- Jul 04, 2024
-
-
Mostafa Saleh authored
AoC is only controlled by TZ. However, SysMMU has an emulation feature that can be misused to read from arbitrary memory locations, and with SysMMU under the control of the kernel, we need to configure S2MPU to block such potentially malicious transactions. Add the AoC S2MPU with the new flag “deny-all” which would mainly unmap the S2MPU interface and configure it to deny all traffic. Bug: 342511931 Change-Id: I38a1a2af556eaca83be3bd93db1b5dd400034255 Signed-off-by:
Mostafa Saleh <smostafa@google.com>
-
Mostafa Saleh authored
Add "deny-all" property for S2MPUs, this has the same purpose as other branches but implemented in a slightly different way. Mainly, we want to ensure that this device is not accessible from host and in deny-all state, at probe the device is set to deny state and then all PM calls are blocked so the hypervisor would never touch any of its MMIO. But they are registered with the hypervisor so they are not accessible from host. Bug: 342511931 Change-Id: Id8a38b38310ec950841074b288797041355a3ec7 Signed-off-by:
Mostafa Saleh <smostafa@google.com>
-
- Jun 25, 2024
-
-
Woody Lin authored
Assigns device data to `s3c_wdt[cluster_index]` only when probe function completes. Several functions of s3c2410_wdt use the existence of `s3c_wdt[*]` to decide whether the device data is ready to be accessed. This causes an invalid access issue as long as the probe function puts device data to `s3c_wdt[cluster_index]` before completely preparing the content. Fixes the issue by rearranging the assignment order. Bug: 342585125 Change-Id: Idb4c3b71fb2e0518725c697db01e708aa0c7c86b Signed-off-by:
Woody Lin <woodylin@google.com> (cherry picked from commit d7bd15571d51e658a081d98dfbcc17e3aa104585)
-
- Jun 21, 2024
-
-
Pindar Yang authored
Merge android13-5.10-2024-05 ab/11971276 into android13-gs-pixel-5.10-24Q3 [ DO NOT MERGE ANYWHERE ] Merge SHA: 28a6e1ad ANDROID: 16K: Only check basename of linker context Bug: 330767927 Bug: 299190787 (ACK) Bug: 330767927 (ACK) Bug: 335584973 (ACK) Bug: 336226035 (ACK) Bug: 345872992 (ACK) Bug: 347106837 (ACK) Change-Id: I0e651fe0318d2e6b66d2281cc327767c2faa5b49 Signed-off-by:
Pindar Yang <pindaryang@google.com>
-
- Jun 14, 2024
-
-
Kalesh Singh authored
Depending on the platform binary being executed, the linker (interpreter) requested can be one of:
  1) /system/bin/bootstrap/linker64
  2) /system/bin/linker64
  3) /apex/com.android.runtime/bin/linker64
Relax the check to the basename (linker64), instead of the path. Bug: 330767927 Bug: 335584973 Bug: 347106837 Change-Id: I4a1f95b7cecd126f85ad8cefd9ff10d272947f9e Signed-off-by:
Kalesh Singh <kaleshsingh@google.com> (cherry picked from commit 38965378)
-
- Jun 11, 2024
-
-
Kuniyuki Iwashima authored
[ Upstream commit 97af84a6 ] When touching unix_sk(sk)->inflight, we are always under spin_lock(&unix_gc_lock). Let's convert unix_sk(sk)->inflight to the normal unsigned long. Bug: 336226035 Signed-off-by:
Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by:
Simon Horman <horms@kernel.org> Link: https://lore.kernel.org/r/20240123170856.41348-3-kuniyu@amazon.com Signed-off-by:
Jakub Kicinski <kuba@kernel.org> Stable-dep-of: 47d8ac01 ("af_unix: Fix garbage collector racing against connect()") Signed-off-by:
Sasha Levin <sashal@kernel.org> (cherry picked from commit 301fdbaa0bba4653570f07789909939f977a7620) Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: I0d965d5f2a863d798c06de9f21d0467f256b538e
-
Robin Hsu authored
Pixel MM Metrics: add the missing symbol 'seq_put_decimal_ll' and re-do update list Bug: 299190787 Bug: 345872992 Test: local build Change-Id: I005ccfa15cee8252bc51242460bbab9b7d0eb2ab Signed-off-by:
Robin Hsu <robinhsu@google.com> (cherry-pick from commit 8b3b0f2a)
-
- Jun 06, 2024
-
-
Pindar Yang authored
Merge android13-5.10-2024-05 ab/11918793 into android13-gs-pixel-5.10-24Q3 [ DO NOT MERGE ANYWHERE ] Merge SHA: dc586962 ANDROID: ABI fixup for abi break in struct dst_ops Bug: 343727534 Bug: 299190787 (ACK) Bug: 343363380 (ACK) Bug: 343727534 (ACK) Bug: 344531723 (ACK) Change-Id: I073af721f6ca4d418c690bdd6612568730c5b3cd Signed-off-by:
Pindar Yang <pindaryang@google.com>
-
- Jun 05, 2024
-
-
Seungchul Kim authored
ref_info of mfc_dec is allocated as size of MFC_MAX_BUFFERS(32), but the error condition in mfc_dec_dqbuf checks the limitation of buf index as MFC_MAX_DPBS. This can cause an OOB issue, so it is fixed. Bug: 337803567 Test: video playback Change-Id: I608e2253381d39bbf334d43cb7702551ad3ffb37 Signed-off-by:
Seungchul Kim <sc377.kim@samsung.com> Signed-off-by:
wenchangliu <wenchangliu@google.com>
-
- Jun 04, 2024
-
-
Pindar Yang authored
[automerger skipped] Merge android13-5.10-2024-01 ab/11920634 into android13-gs-pixel-5.10-24Q2 [ DO NOT MERGE ANYWHERE ] am: 83d992bc -s ours am skip reason: contains skip directive Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2839550 Change-Id: I19631324e65be7ee899774c9945d505f9e6d43c5 Signed-off-by:
Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-
Pindar Yang authored
Merge android13-5.10-2024-01 ab/11920634 into android13-gs-pixel-5.10-24Q2 [ DO NOT MERGE ANYWHERE ] Merge SHA: 12f33888 ANDROID: ABI fixup for abi break in struct dst_ops Bug: 343727534 Bug: 340128979 (ACK) Bug: 343727534 (ACK) Bug: 344562971 (ACK) Change-Id: I1e0f407578e010015b21265b563bb264ae405074 Merged-In: I3736ae2a7ac2172cb9a0454636be1d4122fcbb1b Signed-off-by:
Pindar Yang <pindaryang@google.com>
-
- Jun 03, 2024
-
-
Greg Kroah-Hartman authored
In commit 92f1655a ("net: fix __dst_negative_advice() race") the struct dst_ops callback negative_advice changes function parameters. But as this pointer is part of a structure that is tracked in the ABI checker, the tool triggers when this is changed. However, the callback pointer is internal to the networking stack, so changing the function type is safe, so needing to preserve this is not required. To do so, switch the function pointer type back to the old one so that the checking tools pass, AND then do a hard cast of the function pointer to the new type when assigning and calling the function. Bug: 343727534 Bug: 344562971 Fixes: 92f1655a ("net: fix __dst_negative_advice() race") Change-Id: I48d4ab4bbd29f8edc8fbd7923828b7f78a23e12e Signed-off-by:
Greg Kroah-Hartman <gregkh@google.com> Signed-off-by:
Robin Peng <robinpeng@google.com>
-
Eric Dumazet authored
__dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets. Bug: 343727534 Bug: 344562971 Fixes: a87cb3e4 ("net: Facility to report route quality of connected sockets") Reported-by:
Clement Lecigne <clecigne@google.com> Diagnosed-by:
Clement Lecigne <clecigne@google.com> Signed-off-by:
Eric Dumazet <edumazet@google.com> Cc: Tom Herbert <tom@herbertland.com> Reviewed-by:
David Ahern <dsahern@kernel.org> Link: https://lore.kernel.org/r/20240528114353.1794151-1-edumazet@google.com Signed-off-by:
Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 92f1655a) [Lee: Trivial/unrelated conflict - no change to the patch] Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: I293734dca1b81fcb712e1de294f51e96a405f7e4 Signed-off-by:
Greg Kroah-Hartman <gregkh@google.com> Signed-off-by:
Robin Peng <robinpeng@google.com>
-
Greg Kroah-Hartman authored
In commit 92f1655a ("net: fix __dst_negative_advice() race") the struct dst_ops callback negative_advice changes function parameters. But as this pointer is part of a structure that is tracked in the ABI checker, the tool triggers when this is changed. However, the callback pointer is internal to the networking stack, so changing the function type is safe, so needing to preserve this is not required. To do so, switch the function pointer type back to the old one so that the checking tools pass, AND then do a hard cast of the function pointer to the new type when assigning and calling the function. Bug: 343727534 Bug: 344531723 Fixes: 92f1655a ("net: fix __dst_negative_advice() race") Change-Id: I48d4ab4bbd29f8edc8fbd7923828b7f78a23e12e Signed-off-by:
Greg Kroah-Hartman <gregkh@google.com> (cherry picked from commit 51e48339)
-
Eric Dumazet authored
__dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets. Bug: 343727534 Bug: 344531723 Fixes: a87cb3e4 ("net: Facility to report route quality of connected sockets") Reported-by:
Clement Lecigne <clecigne@google.com> Diagnosed-by:
Clement Lecigne <clecigne@google.com> Signed-off-by:
Eric Dumazet <edumazet@google.com> Cc: Tom Herbert <tom@herbertland.com> Reviewed-by:
David Ahern <dsahern@kernel.org> Link: https://lore.kernel.org/r/20240528114353.1794151-1-edumazet@google.com Signed-off-by:
Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 92f1655a) [Lee: Trivial/unrelated conflict - no change to the patch] Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: I293734dca1b81fcb712e1de294f51e96a405f7e4 Signed-off-by:
Greg Kroah-Hartman <gregkh@google.com> (cherry picked from commit 3856ad0c)
-
- May 29, 2024
-
-
Robin Hsu authored
export function for sysfs node formatting Bug: 299190787 Bug: 343363380 Change-Id: I71e6a0815efa8df99d036bf457b8a0081999f3de Signed-off-by:
Robin Hsu <robinhsu@google.com> (cherry picked from commit 402051fc)
-
- May 25, 2024
-
-
Boyu Zhang authored
Bug: 322889657 Bug: 338404349 Test: build pass Change-Id: I9de35415228fb0fe5111cb8cc3ebb43b4c3bbf3e Signed-off-by:
Boyu Zhang <boyuzhang@google.com>
-
- May 24, 2024
-
-
Chungjui Fan authored
Test: pwm behavior works as expected during suspend and resume. Bug: 332793240 Change-Id: Ibaa8e5e03ca6c449ce15572aaa85fdafb8448826 Signed-off-by:
Chungjui Fan <chungjuifan@google.com>
-
Karan authored
To eventually get rid of all legacy drivers convert this driver to the modern world implementing .apply(). The commit which brings these changes is `5ec803ed` on the uplink kernel. Bug: 332793240 Change-Id: I385f487c474ca2d52a9f3bb4e8afc3843eb4d9f8 Signed-off-by:
Karan Bhagoji <karan.rb@samsung.com> Signed-off-by:
Hyunki Koo <hyunki00.koo@samsung.com>
-
- May 23, 2024
-
-
wenchangliu authored
- clean up number of secure instance when init fail - turn off mfc power when core instance number is 1 Bug: 339129143 Test: play secure playback Change-Id: I045c5300cb7196b013e59014a05d1bb2743f4664 Signed-off-by:
wenchangliu <wenchangliu@google.com> (cherry picked from commit f46e54677931700bf710b309dbb90737cc23fdb5)
-
- May 21, 2024
-
-
Pindar Yang authored
Merge SHA: 7e9c226b ANDROID: Initialize android13-5.10-2024-05 Bug: 338118915 Bug: 327600007 (ACK) Bug: 328266487 (ACK) Bug: 329803029 (ACK) Bug: 330117029 (ACK) Bug: 330767927 (ACK) Bug: 337902282 (ACK) Change-Id: Iaf908ef6c5623387cbfcdb5bb36d15c8bc41cc61 Signed-off-by:
Pindar Yang <pindaryang@google.com>
-
- May 15, 2024
-
-
Guanghui Feng authored
commit 0c9ae0b8 upstream.
core-1                              core-2
-------------------------------------------------------
uio_unregister_device               uio_open
                                    idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release
                                    get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor)
                                    uio_release
                                    put_device(&idev->dev)
                                    kfree(idev)
-------------------------------------------------------
In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then:
1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
2. When core-2 do uio_release and put_device, the idev will be double freed.
To address this issue, we can get idev atomic & inc idev reference with minor_lock. Bug: 340128979 Fixes: 57c5f4df ("uio: fix crash after the device is unregistered") Cc: stable <stable@kernel.org> Signed-off-by:
Guanghui Feng <guanghuifeng@linux.alibaba.com> Reviewed-by:
Baolin Wang <baolin.wang@linux.alibaba.com> Link: https://lore.kernel.org/r/1703152663-59949-1-git-send-email-guanghuifeng@linux.alibaba.com Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 5e0be122) Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: Id6e67948d146997c2861db5f634e8eeafa32a53f
-
- May 14, 2024
-
-
Todd Kjos authored
Bug: 337902282 Signed-off-by:
Todd Kjos <tkjos@google.com> Change-Id: Ie4fe7b26aaf90be57dcc18467ef9c8dedac0c1ed
-
- May 10, 2024
-
-
Pindar Yang authored
Merge SHA: 42fe3e15 UPSTREAM: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path Bug: 300854197 Bug: 320661088 (ACK) Bug: 329205787 (ACK) Bug: 330876672 (ACK) Bug: 331214192 (ACK) Bug: 332803585 (ACK) Bug: 332996726 (ACK) Change-Id: I26cb0956a55574e16c7a62042a898ca44df47de8 Signed-off-by:
Pindar Yang <pindaryang@google.com>
-
- May 09, 2024
-
-
Rick Yiu authored
When all allowed cpus of a task are fully busy such that there is no cpu with spare capacity > 0 and all are group_overutilize, we will keep the last cpu as most_spare_cap_cpu. If there are no other candidates, it will use the most_spare_cap_cpu as default target. This may cause many tasks wake up on the same cpu. To solve it, we add min_load_cpu as another default target if there is no cpu with spare capacity > 0. Bug: 335875684 Change-Id: I96d104ea6867cef9599b20e54c5c3e9d2b741d0e Signed-off-by:
Rick Yiu <rickyiu@google.com>
-
- May 03, 2024
-
-
Zheng Pan authored
i2c recovery needs to toggle gpio pins and set i2c pins to gpio. Pinctrl isn't aware of this change and cannot set back to default. Change state to recovery before making the change and set back to default after recovery. Print slave address when error happens. Bug: 326506937 Test: Trigger i2c recovery and make sure i2c bus pinctrl is set back to default. Change-Id: I7e29db694da0e52edc9a058da733127b51857d07 Signed-off-by:
Zheng Pan <zhengpan@google.com> (cherry picked from commit ec57fa228b92bd577003d4b682a8dde79b8300af)
-
- May 02, 2024
-
-
Kalesh Singh authored
If the kernel is built with CONFIG_CFI_CLANG=y, reading smaps may cause a panic. This is due to a failed CFI check; which is triggered because the signature of the function pointer for printing smaps padding VMAs does not match exactly with that for show_smap(). Fix this by casting the function pointer to the expected type based on whether printing maps or smaps padding. Bug: 330117029 Bug: 327600007 Bug: 330767927 Bug: 328266487 Bug: 329803029 Change-Id: I65564a547dacbc4131f8557344c8c96e51f90cd5 Signed-off-by:
Kalesh Singh <kaleshsingh@google.com>
-
Kalesh Singh authored
In some cases a VMA with padding representation may be split, and therefore the padding flags must be updated accordingly. There are 3 cases to handle:
Given:
    | DDDDPPPP |
where:
    - D represents 1 page of data;
    - P represents 1 page of padding;
    - | represents the boundaries (start/end) of the VMA
1) Split exactly at the padding boundary
    | DDDDPPPP | --> | DDDD | PPPP |
    - Remove padding flags from the first VMA.
    - The second VMA is all padding
2) Split within the padding area
    | DDDDPPPP | --> | DDDDPP | PP |
    - Subtract the length of the second VMA from the first VMA's padding.
    - The second VMA is all padding, adjust its padding length (flags)
3) Split within the data area
    | DDDDPPPP | --> | DD | DDPPPP |
    - Remove padding flags from the first VMA.
    - The second VMA has the same padding as from before the split.
To simplify the semantics merging of padding VMAs is not allowed. If a split produces a VMA that is entirely padding, show_[s]maps() only outputs the padding VMA entry (as the data entry is of length 0). Bug: 330117029 Bug: 327600007 Bug: 330767927 Bug: 328266487 Bug: 329803029 Change-Id: Ie2628ced5512e2c7f8af25fabae1f38730c8bb1a Signed-off-by:
Kalesh Singh <kaleshsingh@google.com>
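The three split cases from the commit message above, as a small user-space C model. This is an added example, not code from the commit or the kernel tree: the struct and function names are hypothetical, and the padding count is held in a plain field instead of vm_flags bits.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a VMA: page indices plus trailing padding pages.
 * The commit keeps the padding count in upper vm_flags bits; a plain
 * field is used here (assumption made for readability). */
struct vma_model {
    unsigned long start; /* first page index */
    unsigned long end;   /* one past the last page index */
    unsigned long pad;   /* padding pages at the end of the VMA */
};

static unsigned long vma_pages(const struct vma_model *v)
{
    return v->end - v->start;
}

/* Data pages left once padding is excluded; 0 means "all padding". */
static unsigned long vma_data_pages(const struct vma_model *v)
{
    return vma_pages(v) - v->pad;
}

/* Split vma at page index 'at' and redistribute the padding count.
 * Returns 0 on success, -1 if 'at' is not strictly inside the VMA or
 * the padding count is larger than the VMA itself. */
static int split_vma_padding(const struct vma_model *vma, unsigned long at,
                             struct vma_model *first, struct vma_model *second)
{
    unsigned long pad_start;

    if (at <= vma->start || at >= vma->end || vma->pad > vma_pages(vma))
        return -1;
    pad_start = vma->end - vma->pad;

    first->start = vma->start;
    first->end = at;
    second->start = at;
    second->end = vma->end;

    if (at < pad_start) {
        /* Case 3: split within the data area. */
        first->pad = 0;
        second->pad = vma->pad;
    } else if (at == pad_start) {
        /* Case 1: split exactly at the padding boundary. */
        first->pad = 0;
        second->pad = vma_pages(second);
    } else {
        /* Case 2: split within the padding area. */
        second->pad = vma_pages(second);
        first->pad = vma->pad - second->pad;
    }
    return 0;
}

/* Render a VMA in the commit message's notation, e.g. "DDDDPPPP". */
static void render(const struct vma_model *v, char *buf, size_t len)
{
    size_t i = 0;
    unsigned long p;

    for (p = v->start; p < v->end && i + 1 < len; p++)
        buf[i++] = (p < v->end - v->pad) ? 'D' : 'P';
    buf[i] = '\0';
}

int main(void)
{
    const struct vma_model vma = { 0, 8, 4 };   /* | DDDDPPPP | */
    const unsigned long cuts[] = { 4, 6, 2 };   /* cases 1, 2, 3 */
    struct vma_model a, b;
    char whole[16], left[16], right[16];
    size_t i;

    render(&vma, whole, sizeof whole);
    for (i = 0; i < sizeof cuts / sizeof cuts[0]; i++) {
        if (split_vma_padding(&vma, cuts[i], &a, &b) != 0)
            return 1;
        render(&a, left, sizeof left);
        render(&b, right, sizeof right);
        printf("| %s | --> | %s | %s |  data pages in second: %lu\n",
               whole, left, right, vma_data_pages(&b));
    }
    return 0;
}
```

In every accepted split the two padding counts add up to the original one, and a second VMA with zero data pages is the "entirely padding" case the message mentions for show_[s]maps().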
-
Kalesh Singh authored
Some file systems like F2FS use a custom filemap_fault ops. Remove this check, as checking vm_file is sufficient. Bug: 330117029 Bug: 327600007 Bug: 330767927 Bug: 328266487 Bug: 329803029 Change-Id: Id6a584d934f06650c0a95afd1823669fc77ba2c2 Signed-off-by:
Kalesh Singh <kaleshsingh@google.com>
-
Kalesh Singh authored
Only perform padding advise from the execution context on bionic's dynamic linker. This ensures that madvise() doesn't have unwanted side effects. Also rearrange the order of fail checks in madvise_vma_pad_pages() in order of ascending cost. Bug: 330117029 Bug: 327600007 Bug: 330767927 Bug: 328266487 Bug: 329803029 Change-Id: I3e05b8780c6eda78007f86b613f8c11dd18ac28f Signed-off-by:
Kalesh Singh <kaleshsingh@google.com>
-
Kalesh Singh authored
It has been found that some in-field apps depend on the output of /proc/*/maps to determine the address ranges of other operations. With the extension of LOAD segments VMAs to be contiguous in memory, the apps may perform operations on an area that is not backed by the underlying file, which results in a SIGBUS. Other apps have crashed with yet unidentified reasons. To avoid breaking in-field apps, maintain the output of /proc/*/[s]maps with PROT_NONE VMAs for the padding pages of LOAD segments instead of showing the segment extensions. NOTE: This does not allocate actual backing VMAs for the shown PROT_NONE mappings. This approach maintains 2 possible assumptions that userspace (apps) could be depending on: 1) That LOAD segment mappings are "contiguous" (not separated by unrelated mappings) in memory. 2) That no virtual address space is available between mappings of consecutive LOAD segments for the same ELF. For example the output of /proc/*/[s]maps before and after this change is shown below. Segments maintain PROT_NONE gaps ("[page size compat]") for app compatibility but these are not backed by actual slab VMA memory.
Maps Before:
7fb03604d000-7fb036051000 r--p 00000000 fe:09 21935719 /system/lib64/libnetd_client.so
7fb036051000-7fb036055000 r-xp 00004000 fe:09 21935719 /system/lib64/libnetd_client.so
7fb036055000-7fb036059000 r--p 00008000 fe:09 21935719 /system/lib64/libnetd_client.so
7fb036059000-7fb03605a000 rw-p 0000c000 fe:09 21935719 /system/lib64/libnetd_client.so
Maps After:
7fc707390000-7fc707393000 r--p 00000000 fe:09 21935719 /system/lib64/libnetd_client.so
7fc707393000-7fc707394000 ---p 00000000 00:00 0 [page size compat]
7fc707394000-7fc707398000 r-xp 00004000 fe:09 21935719 /system/lib64/libnetd_client.so
7fc707398000-7fc707399000 r--p 00008000 fe:09 21935719 /system/lib64/libnetd_client.so
7fc707399000-7fc70739c000 ---p 00000000 00:00 0 [page size compat]
7fc70739c000-7fc70739d000 rw-p 0000c000 fe:09 21935719 /system/lib64/libnetd_client.so
Smaps Before: 7fb03604d000-7fb036051000 r--p 00000000 fe:09 21935719 /system/lib64/libnetd_client.so Size: 16 kB KernelPageSize: 4 kB MMUPageSize: 4 kB Rss: 16 kB Pss: 0 kB Pss_Dirty: 0 kB Shared_Clean: 16 kB Shared_Dirty: 0 kB Private_Clean: 0 kB Private_Dirty: 0 kB Referenced: 16 kB Anonymous: 0 kB LazyFree: 0 kB AnonHugePages: 0 kB ShmemPmdMapped: 0 kB FilePmdMapped: 0 kB Shared_Hugetlb: 0 kB Private_Hugetlb: 0 kB Swap: 0 kB SwapPss: 0 kB Locked: 0 kB THPeligible: 0 VmFlags: rd mr mw me 7fb036051000-7fb036055000 r-xp 00004000 fe:09 21935719 /system/lib64/libnetd_client.so Size: 16 kB KernelPageSize: 4 kB MMUPageSize: 4 kB Rss: 16 kB Pss: 0 kB Pss_Dirty: 0 kB Shared_Clean: 16 kB Shared_Dirty: 0 kB Private_Clean: 0 kB Private_Dirty: 0 kB Referenced: 16 kB Anonymous: 0 kB LazyFree: 0 kB AnonHugePages: 0 kB ShmemPmdMapped: 0 kB FilePmdMapped: 0 kB Shared_Hugetlb: 0 kB Private_Hugetlb: 0 kB Swap: 0 kB SwapPss: 0 kB Locked: 0 kB THPeligible: 0 VmFlags: rd ex mr mw me 7fb036055000-7fb036059000 r--p 00008000 fe:09 21935719 /system/lib64/libnetd_client.so Size: 16 kB KernelPageSize: 4 kB MMUPageSize: 4 kB Rss: 4 kB Pss: 4 kB
Pss_Dirty: 4 kB Shared_Clean: 0 kB Shared_Dirty: 0 kB Private_Clean: 0 kB Private_Dirty: 4 kB Referenced: 4 kB Anonymous: 4 kB LazyFree: 0 kB AnonHugePages: 0 kB ShmemPmdMapped: 0 kB FilePmdMapped: 0 kB Shared_Hugetlb: 0 kB Private_Hugetlb: 0 kB Swap: 0 kB SwapPss: 0 kB Locked: 0 kB THPeligible: 0 VmFlags: rd mr mw me ac 7fb036059000-7fb03605a000 rw-p 0000c000 fe:09 21935719 /system/lib64/libnetd_client.so Size: 4 kB KernelPageSize: 4 kB MMUPageSize: 4 kB Rss: 4 kB Pss: 4 kB Pss_Dirty: 4 kB Shared_Clean: 0 kB Shared_Dirty: 0 kB Private_Clean: 0 kB Private_Dirty: 4 kB Referenced: 4 kB Anonymous: 4 kB LazyFree: 0 kB AnonHugePages: 0 kB ShmemPmdMapped: 0 kB FilePmdMapped: 0 kB Shared_Hugetlb: 0 kB Private_Hugetlb: 0 kB Swap: 0 kB SwapPss: 0 kB Locked: 0 kB THPeligible: 0 VmFlags: rd wr mr mw me ac Smaps After: 7fc707390000-7fc707393000 r--p 00000000 fe:09 21935719 /system/lib64/libnetd_client.so Size: 12 kB KernelPageSize: 4 kB MMUPageSize: 4 kB Rss: 12 kB Pss: 0 kB Shared_Clean: 12 kB Shared_Dirty: 0 kB Private_Clean: 0 kB Private_Dirty: 0 kB Referenced: 12 kB Anonymous: 0 kB LazyFree: 0 kB AnonHugePages: 0 kB ShmemPmdMapped: 0 kB FilePmdMapped: 0 kB Shared_Hugetlb: 0 kB Private_Hugetlb: 0 kB Swap: 0 kB SwapPss: 0 kB Locked: 0 kB THPeligible: 0 VmFlags: rd mr mw me ?? 
7fc707393000-7fc707394000 ---p 00000000 00:00 0 [page size compat] Size: 4 kB KernelPageSize: 4 kB MMUPageSize: 4 kB Rss: 0 kB Pss: 0 kB Shared_Clean: 0 kB Shared_Dirty: 0 kB Private_Clean: 0 kB Private_Dirty: 0 kB Referenced: 0 kB Anonymous: 0 kB LazyFree: 0 kB AnonHugePages: 0 kB ShmemPmdMapped: 0 kB FilePmdMapped: 0 kB Shared_Hugetlb: 0 kB Private_Hugetlb: 0 kB Swap: 0 kB SwapPss: 0 kB Locked: 0 kB THPeligible: 0 VmFlags: mr mw me 7fc707394000-7fc707398000 r-xp 00004000 fe:09 21935719 /system/lib64/libnetd_client.so Size: 16 kB KernelPageSize: 4 kB MMUPageSize: 4 kB Rss: 16 kB Pss: 0 kB Shared_Clean: 16 kB Shared_Dirty: 0 kB Private_Clean: 0 kB Private_Dirty: 0 kB Referenced: 16 kB Anonymous: 0 kB LazyFree: 0 kB AnonHugePages: 0 kB ShmemPmdMapped: 0 kB FilePmdMapped: 0 kB Shared_Hugetlb: 0 kB Private_Hugetlb: 0 kB Swap: 0 kB SwapPss: 0 kB Locked: 0 kB THPeligible: 0 VmFlags: rd ex mr mw me 7fc707398000-7fc707399000 r--p 00008000 fe:09 21935719 /system/lib64/libnetd_client.so Size: 4 kB KernelPageSize: 4 kB MMUPageSize: 4 kB Rss: 4 kB Pss: 4 kB Shared_Clean: 0 kB Shared_Dirty: 0 kB Private_Clean: 0 kB Private_Dirty: 4 kB Referenced: 4 kB Anonymous: 4 kB LazyFree: 0 kB AnonHugePages: 0 kB ShmemPmdMapped: 0 kB FilePmdMapped: 0 kB Shared_Hugetlb: 0 kB Private_Hugetlb: 0 kB Swap: 0 kB SwapPss: 0 kB Locked: 0 kB THPeligible: 0 VmFlags: rd mr mw me ac ?? ?? 
7fc707399000-7fc70739c000 ---p 00000000 00:00 0 [page size compat] Size: 12 kB KernelPageSize: 4 kB MMUPageSize: 4 kB Rss: 0 kB Pss: 0 kB Shared_Clean: 0 kB Shared_Dirty: 0 kB Private_Clean: 0 kB Private_Dirty: 0 kB Referenced: 0 kB Anonymous: 0 kB LazyFree: 0 kB AnonHugePages: 0 kB ShmemPmdMapped: 0 kB FilePmdMapped: 0 kB Shared_Hugetlb: 0 kB Private_Hugetlb: 0 kB Swap: 0 kB SwapPss: 0 kB Locked: 0 kB THPeligible: 0 VmFlags: mr mw me ac 7fc70739c000-7fc70739d000 rw-p 0000c000 fe:09 21935719 /system/lib64/libnetd_client.so Size: 4 kB KernelPageSize: 4 kB MMUPageSize: 4 kB Rss: 4 kB Pss: 4 kB Shared_Clean: 0 kB Shared_Dirty: 0 kB Private_Clean: 0 kB Private_Dirty: 4 kB Referenced: 4 kB Anonymous: 4 kB LazyFree: 0 kB AnonHugePages: 0 kB ShmemPmdMapped: 0 kB FilePmdMapped: 0 kB Shared_Hugetlb: 0 kB Private_Hugetlb: 0 kB Swap: 0 kB SwapPss: 0 kB Locked: 0 kB THPeligible: 0 VmFlags: rd wr mr mw me ac Bug: 330117029 Bug: 327600007 Bug: 330767927 Bug: 328266487 Bug: 329803029 Change-Id: I12bf2c106fafc74a500d79155b81dde5db42661e Signed-off-by:
Kalesh Singh <kaleshsingh@google.com>
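A checker for the two assumptions listed in the commit message above, run over the "Maps Before" and "Maps After" lines quoted there. This is an added example, not code from the commit; the struct and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Sample input: the maps lines quoted in the commit message above. */
static const char *const maps_before[] = {
    "7fb03604d000-7fb036051000 r--p 00000000 fe:09 21935719 /system/lib64/libnetd_client.so",
    "7fb036051000-7fb036055000 r-xp 00004000 fe:09 21935719 /system/lib64/libnetd_client.so",
    "7fb036055000-7fb036059000 r--p 00008000 fe:09 21935719 /system/lib64/libnetd_client.so",
    "7fb036059000-7fb03605a000 rw-p 0000c000 fe:09 21935719 /system/lib64/libnetd_client.so",
};
static const char *const maps_after[] = {
    "7fc707390000-7fc707393000 r--p 00000000 fe:09 21935719 /system/lib64/libnetd_client.so",
    "7fc707393000-7fc707394000 ---p 00000000 00:00 0 [page size compat]",
    "7fc707394000-7fc707398000 r-xp 00004000 fe:09 21935719 /system/lib64/libnetd_client.so",
    "7fc707398000-7fc707399000 r--p 00008000 fe:09 21935719 /system/lib64/libnetd_client.so",
    "7fc707399000-7fc70739c000 ---p 00000000 00:00 0 [page size compat]",
    "7fc70739c000-7fc70739d000 rw-p 0000c000 fe:09 21935719 /system/lib64/libnetd_client.so",
};

struct map_entry {
    unsigned long long start, end;
    char perms[5];
    char name[128];
};

struct maps_summary {
    unsigned long long span;    /* bytes from first start to last end */
    unsigned long long padding; /* bytes shown as "[page size compat]" */
    int breaks;                 /* adjacent entries that do not abut */
};

/* Parse one /proc/<pid>/maps line; the name field may be absent. */
static int parse_maps_line(const char *line, struct map_entry *e)
{
    unsigned long long off, ino;
    char dev[16];
    int n;

    e->name[0] = '\0';
    n = sscanf(line, "%llx-%llx %4s %llx %15s %llu %127[^\n]",
               &e->start, &e->end, e->perms, &off, dev, &ino, e->name);
    return (n >= 6 && e->start < e->end) ? 0 : -1;
}

/* A padding entry as printed after the change: PROT_NONE and labelled. */
static int is_compat_padding(const struct map_entry *e)
{
    return strcmp(e->perms, "---p") == 0 &&
           strcmp(e->name, "[page size compat]") == 0;
}

/* Walk consecutive entries: every start must equal the previous end,
 * otherwise address space is free between LOAD segment mappings. */
static int summarize_maps(const char *const *lines, size_t n,
                          struct maps_summary *s)
{
    struct map_entry prev = { 0, 0, "", "" }, cur;
    unsigned long long first = 0;
    size_t i;

    memset(s, 0, sizeof *s);
    for (i = 0; i < n; i++) {
        if (parse_maps_line(lines[i], &cur) != 0)
            return -1;
        if (i == 0)
            first = cur.start;
        else if (cur.start != prev.end)
            s->breaks++;
        if (is_compat_padding(&cur))
            s->padding += cur.end - cur.start;
        prev = cur;
    }
    s->span = n ? prev.end - first : 0;
    return 0;
}

int main(void)
{
    struct maps_summary b, a;

    if (summarize_maps(maps_before, 4, &b) || summarize_maps(maps_after, 6, &a))
        return 1;
    printf("before: span=%llu kB padding=%llu kB breaks=%d\n",
           b.span / 1024, b.padding / 1024, b.breaks);
    printf("after:  span=%llu kB padding=%llu kB breaks=%d\n",
           a.span / 1024, a.padding / 1024, a.breaks);
    return 0;
}
```

Both listings cover the same 52 kB span with no breaks; the only difference is the 16 kB reported as padding entries after the change.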
-
Kalesh Singh authored
Userspace apps often analyze memory consumption by the use of mm rss_stat counters -- via the kmem/rss_stat trace event or from /proc/<pid>/statm. rss_stat counters are only updated when the PTEs are updated. What this means is that pages can be present in the page cache from readahead but not visible to userspace (not attributed to the app) as there is no corresponding VMA (PTEs) for the respective page cache pages. A side effect of the loader now extending ELF LOAD segments to be contiguously mapped in the virtual address space, means that the VMA is extended to cover the padding pages. When filesystems, such as f2fs and ext4, that implement vm_ops->map_pages() attempt to perform a do_fault_around() the extent of the fault around is restricted by the area of the enclosing VMA. Since the loader extends LOAD segment VMAs to be contiguously mapped, the extent of the fault around is also increased. The result of which, is that the PTEs corresponding to the padding pages are updated and reflected in the rss_stat counters. It is not common that userspace application developers be aware of this nuance in the kernel's memory accounting. To avoid apparent regressions in memory usage to userspace, restrict the fault around range to only valid data pages (i.e. exclude the padding pages at the end of the VMA). Bug: 330117029 Bug: 327600007 Bug: 330767927 Bug: 328266487 Bug: 329803029 Change-Id: I2c7a39ec1b040be2b9fb47801f95042f5dbf869d Signed-off-by:
Kalesh Singh <kaleshsingh@google.com>
-
Kalesh Singh authored
When performing LOAD segment extension, the dynamic linker knows what portion of the VMA is padding. In order for the kernel to implement mitigations that ensure app compatibility, the extent of the padding must be made available to the kernel. To achieve this, reuse MADV_DONTNEED on single VMAs to hint the padding range to the kernel. This information is then stored in vm_flag bits. This allows userspace (dynamic linker) to set the padding pages on the VMA without a need for new out-of-tree UAPI. Bug: 330117029 Bug: 327600007 Bug: 330767927 Bug: 328266487 Bug: 329803029 Change-Id: I3421de32ab38ad3cb0fbce73ecbd8f7314287cde Signed-off-by:
Kalesh Singh <kaleshsingh@google.com>
-
Kalesh Singh authored
The dynamic linker may extend ELF LOAD segment mappings to be contiguous in memory when loading a 16kB compatible ELF on a 4kB page-size system. This is done to reduce the use of unreclaimable VMA slab memory for the otherwise necessary "gap" VMAs. The extended portion of the mapping (VMA) can be viewed as "padding", meaning that the mapping in that range corresponds to an area of the file that does not contain contents of the respective segments (maybe zero's depending on how the ELF is built). For some compatibility mitigations, the region of a VMA corresponding to these padding sections needs to be known. In order to represent such regions without adding additional overhead or breaking ABI, some upper bits of vm_flags are used. Add the VMA padding pages representation and the necessary APIs to manipulate it. Bug: 330117029 Bug: 327600007 Bug: 330767927 Bug: 328266487 Bug: 329803029 Change-Id: Ieb9fa98e30ec9b0bec62256624f14e3ed6062a75 Signed-off-by:
Kalesh Singh <kaleshsingh@google.com>
-
Kalesh Singh authored
Migrating from 4kB to 16kB page-size in Android requires first making the platform page-agnostic, which involves increasing Android-ELFs' max-page-size (p_align) from 4kB to 16kB. Increasing the ELF max-page-size was found to cause compatibility issues in apps that use obfuscation or depend on the ELF segments being mapped based on 4kB-alignment. Working around these compatibility issues involves both kernel and userspace (dynamic linker) changes. Introduce a knob for userspace (dynamic linker) to determine whether the kernel supports the mitigations needed for page-size migration compatibility. The knob also allows for userspace to turn on or off these mitigations by writing 1 or 0 to /sys/kernel/mm/pgsize_miration/enabled:
    echo 1 > /sys/kernel/mm//pgsize_miration/enabled # Enable
    echo 0 > /sys/kernel/mm//pgsize_miration/enabled # Disable
Bug: 330117029 Bug: 327600007 Bug: 330767927 Bug: 328266487 Bug: 329803029 Change-Id: I9ac1d15d397b8226b27827ecffa30502da91e10e Signed-off-by:
Kalesh Singh <kaleshsingh@google.com>
-
- Apr 29, 2024
-
-
Jack Diver authored
Bug: 337391620 Test: Boot to home Change-Id: I291cb0a9bd341bd971d2851e159d08be5af038cf Signed-off-by:
Jack Diver <diverj@google.com> (cherry picked from commit e9099db65673b55c45f758c58c923da3e926b96c)
-
- Apr 26, 2024
-
-
wenchangliu authored
The min bit count is enabled when CBR & under 100 kbps case only for VT call requirement. We don't need to enable it when the target bitrate is less than 100 kbps for CBR mode. Bug: 334875485 Test: WebRTC codec test Change-Id: I688d200c21c9c57ba7d90b3aac84946e031ef738 Signed-off-by:
wenchangliu <wenchangliu@google.com>
-
- Apr 25, 2024
-
-
Merge SHA: 9f408f56 Merge tag 'android13-5.10.209_r00' into android13-5.10 Bug: 300854197 Bug: 146449535 (ACK) Bug: 161946584 (ACK) Bug: 320478828 (ACK) Bug: 320714627 (ACK) Bug: 322282717 (ACK) Bug: 322762567 (ACK) Bug: 325477234 (ACK) Change-Id: I465a7f3f352d54b77626bad4e604c8088be53b61 Signed-off-by:
Pindar Yang <pindaryang@google.com>
-
- Apr 19, 2024
-
-
Jason Chiu authored
This reverts commit 29ae50fb. Reason for revert: issue patches (b/332647634#comment1) aren't merged into 24Q3 branch, so let's revert this patch on 24Q3 branch, and let the fix keep at mainline Bug: 332647634 Signed-off-by:
Jason Chiu <jasoncschiu@google.com> Change-Id: I568c3e3f71c2c9348dc0877c5aed6b74d8f6e0a8 Merged-In: I353f145d5e724c9cea4ff6363d740934352f7ae1
-
- Apr 17, 2024
-
-
Jason Chiu authored
also, update index of METRICS_BL2_WARMBOOT_START to 0xE to avoid overlap Bug: 332647634 Change-Id: I4dfb8d502988a08744175d8573db41eabb0f2b9e Signed-off-by:
Jason Chiu <jasoncschiu@google.com>
-