Sep
15
2 days ago
issue

Flamefire issue comment whatawurst/android_kernel_sony_msm8998

Flamefire

Merge tag 'LA.UM.7.2.r2-09300-8x98.0'

Merge tag 'LA.UM.7.2.r2-09300-8x98.0' of https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0

via

  • git subtree pull --prefix drivers/staging/qcacld-3.0/ https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0 LA.UM.7.2.r2-09300-8x98.0
  • git subtree pull --prefix drivers/staging/qca-wifi-host-cmn https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn LA.UM.7.2.r2-09300-8x98.0
  • git subtree pull --prefix drivers/staging/fw-api/ https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/fw-api LA.UM.7.2.r2-09300-8x98.0

https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn

CC @bananafunction for review

Flamefire

Great. Please ping me in those PR(s) as I'm building off my forks ATM

Sep
14
3 days ago
push

derfelot push whatawurst/android_kernel_sony_msm8998

derfelot

UPSTREAM: netfilter: x_tables: fix pointer leaks to userspace

Several netfilter matches and targets put kernel pointers into info objects, but don't set usersize in descriptors. This leads to kernel pointer leaks if a match/target is set and then read back to userspace.

Properly set usersize for these matches/targets.

Found with manual code inspection.

Bug: 120612905
Fixes: ec2318904965 ("xtables: extend matches and targets with .usersize")
Signed-off-by: Dmitry Vyukov dvyukov@google.com
Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org
Signed-off-by: Hridya Valsaraju hridya@google.com
(cherry picked from commit 1e98ffea5a8935ec040ab72299e349cb44b8defd)

Change-Id: I49071d0d767e692480760442c2fa567e462b4103

derfelot

ANDROID: xt_quota2: remove trailing junk which might have a digit in it

Make sure string only contains the characters specified by userspace.

Fix cherry-picked from xtables-extensions project

Signed-off-by: Sam Liddicott sam@liddicott.com
Bug: 196046570
Test: passed netd test suites
Fixes: 10cda83af99d ("ANDROID: netfilter: xt_quota2: adding the original quota2 from xtables-addons")
Signed-off-by: Todd Kjos tkjos@google.com
(cherry picked from https://git.code.sf.net/p/xtables-addons/xtables-addons bc2bcc383c70b293bd816c29523a952ca8736fb5)
Change-Id: I965448564906e5fbf0fe6d6414f44d9e257ea195

derfelot

ANDROID: xt_quota2: set usersize in xt_match registration object

Explicitly set what is visible to userspace

Bug: 196046570
Test: passed netd test suites
Signed-off-by: Todd Kjos tkjos@google.com
Change-Id: Iacec0ef8ae290e01f1b60508d8abcd40a3653c83

derfelot

Merge pull request #44 from Flamefire/android-quota

Cherry picks from Google Android kernel

commit sha: 1ae10f4a77c396b73b93362d2d7cb345f5e4b62e

push time in 2 days ago
push

derfelot push whatawurst/android_kernel_sony_msm8998

derfelot

proc: faster /proc/*/status

top(1) opens the following files for every PID:

/proc/*/stat
/proc/*/statm
/proc/*/status

This patch switches /proc/*/status away from seq_printf(). The result is 13.5% speedup.

Benchmark is open("/proc/self/status")+read+close 1.000.000 million times.

			BEFORE

$ perf stat -r 10 taskset -c 3 ./proc-self-status

Performance counter stats for 'taskset -c 3 ./proc-self-status' (10 runs):

  10748.474301      task-clock (msec)         #    0.954 CPUs utilized            ( +-  0.91% )
            12      context-switches          #    0.001 K/sec                    ( +-  1.09% )
             1      cpu-migrations            #    0.000 K/sec
           104      page-faults               #    0.010 K/sec                    ( +-  0.45% )
37,424,127,876      cycles                    #    3.482 GHz                      ( +-  0.04% )
 8,453,010,029      stalled-cycles-frontend   #   22.59% frontend cycles idle     ( +-  0.12% )
 3,747,609,427      stalled-cycles-backend    #  10.01% backend cycles idle       ( +-  0.68% )
65,632,764,147      instructions              #    1.75  insn per cycle
                                              #    0.13  stalled cycles per insn  ( +-  0.00% )
13,981,324,775      branches                  # 1300.773 M/sec                    ( +-  0.00% )
   138,967,110      branch-misses             #    0.99% of all branches          ( +-  0.18% )

  11.263885428 seconds time elapsed                                          ( +-  0.04% )
  ^^^^^^^^^^^^

			AFTER

$ perf stat -r 10 taskset -c 3 ./proc-self-status

Performance counter stats for 'taskset -c 3 ./proc-self-status' (10 runs):

   9010.521776      task-clock (msec)         #    0.925 CPUs utilized            ( +-  1.54% )
            11      context-switches          #    0.001 K/sec                    ( +-  1.54% )
             1      cpu-migrations            #    0.000 K/sec                    ( +- 11.11% )
           103      page-faults               #    0.011 K/sec                    ( +-  0.60% )
32,352,310,603      cycles                    #    3.591 GHz                      ( +-  0.07% )
 7,849,199,578      stalled-cycles-frontend   #   24.26% frontend cycles idle     ( +-  0.27% )
 3,269,738,842      stalled-cycles-backend    #  10.11% backend cycles idle       ( +-  0.73% )
56,012,163,567      instructions              #    1.73  insn per cycle
                                              #    0.14  stalled cycles per insn  ( +-  0.00% )
11,735,778,795      branches                  # 1302.453 M/sec                    ( +-  0.00% )
    98,084,459      branch-misses             #    0.84% of all branches          ( +-  0.28% )

   9.741247736 seconds time elapsed                                          ( +-  0.07% )
   ^^^^^^^^^^^

Link: http://lkml.kernel.org/r/20160806125608.GB1187@p183.telecom.by
Signed-off-by: Alexey Dobriyan adobriyan@gmail.com
Cc: Joe Perches joe@perches.com
Cc: Andi Kleen andi@firstfloor.org
Cc: Al Viro viro@zeniv.linux.org.uk
Signed-off-by: Andrew Morton akpm@linux-foundation.org
Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
Change-Id: I97f5017503ec1ed13bc635fbd96506b13b98e36f

derfelot

seq/proc: modify seq_put_decimal_[u]ll to take a const char *, not char

Allow some seq_puts removals by taking a string instead of a single char.

[akpm@linux-foundation.org: update vmstat_show(), per Joe]
Link: http://lkml.kernel.org/r/667e1cf3d436de91a5698170a1e98d882905e956.1470704995.git.joe@perches.com
Signed-off-by: Joe Perches joe@perches.com
Cc: Joe Perches joe@perches.com
Cc: Andi Kleen andi@firstfloor.org
Cc: Al Viro viro@zeniv.linux.org.uk
Signed-off-by: Andrew Morton akpm@linux-foundation.org
Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
Change-Id: Iff69c72cb3ed6a73fe0348f65f22bfe3d1ee00c7

derfelot

ANDROID: cpufreq: times: optimize proc files

The majority of the time spent reading /proc/uid_time_in_state is due to seq_printf calls. Use the faster seq_put_* variations instead.

Also skip empty hash buckets in uid_seq_next for a further performance improvement.

Bug: 111216804
Test: Read /proc/uid_time_in_state and confirm output is sane
Test: Compare read times to confirm performance improvement
Change-Id: If8783b498ed73d2ddb186a49438af41ac5ab9957
Signed-off-by: Connor O'Brien connoro@google.com

derfelot

diag: Prevent resource leakage of task structure

The task structure with reference count incremented while dci client is registered should be updated with reference count decremented in failure case of registration.

Change-Id: I093229d83dca2699e0343224756895eff0915e38
Signed-off-by: Manoj Prabhu B bmanoj@codeaurora.org
CVE-2020-11160

derfelot

msm:ADSPRPC :Fix to avoid Use after free in fastrpc_internal_munmap

Added a check to validate map before freeing it to avoid Use after free scenario.

Change-Id: Ic723a4fe964a4909119663500018f2a07976105b
Signed-off-by: Vamsi krishna Gattupalli vgattupa@codeaurora.org
CVE-2021-1927

derfelot

Revert "scsi: ufs: Release clock if DMA map fails"

  • Reason for revert: "scsi: ufs: add support for hibern8 on idle"
  • (ab18ee44ce262018da8bf4c18b8e642e152dac89) added ufshcd_release_all(hba) already

This reverts commit 992203a7c0d58bfb160a2a648134773583132117.

Change-Id: Icafaa40c367d1a3cfae0ef88abb8c97613d1405d

derfelot

Update cpu_time_stat for changed API

Change-Id: I12366a069c479ca0ea6f7aecf00f208c9edffbd6

derfelot

Merge pull request #46 from Flamefire/lineage-misc-fixes

Lineage misc fixes

commit sha: c89e0e6bc0c5cd269459d2d8b5cc28b2f56fe848

push time in 2 days ago
push

derfelot push whatawurst/android_kernel_sony_msm8998

derfelot

futex: Rename free_pi_state() to put_pi_state()

[ Upstream commit 29e9ee5d48c35d6cf8afe09bdf03f77125c9ac11 ]

free_pi_state() is confusing as it is in fact only freeing/caching the pi state when the last reference is gone. Rename it to put_pi_state() which reflects better what it is doing.

Signed-off-by: Thomas Gleixner tglx@linutronix.de
Cc: Peter Zijlstra peterz@infradead.org
Cc: Darren Hart darren@dvhart.com
Cc: Davidlohr Bueso dave@stgolabs.net
Cc: Bhuvanesh_Surachari@mentor.com
Cc: Andy Lowe Andy_Lowe@mentor.com
Link: http://lkml.kernel.org/r/20151219200607.259636467@linutronix.de
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com
Acked-by: Joe Korty joe.korty@concurrent-rt.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

derfelot

futex: Cleanup refcounting

[ Upstream commit bf92cf3a5100f5a0d5f9834787b130159397cb22 ]

Add a put_pi_state() as counterpart for get_pi_state() so the refcounting becomes consistent.

Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org
Cc: juri.lelli@arm.com
Cc: bigeasy@linutronix.de
Cc: xlpang@redhat.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: jdesfossez@efficios.com
Cc: dvhart@infradead.org
Cc: bristot@redhat.com
Link: http://lkml.kernel.org/r/20170322104151.801778516@infradead.org
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com
Acked-by: Joe Korty joe.korty@concurrent-rt.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

derfelot

futex,rt_mutex: Introduce rt_mutex_init_waiter()

[ Upstream commit 50809358dd7199aa7ce232f6877dd09ec30ef374 ]

Since there's already two copies of this code, introduce a helper now before adding a third one.

Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org
Cc: juri.lelli@arm.com
Cc: bigeasy@linutronix.de
Cc: xlpang@redhat.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: jdesfossez@efficios.com
Cc: dvhart@infradead.org
Cc: bristot@redhat.com
Link: http://lkml.kernel.org/r/20170322104151.950039479@infradead.org
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com
Acked-by: Joe Korty joe.korty@concurrent-rt.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

derfelot

futex: Pull rt_mutex_futex_unlock() out from under hb->lock

[ Upstream commit 16ffa12d742534d4ff73e8b3a4e81c1de39196f0 ]

There's a number of 'interesting' problems, all caused by holding hb->lock while doing the rt_mutex_unlock() equivalent.

Notably:

  • a PI inversion on hb->lock; and,

  • a SCHED_DEADLINE crash because of pointer instability.

The previous changes:

  • changed the locking rules to cover {uval,pi_state} with wait_lock.

  • allow to do rt_mutex_futex_unlock() without dropping wait_lock; which in turn allows to rely on wait_lock atomicity completely.

  • simplified the waiter conundrum.

It's now sufficient to hold rtmutex::wait_lock and a reference on the pi_state to protect the state consistency, so hb->lock can be dropped before calling rt_mutex_futex_unlock().

Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org
Cc: juri.lelli@arm.com
Cc: bigeasy@linutronix.de
Cc: xlpang@redhat.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: jdesfossez@efficios.com
Cc: dvhart@infradead.org
Cc: bristot@redhat.com
Link: http://lkml.kernel.org/r/20170322104151.900002056@infradead.org
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com
Acked-by: Joe Korty joe.korty@concurrent-rt.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

derfelot

futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock()

[ Upstream commit cfafcd117da0216520568c195cb2f6cd1980c4bb ]

By changing futex_lock_pi() to use rt_mutex_*_proxy_lock() all wait_list modifications are done under both hb->lock and wait_lock.

This closes the obvious interleave pattern between futex_lock_pi() and futex_unlock_pi(), but not entirely so. See below:

Before:

futex_lock_pi()			futex_unlock_pi()
unlock hb->lock

			  lock hb->lock
			  unlock hb->lock

			  lock rt_mutex->wait_lock
			  unlock rt_mutex_wait_lock
			    -EAGAIN

lock rt_mutex->wait_lock
list_add
unlock rt_mutex->wait_lock

schedule()

lock rt_mutex->wait_lock
list_del
unlock rt_mutex->wait_lock

			  <idem>
			    -EAGAIN

lock hb->lock

After:

futex_lock_pi()			futex_unlock_pi()

lock hb->lock
lock rt_mutex->wait_lock
list_add
unlock rt_mutex->wait_lock
unlock hb->lock

schedule()
			  lock hb->lock
			  unlock hb->lock
lock hb->lock
lock rt_mutex->wait_lock
list_del
unlock rt_mutex->wait_lock

			  lock rt_mutex->wait_lock
			  unlock rt_mutex_wait_lock
			    -EAGAIN

unlock hb->lock

It does however solve the earlier starvation/live-lock scenario which got introduced with the -EAGAIN since unlike the before scenario; where the -EAGAIN happens while futex_unlock_pi() doesn't hold any locks; in the after scenario it happens while futex_unlock_pi() actually holds a lock, and then it is serialized on that lock.

Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org
Cc: juri.lelli@arm.com
Cc: bigeasy@linutronix.de
Cc: xlpang@redhat.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: jdesfossez@efficios.com
Cc: dvhart@infradead.org
Cc: bristot@redhat.com
Link: http://lkml.kernel.org/r/20170322104152.062785528@infradead.org
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com
Acked-by: Joe Korty joe.korty@concurrent-rt.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

derfelot

futex: Futex_unlock_pi() determinism

[ Upstream commit bebe5b514345f09be2c15e414d076b02ecb9cce8 ]

The problem with returning -EAGAIN when the waiter state mismatches is that it becomes very hard to prove a bounded execution time on the operation. And seeing that this is a RT operation, this is somewhat important.

While in practise; given the previous patch; it will be very unlikely to ever really take more than one or two rounds, proving so becomes rather hard.

However, now that modifying wait_list is done while holding both hb->lock and wait_lock, the scenario can be avoided entirely by acquiring wait_lock while still holding hb-lock. Doing a hand-over, without leaving a hole.

Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org
Cc: juri.lelli@arm.com
Cc: bigeasy@linutronix.de
Cc: xlpang@redhat.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: jdesfossez@efficios.com
Cc: dvhart@infradead.org
Cc: bristot@redhat.com
Link: http://lkml.kernel.org/r/20170322104152.112378812@infradead.org
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com
Acked-by: Joe Korty joe.korty@concurrent-rt.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

derfelot

rtmutex: Make wait_lock irq safe

[ Upstream commit b4abf91047cf054f203dcfac97e1038388826937 ]

Sasha reported a lockdep splat about a potential deadlock between RCU boosting rtmutex and the posix timer it_lock.

CPU0					CPU1

rtmutex_lock(&rcu->rt_mutex)
  spin_lock(&rcu->rt_mutex.wait_lock)
					local_irq_disable()
					spin_lock(&timer->it_lock)
					spin_lock(&rcu->mutex.wait_lock)
--> Interrupt
    spin_lock(&timer->it_lock)

This is caused by the following code sequence on CPU1

 rcu_read_lock()
 x = lookup();
 if (x)
 	spin_lock_irqsave(&x->it_lock);
 rcu_read_unlock();
 return x;

We could fix that in the posix timer code by keeping rcu read locked across the spinlocked and irq disabled section, but the above sequence is common and there is no reason not to support it.

Taking rt_mutex.wait_lock irq safe prevents the deadlock.

Reported-by: Sasha Levin sasha.levin@oracle.com
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Cc: Peter Zijlstra peterz@infradead.org
Cc: Paul McKenney paulmck@linux.vnet.ibm.com
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com
Acked-by: Joe Korty joe.korty@concurrent-rt.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

derfelot

futex: Handle transient "ownerless" rtmutex state correctly

[ Upstream commit 9f5d1c336a10c0d24e83e40b4c1b9539f7dba627 ]

Gratian managed to trigger the BUG_ON(!newowner) in fixup_pi_state_owner(). This is one possible chain of events leading to this:

Task Prio       Operation
T1   120        lock(F)
T2   120        lock(F)   -> blocks (top waiter)
T3   50 (RT)    lock(F)   -> boosts T1 and blocks (new top waiter)
XX              timeout/  -> wakes T2
                signal
T1   50         unlock(F) -> wakes T3 (rtmutex->owner == NULL, waiter bit is set)
T2   120        cleanup   -> try_to_take_mutex() fails because T3 is the top waiter
                             and the lower priority T2 cannot steal the lock.
                          -> fixup_pi_state_owner() sees newowner == NULL -> BUG_ON()

The comment states that this is invalid and rt_mutex_real_owner() must return a non NULL owner when the trylock failed, but in case of a queued and woken up waiter rt_mutex_real_owner() == NULL is a valid transient state. The higher priority waiter has simply not yet managed to take over the rtmutex.

The BUG_ON() is therefore wrong and this is just another retry condition in fixup_pi_state_owner().

Drop the locks, so that T3 can make progress, and then try the fixup again.

Gratian provided a great analysis, traces and a reproducer. The analysis is to the point, but it confused the hell out of that tglx dude who had to page in all the futex horrors again. Condensed version is above.

[ tglx: Wrote comment and changelog ]

Fixes: c1e2f0eaf015 ("futex: Avoid violating the 10th rule of futex")
Reported-by: Gratian Crisan gratian.crisan@ni.com
Signed-off-by: Mike Galbraith efault@gmx.de
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/87a6w6x7bb.fsf@ni.com
Link: https://lore.kernel.org/r/87sg9pkvf7.fsf@nanos.tec.linutronix.de
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com
Acked-by: Joe Korty joe.korty@concurrent-rt.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

derfelot

futex: Avoid freeing an active timer

[ Upstream commit 97181f9bd57405b879403763284537e27d46963d ]

Alexander reported a hrtimer debug_object splat:

ODEBUG: free active (active state 0) object type: hrtimer hint: hrtimer_wakeup (kernel/time/hrtimer.c:1423)

debug_object_free (lib/debugobjects.c:603)
destroy_hrtimer_on_stack (kernel/time/hrtimer.c:427)
futex_lock_pi (kernel/futex.c:2740)
do_futex (kernel/futex.c:3399)
SyS_futex (kernel/futex.c:3447 kernel/futex.c:3415)
do_syscall_64 (arch/x86/entry/common.c:284)
entry_SYSCALL64_slow_path (arch/x86/entry/entry_64.S:249)

Which was caused by commit:

cfafcd117da0 ("futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock()")

... losing the hrtimer_cancel() in the shuffle. Where previously the hrtimer_cancel() was done by rt_mutex_slowlock() we now need to do it manually.

Reported-by: Alexander Levin alexander.levin@verizon.com
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org
Cc: Linus Torvalds torvalds@linux-foundation.org
Cc: Peter Zijlstra peterz@infradead.org
Fixes: cfafcd117da0 ("futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock()")
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1704101802370.2906@nanos
Signed-off-by: Ingo Molnar mingo@kernel.org
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com
Acked-by: Joe Korty joe.korty@concurrent-rt.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

derfelot

futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock()

[ Upstream commit 04dc1b2fff4e96cb4142227fbdc63c8871ad4ed9 ]

Markus reported that the glibc/nptl/tst-robustpi8 test was failing after commit:

cfafcd117da0 ("futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock()")

The following trace shows the problem:

ld-linux-x86-64-2161 [019] .... 410.760971: SyS_futex: 00007ffbeb76b028: 80000875 op=FUTEX_LOCK_PI
ld-linux-x86-64-2161 [019] ...1 410.760972: lock_pi_update_atomic: 00007ffbeb76b028: curval=80000875 uval=80000875 newval=80000875 ret=0
ld-linux-x86-64-2165 [011] .... 410.760978: SyS_futex: 00007ffbeb76b028: 80000875 op=FUTEX_UNLOCK_PI
ld-linux-x86-64-2165 [011] d..1 410.760979: do_futex: 00007ffbeb76b028: curval=80000875 uval=80000875 newval=80000871 ret=0
ld-linux-x86-64-2165 [011] .... 410.760980: SyS_futex: 00007ffbeb76b028: 80000871 ret=0000
ld-linux-x86-64-2161 [019] .... 410.760980: SyS_futex: 00007ffbeb76b028: 80000871 ret=ETIMEDOUT

Task 2165 does an UNLOCK_PI, assigning the lock to the waiter task 2161 which then returns with -ETIMEDOUT. That wrecks the lock state, because now the owner isn't aware it acquired the lock and removes the pending robust list entry.

If 2161 is killed, the robust list will not clear out this futex and the subsequent acquire on this futex will then (correctly) result in -ESRCH which is unexpected by glibc, triggers an internal assertion and dies.

Task 2161		Task 2165

rt_mutex_wait_proxy_lock()
 timeout();
 /* T2161 is still queued in the waiter list */
 return -ETIMEDOUT;

			futex_unlock_pi()
			spin_lock(hb->lock);
			rtmutex_unlock()
			  remove_rtmutex_waiter(T2161);
			   mark_lock_available();
			/* Make the next waiter owner of the user space side */
			futex_uval = 2161;
			spin_unlock(hb->lock);

spin_lock(hb->lock);
rt_mutex_cleanup_proxy_lock()
  if (rtmutex_owner() !== current)
     ...
     return FAIL;
....
return -ETIMEOUT;

This means that rt_mutex_cleanup_proxy_lock() needs to call try_to_take_rt_mutex() so it can take over the rtmutex correctly which was assigned by the waker. If the rtmutex is owned by some other task then this call is harmless and just confirms that the waiter is not able to acquire it.

While there, fix what looks like a merge error which resulted in rt_mutex_cleanup_proxy_lock() having two calls to fixup_rt_mutex_waiters() and rt_mutex_wait_proxy_lock() not having any. Both should have one, since both potentially touch the waiter list.

Fixes: 38d589f2fd08 ("futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock()")
Reported-by: Markus Trippelsdorf markus@trippelsdorf.de
Bug-Spotted-by: Thomas Gleixner tglx@linutronix.de
Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org
Cc: Florian Weimer fweimer@redhat.com
Cc: Darren Hart dvhart@infradead.org
Cc: Sebastian Andrzej Siewior bigeasy@linutronix.de
Cc: Markus Trippelsdorf markus@trippelsdorf.de
Link: http://lkml.kernel.org/r/20170519154850.mlomgdsd26drq5j6@hirez.programming.kicks-ass.net
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com
Acked-by: Joe Korty joe.korty@concurrent-rt.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

derfelot

rcu: Update documentation of rcu_read_unlock()

[ Upstream commit ec84b27f9b3b569f9235413d1945a2006b97b0aa ]

Since commit b4abf91047cf ("rtmutex: Make wait_lock irq safe") the explanation in rcu_read_unlock() documentation about irq unsafe rtmutex wait_lock is no longer valid.

Remove it to prevent kernel developers reading the documentation to rely on it.

Suggested-by: Eric W. Biederman ebiederm@xmission.com
Signed-off-by: Anna-Maria Gleixner anna-maria@linutronix.de
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Reviewed-by: Paul E. McKenney paulmck@linux.vnet.ibm.com
Acked-by: "Eric W. Biederman" ebiederm@xmission.com
Cc: bigeasy@linutronix.de
Link: https://lkml.kernel.org/r/20180525090507.22248-2-anna-maria@linutronix.de
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com
Acked-by: Joe Korty joe.korty@concurrent-rt.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

derfelot

Linux 4.4.280

Link: https://lore.kernel.org/r/20210808072217.322468704@linuxfoundation.org
Tested-by: Guenter Roeck linux@roeck-us.net
Tested-by: Linux Kernel Functional Testing lkft@linaro.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

derfelot

ALSA: seq: Fix racy deletion of subscriber

commit 97367c97226aab8b298ada954ce12659ee3ad2a4 upstream.

It turned out that the current implementation of the port subscription is racy. The subscription contains two linked lists, and we have to add to or delete from both lists. Since both connection and disconnection procedures perform the same order for those two lists (i.e. src list, then dest list), when a deletion happens during a connection procedure, the src list may be deleted before the dest list addition completes, and this may lead to a use-after-free or an Oops, even though the access to both lists are protected via mutex.

The simple workaround for this race is to change the access order for the disconnection, namely, dest list, then src list. This assures that the connection has been established when disconnecting, and also the concurrent deletion can be avoided.

Reported-and-tested-by: folkert folkert@vanheusden.com
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210801182754.GP890690@belle.intranet.vanheusden.com
Link: https://lore.kernel.org/r/20210803114312.2536-1-tiwai@suse.de
Signed-off-by: Takashi Iwai tiwai@suse.de
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

derfelot

scsi: sr: Return correct event when media event code is 3

[ Upstream commit 5c04243a56a7977185b00400e59ca7e108004faf ]

Media event code 3 is defined in the MMC-6 spec as follows:

"MediaRemoval: The media has been removed from the specified slot, and the Drive is unable to access the media without user intervention. This applies to media changers only."

This indicated that treating the condition as an EJECT_REQUEST was appropriate. However, doing so had the unfortunate side-effect of causing the drive tray to be physically ejected on resume. Instead treat the event as a MEDIA_CHANGE request.

Fixes: 7dd753ca59d6 ("scsi: sr: Return appropriate error code when disk is ejected")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=213759
Link: https://lore.kernel.org/r/20210726114913.6760-1-limanyi@uniontech.com
Signed-off-by: Li Manyi limanyi@uniontech.com
Signed-off-by: Martin K. Petersen martin.petersen@oracle.com
Signed-off-by: Sasha Levin sashal@kernel.org

derfelot

media: videobuf2-core: dequeue if start_streaming fails

[ Upstream commit c592b46907adbeb81243f7eb7a468c36692658b8 ]

If a vb2_queue sets q->min_buffers_needed then when the number of queued buffers reaches q->min_buffers_needed, vb2_core_qbuf() will call the start_streaming() callback. If start_streaming() returns an error, then that error was just returned by vb2_core_qbuf(), but the buffer was still queued. However, userspace expects that if VIDIOC_QBUF fails, the buffer is returned dequeued.

So if start_streaming() fails, then remove the buffer from the queue, thus avoiding this unwanted side-effect.

Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl
Reviewed-by: Laurent Pinchart laurent.pinchart@ideasonboard.com
Tested-by: Kieran Bingham kieran.bingham@ideasonboard.com
Fixes: b3379c6201bb ("[media] vb2: only call start_streaming if sufficient buffers are queued")
Signed-off-by: Mauro Carvalho Chehab mchehab+huawei@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org

derfelot

net: natsemi: Fix missing pci_disable_device() in probe and remove

[ Upstream commit 7fe74dfd41c428afb24e2e615470832fa997ff14 ]

Replace pci_enable_device() with pcim_enable_device(), pci_disable_device() and pci_release_regions() will be called in release automatically.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Hulk Robot hulkci@huawei.com
Signed-off-by: Wang Hai wanghai38@huawei.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Sasha Levin sashal@kernel.org

derfelot

mips: Fix non-POSIX regexp

[ Upstream commit 28bbbb9875a35975904e46f9b06fa689d051b290 ]

When cross compiling a MIPS kernel on a BSD based HOSTCC leads to errors like

  SYNC    include/config/auto.conf.cmd - due to: .config
egrep: empty (sub)expression
  UPD     include/config/kernel.release
  HOSTCC  scripts/dtc/dtc.o - due to target missing

It turns out that egrep uses this egrep pattern:

	(|MINOR_|PATCHLEVEL_)

This is not valid syntax or gives undefined results according to POSIX 9.5.3 ERE Grammar

https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html

It seems to be silently accepted by the Linux egrep implementation while a BSD host complains.

Such patterns can be replaced by a transformation like

"(|p1|p2)" -> "(p1|p2)?"

Fixes: 48c35b2d245f ("[MIPS] There is no GNUC_MAJOR")
Signed-off-by: H. Nikolaus Schaller hns@goldelico.com
Signed-off-by: Masahiro Yamada masahiroy@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org

derfelot

bnx2x: fix an error code in bnx2x_nic_load()

[ Upstream commit fb653827c758725b149b5c924a5eb50ab4812750 ]

Set the error code if bnx2x_alloc_fw_stats_mem() fails. The current code returns success.

Fixes: ad5afc89365e ("bnx2x: Separate VF and PF logic")
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Sasha Levin sashal@kernel.org

derfelot

net: pegasus: fix uninit-value in get_interrupt_interval

[ Upstream commit af35fc37354cda3c9c8cc4961b1d24bdc9d27903 ]

Syzbot reported uninit value pegasus_probe(). The problem was in missing error handling.

get_interrupt_interval() internally calls read_eprom_word() which can fail in some cases. For example: failed to receive usb control message. These cases should be handled to prevent uninit value bug, since read_eprom_word() will not initialize passed stack variable in case of internal failure.

Fail log:

BUG: KMSAN: uninit-value in get_interrupt_interval drivers/net/usb/pegasus.c:746 [inline]
BUG: KMSAN: uninit-value in pegasus_probe+0x10e7/0x4080 drivers/net/usb/pegasus.c:1152
CPU: 1 PID: 825 Comm: kworker/1:1 Not tainted 5.12.0-rc6-syzkaller #0
...
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x24c/0x2e0 lib/dump_stack.c:120
 kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x5c/0xa0 mm/kmsan/kmsan_instr.c:197
 get_interrupt_interval drivers/net/usb/pegasus.c:746 [inline]
 pegasus_probe+0x10e7/0x4080 drivers/net/usb/pegasus.c:1152
....

Local variable ----data.i@pegasus_probe created at:
 get_interrupt_interval drivers/net/usb/pegasus.c:1151 [inline]
 pegasus_probe+0xe57/0x4080 drivers/net/usb/pegasus.c:1152
 get_interrupt_interval drivers/net/usb/pegasus.c:1151 [inline]
 pegasus_probe+0xe57/0x4080 drivers/net/usb/pegasus.c:1152

Reported-and-tested-by: syzbot+02c9f70f3afae308464a@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Pavel Skripkin paskripkin@gmail.com
Link: https://lore.kernel.org/r/20210804143005.439-1-paskripkin@gmail.com
Signed-off-by: Jakub Kicinski kuba@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org

derfelot

net: vxge: fix use-after-free in vxge_device_unregister

[ Upstream commit 942e560a3d3862dd5dee1411dbdd7097d29b8416 ]

Smatch says:
drivers/net/ethernet/neterion/vxge/vxge-main.c:3518 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
drivers/net/ethernet/neterion/vxge/vxge-main.c:3518 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
drivers/net/ethernet/neterion/vxge/vxge-main.c:3520 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
drivers/net/ethernet/neterion/vxge/vxge-main.c:3520 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);

Since the vdev pointer is netdev private data, accessing it after the free_netdev() call can cause a use-after-free bug. Fix it by moving the free_netdev() call to the end of the function.

Fixes: 6cca200362b4 ("vxge: cleanup probe error paths")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

commit sha: 9b3a9a3966e30fd467e74aef56ff7f6ecbfa616b

push time in 2 days ago
pull request

derfelot pull request whatawurst/android_kernel_sony_msm8998

derfelot

Kernel 4.4.283 update

Merged the new tag

push

derfelot push whatawurst/android_kernel_sony_msm8998

derfelot

Merge f5421bd1a8234dc7d9a95fc4fdaa5ae41befa8e4 on remote branch

Change-Id: Ia7af33c78332c6ddb6d324743cd604b61e443bed

derfelot

Merge cac1fc5e5a665df80170c0d74ea33269ae75ded7 on remote branch

Change-Id: Ib6798496d64b031368ed889d09cf2078f4e13b4f

derfelot

Merge 382e54f122beaf93fd990d974bb77774c34acb3c on remote branch

Change-Id: Ie380f8ead79a9c279bc11fa62c1425946898d048

derfelot

Merge 4f7147b112720eb53aa088b2e40a57c07e2827d7 on remote branch

Change-Id: I107343e272b7adf94a3147e253cd17f10c612b29

derfelot

Merge f93a7f538e10faeb969e6a96cf68982ae5364087 on remote branch

Change-Id: Ie7dff735d8a76859ca19d5bac65205d3167daea2

derfelot

Merge 21a2827a62cebcc49e4a606bfadce3c6110a514f on remote branch

Change-Id: Icb250a9ad822486bab9437b1eebdfcaf7e0f1431

derfelot

Merge ab9f60b51d5e33daaaf95bff8fa07ce604a18223 on remote branch

Change-Id: If112ddd2ea16ef0c3db2d60e5b9cb1ddeb84189c

derfelot

Merge 0da2b18f8a49ca2c93c9cb6428546b3729f7af0f on remote branch

Change-Id: I20981cf57a198ede6a9940f4c20c01d11af042a2

derfelot

Merge 1083615c2ba0f9f973cc778082f842775e55e19b on remote branch

Change-Id: I661a7ddb411565378bf526f7b960ea536c23eb74

derfelot

Merge bdca97fb188e7c1b0c829dfa2978e5a8e4ddcd5b on remote branch

Change-Id: I17eabc85b2fb2e99ca391efa4abbbf97c0fe374e

derfelot

Merge ece8bc124d708f8bc5a83de3d0b721a04e018cb5 on remote branch

Change-Id: I0189009585bf7b889df4ae90bae2272766082628

derfelot

Merge 3f97d298ee0c3a76e1de529cf15680086c26b975 on remote branch

Change-Id: I8092ee9905dfc83a25abc1b223cd76fb670a5d08

derfelot

Merge a4c2a161be312c852c4e0b649d6ebf731a9a6f86 on remote branch

Change-Id: I759d284b8ec4bc521247b938f519366984c34964

derfelot

qcacld-3.0: Avoid NULL pointer dereference for frag_indication

Avoid NULL pointer dereference for frag indication in T2H msg.

Change-Id: I9c1baf682fc0b52cbf70a4fbcca5be7585c3d02a
CRs-Fixed: 2501146

derfelot

Merge a8dbcb2407602e74ba4ddc21fc2b63619f8c06b2 on remote branch

Change-Id: Ie50db9ac76a06672346b80850adc34de5ff6e2fe

derfelot

Merge a97a917c1a361a11d8b40490aaf0d885e1dd1632 on remote branch

Change-Id: I03112b21430880707be1ec1b728d66c7beb14de4

derfelot

Merge d625fb696695fa3587c4985f3974e8a9ea40d920 on remote branch

Change-Id: Id315245c4c63cbf33241233661abe5a854a3cb5b

derfelot

Merge 9e1c106692a7facb611754274b7d5720718cf99f on remote branch

Change-Id: I4c427986875d7526aab6d0997215ae9d5032a16e

derfelot

Merge 700a1204af197134f49fdbe3a536acb3603407cc on remote branch

Change-Id: I0a6e626595cc5f62a3a37b337d56aa216c7eb0eb

derfelot

Merge 220041f19e8b30674ed8dd18b3f574cfbc71f7f1 on remote branch

Change-Id: I34d1e358c0c74de5c71d4a8e50d2d856bd61b724

commit sha: bb7798cbca68b0a79bcc6b8554ac7209f5b70fa3

push time in 2 days ago
pull request

derfelot pull request whatawurst/android_kernel_sony_msm8998

derfelot

Merge tag 'LA.UM.7.2.r2-09300-8x98.0'

Merge tag 'LA.UM.7.2.r2-09300-8x98.0' of https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0

via

  • git subtree pull --prefix drivers/staging/qcacld-3.0/ https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0 LA.UM.7.2.r2-09300-8x98.0
  • git subtree pull --prefix drivers/staging/qca-wifi-host-cmn https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn LA.UM.7.2.r2-09300-8x98.0
  • git subtree pull --prefix drivers/staging/fw-api/ https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/fw-api LA.UM.7.2.r2-09300-8x98.0

https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn

CC @bananafunction for review