1 function symbol(s) added
  'int __traceiter_scsi_dispatch_cmd_start(void*, struct scsi_cmnd*)'

Bug: 374933205
Bug: 351275734
Change-Id: I7a11f990160142a9b5c0e1894d8de12d71738d59
Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com>
(cherry picked from commit 0775e862)

Export some  tracepoints for vendor modules to track file
write processes related to user scenarios, and improve system
performance by increasing the I/O priority of critical file pages.

Bug: 374933205
Bug: 351275734
Change-Id: Ie25420d2c655b859be4c24a532012290a3aed80d
Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com>
(cherry picked from commit d893627a)

In some cases VMAs are split without the mmap write lock held;
later the lock is taken to fixup vm_flags of the original VMA.
Since some uppper bits of vm_flags are used to encode the ELF
padding ranges, they need to be modified on splits. This is
usually handled correctly by __split_vma(). However in the above
case, the flags get over witten later under the write lock.

Preserve vm_flag bits on reset to correctly represent padding.
Bug: 374933205
Bug: 357901498
Change-Id: I1cb75419e614791a47cbdb0341373f619daf0bf2
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
(cherry picked from commit 4e714a20)

Introduce inline header to avoid circular dependency. This
will be used in a subsequent patch.

Also take opportunity to do some small noop refactor in
vma_pad_pages() and split_pad_vma() for more robust code.

Bug: 374933205
Bug: 357901498
Change-Id: Ia5f447758d0d07ed3e1429ca1e35dcc0741cc22a
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
(cherry picked from commit 7b43073a)

commit 3b3a2a9c upstream.

If netem_dequeue() enqueues packet to inner qdisc and that qdisc
returns __NET_XMIT_STOLEN. The packet is dropped but
qdisc_tree_reduce_backlog() is not called to update the parent's
q.qlen, leading to the similar use-after-free as Commit
e04991a48dbaf382 ("netem: fix return value if duplicate enqueue
fails")

Commands to trigger KASAN UaF:

ip link add type dummy
ip link set lo up
ip link set dummy0 up
tc qdisc add dev lo parent root handle 1: drr
tc filter add dev lo parent 1: basic classid 1:1
tc class add dev lo classid 1:1 drr
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2: handle 3: drr
tc filter add dev lo parent 3: basic classid 3:1 action mirred egress
redirect dev dummy0
tc class add dev lo classid 3:1 drr
ping -c1 -W0.01 localhost # Trigger bug
tc class del dev lo classid 1:1
tc class add dev lo classid 1:1 drr
ping -c1 -W0.01 localhost # UaF

Bug: 374933205
Fixes: 50612537 ("netem: fix classful handling")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Change-Id: Ibed65179fdaef5d4a4161814390d93a980d6c03a
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Link: https://patch.msgid.link/20240901182438.4992-1-stephen@networkplumber.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry-pick from commit dde33a9d)

commit 5ceac440 upstream.

When multiple streams are in use, multiple TDs might be in flight when
an endpoint is stopped. We need to issue a Set TR Dequeue Pointer for
each, to ensure everything is reset properly and the caches cleared.
Change the logic so that any N>1 TDs found active for different streams
are deferred until after the first one is processed, calling
xhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to
queue another command until we are done with all of them. Also change
the error/"should never happen" paths to ensure we at least clear any
affected TDs, even if we can't issue a command to clear the hardware
cache, and complain loudly with an xhci_warn() if this ever happens.

This problem case dates back to commit e9df17eb ("USB: xhci: Correct
assumptions about number of rings per endpoint.") early on in the XHCI
driver's life, when stream support was first added.
It was then identified but not fixed nor made into a warning in commit
674f8438 ("xhci: split handling halted endpoints into two steps"),
which added a FIXME comment for the problem case (without materially
changing the behavior as far as I can tell, though the new logic made
the problem more obvious).

Then later, in commit 94f33914 ("xhci: Fix failure to give back some
cached cancelled URBs."), it was acknowledged again.

[Mathias: commit 94f33914 ("xhci: Fix failure to give back some cached
cancelled URBs.") was a targeted regression fix to the previously mentioned
patch. Users reported issues with usb stuck after unmounting/disconnecting
UAS devices. This rolled back the TD clearing of multiple streams to its
original state.]

Apparently the commit author was aware of the problem (yet still chose
to submit it): It was still mentioned as a FIXME, an xhci_dbg() was
added to log the problem condition, and the remaining issue was mentioned
in the commit description. The choice of making the log type xhci_dbg()
for what is, at this point, a completely unhandled and known broken
condition is puzzling and unfortunate, as it guarantees that no actual
users would see the log in production, thereby making it nigh
undebuggable (indeed, even if you turn on DEBUG, the message doesn't
really hint at there being a problem at all).

It took me *months* of random xHC crashes to finally find a reliable
repro and be able to do a deep dive debug session, which could all have
been avoided had this unhandled, broken condition been actually reported
with a warning, as it should have been as a bug intentionally left in
unfixed (never mind that it shouldn't have been left in at all).

> Another fix to solve clearing the caches of all stream rings with
> cancelled TDs is needed, but not as urgent.

3 years after that statement and 14 years after the original bug was
introduced, I think it's finally time to fix it. And maybe next time
let's not leave bugs unfixed (that are actually worse than the original
bug), and let's actually get people to review kernel commits please.

Fixes xHC crashes and IOMMU faults with UAS devices when handling
errors/faults. Easiest repro is to use `hdparm` to mark an early sector
(e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop.
At least in the case of JMicron controllers, the read errors end up
having to cancel two TDs (for two queued requests to different streams)
and the one that didn't get cleared properly ends up faulting the xHC
entirely when it tries to access DMA pages that have since been unmapped,
referred to by the stale TDs. This normally happens quickly (after two
or three loops). After this fix, I left the `cat` in a loop running
overnight and experienced no xHC failures, with all read errors
recovered properly. Repro'd and tested on an Apple M1 Mac Mini
(dwc3 host).

On systems without an IOMMU, this bug would instead silently corrupt
freed memory, making this a security bug (even on systems with IOMMUs
this could silently corrupt memory belonging to other USB devices on the
same controller, so it's still a security bug). Given that the kernel
autoprobes partition tables, I'm pretty sure a malicious USB device
pretending to be a UAS device and reporting an error with the right
timing could deliberately trigger a UAF and write to freed memory, with
no user action.

[Mathias: Commit message and code comment edit, original at:]
https://lore.kernel.org/linux-usb/20240524-xhci-streams-v1-1-6b1f13819bea@marcan.st/



Bug: 374933205
Fixes: e9df17eb ("USB: xhci: Correct assumptions about number of rings per endpoint.")
Fixes: 94f33914 ("xhci: Fix failure to give back some cached cancelled URBs.")
Fixes: 674f8438 ("xhci: split handling halted endpoints into two steps")
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Reviewed-by: Neal Gompa <neal@gompa.dev>
Change-Id: I4faad8f8bb633472e0f8d3e1dde8963fda7e288b
Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20240611120610.3264502-5-mathias.nyman@linux.intel.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 949be4ec)

1 function symbol(s) added
  'int __traceiter_android_rvh_update_cpus_allowed(void*, struct task_struct*, struct cpumask*, const struct cpumask*, int*)'

1 variable symbol(s) added
  'struct tracepoint __tracepoint_android_rvh_update_cpus_allowed'

Bug: 355095092
Bug: 375375781
Bug: 375376470
Bug: 375370937
Change-Id: Iefc09546e3312afcbe0942558dad4a534d3bb6ea
Signed-off-by: xiaofeng <xiaofeng5@xiaomi.com>
(cherry picked from commit abe66e77)

Vendors might want to change tasks affinity settings when they are
moving from one cpuset into the other. Add vendor hook to give control
to vendor to implement what they need.

This reverts commit a42f6e7d("Revert "ANDROID: sched/cpuset: Add
vendor hook to change tasks affinity"") to effectively bring back the
original change.

Bug: 323765868
Bug: 375376470
Bug: 375370937
Change-Id: I47c1ee0dabda491732932c653bd80e95ee550791
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
Signed-off-by: Sai Harshini Nimmala <quic_snimmala@quicinc.com>
(cherry picked from commit 77277e4b)
(cherry picked from commit 59502f88)

4 function symbol(s) added
  'int __traceiter_android_vh_wq_queue_work(void*, struct work_struct *, char *, unsigned int, unsigned int)'
  'int __traceiter_android_vh_wq_wake_idle_worker(void*, struct task_struct *, struct work_struct *)'

4 variable symbol(s) added
  'struct tracepoint __tracepoint_android_vh_wq_queue_work'
  'struct tracepoint __tracepoint_android_vh_wq_wake_idle_worker'

Bug: 374015971
Bug: 375071856
Change-Id: I3aac930e7a0e07cc59c87d792a609ff201092ff1
Signed-off-by: liulu liu <liulu.liu@honor.corp-partner.google.com>
(cherry picked from commit e09a6513)

Add hooks in __queue_work() and process_one_work() to record
the working status and execution time of each delegated work.

Also add hooks in kick_pool() to allow us to know the next worker
and the first work, which is used to apply specific scheduling
policies to worker.

Bug: 374015971
Bug: 375071856
Change-Id: Id84541461b5f37300b5cad1cfbef4533aa0390d5
Signed-off-by: liulu liu <liulu.liu@honor.corp-partner.google.com>
(cherry picked from commit 69c4e483)

3 function symbol(s) added
  'int __traceiter_android_vh_blk_mq_delay_run_hw_queue(void*, int, struct blk_mq_hw_ctx*, unsigned long, bool*)'
  'int __traceiter_android_vh_blk_mq_kick_requeue_list(void*, struct request_queue*, unsigned long, bool*)'
  'int kblockd_mod_delayed_work_on(int, struct delayed_work*, unsigned long)'

2 variable symbol(s) added
  'struct tracepoint __tracepoint_android_vh_blk_mq_delay_run_hw_queue'
  'struct tracepoint __tracepoint_android_vh_blk_mq_kick_requeue_list'

Bug: 372168987
Bug: 374890311
Change-Id: I6176c212e984d6312a9ed357e7433f0ade22b57a
Signed-off-by: Yang Yang <yang.yang@vivo.com>
(cherry picked from commit 0f227407)

Introduce vendor hooks to determine which workqueue should be assigned
to a task based on its priority

Bug: 372168987
Bug: 374890311
Change-Id: I81f4d48f5f53021744c87524d412d9593745ffed
Signed-off-by: Yang Yang <yang.yang@vivo.com>
(cherry picked from commit baf74b82)

1 function symbol(s) update:
'u64 notrace get_dup_sched_clock(void);'

Bug: 373007513
Bug: 374913588
Change-Id: Ib4cc28d0109caaf952d316946cc503312ee1ae91
Signed-off-by: longwei <longwei.lw@vivo.corp-partner.google.com>
Signed-off-by: renchenghan <renchenghan@vivo.corp-partner.google.com>
(cherry picked from commit a5d47e12)

Add symbol get_dup_sched_clock to get latest copy of sched_clock.

Bug: 373007513
Bug: 374913588
Change-Id: I58fa9e7bb21fea09e854b9b8d4fc783ab7a5a962
Signed-off-by: longwei <longwei.lw@vivo.corp-partner.google.com>
Signed-off-by: renchenghan <renchenghan@vivo.corp-partner.google.com>
(cherry picked from commit 165f9422)

All zone append writes to a zone of a zoned block device will
have the same BIO sector, the start of the zone. When the
cypher IV mode uses sector values, all data targeting a
zone will be encrypted using the first sector numbers of the
zone. This will not result in write errors but will
cause most reads to fail as reads will use the sector values
for the actual data locations, resulting in IV mismatch.
To avoid this problem, ask DM core to emulate zone append
operations with regular writes.

Bug: 374251833
Bug: 374633526

Change-Id: I620687c41d04e9ea1f54c5037dae97ddd5bb67eb
Signed-off-by: LongPing Wei <weilongping@oppo.com>
(cherry picked from commit e9ae1809)

If curseg is not the first segment in its zone, the zone is not empty.
A new section should be allocated and avoid resetting the old zone.

Bug: 374633526

Reviewed-by: Chao Yu <chao@kernel.org>
Change-Id: I4234c4396ddabda60b7e42e3ccc9258872607a31
Signed-off-by: Sheng Yong <shengyong@oppo.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 76da333f)
(cherry picked from commit d5be8826)

For the fine tuning of GC behavior, add reserved_segments sysfs node.

Bug: 374633526

Change-Id: Ibe7b050377109a16953cb70783ae0c51b1508865
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 4cdca5a9)

get_ckpt_valid_blocks() checks valid ckpt blocks in current section.
It counts all vblocks from the first to the last segment in the
large section. However, START_SEGNO() is used to get the first segno
in an SIT block. This patch fixes that to get the correct start segno.

Fixes: 61461fc9 ("f2fs: fix to avoid touching checkpointed data in get_victim()")

Bug: 374254428

Change-Id: I9a94664d68b2661cb04e9e630e0d37d2887b1299
Signed-off-by: Sheng Yong <shengyong@oppo.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 8c409989)
(cherry picked from commit 38a446d5)

[ Upstream commit 9b4667ea ]

In v4l2_async_create_ancillary_links(), ancillary links are created for
lens and flash sub-devices. These are sub-device to sub-device links and
if the async notifier is related to a V4L2 device, the source sub-device
of the ancillary link is NULL, leading to a NULL pointer dereference.
Check the notifier's sd field is non-NULL in
v4l2_async_create_ancillary_links().

Bug: 373592534
Fixes: aa4faf6e ("media: v4l2-async: Create links during v4l2_async_match_notify()")
Change-Id: I76b4f1afe4c306d14c6f2bead867b507062cc2e5
Signed-off-by: ChiYuan Huang <cy_huang@richtek.com>
[Sakari Ailus: Reword the subject and commit messages slightly.]
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
(cherry picked from commit 249212ce)

[ Upstream commit cc5645fd ]

There is a possibility of buffer overflow in
show_rcu_tasks_trace_gp_kthread() if counters, passed
to sprintf() are huge. Counter numbers, needed for this
are unrealistically high, but buffer overflow is still
possible.

Use snprintf() with buffer size instead of sprintf().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Bug: 373592534
Fixes: edf3775f ("rcu-tasks: Add count for idle tasks on offline CPUs")
Change-Id: I4e1a7a8763a753e7d2428a39b9bb8f12330309f4
Signed-off-by: Nikita Kiryushin <kiryushin@ancud.ru>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 32d988f4)

[ Upstream commit ccb326b5 ]

Running syzkaller with the newly reintroduced signed integer overflow
sanitizer shows this report:

[   62.982337] ------------[ cut here ]------------
[   62.985692] cgroup: Invalid name
[   62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46
[   62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1
[   62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long'
[   62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1
[   62.999369] random: crng reseeded on system resumption
[   63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000)
[   63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[   63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   63.000682] Call Trace:
[   63.000686]  <TASK>
[   63.000731]  dump_stack_lvl+0x93/0xd0
[   63.000919]  __get_user_pages+0x903/0xd30
[   63.001030]  __gup_longterm_locked+0x153e/0x1ba0
[   63.001041]  ? _raw_read_unlock_irqrestore+0x17/0x50
[   63.001072]  ? try_get_folio+0x29c/0x2d0
[   63.001083]  internal_get_user_pages_fast+0x1119/0x1530
[   63.001109]  iov_iter_extract_pages+0x23b/0x580
[   63.001206]  bio_iov_iter_get_pages+0x4de/0x1220
[   63.001235]  iomap_dio_bio_iter+0x9b6/0x1410
[   63.001297]  __iomap_dio_rw+0xab4/0x1810
[   63.001316]  iomap_dio_rw+0x45/0xa0
[   63.001328]  ext4_file_write_iter+0xdde/0x1390
[   63.001372]  vfs_write+0x599/0xbd0
[   63.001394]  ksys_write+0xc8/0x190
[   63.001403]  do_syscall_64+0xd4/0x1b0
[   63.001421]  ? arch_exit_to_user_mode_prepare+0x3a/0x60
[   63.001479]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   63.001535] RIP: 0033:0x7f7fd3ebf539
[   63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539
[   63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004
[   63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000
[   63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8
...
[   63.018142] ---[ end trace ]---

Historically, the signed integer overflow sanitizer did not work in the
kernel due to its interaction with `-fwrapv` but this has since been
changed [1] in the newest version of Clang; It was re-enabled in the
kernel with Commit 557f8c58 ("ubsan: Reintroduce signed overflow
sanitizer").

Let's rework this overflow checking logic to not actually perform an
overflow during the check itself, thus avoiding the UBSAN splat.

[1]: https://github.com/llvm/llvm-project/pull/82432



Bug: 373592534
Change-Id: Id740af2df4f989ec92a907b48b79bf10e39507dd
Signed-off-by: Justin Stitt <justinstitt@google.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20240507-b4-sio-block-ioctl-v3-1-ba0c2b32275e@google.com


Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit fd841ee0)

[ Upstream commit 1e1fdcbd ]

There are two issues around seqpacket_allow:
1. seqpacket_allow is not initialized when socket is
   created. Thus if features are never set, it will be
   read uninitialized.
2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared,
   then seqpacket_allow will not be cleared appropriately
   (existing apps I know about don't usually do this but
    it's legal and there's no way to be sure no one relies
    on this).

To fix:
	- initialize seqpacket_allow after allocation
	- set it unconditionally in set_features

Bug: 373592534
Reported-by:  <syzbot+6c21aeb59d0e82eb2782@syzkaller.appspotmail.com>
Reported-by: Jeongjun Park <aha310510@gmail.com>
Fixes: ced7b713 ("vhost/vsock: support SEQPACKET for transport").
Tested-by: Arseny Krasnov <arseny.krasnov@kaspersky.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20240422100010-mutt-send-email-mst@kernel.org>
Change-Id: Id21647a996099fc425713e202677d4ce8e754928
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Eugenio Pérez <eperezma@redhat.com>
Acked-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 30bd4593)

commit 9537a842 upstream.

The notifier_entry of a notifier is not re-initialised after unregistering
the notifier. This leads to dangling pointers being left there so use
list_del_init() to return the notifier_entry an empty list.

Bug: 373592534
Fixes: b8ec754a ("media: v4l: async: Set v4l2_device and subdev in async notifier init")
Cc: <stable@vger.kernel.org> # for 6.6 and later
Change-Id: Ic0c0f05232983bf5029fe13415aaa150ee4179fe
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
(cherry picked from commit 87100b09)

This commit addresses an issue where the USB core could access an
invalid event buffer address during runtime suspend, potentially causing
SMMU faults and other memory issues in Exynos platforms. The problem
arises from the following sequence.
        1. In dwc3_gadget_suspend, there is a chance of a timeout when
        moving the USB core to the halt state after clearing the
        run/stop bit by software.
        2. In dwc3_core_exit, the event buffer is cleared regardless of
        the USB core's status, which may lead to an SMMU faults and
        other memory issues. if the USB core tries to access the event
        buffer address.

To prevent this hardware quirk on Exynos platforms, this commit ensures
that the event buffer address is not cleared by software  when the USB
core is active during runtime suspend by checking its status before
clearing the buffer address.

Bug: 373592534
Cc: stable <stable@kernel.org>
Change-Id: I6e913df0bbaed6cdddc4da794dd6b66efdae8d52
Signed-off-by: Selvarasu Ganesan <selvarasu.g@samsung.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20240815064836.1491-1-selvarasu.g@samsung.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 7bb11a75)

commit 8a9d4201 upstream.

The graph walk tries to follow all links, even if they are not between
pads. This causes a crash with, e.g. a MEDIA_LNK_FL_ANCILLARY_LINK link.

Fix this by allowing the walk to proceed only for MEDIA_LNK_FL_DATA_LINK
links.

Bug: 373592534
Change-Id: Ie726616d9f33a77fa930a14f58e97e52305293d1
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Cc: stable@vger.kernel.org # for 6.1 and later
Fixes: ae219872 ("media: mc: entity: Rewrite media_pipeline_start()")
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
(cherry picked from commit e80d9db9)

1 function symbol(s) added
  'int __traceiter_android_rvh_dma_buf_stats_teardown(void*, struct dma_buf_sysfs_entry*, bool*)'

1 variable symbol(s) added
  'struct tracepoint __tracepoint_android_rvh_dma_buf_stats_teardown'

Bug: 254192604
Bug: 373555192
Change-Id: I9a641890d5aa92bd82ec83adfc3d5921e141e89d
Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com>

This vendor hook allows for the sysfs activity associated with
dma-buf-sysfs-stats teardowns to be performed asynchronously similar
to how the initialization works.

Bug: 254192604
Bug: 373555192
Signed-off-by: T.J. Mercier <tjmercier@google.com>
Change-Id: Ie076d0f8f67b96a97c71d9e6bf90539ebd9807bf

We don't need to handle them separately. Instead, just let them
decompose/casefold to themselves.

Change-Id: I01c3f2c98ae4d84269586cec09f18239cbee0abb
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
(cherry picked from commit 5c26d2f1)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Signed-off-by: Lee Jones <joneslee@google.com>

Detect gso fraglist skbs with corrupted geometry (see below) and
pass these to skb_segment instead of skb_segment_list, as the first
can segment them correctly.

Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size

Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify these skbs, breaking these invariants.

In extreme cases they pull all data into skb linear. For UDP, this
causes a NULL ptr deref in __udpv4_gso_segment_list_csum at
udp_hdr(seg->next)->dest.

Detect invalid geometry due to pull, by checking head_skb size.
Don't just drop, as this may blackhole a destination. Convert to be
able to pass to regular skb_segment.

Link: https://lore.kernel.org/netdev/20240428142913.18666-1-shiming.cheng@mediatek.com/


Fixes: 9fd1ff5d ("udp: Support UDP fraglist GRO/GSO.")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20241001171752.107580-1-willemdebruijn.kernel@gmail.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Bug: 373244724
Bug: 333849117
Change-Id: I5a317e002f149cf9d399dce9bf87cd649a24da19
(cherry picked from commit a1e40ac5)
Signed-off-by: Lena Wang <lena.wang@mediatek.corp-partner.google.com>
(cherry picked from commit 42c2d1ea)

White list the __tracepoint_android_vh_should_memcg_bypass symbol.

1 function symbol(s) added
  'int __traceiter_android_vh_should_memcg_bypass(void*, struct mem_cgroup*, int, bool*)'

1 variable symbol(s) added
  'struct tracepoint __tracepoint_android_vh_should_memcg_bypass'

Bug: 369921205
Bug: 370263554
Change-Id: I13ae1efde783bb440fa0cbab5b436d522d58d2a2
Signed-off-by: yipeng xiang <yipengxiang@honor.corp-partner.google.com>
(cherry picked from commit b5c719f9)

Add vendor hook to determine whether a memcg should be recalimed.
Avoid import memcg file pages are frequently reclaimed.

Bug: 369921205
Bug: 370263554
Change-Id: Iac4abcf3a59a9c26ef9895a8f0d35aa6b6c26776
Signed-off-by: yipeng xiang <yipengxiang@honor.corp-partner.google.com>

syzbot reports a f2fs bug as below:

BUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46
Read of size 4 at addr ffff8880739ab220 by task syz-executor200/5097

CPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46
 do_read_inode fs/f2fs/inode.c:509 [inline]
 f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560
 f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237
 generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413
 exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444
 exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584
 do_handle_to_path fs/fhandle.c:155 [inline]
 handle_to_path fs/fhandle.c:210 [inline]
 do_handle_open+0x495/0x650 fs/fhandle.c:226
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

We missed to cover sanity_check_extent_cache() w/ extent cache lock,
so, below race case may happen, result in use after free issue.

- f2fs_iget
 - do_read_inode
  - f2fs_init_read_extent_tree
  : add largest extent entry in to cache
					- shrink
					 - f2fs_shrink_read_extent_tree
					  - __shrink_extent_tree
					   - __detach_extent_node
					   : drop largest extent entry
  - sanity_check_extent_cache
  : access et->largest w/o lock

let's refactor sanity_check_extent_cache() to avoid extent cache access
and call it before f2fs_init_read_extent_tree() to fix this issue.

Bug: 370263554
Reported-by:  <syzbot+74ebe2104433e9dc610d@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/linux-f2fs-devel/00000000000009beea061740a531@google.com


Change-Id: Iea5ecace287c7740c48e38daf3e5397e51ea044b
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit d7409b05)

[ Upstream commit 1b3ec4f7 ]

Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().
The request pointer had been changed earlier to point to a lock entry
that was added to the inode's list. However, before the tracepoint could
fire, another task raced in and freed that lock.

Fix this by moving the tracepoint inside the spinlock, which should
ensure that this doesn't happen.

Bug: 370263554
Fixes: 74f6f591 ("locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock")
Link: https://lore.kernel.org/linux-fsdevel/724ffb0a2962e912ea62bb0515deadf39c325112.camel@kernel.org/


Reported-by: Light Hsieh (謝明燈) <Light.Hsieh@mediatek.com>
Change-Id: I59f2653b8041f2d8397f5e95538432ac303f349a
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Link: https://lore.kernel.org/r/20240702-filelock-6-10-v1-1-96e766aadc98@kernel.org


Reviewed-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>

commit f50733b4 upstream.

When opening a file for exec via do_filp_open(), permission checking is
done against the file's metadata at that moment, and on success, a file
pointer is passed back. Much later in the execve() code path, the file
metadata (specifically mode, uid, and gid) is used to determine if/how
to set the uid and gid. However, those values may have changed since the
permissions check, meaning the execution may gain unintended privileges.

For example, if a file could change permissions from executable and not
set-id:

---------x 1 root root 16048 Aug  7 13:16 target

to set-id and non-executable:

---S------ 1 root root 16048 Aug  7 13:16 target

it is possible to gain root privileges when execution should have been
disallowed.

While this race condition is rare in real-world scenarios, it has been
observed (and proven exploitable) when package managers are updating
the setuid bits of installed programs. Such files start with being
world-executable but then are adjusted to be group-exec with a set-uid
bit. For example, "chmod o-x,u+s target" makes "target" executable only
by uid "root" and gid "cdrom", while also becoming setuid-root:

-rwxr-xr-x 1 root cdrom 16048 Aug  7 13:16 target

becomes:

-rwsr-xr-- 1 root cdrom 16048 Aug  7 13:16 target

But racing the chmod means users without group "cdrom" membership can
get the permission to execute "target" just before the chmod, and when
the chmod finishes, the exec reaches brpm_fill_uid(), and performs the
setuid to root, violating the expressed authorization of "only cdrom
group members can setuid to root".

Re-check that we still have execute permissions in case the metadata
has changed. It would be better to keep a copy from the perm-check time,
but until we can do that refactoring, the least-bad option is to do a
full inode_permission() call (under inode lock). It is understood that
this is safe against dead-locks, but hardly optimal.

Bug: 370263554
Reported-by: Marco Vanotti <mvanotti@google.com>
Tested-by: Marco Vanotti <mvanotti@google.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable@vger.kernel.org
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Signed-off-by: Kees Cook <kees@kernel.org>
Change-Id: Ic16e3dfb9bc90ab6fb76188cbdd9b9d95ef1894c

commit 6d8acd02 upstream.

struct v4l2_async_notifier has several list_head members, but only
waiting_list and done_list are initialized. notifier_entry was kept
'zeroed' leading to an uninitialized list_head.
This results in a NULL-pointer dereference if csi2_async_register() fails,
e.g. node for remote endpoint is disabled, and returns -ENOTCONN.
The following calls to v4l2_async_nf_unregister() results in a NULL
pointer dereference.
Add the missing list head initializer.

Bug: 370263554
Fixes: b8ec754a ("media: v4l: async: Set v4l2_device and subdev in async notifier init")
Cc: <stable@vger.kernel.org> # for 6.6 and later
Change-Id: I0372bbeeddcb42f74ce8316750049c7e6839c450
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>

We may trigger high frequent checkpoint for below case:
1. mkdir /mnt/dir1; set dir1 encrypted
2. touch /mnt/file1; fsync /mnt/file1
3. mkdir /mnt/dir2; set dir2 encrypted
4. touch /mnt/file2; fsync /mnt/file2
...

Although, newly created dir and file are not related, due to
commit bbf156f7 ("f2fs: fix lost xattrs of directories"), we will
trigger checkpoint whenever fsync() comes after a new encrypted dir
created.

In order to avoid such performance regression issue, let's record an
entry including directory's ino in global cache whenever we update
directory's xattr data, and then triggerring checkpoint() only if
xattr metadata of target file's parent was updated.

This patch updates to cover below no encryption case as well:
1) parent is checkpointed
2) set_xattr(dir) w/ new xnid
3) create(file)
4) fsync(file)

Bug: 370263554
Fixes: bbf156f7 ("f2fs: fix lost xattrs of directories")
Reported-by: wangzijie <wangzijie1@honor.com>
Reported-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Tested-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Reported-by: Yunlei He <heyunlei@hihonor.com>
Change-Id: I5c9ba153aa2fc6b3ea65bc33ba887a99442fc133
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit aaf8c0b9)
(cherry picked from commit 65ed3483)

syzbot reports a f2fs bug as below:

Change-Id: If5e353ff6d4ea2afd8850f9005c352d067a0b38b

------------[ cut here ]------------
kernel BUG at fs/f2fs/inline.c:258!
CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0
RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258
Call Trace:
 f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834
 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline]
 __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline]
 f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315
 do_writepages+0x35b/0x870 mm/page-writeback.c:2612
 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650
 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941
 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117
 wb_do_writeback fs/fs-writeback.c:2264 [inline]
 wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304
 process_one_work kernel/workqueue.c:3254 [inline]
 process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
 kthread+0x2f2/0x390 kernel/kthread.c:388
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The root cause is: inline_data inode can be fuzzed, so that there may
be valid blkaddr in its direct node, once f2fs triggers background GC
to migrate the block, it will hit f2fs_bug_on() during dirty page
writeback.

Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC,
so that, it can forbid migrating inline_data inode's data block for
fixing.

Bug: 370263554
Reported-by:  <syzbot+848062ba19c8782ca5c8@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/linux-f2fs-devel/000000000000d103ce06174d7ec3@google.com


Change-Id: I2902af4a208fc254bdb874390583ed9ffcba1e45
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit fc01008c)

On some SoC's like SA8295P where the tertiary controller is host-only
capable, GEVTADDRHI/LO, GEVTSIZ, GEVTCOUNT registers are not accessible.
Trying to access them leads to a crash.

For DRD/Peripheral supported controllers, event buffer setup is done
again in gadget_pullup. Skip setup or cleanup of event buffers if
controller is host-only capable.

Suggested-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20240420044901.884098-4-quic_kriskura@quicinc.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

(cherry picked from commit 89d7f962
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

 master)
Bug: 370263554
Bug: 363901338
Bug: 233985973
Change-Id: I66bccca575b3524b8e446f38b154d2434335a65d
Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
(cherry picked from commit f6b99539)
(cherry picked from commit cf502a22)

Keep atomic file clean while updating and make it dirtied during commit
in order to avoid unnecessary and excessive inode updates in the previous
fix.

Fixes: 4bf78322 ("f2fs: mark inode dirty for FI_ATOMIC_COMMITTED flag")

Bug: 372260490
Change-Id: Ia65957ef9632fb8e3664d097ecd0c3af6a768802
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit fccaa81d)
(cherry picked from commit 57244e8b)

Case #1:
SQLite App		GC Thread		Kworker		Shrinker
- f2fs_ioc_start_atomic_write

- f2fs_ioc_commit_atomic_write
 - f2fs_commit_atomic_write
  - filemap_write_and_wait_range
  : write atomic_file's data to cow_inode
								echo 3 > drop_caches
								to drop atomic_file's
								cache.
			- f2fs_gc
			 - gc_data_segment
			  - move_data_page
			   - set_page_dirty

						- writepages
						 - f2fs_do_write_data_page
						 : overwrite atomic_file's data
						   to cow_inode
  - f2fs_down_write(&fi->i_gc_rwsem[WRITE])
  - __f2fs_commit_atomic_write
  - f2fs_up_write(&fi->i_gc_rwsem[WRITE])

Case #2:
SQLite App		GC Thread		Kworker
- f2fs_ioc_start_atomic_write

						- __writeback_single_inode
						 - do_writepages
						  - f2fs_write_cache_pages
						   - f2fs_write_single_data_page
						    - f2fs_do_write_data_page
						    : write atomic_file's data to cow_inode
			- f2fs_gc
			 - gc_data_segment
			  - move_data_page
			   - set_page_dirty

						- writepages
						 - f2fs_do_write_data_page
						 : overwrite atomic_file's data to cow_inode
- f2fs_ioc_commit_atomic_write

In above cases racing in between atomic_write and GC, previous
data in atomic_file may be overwrited to cow_file, result in
data corruption.

This patch introduces PAGE_PRIVATE_ATOMIC_WRITE bit flag in page.private,
and use it to indicate that there is last dirty data in atomic file,
and the data should be writebacked into cow_file, if the flag is not
tagged in page, we should never write data across files.

Fixes: 3db1de0e ("f2fs: change the current atomic write way")
Cc: Daeho Jeong <daehojeong@google.com>

Bug: 372260490
Change-Id: I7e6c2a790b7f57c41d3a955cd9ba519d4dba12f9
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 1a0bd289)
(cherry picked from commit 60f02a0b)