- Jan 08, 2024
-
-
qinglin.li authored
2 function symbol(s) added 'struct drm_private_state* drm_atomic_get_new_private_obj_state(struct drm_atomic_state*, struct drm_private_obj*)' 'uint64_t drm_format_info_min_pitch(const struct drm_format_info*, int, unsigned int)' Bug: 319070243 Change-Id: I54d8e1c1ff2ecbddd54d61724577ddad1cbfde08 Signed-off-by:
Qinglin Li <qinglin.li@amlogic.com>
-
Jiri Olsa authored
commit 4b7de801 upstream.

Lee pointed out issue found by syscaller [0] hitting BUG in prog array map poke update in prog_array_map_poke_run function due to error value returned from bpf_arch_text_poke function.

There's race window where bpf_arch_text_poke can fail due to missing bpf program kallsym symbols, which is accounted for with check for -EINVAL in that BUG_ON call.

The problem is that in such case we won't update the tail call jump and cause imbalance for the next tail call update check which will fail with -EBUSY in bpf_arch_text_poke.

I'm hitting following race during the program load:

    CPU 0                             CPU 1

    bpf_prog_load
      bpf_check
        do_misc_fixups
          prog_array_map_poke_track

                                      map_update_elem
                                        bpf_fd_array_map_update_elem
                                          prog_array_map_poke_run

                                            bpf_arch_text_poke returns -EINVAL

    bpf_prog_kallsyms_add

After bpf_arch_text_poke (CPU 1) fails to update the tail call jump, the next poke update fails on expected jump instruction check in bpf_arch_text_poke with -EBUSY and triggers the BUG_ON in prog_array_map_poke_run.

Similar race exists on the program unload.

Fixing this by moving the update to bpf_arch_poke_desc_update function which makes sure we call __bpf_arch_text_poke that skips the bpf address check.

Each architecture has slightly different approach wrt looking up bpf address in bpf_arch_text_poke, so instead of splitting the function or adding new 'checkip' argument in previous version, it seems best to move the whole map_poke_run update as arch specific code.

    [0] https://syzkaller.appspot.com/bug?extid=97a4fe20470e9bc30810

Bug: 309551558
Fixes: ebf7d1f5 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT")
Reported-by: <syzbot+97a4fe20470e9bc30810@syzkaller.appspotmail.com>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Cc: Lee Jones <lee@kernel.org>
Cc: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Link: https://lore.kernel.org/bpf/20231206083041.1306660-2-jolsa@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 13578b4e)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I1291f0589e84f627ee44d07acb24196fab166c29
-
- Jan 05, 2024
-
-
Norihiko Hama authored
9 function symbol(s) added

    'int nf_log_buf_add(struct nf_log_buf *, const char *, ...)'
    'void nf_log_buf_close(struct nf_log_buf *)'
    'struct nf_log_buf * nf_log_buf_open()'
    'int nf_log_register(u_int8_t, struct nf_logger *)'
    'int nf_log_set(struct net *, u_int8_t, const struct nf_logger *)'
    'void nf_log_unregister(struct nf_logger *)'
    'void nf_log_unset(struct net *, const struct nf_logger *)'
    'int nf_logger_find_get(int, enum nf_log_type)'
    'void nf_logger_put(int, enum nf_log_type)'

Bug: 316040982
Change-Id: Icd40e3750160b579b1eea3710ac6c855585b2b4c
Signed-off-by: Norihiko Hama <Norihiko.Hama@alpsalpine.com>
-
Norihiko Hama authored
2 function symbol(s) added 'void arp_send(int, int, __be32, struct net_device *, __be32, const unsigned char *, const unsigned char *, const unsigned char *)' 'void nf_log_packet(struct net *, u_int8_t, unsigned int, const struct sk_buff *, const struct net_device *, const struct net_device *, const struct nf_loginfo *, const char *, ...)' 1 variable symbol(s) added 'int sysctl_nf_log_all_netns' Bug: 316040982 Change-Id: Ie421b63df849c8ae5cafd18c890cc6e641a70fa3 Signed-off-by:
Norihiko Hama <Norihiko.Hama@alpsalpine.com>
-
Norihiko Hama authored
18 function symbol(s) added

    'void __audit_log_nfcfg(const char *, u8, unsigned int, enum audit_nfcfgop, gfp_t)'
    'int nf_register_sockopt(struct nf_sockopt_ops *)'
    'void nf_unregister_sockopt(struct nf_sockopt_ops *)'
    'void * vmalloc_node(unsigned long int, int)'
    'int xt_check_match(struct xt_mtchk_param *, unsigned int, u16, bool)'
    'int xt_check_target(struct xt_tgchk_param *, unsigned int, u16, bool)'
    'int xt_compat_add_offset(u_int8_t, unsigned int, int)'
    'int xt_compat_calc_jump(u_int8_t, unsigned int)'
    'void xt_compat_flush_offsets(u_int8_t)'
    'int xt_compat_init_offsets(u8, unsigned int)'
    'void xt_compat_lock(u_int8_t)'
    'int xt_compat_match_offset(const struct xt_match *)'
    'int xt_compat_target_offset(const struct xt_target *)'
    'void xt_compat_unlock(u_int8_t)'
    'int xt_data_to_user(void *, void *, int, int, int)'
    'struct xt_match * xt_find_match(u8, const char *, u8)'
    'struct xt_match * xt_request_find_match(uint8_t, const char *, uint8_t)'
    'struct xt_target * xt_request_find_target(u8, const char *, u8)'

1 variable symbol(s) added

    'u32 audit_enabled'

Bug: 316040982
Change-Id: I5d3bb3ad453ac4c231f7c23531d84a96673b1487
Signed-off-by: Norihiko Hama <Norihiko.Hama@alpsalpine.com>
-
Norihiko Hama authored
35 function symbol(s) added

    'int __skb_vlan_pop(struct sk_buff *, u16 *)'
    'struct flow_rule * flow_rule_alloc(unsigned int)'
    'void * idr_get_next_ul(struct idr *, unsigned long int *)'
    'clock_t jiffies_to_clock_t(unsigned long int)'
    'int radix_tree_tagged(const struct xarray *, unsigned int)'
    'int skb_eth_pop(struct sk_buff *)'
    'int skb_eth_push(struct sk_buff *, const unsigned char *, const unsigned char *)'
    'void skb_flow_dissect_ct(const struct sk_buff *, struct flow_dissector *, void *, u16 *, size_t, bool, u16)'
    'void skb_flow_dissect_hash(const struct sk_buff *, struct flow_dissector *, void *)'
    'void skb_flow_dissect_meta(const struct sk_buff *, struct flow_dissector *, void *)'
    'void skb_flow_dissect_tunnel_info(const struct sk_buff *, struct flow_dissector *, void *)'
    'void skb_flow_dissector_init(struct flow_dissector *, const struct flow_dissector_key *, unsigned int)'
    'int skb_vlan_pop(struct sk_buff *)'
    'int skb_vlan_push(struct sk_buff *, __be16, u16)'
    'void tc_cleanup_flow_action(struct flow_action *)'
    'int tc_setup_cb_add(struct tcf_block *, struct tcf_proto *, enum tc_setup_type, void *, bool, u32 *, unsigned int *, bool)'
    'int tc_setup_cb_call(struct tcf_block *, enum tc_setup_type, void *, bool, bool)'
    'int tc_setup_cb_destroy(struct tcf_block *, struct tcf_proto *, enum tc_setup_type, void *, bool, u32 *, unsigned int *, bool)'
    'int tc_setup_cb_reoffload(struct tcf_block *, struct tcf_proto *, bool, flow_setup_cb_t *, enum tc_setup_type, void *, void *, u32 *, unsigned int *)'
    'int tc_setup_flow_action(struct flow_action *, const struct tcf_exts *)'
    'int tcf_action_check_ctrlact(int, struct tcf_proto *, struct tcf_chain * *, struct netlink_ext_ack *)'
    'struct tcf_chain * tcf_action_set_ctrlact(struct tc_action *, int, struct tcf_chain *)'
    'void tcf_action_update_stats(struct tc_action *, u64, u64, u64, bool)'
    'void tcf_chain_put_by_act(struct tcf_chain *)'
    'unsigned int tcf_exts_num_actions(struct tcf_exts *)'
    'int tcf_exts_terse_dump(struct sk_buff *, struct tcf_exts *)'
    'int tcf_generic_walker(struct tc_action_net *, struct sk_buff *, struct netlink_callback *, int, const struct tc_action_ops *, struct netlink_ext_ack *)'
    'int tcf_idr_check_alloc(struct tc_action_net *, u32 *, struct tc_action * *, int)'
    'void tcf_idr_cleanup(struct tc_action_net *, u32)'
    'int tcf_idr_create_from_flags(struct tc_action_net *, u32, struct nlattr *, struct tc_action * *, const struct tc_action_ops *, int, u32)'
    'int tcf_idr_release(struct tc_action *, bool)'
    'int tcf_idr_search(struct tc_action_net *, struct tc_action * *, u32)'
    'void tcf_idrinfo_destroy(const struct tc_action_ops *, struct tcf_idrinfo *)'
    'int tcf_register_action(struct tc_action_ops *, struct pernet_operations *)'
    'int tcf_unregister_action(struct tc_action_ops *, struct pernet_operations *)'

Bug: 316040982
Change-Id: I00ee6a74d989f064481ff0792e1fc7e13297259f
Signed-off-by: Norihiko Hama <Norihiko.Hama@alpsalpine.com>
-
Norihiko Hama authored
3 function symbol(s) added 'void led_blink_set_oneshot(struct led_classdev *, unsigned long int *, unsigned long int *, int)' 'void led_set_brightness_nosleep(struct led_classdev *, unsigned int)' 'void led_stop_software_blink(struct led_classdev *)' Bug: 316040982 Change-Id: I572c748daf772e6d60e621e5de66c9c0197d87c3 Signed-off-by:
Norihiko Hama <Norihiko.Hama@alpsalpine.com>
-
Norihiko Hama authored
Initial add for oem specific symbol list 2 function symbol(s) added 'void * devres_find(struct device *, dr_release_t, dr_match_t, void *)' 'bool refcount_dec_if_one(refcount_t *)' Bug: 316040982 Change-Id: Ife8808fead2e700f8213090d4a11b2666c43f04b Signed-off-by:
Norihiko Hama <Norihiko.Hama@alpsalpine.com>
-
- Jan 03, 2024
-
-
Xuewen Yan authored
1 function symbol(s) added 'int __traceiter_android_rvh_set_task_comm(void *, struct task_struct *, bool)' 1 variable symbol(s) added 'struct tracepoint __tracepoint_android_rvh_set_task_comm' Bug: 317949078 Change-Id: Ie83da092349eb881e93f892aa391b108da313011 Signed-off-by:
Xuewen Yan <xuewen.yan@unisoc.com>
-
Xuewen Yan authored
android_rvh_set_task_comm: To record vendor-specific task comm's change.

We need to know the name changes of specific tasks so that we can notify the user layer of the pids of these tasks, and then the user layer can set some attributes of the tasks based on the names, such as priority scheduling, priority, etc.

Since the user layer is notified through netlink, and netlink may cause blocking actions when sending messages, it's non-atomic context, so set the hook to be restricted.

Bug: 317949078
Change-Id: Ica30c123be339a7ef29c727bfaa7513efced5bd1
Signed-off-by: Xuewen Yan <xuewen.yan@unisoc.com>
-
Carlos Llamas authored
Task A calls binder_update_page_range() to allocate and insert pages on a remote address space from Task B. For this, Task A pins the remote mm via mmget_not_zero() first. This can race with Task B do_exit() and the final mmput() refcount decrement will come from Task A.

    Task A            | Task B
    ------------------+------------------
    mmget_not_zero()  |
                      |  do_exit()
                      |    exit_mm()
                      |      mmput()
    mmput()           |
      exit_mmap()     |
        remove_vma()  |
          fput()      |

In this case, the work of ____fput() from Task B is queued up in Task A as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup work gets executed. However, Task A instead sleeps, waiting for a reply from Task B that never comes (it's dead).

This means the binder_deferred_release() is blocked until an unrelated binder event forces Task A to go back to userspace. All the associated death notifications will also be delayed until then.

In order to fix this use mmput_async() that will schedule the work in the corresponding mm->async_put_work WQ instead of Task A.

Fixes: 457b9a6f ("Staging: android: add binder driver")
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 293845143
Link: https://lore.kernel.org/all/20231201172212.1813387-4-cmllamas@google.com/
Change-Id: I2ec43b375e115c0daf21df3893da634dbefeed3e
Signed-off-by: Carlos Llamas <cmllamas@google.com>
-
- Jan 02, 2024
-
-
Norihiko Hama authored
KASAN-related crash observed on aosp-main cuttlefish with commit b37eb452.

In commit b37eb452 ("KMI workaround for CONFIG_NETFILTER_FAMILY_BRIDGE"), type struct nf_hook_entries for global init_net are statically preserved as 'init_nf_hooks_bridge' which is an array of type struct nf_hook_entries instead of a member of struct net_ns. And also 'init_nf_hooks_bridgep' addresses to init_nf_hooks_bridge.

netfilter_net_init() initialize the pointer array of type struct nf_hook_entries but in case for nf_hook_bridge, get_nf_hooks_bridge() for init_net returns the address of 'init_nf_hooks_bridgep' that is compatible with type struct nf_hook_entries ** but it's not allocated array size of nf_hook_entries (NF_INET_NUMHOOKS)

As the result, netfilter_net_init() initialize out-of-bounds memory and then it possibly causes kernel panic with KASAN enabled configuration.

    [ 15.437905] ==================================================================
    [ 15.439156] BUG: KASAN: global-out-of-bounds in netfilter_net_init+0x17b/0x240
    [ 15.439156] Write of size 8 at addr ffffffff84e40488 by task swapper/0/1
    [ 15.439156]
    [ 15.439156] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.137-android13-8-...
    [ 15.439156] Hardware name: emulation qemu-x86/qemu-x86, BIOS 2023.04-gc2f63...
    [ 15.439156] Call Trace:
    [ 15.439156] <TASK>
    [ 15.439156] dump_stack_lvl+0xbb/0xf2
    [ 15.439156] print_address_description+0x87/0x3b0
    [ 15.439156] ? _raw_spin_lock_irqsave+0x80/0xe0
    [ 15.439156] kasan_report+0x17a/0x1c0
    [ 15.439156] ? netfilter_net_init+0x17b/0x240
    [ 15.439156] ? netfilter_net_init+0x17b/0x240
    [ 15.439156] __asan_store8+0x80/0x90
    [ 15.439156] netfilter_net_init+0x17b/0x240
    [ 15.439156] ops_init+0x1dd/0x290
    [ 15.439156] ? kfree+0xc8/0x210
    [ 15.439156] register_pernet_operations+0x176/0x350
    [ 15.439156] ? alsa_sound_last_init+0x97/0x97
    [ 15.439156] register_pernet_subsys+0x28/0x40
    [ 15.439156] netfilter_init+0x16/0x4d
    [ 15.439156] sock_init+0xa1/0xc6
    [ 15.439156] do_one_initcall+0xfc/0x380
    [ 15.439156] do_initcall_level+0x103/0x1dd
    [ 15.439156] do_initcalls+0x4e/0x8e
    [ 15.439156] do_basic_setup+0x6d/0x74
    [ 15.439156] kernel_init_freeable+0x19a/0x21b
    [ 15.439156] ? rest_init+0xe0/0xe0
    [ 15.439156] kernel_init+0x1d/0x240
    [ 15.439156] ? rest_init+0xe0/0xe0
    [ 15.439156] ret_from_fork+0x1f/0x30
    [ 15.439156] </TASK>
    [ 15.439156]
    [ 15.439156] The buggy address belongs to the variable:
    [ 15.439156] init_nf_hooks_bridgep+0x8/0x20
    [ 15.439156]
    [ 15.439156] Memory state around the buggy address:
    [ 15.439156]  ffffffff84e40380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 15.439156]  ffffffff84e40400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 15.439156] >ffffffff84e40480: 00 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
    [ 15.439156]                       ^
    [ 15.439156]  ffffffff84e40500: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
    [ 15.439156]  ffffffff84e40580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 15.439156] ==================================================================

To fix the issue, it's just simple:
- type 'init_nf_hooks_bridge' makes changed to pointer array of type struct nf_hook_entries.
- type 'init_nf_hooks_bridgep' makes changed to pointer of pointer and it makes address to the array top of 'init_nf_hooks_bridge'.
- get_nf_hooks_bridge() for global init_net should return 'init_nf_hooks_bridgep' which address to pointer array so that netfilter_net_init can initialize.

Bug: 316040984
Fixes: b37eb452 ("KMI workaround for CONFIG_NETFILTER_FAMILY_BRIDGE")
Change-Id: I29a36da490e1ca18c04fd8c4dea235782f14b83b
Signed-off-by: Norihiko Hama <Norihiko.Hama@alpsalpine.com>
-
- Dec 27, 2023
-
-
xieliujie authored
1 function symbol(s) added 'int __traceiter_android_vh_rt_mutex_steal(void*, int, int, bool*)' 1 variable symbol(s) added 'struct tracepoint __tracepoint_android_vh_rt_mutex_steal' Bug: 317670024 Change-Id: I28f0379adaec041400e49cbd1e497b2f8c5c893d Signed-off-by:
xeiliujie <xieliujie@oppo.com>
-
- Dec 26, 2023
-
-
xieliujie authored
Add hooks at rt_mutex_steal function so that oems can decide whether tasks with the same priority steal the rt_mutex or not. We did experiments and found that rt_mutex throughput can benefit a lot when threads with the same priority can steal the rt_mutex lock. Bug: 317670024 Change-Id: Id60a7a41c6c77a67808982d3667946cabe4acc8f Signed-off-by:
xeiliujie <xieliujie@oppo.com>
-
- Dec 22, 2023
-
-
Mukesh Ojha authored
There is a chance if a frequent switch of the governor done in a loop result in timer list corruption where timer cancel being done from two place one from cancel_delayed_work_sync() and followed by expire_timers() can be seen from the traces[1].

    while true
    do
        echo "simple_ondemand" > /sys/class/devfreq/1d84000.ufshc/governor
        echo "performance" > /sys/class/devfreq/1d84000.ufshc/governor
    done

It looks to be issue with devfreq driver where device_monitor_[start/stop] need to synchronized so that delayed work should get corrupted while it is either being queued or running or being cancelled.

Let's use polling flag and devfreq lock to synchronize the queueing the timer instance twice and work data being corrupted.

[1]

    ...
    ..
    <idle>-0 [003] 9436.209662: timer_cancel timer=0xffffff80444f0428
    <idle>-0 [003] 9436.209664: timer_expire_entry timer=0xffffff80444f0428 now=0x10022da1c function=__typeid__ZTSFvP10timer_listE_global_addr baseclk=0x10022da1c
    <idle>-0 [003] 9436.209718: timer_expire_exit timer=0xffffff80444f0428
    kworker/u16:6-14217 [003] 9436.209863: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2b now=0x10022da1c flags=182452227
    vendor.xxxyyy.ha-1593 [004] 9436.209888: timer_cancel timer=0xffffff80444f0428
    vendor.xxxyyy.ha-1593 [004] 9436.216390: timer_init timer=0xffffff80444f0428
    vendor.xxxyyy.ha-1593 [004] 9436.216392: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2c now=0x10022da1d flags=186646532
    vendor.xxxyyy.ha-1593 [005] 9436.220992: timer_cancel timer=0xffffff80444f0428
    xxxyyyTraceManag-7795 [004] 9436.261641: timer_cancel timer=0xffffff80444f0428

[2]

    9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a
    [ 9436.261664][ C4] Mem abort info:
    [ 9436.261666][ C4] ESR = 0x96000044
    [ 9436.261669][ C4] EC = 0x25: DABT (current EL), IL = 32 bits
    [ 9436.261671][ C4] SET = 0, FnV = 0
    [ 9436.261673][ C4] EA = 0, S1PTW = 0
    [ 9436.261675][ C4] Data abort info:
    [ 9436.261677][ C4] ISV = 0, ISS = 0x00000044
    [ 9436.261680][ C4] CM = 0, WnR = 1
    [ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges
    [ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP
    [ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0
    ...
    [ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1
    [ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. (DT)
    [ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)
    [ 9436.262161][ C4] pc : expire_timers+0x9c/0x438
    [ 9436.262164][ C4] lr : expire_timers+0x2a4/0x438
    [ 9436.262168][ C4] sp : ffffffc010023dd0
    [ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18
    [ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008
    [ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280
    [ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122
    [ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80
    [ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038
    [ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201
    [ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100
    [ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8
    [ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff
    [ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122
    [ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8
    [ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101
    [ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff889edc155c
    [ 9436.262227][ C4] x1 : ffffff8001005200 x0 : ffffff80444f0428
    [ 9436.262232][ C4] Call trace:
    [ 9436.262236][ C4] expire_timers+0x9c/0x438
    [ 9436.262240][ C4] __run_timers+0x1f0/0x330
    [ 9436.262245][ C4] run_timer_softirq+0x28/0x58
    [ 9436.262255][ C4] efi_header_end+0x168/0x5ec
    [ 9436.262265][ C4] __irq_exit_rcu+0x108/0x124
    [ 9436.262274][ C4] __handle_domain_irq+0x118/0x1e4
    [ 9436.262282][ C4] gic_handle_irq.30369+0x6c/0x2bc
    [ 9436.262286][ C4] el0_irq_naked+0x60/0x6c

Bug: 317188938
Change-Id: I9a22325f6abbf28217c8f37b093cf77509b0139a
Link: https://lore.kernel.org/all/1700860318-4025-1-git-send-email-quic_mojha@quicinc.com/
Reported-by: Joyyoung Huang <huangzaiyang@oppo.com>
Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com>
Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
(cherry picked from commit aed5ed59 https://git.kernel.org/pub/scm/linux/kernel/git/chanwoo/linux.git devfreq-next)
Signed-off-by: Srinivasarao Pathipati <quic_c_spathi@quicinc.com>
-
Peter Zijlstra authored
[ Upstream commit f0498d2a ]

Kuyo reported sporadic failures on a sched_setaffinity() vs CPU hotplug stress-test -- notably affine_move_task() remains stuck in wait_for_completion(), leading to a hung-task detector warning.

Specifically, it was reported that stop_one_cpu_nowait(.fn = migration_cpu_stop) returns false -- this stopper is responsible for the matching complete().

The race scenario is:

    CPU0                                    CPU1

                                            // doing _cpu_down()

    __set_cpus_allowed_ptr()
      task_rq_lock();
                                            takedown_cpu()
                                              stop_machine_cpuslocked(take_cpu_down..)

                                            <PREEMPT: cpu_stopper_thread()
                                              MULTI_STOP_PREPARE
                                              ...
      __set_cpus_allowed_ptr_locked()
        affine_move_task()
          task_rq_unlock();

                                            <PREEMPT: cpu_stopper_thread()\>
                                              ack_state()
                                              MULTI_STOP_RUN
                                                take_cpu_down()
                                                  __cpu_disable();
                                                  stop_machine_park();
                                                    stopper->enabled = false;
                                             />
                                       />
          stop_one_cpu_nowait(.fn = migration_cpu_stop);
            if (stopper->enabled) // false!!!

That is, by doing stop_one_cpu_nowait() after dropping rq-lock, the stopper thread gets a chance to preempt and allows the cpu-down for the target CPU to complete.

OTOH, since stop_one_cpu_nowait() / cpu_stop_queue_work() needs to issue a wakeup, it must not be run under the scheduler locks.

Solve this apparent contradiction by keeping preemption disabled over the unlock + queue_stopper combination:

    preempt_disable();
    task_rq_unlock(...);
    if (!stop_pending)
      stop_one_cpu_nowait(...)
    preempt_enable();

This respects the lock ordering constraints while still avoiding the above race. That is, if we find the CPU is online under rq-lock, the targeted stop_one_cpu_nowait() must succeed.

Apply this pattern to all similar stop_one_cpu_nowait() invocations.

BUG: 317318329
Fixes: 6d337eab ("sched: Fix migrate_disable() vs set_cpus_allowed_ptr()")
Reported-by: "Kuyo Chang (張建文)" <Kuyo.Chang@mediatek.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: "Kuyo Chang (張建文)" <Kuyo.Chang@mediatek.com>
Link: https://lkml.kernel.org/r/20231010200442.GA16515@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Dylan Chang <dylan.chang@nothing.tech>
Change-Id: Ib2cc52566f43c3c10f694ce9c1c6a6569b4e2687
-
- Dec 21, 2023
-
-
Wu Bo authored
We found an issue under Android OTA scenario that many BIOs have to do FEC where the data under dm-verity is 100% complete and no corruption.

Android OTA has many dm-block layers, from upper to lower:

    dm-verity
    dm-snapshot
    dm-origin & dm-cow
    dm-linear
    ufs

DM tables have to change 2 times during Android OTA merging process. When doing table change, the dm-snapshot will be suspended for a while. During this interval, many readahead IOs are submitted to dm_verity from filesystem. Then the kverity works are busy doing FEC process which cost too much time to finish dm-verity IO. This causes needless delay which feels like system is hung.

After adding debugging it was found that each readahead IO needed around 10s to finish when this situation occurred. This is due to IO amplification:

    dm-snapshot suspend
    erofs_readahead     // 300+ io is submitted
        dm_submit_bio (dm_verity)
            dm_submit_bio (dm_snapshot)
            bio return EIO
            bio got nothing, it's empty
        verity_end_io
        verity_verify_io
        forloop range(0, io->n_blocks)    // each io->nblocks ~= 20
            verity_fec_decode
            fec_decode_rsb
            fec_read_bufs
            forloop range(0, v->fec->rsn) // v->fec->rsn = 253
                new_read
                submit_bio (dm_snapshot)
            end loop
        end loop
    dm-snapshot resume

Readahead BIOs get nothing while dm-snapshot is suspended, so all of them will cause verity's FEC. Each readahead BIO needs to verify ~20 (io->nblocks) blocks. Each block needs to do FEC, and every block needs to do 253 (v->fec->rsn) reads. So during the suspend interval(~200ms), 300 readahead BIOs trigger ~1518000 (300*20*253) IOs to dm-snapshot.

As readahead IO is not required by userspace, and to fix this issue, it is best to pass readahead errors to upper layer to handle it.

Cc: stable@vger.kernel.org
Fixes: a739ff3f ("dm verity: add support for forward error correction")
Bug: 316972624
Link: https://lore.kernel.org/dm-devel/b84fb49-bf63-3442-8c99-d565e134f2@redhat.com
Signed-off-by: Wu Bo <bo.wu@vivo.com>
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Akilesh Kailash <akailash@google.com>
(cherry picked from commit 0193e396)
Change-Id: I73560e5660cebdc1997e1f9926cbb8888789eb46
-
Florian Westphal authored
commit 317eb968 upstream. Otherwise set elements can be deactivated twice which will cause a crash. Bug: 316310313 Reported-by:
Xingyuan Mo <hdthky0@gmail.com> Fixes: 3c4287f6 ("nf_tables: Add set type for arbitrary concatenation of ranges") Signed-off-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 189c2a82) Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: I27fb6ee806642e23ca02700763a387341dd463e6
-
- Dec 20, 2023
-
-
Paul Lawrence authored
Bug: 292925770
Test: fuse_test run. The following steps on Android also now pass:

    Create /data/123 and /data/media/0/Android/data/45 directories
    Mount /data/123 directory to /data/media/0/Android/data/45 directory
    Create 1.txt under the /data/123 directory
    File 1.txt should appear in /storage/emulated/0/Android/data/45

Signed-off-by: Paul Lawrence <paullawrence@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:9323938705b42cb4dd863d5cf8022ba8f2282952)
Merged-In: I1fe27d743ca2981e624a9aa87d9ab6deb313aadc
Change-Id: I1fe27d743ca2981e624a9aa87d9ab6deb313aadc
-
- Dec 18, 2023
-
-
Norihiko Hama authored
Enabling CONFIG_NETFILTER_FAMILY_BRIDGE causes the new element, hooks_bridge[] to be added to netns_nf. Since the KMI is frozen this could not be added. The only instantiation of struct netns_nf is as an embedded field of struct net. So instead of adding the field to struct netns_nf, a new "struct ext_net" is added that contains struct net and the new hooks_bridge[] field. An accessor function, get_nf_hooks_bridge() is added to get a pointer to the new field. There is a global init_net of type struct net which must be special cased since it is not a member of a struct ext_net. All other instances of struct net are allocated via net_alloc() which now allocates a struct ext_net. Since CONFIG_NETFILTER_FAMILY_BRIDGE is a hidden config that is needed for vendor modules, it is enabled via init/Kconfig.gki. Bug: 316040984 Change-Id: I2c7384e3df9b88f12464dc0138986fed12ca626a Signed-off-by:
Norihiko Hama <Norihiko.Hama@alpsalpine.com>
-
- Dec 15, 2023
-
-
Lee Jones authored
Nothing fancy here. Keeping full history is not required. `git checkout mainline/master -- scripts/checkpatch.pl` This may need to be done periodically. Bug: 316492624 Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: I4c90b50197ca7277c59e96bf332ecf795c4f3d12
-
- Dec 14, 2023
-
-
Robin Murphy authored
It turns out there are more subtle races beyond just the main part of __iommu_probe_device() itself running in parallel - the dev_iommu_free() on the way out of an unsuccessful probe can still manage to trip up concurrent accesses to a device's fwspec. Thus, extend the scope of iommu_probe_device_lock() to also serialise fwspec creation and initial retrieval. Reported-by:
Zhenhua Huang <quic_zhenhuah@quicinc.com> Link: https://lore.kernel.org/linux-iommu/e2e20e1c-6450-4ac5-9804-b0000acdf7de@quicinc.com/ Fixes: 01657bc1 ("iommu: Avoid races around device probe") Signed-off-by:
Robin Murphy <robin.murphy@arm.com> Bug: 316312210 Bug: 308940593 Link: https://lore.kernel.org/all/16f433658661d7cadfea51e7c65da95826112a2b.1700071477.git.robin.murphy@arm.com/ Change-Id: I461df05b03644cb93bc93599cb9f5464bf893923 Signed-off-by:
André Draszik <draszik@google.com> Signed-off-by:
Srinivasarao Pathipati <quic_c_spathi@quicinc.com>
-
Aran Dalton authored
The USB Type-C Cable and Connector Specification defines the wire connections for the USB Type-C to USB 2.0 Standard-A cable assembly (Release 2.2, Chapter 3.5.2). The Notes says that Pin A5 (CC) of the USB Type-C plug shall be connected to Vbus through a resistor Rp.

However, there is a large amount of such double Rp connected to Vbus non-standard cables which produced by UGREEN circulating on the market, and it can affect the normal operations of the state machine easily, especially to CC1 and CC2 be pulled up at the same time. In fact, we can regard those cables as sink to avoid abnormal state.

Message as follow:

    [ 58.900212] VBUS on
    [ 59.265433] CC1: 0 -> 3, CC2: 0 -> 3 [state TOGGLING, polarity 0, connected]
    [ 62.623308] CC1: 3 -> 0, CC2: 3 -> 0 [state TOGGLING, polarity 0, disconnected]
    [ 62.625006] VBUS off
    [ 62.625012] VBUS VSAFE0V

Signed-off-by: Michael Wu <michael@allwinnertech.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20230920063030.66312-1-michael@allwinnertech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 311131373
(cherry picked from commit dbc1defe)
Signed-off-by: Aran Dalton <arda@allwinnertech.com>
Change-Id: I1a7b897bfc9557b4518442d098aca7504bb49187
-
- Dec 13, 2023
-
-
liwei authored
add two symbol to oplus symbol list, which already EXPORTED 1. static_key_enable 2. static_key_disable Bug: 312913816 Change-Id: Icbf000a670f5db32b1f45ce0d25d5d48600747ec Signed-off-by:
liwei <liwei1234@oppo.com>
-
liwei authored
2 function symbol(s) added 'int __traceiter_android_vh_vmscan_kswapd_done(void *, int, unsigned int, unsigned int, unsigned int)' 'int __traceiter_mm_vmscan_kswapd_wake(void *, int, int, int)' 2 variable symbol(s) added 'struct tracepoint __tracepoint_android_vh_vmscan_kswapd_done' 'struct tracepoint __tracepoint_mm_vmscan_kswapd_wake' Bug: 309352303 Change-Id: I1ef24cb506c4bfa2a1d0b26c7104ac2195be8fe8 Signed-off-by:
liwei <liwei1234@oppo.com>
-
liwei authored
export tracepoint symbol trace_mm_vmscan_kswapd_wake so we can hook it in our ko to capture some kswapd running info. Bug: 309352303 Change-Id: Ieb37f544502f33e708dacda6cbb552792dfbbc6b Signed-off-by:
liwei <liwei1234@oppo.com>
-
liwei authored
To monitor the reclaiming ability of kswapd, add vendor hook recording when the kswapd finish the reclaiming job and the reclaim progress. android_vh_vmscan_kswpad_done(int, unsigned int, unsigned int, unsigned int) Bug: 301044280 Change-Id: Id6e0a97003f0a156cff4d0996bc38bcd89b1dc69 Signed-off-by:
John Hsu <john.hsu@mediatek.com> Signed-off-by:
liwei <liwei1234@oppo.com>
-
Lee Jones authored
This reverts commit 34ab3c63. Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: I9690155270178cb84d09eff7899eba89d94ffecb
-
Lee Jones authored
This reverts commit c1ac0c4c. Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: Ib5bf80e4402521097db6a2ef589cea9ac71370ff
-
Lee Jones authored
This reverts commit 01b6b46d. Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: Ic0a1dfedb74d3a14ad3aeea1281751448b6139f2
-
Lee Jones authored
This reverts commit 037015c5. Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: I881c8aa254cc071cb6c37da807f86b7e65e6e853
-
Lee Jones authored
This reverts commit c86c5b5b. Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: I8aaa5976ac4e8bc4e0e01d34ab172e2e806264b3
-
Lee Jones authored
This reverts commit 63d8d65c. Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: I449002bf7b37e1ced9ac4ee3704a9352e2354937
-
Lee Jones authored
This reverts commit 3d465781. Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: Id7e4add39ce0eceb652e0ad67052d42be17f01f9
-
Lee Jones authored
This reverts commit c8b576b6. Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: Ib533188fa4ddf5cebcb2b2cca51a4bb7f9e7470b
-
Lee Jones authored
This reverts commit c23c3349. Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: Iaae7d69e96905bebf423c810191c14abf2889dfc
-
Lee Jones authored
This reverts commit 6b3a7a04. Change-Id: Ida3dcbebeb381b59130f32acd531ba31f5e62587 Signed-off-by:
Lee Jones <joneslee@google.com>
-
Lee Jones authored
This reverts commit e0ce4ed8. Change-Id: I7065d49e676018425e6fccfcd732c6aa489bf839 Signed-off-by:
Lee Jones <joneslee@google.com>
-
Lee Jones authored
This reverts commit ad645b07. Change-Id: I247c417d309e27a590fcc23068a5edcf845d276f Signed-off-by:
Lee Jones <joneslee@google.com>
-
Lee Jones authored
This reverts commit 710e41c4. Change-Id: I03af737f10fceed91ad4bda8e4a425e1903bd13c Signed-off-by:
Lee Jones <joneslee@google.com>
-