provided6d725672ceKVM: arm64: vgic: Fix exit condition in scan_its_table()34db701dc6kvm: Add support for arch compat vm ioctlse55feb31dfcpufreq: qcom: fix memory leak in error path303d0f7614ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS6a2aadcb01ata: ahci-imx: Fix MODULE_ALIASd9f0159da0hwmon/coretemp: Handle large core ID value0fb04676c4x86/microcode/AMD: Apply the patch early on every logical thread6dcf1f0802i2c: qcom-cci: Fix ordering of pm_runtime_xx and i2c_add_adapter794ded0bc4cpufreq: qcom: fix writes in read-only memory region2723875e9dselinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()0d65f040fdocfs2: fix BUG when iput after ocfs2_mknod failsb838dcfda1ocfs2: clear dinode links count in case of errorc34d1b22feLinux 5.10.151ecad331211kbuild: Add skip_encoding_btf_enum64 option to paholec5006abb80kbuild: Unify options for BTF generation for vmlinux and modulesf5f413cb3ekbuild: skip per-CPU BTF generation for pahole v1.18-v1.2106481cd9f7kbuild: Quote OBJCOPY var to avoid a pahole call break the buildbbaea0f1cdbpf: Generate BTF_KIND_FLOAT when linking vmlinuxa10a57a224Linux 5.10.150243c8f42baRevert "drm/amdgpu: make sure to init common IP before gmc"8026d58b49gcov: support GCC 12.1 and newer compilerscbf2c43b36f2fs: fix wrong condition to trigger background checkpoint correctly7b19858803thermal: intel_powerclamp: Use first online CPU as control_cpuf039b43cbainet: fully convert sk->sk_rx_dst to RCU rules67de22cb0bext4: continue to expand file system when the target size doesn't reach357db159e9Revert "drm/amdgpu: use dirty framebuffer helper"98ab15bfdcRevert "drm/amdgpu: move nbio sdma_doorbell_range() into sdma code for vega"791489a5c5net/ieee802154: don't warn zero-sized raw_sendmsg()a96336a5f2Revert "net/ieee802154: reject zero-sized raw_sendmsg()"dc54ff9fc4net: ieee802154: return -EINVAL for unknown addr type45c3396675mm: hugetlb: fix UAF in hugetlb_handle_userfaultc378c479c5io_uring/af_unix: defer registered files gc to io_uring release67cbc8865aio_uring: correct pinned_vm accounting904f881b57arm64: topology: fix possible overflow in amu_fie_setup()b5dc2f2578perf intel-pt: Fix segfault in intel_pt_print_info() with uClibc9b4e849777clk: bcm2835: Make peripheral PLLC criticalb8bbae3236usb: idmouse: fix an uninit-value in idmouse_opend5bb45f47bnvmet-tcp: add bounds check on Transfer Tagb79da0080dnvme: copy firmware_rev on each inite6cc39db24staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()3a5a34ed9dRevert "usb: storage: Add quirk for Samsung Fit flash"acf0006f2busb: musb: Fix musb_gadget.c rxstate overflow bug91271a3e77usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()782b3e71c9md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5ddbcca76435HID: roccat: Fix use-after-free in roccat_read()f00c049edesoundwire: intel: fix error handling on dai registration issuesf04a673d4asoundwire: cadence: Don't overwrite msg->buf during write commandsc263516c2cbcache: fix set_at_max_writeback_rate() for multiple attached devicesfcad2ac863ata: libahci_platform: Sanity check the DT child nodes number19c010ae44blk-throttle: prevent overflow while calculating wait time1b3cebeca9staging: vt6655: fix potential memory leak89f305a714power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()b2700f98b3nbd: Fix hung when signal interrupts nbd_start_device_ioctl()5942e5c63dscsi: 3w-9xxx: Avoid disabling device if failing to enable it48727117bdusb: host: xhci-plat: suspend/resume clks for brcmc13d0d2f5ausb: host: xhci-plat: suspend and resume clocks12d31182declk: zynqmp: pll: rectify rate rounding in zynqmp_pll_round_ratec2257c8a50media: cx88: Fix a null-ptr-deref bug in buffer_prepare()d9e2585c3bclk: zynqmp: Fix stack-out-of-bounds in strncpy`70f8b48d0bbtrfs: scrub: try to fix super block errors8f554dd23carm64: dts: imx8mq-librem5: Add bq25895 as max17055's power supply451ce2521ckselftest/arm64: Fix validatation termination record after EXTRA_CONTEXT017cabfb3fARM: dts: imx6sx: add missing properties for sram9d3ca48722ARM: dts: imx6sll: add missing properties for sram9735f2b62bARM: dts: imx6sl: add missing properties for sram2829b6ad30ARM: dts: imx6qp: add missing properties for sram0c3a0b3d5eARM: dts: imx6dl: add missing properties for sram2763a3b43aARM: dts: imx6q: add missing properties for sram82e0d91484ARM: dts: imx7d-sdb: config the max pressure for tsc2046166feb964fdrm/amd/display: Remove interface for periodic interrupt 11bb6f4a8dbdrm/dp: Don't rewrite link config when setting phy test patternbb91c06b0bmmc: sdhci-msm: add compatible string check for sdm6708a427a2283drm/meson: explicitly remove aggregate driver at module unload time1c7d957c5ddrm/amdgpu: fix initial connector audio value69130888b2ASoC: SOF: pci: Change DMI match info to support all Chrome platforms54f2585e2dplatform/x86: msi-laptop: Change DMI match / alias strings to fix module autoloadinga9d6a7c9b6platform/chrome: cros_ec: Notify the PM of wake events during resumee29d20deafdrm: panel-orientation-quirks: Add quirk for Anbernic Win600bfdb391d57drm/vc4: vec: Fix timings for VEC modesb70f8abc1adrm: bridge: dw_hdmi: only trigger hotplug event on link changebbe2f6f903udmabuf: Set ubuf->sg = NULL if the creation of sg table fails0a4fddc95cdrm/amd/display: fix overflow on MIN_I64 definition3959e8faf8gpu: lontium-lt9611: Fix NULL pointer dereference in lt9611_connector_init()c28a8082b2drm: Prevent drm_copy_field() to attempt copying a NULL pointere7d7018003drm: Use size_t type for len variable in drm_copy_field()3339a51bcddrm/nouveau/nouveau_bo: fix potential memory leak in nouveau_bo_alloc()484400d433r8152: Rate limit overflow messages0c108cf3adBluetooth: L2CAP: Fix user-after-free65029aaeddnet: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory4851303c85wifi: rt2x00: correctly set BBP register 86 for MT7620a016144479wifi: rt2x00: set SoC wmac clock register5aa0461d11wifi: rt2x00: set VGC gain for both chains of MT76208d9c00979awifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT762027ed98e8a9wifi: rt2x00: don't run Rt5592 IQ calibration on MT76203d67986e72can: bcm: check the result of can_send() in bcm_can_tx()7b674dce41Bluetooth: hci_sysfs: Fix attempting to call device_add multiple timese25ca9af8aBluetooth: L2CAP: initialize delayed works at l2cap_chan_create()b051d9bf98regulator: core: Prevent integer underflowe01d96494awifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()be81c44242xfrm: Update ipcomp_scratches with NULL when freed9661724f62wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()0958e487e8tcp: annotate data-race around tcp_md5sig_pool_populated129ca0db95openvswitch: Fix overreporting of drops in dropwatch4398e8a7fdopenvswitch: Fix double reporting of drops in dropwatche3c9b94734bpftool: Clear errno after libcap's checks50e45034c5wifi: brcmfmac: fix invalid address access when enabling SCAN log levelbbacfcde5fNFSD: fix use-after-free on source server when doing inter-server copy3de402a524NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data1f730d4ae6x86/entry: Work around Clang __bdos() bug513943bf87thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash708b9abe1bpowercap: intel_rapl: fix UBSAN shift-out-of-bounds issueb434edb0e9MIPS: BCM47XX: Cast memcmp() of function to (void *)6c61a37ea7ACPI: video: Add Toshiba Satellite/Portege Z830 quirk0dd025483frcu-tasks: Convert RCU_LOCKDEP_WARN() to WARN_ONCE()36d4ffbedfrcu: Back off upon fill_page_cache_func() allocation failure278d8ba2b2selftest: tpm2: Add Client.__del__() to close /dev/tpm* handleb60aa21e2ff2fs: fix to account FS_CP_DATA_IO correctly0b8230d44cf2fs: fix to avoid REQ_TIME and CP_TIME collisionecbd95958cf2fs: fix race condition on setting FI_NO_EXTENT flag110146ce8fACPI: APEI: do not add task_work to kernel thread to avoid memory leakdce07e87eethermal/drivers/qcom/tsens-v0_1: Fix MSM8939 fourth sensor hw_id3a720eb890crypto: cavium - prevent integer overflow loading firmware7bfa7d6773crypto: marvell/octeontx - prevent integer overflowscdd42eb468kbuild: rpm-pkg: fix breakage when V=1 is used6d1aef17e7kbuild: remove the target in signal traps when interrupted8d76dd5080tracing: kprobe: Make gen test module work in arm and riscvc6512a6f0ctracing: kprobe: Fix kprobe event gen test module on exit9e6ba62d41iommu/iova: Fix module config properly426d5bc089crypto: qat - fix DMA transfer directiona43babc059crypto: qat - use pre-allocated buffers in datapatha91af50850crypto: qat - fix use of 'dma_map_single'8a4ed09ed8crypto: inside-secure - Change swab to swab32d33935e666crypto: ccp - Release dma channels before dmaengine unrgistera1354bdd19crypto: akcipher - default implementation for setting a private key2fee0dbfaeiommu/omap: Fix buffer overflow in debugfscfde58a8e4cgroup/cpuset: Enable update_tasks_cpumask() on top_cpusetab2485eb5dhwrng: imx-rngc - Moving IRQ handler registering after imx_rngc_irq_mask_clear()d88b88514ecrypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr25f1342473crypto: sahara - don't sleep when in softirq2d285164fbpowerpc: Fix SPE Power ISA properties for e500v1 platforms2bde4e1e4fpowerpc/64s: Fix GENERIC_CPU build flags for PPC970 / G57ae8bed908x86/hyperv: Fix 'struct hv_enlightened_vmcs' definition6315998170powerpc/powernv: add missing of_node_put() in opal_export_attrs()434db6d17bpowerpc/pci_dn: Add missing of_node_put()718e2d8023powerpc/sysdev/fsl_msi: Add missing of_node_put()592d283a65powerpc/math_emu/efp: Include module.h44c26ceffamailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sgb1616599c9clk: ast2600: BCLK comes from EPLL6d01017247clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe9b65fd6513clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration9a6087a438clk: baikal-t1: Add SATA internal ref clock buffer5f143f3bc2clk: baikal-t1: Add shared xGMAC ref/ptp clocks internal parent823fd52391clk: baikal-t1: Fix invalid xGMAC PTP clock divider2f19a1050eclk: vc5: Fix 5P49V6901 outputs disabling when enabling FOD92f52770a7spmi: pmic-arb: correct duplicate APID to PPID mapping logica01c0c1600dmaengine: ioat: stop mod_timer from resurrecting deleted timer in __cleanup()1dd5148445clk: mediatek: mt8183: mfgcfg: Propagate rate changes to parent6e58f2469emfd: sm501: Add check for platform_driver_register()3469dd8e22mfd: fsl-imx25: Fix check for platform_get_irq() errorsb425e03c96mfd: lp8788: Fix an error handling path in lp8788_irq_init() and lp8788_irq_init()f7b4388636mfd: lp8788: Fix an error handling path in lp8788_probe()08d4051803mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq()28868b940bmfd: intel_soc_pmic: Fix an error handling path in intel_soc_pmic_i2c_probe()382a5fc49efsi: core: Check error number after calling ida_simple_geted8e6011b9clk: qcom: apss-ipq6018: mark apcs_alias0_core_clk as critical884a788f06scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()a9e5176eadscsi: libsas: Fix use-after-free bug in smp_execute_task_sg()8f740c11d8serial: 8250: Fix restoring termios speed after suspendab5a3e7144firmware: google: Test spinlock on panic path to avoid lockups95ac62e854staging: vt6655: fix some erroneous memory clean-up loops878f987166phy: qualcomm: call clk_disable_unprepare in the error handling9a56ade124tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown572fb97fceserial: 8250: Toggle IER bits on only after irq has been set up3fbfa5e3ccserial: 8250: Add an empty line and remove some useless {}71ffe5111fdrivers: serial: jsm: fix some leaks in probe7efdd91d54usb: gadget: function: fix dangling pnp_string in f_printer.ccc952e3bf6xhci: Don't show warning for reinit on known broken suspenddac769dd7dIB: Set IOVA/LENGTH on IB_MR in core/uverbs layers360386e11cRDMA/cm: Use SLID in the work completion as the DLID in responder sidea1263294b5md/raid5: Ensure stripe_fill happens on non-read IO with journal76694e9ce0md: Replace snprintf with scnprintf7bd5f3b4a8mtd: rawnand: meson: fix bit map use in meson_nfc_ecc_correct()f5325f3202ata: fix ata_id_has_dipm()f5a6fa1877ata: fix ata_id_has_ncq_autosense()3c34a91c8aata: fix ata_id_has_devslp()fc61a0c820ata: fix ata_id_sense_reporting_enabled() and ata_id_has_sense_reporting()e3917c85f4RDMA/siw: Always consume all skbuf data in sk_data_ready() upcall.3a9d7d8dcfmtd: rawnand: fsl_elbc: Fix none ECC modef87f720811mtd: devices: docg3: check the return value of devm_ioremap() in the probed06cc0e11ddyndbg: drop EXPORTed dynamic_debug_exec_queries1d65985589dyndbg: let query-modname override actual module namec0e206da44dyndbg: fix module.dyndbg handling5047bd3bd7dyndbg: fix static_branch manipulationaf12e209a9dmaengine: hisilicon: Add multi-thread support for a DMA channeld3fd838536dmaengine: hisilicon: Fix CQ head updated5065ca461dmaengine: hisilicon: Disable channels when unregister hisi_dmaf59861946ffpga: prevent integer overflow in dfl_feature_ioctl_set_irq()7ba19a60c7misc: ocxl: fix possible refcount leak in afu_ioctl()cf3bb86eddRDMA/rxe: Fix the error caused by qp->skcdce36a88dRDMA/rxe: Fix "kernel NULL pointer dereference" error2630cc8832media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init40aa0999a3media: meson: vdec: add missing clk_disable_unprepare on error in vdec_hevc_start()551b87976atty: xilinx_uartps: Fix the ignore_status28cdf6c6fbmedia: exynos4-is: fimc-is: Add of_node_put() when breaking out of loop1f683bff1aHSI: omap_ssi_port: Fix dma_map_sg error check962f22e7f7HSI: omap_ssi: Fix refcount leak in ssi_probe70f0a0a27dclk: tegra20: Fix refcount leak in tegra20_clock_initc01bfd23ccclk: tegra: Fix refcount leak in tegra114_clock_initf487137a53clk: tegra: Fix refcount leak in tegra210_clock_init59e90c4d98clk: sprd: Hold reference returned by of_get_parent()57141b1dd6clk: berlin: Add of_node_put() for of_get_parent()dc190b46c6clk: qoriq: Hold reference returned by of_get_parent()baadc6f58fclk: oxnas: Hold reference returned by of_get_parent()b95f4f9054clk: meson: Hold reference returned by of_get_parent()beec2f0255usb: common: debug: Check non-standard control requests9d965a22f6usb: common: move function's kerneldoc next to its definition20b63631a3usb: common: add function to get interval expressed in us unitc1ef8c66a3usb: common: Parse for USB SSP genXxYffffb159e1usb: ch9: Add USB 3.2 SSP attributesaa7aada4b7iio: ABI: Fix wrong format of differential capacitance channel ABI.b9a0526cd0iio: inkern: only release the device node when done with it44ec4b04fciio: adc: at91-sama5d2_adc: disable/prepare buffer on suspend/resume513c72d76diio: adc: at91-sama5d2_adc: lock around oversampling and sample freqd259b90f0ciio: adc: at91-sama5d2_adc: check return status for pressure and touchbc2b97e177iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX5b9bb0cbd9ARM: dts: exynos: fix polarity of VBUS GPIO of Origen657de36c72arm64: ftrace: fix module PLTs with mcount40e966a404ARM: Drop CMDLINE_* dependency on ATAGS477dbf9d1bARM: dts: exynos: correct s5k6a3 reset polarity on Midas family5bbd3dd7f9soc/tegra: fuse: Drop Kconfig dependency on TEGRA20_APB_DMA09c35f1520ia64: export memory_add_physaddr_to_nid to fix cxl build errore31c0e14cfARM: dts: kirkwood: lsxl: remove first ethernet portdf4f05b356ARM: dts: kirkwood: lsxl: fix serial line43faaedf3aARM: dts: turris-omnia: Fix mpp26 pin name and commentd5c2051898soc: qcom: smem_state: Add refcounting for the 'state->of_node'39781c98adsoc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()1d312c12c9memory: of: Fix refcount leak bug in of_lpddr3_get_ddr_timings()daaec4b3fememory: of: Fix refcount leak bug in of_get_ddr_timings()fde46754d5memory: pl353-smc: Fix refcount leak bug in pl353_smc_probe()2c442b0c06ALSA: hda/hdmi: Don't skip notification handling during PM operationf182de42d7ASoC: mt6660: Fix PM disable depth imbalance in mt6660_i2c_probe37e3e01c9aASoC: wm5102: Fix PM disable depth imbalance in wm5102_probefb23569699ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probec1b269dda1ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe71704c2e1bmmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe()c940636d9cALSA: dmaengine: increment buffer pointer atomically4993c1511dASoC: da7219: Fix an error handling path in da7219_register_dai_clks()ef59819976drm/msm/dp: correct 1.62G link rate at dp_catalog_ctrl_config_msa()598d8f7d86drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idxa9a60d6405ASoC: eureka-tlv320: Hold reference returned from of_find_xxx APIad0b8ed172mmc: au1xmmc: Fix an error handling path in au1xmmc_probe()1f340e1c1cdrm/omap: dss: Fix refcount leak bugscbe37857ddALSA: hda: beep: Simplify keep-power-at-enable behaviorf0fb0817ebASoC: rsnd: Add check for rsnd_mod_power_on877e92e9b1drm/bridge: megachips: Fix a null pointer dereference bugc577b4e972drm: fix drm_mipi_dbi build errors804d8e59f3platform/x86: msi-laptop: Fix resource cleanupc21c08fab7platform/x86: msi-laptop: Fix old-ec check for backlight registeringb77755f58eASoC: tas2764: Fix mute/unmute2e6b64df54ASoC: tas2764: Drop conflicting set_bias_level power settingc2c6022e10ASoC: tas2764: Allow mono streams868fc93b61platform/chrome: fix memory corruption in ioctl84da5cdf43platform/chrome: fix double-free in chromeos_laptop_prepare()5e25bfcd12drm:pl111: Add of_node_put() when breaking out of for_each_available_child_of_node()ad06d6bed5drm/dp_mst: fix drm_dp_dpcd_read return value checks3f5889fd65drm/bridge: parade-ps8640: Fix regulator supply order45120fa5e5drm/mipi-dsi: Detach devices when removing the host050b650507drm/bridge: Avoid uninitialized variable warning7839f2b349drm: bridge: adv7511: fix CEC power down control register offset29f50bcf0fnet: mvpp2: fix mvpp2 debugfs leak6cb54f2162once: add DO_ONCE_SLOW() for sleepable contexts67cb80a9d2net/ieee802154: reject zero-sized raw_sendmsg()6cc0e2afc6bnx2x: fix potential memory leak in bnx2x_tpa_stop()da349221c4net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()d9e25dc053spi: Ensure that sg_table won't be used after being freed96a3ddb870tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limitedf65955340esctp: handle the error returned from sctp_auth_asoc_init_active_key2a1d036320mISDN: fix use-after-free bugs in l1oip timer handlersb4a5905fd2vhost/vsock: Use kvmalloc/kvfree for larger packets.d2b5dc3a53wifi: rtl8xxxu: Fix AIFS written to REG_EDCA_*_PARAM17196f2f98spi: s3c64xx: Fix large transfers with DMAb284e1fe15netfilter: nft_fib: Fix for rpath check with VRF devicesb384e8fb16Bluetooth: hci_core: Fix not handling link timeouts propertly129f01116bi2c: mlxbf: support lock mechanism534909fe3cspi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe9da61e7b59spi: dw: Fix PM disable depth imbalance in dw_spi_bt1_probe1ef5798638x86/cpu: Include the header of init_ia32_feat_ctl()'s prototype6ed7b05a35x86/microcode/AMD: Track patch allocation size explicitly07299e52e5wifi: ath11k: fix number of VHT beamformee spatial streamsd7cc0d51ffBluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failureed403bcd97bpf: Ensure correct locking around vulnerable function find_vpid()2a1c29dc9bnet: fs_enet: Fix wrong check in do_pd_setup795954d751wifi: rtl8xxxu: Remove copy-paste leftover in gen2_update_rate_mask226e6f2412wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration0a60ac7a0dbpf: btf: fix truncated last_member_type_id in btf_struct_resolve8398a45d3dspi: meson-spicc: do not rely on busy flag in pow2 clk ops351cf55595wifi: rtl8xxxu: Fix skb misuse in TX queue selection1e91179057spi: qup: add missing clk_disable_unprepare on error in spi_qup_pm_resume_runtime()7b83d11d48spi: qup: add missing clk_disable_unprepare on error in spi_qup_resume()5576008305selftests/xsk: Avoid use-after-free on ctxc823df0679wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()ea1b6b5409Bluetooth: btusb: mediatek: fix WMT failure during runtime suspend07194ccbb1Bluetooth: btusb: fix excessive stack usagecdadf95435Bluetooth: btusb: Fine-tune mt7663 mechanism.294395caacx86/resctrl: Fix to restore to original value when re-enabling hardware prefetch register029a1de92cspi: mt7621: Fix an error message in mt7621_spi_probe()2afb93e4e4bpftool: Fix a wrong type cast in btf_dumper_int61905bbb61wifi: mac80211: allow bw change during channel switch in mesh7565207066leds: lm3601x: Don't use mutex after it was destroyed08faf07717wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()e060c4b9f3nfsd: Fix a memory leak in an error handling path730191a098objtool: Preserve special st_shndx indexes in elf_update_symbol84837738d4ARM: 9247/1: mm: set readonly for MT_MEMORY_RO with ARM_LPAEf1d6edeaa8ARM: 9244/1: dump: Fix wrong pg_level in walk_pmd()da2aecef86MIPS: SGI-IP27: Fix platform-device leak in bridge_platform_create()0c667858c0MIPS: SGI-IP27: Free some unused memory3598445698sh: machvec: Use char[] for section boundaries6e4be747f1userfaultfd: open userfaultfds with O_RDONLY28d9b39733selinux: use "grep -E" instead of "egrep"d11e09953csmb3: must initialize two ACL struct fields to zeroabd13b2100drm/i915: Fix watermark calculations for gen12+ MC CCS modifierfd37286f39drm/i915: Fix watermark calculations for gen12+ RC CCS modifier5d6093c49cdrm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table()57f1a89a8edrm/nouveau/kms/nv140-: Disable interlacingd0febad83estaging: greybus: audio_helper: remove unused and wrong debugfs usageceeb8d4a43KVM: VMX: Drop bits 31:16 when shoving exception error code into VMCS83fe0b009bKVM: nVMX: Unconditionally purge queued/injected events on nested "exit"085ca1d33bKVM: x86/emulator: Fix handing of POP SS to correctly set interruptibilitybda8120e5bmedia: cedrus: Set the platform driver data earlierdbdd3b1448efi: libstub: drop pointless get_memory_map() call68158654b5thunderbolt: Explicitly enable lane adapter hotplug events at startupfc08f84381tracing: Disable interrupt or preemption before acquiring arch_spinlock_t0cf6c09dafring-buffer: Fix race between reset page and reading page588f02f8b9ring-buffer: Add ring_buffer_wake_waiters()586f02c500ring-buffer: Check pending waiters when doing wake ups as well6617e5132cring-buffer: Have the shortest_full queue be the shortest not longest4a3bbd40e4ring-buffer: Allow splice to read previous partially read pagesf2ca4609d0ftrace: Properly unset FTRACE_HASH_FL_MOD846f041203livepatch: fix race between fork and KLP transition2189756eabext4: update 'state->fc_regions_size' after successful memory allocation2cfb769d60ext4: fix potential memory leak in ext4_fc_record_regions()c9ce7766dcext4: fix potential memory leak in ext4_fc_record_modified_inode()d575fb52c4ext4: fix miss release buffer head in ext4_fc_write_inode74d2a398d2ext4: place buffer head allocation before handle startfbb0e601bdext4: ext4_read_bh_lock() should submit IO if the buffer isn't uptodate0e1764ad71ext4: don't increase iversion counter for ea_inodes483831ad04ext4: fix check for block being out of directory sizeac66db1a43ext4: make ext4_lazyinit_thread freezablef34ab95162ext4: fix null-ptr-deref in ext4_write_infofb98cb61efext4: avoid crash when inline data creation follows DIO writee65506ff18jbd2: add miss release buffer head in fc_do_one_pass()1d4d16daecjbd2: fix potential use-after-free in jbd2_fc_wait_bufs7a33dde572jbd2: fix potential buffer head reference count leakeea3e455a3jbd2: wake up journal waiters in FIFO order, not LIFOba52e685d2hardening: Remove Clang's enable flag for -ftrivial-auto-var-init=zerobdcb1d7cf2hardening: Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZEROd621a87064hardening: Clarify Kconfig text for auto-var-init4a8e8bf280f2fs: fix to do sanity check on summary info73fb4bd2c0f2fs: fix to do sanity check on destination blkaddr during recovery12014eaf1bf2fs: increase the limit for reserve_root47b5ffe863btrfs: fix race between quota enable and quota rescan ioctle504729496fbdev: smscufx: Fix use-after-free in ufx_ops_open()9931bd05bbscsi: qedf: Populate sysfs attributes for vport102c4b6e8cpowerpc/boot: Explicitly disable usage of SPE instructions7db60fd46epowercap: intel_rapl: Use standard Energy Unit for SPR Dram RAPL domain9119a92ad9PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridgea3c08c0217mm/mmap: undo ->mmap() when arch_validate_flags() fails7d551b7d61block: fix inflight statistics of part00a12979089drm/udl: Restore display mode on resumef134f261d7drm/virtio: Check whether transferred 2D BO is shmem303436e301nvme-pci: set min_align_mask before calculating max_hw_sectors6a73e6edcbUM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK1a053f597friscv: Pass -mno-relax only on lld < 15.0.0d15dca1d46riscv: Make VM_WRITE imply VM_READd8c6f9b2e1riscv: Allow PROT_WRITE-only mmap()a6dcc6cfa2parisc: fbdev/stifb: Align graphics memory size to 4MB2ce9fab94bRISC-V: Make port I/O string accessors actually workffb571e123regulator: qcom_rpm: Fix circular deferral regression85909424a1hwmon: (gsc-hwmon) Call of_node_get() before of_find_xxx API8ef0e1c0aeASoC: wcd934x: fix order of Slimbus unprepare/disable9b2c82af65ASoC: wcd9335: fix order of Slimbus unprepare/disable1c20d672e3platform/chrome: cros_ec_proto: Update version on GET_NEXT_EVENT failure6b7ae4a904quota: Check next/prev free block number after reading from quota file5b1a56beb6HID: multitouch: Add memory barriersbfe60d7641fs: dlm: handle -EBUSY first in lock arg validation0b2d8e4db4fs: dlm: fix race between test_bit() and queue_work()057d5838c7mmc: sdhci-sprd: Fix minimum clock limit448fffc1aecan: kvaser_usb_leaf: Fix CAN state after restarta3776e09b3can: kvaser_usb_leaf: Fix TX queue out of sync after restart0f8c88978dcan: kvaser_usb_leaf: Fix overread with an invalid command5d1cb7bfadcan: kvaser_usb: Fix use of uninitialized completionb239a0993ausb: add quirks for Lenovo OneLink+ Dockafbbf305dbiio: pressure: dps310: Reset chip after timeout9daadd1d10iio: pressure: dps310: Refactor startup procedureae49d80400iio: adc: ad7923: fix channel readings for some variantsea4dcd3d6aiio: ltc2497: Fix reading conversion results30e1bd0d3eiio: dac: ad5593r: Fix i2c read protocol requirements9312e04b6ccifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message64f23e5430cifs: destage dirty pages before re-reading them for cache=none50d3d89537mtd: rawnand: atmel: Unmap streaming DMA mappingse8eb44eeeeALSA: hda/realtek: Add Intel Reference SSID to support headset keys4491fbd0a7ALSA: hda/realtek: Add quirk for ASUS GV601R laptop4285d06d12ALSA: hda/realtek: Correct pin configs for ASUS G533Z768cd2cd1aALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 55303e29645fbaALSA: usb-audio: Fix NULL dererence at error pathbc1d16d282ALSA: usb-audio: Fix potential memory leaksef1658bc48ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free()026fcb6336ALSA: oss: Fix potential deadlock at unregistration Also update the .xml file to handle the few ABI changes in this merge that required an update due to private pointers changing types and ABI padding structures being used to preserve the ABI: Leaf changes summary: 4 artifacts changed (1 filtered out) Changed leaf types summary: 4 (1 filtered out) leaf types changed Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 0 Added function Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variable 'struct fscrypt_info at fscrypt_private.h:195:1' changed: type size hasn't changed there are data member changes: type 'key*' of 'fscrypt_info::ci_master_key' changed: pointer type changed from: 'key*' to: 'fscrypt_master_key*' 5197 impacted interfaces 'struct sk_buff at skbuff.h:717:1' changed: type size hasn't changed there are data member changes: data member u64 android_kabi_reserved1 at offset 1472 (in bits) became anonymous data member 'union {struct {__u8 scm_io_uring; __u8 android_kabi_reserved1_padding1; __u16 android_kabi_reserved1_padding2; __u32 android_kabi_reserved1_padding3;}; struct {u64 android_kabi_reserved1;}; union {};}' 5197 impacted interfaces 'struct super_block at fs.h:1450:1' changed: type size hasn't changed there are data member changes: type 'key*' of 'super_block::s_master_keys' changed: pointer type changed from: 'key*' to: 'fscrypt_keyring*' 5197 impacted interfaces 'struct tcp_sock at tcp.h:146:1' changed: type size hasn't changed one impacted interface Change-Id: I6f2a7b91e1df96bede8aafa944a04b3e08ed33a1 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
3995 lines
107 KiB
C
3995 lines
107 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* mm/mmap.c
|
|
*
|
|
* Written by obz.
|
|
*
|
|
* Address space accounting code <alan@lxorguk.ukuu.org.uk>
|
|
*/
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
#include <linux/kernel.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/backing-dev.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/vmacache.h>
|
|
#include <linux/shm.h>
|
|
#include <linux/mman.h>
|
|
#include <linux/pagemap.h>
|
|
#include <linux/swap.h>
|
|
#include <linux/syscalls.h>
|
|
#include <linux/capability.h>
|
|
#include <linux/init.h>
|
|
#include <linux/file.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/personality.h>
|
|
#include <linux/security.h>
|
|
#include <linux/hugetlb.h>
|
|
#include <linux/shmem_fs.h>
|
|
#include <linux/profile.h>
|
|
#include <linux/export.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/mempolicy.h>
|
|
#include <linux/rmap.h>
|
|
#include <linux/mmu_notifier.h>
|
|
#include <linux/mmdebug.h>
|
|
#include <linux/perf_event.h>
|
|
#include <linux/audit.h>
|
|
#include <linux/khugepaged.h>
|
|
#include <linux/uprobes.h>
|
|
#include <linux/rbtree_augmented.h>
|
|
#include <linux/notifier.h>
|
|
#include <linux/memory.h>
|
|
#include <linux/printk.h>
|
|
#include <linux/userfaultfd_k.h>
|
|
#include <linux/moduleparam.h>
|
|
#include <linux/pkeys.h>
|
|
#include <linux/oom.h>
|
|
#include <linux/sched/mm.h>
|
|
|
|
#include <linux/uaccess.h>
|
|
#include <asm/cacheflush.h>
|
|
#include <asm/tlb.h>
|
|
#include <asm/mmu_context.h>
|
|
|
|
#define CREATE_TRACE_POINTS
|
|
#include <trace/events/mmap.h>
|
|
#undef CREATE_TRACE_POINTS
|
|
#include <trace/hooks/mm.h>
|
|
#include "internal.h"
|
|
|
|
#ifndef arch_mmap_check
|
|
#define arch_mmap_check(addr, len, flags) (0)
|
|
#endif
|
|
|
|
#ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
|
|
const int mmap_rnd_bits_min = CONFIG_ARCH_MMAP_RND_BITS_MIN;
|
|
const int mmap_rnd_bits_max = CONFIG_ARCH_MMAP_RND_BITS_MAX;
|
|
int mmap_rnd_bits __read_mostly = CONFIG_ARCH_MMAP_RND_BITS;
|
|
#endif
|
|
#ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS
|
|
const int mmap_rnd_compat_bits_min = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN;
|
|
const int mmap_rnd_compat_bits_max = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX;
|
|
int mmap_rnd_compat_bits __read_mostly = CONFIG_ARCH_MMAP_RND_COMPAT_BITS;
|
|
#endif
|
|
|
|
static bool ignore_rlimit_data;
|
|
core_param(ignore_rlimit_data, ignore_rlimit_data, bool, 0644);
|
|
|
|
static void unmap_region(struct mm_struct *mm,
|
|
struct vm_area_struct *vma, struct vm_area_struct *prev,
|
|
unsigned long start, unsigned long end);
|
|
|
|
/* description of effects of mapping type and prot in current implementation.
|
|
* this is due to the limited x86 page protection hardware. The expected
|
|
* behavior is in parens:
|
|
*
|
|
* map_type prot
|
|
* PROT_NONE PROT_READ PROT_WRITE PROT_EXEC
|
|
* MAP_SHARED r: (no) no r: (yes) yes r: (no) yes r: (no) yes
|
|
* w: (no) no w: (no) no w: (yes) yes w: (no) no
|
|
* x: (no) no x: (no) yes x: (no) yes x: (yes) yes
|
|
*
|
|
* MAP_PRIVATE r: (no) no r: (yes) yes r: (no) yes r: (no) yes
|
|
* w: (no) no w: (no) no w: (copy) copy w: (no) no
|
|
* x: (no) no x: (no) yes x: (no) yes x: (yes) yes
|
|
*/
|
|
pgprot_t protection_map[16] __ro_after_init = {
|
|
__P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
|
|
__S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
|
|
};
|
|
|
|
#ifndef CONFIG_ARCH_HAS_FILTER_PGPROT
|
|
static inline pgprot_t arch_filter_pgprot(pgprot_t prot)
|
|
{
|
|
return prot;
|
|
}
|
|
#endif
|
|
|
|
pgprot_t vm_get_page_prot(unsigned long vm_flags)
|
|
{
|
|
pgprot_t ret = __pgprot(pgprot_val(protection_map[vm_flags &
|
|
(VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
|
|
pgprot_val(arch_vm_get_page_prot(vm_flags)));
|
|
|
|
return arch_filter_pgprot(ret);
|
|
}
|
|
EXPORT_SYMBOL(vm_get_page_prot);
|
|
|
|
static pgprot_t vm_pgprot_modify(pgprot_t oldprot, unsigned long vm_flags)
|
|
{
|
|
return pgprot_modify(oldprot, vm_get_page_prot(vm_flags));
|
|
}
|
|
|
|
/* Update vma->vm_page_prot to reflect vma->vm_flags. */
|
|
void vma_set_page_prot(struct vm_area_struct *vma)
|
|
{
|
|
unsigned long vm_flags = vma->vm_flags;
|
|
pgprot_t vm_page_prot;
|
|
|
|
vm_page_prot = vm_pgprot_modify(vma->vm_page_prot, vm_flags);
|
|
if (vma_wants_writenotify(vma, vm_page_prot)) {
|
|
vm_flags &= ~VM_SHARED;
|
|
vm_page_prot = vm_pgprot_modify(vm_page_prot, vm_flags);
|
|
}
|
|
/* remove_protection_ptes reads vma->vm_page_prot without mmap_lock */
|
|
WRITE_ONCE(vma->vm_page_prot, vm_page_prot);
|
|
}
|
|
|
|
/*
|
|
* Requires inode->i_mapping->i_mmap_rwsem
|
|
*/
|
|
static void __remove_shared_vm_struct(struct vm_area_struct *vma,
|
|
struct file *file, struct address_space *mapping)
|
|
{
|
|
if (vma->vm_flags & VM_DENYWRITE)
|
|
allow_write_access(file);
|
|
if (vma->vm_flags & VM_SHARED)
|
|
mapping_unmap_writable(mapping);
|
|
|
|
flush_dcache_mmap_lock(mapping);
|
|
vma_interval_tree_remove(vma, &mapping->i_mmap);
|
|
flush_dcache_mmap_unlock(mapping);
|
|
}
|
|
|
|
/*
|
|
* Unlink a file-based vm structure from its interval tree, to hide
|
|
* vma from rmap and vmtruncate before freeing its page tables.
|
|
*/
|
|
void unlink_file_vma(struct vm_area_struct *vma)
|
|
{
|
|
struct file *file = vma->vm_file;
|
|
|
|
if (file) {
|
|
struct address_space *mapping = file->f_mapping;
|
|
i_mmap_lock_write(mapping);
|
|
__remove_shared_vm_struct(vma, file, mapping);
|
|
i_mmap_unlock_write(mapping);
|
|
}
|
|
}
|
|
|
|
static void __free_vma(struct vm_area_struct *vma)
|
|
{
|
|
if (vma->vm_file)
|
|
fput(vma->vm_file);
|
|
mpol_put(vma_policy(vma));
|
|
vm_area_free(vma);
|
|
}
|
|
|
|
#ifdef CONFIG_SPECULATIVE_PAGE_FAULT
|
|
void put_vma(struct vm_area_struct *vma)
|
|
{
|
|
if (atomic_dec_and_test(&vma->vm_ref_count))
|
|
__free_vma(vma);
|
|
}
|
|
#else
|
|
static inline void put_vma(struct vm_area_struct *vma)
|
|
{
|
|
__free_vma(vma);
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* Close a vm structure and free it, returning the next.
|
|
*/
|
|
static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
|
|
{
|
|
struct vm_area_struct *next = vma->vm_next;
|
|
|
|
might_sleep();
|
|
if (vma->vm_ops && vma->vm_ops->close)
|
|
vma->vm_ops->close(vma);
|
|
put_vma(vma);
|
|
return next;
|
|
}
|
|
|
|
static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long flags,
|
|
struct list_head *uf);
|
|
SYSCALL_DEFINE1(brk, unsigned long, brk)
|
|
{
|
|
unsigned long retval;
|
|
unsigned long newbrk, oldbrk, origbrk;
|
|
struct mm_struct *mm = current->mm;
|
|
struct vm_area_struct *next;
|
|
unsigned long min_brk;
|
|
bool populate;
|
|
bool downgraded = false;
|
|
LIST_HEAD(uf);
|
|
|
|
if (mmap_write_lock_killable(mm))
|
|
return -EINTR;
|
|
|
|
origbrk = mm->brk;
|
|
|
|
#ifdef CONFIG_COMPAT_BRK
|
|
/*
|
|
* CONFIG_COMPAT_BRK can still be overridden by setting
|
|
* randomize_va_space to 2, which will still cause mm->start_brk
|
|
* to be arbitrarily shifted
|
|
*/
|
|
if (current->brk_randomized)
|
|
min_brk = mm->start_brk;
|
|
else
|
|
min_brk = mm->end_data;
|
|
#else
|
|
min_brk = mm->start_brk;
|
|
#endif
|
|
if (brk < min_brk)
|
|
goto out;
|
|
|
|
/*
|
|
* Check against rlimit here. If this check is done later after the test
|
|
* of oldbrk with newbrk then it can escape the test and let the data
|
|
* segment grow beyond its set limit the in case where the limit is
|
|
* not page aligned -Ram Gupta
|
|
*/
|
|
if (check_data_rlimit(rlimit(RLIMIT_DATA), brk, mm->start_brk,
|
|
mm->end_data, mm->start_data))
|
|
goto out;
|
|
|
|
newbrk = PAGE_ALIGN(brk);
|
|
oldbrk = PAGE_ALIGN(mm->brk);
|
|
if (oldbrk == newbrk) {
|
|
mm->brk = brk;
|
|
goto success;
|
|
}
|
|
|
|
/*
|
|
* Always allow shrinking brk.
|
|
* __do_munmap() may downgrade mmap_lock to read.
|
|
*/
|
|
if (brk <= mm->brk) {
|
|
int ret;
|
|
|
|
/*
|
|
* mm->brk must to be protected by write mmap_lock so update it
|
|
* before downgrading mmap_lock. When __do_munmap() fails,
|
|
* mm->brk will be restored from origbrk.
|
|
*/
|
|
mm->brk = brk;
|
|
ret = __do_munmap(mm, newbrk, oldbrk-newbrk, &uf, true);
|
|
if (ret < 0) {
|
|
mm->brk = origbrk;
|
|
goto out;
|
|
} else if (ret == 1) {
|
|
downgraded = true;
|
|
}
|
|
goto success;
|
|
}
|
|
|
|
/* Check against existing mmap mappings. */
|
|
next = find_vma(mm, oldbrk);
|
|
if (next && newbrk + PAGE_SIZE > vm_start_gap(next))
|
|
goto out;
|
|
|
|
/* Ok, looks good - let it rip. */
|
|
if (do_brk_flags(oldbrk, newbrk-oldbrk, 0, &uf) < 0)
|
|
goto out;
|
|
mm->brk = brk;
|
|
|
|
success:
|
|
populate = newbrk > oldbrk && (mm->def_flags & VM_LOCKED) != 0;
|
|
if (downgraded)
|
|
mmap_read_unlock(mm);
|
|
else
|
|
mmap_write_unlock(mm);
|
|
userfaultfd_unmap_complete(mm, &uf);
|
|
if (populate)
|
|
mm_populate(oldbrk, newbrk - oldbrk);
|
|
return brk;
|
|
|
|
out:
|
|
retval = origbrk;
|
|
mmap_write_unlock(mm);
|
|
return retval;
|
|
}
|
|
|
|
static inline unsigned long vma_compute_gap(struct vm_area_struct *vma)
|
|
{
|
|
unsigned long gap, prev_end;
|
|
|
|
/*
|
|
* Note: in the rare case of a VM_GROWSDOWN above a VM_GROWSUP, we
|
|
* allow two stack_guard_gaps between them here, and when choosing
|
|
* an unmapped area; whereas when expanding we only require one.
|
|
* That's a little inconsistent, but keeps the code here simpler.
|
|
*/
|
|
gap = vm_start_gap(vma);
|
|
if (vma->vm_prev) {
|
|
prev_end = vm_end_gap(vma->vm_prev);
|
|
if (gap > prev_end)
|
|
gap -= prev_end;
|
|
else
|
|
gap = 0;
|
|
}
|
|
return gap;
|
|
}
|
|
|
|
#ifdef CONFIG_DEBUG_VM_RB
|
|
static unsigned long vma_compute_subtree_gap(struct vm_area_struct *vma)
|
|
{
|
|
unsigned long max = vma_compute_gap(vma), subtree_gap;
|
|
if (vma->vm_rb.rb_left) {
|
|
subtree_gap = rb_entry(vma->vm_rb.rb_left,
|
|
struct vm_area_struct, vm_rb)->rb_subtree_gap;
|
|
if (subtree_gap > max)
|
|
max = subtree_gap;
|
|
}
|
|
if (vma->vm_rb.rb_right) {
|
|
subtree_gap = rb_entry(vma->vm_rb.rb_right,
|
|
struct vm_area_struct, vm_rb)->rb_subtree_gap;
|
|
if (subtree_gap > max)
|
|
max = subtree_gap;
|
|
}
|
|
return max;
|
|
}
|
|
|
|
static int browse_rb(struct mm_struct *mm)
|
|
{
|
|
struct rb_root *root = &mm->mm_rb;
|
|
int i = 0, j, bug = 0;
|
|
struct rb_node *nd, *pn = NULL;
|
|
unsigned long prev = 0, pend = 0;
|
|
|
|
for (nd = rb_first(root); nd; nd = rb_next(nd)) {
|
|
struct vm_area_struct *vma;
|
|
vma = rb_entry(nd, struct vm_area_struct, vm_rb);
|
|
if (vma->vm_start < prev) {
|
|
pr_emerg("vm_start %lx < prev %lx\n",
|
|
vma->vm_start, prev);
|
|
bug = 1;
|
|
}
|
|
if (vma->vm_start < pend) {
|
|
pr_emerg("vm_start %lx < pend %lx\n",
|
|
vma->vm_start, pend);
|
|
bug = 1;
|
|
}
|
|
if (vma->vm_start > vma->vm_end) {
|
|
pr_emerg("vm_start %lx > vm_end %lx\n",
|
|
vma->vm_start, vma->vm_end);
|
|
bug = 1;
|
|
}
|
|
spin_lock(&mm->page_table_lock);
|
|
if (vma->rb_subtree_gap != vma_compute_subtree_gap(vma)) {
|
|
pr_emerg("free gap %lx, correct %lx\n",
|
|
vma->rb_subtree_gap,
|
|
vma_compute_subtree_gap(vma));
|
|
bug = 1;
|
|
}
|
|
spin_unlock(&mm->page_table_lock);
|
|
i++;
|
|
pn = nd;
|
|
prev = vma->vm_start;
|
|
pend = vma->vm_end;
|
|
}
|
|
j = 0;
|
|
for (nd = pn; nd; nd = rb_prev(nd))
|
|
j++;
|
|
if (i != j) {
|
|
pr_emerg("backwards %d, forwards %d\n", j, i);
|
|
bug = 1;
|
|
}
|
|
return bug ? -1 : i;
|
|
}
|
|
|
|
static void validate_mm_rb(struct rb_root *root, struct vm_area_struct *ignore)
|
|
{
|
|
struct rb_node *nd;
|
|
|
|
for (nd = rb_first(root); nd; nd = rb_next(nd)) {
|
|
struct vm_area_struct *vma;
|
|
vma = rb_entry(nd, struct vm_area_struct, vm_rb);
|
|
VM_BUG_ON_VMA(vma != ignore &&
|
|
vma->rb_subtree_gap != vma_compute_subtree_gap(vma),
|
|
vma);
|
|
}
|
|
}
|
|
|
|
static void validate_mm(struct mm_struct *mm)
|
|
{
|
|
int bug = 0;
|
|
int i = 0;
|
|
unsigned long highest_address = 0;
|
|
struct vm_area_struct *vma = mm->mmap;
|
|
|
|
while (vma) {
|
|
struct anon_vma *anon_vma = vma->anon_vma;
|
|
struct anon_vma_chain *avc;
|
|
|
|
if (anon_vma) {
|
|
anon_vma_lock_read(anon_vma);
|
|
list_for_each_entry(avc, &vma->anon_vma_chain, same_vma)
|
|
anon_vma_interval_tree_verify(avc);
|
|
anon_vma_unlock_read(anon_vma);
|
|
}
|
|
|
|
highest_address = vm_end_gap(vma);
|
|
vma = vma->vm_next;
|
|
i++;
|
|
}
|
|
if (i != mm->map_count) {
|
|
pr_emerg("map_count %d vm_next %d\n", mm->map_count, i);
|
|
bug = 1;
|
|
}
|
|
if (highest_address != mm->highest_vm_end) {
|
|
pr_emerg("mm->highest_vm_end %lx, found %lx\n",
|
|
mm->highest_vm_end, highest_address);
|
|
bug = 1;
|
|
}
|
|
i = browse_rb(mm);
|
|
if (i != mm->map_count) {
|
|
if (i != -1)
|
|
pr_emerg("map_count %d rb %d\n", mm->map_count, i);
|
|
bug = 1;
|
|
}
|
|
VM_BUG_ON_MM(bug, mm);
|
|
}
|
|
#else
|
|
#define validate_mm_rb(root, ignore) do { } while (0)
|
|
#define validate_mm(mm) do { } while (0)
|
|
#endif
|
|
|
|
RB_DECLARE_CALLBACKS_MAX(static, vma_gap_callbacks,
|
|
struct vm_area_struct, vm_rb,
|
|
unsigned long, rb_subtree_gap, vma_compute_gap)
|
|
#ifdef CONFIG_SPECULATIVE_PAGE_FAULT
|
|
#define mm_rb_write_lock(mm) write_lock(&(mm)->mm_rb_lock)
|
|
#define mm_rb_write_unlock(mm) write_unlock(&(mm)->mm_rb_lock)
|
|
#else
|
|
#define mm_rb_write_lock(mm) do { } while (0)
|
|
#define mm_rb_write_unlock(mm) do { } while (0)
|
|
#endif /* CONFIG_SPECULATIVE_PAGE_FAULT */
|
|
|
|
/*
|
|
* Update augmented rbtree rb_subtree_gap values after vma->vm_start or
|
|
* vma->vm_prev->vm_end values changed, without modifying the vma's position
|
|
* in the rbtree.
|
|
*/
|
|
static void vma_gap_update(struct vm_area_struct *vma)
|
|
{
|
|
/*
|
|
* As it turns out, RB_DECLARE_CALLBACKS_MAX() already created
|
|
* a callback function that does exactly what we want.
|
|
*/
|
|
vma_gap_callbacks_propagate(&vma->vm_rb, NULL);
|
|
}
|
|
|
|
static inline void vma_rb_insert(struct vm_area_struct *vma,
|
|
struct mm_struct *mm)
|
|
{
|
|
struct rb_root *root = &mm->mm_rb;
|
|
|
|
/* All rb_subtree_gap values must be consistent prior to insertion */
|
|
validate_mm_rb(root, NULL);
|
|
|
|
rb_insert_augmented(&vma->vm_rb, root, &vma_gap_callbacks);
|
|
}
|
|
|
|
static void __vma_rb_erase(struct vm_area_struct *vma, struct mm_struct *mm)
|
|
{
|
|
struct rb_root *root = &mm->mm_rb;
|
|
/*
|
|
* Note rb_erase_augmented is a fairly large inline function,
|
|
* so make sure we instantiate it only once with our desired
|
|
* augmented rbtree callbacks.
|
|
*/
|
|
mm_rb_write_lock(mm);
|
|
rb_erase_augmented(&vma->vm_rb, root, &vma_gap_callbacks);
|
|
mm_rb_write_unlock(mm); /* wmb */
|
|
|
|
/*
|
|
* Ensure the removal is complete before clearing the node.
|
|
* Matched by vma_has_changed()/handle_speculative_fault().
|
|
*/
|
|
RB_CLEAR_NODE(&vma->vm_rb);
|
|
}
|
|
|
|
static __always_inline void vma_rb_erase_ignore(struct vm_area_struct *vma,
|
|
struct mm_struct *mm,
|
|
struct vm_area_struct *ignore)
|
|
{
|
|
/*
|
|
* All rb_subtree_gap values must be consistent prior to erase,
|
|
* with the possible exception of
|
|
*
|
|
* a. the "next" vma being erased if next->vm_start was reduced in
|
|
* __vma_adjust() -> __vma_unlink()
|
|
* b. the vma being erased in detach_vmas_to_be_unmapped() ->
|
|
* vma_rb_erase()
|
|
*/
|
|
validate_mm_rb(&mm->mm_rb, ignore);
|
|
|
|
__vma_rb_erase(vma, mm);
|
|
}
|
|
|
|
static __always_inline void vma_rb_erase(struct vm_area_struct *vma,
|
|
struct mm_struct *mm)
|
|
{
|
|
vma_rb_erase_ignore(vma, mm, vma);
|
|
}
|
|
|
|
/*
|
|
* vma has some anon_vma assigned, and is already inserted on that
|
|
* anon_vma's interval trees.
|
|
*
|
|
* Before updating the vma's vm_start / vm_end / vm_pgoff fields, the
|
|
* vma must be removed from the anon_vma's interval trees using
|
|
* anon_vma_interval_tree_pre_update_vma().
|
|
*
|
|
* After the update, the vma will be reinserted using
|
|
* anon_vma_interval_tree_post_update_vma().
|
|
*
|
|
* The entire update must be protected by exclusive mmap_lock and by
|
|
* the root anon_vma's mutex.
|
|
*/
|
|
static inline void
|
|
anon_vma_interval_tree_pre_update_vma(struct vm_area_struct *vma)
|
|
{
|
|
struct anon_vma_chain *avc;
|
|
|
|
list_for_each_entry(avc, &vma->anon_vma_chain, same_vma)
|
|
anon_vma_interval_tree_remove(avc, &avc->anon_vma->rb_root);
|
|
}
|
|
|
|
static inline void
|
|
anon_vma_interval_tree_post_update_vma(struct vm_area_struct *vma)
|
|
{
|
|
struct anon_vma_chain *avc;
|
|
|
|
list_for_each_entry(avc, &vma->anon_vma_chain, same_vma)
|
|
anon_vma_interval_tree_insert(avc, &avc->anon_vma->rb_root);
|
|
}
|
|
|
|
static int find_vma_links(struct mm_struct *mm, unsigned long addr,
|
|
unsigned long end, struct vm_area_struct **pprev,
|
|
struct rb_node ***rb_link, struct rb_node **rb_parent)
|
|
{
|
|
struct rb_node **__rb_link, *__rb_parent, *rb_prev;
|
|
|
|
__rb_link = &mm->mm_rb.rb_node;
|
|
rb_prev = __rb_parent = NULL;
|
|
|
|
while (*__rb_link) {
|
|
struct vm_area_struct *vma_tmp;
|
|
|
|
__rb_parent = *__rb_link;
|
|
vma_tmp = rb_entry(__rb_parent, struct vm_area_struct, vm_rb);
|
|
|
|
if (vma_tmp->vm_end > addr) {
|
|
/* Fail if an existing vma overlaps the area */
|
|
if (vma_tmp->vm_start < end)
|
|
return -ENOMEM;
|
|
__rb_link = &__rb_parent->rb_left;
|
|
} else {
|
|
rb_prev = __rb_parent;
|
|
__rb_link = &__rb_parent->rb_right;
|
|
}
|
|
}
|
|
|
|
*pprev = NULL;
|
|
if (rb_prev)
|
|
*pprev = rb_entry(rb_prev, struct vm_area_struct, vm_rb);
|
|
*rb_link = __rb_link;
|
|
*rb_parent = __rb_parent;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* vma_next() - Get the next VMA.
|
|
* @mm: The mm_struct.
|
|
* @vma: The current vma.
|
|
*
|
|
* If @vma is NULL, return the first vma in the mm.
|
|
*
|
|
* Returns: The next VMA after @vma.
|
|
*/
|
|
static inline struct vm_area_struct *vma_next(struct mm_struct *mm,
|
|
struct vm_area_struct *vma)
|
|
{
|
|
if (!vma)
|
|
return mm->mmap;
|
|
|
|
return vma->vm_next;
|
|
}
|
|
|
|
/*
|
|
* munmap_vma_range() - munmap VMAs that overlap a range.
|
|
* @mm: The mm struct
|
|
* @start: The start of the range.
|
|
* @len: The length of the range.
|
|
* @pprev: pointer to the pointer that will be set to previous vm_area_struct
|
|
* @rb_link: the rb_node
|
|
* @rb_parent: the parent rb_node
|
|
*
|
|
* Find all the vm_area_struct that overlap from @start to
|
|
* @end and munmap them. Set @pprev to the previous vm_area_struct.
|
|
*
|
|
* Returns: -ENOMEM on munmap failure or 0 on success.
|
|
*/
|
|
static inline int
|
|
munmap_vma_range(struct mm_struct *mm, unsigned long start, unsigned long len,
|
|
struct vm_area_struct **pprev, struct rb_node ***link,
|
|
struct rb_node **parent, struct list_head *uf)
|
|
{
|
|
|
|
while (find_vma_links(mm, start, start + len, pprev, link, parent))
|
|
if (do_munmap(mm, start, len, uf))
|
|
return -ENOMEM;
|
|
|
|
return 0;
|
|
}
|
|
static unsigned long count_vma_pages_range(struct mm_struct *mm,
|
|
unsigned long addr, unsigned long end)
|
|
{
|
|
unsigned long nr_pages = 0;
|
|
struct vm_area_struct *vma;
|
|
|
|
/* Find first overlaping mapping */
|
|
vma = find_vma_intersection(mm, addr, end);
|
|
if (!vma)
|
|
return 0;
|
|
|
|
nr_pages = (min(end, vma->vm_end) -
|
|
max(addr, vma->vm_start)) >> PAGE_SHIFT;
|
|
|
|
/* Iterate over the rest of the overlaps */
|
|
for (vma = vma->vm_next; vma; vma = vma->vm_next) {
|
|
unsigned long overlap_len;
|
|
|
|
if (vma->vm_start > end)
|
|
break;
|
|
|
|
overlap_len = min(end, vma->vm_end) - vma->vm_start;
|
|
nr_pages += overlap_len >> PAGE_SHIFT;
|
|
}
|
|
|
|
return nr_pages;
|
|
}
|
|
|
|
void __vma_link_rb(struct mm_struct *mm, struct vm_area_struct *vma,
|
|
struct rb_node **rb_link, struct rb_node *rb_parent)
|
|
{
|
|
/* Update tracking information for the gap following the new vma. */
|
|
if (vma->vm_next)
|
|
vma_gap_update(vma->vm_next);
|
|
else
|
|
mm->highest_vm_end = vm_end_gap(vma);
|
|
|
|
/*
|
|
* vma->vm_prev wasn't known when we followed the rbtree to find the
|
|
* correct insertion point for that vma. As a result, we could not
|
|
* update the vma vm_rb parents rb_subtree_gap values on the way down.
|
|
* So, we first insert the vma with a zero rb_subtree_gap value
|
|
* (to be consistent with what we did on the way down), and then
|
|
* immediately update the gap to the correct value. Finally we
|
|
* rebalance the rbtree after all augmented values have been set.
|
|
*/
|
|
mm_rb_write_lock(mm);
|
|
rb_link_node(&vma->vm_rb, rb_parent, rb_link);
|
|
vma->rb_subtree_gap = 0;
|
|
vma_gap_update(vma);
|
|
vma_rb_insert(vma, mm);
|
|
mm_rb_write_unlock(mm);
|
|
}
|
|
|
|
static void __vma_link_file(struct vm_area_struct *vma)
|
|
{
|
|
struct file *file;
|
|
|
|
file = vma->vm_file;
|
|
if (file) {
|
|
struct address_space *mapping = file->f_mapping;
|
|
|
|
if (vma->vm_flags & VM_DENYWRITE)
|
|
put_write_access(file_inode(file));
|
|
if (vma->vm_flags & VM_SHARED)
|
|
mapping_allow_writable(mapping);
|
|
|
|
flush_dcache_mmap_lock(mapping);
|
|
vma_interval_tree_insert(vma, &mapping->i_mmap);
|
|
flush_dcache_mmap_unlock(mapping);
|
|
}
|
|
}
|
|
|
|
static void
|
|
__vma_link(struct mm_struct *mm, struct vm_area_struct *vma,
|
|
struct vm_area_struct *prev, struct rb_node **rb_link,
|
|
struct rb_node *rb_parent)
|
|
{
|
|
__vma_link_list(mm, vma, prev);
|
|
__vma_link_rb(mm, vma, rb_link, rb_parent);
|
|
}
|
|
|
|
static void vma_link(struct mm_struct *mm, struct vm_area_struct *vma,
|
|
struct vm_area_struct *prev, struct rb_node **rb_link,
|
|
struct rb_node *rb_parent)
|
|
{
|
|
struct address_space *mapping = NULL;
|
|
|
|
if (vma->vm_file) {
|
|
mapping = vma->vm_file->f_mapping;
|
|
i_mmap_lock_write(mapping);
|
|
}
|
|
|
|
__vma_link(mm, vma, prev, rb_link, rb_parent);
|
|
__vma_link_file(vma);
|
|
|
|
if (mapping)
|
|
i_mmap_unlock_write(mapping);
|
|
|
|
mm->map_count++;
|
|
validate_mm(mm);
|
|
}
|
|
|
|
/*
|
|
* Helper for vma_adjust() in the split_vma insert case: insert a vma into the
|
|
* mm's list and rbtree. It has already been inserted into the interval tree.
|
|
*/
|
|
static void __insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
|
|
{
|
|
struct vm_area_struct *prev;
|
|
struct rb_node **rb_link, *rb_parent;
|
|
|
|
if (find_vma_links(mm, vma->vm_start, vma->vm_end,
|
|
&prev, &rb_link, &rb_parent))
|
|
BUG();
|
|
__vma_link(mm, vma, prev, rb_link, rb_parent);
|
|
mm->map_count++;
|
|
}
|
|
|
|
static __always_inline void __vma_unlink(struct mm_struct *mm,
|
|
struct vm_area_struct *vma,
|
|
struct vm_area_struct *ignore)
|
|
{
|
|
vma_rb_erase_ignore(vma, mm, ignore);
|
|
__vma_unlink_list(mm, vma);
|
|
/* Kill the cache */
|
|
vmacache_invalidate(mm);
|
|
}
|
|
|
|
/*
|
|
* We cannot adjust vm_start, vm_end, vm_pgoff fields of a vma that
|
|
* is already present in an i_mmap tree without adjusting the tree.
|
|
* The following helper function should be used when such adjustments
|
|
* are necessary. The "insert" vma (if any) is to be inserted
|
|
* before we drop the necessary locks.
|
|
*/
|
|
int __vma_adjust(struct vm_area_struct *vma, unsigned long start,
|
|
unsigned long end, pgoff_t pgoff, struct vm_area_struct *insert,
|
|
struct vm_area_struct *expand, bool keep_locked)
|
|
{
|
|
struct mm_struct *mm = vma->vm_mm;
|
|
struct vm_area_struct *next = vma->vm_next, *orig_vma = vma;
|
|
struct address_space *mapping = NULL;
|
|
struct rb_root_cached *root = NULL;
|
|
struct anon_vma *anon_vma = NULL;
|
|
struct file *file = vma->vm_file;
|
|
bool start_changed = false, end_changed = false;
|
|
long adjust_next = 0;
|
|
int remove_next = 0;
|
|
|
|
vm_write_begin(vma);
|
|
if (next)
|
|
vm_write_begin(next);
|
|
|
|
if (next && !insert) {
|
|
struct vm_area_struct *exporter = NULL, *importer = NULL;
|
|
|
|
if (end >= next->vm_end) {
|
|
/*
|
|
* vma expands, overlapping all the next, and
|
|
* perhaps the one after too (mprotect case 6).
|
|
* The only other cases that gets here are
|
|
* case 1, case 7 and case 8.
|
|
*/
|
|
if (next == expand) {
|
|
/*
|
|
* The only case where we don't expand "vma"
|
|
* and we expand "next" instead is case 8.
|
|
*/
|
|
VM_WARN_ON(end != next->vm_end);
|
|
/*
|
|
* remove_next == 3 means we're
|
|
* removing "vma" and that to do so we
|
|
* swapped "vma" and "next".
|
|
*/
|
|
remove_next = 3;
|
|
VM_WARN_ON(file != next->vm_file);
|
|
swap(vma, next);
|
|
} else {
|
|
VM_WARN_ON(expand != vma);
|
|
/*
|
|
* case 1, 6, 7, remove_next == 2 is case 6,
|
|
* remove_next == 1 is case 1 or 7.
|
|
*/
|
|
remove_next = 1 + (end > next->vm_end);
|
|
VM_WARN_ON(remove_next == 2 &&
|
|
end != next->vm_next->vm_end);
|
|
/* trim end to next, for case 6 first pass */
|
|
end = next->vm_end;
|
|
}
|
|
|
|
exporter = next;
|
|
importer = vma;
|
|
|
|
/*
|
|
* If next doesn't have anon_vma, import from vma after
|
|
* next, if the vma overlaps with it.
|
|
*/
|
|
if (remove_next == 2 && !next->anon_vma)
|
|
exporter = next->vm_next;
|
|
|
|
} else if (end > next->vm_start) {
|
|
/*
|
|
* vma expands, overlapping part of the next:
|
|
* mprotect case 5 shifting the boundary up.
|
|
*/
|
|
adjust_next = (end - next->vm_start);
|
|
exporter = next;
|
|
importer = vma;
|
|
VM_WARN_ON(expand != importer);
|
|
} else if (end < vma->vm_end) {
|
|
/*
|
|
* vma shrinks, and !insert tells it's not
|
|
* split_vma inserting another: so it must be
|
|
* mprotect case 4 shifting the boundary down.
|
|
*/
|
|
adjust_next = -(vma->vm_end - end);
|
|
exporter = vma;
|
|
importer = next;
|
|
VM_WARN_ON(expand != importer);
|
|
}
|
|
|
|
/*
|
|
* Easily overlooked: when mprotect shifts the boundary,
|
|
* make sure the expanding vma has anon_vma set if the
|
|
* shrinking vma had, to cover any anon pages imported.
|
|
*/
|
|
if (exporter && exporter->anon_vma && !importer->anon_vma) {
|
|
int error;
|
|
|
|
importer->anon_vma = exporter->anon_vma;
|
|
error = anon_vma_clone(importer, exporter);
|
|
if (error) {
|
|
if (next && next != vma)
|
|
vm_write_end(next);
|
|
vm_write_end(vma);
|
|
return error;
|
|
}
|
|
}
|
|
}
|
|
again:
|
|
vma_adjust_trans_huge(orig_vma, start, end, adjust_next);
|
|
|
|
if (file) {
|
|
mapping = file->f_mapping;
|
|
root = &mapping->i_mmap;
|
|
uprobe_munmap(vma, vma->vm_start, vma->vm_end);
|
|
|
|
if (adjust_next)
|
|
uprobe_munmap(next, next->vm_start, next->vm_end);
|
|
|
|
i_mmap_lock_write(mapping);
|
|
if (insert) {
|
|
/*
|
|
* Put into interval tree now, so instantiated pages
|
|
* are visible to arm/parisc __flush_dcache_page
|
|
* throughout; but we cannot insert into address
|
|
* space until vma start or end is updated.
|
|
*/
|
|
__vma_link_file(insert);
|
|
}
|
|
}
|
|
|
|
anon_vma = vma->anon_vma;
|
|
if (!anon_vma && adjust_next)
|
|
anon_vma = next->anon_vma;
|
|
if (anon_vma) {
|
|
VM_WARN_ON(adjust_next && next->anon_vma &&
|
|
anon_vma != next->anon_vma);
|
|
anon_vma_lock_write(anon_vma);
|
|
anon_vma_interval_tree_pre_update_vma(vma);
|
|
if (adjust_next)
|
|
anon_vma_interval_tree_pre_update_vma(next);
|
|
}
|
|
|
|
if (file) {
|
|
flush_dcache_mmap_lock(mapping);
|
|
vma_interval_tree_remove(vma, root);
|
|
if (adjust_next)
|
|
vma_interval_tree_remove(next, root);
|
|
}
|
|
|
|
if (start != vma->vm_start) {
|
|
WRITE_ONCE(vma->vm_start, start);
|
|
start_changed = true;
|
|
}
|
|
if (end != vma->vm_end) {
|
|
WRITE_ONCE(vma->vm_end, end);
|
|
end_changed = true;
|
|
}
|
|
WRITE_ONCE(vma->vm_pgoff, pgoff);
|
|
if (adjust_next) {
|
|
WRITE_ONCE(next->vm_start,
|
|
next->vm_start + adjust_next);
|
|
WRITE_ONCE(next->vm_pgoff,
|
|
next->vm_pgoff + (adjust_next >> PAGE_SHIFT));
|
|
}
|
|
|
|
if (file) {
|
|
if (adjust_next)
|
|
vma_interval_tree_insert(next, root);
|
|
vma_interval_tree_insert(vma, root);
|
|
flush_dcache_mmap_unlock(mapping);
|
|
}
|
|
|
|
if (remove_next) {
|
|
/*
|
|
* vma_merge has merged next into vma, and needs
|
|
* us to remove next before dropping the locks.
|
|
*/
|
|
if (remove_next != 3)
|
|
__vma_unlink(mm, next, next);
|
|
else
|
|
/*
|
|
* vma is not before next if they've been
|
|
* swapped.
|
|
*
|
|
* pre-swap() next->vm_start was reduced so
|
|
* tell validate_mm_rb to ignore pre-swap()
|
|
* "next" (which is stored in post-swap()
|
|
* "vma").
|
|
*/
|
|
__vma_unlink(mm, next, vma);
|
|
if (file)
|
|
__remove_shared_vm_struct(next, file, mapping);
|
|
} else if (insert) {
|
|
/*
|
|
* split_vma has split insert from vma, and needs
|
|
* us to insert it before dropping the locks
|
|
* (it may either follow vma or precede it).
|
|
*/
|
|
__insert_vm_struct(mm, insert);
|
|
} else {
|
|
if (start_changed)
|
|
vma_gap_update(vma);
|
|
if (end_changed) {
|
|
if (!next)
|
|
mm->highest_vm_end = vm_end_gap(vma);
|
|
else if (!adjust_next)
|
|
vma_gap_update(next);
|
|
}
|
|
}
|
|
|
|
if (anon_vma) {
|
|
anon_vma_interval_tree_post_update_vma(vma);
|
|
if (adjust_next)
|
|
anon_vma_interval_tree_post_update_vma(next);
|
|
anon_vma_unlock_write(anon_vma);
|
|
}
|
|
|
|
if (file) {
|
|
i_mmap_unlock_write(mapping);
|
|
uprobe_mmap(vma);
|
|
|
|
if (adjust_next)
|
|
uprobe_mmap(next);
|
|
}
|
|
|
|
if (remove_next) {
|
|
if (file)
|
|
uprobe_munmap(next, next->vm_start, next->vm_end);
|
|
if (next->anon_vma)
|
|
anon_vma_merge(vma, next);
|
|
mm->map_count--;
|
|
vm_write_end(next);
|
|
put_vma(next);
|
|
/*
|
|
* In mprotect's case 6 (see comments on vma_merge),
|
|
* we must remove another next too. It would clutter
|
|
* up the code too much to do both in one go.
|
|
*/
|
|
if (remove_next != 3) {
|
|
/*
|
|
* If "next" was removed and vma->vm_end was
|
|
* expanded (up) over it, in turn
|
|
* "next->vm_prev->vm_end" changed and the
|
|
* "vma->vm_next" gap must be updated.
|
|
*/
|
|
next = vma->vm_next;
|
|
if (next)
|
|
vm_write_begin(next);
|
|
} else {
|
|
/*
|
|
* For the scope of the comment "next" and
|
|
* "vma" considered pre-swap(): if "vma" was
|
|
* removed, next->vm_start was expanded (down)
|
|
* over it and the "next" gap must be updated.
|
|
* Because of the swap() the post-swap() "vma"
|
|
* actually points to pre-swap() "next"
|
|
* (post-swap() "next" as opposed is now a
|
|
* dangling pointer).
|
|
*/
|
|
next = vma;
|
|
}
|
|
if (remove_next == 2) {
|
|
remove_next = 1;
|
|
end = next->vm_end;
|
|
goto again;
|
|
}
|
|
else if (next)
|
|
vma_gap_update(next);
|
|
else {
|
|
/*
|
|
* If remove_next == 2 we obviously can't
|
|
* reach this path.
|
|
*
|
|
* If remove_next == 3 we can't reach this
|
|
* path because pre-swap() next is always not
|
|
* NULL. pre-swap() "next" is not being
|
|
* removed and its next->vm_end is not altered
|
|
* (and furthermore "end" already matches
|
|
* next->vm_end in remove_next == 3).
|
|
*
|
|
* We reach this only in the remove_next == 1
|
|
* case if the "next" vma that was removed was
|
|
* the highest vma of the mm. However in such
|
|
* case next->vm_end == "end" and the extended
|
|
* "vma" has vma->vm_end == next->vm_end so
|
|
* mm->highest_vm_end doesn't need any update
|
|
* in remove_next == 1 case.
|
|
*/
|
|
VM_WARN_ON(mm->highest_vm_end != vm_end_gap(vma));
|
|
}
|
|
}
|
|
if (insert && file)
|
|
uprobe_mmap(insert);
|
|
|
|
if (next && next != vma)
|
|
vm_write_end(next);
|
|
if (!keep_locked)
|
|
vm_write_end(vma);
|
|
|
|
validate_mm(mm);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* If the vma has a ->close operation then the driver probably needs to release
|
|
* per-vma resources, so we don't attempt to merge those.
|
|
*/
|
|
static inline int is_mergeable_vma(struct vm_area_struct *vma,
|
|
struct file *file, unsigned long vm_flags,
|
|
struct vm_userfaultfd_ctx vm_userfaultfd_ctx,
|
|
const char __user *anon_name)
|
|
{
|
|
/*
|
|
* VM_SOFTDIRTY should not prevent from VMA merging, if we
|
|
* match the flags but dirty bit -- the caller should mark
|
|
* merged VMA as dirty. If dirty bit won't be excluded from
|
|
* comparison, we increase pressure on the memory system forcing
|
|
* the kernel to generate new VMAs when old one could be
|
|
* extended instead.
|
|
*/
|
|
if ((vma->vm_flags ^ vm_flags) & ~VM_SOFTDIRTY)
|
|
return 0;
|
|
if (vma->vm_file != file)
|
|
return 0;
|
|
if (vma->vm_ops && vma->vm_ops->close)
|
|
return 0;
|
|
if (!is_mergeable_vm_userfaultfd_ctx(vma, vm_userfaultfd_ctx))
|
|
return 0;
|
|
if (vma_get_anon_name(vma) != anon_name)
|
|
return 0;
|
|
return 1;
|
|
}
|
|
|
|
static inline int is_mergeable_anon_vma(struct anon_vma *anon_vma1,
|
|
struct anon_vma *anon_vma2,
|
|
struct vm_area_struct *vma)
|
|
{
|
|
/*
|
|
* The list_is_singular() test is to avoid merging VMA cloned from
|
|
* parents. This can improve scalability caused by anon_vma lock.
|
|
*/
|
|
if ((!anon_vma1 || !anon_vma2) && (!vma ||
|
|
list_is_singular(&vma->anon_vma_chain)))
|
|
return 1;
|
|
return anon_vma1 == anon_vma2;
|
|
}
|
|
|
|
/*
|
|
* Return true if we can merge this (vm_flags,anon_vma,file,vm_pgoff)
|
|
* in front of (at a lower virtual address and file offset than) the vma.
|
|
*
|
|
* We cannot merge two vmas if they have differently assigned (non-NULL)
|
|
* anon_vmas, nor if same anon_vma is assigned but offsets incompatible.
|
|
*
|
|
* We don't check here for the merged mmap wrapping around the end of pagecache
|
|
* indices (16TB on ia32) because do_mmap() does not permit mmap's which
|
|
* wrap, nor mmaps which cover the final page at index -1UL.
|
|
*/
|
|
static int
|
|
can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
|
|
struct anon_vma *anon_vma, struct file *file,
|
|
pgoff_t vm_pgoff,
|
|
struct vm_userfaultfd_ctx vm_userfaultfd_ctx,
|
|
const char __user *anon_name)
|
|
{
|
|
if (is_mergeable_vma(vma, file, vm_flags, vm_userfaultfd_ctx, anon_name) &&
|
|
is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
|
|
if (vma->vm_pgoff == vm_pgoff)
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Return true if we can merge this (vm_flags,anon_vma,file,vm_pgoff)
|
|
* beyond (at a higher virtual address and file offset than) the vma.
|
|
*
|
|
* We cannot merge two vmas if they have differently assigned (non-NULL)
|
|
* anon_vmas, nor if same anon_vma is assigned but offsets incompatible.
|
|
*/
|
|
static int
|
|
can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
|
|
struct anon_vma *anon_vma, struct file *file,
|
|
pgoff_t vm_pgoff,
|
|
struct vm_userfaultfd_ctx vm_userfaultfd_ctx,
|
|
const char __user *anon_name)
|
|
{
|
|
if (is_mergeable_vma(vma, file, vm_flags, vm_userfaultfd_ctx, anon_name) &&
|
|
is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
|
|
pgoff_t vm_pglen;
|
|
vm_pglen = vma_pages(vma);
|
|
if (vma->vm_pgoff + vm_pglen == vm_pgoff)
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Given a mapping request (addr,end,vm_flags,file,pgoff,anon_name),
|
|
* figure out whether that can be merged with its predecessor or its
|
|
* successor. Or both (it neatly fills a hole).
|
|
*
|
|
* In most cases - when called for mmap, brk or mremap - [addr,end) is
|
|
* certain not to be mapped by the time vma_merge is called; but when
|
|
* called for mprotect, it is certain to be already mapped (either at
|
|
* an offset within prev, or at the start of next), and the flags of
|
|
* this area are about to be changed to vm_flags - and the no-change
|
|
* case has already been eliminated.
|
|
*
|
|
* The following mprotect cases have to be considered, where AAAA is
|
|
* the area passed down from mprotect_fixup, never extending beyond one
|
|
* vma, PPPPPP is the prev vma specified, and NNNNNN the next vma after:
|
|
*
|
|
* AAAA AAAA AAAA
|
|
* PPPPPPNNNNNN PPPPPPNNNNNN PPPPPPNNNNNN
|
|
* cannot merge might become might become
|
|
* PPNNNNNNNNNN PPPPPPPPPPNN
|
|
* mmap, brk or case 4 below case 5 below
|
|
* mremap move:
|
|
* AAAA AAAA
|
|
* PPPP NNNN PPPPNNNNXXXX
|
|
* might become might become
|
|
* PPPPPPPPPPPP 1 or PPPPPPPPPPPP 6 or
|
|
* PPPPPPPPNNNN 2 or PPPPPPPPXXXX 7 or
|
|
* PPPPNNNNNNNN 3 PPPPXXXXXXXX 8
|
|
*
|
|
* It is important for case 8 that the vma NNNN overlapping the
|
|
* region AAAA is never going to extended over XXXX. Instead XXXX must
|
|
* be extended in region AAAA and NNNN must be removed. This way in
|
|
* all cases where vma_merge succeeds, the moment vma_adjust drops the
|
|
* rmap_locks, the properties of the merged vma will be already
|
|
* correct for the whole merged range. Some of those properties like
|
|
* vm_page_prot/vm_flags may be accessed by rmap_walks and they must
|
|
* be correct for the whole merged range immediately after the
|
|
* rmap_locks are released. Otherwise if XXXX would be removed and
|
|
* NNNN would be extended over the XXXX range, remove_migration_ptes
|
|
* or other rmap walkers (if working on addresses beyond the "end"
|
|
* parameter) may establish ptes with the wrong permissions of NNNN
|
|
* instead of the right permissions of XXXX.
|
|
*/
|
|
struct vm_area_struct *__vma_merge(struct mm_struct *mm,
|
|
struct vm_area_struct *prev, unsigned long addr,
|
|
unsigned long end, unsigned long vm_flags,
|
|
struct anon_vma *anon_vma, struct file *file,
|
|
pgoff_t pgoff, struct mempolicy *policy,
|
|
struct vm_userfaultfd_ctx vm_userfaultfd_ctx,
|
|
const char __user *anon_name, bool keep_locked)
|
|
{
|
|
pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
|
|
struct vm_area_struct *area, *next;
|
|
int err;
|
|
|
|
/*
|
|
* We later require that vma->vm_flags == vm_flags,
|
|
* so this tests vma->vm_flags & VM_SPECIAL, too.
|
|
*/
|
|
if (vm_flags & VM_SPECIAL)
|
|
return NULL;
|
|
|
|
next = vma_next(mm, prev);
|
|
area = next;
|
|
if (area && area->vm_end == end) /* cases 6, 7, 8 */
|
|
next = next->vm_next;
|
|
|
|
/* verify some invariant that must be enforced by the caller */
|
|
VM_WARN_ON(prev && addr <= prev->vm_start);
|
|
VM_WARN_ON(area && end > area->vm_end);
|
|
VM_WARN_ON(addr >= end);
|
|
|
|
/*
|
|
* Can it merge with the predecessor?
|
|
*/
|
|
if (prev && prev->vm_end == addr &&
|
|
mpol_equal(vma_policy(prev), policy) &&
|
|
can_vma_merge_after(prev, vm_flags,
|
|
anon_vma, file, pgoff,
|
|
vm_userfaultfd_ctx,
|
|
anon_name)) {
|
|
/*
|
|
* OK, it can. Can we now merge in the successor as well?
|
|
*/
|
|
if (next && end == next->vm_start &&
|
|
mpol_equal(policy, vma_policy(next)) &&
|
|
can_vma_merge_before(next, vm_flags,
|
|
anon_vma, file,
|
|
pgoff+pglen,
|
|
vm_userfaultfd_ctx,
|
|
anon_name) &&
|
|
is_mergeable_anon_vma(prev->anon_vma,
|
|
next->anon_vma, NULL)) {
|
|
/* cases 1, 6 */
|
|
err = __vma_adjust(prev, prev->vm_start,
|
|
next->vm_end, prev->vm_pgoff, NULL,
|
|
prev, keep_locked);
|
|
} else /* cases 2, 5, 7 */
|
|
err = __vma_adjust(prev, prev->vm_start,
|
|
end, prev->vm_pgoff, NULL, prev,
|
|
keep_locked);
|
|
if (err)
|
|
return NULL;
|
|
khugepaged_enter_vma_merge(prev, vm_flags);
|
|
return prev;
|
|
}
|
|
|
|
/*
|
|
* Can this new request be merged in front of next?
|
|
*/
|
|
if (next && end == next->vm_start &&
|
|
mpol_equal(policy, vma_policy(next)) &&
|
|
can_vma_merge_before(next, vm_flags,
|
|
anon_vma, file, pgoff+pglen,
|
|
vm_userfaultfd_ctx,
|
|
anon_name)) {
|
|
if (prev && addr < prev->vm_end) /* case 4 */
|
|
err = __vma_adjust(prev, prev->vm_start,
|
|
addr, prev->vm_pgoff, NULL, next,
|
|
keep_locked);
|
|
else { /* cases 3, 8 */
|
|
err = __vma_adjust(area, addr, next->vm_end,
|
|
next->vm_pgoff - pglen, NULL, next,
|
|
keep_locked);
|
|
/*
|
|
* In case 3 area is already equal to next and
|
|
* this is a noop, but in case 8 "area" has
|
|
* been removed and next was expanded over it.
|
|
*/
|
|
area = next;
|
|
}
|
|
if (err)
|
|
return NULL;
|
|
khugepaged_enter_vma_merge(area, vm_flags);
|
|
return area;
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
/*
|
|
* Rough compatibility check to quickly see if it's even worth looking
|
|
* at sharing an anon_vma.
|
|
*
|
|
* They need to have the same vm_file, and the flags can only differ
|
|
* in things that mprotect may change.
|
|
*
|
|
* NOTE! The fact that we share an anon_vma doesn't _have_ to mean that
|
|
* we can merge the two vma's. For example, we refuse to merge a vma if
|
|
* there is a vm_ops->close() function, because that indicates that the
|
|
* driver is doing some kind of reference counting. But that doesn't
|
|
* really matter for the anon_vma sharing case.
|
|
*/
|
|
static int anon_vma_compatible(struct vm_area_struct *a, struct vm_area_struct *b)
|
|
{
|
|
return a->vm_end == b->vm_start &&
|
|
mpol_equal(vma_policy(a), vma_policy(b)) &&
|
|
a->vm_file == b->vm_file &&
|
|
!((a->vm_flags ^ b->vm_flags) & ~(VM_ACCESS_FLAGS | VM_SOFTDIRTY)) &&
|
|
b->vm_pgoff == a->vm_pgoff + ((b->vm_start - a->vm_start) >> PAGE_SHIFT);
|
|
}
|
|
|
|
/*
|
|
* Do some basic sanity checking to see if we can re-use the anon_vma
|
|
* from 'old'. The 'a'/'b' vma's are in VM order - one of them will be
|
|
* the same as 'old', the other will be the new one that is trying
|
|
* to share the anon_vma.
|
|
*
|
|
* NOTE! This runs with mm_sem held for reading, so it is possible that
|
|
* the anon_vma of 'old' is concurrently in the process of being set up
|
|
* by another page fault trying to merge _that_. But that's ok: if it
|
|
* is being set up, that automatically means that it will be a singleton
|
|
* acceptable for merging, so we can do all of this optimistically. But
|
|
* we do that READ_ONCE() to make sure that we never re-load the pointer.
|
|
*
|
|
* IOW: that the "list_is_singular()" test on the anon_vma_chain only
|
|
* matters for the 'stable anon_vma' case (ie the thing we want to avoid
|
|
* is to return an anon_vma that is "complex" due to having gone through
|
|
* a fork).
|
|
*
|
|
* We also make sure that the two vma's are compatible (adjacent,
|
|
* and with the same memory policies). That's all stable, even with just
|
|
* a read lock on the mm_sem.
|
|
*/
|
|
static struct anon_vma *reusable_anon_vma(struct vm_area_struct *old, struct vm_area_struct *a, struct vm_area_struct *b)
|
|
{
|
|
if (anon_vma_compatible(a, b)) {
|
|
struct anon_vma *anon_vma = READ_ONCE(old->anon_vma);
|
|
|
|
if (anon_vma && list_is_singular(&old->anon_vma_chain))
|
|
return anon_vma;
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
/*
|
|
* find_mergeable_anon_vma is used by anon_vma_prepare, to check
|
|
* neighbouring vmas for a suitable anon_vma, before it goes off
|
|
* to allocate a new anon_vma. It checks because a repetitive
|
|
* sequence of mprotects and faults may otherwise lead to distinct
|
|
* anon_vmas being allocated, preventing vma merge in subsequent
|
|
* mprotect.
|
|
*/
|
|
struct anon_vma *find_mergeable_anon_vma(struct vm_area_struct *vma)
|
|
{
|
|
struct anon_vma *anon_vma = NULL;
|
|
|
|
/* Try next first. */
|
|
if (vma->vm_next) {
|
|
anon_vma = reusable_anon_vma(vma->vm_next, vma, vma->vm_next);
|
|
if (anon_vma)
|
|
return anon_vma;
|
|
}
|
|
|
|
/* Try prev next. */
|
|
if (vma->vm_prev)
|
|
anon_vma = reusable_anon_vma(vma->vm_prev, vma->vm_prev, vma);
|
|
|
|
/*
|
|
* We might reach here with anon_vma == NULL if we can't find
|
|
* any reusable anon_vma.
|
|
* There's no absolute need to look only at touching neighbours:
|
|
* we could search further afield for "compatible" anon_vmas.
|
|
* But it would probably just be a waste of time searching,
|
|
* or lead to too many vmas hanging off the same anon_vma.
|
|
* We're trying to allow mprotect remerging later on,
|
|
* not trying to minimize memory used for anon_vmas.
|
|
*/
|
|
return anon_vma;
|
|
}
|
|
|
|
/*
|
|
* If a hint addr is less than mmap_min_addr change hint to be as
|
|
* low as possible but still greater than mmap_min_addr
|
|
*/
|
|
static inline unsigned long round_hint_to_min(unsigned long hint)
|
|
{
|
|
hint &= PAGE_MASK;
|
|
if (((void *)hint != NULL) &&
|
|
(hint < mmap_min_addr))
|
|
return PAGE_ALIGN(mmap_min_addr);
|
|
return hint;
|
|
}
|
|
|
|
static inline int mlock_future_check(struct mm_struct *mm,
|
|
unsigned long flags,
|
|
unsigned long len)
|
|
{
|
|
unsigned long locked, lock_limit;
|
|
|
|
/* mlock MCL_FUTURE? */
|
|
if (flags & VM_LOCKED) {
|
|
locked = len >> PAGE_SHIFT;
|
|
locked += mm->locked_vm;
|
|
lock_limit = rlimit(RLIMIT_MEMLOCK);
|
|
lock_limit >>= PAGE_SHIFT;
|
|
if (locked > lock_limit && !capable(CAP_IPC_LOCK))
|
|
return -EAGAIN;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static inline u64 file_mmap_size_max(struct file *file, struct inode *inode)
|
|
{
|
|
if (S_ISREG(inode->i_mode))
|
|
return MAX_LFS_FILESIZE;
|
|
|
|
if (S_ISBLK(inode->i_mode))
|
|
return MAX_LFS_FILESIZE;
|
|
|
|
if (S_ISSOCK(inode->i_mode))
|
|
return MAX_LFS_FILESIZE;
|
|
|
|
/* Special "we do even unsigned file positions" case */
|
|
if (file->f_mode & FMODE_UNSIGNED_OFFSET)
|
|
return 0;
|
|
|
|
/* Yes, random drivers might want more. But I'm tired of buggy drivers */
|
|
return ULONG_MAX;
|
|
}
|
|
|
|
static inline bool file_mmap_ok(struct file *file, struct inode *inode,
|
|
unsigned long pgoff, unsigned long len)
|
|
{
|
|
u64 maxsize = file_mmap_size_max(file, inode);
|
|
|
|
if (maxsize && len > maxsize)
|
|
return false;
|
|
maxsize -= len;
|
|
if (pgoff > maxsize >> PAGE_SHIFT)
|
|
return false;
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* The caller must write-lock current->mm->mmap_lock.
|
|
*/
|
|
unsigned long do_mmap(struct file *file, unsigned long addr,
|
|
unsigned long len, unsigned long prot,
|
|
unsigned long flags, unsigned long pgoff,
|
|
unsigned long *populate, struct list_head *uf)
|
|
{
|
|
struct mm_struct *mm = current->mm;
|
|
vm_flags_t vm_flags;
|
|
int pkey = 0;
|
|
|
|
*populate = 0;
|
|
|
|
if (!len)
|
|
return -EINVAL;
|
|
|
|
/*
|
|
* Does the application expect PROT_READ to imply PROT_EXEC?
|
|
*
|
|
* (the exception is when the underlying filesystem is noexec
|
|
* mounted, in which case we dont add PROT_EXEC.)
|
|
*/
|
|
if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
|
|
if (!(file && path_noexec(&file->f_path)))
|
|
prot |= PROT_EXEC;
|
|
|
|
/* force arch specific MAP_FIXED handling in get_unmapped_area */
|
|
if (flags & MAP_FIXED_NOREPLACE)
|
|
flags |= MAP_FIXED;
|
|
|
|
if (!(flags & MAP_FIXED))
|
|
addr = round_hint_to_min(addr);
|
|
|
|
/* Careful about overflows.. */
|
|
len = PAGE_ALIGN(len);
|
|
if (!len)
|
|
return -ENOMEM;
|
|
|
|
/* offset overflow? */
|
|
if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
|
|
return -EOVERFLOW;
|
|
|
|
/* Too many mappings? */
|
|
if (mm->map_count > sysctl_max_map_count)
|
|
return -ENOMEM;
|
|
|
|
/* Obtain the address to map to. we verify (or select) it and ensure
|
|
* that it represents a valid section of the address space.
|
|
*/
|
|
addr = get_unmapped_area(file, addr, len, pgoff, flags);
|
|
if (IS_ERR_VALUE(addr))
|
|
return addr;
|
|
|
|
if (flags & MAP_FIXED_NOREPLACE) {
|
|
struct vm_area_struct *vma = find_vma(mm, addr);
|
|
|
|
if (vma && vma->vm_start < addr + len)
|
|
return -EEXIST;
|
|
}
|
|
|
|
if (prot == PROT_EXEC) {
|
|
pkey = execute_only_pkey(mm);
|
|
if (pkey < 0)
|
|
pkey = 0;
|
|
}
|
|
|
|
/* Do simple checking here so the lower-level routines won't have
|
|
* to. we assume access permissions have been handled by the open
|
|
* of the memory object, so we don't do any here.
|
|
*/
|
|
vm_flags = calc_vm_prot_bits(prot, pkey) | calc_vm_flag_bits(flags) |
|
|
mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
|
|
|
|
if (flags & MAP_LOCKED)
|
|
if (!can_do_mlock())
|
|
return -EPERM;
|
|
|
|
if (mlock_future_check(mm, vm_flags, len))
|
|
return -EAGAIN;
|
|
|
|
if (file) {
|
|
struct inode *inode = file_inode(file);
|
|
unsigned long flags_mask;
|
|
|
|
if (!file_mmap_ok(file, inode, pgoff, len))
|
|
return -EOVERFLOW;
|
|
|
|
flags_mask = LEGACY_MAP_MASK | file->f_op->mmap_supported_flags;
|
|
|
|
switch (flags & MAP_TYPE) {
|
|
case MAP_SHARED:
|
|
/*
|
|
* Force use of MAP_SHARED_VALIDATE with non-legacy
|
|
* flags. E.g. MAP_SYNC is dangerous to use with
|
|
* MAP_SHARED as you don't know which consistency model
|
|
* you will get. We silently ignore unsupported flags
|
|
* with MAP_SHARED to preserve backward compatibility.
|
|
*/
|
|
flags &= LEGACY_MAP_MASK;
|
|
fallthrough;
|
|
case MAP_SHARED_VALIDATE:
|
|
if (flags & ~flags_mask)
|
|
return -EOPNOTSUPP;
|
|
if (prot & PROT_WRITE) {
|
|
if (!(file->f_mode & FMODE_WRITE))
|
|
return -EACCES;
|
|
if (IS_SWAPFILE(file->f_mapping->host))
|
|
return -ETXTBSY;
|
|
}
|
|
|
|
/*
|
|
* Make sure we don't allow writing to an append-only
|
|
* file..
|
|
*/
|
|
if (IS_APPEND(inode) && (file->f_mode & FMODE_WRITE))
|
|
return -EACCES;
|
|
|
|
/*
|
|
* Make sure there are no mandatory locks on the file.
|
|
*/
|
|
if (locks_verify_locked(file))
|
|
return -EAGAIN;
|
|
|
|
vm_flags |= VM_SHARED | VM_MAYSHARE;
|
|
if (!(file->f_mode & FMODE_WRITE))
|
|
vm_flags &= ~(VM_MAYWRITE | VM_SHARED);
|
|
fallthrough;
|
|
case MAP_PRIVATE:
|
|
if (!(file->f_mode & FMODE_READ))
|
|
return -EACCES;
|
|
if (path_noexec(&file->f_path)) {
|
|
if (vm_flags & VM_EXEC)
|
|
return -EPERM;
|
|
vm_flags &= ~VM_MAYEXEC;
|
|
}
|
|
|
|
if (!file->f_op->mmap)
|
|
return -ENODEV;
|
|
if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP))
|
|
return -EINVAL;
|
|
break;
|
|
|
|
default:
|
|
return -EINVAL;
|
|
}
|
|
} else {
|
|
switch (flags & MAP_TYPE) {
|
|
case MAP_SHARED:
|
|
if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP))
|
|
return -EINVAL;
|
|
/*
|
|
* Ignore pgoff.
|
|
*/
|
|
pgoff = 0;
|
|
vm_flags |= VM_SHARED | VM_MAYSHARE;
|
|
break;
|
|
case MAP_PRIVATE:
|
|
/*
|
|
* Set pgoff according to addr for anon_vma.
|
|
*/
|
|
pgoff = addr >> PAGE_SHIFT;
|
|
break;
|
|
default:
|
|
return -EINVAL;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Set 'VM_NORESERVE' if we should not account for the
|
|
* memory use of this mapping.
|
|
*/
|
|
if (flags & MAP_NORESERVE) {
|
|
/* We honor MAP_NORESERVE if allowed to overcommit */
|
|
if (sysctl_overcommit_memory != OVERCOMMIT_NEVER)
|
|
vm_flags |= VM_NORESERVE;
|
|
|
|
/* hugetlb applies strict overcommit unless MAP_NORESERVE */
|
|
if (file && is_file_hugepages(file))
|
|
vm_flags |= VM_NORESERVE;
|
|
}
|
|
|
|
addr = mmap_region(file, addr, len, vm_flags, pgoff, uf);
|
|
if (!IS_ERR_VALUE(addr) &&
|
|
((vm_flags & VM_LOCKED) ||
|
|
(flags & (MAP_POPULATE | MAP_NONBLOCK)) == MAP_POPULATE))
|
|
*populate = len;
|
|
return addr;
|
|
}
|
|
|
|
unsigned long ksys_mmap_pgoff(unsigned long addr, unsigned long len,
|
|
unsigned long prot, unsigned long flags,
|
|
unsigned long fd, unsigned long pgoff)
|
|
{
|
|
struct file *file = NULL;
|
|
unsigned long retval;
|
|
|
|
if (!(flags & MAP_ANONYMOUS)) {
|
|
audit_mmap_fd(fd, flags);
|
|
file = fget(fd);
|
|
if (!file)
|
|
return -EBADF;
|
|
if (is_file_hugepages(file)) {
|
|
len = ALIGN(len, huge_page_size(hstate_file(file)));
|
|
} else if (unlikely(flags & MAP_HUGETLB)) {
|
|
retval = -EINVAL;
|
|
goto out_fput;
|
|
}
|
|
} else if (flags & MAP_HUGETLB) {
|
|
struct user_struct *user = NULL;
|
|
struct hstate *hs;
|
|
|
|
hs = hstate_sizelog((flags >> MAP_HUGE_SHIFT) & MAP_HUGE_MASK);
|
|
if (!hs)
|
|
return -EINVAL;
|
|
|
|
len = ALIGN(len, huge_page_size(hs));
|
|
/*
|
|
* VM_NORESERVE is used because the reservations will be
|
|
* taken when vm_ops->mmap() is called
|
|
* A dummy user value is used because we are not locking
|
|
* memory so no accounting is necessary
|
|
*/
|
|
file = hugetlb_file_setup(HUGETLB_ANON_FILE, len,
|
|
VM_NORESERVE,
|
|
&user, HUGETLB_ANONHUGE_INODE,
|
|
(flags >> MAP_HUGE_SHIFT) & MAP_HUGE_MASK);
|
|
if (IS_ERR(file))
|
|
return PTR_ERR(file);
|
|
}
|
|
|
|
flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
|
|
|
|
retval = vm_mmap_pgoff(file, addr, len, prot, flags, pgoff);
|
|
out_fput:
|
|
if (file)
|
|
fput(file);
|
|
return retval;
|
|
}
|
|
|
|
SYSCALL_DEFINE6(mmap_pgoff, unsigned long, addr, unsigned long, len,
|
|
unsigned long, prot, unsigned long, flags,
|
|
unsigned long, fd, unsigned long, pgoff)
|
|
{
|
|
return ksys_mmap_pgoff(addr, len, prot, flags, fd, pgoff);
|
|
}
|
|
|
|
#ifdef __ARCH_WANT_SYS_OLD_MMAP
|
|
struct mmap_arg_struct {
|
|
unsigned long addr;
|
|
unsigned long len;
|
|
unsigned long prot;
|
|
unsigned long flags;
|
|
unsigned long fd;
|
|
unsigned long offset;
|
|
};
|
|
|
|
SYSCALL_DEFINE1(old_mmap, struct mmap_arg_struct __user *, arg)
|
|
{
|
|
struct mmap_arg_struct a;
|
|
|
|
if (copy_from_user(&a, arg, sizeof(a)))
|
|
return -EFAULT;
|
|
if (offset_in_page(a.offset))
|
|
return -EINVAL;
|
|
|
|
return ksys_mmap_pgoff(a.addr, a.len, a.prot, a.flags, a.fd,
|
|
a.offset >> PAGE_SHIFT);
|
|
}
|
|
#endif /* __ARCH_WANT_SYS_OLD_MMAP */
|
|
|
|
/*
|
|
* Some shared mappings will want the pages marked read-only
|
|
* to track write events. If so, we'll downgrade vm_page_prot
|
|
* to the private version (using protection_map[] without the
|
|
* VM_SHARED bit).
|
|
*/
|
|
int vma_wants_writenotify(struct vm_area_struct *vma, pgprot_t vm_page_prot)
|
|
{
|
|
vm_flags_t vm_flags = vma->vm_flags;
|
|
const struct vm_operations_struct *vm_ops = vma->vm_ops;
|
|
|
|
/* If it was private or non-writable, the write bit is already clear */
|
|
if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
|
|
return 0;
|
|
|
|
/* The backer wishes to know when pages are first written to? */
|
|
if (vm_ops && (vm_ops->page_mkwrite || vm_ops->pfn_mkwrite))
|
|
return 1;
|
|
|
|
/* The open routine did something to the protections that pgprot_modify
|
|
* won't preserve? */
|
|
if (pgprot_val(vm_page_prot) !=
|
|
pgprot_val(vm_pgprot_modify(vm_page_prot, vm_flags)))
|
|
return 0;
|
|
|
|
/*
|
|
* Do we need to track softdirty? hugetlb does not support softdirty
|
|
* tracking yet.
|
|
*/
|
|
if (IS_ENABLED(CONFIG_MEM_SOFT_DIRTY) && !(vm_flags & VM_SOFTDIRTY) &&
|
|
!is_vm_hugetlb_page(vma))
|
|
return 1;
|
|
|
|
/* Specialty mapping? */
|
|
if (vm_flags & VM_PFNMAP)
|
|
return 0;
|
|
|
|
/* Can the mapping track the dirty pages? */
|
|
return vma->vm_file && vma->vm_file->f_mapping &&
|
|
mapping_can_writeback(vma->vm_file->f_mapping);
|
|
}
|
|
|
|
/*
|
|
* We account for memory if it's a private writeable mapping,
|
|
* not hugepages and VM_NORESERVE wasn't set.
|
|
*/
|
|
static inline int accountable_mapping(struct file *file, vm_flags_t vm_flags)
|
|
{
|
|
/*
|
|
* hugetlb has its own accounting separate from the core VM
|
|
* VM_HUGETLB may not be set yet so we cannot check for that flag.
|
|
*/
|
|
if (file && is_file_hugepages(file))
|
|
return 0;
|
|
|
|
return (vm_flags & (VM_NORESERVE | VM_SHARED | VM_WRITE)) == VM_WRITE;
|
|
}
|
|
|
|
unsigned long mmap_region(struct file *file, unsigned long addr,
|
|
unsigned long len, vm_flags_t vm_flags, unsigned long pgoff,
|
|
struct list_head *uf)
|
|
{
|
|
struct mm_struct *mm = current->mm;
|
|
struct vm_area_struct *vma, *prev, *merge;
|
|
int error;
|
|
struct rb_node **rb_link, *rb_parent;
|
|
unsigned long charged = 0;
|
|
|
|
/* Check against address space limit. */
|
|
if (!may_expand_vm(mm, vm_flags, len >> PAGE_SHIFT)) {
|
|
unsigned long nr_pages;
|
|
|
|
/*
|
|
* MAP_FIXED may remove pages of mappings that intersects with
|
|
* requested mapping. Account for the pages it would unmap.
|
|
*/
|
|
nr_pages = count_vma_pages_range(mm, addr, addr + len);
|
|
|
|
if (!may_expand_vm(mm, vm_flags,
|
|
(len >> PAGE_SHIFT) - nr_pages))
|
|
return -ENOMEM;
|
|
}
|
|
|
|
/* Clear old maps, set up prev, rb_link, rb_parent, and uf */
|
|
if (munmap_vma_range(mm, addr, len, &prev, &rb_link, &rb_parent, uf))
|
|
return -ENOMEM;
|
|
/*
|
|
* Private writable mapping: check memory availability
|
|
*/
|
|
if (accountable_mapping(file, vm_flags)) {
|
|
charged = len >> PAGE_SHIFT;
|
|
if (security_vm_enough_memory_mm(mm, charged))
|
|
return -ENOMEM;
|
|
vm_flags |= VM_ACCOUNT;
|
|
}
|
|
|
|
/*
|
|
* Can we just expand an old mapping?
|
|
*/
|
|
vma = vma_merge(mm, prev, addr, addr + len, vm_flags,
|
|
NULL, file, pgoff, NULL, NULL_VM_UFFD_CTX, NULL);
|
|
if (vma)
|
|
goto out;
|
|
|
|
/*
|
|
* Determine the object being mapped and call the appropriate
|
|
* specific mapper. the address has already been validated, but
|
|
* not unmapped, but the maps are removed from the list.
|
|
*/
|
|
vma = vm_area_alloc(mm);
|
|
if (!vma) {
|
|
error = -ENOMEM;
|
|
goto unacct_error;
|
|
}
|
|
|
|
vma->vm_start = addr;
|
|
vma->vm_end = addr + len;
|
|
vma->vm_flags = vm_flags;
|
|
vma->vm_page_prot = vm_get_page_prot(vm_flags);
|
|
vma->vm_pgoff = pgoff;
|
|
|
|
if (file) {
|
|
if (vm_flags & VM_DENYWRITE) {
|
|
error = deny_write_access(file);
|
|
if (error)
|
|
goto free_vma;
|
|
}
|
|
if (vm_flags & VM_SHARED) {
|
|
error = mapping_map_writable(file->f_mapping);
|
|
if (error)
|
|
goto allow_write_and_free_vma;
|
|
}
|
|
|
|
/* ->mmap() can change vma->vm_file, but must guarantee that
|
|
* vma_link() below can deny write-access if VM_DENYWRITE is set
|
|
* and map writably if VM_SHARED is set. This usually means the
|
|
* new file must not have been exposed to user-space, yet.
|
|
*/
|
|
vma->vm_file = get_file(file);
|
|
error = call_mmap(file, vma);
|
|
if (error)
|
|
goto unmap_and_free_vma;
|
|
|
|
/* Can addr have changed??
|
|
*
|
|
* Answer: Yes, several device drivers can do it in their
|
|
* f_op->mmap method. -DaveM
|
|
* Bug: If addr is changed, prev, rb_link, rb_parent should
|
|
* be updated for vma_link()
|
|
*/
|
|
WARN_ON_ONCE(addr != vma->vm_start);
|
|
|
|
addr = vma->vm_start;
|
|
|
|
/* If vm_flags changed after call_mmap(), we should try merge vma again
|
|
* as we may succeed this time.
|
|
*/
|
|
if (unlikely(vm_flags != vma->vm_flags && prev)) {
|
|
merge = vma_merge(mm, prev, vma->vm_start, vma->vm_end, vma->vm_flags,
|
|
NULL, vma->vm_file, vma->vm_pgoff, NULL, NULL_VM_UFFD_CTX,
|
|
vma_get_anon_name(vma));
|
|
if (merge) {
|
|
/* ->mmap() can change vma->vm_file and fput the original file. So
|
|
* fput the vma->vm_file here or we would add an extra fput for file
|
|
* and cause general protection fault ultimately.
|
|
*/
|
|
fput(vma->vm_file);
|
|
vm_area_free(vma);
|
|
vma = merge;
|
|
/* Update vm_flags to pick up the change. */
|
|
vm_flags = vma->vm_flags;
|
|
goto unmap_writable;
|
|
}
|
|
}
|
|
|
|
vm_flags = vma->vm_flags;
|
|
} else if (vm_flags & VM_SHARED) {
|
|
error = shmem_zero_setup(vma);
|
|
if (error)
|
|
goto free_vma;
|
|
} else {
|
|
vma_set_anonymous(vma);
|
|
}
|
|
|
|
/* Allow architectures to sanity-check the vm_flags */
|
|
if (!arch_validate_flags(vma->vm_flags)) {
|
|
error = -EINVAL;
|
|
if (file)
|
|
goto close_and_free_vma;
|
|
else
|
|
goto free_vma;
|
|
}
|
|
|
|
vma_link(mm, vma, prev, rb_link, rb_parent);
|
|
/* Once vma denies write, undo our temporary denial count */
|
|
if (file) {
|
|
unmap_writable:
|
|
if (vm_flags & VM_SHARED)
|
|
mapping_unmap_writable(file->f_mapping);
|
|
if (vm_flags & VM_DENYWRITE)
|
|
allow_write_access(file);
|
|
}
|
|
file = vma->vm_file;
|
|
out:
|
|
perf_event_mmap(vma);
|
|
|
|
vm_write_begin(vma);
|
|
vm_stat_account(mm, vm_flags, len >> PAGE_SHIFT);
|
|
if (vm_flags & VM_LOCKED) {
|
|
if ((vm_flags & VM_SPECIAL) || vma_is_dax(vma) ||
|
|
is_vm_hugetlb_page(vma) ||
|
|
vma == get_gate_vma(current->mm))
|
|
WRITE_ONCE(vma->vm_flags,
|
|
vma->vm_flags & VM_LOCKED_CLEAR_MASK);
|
|
else
|
|
mm->locked_vm += (len >> PAGE_SHIFT);
|
|
}
|
|
|
|
if (file)
|
|
uprobe_mmap(vma);
|
|
|
|
/*
|
|
* New (or expanded) vma always get soft dirty status.
|
|
* Otherwise user-space soft-dirty page tracker won't
|
|
* be able to distinguish situation when vma area unmapped,
|
|
* then new mapped in-place (which must be aimed as
|
|
* a completely new data area).
|
|
*/
|
|
WRITE_ONCE(vma->vm_flags, vma->vm_flags | VM_SOFTDIRTY);
|
|
|
|
vma_set_page_prot(vma);
|
|
vm_write_end(vma);
|
|
|
|
trace_android_vh_mmap_region(vma, addr);
|
|
|
|
return addr;
|
|
|
|
close_and_free_vma:
|
|
if (vma->vm_ops && vma->vm_ops->close)
|
|
vma->vm_ops->close(vma);
|
|
unmap_and_free_vma:
|
|
vma->vm_file = NULL;
|
|
fput(file);
|
|
|
|
/* Undo any partial mapping done by a device driver. */
|
|
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
|
|
if (vm_flags & VM_SHARED)
|
|
mapping_unmap_writable(file->f_mapping);
|
|
allow_write_and_free_vma:
|
|
if (vm_flags & VM_DENYWRITE)
|
|
allow_write_access(file);
|
|
free_vma:
|
|
vm_area_free(vma);
|
|
unacct_error:
|
|
if (charged)
|
|
vm_unacct_memory(charged);
|
|
return error;
|
|
}
|
|
|
|
static unsigned long unmapped_area(struct vm_unmapped_area_info *info)
|
|
{
|
|
/*
|
|
* We implement the search by looking for an rbtree node that
|
|
* immediately follows a suitable gap. That is,
|
|
* - gap_start = vma->vm_prev->vm_end <= info->high_limit - length;
|
|
* - gap_end = vma->vm_start >= info->low_limit + length;
|
|
* - gap_end - gap_start >= length
|
|
*/
|
|
|
|
struct mm_struct *mm = current->mm;
|
|
struct vm_area_struct *vma;
|
|
unsigned long length, low_limit, high_limit, gap_start, gap_end;
|
|
|
|
/* Adjust search length to account for worst case alignment overhead */
|
|
length = info->length + info->align_mask;
|
|
if (length < info->length)
|
|
return -ENOMEM;
|
|
|
|
/* Adjust search limits by the desired length */
|
|
if (info->high_limit < length)
|
|
return -ENOMEM;
|
|
high_limit = info->high_limit - length;
|
|
|
|
if (info->low_limit > high_limit)
|
|
return -ENOMEM;
|
|
low_limit = info->low_limit + length;
|
|
|
|
/* Check if rbtree root looks promising */
|
|
if (RB_EMPTY_ROOT(&mm->mm_rb))
|
|
goto check_highest;
|
|
vma = rb_entry(mm->mm_rb.rb_node, struct vm_area_struct, vm_rb);
|
|
if (vma->rb_subtree_gap < length)
|
|
goto check_highest;
|
|
|
|
while (true) {
|
|
/* Visit left subtree if it looks promising */
|
|
gap_end = vm_start_gap(vma);
|
|
if (gap_end >= low_limit && vma->vm_rb.rb_left) {
|
|
struct vm_area_struct *left =
|
|
rb_entry(vma->vm_rb.rb_left,
|
|
struct vm_area_struct, vm_rb);
|
|
if (left->rb_subtree_gap >= length) {
|
|
vma = left;
|
|
continue;
|
|
}
|
|
}
|
|
|
|
gap_start = vma->vm_prev ? vm_end_gap(vma->vm_prev) : 0;
|
|
check_current:
|
|
/* Check if current node has a suitable gap */
|
|
if (gap_start > high_limit)
|
|
return -ENOMEM;
|
|
if (gap_end >= low_limit &&
|
|
gap_end > gap_start && gap_end - gap_start >= length)
|
|
goto found;
|
|
|
|
/* Visit right subtree if it looks promising */
|
|
if (vma->vm_rb.rb_right) {
|
|
struct vm_area_struct *right =
|
|
rb_entry(vma->vm_rb.rb_right,
|
|
struct vm_area_struct, vm_rb);
|
|
if (right->rb_subtree_gap >= length) {
|
|
vma = right;
|
|
continue;
|
|
}
|
|
}
|
|
|
|
/* Go back up the rbtree to find next candidate node */
|
|
while (true) {
|
|
struct rb_node *prev = &vma->vm_rb;
|
|
if (!rb_parent(prev))
|
|
goto check_highest;
|
|
vma = rb_entry(rb_parent(prev),
|
|
struct vm_area_struct, vm_rb);
|
|
if (prev == vma->vm_rb.rb_left) {
|
|
gap_start = vm_end_gap(vma->vm_prev);
|
|
gap_end = vm_start_gap(vma);
|
|
goto check_current;
|
|
}
|
|
}
|
|
}
|
|
|
|
check_highest:
|
|
/* Check highest gap, which does not precede any rbtree node */
|
|
gap_start = mm->highest_vm_end;
|
|
gap_end = ULONG_MAX; /* Only for VM_BUG_ON below */
|
|
if (gap_start > high_limit)
|
|
return -ENOMEM;
|
|
|
|
found:
|
|
/* We found a suitable gap. Clip it with the original low_limit. */
|
|
if (gap_start < info->low_limit)
|
|
gap_start = info->low_limit;
|
|
|
|
/* Adjust gap address to the desired alignment */
|
|
gap_start += (info->align_offset - gap_start) & info->align_mask;
|
|
|
|
VM_BUG_ON(gap_start + info->length > info->high_limit);
|
|
VM_BUG_ON(gap_start + info->length > gap_end);
|
|
return gap_start;
|
|
}
|
|
|
|
static unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info)
|
|
{
|
|
struct mm_struct *mm = current->mm;
|
|
struct vm_area_struct *vma;
|
|
unsigned long length, low_limit, high_limit, gap_start, gap_end;
|
|
unsigned long addr = 0;
|
|
|
|
/* Adjust search length to account for worst case alignment overhead */
|
|
length = info->length + info->align_mask;
|
|
if (length < info->length)
|
|
return -ENOMEM;
|
|
|
|
trace_android_vh_get_from_fragment_pool(mm, info, &addr);
|
|
if (addr)
|
|
return addr;
|
|
|
|
/*
|
|
* Adjust search limits by the desired length.
|
|
* See implementation comment at top of unmapped_area().
|
|
*/
|
|
gap_end = info->high_limit;
|
|
if (gap_end < length)
|
|
return -ENOMEM;
|
|
high_limit = gap_end - length;
|
|
|
|
if (info->low_limit > high_limit)
|
|
return -ENOMEM;
|
|
low_limit = info->low_limit + length;
|
|
|
|
/* Check highest gap, which does not precede any rbtree node */
|
|
gap_start = mm->highest_vm_end;
|
|
if (gap_start <= high_limit)
|
|
goto found_highest;
|
|
|
|
/* Check if rbtree root looks promising */
|
|
if (RB_EMPTY_ROOT(&mm->mm_rb))
|
|
return -ENOMEM;
|
|
vma = rb_entry(mm->mm_rb.rb_node, struct vm_area_struct, vm_rb);
|
|
if (vma->rb_subtree_gap < length)
|
|
return -ENOMEM;
|
|
|
|
while (true) {
|
|
/* Visit right subtree if it looks promising */
|
|
gap_start = vma->vm_prev ? vm_end_gap(vma->vm_prev) : 0;
|
|
if (gap_start <= high_limit && vma->vm_rb.rb_right) {
|
|
struct vm_area_struct *right =
|
|
rb_entry(vma->vm_rb.rb_right,
|
|
struct vm_area_struct, vm_rb);
|
|
if (right->rb_subtree_gap >= length) {
|
|
vma = right;
|
|
continue;
|
|
}
|
|
}
|
|
|
|
check_current:
|
|
/* Check if current node has a suitable gap */
|
|
gap_end = vm_start_gap(vma);
|
|
if (gap_end < low_limit)
|
|
return -ENOMEM;
|
|
if (gap_start <= high_limit &&
|
|
gap_end > gap_start && gap_end - gap_start >= length)
|
|
goto found;
|
|
|
|
/* Visit left subtree if it looks promising */
|
|
if (vma->vm_rb.rb_left) {
|
|
struct vm_area_struct *left =
|
|
rb_entry(vma->vm_rb.rb_left,
|
|
struct vm_area_struct, vm_rb);
|
|
if (left->rb_subtree_gap >= length) {
|
|
vma = left;
|
|
continue;
|
|
}
|
|
}
|
|
|
|
/* Go back up the rbtree to find next candidate node */
|
|
while (true) {
|
|
struct rb_node *prev = &vma->vm_rb;
|
|
if (!rb_parent(prev))
|
|
return -ENOMEM;
|
|
vma = rb_entry(rb_parent(prev),
|
|
struct vm_area_struct, vm_rb);
|
|
if (prev == vma->vm_rb.rb_right) {
|
|
gap_start = vma->vm_prev ?
|
|
vm_end_gap(vma->vm_prev) : 0;
|
|
goto check_current;
|
|
}
|
|
}
|
|
}
|
|
|
|
found:
|
|
/* We found a suitable gap. Clip it with the original high_limit. */
|
|
if (gap_end > info->high_limit)
|
|
gap_end = info->high_limit;
|
|
|
|
found_highest:
|
|
/* Compute highest gap address at the desired alignment */
|
|
gap_end -= info->length;
|
|
gap_end -= (gap_end - info->align_offset) & info->align_mask;
|
|
|
|
VM_BUG_ON(gap_end < info->low_limit);
|
|
VM_BUG_ON(gap_end < gap_start);
|
|
return gap_end;
|
|
}
|
|
|
|
/*
|
|
* Search for an unmapped address range.
|
|
*
|
|
* We are looking for a range that:
|
|
* - does not intersect with any VMA;
|
|
* - is contained within the [low_limit, high_limit) interval;
|
|
* - is at least the desired size.
|
|
* - satisfies (begin_addr & align_mask) == (align_offset & align_mask)
|
|
*/
|
|
unsigned long vm_unmapped_area(struct vm_unmapped_area_info *info)
|
|
{
|
|
unsigned long addr;
|
|
|
|
if (info->flags & VM_UNMAPPED_AREA_TOPDOWN)
|
|
addr = unmapped_area_topdown(info);
|
|
else
|
|
addr = unmapped_area(info);
|
|
|
|
trace_vm_unmapped_area(addr, info);
|
|
return addr;
|
|
}
|
|
EXPORT_SYMBOL_GPL(vm_unmapped_area);
|
|
|
|
/* Get an address range which is currently unmapped.
|
|
* For shmat() with addr=0.
|
|
*
|
|
* Ugly calling convention alert:
|
|
* Return value with the low bits set means error value,
|
|
* ie
|
|
* if (ret & ~PAGE_MASK)
|
|
* error = ret;
|
|
*
|
|
* This function "knows" that -ENOMEM has the bits set.
|
|
*/
|
|
#ifndef HAVE_ARCH_UNMAPPED_AREA
|
|
unsigned long
|
|
arch_get_unmapped_area(struct file *filp, unsigned long addr,
|
|
unsigned long len, unsigned long pgoff, unsigned long flags)
|
|
{
|
|
struct mm_struct *mm = current->mm;
|
|
struct vm_area_struct *vma, *prev;
|
|
struct vm_unmapped_area_info info;
|
|
const unsigned long mmap_end = arch_get_mmap_end(addr);
|
|
|
|
if (len > mmap_end - mmap_min_addr)
|
|
return -ENOMEM;
|
|
|
|
if (flags & MAP_FIXED)
|
|
return addr;
|
|
|
|
if (addr) {
|
|
addr = PAGE_ALIGN(addr);
|
|
vma = find_vma_prev(mm, addr, &prev);
|
|
if (mmap_end - len >= addr && addr >= mmap_min_addr &&
|
|
(!vma || addr + len <= vm_start_gap(vma)) &&
|
|
(!prev || addr >= vm_end_gap(prev)))
|
|
return addr;
|
|
}
|
|
|
|
info.flags = 0;
|
|
info.length = len;
|
|
info.low_limit = mm->mmap_base;
|
|
info.high_limit = mmap_end;
|
|
info.align_mask = 0;
|
|
info.align_offset = 0;
|
|
return vm_unmapped_area(&info);
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* This mmap-allocator allocates new areas top-down from below the
|
|
* stack's low limit (the base):
|
|
*/
|
|
#ifndef HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
|
|
unsigned long
|
|
arch_get_unmapped_area_topdown(struct file *filp, unsigned long addr,
|
|
unsigned long len, unsigned long pgoff,
|
|
unsigned long flags)
|
|
{
|
|
struct vm_area_struct *vma, *prev;
|
|
struct mm_struct *mm = current->mm;
|
|
struct vm_unmapped_area_info info;
|
|
const unsigned long mmap_end = arch_get_mmap_end(addr);
|
|
|
|
/* requested length too big for entire address space */
|
|
if (len > mmap_end - mmap_min_addr)
|
|
return -ENOMEM;
|
|
|
|
if (flags & MAP_FIXED)
|
|
return addr;
|
|
|
|
/* requesting a specific address */
|
|
if (addr) {
|
|
addr = PAGE_ALIGN(addr);
|
|
vma = find_vma_prev(mm, addr, &prev);
|
|
if (mmap_end - len >= addr && addr >= mmap_min_addr &&
|
|
(!vma || addr + len <= vm_start_gap(vma)) &&
|
|
(!prev || addr >= vm_end_gap(prev)))
|
|
return addr;
|
|
}
|
|
|
|
info.flags = VM_UNMAPPED_AREA_TOPDOWN;
|
|
info.length = len;
|
|
info.low_limit = max(PAGE_SIZE, mmap_min_addr);
|
|
info.high_limit = arch_get_mmap_base(addr, mm->mmap_base);
|
|
info.align_mask = 0;
|
|
info.align_offset = 0;
|
|
trace_android_vh_exclude_reserved_zone(mm, &info);
|
|
addr = vm_unmapped_area(&info);
|
|
|
|
/*
|
|
* A failed mmap() very likely causes application failure,
|
|
* so fall back to the bottom-up function here. This scenario
|
|
* can happen with large stack limits and large mmap()
|
|
* allocations.
|
|
*/
|
|
if (offset_in_page(addr)) {
|
|
VM_BUG_ON(addr != -ENOMEM);
|
|
info.flags = 0;
|
|
info.low_limit = TASK_UNMAPPED_BASE;
|
|
info.high_limit = mmap_end;
|
|
addr = vm_unmapped_area(&info);
|
|
}
|
|
|
|
trace_android_vh_include_reserved_zone(mm, &info, &addr);
|
|
|
|
return addr;
|
|
}
|
|
#endif
|
|
|
|
unsigned long
|
|
get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
|
|
unsigned long pgoff, unsigned long flags)
|
|
{
|
|
unsigned long (*get_area)(struct file *, unsigned long,
|
|
unsigned long, unsigned long, unsigned long);
|
|
|
|
unsigned long error = arch_mmap_check(addr, len, flags);
|
|
if (error)
|
|
return error;
|
|
|
|
/* Careful about overflows.. */
|
|
if (len > TASK_SIZE)
|
|
return -ENOMEM;
|
|
|
|
get_area = current->mm->get_unmapped_area;
|
|
if (file) {
|
|
if (file->f_op->get_unmapped_area)
|
|
get_area = file->f_op->get_unmapped_area;
|
|
} else if (flags & MAP_SHARED) {
|
|
/*
|
|
* mmap_region() will call shmem_zero_setup() to create a file,
|
|
* so use shmem's get_unmapped_area in case it can be huge.
|
|
* do_mmap() will clear pgoff, so match alignment.
|
|
*/
|
|
pgoff = 0;
|
|
get_area = shmem_get_unmapped_area;
|
|
}
|
|
|
|
addr = get_area(file, addr, len, pgoff, flags);
|
|
if (IS_ERR_VALUE(addr))
|
|
return addr;
|
|
|
|
if (addr > TASK_SIZE - len)
|
|
return -ENOMEM;
|
|
if (offset_in_page(addr))
|
|
return -EINVAL;
|
|
|
|
error = security_mmap_addr(addr);
|
|
return error ? error : addr;
|
|
}
|
|
|
|
EXPORT_SYMBOL(get_unmapped_area);
|
|
|
|
/* Look up the first VMA which satisfies addr < vm_end, NULL if none. */
|
|
static struct vm_area_struct *__find_vma(struct mm_struct *mm,
|
|
unsigned long addr)
|
|
{
|
|
struct rb_node *rb_node;
|
|
struct vm_area_struct *vma = NULL;
|
|
|
|
rb_node = mm->mm_rb.rb_node;
|
|
|
|
while (rb_node) {
|
|
struct vm_area_struct *tmp;
|
|
|
|
tmp = rb_entry(rb_node, struct vm_area_struct, vm_rb);
|
|
|
|
if (tmp->vm_end > addr) {
|
|
vma = tmp;
|
|
if (tmp->vm_start <= addr)
|
|
break;
|
|
rb_node = rb_node->rb_left;
|
|
} else
|
|
rb_node = rb_node->rb_right;
|
|
}
|
|
|
|
return vma;
|
|
}
|
|
|
|
struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
|
|
{
|
|
struct vm_area_struct *vma;
|
|
|
|
/* Check the cache first. */
|
|
vma = vmacache_find(mm, addr);
|
|
if (likely(vma))
|
|
return vma;
|
|
|
|
vma = __find_vma(mm, addr);
|
|
if (vma)
|
|
vmacache_update(addr, vma);
|
|
return vma;
|
|
}
|
|
EXPORT_SYMBOL(find_vma);
|
|
|
|
#ifdef CONFIG_SPECULATIVE_PAGE_FAULT
|
|
struct vm_area_struct *get_vma(struct mm_struct *mm, unsigned long addr)
|
|
{
|
|
struct vm_area_struct *vma = NULL;
|
|
|
|
read_lock(&mm->mm_rb_lock);
|
|
vma = __find_vma(mm, addr);
|
|
|
|
/*
|
|
* If there is a concurrent fast mremap, bail out since the entire
|
|
* PMD/PUD subtree may have been remapped.
|
|
*
|
|
* This is usually safe for conventional mremap since it takes the
|
|
* PTE locks as does SPF. However fast mremap only takes the lock
|
|
* at the PMD/PUD level which is ok as it is done with the mmap
|
|
* write lock held. But since SPF, as the term implies forgoes,
|
|
* taking the mmap read lock and also cannot take PTL lock at the
|
|
* larger PMD/PUD granualrity, since it would introduce huge
|
|
* contention in the page fault path; fall back to regular fault
|
|
* handling.
|
|
*/
|
|
if (vma && !atomic_inc_unless_negative(&vma->vm_ref_count))
|
|
vma = NULL;
|
|
read_unlock(&mm->mm_rb_lock);
|
|
|
|
return vma;
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* Same as find_vma, but also return a pointer to the previous VMA in *pprev.
|
|
*/
|
|
struct vm_area_struct *
|
|
find_vma_prev(struct mm_struct *mm, unsigned long addr,
|
|
struct vm_area_struct **pprev)
|
|
{
|
|
struct vm_area_struct *vma;
|
|
|
|
vma = find_vma(mm, addr);
|
|
if (vma) {
|
|
*pprev = vma->vm_prev;
|
|
} else {
|
|
struct rb_node *rb_node = rb_last(&mm->mm_rb);
|
|
|
|
*pprev = rb_node ? rb_entry(rb_node, struct vm_area_struct, vm_rb) : NULL;
|
|
}
|
|
return vma;
|
|
}
|
|
|
|
/*
|
|
* Verify that the stack growth is acceptable and
|
|
* update accounting. This is shared with both the
|
|
* grow-up and grow-down cases.
|
|
*/
|
|
static int acct_stack_growth(struct vm_area_struct *vma,
|
|
unsigned long size, unsigned long grow)
|
|
{
|
|
struct mm_struct *mm = vma->vm_mm;
|
|
unsigned long new_start;
|
|
|
|
/* address space limit tests */
|
|
if (!may_expand_vm(mm, vma->vm_flags, grow))
|
|
return -ENOMEM;
|
|
|
|
/* Stack limit test */
|
|
if (size > rlimit(RLIMIT_STACK))
|
|
return -ENOMEM;
|
|
|
|
/* mlock limit tests */
|
|
if (vma->vm_flags & VM_LOCKED) {
|
|
unsigned long locked;
|
|
unsigned long limit;
|
|
locked = mm->locked_vm + grow;
|
|
limit = rlimit(RLIMIT_MEMLOCK);
|
|
limit >>= PAGE_SHIFT;
|
|
if (locked > limit && !capable(CAP_IPC_LOCK))
|
|
return -ENOMEM;
|
|
}
|
|
|
|
/* Check to ensure the stack will not grow into a hugetlb-only region */
|
|
new_start = (vma->vm_flags & VM_GROWSUP) ? vma->vm_start :
|
|
vma->vm_end - size;
|
|
if (is_hugepage_only_range(vma->vm_mm, new_start, size))
|
|
return -EFAULT;
|
|
|
|
/*
|
|
* Overcommit.. This must be the final test, as it will
|
|
* update security statistics.
|
|
*/
|
|
if (security_vm_enough_memory_mm(mm, grow))
|
|
return -ENOMEM;
|
|
|
|
return 0;
|
|
}
|
|
|
|
#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
|
|
/*
|
|
* PA-RISC uses this for its stack; IA64 for its Register Backing Store.
|
|
* vma is the last one with address > vma->vm_end. Have to extend vma.
|
|
*/
|
|
int expand_upwards(struct vm_area_struct *vma, unsigned long address)
|
|
{
|
|
struct mm_struct *mm = vma->vm_mm;
|
|
struct vm_area_struct *next;
|
|
unsigned long gap_addr;
|
|
int error = 0;
|
|
|
|
if (!(vma->vm_flags & VM_GROWSUP))
|
|
return -EFAULT;
|
|
|
|
/* Guard against exceeding limits of the address space. */
|
|
address &= PAGE_MASK;
|
|
if (address >= (TASK_SIZE & PAGE_MASK))
|
|
return -ENOMEM;
|
|
address += PAGE_SIZE;
|
|
|
|
/* Enforce stack_guard_gap */
|
|
gap_addr = address + stack_guard_gap;
|
|
|
|
/* Guard against overflow */
|
|
if (gap_addr < address || gap_addr > TASK_SIZE)
|
|
gap_addr = TASK_SIZE;
|
|
|
|
next = vma->vm_next;
|
|
if (next && next->vm_start < gap_addr && vma_is_accessible(next)) {
|
|
if (!(next->vm_flags & VM_GROWSUP))
|
|
return -ENOMEM;
|
|
/* Check that both stack segments have the same anon_vma? */
|
|
}
|
|
|
|
/* We must make sure the anon_vma is allocated. */
|
|
if (unlikely(anon_vma_prepare(vma)))
|
|
return -ENOMEM;
|
|
|
|
/*
|
|
* vma->vm_start/vm_end cannot change under us because the caller
|
|
* is required to hold the mmap_lock in read mode. We need the
|
|
* anon_vma lock to serialize against concurrent expand_stacks.
|
|
*/
|
|
anon_vma_lock_write(vma->anon_vma);
|
|
|
|
/* Somebody else might have raced and expanded it already */
|
|
if (address > vma->vm_end) {
|
|
unsigned long size, grow;
|
|
|
|
size = address - vma->vm_start;
|
|
grow = (address - vma->vm_end) >> PAGE_SHIFT;
|
|
|
|
error = -ENOMEM;
|
|
if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) {
|
|
error = acct_stack_growth(vma, size, grow);
|
|
if (!error) {
|
|
/*
|
|
* vma_gap_update() doesn't support concurrent
|
|
* updates, but we only hold a shared mmap_lock
|
|
* lock here, so we need to protect against
|
|
* concurrent vma expansions.
|
|
* anon_vma_lock_write() doesn't help here, as
|
|
* we don't guarantee that all growable vmas
|
|
* in a mm share the same root anon vma.
|
|
* So, we reuse mm->page_table_lock to guard
|
|
* against concurrent vma expansions.
|
|
*/
|
|
spin_lock(&mm->page_table_lock);
|
|
if (vma->vm_flags & VM_LOCKED)
|
|
mm->locked_vm += grow;
|
|
vm_stat_account(mm, vma->vm_flags, grow);
|
|
anon_vma_interval_tree_pre_update_vma(vma);
|
|
vma->vm_end = address;
|
|
anon_vma_interval_tree_post_update_vma(vma);
|
|
if (vma->vm_next)
|
|
vma_gap_update(vma->vm_next);
|
|
else
|
|
mm->highest_vm_end = vm_end_gap(vma);
|
|
spin_unlock(&mm->page_table_lock);
|
|
|
|
perf_event_mmap(vma);
|
|
}
|
|
}
|
|
}
|
|
anon_vma_unlock_write(vma->anon_vma);
|
|
khugepaged_enter_vma_merge(vma, vma->vm_flags);
|
|
validate_mm(mm);
|
|
return error;
|
|
}
|
|
#endif /* CONFIG_STACK_GROWSUP || CONFIG_IA64 */
|
|
|
|
/*
|
|
* vma is the first one with address < vma->vm_start. Have to extend vma.
|
|
*/
|
|
int expand_downwards(struct vm_area_struct *vma,
|
|
unsigned long address)
|
|
{
|
|
struct mm_struct *mm = vma->vm_mm;
|
|
struct vm_area_struct *prev;
|
|
int error = 0;
|
|
|
|
address &= PAGE_MASK;
|
|
if (address < mmap_min_addr)
|
|
return -EPERM;
|
|
|
|
/* Enforce stack_guard_gap */
|
|
prev = vma->vm_prev;
|
|
/* Check that both stack segments have the same anon_vma? */
|
|
if (prev && !(prev->vm_flags & VM_GROWSDOWN) &&
|
|
vma_is_accessible(prev)) {
|
|
if (address - prev->vm_end < stack_guard_gap)
|
|
return -ENOMEM;
|
|
}
|
|
|
|
/* We must make sure the anon_vma is allocated. */
|
|
if (unlikely(anon_vma_prepare(vma)))
|
|
return -ENOMEM;
|
|
|
|
/*
|
|
* vma->vm_start/vm_end cannot change under us because the caller
|
|
* is required to hold the mmap_lock in read mode. We need the
|
|
* anon_vma lock to serialize against concurrent expand_stacks.
|
|
*/
|
|
anon_vma_lock_write(vma->anon_vma);
|
|
|
|
/* Somebody else might have raced and expanded it already */
|
|
if (address < vma->vm_start) {
|
|
unsigned long size, grow;
|
|
|
|
size = vma->vm_end - address;
|
|
grow = (vma->vm_start - address) >> PAGE_SHIFT;
|
|
|
|
error = -ENOMEM;
|
|
if (grow <= vma->vm_pgoff) {
|
|
error = acct_stack_growth(vma, size, grow);
|
|
if (!error) {
|
|
/*
|
|
* vma_gap_update() doesn't support concurrent
|
|
* updates, but we only hold a shared mmap_lock
|
|
* lock here, so we need to protect against
|
|
* concurrent vma expansions.
|
|
* anon_vma_lock_write() doesn't help here, as
|
|
* we don't guarantee that all growable vmas
|
|
* in a mm share the same root anon vma.
|
|
* So, we reuse mm->page_table_lock to guard
|
|
* against concurrent vma expansions.
|
|
*/
|
|
spin_lock(&mm->page_table_lock);
|
|
if (vma->vm_flags & VM_LOCKED)
|
|
mm->locked_vm += grow;
|
|
vm_stat_account(mm, vma->vm_flags, grow);
|
|
anon_vma_interval_tree_pre_update_vma(vma);
|
|
WRITE_ONCE(vma->vm_start, address);
|
|
WRITE_ONCE(vma->vm_pgoff, vma->vm_pgoff - grow);
|
|
anon_vma_interval_tree_post_update_vma(vma);
|
|
vma_gap_update(vma);
|
|
spin_unlock(&mm->page_table_lock);
|
|
|
|
perf_event_mmap(vma);
|
|
}
|
|
}
|
|
}
|
|
anon_vma_unlock_write(vma->anon_vma);
|
|
khugepaged_enter_vma_merge(vma, vma->vm_flags);
|
|
validate_mm(mm);
|
|
return error;
|
|
}
|
|
|
|
/* enforced gap between the expanding stack and other mappings. */
|
|
unsigned long stack_guard_gap = 256UL<<PAGE_SHIFT;
|
|
|
|
static int __init cmdline_parse_stack_guard_gap(char *p)
|
|
{
|
|
unsigned long val;
|
|
char *endptr;
|
|
|
|
val = simple_strtoul(p, &endptr, 10);
|
|
if (!*endptr)
|
|
stack_guard_gap = val << PAGE_SHIFT;
|
|
|
|
return 1;
|
|
}
|
|
__setup("stack_guard_gap=", cmdline_parse_stack_guard_gap);
|
|
|
|
#ifdef CONFIG_STACK_GROWSUP
|
|
int expand_stack(struct vm_area_struct *vma, unsigned long address)
|
|
{
|
|
return expand_upwards(vma, address);
|
|
}
|
|
|
|
struct vm_area_struct *
|
|
find_extend_vma(struct mm_struct *mm, unsigned long addr)
|
|
{
|
|
struct vm_area_struct *vma, *prev;
|
|
|
|
addr &= PAGE_MASK;
|
|
vma = find_vma_prev(mm, addr, &prev);
|
|
if (vma && (vma->vm_start <= addr))
|
|
return vma;
|
|
/* don't alter vm_end if the coredump is running */
|
|
if (!prev || expand_stack(prev, addr))
|
|
return NULL;
|
|
if (prev->vm_flags & VM_LOCKED)
|
|
populate_vma_page_range(prev, addr, prev->vm_end, NULL);
|
|
return prev;
|
|
}
|
|
#else
|
|
int expand_stack(struct vm_area_struct *vma, unsigned long address)
|
|
{
|
|
return expand_downwards(vma, address);
|
|
}
|
|
|
|
struct vm_area_struct *
|
|
find_extend_vma(struct mm_struct *mm, unsigned long addr)
|
|
{
|
|
struct vm_area_struct *vma;
|
|
unsigned long start;
|
|
|
|
addr &= PAGE_MASK;
|
|
vma = find_vma(mm, addr);
|
|
if (!vma)
|
|
return NULL;
|
|
if (vma->vm_start <= addr)
|
|
return vma;
|
|
if (!(vma->vm_flags & VM_GROWSDOWN))
|
|
return NULL;
|
|
start = vma->vm_start;
|
|
if (expand_stack(vma, addr))
|
|
return NULL;
|
|
if (vma->vm_flags & VM_LOCKED)
|
|
populate_vma_page_range(vma, addr, start, NULL);
|
|
return vma;
|
|
}
|
|
#endif
|
|
|
|
EXPORT_SYMBOL_GPL(find_extend_vma);
|
|
|
|
/*
|
|
* Ok - we have the memory areas we should free on the vma list,
|
|
* so release them, and do the vma updates.
|
|
*
|
|
* Called with the mm semaphore held.
|
|
*/
|
|
static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
|
|
{
|
|
unsigned long nr_accounted = 0;
|
|
|
|
/* Update high watermark before we lower total_vm */
|
|
update_hiwater_vm(mm);
|
|
do {
|
|
long nrpages = vma_pages(vma);
|
|
|
|
if (vma->vm_flags & VM_ACCOUNT)
|
|
nr_accounted += nrpages;
|
|
vm_stat_account(mm, vma->vm_flags, -nrpages);
|
|
vma = remove_vma(vma);
|
|
} while (vma);
|
|
vm_unacct_memory(nr_accounted);
|
|
validate_mm(mm);
|
|
}
|
|
|
|
/*
|
|
* Get rid of page table information in the indicated region.
|
|
*
|
|
* Called with the mm semaphore held.
|
|
*/
|
|
static void unmap_region(struct mm_struct *mm,
|
|
struct vm_area_struct *vma, struct vm_area_struct *prev,
|
|
unsigned long start, unsigned long end)
|
|
{
|
|
struct vm_area_struct *next = vma_next(mm, prev);
|
|
struct mmu_gather tlb;
|
|
struct vm_area_struct *cur_vma;
|
|
|
|
lru_add_drain();
|
|
tlb_gather_mmu(&tlb, mm, start, end);
|
|
update_hiwater_rss(mm);
|
|
unmap_vmas(&tlb, vma, start, end);
|
|
|
|
/*
|
|
* Ensure we have no stale TLB entries by the time this mapping is
|
|
* removed from the rmap.
|
|
* Note that we don't have to worry about nested flushes here because
|
|
* we're holding the mm semaphore for removing the mapping - so any
|
|
* concurrent flush in this region has to be coming through the rmap,
|
|
* and we synchronize against that using the rmap lock.
|
|
*/
|
|
for (cur_vma = vma; cur_vma; cur_vma = cur_vma->vm_next) {
|
|
if ((cur_vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) != 0) {
|
|
tlb_flush_mmu(&tlb);
|
|
break;
|
|
}
|
|
}
|
|
|
|
free_pgtables(&tlb, vma, prev ? prev->vm_end : FIRST_USER_ADDRESS,
|
|
next ? next->vm_start : USER_PGTABLES_CEILING);
|
|
tlb_finish_mmu(&tlb, start, end);
|
|
}
|
|
|
|
/*
|
|
* Create a list of vma's touched by the unmap, removing them from the mm's
|
|
* vma list as we go..
|
|
*/
|
|
static bool
|
|
detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
|
|
struct vm_area_struct *prev, unsigned long end)
|
|
{
|
|
struct vm_area_struct **insertion_point;
|
|
struct vm_area_struct *tail_vma = NULL;
|
|
|
|
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
|
|
vma->vm_prev = NULL;
|
|
do {
|
|
vma_rb_erase(vma, mm);
|
|
mm->map_count--;
|
|
tail_vma = vma;
|
|
vma = vma->vm_next;
|
|
} while (vma && vma->vm_start < end);
|
|
*insertion_point = vma;
|
|
if (vma) {
|
|
vma->vm_prev = prev;
|
|
vma_gap_update(vma);
|
|
} else
|
|
mm->highest_vm_end = prev ? vm_end_gap(prev) : 0;
|
|
tail_vma->vm_next = NULL;
|
|
|
|
/* Kill the cache */
|
|
vmacache_invalidate(mm);
|
|
|
|
/*
|
|
* Do not downgrade mmap_lock if we are next to VM_GROWSDOWN or
|
|
* VM_GROWSUP VMA. Such VMAs can change their size under
|
|
* down_read(mmap_lock) and collide with the VMA we are about to unmap.
|
|
*/
|
|
if (vma && (vma->vm_flags & VM_GROWSDOWN))
|
|
return false;
|
|
if (prev && (prev->vm_flags & VM_GROWSUP))
|
|
return false;
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* __split_vma() bypasses sysctl_max_map_count checking. We use this where it
|
|
* has already been checked or doesn't make sense to fail.
|
|
*/
|
|
int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
|
|
unsigned long addr, int new_below)
|
|
{
|
|
struct vm_area_struct *new;
|
|
int err;
|
|
|
|
if (vma->vm_ops && vma->vm_ops->split) {
|
|
err = vma->vm_ops->split(vma, addr);
|
|
if (err)
|
|
return err;
|
|
}
|
|
|
|
new = vm_area_dup(vma);
|
|
if (!new)
|
|
return -ENOMEM;
|
|
|
|
if (new_below)
|
|
new->vm_end = addr;
|
|
else {
|
|
new->vm_start = addr;
|
|
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
|
|
}
|
|
|
|
err = vma_dup_policy(vma, new);
|
|
if (err)
|
|
goto out_free_vma;
|
|
|
|
err = anon_vma_clone(new, vma);
|
|
if (err)
|
|
goto out_free_mpol;
|
|
|
|
if (new->vm_file)
|
|
get_file(new->vm_file);
|
|
|
|
if (new->vm_ops && new->vm_ops->open)
|
|
new->vm_ops->open(new);
|
|
|
|
if (new_below)
|
|
err = vma_adjust(vma, addr, vma->vm_end, vma->vm_pgoff +
|
|
((addr - new->vm_start) >> PAGE_SHIFT), new);
|
|
else
|
|
err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
|
|
|
|
/* Success. */
|
|
if (!err)
|
|
return 0;
|
|
|
|
/* Clean everything up if vma_adjust failed. */
|
|
if (new->vm_ops && new->vm_ops->close)
|
|
new->vm_ops->close(new);
|
|
if (new->vm_file)
|
|
fput(new->vm_file);
|
|
unlink_anon_vmas(new);
|
|
out_free_mpol:
|
|
mpol_put(vma_policy(new));
|
|
out_free_vma:
|
|
vm_area_free(new);
|
|
return err;
|
|
}
|
|
|
|
/*
|
|
* Split a vma into two pieces at address 'addr', a new vma is allocated
|
|
* either for the first part or the tail.
|
|
*/
|
|
int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
|
|
unsigned long addr, int new_below)
|
|
{
|
|
if (mm->map_count >= sysctl_max_map_count)
|
|
return -ENOMEM;
|
|
|
|
return __split_vma(mm, vma, addr, new_below);
|
|
}
|
|
|
|
/* Munmap is split into 2 main parts -- this part which finds
|
|
* what needs doing, and the areas themselves, which do the
|
|
* work. This now handles partial unmappings.
|
|
* Jeremy Fitzhardinge <jeremy@goop.org>
|
|
*/
|
|
int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len,
|
|
struct list_head *uf, bool downgrade)
|
|
{
|
|
unsigned long end;
|
|
struct vm_area_struct *vma, *prev, *last;
|
|
|
|
if ((offset_in_page(start)) || start > TASK_SIZE || len > TASK_SIZE-start)
|
|
return -EINVAL;
|
|
|
|
len = PAGE_ALIGN(len);
|
|
end = start + len;
|
|
if (len == 0)
|
|
return -EINVAL;
|
|
|
|
/*
|
|
* arch_unmap() might do unmaps itself. It must be called
|
|
* and finish any rbtree manipulation before this code
|
|
* runs and also starts to manipulate the rbtree.
|
|
*/
|
|
arch_unmap(mm, start, end);
|
|
|
|
/* Find the first overlapping VMA */
|
|
vma = find_vma(mm, start);
|
|
if (!vma)
|
|
return 0;
|
|
prev = vma->vm_prev;
|
|
/* we have start < vma->vm_end */
|
|
|
|
/* if it doesn't overlap, we have nothing.. */
|
|
if (vma->vm_start >= end)
|
|
return 0;
|
|
|
|
/*
|
|
* If we need to split any vma, do it now to save pain later.
|
|
*
|
|
* Note: mremap's move_vma VM_ACCOUNT handling assumes a partially
|
|
* unmapped vm_area_struct will remain in use: so lower split_vma
|
|
* places tmp vma above, and higher split_vma places tmp vma below.
|
|
*/
|
|
if (start > vma->vm_start) {
|
|
int error;
|
|
|
|
/*
|
|
* Make sure that map_count on return from munmap() will
|
|
* not exceed its limit; but let map_count go just above
|
|
* its limit temporarily, to help free resources as expected.
|
|
*/
|
|
if (end < vma->vm_end && mm->map_count >= sysctl_max_map_count)
|
|
return -ENOMEM;
|
|
|
|
error = __split_vma(mm, vma, start, 0);
|
|
if (error)
|
|
return error;
|
|
prev = vma;
|
|
}
|
|
|
|
/* Does it split the last one? */
|
|
last = find_vma(mm, end);
|
|
if (last && end > last->vm_start) {
|
|
int error = __split_vma(mm, last, end, 1);
|
|
if (error)
|
|
return error;
|
|
}
|
|
vma = vma_next(mm, prev);
|
|
|
|
if (unlikely(uf)) {
|
|
/*
|
|
* If userfaultfd_unmap_prep returns an error the vmas
|
|
* will remain splitted, but userland will get a
|
|
* highly unexpected error anyway. This is no
|
|
* different than the case where the first of the two
|
|
* __split_vma fails, but we don't undo the first
|
|
* split, despite we could. This is unlikely enough
|
|
* failure that it's not worth optimizing it for.
|
|
*/
|
|
int error = userfaultfd_unmap_prep(vma, start, end, uf);
|
|
if (error)
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* unlock any mlock()ed ranges before detaching vmas
|
|
*/
|
|
if (mm->locked_vm) {
|
|
struct vm_area_struct *tmp = vma;
|
|
while (tmp && tmp->vm_start < end) {
|
|
if (tmp->vm_flags & VM_LOCKED) {
|
|
mm->locked_vm -= vma_pages(tmp);
|
|
munlock_vma_pages_all(tmp);
|
|
}
|
|
|
|
tmp = tmp->vm_next;
|
|
}
|
|
}
|
|
|
|
/* Detach vmas from rbtree */
|
|
if (!detach_vmas_to_be_unmapped(mm, vma, prev, end))
|
|
downgrade = false;
|
|
|
|
if (downgrade)
|
|
mmap_write_downgrade(mm);
|
|
|
|
unmap_region(mm, vma, prev, start, end);
|
|
|
|
/* Fix up all other VM information */
|
|
remove_vma_list(mm, vma);
|
|
|
|
return downgrade ? 1 : 0;
|
|
}
|
|
|
|
int do_munmap(struct mm_struct *mm, unsigned long start, size_t len,
|
|
struct list_head *uf)
|
|
{
|
|
return __do_munmap(mm, start, len, uf, false);
|
|
}
|
|
|
|
static int __vm_munmap(unsigned long start, size_t len, bool downgrade)
|
|
{
|
|
int ret;
|
|
struct mm_struct *mm = current->mm;
|
|
LIST_HEAD(uf);
|
|
|
|
if (mmap_write_lock_killable(mm))
|
|
return -EINTR;
|
|
|
|
ret = __do_munmap(mm, start, len, &uf, downgrade);
|
|
/*
|
|
* Returning 1 indicates mmap_lock is downgraded.
|
|
* But 1 is not legal return value of vm_munmap() and munmap(), reset
|
|
* it to 0 before return.
|
|
*/
|
|
if (ret == 1) {
|
|
mmap_read_unlock(mm);
|
|
ret = 0;
|
|
} else
|
|
mmap_write_unlock(mm);
|
|
|
|
userfaultfd_unmap_complete(mm, &uf);
|
|
return ret;
|
|
}
|
|
|
|
int vm_munmap(unsigned long start, size_t len)
|
|
{
|
|
return __vm_munmap(start, len, false);
|
|
}
|
|
EXPORT_SYMBOL(vm_munmap);
|
|
|
|
SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
|
|
{
|
|
addr = untagged_addr(addr);
|
|
profile_munmap(addr);
|
|
return __vm_munmap(addr, len, true);
|
|
}
|
|
|
|
|
|
/*
|
|
* Emulation of deprecated remap_file_pages() syscall.
|
|
*/
|
|
SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
|
|
unsigned long, prot, unsigned long, pgoff, unsigned long, flags)
|
|
{
|
|
|
|
struct mm_struct *mm = current->mm;
|
|
struct vm_area_struct *vma;
|
|
unsigned long populate = 0;
|
|
unsigned long ret = -EINVAL;
|
|
struct file *file;
|
|
|
|
pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.rst.\n",
|
|
current->comm, current->pid);
|
|
|
|
if (prot)
|
|
return ret;
|
|
start = start & PAGE_MASK;
|
|
size = size & PAGE_MASK;
|
|
|
|
if (start + size <= start)
|
|
return ret;
|
|
|
|
/* Does pgoff wrap? */
|
|
if (pgoff + (size >> PAGE_SHIFT) < pgoff)
|
|
return ret;
|
|
|
|
if (mmap_write_lock_killable(mm))
|
|
return -EINTR;
|
|
|
|
vma = find_vma(mm, start);
|
|
|
|
if (!vma || !(vma->vm_flags & VM_SHARED))
|
|
goto out;
|
|
|
|
if (start < vma->vm_start)
|
|
goto out;
|
|
|
|
if (start + size > vma->vm_end) {
|
|
struct vm_area_struct *next;
|
|
|
|
for (next = vma->vm_next; next; next = next->vm_next) {
|
|
/* hole between vmas ? */
|
|
if (next->vm_start != next->vm_prev->vm_end)
|
|
goto out;
|
|
|
|
if (next->vm_file != vma->vm_file)
|
|
goto out;
|
|
|
|
if (next->vm_flags != vma->vm_flags)
|
|
goto out;
|
|
|
|
if (start + size <= next->vm_end)
|
|
break;
|
|
}
|
|
|
|
if (!next)
|
|
goto out;
|
|
}
|
|
|
|
prot |= vma->vm_flags & VM_READ ? PROT_READ : 0;
|
|
prot |= vma->vm_flags & VM_WRITE ? PROT_WRITE : 0;
|
|
prot |= vma->vm_flags & VM_EXEC ? PROT_EXEC : 0;
|
|
|
|
flags &= MAP_NONBLOCK;
|
|
flags |= MAP_SHARED | MAP_FIXED | MAP_POPULATE;
|
|
if (vma->vm_flags & VM_LOCKED) {
|
|
struct vm_area_struct *tmp;
|
|
flags |= MAP_LOCKED;
|
|
|
|
/* drop PG_Mlocked flag for over-mapped range */
|
|
for (tmp = vma; tmp->vm_start >= start + size;
|
|
tmp = tmp->vm_next) {
|
|
/*
|
|
* Split pmd and munlock page on the border
|
|
* of the range.
|
|
*/
|
|
vma_adjust_trans_huge(tmp, start, start + size, 0);
|
|
|
|
munlock_vma_pages_range(tmp,
|
|
max(tmp->vm_start, start),
|
|
min(tmp->vm_end, start + size));
|
|
}
|
|
}
|
|
|
|
file = get_file(vma->vm_file);
|
|
ret = do_mmap(vma->vm_file, start, size,
|
|
prot, flags, pgoff, &populate, NULL);
|
|
fput(file);
|
|
out:
|
|
mmap_write_unlock(mm);
|
|
if (populate)
|
|
mm_populate(ret, populate);
|
|
if (!IS_ERR_VALUE(ret))
|
|
ret = 0;
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* this is really a simplified "do_mmap". it only handles
|
|
* anonymous maps. eventually we may be able to do some
|
|
* brk-specific accounting here.
|
|
*/
|
|
static int do_brk_flags(unsigned long addr, unsigned long len, unsigned long flags, struct list_head *uf)
|
|
{
|
|
struct mm_struct *mm = current->mm;
|
|
struct vm_area_struct *vma, *prev;
|
|
struct rb_node **rb_link, *rb_parent;
|
|
pgoff_t pgoff = addr >> PAGE_SHIFT;
|
|
int error;
|
|
unsigned long mapped_addr;
|
|
|
|
/* Until we need other flags, refuse anything except VM_EXEC. */
|
|
if ((flags & (~VM_EXEC)) != 0)
|
|
return -EINVAL;
|
|
flags |= VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
|
|
|
|
mapped_addr = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
|
|
if (IS_ERR_VALUE(mapped_addr))
|
|
return mapped_addr;
|
|
|
|
error = mlock_future_check(mm, mm->def_flags, len);
|
|
if (error)
|
|
return error;
|
|
|
|
/* Clear old maps, set up prev, rb_link, rb_parent, and uf */
|
|
if (munmap_vma_range(mm, addr, len, &prev, &rb_link, &rb_parent, uf))
|
|
return -ENOMEM;
|
|
|
|
/* Check against address space limits *after* clearing old maps... */
|
|
if (!may_expand_vm(mm, flags, len >> PAGE_SHIFT))
|
|
return -ENOMEM;
|
|
|
|
if (mm->map_count > sysctl_max_map_count)
|
|
return -ENOMEM;
|
|
|
|
if (security_vm_enough_memory_mm(mm, len >> PAGE_SHIFT))
|
|
return -ENOMEM;
|
|
|
|
/* Can we just expand an old private anonymous mapping? */
|
|
vma = vma_merge(mm, prev, addr, addr + len, flags,
|
|
NULL, NULL, pgoff, NULL, NULL_VM_UFFD_CTX, NULL);
|
|
if (vma)
|
|
goto out;
|
|
|
|
/*
|
|
* create a vma struct for an anonymous mapping
|
|
*/
|
|
vma = vm_area_alloc(mm);
|
|
if (!vma) {
|
|
vm_unacct_memory(len >> PAGE_SHIFT);
|
|
return -ENOMEM;
|
|
}
|
|
|
|
vma_set_anonymous(vma);
|
|
vma->vm_start = addr;
|
|
vma->vm_end = addr + len;
|
|
vma->vm_pgoff = pgoff;
|
|
vma->vm_flags = flags;
|
|
vma->vm_page_prot = vm_get_page_prot(flags);
|
|
vma_link(mm, vma, prev, rb_link, rb_parent);
|
|
out:
|
|
perf_event_mmap(vma);
|
|
mm->total_vm += len >> PAGE_SHIFT;
|
|
mm->data_vm += len >> PAGE_SHIFT;
|
|
if (flags & VM_LOCKED)
|
|
mm->locked_vm += (len >> PAGE_SHIFT);
|
|
vma->vm_flags |= VM_SOFTDIRTY;
|
|
return 0;
|
|
}
|
|
|
|
int vm_brk_flags(unsigned long addr, unsigned long request, unsigned long flags)
|
|
{
|
|
struct mm_struct *mm = current->mm;
|
|
unsigned long len;
|
|
int ret;
|
|
bool populate;
|
|
LIST_HEAD(uf);
|
|
|
|
len = PAGE_ALIGN(request);
|
|
if (len < request)
|
|
return -ENOMEM;
|
|
if (!len)
|
|
return 0;
|
|
|
|
if (mmap_write_lock_killable(mm))
|
|
return -EINTR;
|
|
|
|
ret = do_brk_flags(addr, len, flags, &uf);
|
|
populate = ((mm->def_flags & VM_LOCKED) != 0);
|
|
mmap_write_unlock(mm);
|
|
userfaultfd_unmap_complete(mm, &uf);
|
|
if (populate && !ret)
|
|
mm_populate(addr, len);
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL(vm_brk_flags);
|
|
|
|
int vm_brk(unsigned long addr, unsigned long len)
|
|
{
|
|
return vm_brk_flags(addr, len, 0);
|
|
}
|
|
EXPORT_SYMBOL(vm_brk);
|
|
|
|
/* Release all mmaps. */
|
|
void exit_mmap(struct mm_struct *mm)
|
|
{
|
|
struct mmu_gather tlb;
|
|
struct vm_area_struct *vma;
|
|
unsigned long nr_accounted = 0;
|
|
|
|
/* mm's last user has gone, and its about to be pulled down */
|
|
mmu_notifier_release(mm);
|
|
|
|
if (unlikely(mm_is_oom_victim(mm))) {
|
|
/*
|
|
* Manually reap the mm to free as much memory as possible.
|
|
* Then, as the oom reaper does, set MMF_OOM_SKIP to disregard
|
|
* this mm from further consideration. Taking mm->mmap_lock for
|
|
* write after setting MMF_OOM_SKIP will guarantee that the oom
|
|
* reaper will not run on this mm again after mmap_lock is
|
|
* dropped.
|
|
*
|
|
* Nothing can be holding mm->mmap_lock here and the above call
|
|
* to mmu_notifier_release(mm) ensures mmu notifier callbacks in
|
|
* __oom_reap_task_mm() will not block.
|
|
*
|
|
* This needs to be done before calling munlock_vma_pages_all(),
|
|
* which clears VM_LOCKED, otherwise the oom reaper cannot
|
|
* reliably test it.
|
|
*/
|
|
(void)__oom_reap_task_mm(mm);
|
|
|
|
set_bit(MMF_OOM_SKIP, &mm->flags);
|
|
}
|
|
|
|
mmap_write_lock(mm);
|
|
if (mm->locked_vm) {
|
|
vma = mm->mmap;
|
|
while (vma) {
|
|
if (vma->vm_flags & VM_LOCKED)
|
|
munlock_vma_pages_all(vma);
|
|
vma = vma->vm_next;
|
|
}
|
|
}
|
|
|
|
arch_exit_mmap(mm);
|
|
|
|
vma = mm->mmap;
|
|
if (!vma) {
|
|
/* Can happen if dup_mmap() received an OOM */
|
|
mmap_write_unlock(mm);
|
|
return;
|
|
}
|
|
|
|
lru_add_drain();
|
|
flush_cache_mm(mm);
|
|
tlb_gather_mmu(&tlb, mm, 0, -1);
|
|
/* update_hiwater_rss(mm) here? but nobody should be looking */
|
|
/* Use -1 here to ensure all VMAs in the mm are unmapped */
|
|
unmap_vmas(&tlb, vma, 0, -1);
|
|
free_pgtables(&tlb, vma, FIRST_USER_ADDRESS, USER_PGTABLES_CEILING);
|
|
tlb_finish_mmu(&tlb, 0, -1);
|
|
|
|
/* Walk the list again, actually closing and freeing it. */
|
|
while (vma) {
|
|
if (vma->vm_flags & VM_ACCOUNT)
|
|
nr_accounted += vma_pages(vma);
|
|
vma = remove_vma(vma);
|
|
cond_resched();
|
|
}
|
|
mm->mmap = NULL;
|
|
mmap_write_unlock(mm);
|
|
vm_unacct_memory(nr_accounted);
|
|
}
|
|
|
|
/* Insert vm structure into process list sorted by address
|
|
* and into the inode's i_mmap tree. If vm_file is non-NULL
|
|
* then i_mmap_rwsem is taken here.
|
|
*/
|
|
int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
|
|
{
|
|
struct vm_area_struct *prev;
|
|
struct rb_node **rb_link, *rb_parent;
|
|
|
|
if (find_vma_links(mm, vma->vm_start, vma->vm_end,
|
|
&prev, &rb_link, &rb_parent))
|
|
return -ENOMEM;
|
|
if ((vma->vm_flags & VM_ACCOUNT) &&
|
|
security_vm_enough_memory_mm(mm, vma_pages(vma)))
|
|
return -ENOMEM;
|
|
|
|
/*
|
|
* The vm_pgoff of a purely anonymous vma should be irrelevant
|
|
* until its first write fault, when page's anon_vma and index
|
|
* are set. But now set the vm_pgoff it will almost certainly
|
|
* end up with (unless mremap moves it elsewhere before that
|
|
* first wfault), so /proc/pid/maps tells a consistent story.
|
|
*
|
|
* By setting it to reflect the virtual start address of the
|
|
* vma, merges and splits can happen in a seamless way, just
|
|
* using the existing file pgoff checks and manipulations.
|
|
* Similarly in do_mmap and in do_brk_flags.
|
|
*/
|
|
if (vma_is_anonymous(vma)) {
|
|
BUG_ON(vma->anon_vma);
|
|
vma->vm_pgoff = vma->vm_start >> PAGE_SHIFT;
|
|
}
|
|
|
|
vma_link(mm, vma, prev, rb_link, rb_parent);
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Copy the vma structure to a new location in the same mm,
|
|
* prior to moving page table entries, to effect an mremap move.
|
|
*/
|
|
struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
|
|
unsigned long addr, unsigned long len, pgoff_t pgoff,
|
|
bool *need_rmap_locks)
|
|
{
|
|
struct vm_area_struct *vma = *vmap;
|
|
unsigned long vma_start = vma->vm_start;
|
|
struct mm_struct *mm = vma->vm_mm;
|
|
struct vm_area_struct *new_vma, *prev;
|
|
struct rb_node **rb_link, *rb_parent;
|
|
bool faulted_in_anon_vma = true;
|
|
|
|
/*
|
|
* If anonymous vma has not yet been faulted, update new pgoff
|
|
* to match new location, to increase its chance of merging.
|
|
*/
|
|
if (unlikely(vma_is_anonymous(vma) && !vma->anon_vma)) {
|
|
pgoff = addr >> PAGE_SHIFT;
|
|
faulted_in_anon_vma = false;
|
|
}
|
|
|
|
if (find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent))
|
|
return NULL; /* should never get here */
|
|
|
|
/* There is 3 cases to manage here in
|
|
* AAAA AAAA AAAA AAAA
|
|
* PPPP.... PPPP......NNNN PPPP....NNNN PP........NN
|
|
* PPPPPPPP(A) PPPP..NNNNNNNN(B) PPPPPPPPPPPP(1) NULL
|
|
* PPPPPPPPNNNN(2)
|
|
* PPPPNNNNNNNN(3)
|
|
*
|
|
* new_vma == prev in case A,1,2
|
|
* new_vma == next in case B,3
|
|
*/
|
|
new_vma = __vma_merge(mm, prev, addr, addr + len, vma->vm_flags,
|
|
vma->anon_vma, vma->vm_file, pgoff,
|
|
vma_policy(vma), vma->vm_userfaultfd_ctx,
|
|
vma_get_anon_name(vma), true);
|
|
if (new_vma) {
|
|
/*
|
|
* Source vma may have been merged into new_vma
|
|
*/
|
|
if (unlikely(vma_start >= new_vma->vm_start &&
|
|
vma_start < new_vma->vm_end)) {
|
|
/*
|
|
* The only way we can get a vma_merge with
|
|
* self during an mremap is if the vma hasn't
|
|
* been faulted in yet and we were allowed to
|
|
* reset the dst vma->vm_pgoff to the
|
|
* destination address of the mremap to allow
|
|
* the merge to happen. mremap must change the
|
|
* vm_pgoff linearity between src and dst vmas
|
|
* (in turn preventing a vma_merge) to be
|
|
* safe. It is only safe to keep the vm_pgoff
|
|
* linear if there are no pages mapped yet.
|
|
*/
|
|
VM_BUG_ON_VMA(faulted_in_anon_vma, new_vma);
|
|
*vmap = vma = new_vma;
|
|
}
|
|
*need_rmap_locks = (new_vma->vm_pgoff <= vma->vm_pgoff);
|
|
} else {
|
|
new_vma = vm_area_dup(vma);
|
|
if (!new_vma)
|
|
goto out;
|
|
new_vma->vm_start = addr;
|
|
new_vma->vm_end = addr + len;
|
|
new_vma->vm_pgoff = pgoff;
|
|
if (vma_dup_policy(vma, new_vma))
|
|
goto out_free_vma;
|
|
if (anon_vma_clone(new_vma, vma))
|
|
goto out_free_mempol;
|
|
if (new_vma->vm_file)
|
|
get_file(new_vma->vm_file);
|
|
if (new_vma->vm_ops && new_vma->vm_ops->open)
|
|
new_vma->vm_ops->open(new_vma);
|
|
/*
|
|
* As the VMA is linked right now, it may be hit by the
|
|
* speculative page fault handler. But we don't want it to
|
|
* to start mapping page in this area until the caller has
|
|
* potentially move the pte from the moved VMA. To prevent
|
|
* that we protect it right now, and let the caller unprotect
|
|
* it once the move is done.
|
|
*/
|
|
vm_write_begin(new_vma);
|
|
vma_link(mm, new_vma, prev, rb_link, rb_parent);
|
|
*need_rmap_locks = false;
|
|
}
|
|
return new_vma;
|
|
|
|
out_free_mempol:
|
|
mpol_put(vma_policy(new_vma));
|
|
out_free_vma:
|
|
vm_area_free(new_vma);
|
|
out:
|
|
return NULL;
|
|
}
|
|
|
|
/*
|
|
* Return true if the calling process may expand its vm space by the passed
|
|
* number of pages
|
|
*/
|
|
bool may_expand_vm(struct mm_struct *mm, vm_flags_t flags, unsigned long npages)
|
|
{
|
|
if (mm->total_vm + npages > rlimit(RLIMIT_AS) >> PAGE_SHIFT)
|
|
return false;
|
|
|
|
if (is_data_mapping(flags) &&
|
|
mm->data_vm + npages > rlimit(RLIMIT_DATA) >> PAGE_SHIFT) {
|
|
/* Workaround for Valgrind */
|
|
if (rlimit(RLIMIT_DATA) == 0 &&
|
|
mm->data_vm + npages <= rlimit_max(RLIMIT_DATA) >> PAGE_SHIFT)
|
|
return true;
|
|
|
|
pr_warn_once("%s (%d): VmData %lu exceed data ulimit %lu. Update limits%s.\n",
|
|
current->comm, current->pid,
|
|
(mm->data_vm + npages) << PAGE_SHIFT,
|
|
rlimit(RLIMIT_DATA),
|
|
ignore_rlimit_data ? "" : " or use boot option ignore_rlimit_data");
|
|
|
|
if (!ignore_rlimit_data)
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
void vm_stat_account(struct mm_struct *mm, vm_flags_t flags, long npages)
|
|
{
|
|
mm->total_vm += npages;
|
|
|
|
if (is_exec_mapping(flags))
|
|
mm->exec_vm += npages;
|
|
else if (is_stack_mapping(flags))
|
|
mm->stack_vm += npages;
|
|
else if (is_data_mapping(flags))
|
|
mm->data_vm += npages;
|
|
}
|
|
|
|
static vm_fault_t special_mapping_fault(struct vm_fault *vmf);
|
|
|
|
/*
|
|
* Having a close hook prevents vma merging regardless of flags.
|
|
*/
|
|
static void special_mapping_close(struct vm_area_struct *vma)
|
|
{
|
|
}
|
|
|
|
static const char *special_mapping_name(struct vm_area_struct *vma)
|
|
{
|
|
return ((struct vm_special_mapping *)vma->vm_private_data)->name;
|
|
}
|
|
|
|
static int special_mapping_mremap(struct vm_area_struct *new_vma)
|
|
{
|
|
struct vm_special_mapping *sm = new_vma->vm_private_data;
|
|
|
|
if (WARN_ON_ONCE(current->mm != new_vma->vm_mm))
|
|
return -EFAULT;
|
|
|
|
if (sm->mremap)
|
|
return sm->mremap(sm, new_vma);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static const struct vm_operations_struct special_mapping_vmops = {
|
|
.close = special_mapping_close,
|
|
.fault = special_mapping_fault,
|
|
.mremap = special_mapping_mremap,
|
|
.name = special_mapping_name,
|
|
/* vDSO code relies that VVAR can't be accessed remotely */
|
|
.access = NULL,
|
|
};
|
|
|
|
static const struct vm_operations_struct legacy_special_mapping_vmops = {
|
|
.close = special_mapping_close,
|
|
.fault = special_mapping_fault,
|
|
};
|
|
|
|
static vm_fault_t special_mapping_fault(struct vm_fault *vmf)
|
|
{
|
|
struct vm_area_struct *vma = vmf->vma;
|
|
pgoff_t pgoff;
|
|
struct page **pages;
|
|
|
|
if (vma->vm_ops == &legacy_special_mapping_vmops) {
|
|
pages = vma->vm_private_data;
|
|
} else {
|
|
struct vm_special_mapping *sm = vma->vm_private_data;
|
|
|
|
if (sm->fault)
|
|
return sm->fault(sm, vmf->vma, vmf);
|
|
|
|
pages = sm->pages;
|
|
}
|
|
|
|
for (pgoff = vmf->pgoff; pgoff && *pages; ++pages)
|
|
pgoff--;
|
|
|
|
if (*pages) {
|
|
struct page *page = *pages;
|
|
get_page(page);
|
|
vmf->page = page;
|
|
return 0;
|
|
}
|
|
|
|
return VM_FAULT_SIGBUS;
|
|
}
|
|
|
|
static struct vm_area_struct *__install_special_mapping(
|
|
struct mm_struct *mm,
|
|
unsigned long addr, unsigned long len,
|
|
unsigned long vm_flags, void *priv,
|
|
const struct vm_operations_struct *ops)
|
|
{
|
|
int ret;
|
|
struct vm_area_struct *vma;
|
|
|
|
vma = vm_area_alloc(mm);
|
|
if (unlikely(vma == NULL))
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
vma->vm_start = addr;
|
|
vma->vm_end = addr + len;
|
|
|
|
vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND | VM_SOFTDIRTY;
|
|
vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
|
|
|
|
vma->vm_ops = ops;
|
|
vma->vm_private_data = priv;
|
|
|
|
ret = insert_vm_struct(mm, vma);
|
|
if (ret)
|
|
goto out;
|
|
|
|
vm_stat_account(mm, vma->vm_flags, len >> PAGE_SHIFT);
|
|
|
|
perf_event_mmap(vma);
|
|
|
|
return vma;
|
|
|
|
out:
|
|
vm_area_free(vma);
|
|
return ERR_PTR(ret);
|
|
}
|
|
|
|
bool vma_is_special_mapping(const struct vm_area_struct *vma,
|
|
const struct vm_special_mapping *sm)
|
|
{
|
|
return vma->vm_private_data == sm &&
|
|
(vma->vm_ops == &special_mapping_vmops ||
|
|
vma->vm_ops == &legacy_special_mapping_vmops);
|
|
}
|
|
|
|
/*
|
|
* Called with mm->mmap_lock held for writing.
|
|
* Insert a new vma covering the given region, with the given flags.
|
|
* Its pages are supplied by the given array of struct page *.
|
|
* The array can be shorter than len >> PAGE_SHIFT if it's null-terminated.
|
|
* The region past the last page supplied will always produce SIGBUS.
|
|
* The array pointer and the pages it points to are assumed to stay alive
|
|
* for as long as this mapping might exist.
|
|
*/
|
|
struct vm_area_struct *_install_special_mapping(
|
|
struct mm_struct *mm,
|
|
unsigned long addr, unsigned long len,
|
|
unsigned long vm_flags, const struct vm_special_mapping *spec)
|
|
{
|
|
return __install_special_mapping(mm, addr, len, vm_flags, (void *)spec,
|
|
&special_mapping_vmops);
|
|
}
|
|
|
|
int install_special_mapping(struct mm_struct *mm,
|
|
unsigned long addr, unsigned long len,
|
|
unsigned long vm_flags, struct page **pages)
|
|
{
|
|
struct vm_area_struct *vma = __install_special_mapping(
|
|
mm, addr, len, vm_flags, (void *)pages,
|
|
&legacy_special_mapping_vmops);
|
|
|
|
return PTR_ERR_OR_ZERO(vma);
|
|
}
|
|
|
|
static DEFINE_MUTEX(mm_all_locks_mutex);
|
|
|
|
static void vm_lock_anon_vma(struct mm_struct *mm, struct anon_vma *anon_vma)
|
|
{
|
|
if (!test_bit(0, (unsigned long *) &anon_vma->root->rb_root.rb_root.rb_node)) {
|
|
/*
|
|
* The LSB of head.next can't change from under us
|
|
* because we hold the mm_all_locks_mutex.
|
|
*/
|
|
down_write_nest_lock(&anon_vma->root->rwsem, &mm->mmap_lock);
|
|
/*
|
|
* We can safely modify head.next after taking the
|
|
* anon_vma->root->rwsem. If some other vma in this mm shares
|
|
* the same anon_vma we won't take it again.
|
|
*
|
|
* No need of atomic instructions here, head.next
|
|
* can't change from under us thanks to the
|
|
* anon_vma->root->rwsem.
|
|
*/
|
|
if (__test_and_set_bit(0, (unsigned long *)
|
|
&anon_vma->root->rb_root.rb_root.rb_node))
|
|
BUG();
|
|
}
|
|
}
|
|
|
|
static void vm_lock_mapping(struct mm_struct *mm, struct address_space *mapping)
|
|
{
|
|
if (!test_bit(AS_MM_ALL_LOCKS, &mapping->flags)) {
|
|
/*
|
|
* AS_MM_ALL_LOCKS can't change from under us because
|
|
* we hold the mm_all_locks_mutex.
|
|
*
|
|
* Operations on ->flags have to be atomic because
|
|
* even if AS_MM_ALL_LOCKS is stable thanks to the
|
|
* mm_all_locks_mutex, there may be other cpus
|
|
* changing other bitflags in parallel to us.
|
|
*/
|
|
if (test_and_set_bit(AS_MM_ALL_LOCKS, &mapping->flags))
|
|
BUG();
|
|
down_write_nest_lock(&mapping->i_mmap_rwsem, &mm->mmap_lock);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* This operation locks against the VM for all pte/vma/mm related
|
|
* operations that could ever happen on a certain mm. This includes
|
|
* vmtruncate, try_to_unmap, and all page faults.
|
|
*
|
|
* The caller must take the mmap_lock in write mode before calling
|
|
* mm_take_all_locks(). The caller isn't allowed to release the
|
|
* mmap_lock until mm_drop_all_locks() returns.
|
|
*
|
|
* mmap_lock in write mode is required in order to block all operations
|
|
* that could modify pagetables and free pages without need of
|
|
* altering the vma layout. It's also needed in write mode to avoid new
|
|
* anon_vmas to be associated with existing vmas.
|
|
*
|
|
* A single task can't take more than one mm_take_all_locks() in a row
|
|
* or it would deadlock.
|
|
*
|
|
* The LSB in anon_vma->rb_root.rb_node and the AS_MM_ALL_LOCKS bitflag in
|
|
* mapping->flags avoid to take the same lock twice, if more than one
|
|
* vma in this mm is backed by the same anon_vma or address_space.
|
|
*
|
|
* We take locks in following order, accordingly to comment at beginning
|
|
* of mm/rmap.c:
|
|
* - all hugetlbfs_i_mmap_rwsem_key locks (aka mapping->i_mmap_rwsem for
|
|
* hugetlb mapping);
|
|
* - all i_mmap_rwsem locks;
|
|
* - all anon_vma->rwseml
|
|
*
|
|
* We can take all locks within these types randomly because the VM code
|
|
* doesn't nest them and we protected from parallel mm_take_all_locks() by
|
|
* mm_all_locks_mutex.
|
|
*
|
|
* mm_take_all_locks() and mm_drop_all_locks are expensive operations
|
|
* that may have to take thousand of locks.
|
|
*
|
|
* mm_take_all_locks() can fail if it's interrupted by signals.
|
|
*/
|
|
int mm_take_all_locks(struct mm_struct *mm)
|
|
{
|
|
struct vm_area_struct *vma;
|
|
struct anon_vma_chain *avc;
|
|
|
|
BUG_ON(mmap_read_trylock(mm));
|
|
|
|
mutex_lock(&mm_all_locks_mutex);
|
|
|
|
for (vma = mm->mmap; vma; vma = vma->vm_next) {
|
|
if (signal_pending(current))
|
|
goto out_unlock;
|
|
if (vma->vm_file && vma->vm_file->f_mapping &&
|
|
is_vm_hugetlb_page(vma))
|
|
vm_lock_mapping(mm, vma->vm_file->f_mapping);
|
|
}
|
|
|
|
for (vma = mm->mmap; vma; vma = vma->vm_next) {
|
|
if (signal_pending(current))
|
|
goto out_unlock;
|
|
if (vma->vm_file && vma->vm_file->f_mapping &&
|
|
!is_vm_hugetlb_page(vma))
|
|
vm_lock_mapping(mm, vma->vm_file->f_mapping);
|
|
}
|
|
|
|
for (vma = mm->mmap; vma; vma = vma->vm_next) {
|
|
if (signal_pending(current))
|
|
goto out_unlock;
|
|
if (vma->anon_vma)
|
|
list_for_each_entry(avc, &vma->anon_vma_chain, same_vma)
|
|
vm_lock_anon_vma(mm, avc->anon_vma);
|
|
}
|
|
|
|
return 0;
|
|
|
|
out_unlock:
|
|
mm_drop_all_locks(mm);
|
|
return -EINTR;
|
|
}
|
|
|
|
static void vm_unlock_anon_vma(struct anon_vma *anon_vma)
|
|
{
|
|
if (test_bit(0, (unsigned long *) &anon_vma->root->rb_root.rb_root.rb_node)) {
|
|
/*
|
|
* The LSB of head.next can't change to 0 from under
|
|
* us because we hold the mm_all_locks_mutex.
|
|
*
|
|
* We must however clear the bitflag before unlocking
|
|
* the vma so the users using the anon_vma->rb_root will
|
|
* never see our bitflag.
|
|
*
|
|
* No need of atomic instructions here, head.next
|
|
* can't change from under us until we release the
|
|
* anon_vma->root->rwsem.
|
|
*/
|
|
if (!__test_and_clear_bit(0, (unsigned long *)
|
|
&anon_vma->root->rb_root.rb_root.rb_node))
|
|
BUG();
|
|
anon_vma_unlock_write(anon_vma);
|
|
}
|
|
}
|
|
|
|
static void vm_unlock_mapping(struct address_space *mapping)
|
|
{
|
|
if (test_bit(AS_MM_ALL_LOCKS, &mapping->flags)) {
|
|
/*
|
|
* AS_MM_ALL_LOCKS can't change to 0 from under us
|
|
* because we hold the mm_all_locks_mutex.
|
|
*/
|
|
i_mmap_unlock_write(mapping);
|
|
if (!test_and_clear_bit(AS_MM_ALL_LOCKS,
|
|
&mapping->flags))
|
|
BUG();
|
|
}
|
|
}
|
|
|
|
/*
|
|
* The mmap_lock cannot be released by the caller until
|
|
* mm_drop_all_locks() returns.
|
|
*/
|
|
void mm_drop_all_locks(struct mm_struct *mm)
|
|
{
|
|
struct vm_area_struct *vma;
|
|
struct anon_vma_chain *avc;
|
|
|
|
BUG_ON(mmap_read_trylock(mm));
|
|
BUG_ON(!mutex_is_locked(&mm_all_locks_mutex));
|
|
|
|
for (vma = mm->mmap; vma; vma = vma->vm_next) {
|
|
if (vma->anon_vma)
|
|
list_for_each_entry(avc, &vma->anon_vma_chain, same_vma)
|
|
vm_unlock_anon_vma(avc->anon_vma);
|
|
if (vma->vm_file && vma->vm_file->f_mapping)
|
|
vm_unlock_mapping(vma->vm_file->f_mapping);
|
|
}
|
|
|
|
mutex_unlock(&mm_all_locks_mutex);
|
|
}
|
|
|
|
/*
|
|
* initialise the percpu counter for VM
|
|
*/
|
|
void __init mmap_init(void)
|
|
{
|
|
int ret;
|
|
|
|
ret = percpu_counter_init(&vm_committed_as, 0, GFP_KERNEL);
|
|
VM_BUG_ON(ret);
|
|
}
|
|
|
|
/*
|
|
* Initialise sysctl_user_reserve_kbytes.
|
|
*
|
|
* This is intended to prevent a user from starting a single memory hogging
|
|
* process, such that they cannot recover (kill the hog) in OVERCOMMIT_NEVER
|
|
* mode.
|
|
*
|
|
* The default value is min(3% of free memory, 128MB)
|
|
* 128MB is enough to recover with sshd/login, bash, and top/kill.
|
|
*/
|
|
static int init_user_reserve(void)
|
|
{
|
|
unsigned long free_kbytes;
|
|
|
|
free_kbytes = global_zone_page_state(NR_FREE_PAGES) << (PAGE_SHIFT - 10);
|
|
|
|
sysctl_user_reserve_kbytes = min(free_kbytes / 32, 1UL << 17);
|
|
return 0;
|
|
}
|
|
subsys_initcall(init_user_reserve);
|
|
|
|
/*
|
|
* Initialise sysctl_admin_reserve_kbytes.
|
|
*
|
|
* The purpose of sysctl_admin_reserve_kbytes is to allow the sys admin
|
|
* to log in and kill a memory hogging process.
|
|
*
|
|
* Systems with more than 256MB will reserve 8MB, enough to recover
|
|
* with sshd, bash, and top in OVERCOMMIT_GUESS. Smaller systems will
|
|
* only reserve 3% of free pages by default.
|
|
*/
|
|
static int init_admin_reserve(void)
|
|
{
|
|
unsigned long free_kbytes;
|
|
|
|
free_kbytes = global_zone_page_state(NR_FREE_PAGES) << (PAGE_SHIFT - 10);
|
|
|
|
sysctl_admin_reserve_kbytes = min(free_kbytes / 32, 1UL << 13);
|
|
return 0;
|
|
}
|
|
subsys_initcall(init_admin_reserve);
|
|
|
|
/*
|
|
* Reinititalise user and admin reserves if memory is added or removed.
|
|
*
|
|
* The default user reserve max is 128MB, and the default max for the
|
|
* admin reserve is 8MB. These are usually, but not always, enough to
|
|
* enable recovery from a memory hogging process using login/sshd, a shell,
|
|
* and tools like top. It may make sense to increase or even disable the
|
|
* reserve depending on the existence of swap or variations in the recovery
|
|
* tools. So, the admin may have changed them.
|
|
*
|
|
* If memory is added and the reserves have been eliminated or increased above
|
|
* the default max, then we'll trust the admin.
|
|
*
|
|
* If memory is removed and there isn't enough free memory, then we
|
|
* need to reset the reserves.
|
|
*
|
|
* Otherwise keep the reserve set by the admin.
|
|
*/
|
|
static int reserve_mem_notifier(struct notifier_block *nb,
|
|
unsigned long action, void *data)
|
|
{
|
|
unsigned long tmp, free_kbytes;
|
|
|
|
switch (action) {
|
|
case MEM_ONLINE:
|
|
/* Default max is 128MB. Leave alone if modified by operator. */
|
|
tmp = sysctl_user_reserve_kbytes;
|
|
if (0 < tmp && tmp < (1UL << 17))
|
|
init_user_reserve();
|
|
|
|
/* Default max is 8MB. Leave alone if modified by operator. */
|
|
tmp = sysctl_admin_reserve_kbytes;
|
|
if (0 < tmp && tmp < (1UL << 13))
|
|
init_admin_reserve();
|
|
|
|
break;
|
|
case MEM_OFFLINE:
|
|
free_kbytes = global_zone_page_state(NR_FREE_PAGES) << (PAGE_SHIFT - 10);
|
|
|
|
if (sysctl_user_reserve_kbytes > free_kbytes) {
|
|
init_user_reserve();
|
|
pr_info("vm.user_reserve_kbytes reset to %lu\n",
|
|
sysctl_user_reserve_kbytes);
|
|
}
|
|
|
|
if (sysctl_admin_reserve_kbytes > free_kbytes) {
|
|
init_admin_reserve();
|
|
pr_info("vm.admin_reserve_kbytes reset to %lu\n",
|
|
sysctl_admin_reserve_kbytes);
|
|
}
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
return NOTIFY_OK;
|
|
}
|
|
|
|
static struct notifier_block reserve_mem_nb = {
|
|
.notifier_call = reserve_mem_notifier,
|
|
};
|
|
|
|
static int __meminit init_reserve_notifier(void)
|
|
{
|
|
if (register_hotmemory_notifier(&reserve_mem_nb))
|
|
pr_err("Failed registering memory add/remove notifier for admin reserve\n");
|
|
|
|
return 0;
|
|
}
|
|
subsys_initcall(init_reserve_notifier);
|