| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The gpio interrupt status bit is getting set after the
irq is disabled and causing an immediate interrupt after
enablling the irq, so clear status bit on irq_unmask.
Change-Id: I89245b90b06b37671369e59c15fb24a991cc114a
Signed-off-by: Tengfei Fan <tengfeif@codeaurora.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Commit 09854ba94c6a ("mm: do_wp_page() simplification") reorganized all
the code around the page re-use vs copy, but in the process also moved
the final unlock_page() around to after the wp_page_reuse() call.
That normally doesn't matter - but it means that the unlock_page() is
now done after releasing the page table lock. Again, not a big deal,
you'd think.
But it turns out that it's very wrong indeed, because once we've
released the page table lock, we've basically lost our only reference to
the page - the page tables - and it could now be free'd at any time. We
do hold the mmap_sem, so no actual unmap() can happen, but madvise can
come in and a MADV_DONTNEED will zap the page range - and free the page.
So now the page may be free'd just as we're unlocking it, which in turn
will usually trigger a "Bad page state" error in the freeing path. To
make matters more confusing, by the time the debug code prints out the
page state, the unlock has typically completed and everything looks fine
again.
This all doesn't happen in any normal situations, but it does trigger
with the dirtyc0w_child LTP test. And it seems to trigger much more
easily (but not expclusively) on s390 than elsewhere, probably because
s390 doesn't do the "batch pages up for freeing after the TLB flush"
that gives the unlock_page() more time to complete and makes the race
harder to hit.
Fixes: 09854ba94c6a ("mm: do_wp_page() simplification")
Link: https://lore.kernel.org/lkml/a46e9bbef2ed4e17778f5615e818526ef848d791.camel@redhat.com/
Link: https://lore.kernel.org/linux-mm/c41149a8-211e-390b-af1d-d5eee690fecb@linux.alibaba.com/
Reported-by: Qian Cai <cai@redhat.com>
Reported-by: Alex Shi <alex.shi@linux.alibaba.com>
Bisected-and-analyzed-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Tested-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: Idae0eb8d7478ab61de567ca9e446df4cc4dfc2a0
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Remove the function as the last reference has gone away with the do_wp_page()
changes.
Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: Ie4da88791abe9407157566854b2db9b94c0c962f
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
How about we just make sure we're the only possible valid user fo the
page before we bother to reuse it?
Simplify, simplify, simplify.
And get rid of the nasty serialization on the page lock at the same time.
[peterx: add subject prefix]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: I25c2cf9a3afebc19aaeda29ffbfcb82edb7fcb7c
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add an optimization for KSM pages almost in the same way that we have
for ordinary anonymous pages. If there is a write fault in a page,
which is mapped to an only pte, and it is not related to swap cache; the
page may be reused without copying its content.
[ Note that we do not consider PageSwapCache() pages at least for now,
since we don't want to complicate __get_ksm_page(), which has nice
optimization based on this (for the migration case). Currenly it is
spinning on PageSwapCache() pages, waiting for when they have
unfreezed counters (i.e., for the migration finish). But we don't want
to make it also spinning on swap cache pages, which we try to reuse,
since there is not a very high probability to reuse them. So, for now
we do not consider PageSwapCache() pages at all. ]
So in reuse_ksm_page() we check for 1) PageSwapCache() and 2)
page_stable_node(), to skip a page, which KSM is currently trying to
link to stable tree. Then we do page_ref_freeze() to prohibit KSM to
merge one more page into the page, we are reusing. After that, nobody
can refer to the reusing page: KSM skips !PageSwapCache() pages with
zero refcount; and the protection against of all other participants is
the same as for reused ordinary anon pages pte lock, page lock and
mmap_sem.
[akpm@linux-foundation.org: replace BUG_ON()s with WARN_ON()s]
Link: http://lkml.kernel.org/r/154471491016.31352.1168978849911555609.stgit@localhost.localdomain
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Reviewed-by: Yang Shi <yang.shi@linux.alibaba.com>
Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: Hugh Dickins <hughd@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Christian Koenig <christian.koenig@amd.com>
Cc: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Huang Ying <ying.huang@intel.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: If32387b1f7c36f0e12fcbb0926bf1b67886ec594
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
fair
When rt_mutex_setprio changes a task's scheduling class to RT,
we're seeing cases where the task's vruntime is not updated
correctly upon return to the fair class.
Specifically, the following is being observed:
- task is deactivated while still in the fair class
- task is boosted to RT via rt_mutex_setprio, which changes
the task to RT and calls check_class_changed.
- check_class_changed leads to detach_task_cfs_rq, at which point
the vruntime_normalized check sees that the task's state is TASK_WAKING,
which results in skipping the subtraction of the rq's min_vruntime
from the task's vruntime
- later, when the prio is deboosted and the task is moved back
to the fair class, the fair rq's min_vruntime is added to
the task's vruntime, even though it wasn't subtracted earlier.
The immediate result is inflation of the task's vruntime, giving
it lower priority (starving it if there's enough available work).
The longer-term effect is inflation of all vruntimes because the
task's vruntime becomes the rq's min_vruntime when the higher
priority tasks go idle. That leads to a vicious cycle, where
the vruntime inflation repeatedly doubled.
The change here is to detect when vruntime_normalized is being
called when the task is waking but is waking in another class,
and to conclude that this is a case where vruntime has not
been normalized.
Bug: 80502612
Change-Id: If0bb02eb16939ca5e91ef282b7f9119ff68622c4
Signed-off-by: John Dias <joaodias@google.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
env_start|end in mm_struct
mmap_sem is on the hot path of kernel, and it very contended, but it is
abused too. It is used to protect arg_start|end and evn_start|end when
reading /proc/$PID/cmdline and /proc/$PID/environ, but it doesn't make
sense since those proc files just expect to read 4 values atomically and
not related to VM, they could be set to arbitrary values by C/R.
And, the mmap_sem contention may cause unexpected issue like below:
INFO: task ps:14018 blocked for more than 120 seconds.
Tainted: G E 4.9.79-009.ali3000.alios7.x86_64 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this
message.
ps D 0 14018 1 0x00000004
Call Trace:
schedule+0x36/0x80
rwsem_down_read_failed+0xf0/0x150
call_rwsem_down_read_failed+0x18/0x30
down_read+0x20/0x40
proc_pid_cmdline_read+0xd9/0x4e0
__vfs_read+0x37/0x150
vfs_read+0x96/0x130
SyS_read+0x55/0xc0
entry_SYSCALL_64_fastpath+0x1a/0xc5
Both Alexey Dobriyan and Michal Hocko suggested to use dedicated lock
for them to mitigate the abuse of mmap_sem.
So, introduce a new spinlock in mm_struct to protect the concurrent
access to arg_start|end, env_start|end and others, as well as replace
write map_sem to read to protect the race condition between prctl and
sys_brk which might break check_data_rlimit(), and makes prctl more
friendly to other VM operations.
This patch just eliminates the abuse of mmap_sem, but it can't resolve
the above hung task warning completely since the later
access_remote_vm() call needs acquire mmap_sem. The mmap_sem
scalability issue will be solved in the future.
Change-Id: Ifa8f001ee2fc4f0ce60c18e771cebcf8a1f0943e
[yang.shi@linux.alibaba.com: add comment about mmap_sem and arg_lock]
Link: http://lkml.kernel.org/r/1524077799-80690-1-git-send-email-yang.shi@linux.alibaba.com
Link: http://lkml.kernel.org/r/1523730291-109696-1-git-send-email-yang.shi@linux.alibaba.com
Signed-off-by: Yang Shi <yang.shi@linux.alibaba.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Mateusz Guzik <mguzik@redhat.com>
Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Git-commit: 88aa7cc688d48ddd84558b41d5905a0db9535c4b
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Srinivas Ramana <sramana@codeaurora.org>
|
| | | |
| | |
| | |
| | | |
Change-Id: I930b89ba4d4312bd830e396ec6f6b62a0516f725
|
| | | |
| | |
| | |
| | | |
Change-Id: Ifaa68915b52a0d6b54a5f80576ae65ba527a6c16
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add a helper node that can be used to notify user space through sysfs
node when fb device has not had any activity for a specified amount of
time (through idle_time node).
Bug: 62110101
Change-Id: I4dfa4b1a376149aa55a940dad7ac336ec99f1af8
Signed-off-by: Adrian Salido <salidoa@google.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When tasks move across cpusets, the current affinity settings
are lost. Cache the task affinity and restore it during cpuset
migration. The restoring happens only when the cached affinity
is subset of the current cpuset settings.
Change-Id: I6c2ec1d5e3d994e176926d94b9e0cc92418020cc
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
An IRQ affinity is broken during hotplug/isolation when there
are no online and un-isolated CPUs in the current affinity mask.
An online and un-isolated CPU from the irq_default_affinity mask
(i.e /proc/irq/default_smp_affinity) is used as the current
affinity. However Individual IRQs can have their affinity hint
set via irq_set_affinity_hint() API. When such hint is available,
use it instead of the irq_default_affinity which is a system level
setting.
Change-Id: I53a537582ec4e1aed0c59b49f4fd5b6ca7c0c332
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
PM_QOS_REQ_AFFINE_IRQ request is supposed to apply the QoS vote
for the CPU(s) on which the attached interrupt arrives. Currently
the QoS vote is applied to all the CPUs present in the IRQ
affinity mask i.e desc->irq_data.common->affinity. However some
chips configure only a single CPU from this affinity mask to
receive the IRQ. This information is present in effective
affinity mask of an IRQ. Start using it so that a QoS vote is
not applied to other CPUs on which the IRQ never comes but
present in the affinity mask.
Change-Id: If26aa23bebe4a7d07ffedb5ff833ccdb4f4fb6ea
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
There is currently no way to evaluate the effective affinity mask of a
given interrupt. Many irq chips allow only a single target CPU or a subset
of CPUs in the affinity mask.
Updating the mask at the time of setting the affinity to the subset would
be counterproductive because information for cpu hotplug about assigned
interrupt affinities gets lost. On CPU hotplug it's also pointless to force
migrate an interrupt, which is not targeted at the CPU effectively. But
currently the information is not available.
Provide a seperate mask to be updated by the irq_chip->irq_set_affinity()
implementations. Implement the read only proc files so the user can see the
effective mask as well w/o trying to deduce it from /proc/interrupts.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Keith Busch <keith.busch@intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Christoph Hellwig <hch@lst.de>
Link: http://lkml.kernel.org/r/20170619235446.247834245@linutronix.de
Change-Id: Ibeec0031edb532d52cb411286f785aec160d6139
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Commit:
6e998916dfe3 ("sched/cputime: Fix clock_nanosleep()/clock_gettime() inconsistency")
fixed a problem whereby clock_nanosleep() followed by clock_gettime() could
allow a task to wake early. It addressed the problem by calling the scheduling
classes update_curr() when the cputimer starts.
Said change induced a considerable performance regression on the syscalls
times() and clock_gettimes(CLOCK_PROCESS_CPUTIME_ID). There are some
debuggers and applications that monitor their own performance that
accidentally depend on the performance of these specific calls.
This patch mitigates the performace loss by prefetching data in the CPU
cache, as stalls due to cache misses appear to be where most time is spent
in our benchmarks.
Here are the performance gain of this patch over v4.7-rc7 on a Sandy Bridge
box with 32 logical cores and 2 NUMA nodes. The test is repeated with a
variable number of threads, from 2 to 4*num_cpus; the results are in
seconds and correspond to the average of 10 runs; the percentage gain is
computed with (before-after)/before so a positive value is an improvement
(it's faster). The improvement varies between a few percents for 5-20
threads and more than 10% for 2 or >20 threads.
pound_clock_gettime:
threads 4.7-rc7 patched 4.7-rc7
[num] [secs] [secs (percent)]
2 3.48 3.06 ( 11.83%)
5 3.33 3.25 ( 2.40%)
8 3.37 3.26 ( 3.30%)
12 3.32 3.37 ( -1.60%)
21 4.01 3.90 ( 2.74%)
30 3.63 3.36 ( 7.41%)
48 3.71 3.11 ( 16.27%)
79 3.75 3.16 ( 15.74%)
110 3.81 3.25 ( 14.80%)
128 3.88 3.31 ( 14.76%)
pound_times:
threads 4.7-rc7 patched 4.7-rc7
[num] [secs] [secs (percent)]
2 3.65 3.25 ( 11.03%)
5 3.45 3.17 ( 7.92%)
8 3.52 3.22 ( 8.69%)
12 3.29 3.36 ( -2.04%)
21 4.07 3.92 ( 3.78%)
30 3.87 3.40 ( 12.17%)
48 3.79 3.16 ( 16.61%)
79 3.88 3.28 ( 15.42%)
110 3.90 3.38 ( 13.35%)
128 4.00 3.38 ( 15.45%)
pound_clock_gettime and pound_clock_gettime are two benchmarks included in
the MMTests framework. They launch a given number of threads which
repeatedly call times() or clock_gettimes(). The results above can be
reproduced with cloning MMTests from github.com and running the "poundtime"
workload:
$ git clone https://github.com/gormanm/mmtests.git
$ cd mmtests
$ cp configs/config-global-dhp__workload_poundtime config
$ ./run-mmtests.sh --run-monitor $(uname -r)
The above will run "poundtime" measuring the kernel currently running on
the machine; Once a new kernel is installed and the machine rebooted,
running again
$ cd mmtests
$ ./run-mmtests.sh --run-monitor $(uname -r)
will produce results to compare with. A comparison table will be output
with:
$ cd mmtests/work/log
$ ../../compare-kernels.sh
the table will contain a lot of entries; grepping for "Amean" (as in
"arithmetic mean") will give the tables presented above. The source code
for the two benchmarks is reported at the end of this changelog for
clairity.
The cache misses addressed by this patch were found using a combination of
`perf top`, `perf record` and `perf annotate`. The incriminated lines were
found to be
struct sched_entity *curr = cfs_rq->curr;
and
delta_exec = now - curr->exec_start;
in the function update_curr() from kernel/sched/fair.c. This patch
prefetches the data from memory just before update_curr is called in the
interested execution path.
A comparison of the total number of cycles before and after the patch
follows; the data is obtained using `perf stat -r 10 -ddd <program>`
running over the same sequence of number of threads used above (a positive
gain is an improvement):
threads cycles before cycles after gain
2 19,699,563,964 +-1.19% 17,358,917,517 +-1.85% 11.88%
5 47,401,089,566 +-2.96% 45,103,730,829 +-0.97% 4.85%
8 80,923,501,004 +-3.01% 71,419,385,977 +-0.77% 11.74%
12 112,326,485,473 +-0.47% 110,371,524,403 +-0.47% 1.74%
21 193,455,574,299 +-0.72% 180,120,667,904 +-0.36% 6.89%
30 315,073,519,013 +-1.64% 271,222,225,950 +-1.29% 13.92%
48 321,969,515,332 +-1.48% 273,353,977,321 +-1.16% 15.10%
79 337,866,003,422 +-0.97% 289,462,481,538 +-1.05% 14.33%
110 338,712,691,920 +-0.78% 290,574,233,170 +-0.77% 14.21%
128 348,384,794,006 +-0.50% 292,691,648,206 +-0.66% 15.99%
A comparison of cache miss vs total cache loads ratios, before and after
the patch (again from the `perf stat -r 10 -ddd <program>` tables):
threads L1 misses/total*100 L1 misses/total*100 gain
before after
2 7.43 +-4.90% 7.36 +-4.70% 0.94%
5 13.09 +-4.74% 13.52 +-3.73% -3.28%
8 13.79 +-5.61% 12.90 +-3.27% 6.45%
12 11.57 +-2.44% 8.71 +-1.40% 24.72%
21 12.39 +-3.92% 9.97 +-1.84% 19.53%
30 13.91 +-2.53% 11.73 +-2.28% 15.67%
48 13.71 +-1.59% 12.32 +-1.97% 10.14%
79 14.44 +-0.66% 13.40 +-1.06% 7.20%
110 15.86 +-0.50% 14.46 +-0.59% 8.83%
128 16.51 +-0.32% 15.06 +-0.78% 8.78%
As a final note, the following shows the evolution of performance figures
in the "poundtime" benchmark and pinpoints commit 6e998916dfe3
("sched/cputime: Fix clock_nanosleep()/clock_gettime() inconsistency") as a
major source of degradation, mostly unaddressed to this day (figures
expressed in seconds).
pound_clock_gettime:
threads parent of 6e998916dfe3 4.7-rc7
6e998916dfe3 itself
2 2.23 3.68 ( -64.56%) 3.48 (-55.48%)
5 2.83 3.78 ( -33.42%) 3.33 (-17.43%)
8 2.84 4.31 ( -52.12%) 3.37 (-18.76%)
12 3.09 3.61 ( -16.74%) 3.32 ( -7.17%)
21 3.14 4.63 ( -47.36%) 4.01 (-27.71%)
30 3.28 5.75 ( -75.37%) 3.63 (-10.80%)
48 3.02 6.05 (-100.56%) 3.71 (-22.99%)
79 2.88 6.30 (-118.90%) 3.75 (-30.26%)
110 2.95 6.46 (-119.00%) 3.81 (-29.24%)
128 3.05 6.42 (-110.08%) 3.88 (-27.04%)
pound_times:
threads parent of 6e998916dfe3 4.7-rc7
6e998916dfe3 itself
2 2.27 3.73 ( -64.71%) 3.65 (-61.14%)
5 2.78 3.77 ( -35.56%) 3.45 (-23.98%)
8 2.79 4.41 ( -57.71%) 3.52 (-26.05%)
12 3.02 3.56 ( -17.94%) 3.29 ( -9.08%)
21 3.10 4.61 ( -48.74%) 4.07 (-31.34%)
30 3.33 5.75 ( -72.53%) 3.87 (-16.01%)
48 2.96 6.06 (-105.04%) 3.79 (-28.10%)
79 2.88 6.24 (-116.83%) 3.88 (-34.81%)
110 2.98 6.37 (-114.08%) 3.90 (-31.12%)
128 3.10 6.35 (-104.61%) 4.00 (-28.87%)
The source code of the two benchmarks follows. To compile the two:
NR_THREADS=42
for FILE in pound_times pound_clock_gettime; do
gcc -lrt -O2 -lpthread -DNUM_THREADS=$NR_THREADS $FILE.c -o $FILE
done
==== BEGIN pound_times.c ====
struct tms start;
void *pound (void *threadid)
{
struct tms end;
int oldutime = 0;
int utime;
int i;
for (i = 0; i < 5000000 / NUM_THREADS; i++) {
times(&end);
utime = ((int)end.tms_utime - (int)start.tms_utime);
if (oldutime > utime) {
printf("utime decreased, was %d, now %d!\n", oldutime, utime);
}
oldutime = utime;
}
pthread_exit(NULL);
}
int main()
{
pthread_t th[NUM_THREADS];
long i;
times(&start);
for (i = 0; i < NUM_THREADS; i++) {
pthread_create (&th[i], NULL, pound, (void *)i);
}
pthread_exit(NULL);
return 0;
}
==== END pound_times.c ====
==== BEGIN pound_clock_gettime.c ====
void *pound (void *threadid)
{
struct timespec ts;
int rc, i;
unsigned long prev = 0, this = 0;
for (i = 0; i < 5000000 / NUM_THREADS; i++) {
rc = clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &ts);
if (rc < 0)
perror("clock_gettime");
this = (ts.tv_sec * 1000000000) + ts.tv_nsec;
if (0 && this < prev)
printf("%lu ns timewarp at iteration %d\n", prev - this, i);
prev = this;
}
pthread_exit(NULL);
}
int main()
{
pthread_t th[NUM_THREADS];
long rc, i;
pid_t pgid;
for (i = 0; i < NUM_THREADS; i++) {
rc = pthread_create(&th[i], NULL, pound, (void *)i);
if (rc < 0)
perror("pthread_create");
}
pthread_exit(NULL);
return 0;
}
==== END pound_clock_gettime.c ====
Suggested-by: Mike Galbraith <mgalbraith@suse.de>
Change-Id: Iad82d9f31c92e50e1e3b1339892512526ceb0acf
Signed-off-by: Giovanni Gherdovich <ggherdovich@suse.cz>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1470385316-15027-2-git-send-email-ggherdovich@suse.cz
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Tight loops of spin_lock_irqsave() and spin_unlock_irqrestore()
in timer and hrtimer are causing scheduling delays. Add delay of
few nano seconds after cpu_relax in the timer/hrtimer tight loops.
Change-Id: Iaa0ab92da93f7b245b1d922b6edca2bebdc0fbce
Signed-off-by: Prasad Sodagudi <psodagud@codeaurora.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Default handle_irq for tlmm irq chip is handle_edge_irq. For direct
connect GPIOs, the handle_irq is not changed unlike non-direct connect
GPIOs. This causes an interrupt storm for level trigger types as
handle_edge_irq does not mask the interrupt within the function. Change
this to handle_fasteoi_irq such that both level and edge interrupts are
handled correctly.
Change-Id: I79f0d4d92145f85a8043875301400ecf36b46c7b
Signed-off-by: Archana Sathyakumar <asathyak@codeaurora.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Mutex acquisition deadlock can happen while cancelling cc_dettach
work during pd_hard_reset from the function usbin_plugin_hard_reset
_locked on vbus rise which is called in the same lock context that
we try to acquire in the cc_dettach work routine.
Check if cc_dettach work is running during pd_hard_reset and use
trylock instead of mutex_lock to prevent any deadlock if mutext is
already held.
Change-Id: I5530deb9e654d3d12ba1b4bc6876f36127a0d5a5
Signed-off-by: Umang Agrawal <uagrawal@codeaurora.org>
|
| | | |
| | |
| | |
| | | |
Change-Id: Id08c169f0c507390eab070d1ae77bfb992b50b81
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Current logic copies user buf size of data
from the avail dsp buf at a given offset.
If this offset returned from DSP in READ_DONE event
goes out of bounds or is corrupted, then it can lead to
out of bounds DSP buffer access, resulting in memory fault.
Fix is to add check for this buf offset, if it is within
the buf size range.
Change-Id: I7753cc6db394704dbb959477150141d42b836bef
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Currently in wma_extscan_hotlist_match_event_handler
API, dest_hotlist get memory allocation based on numap
which takes value from event->total_entries.
But numap is limited to WMA_EXTSCAN_MAX_HOTLIST_ENTRIES
and event->total_entries more than WMA_EXTSCAN_MAX_HOTLIST_ENTRIES
can cause out of bound issue.
Fix is to populate dest_hotlist->numOfAps from numap
instead of event->total_entries to avoid any out of bound issue.
Change-Id: I756f7e4a4dcd454508bba83d4a8bbbb139530905
CRs-Fixed: 3346781
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
* I don't know why this was disabled, but without this config Android 13 hangs on
the splash screen for ages, so let's re-enable it
Change-Id: I13db9b561e13897bc807d8ca3b3ae6a5a5d4a689
|
| |\| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
into lineage-20
1a4b80f8f201 ANDROID: arch:arm64: Increase kernel command line size
7c253f7aa663 of: reserved_mem: increase max number reserved regions
df4dbf557503 msm: camera: Fix indentations
2fc4a156d15d msm: camera: Fix code flow when populating CAM_V_CUSTOM1
687bcb61f125 ALSA: control: use counting semaphore as write lock for ELEM_WRITE operation
75cf9e8c1b1c ALSA: control: Fix memory corruption risk in snd_ctl_elem_read
76cf3b5e53df ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE operations
e9af212f9685 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
95fc4fff573f msm: kgsl: Make sure that pool pages don't have any extra references
59ceabe0d242 msm: kgsl: Use dma_buf_get() to get dma_buf structure
d1f19956d6b9 ANDROID: usb: f_accessory: Check buffer size when initialised via composite
2d3ce4f7a366 kbuild: handle libs-y archives separately from built-in.o archives
65dc3fbd1593 kbuild: thin archives use P option to ar
362c7b73bac8 kbuild: thin archives for multi-y targets
43076241b514 kbuild: thin archives final link close --whole-archives option
aa04fc78256d kbuild: minor improvement for thin archives build
f5896747cda6 Merge tag 'LA.UM.7.2.c25-07700-sdm660.0' of https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0 into android13-4.4-msm8998
321ac077ee7e qcacld-3.0: Fix out-of-bounds in tx_stats
42be8e4cbf13 BACKPORT: usb: gadget: rndis: prevent integer overflow in rndis_set_response()
b490a85b5945 FROMGIT: arm64: fix oops in concurrently setting insn_emulation sysctls
7ed7084b34a9 FROMLIST: binder: fix UAF of ref->proc caused by race condition
e31f087fb864 ANDROID: selinux: modify RTM_GETNEIGH{TBL}
80675d431434 UPSTREAM: usb: gadget: clear related members when goto fail
fb6adfb00108 UPSTREAM: usb: gadget: don't release an existing dev->buf
e4a8dd12424e UPSTREAM: USB: gadget: validate interface OS descriptor requests
8f0a947317e0 UPSTREAM: usb: gadget: rndis: check size of RNDIS_MSG_SET command
1541758765ff ion: Do not 'put' ION handle until after its final use
03b4b3cd8d30 Merge tag 'LA.UM.7.2.c25-07000-sdm660.0' of https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0 into android13-4.4-msm8998
7dbda95466d5 Merge tag 'LA.UM.8.4.c25-06600-8x98.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.4 into android13-4.4-msm8998
369119e5df4e cert host tools: Stop complaining about deprecated OpenSSL functions
f8e30a0f9a17 fixup! BACKPORT: treewide: Fix function prototypes for module_param_call()
4fa5045f3dc9 arm64/efi: Mark __efistub_stext_offset as an absolute symbol explicitly
bcd9668da77f arm64: kernel: do not need to reset UAO on exception entry
c4ddd677f7e3 Kbuild: do not emit debug info for assembly with LLVM_IAS=1
1b880b6e19f8 qcacld-3.0: Add time slice duty cycle in wifi_interface_info
fd24be2b22a1 qcacmn: Add time slice duty cycle attribute into QCA vendor command
d719c1c825f8 qcacld-3.0: Use field-by-field assignment for FW stats
fb5eb3bda2d9 ext4: enable quota enforcement based on mount options
cd40d7f301de ext4: adds project ID support
360e2f3d18b8 ext4: add project quota support
c31ac2be1594 drivers: qcacld-3.0: Remove in_compat_syscall() redefinition
6735c13a269d arm64: link with -z norelro regardless of CONFIG_RELOCATABLE
99962aab3433 arm64: relocatable: fix inconsistencies in linker script and options
24bd8cc5e6bb arm64: prevent regressions in compressed kernel image size when upgrading to binutils 2.27
93bb4c2392a2 arm64: kernel: force ET_DYN ELF type for CONFIG_RELOCATABLE=y
a54bbb725ccb arm64: build with baremetal linker target instead of Linux when available
c5805c604a9b arm64: add endianness option to LDFLAGS instead of LD
ab6052788f60 arm64: Set UTS_MACHINE in the Makefile
c3330429b2c6 kbuild: clear LDFLAGS in the top Makefile
f33c1532bd61 kbuild: use HOSTLDFLAGS for single .c executables
38b7db363a96 BACKPORT: arm64: Change .weak to SYM_FUNC_START_WEAK_PI for arch/arm64/lib/mem*.S
716cb63e81d9 BACKPORT: crypto: arm64/aes-ce-cipher - move assembler code to .S file
7dfbaee16432 BACKPORT: arm64: Remove reference to asm/opcodes.h
531ee8624d17 BACKPORT: arm64: kprobe: protect/rename few definitions to be reused by uprobe
08d83c997b0c BACKPORT: arm64: Delete the space separator in __emit_inst
e3951152dc2d BACKPORT: arm64: Get rid of asm/opcodes.h
255820c0f301 BACKPORT: arm64: Fix minor issues with the dcache_by_line_op macro
21bb344a664b BACKPORT: crypto: arm64/aes-modes - get rid of literal load of addend vector
26d5a53c6e0d BACKPORT: arm64: vdso: remove commas between macro name and arguments
78bff1f77c9d BACKPORT: kbuild: support LLVM=1 to switch the default tools to Clang/LLVM
6634f9f63efe BACKPORT: kbuild: replace AS=clang with LLVM_IAS=1
b891e8fdc466 BACKPORT: Documentation/llvm: fix the name of llvm-size
75d6fa8368a8 BACKPORT: Documentation/llvm: add documentation on building w/ Clang/LLVM
95b0a5e52f2a BACKPORT: ANDROID: ftrace: fix function type mismatches
7da9c2138ec8 BACKPORT: ANDROID: fs: logfs: fix filler function type
d6d5a4b28ad0 BACKPORT: ANDROID: fs: gfs2: fix filler function type
9b194a470db5 BACKPORT: ANDROID: fs: exofs: fix filler function type
7a45ac4bfb49 BACKPORT: ANDROID: fs: afs: fix filler function type
4099e1b281e5 BACKPORT: drivers/perf: arm_pmu: fix function type mismatch
af7b738882f7 BACKPORT: dummycon: fix function types
1b0b55a36dbe BACKPORT: fs: nfs: fix filler function type
a58a0e30e20a BACKPORT: mm: fix filler function type mismatch
829e9226a8c0 BACKPORT: mm: fix drain_local_pages function type
865ef61b4da8 BACKPORT: vfs: pass type instead of fn to do_{loop,iter}_readv_writev()
08d2f8e7ba8e BACKPORT: module: Do not paper over type mismatches in module_param_call()
ea467f6c33e4 BACKPORT: treewide: Fix function prototypes for module_param_call()
d131459e6b8b BACKPORT: module: Prepare to convert all module_param_call() prototypes
6f52abadf006 BACKPORT: kbuild: fix --gc-sections
bf7540ffce44 BACKPORT: kbuild: record needed exported symbols for modules
c49d2545e437 BACKPORT: kbuild: Allow to specify composite modules with modname-m
427d0fc67dc1 BACKPORT: kbuild: add arch specific post-link Makefile
69f8a31838a3 BACKPORT: arm64: add a workaround for GNU gold with ARM64_MODULE_PLTS
ba3368756abf BACKPORT: arm64: explicitly pass --no-fix-cortex-a53-843419 to GNU gold
6dacd7e737fb BACKPORT: arm64: errata: Pass --fix-cortex-a53-843419 to ld if workaround enabled
d2787c21f2b5 BACKPORT: kbuild: add __ld-ifversion and linker-specific macros
2d471de60bb4 BACKPORT: kbuild: add ld-name macro
06280a90d845 BACKPORT: arm64: keep .altinstructions and .altinstr_replacement
eb0ad3ae07f9 BACKPORT: kbuild: add __cc-ifversion and compiler-specific variants
3d01e1eba86b BACKPORT: FROMLIST: kbuild: add clang-version.sh
18dd378ab563 BACKPORT: FROMLIST: kbuild: fix LD_DEAD_CODE_DATA_ELIMINATION
aabbc122b1de BACKPORT: kbuild: thin archives make default for all archs
756d47e345fc BACKPORT: kbuild: allow archs to select link dead code/data elimination
723ab99e48a7 BACKPORT: kbuild: allow architectures to use thin archives instead of ld -r
0b77ec583772 drivers/usb/serial/console.c: remove superfluous serial->port condition
6488cb478f04 drivers/firmware/efi/libstub.c: prevent a relocation
dba4259216a0 UPSTREAM: pidfd: fix a poll race when setting exit_state
baab6e33b07b BACKPORT: arch: wire-up pidfd_open()
5d2e9e4f8630 BACKPORT: pid: add pidfd_open()
f8396a127daf UPSTREAM: pidfd: add polling support
f4c358582254 UPSTREAM: signal: improve comments
5500316dc8d8 UPSTREAM: fork: do not release lock that wasn't taken
fc7d707593e3 BACKPORT: signal: support CLONE_PIDFD with pidfd_send_signal
f044fa00d72a BACKPORT: clone: add CLONE_PIDFD
f20fc1c548f2 UPSTREAM: Make anon_inodes unconditional
de80525cd462 UPSTREAM: signal: use fdget() since we don't allow O_PATH
229e1bdd624e UPSTREAM: signal: don't silently convert SI_USER signals to non-current pidfd
ada02e996b52 BACKPORT: signal: add pidfd_send_signal() syscall
828857678c5c compat: add in_compat_syscall to ask whether we're in a compat syscall
e7aede4896c0 bpf: Add new cgroup attach type to enable sock modifications
9ed75228b09c ebpf: allow bpf_get_current_uid_gid_proto also for networking
c5aa3963b4ae bpf: fix overflow in prog accounting
c46a001439fc bpf: Make sure mac_header was set before using it
8aed99185615 bpf: Enlarge offset check value to INT_MAX in bpf_skb_{load,store}_bytes
b0a638335ba6 bpf: avoid false sharing of map refcount with max_entries
1f21605e373c net: remove hlist_nulls_add_tail_rcu()
9ce369b09dbb udp: get rid of SLAB_DESTROY_BY_RCU allocations
070f539fb5d7 udp: no longer use SLAB_DESTROY_BY_RCU
a32d2ea857c5 inet: refactor inet[6]_lookup functions to take skb
fcf3e7bc7203 soreuseport: fix initialization race
df03c8cf024a soreuseport: Fix TCP listener hash collision
bd8b9f50c9d3 inet: Fix missing return value in inet6_hash
bae331196dd0 soreuseport: fast reuseport TCP socket selection
4ada2ed73da0 inet: create IPv6-equivalent inet_hash function
73f609838475 sock: struct proto hash function may error
e3b32750621b cgroup: Fix sock_cgroup_data on big-endian.
69dabcedd4b9 selinux: always allow mounting submounts
17d6ddebcc49 userns: Don't fail follow_automount based on s_user_ns
cbd08255e6f8 fs: Better permission checking for submounts
3a9ace719251 mnt: Move the FS_USERNS_MOUNT check into sget_userns
af53549b43c5 locks: sprinkle some tracepoints around the file locking code
07dbbc84aa34 locks: rename __posix_lock_file to posix_lock_inode
400cbe93d180 autofs: Fix automounts by using current_real_cred()->uid
7903280ee07a fs: Call d_automount with the filesystems creds
b87fb50ff1cd UPSTREAM: kernfs: Check KERNFS_HAS_RELEASE before calling kernfs_release_file()
c9c596de3e52 UPSTREAM: kernfs: fix locking around kernfs_ops->release() callback
2172eaf5a901 UPSTREAM: cgroup, bpf: remove unnecessary #include
dc81f3963dde kernfs: kernfs_sop_show_path: don't return 0 after seq_dentry call
ce9a52e20897 cgroup: Make rebind_subsystems() disable v2 controllers all at once
ce5e3aa14c39 cgroup: fix sock_cgroup_data initialization on earlier compilers
94a70ef24da9 samples/bpf: fix bpf_perf_event_output prototype
c1920272278e net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list
d7707635776b sk_buff: allow segmenting based on frag sizes
924bbacea75e ip_tunnel, bpf: ip_tunnel_info_opts_{get, set} depends on CONFIG_INET
0e9008d618f4 bpf: udp: ipv6: Avoid running reuseport's bpf_prog from __udp6_lib_err
01b437940f5e soreuseport: add compat case for setsockopt SO_ATTACH_REUSEPORT_CBPF
421fbf04bf2c soreuseport: change consume_skb to kfree_skb in error case
1ab50514c430 ipv6: Fix SO_REUSEPORT UDP socket with implicit sk_ipv6only
f3dfd61c502d soreuseport: fix ordering for mixed v4/v6 sockets
245ee3c90795 soreuseport: fix NULL ptr dereference SO_REUSEPORT after bind
113fb209854a bpf: do not blindly change rlimit in reuseport net selftest
985253ef27d2 bpf: fix rlimit in reuseport net selftest
ae61334510be soreuseport: Fix reuseport_bpf testcase on 32bit architectures
6efa24da01a5 udp: fix potential infinite loop in SO_REUSEPORT logic
66df70c6605d soreuseport: BPF selection functional test for TCP
fe161031b8a8 soreuseport: pass skb to secondary UDP socket lookup
9223919efdf2 soreuseport: BPF selection functional test
2090ed790dbb soreuseport: fix mem leak in reuseport_add_sock()
67887f6ac3f1 Merge "diag: Ensure dci entry is valid before sending the packet"
e41c0da23b38 diag: Prevent out of bound write while sending dci pkt to remote
e1085d1ef39b diag: Ensure dci entry is valid before sending the packet
16802e80ecb5 Merge "ion: Fix integer overflow in msm_ion_custom_ioctl"
57146f83f388 ion: Fix integer overflow in msm_ion_custom_ioctl
6fc2001969fe diag: Use valid data_source for a valid token
0c6dbf858a98 qcacld-3.0: Avoid OOB read in dot11f_unpack_assoc_response
f07caca0c485 qcacld-3.0: Fix array OOB for duplicate rate
5a359aba0364 msm: kgsl: Remove 'fd' dependency to get dma_buf handle
da8317596949 msm: kgsl: Fix gpuaddr_in_range() to check upper bound
2ed91a98d8b4 msm: adsprpc: Handle UAF in fastrpc debugfs read
2967159ad303 msm: kgsl: Add a sysfs node to control performance counter reads
e392a84f25f5 msm: kgsl: Perform cache flush on the pages obtained using get_user_pages()
28b45f75d2ee soc: qcom: hab: Add sanity check for payload_count
885caec7690f Merge "futex: Fix inode life-time issue"
0f57701d2643 Merge "futex: Handle faults correctly for PI futexes"
7d7eb450c333 Merge "futex: Rework inconsistent rt_mutex/futex_q state"
124ebd87ef2f msm: kgsl: Fix out of bound write in adreno_profile_submit_time
228bbfb25032 futex: Fix inode life-time issue
7075ca6a22b3 futex: Handle faults correctly for PI futexes
a436b73e9032 futex: Simplify fixup_pi_state_owner()
11b99dbe3221 futex: Use pi_state_update_owner() in put_pi_state()
f34484030550 rtmutex: Remove unused argument from rt_mutex_proxy_unlock()
079d1c90b3c3 futex: Provide and use pi_state_update_owner()
3b51e24eb17b futex: Replace pointless printk in fixup_owner()
0eac5c2583a1 futex: Avoid violating the 10th rule of futex
6d6ed38b7d10 futex: Rework inconsistent rt_mutex/futex_q state
3c8f7dfd59b5 futex: Remove rt_mutex_deadlock_account_*()
9c870a329520 futex,rt_mutex: Provide futex specific rt_mutex API
7504736e8725 msm: adsprpc: Handle UAF in process shell memory
994e5922a0c2 Disable TRACER Check to improve Camera Performance
8fb3f17b3ad1 msm: kgsl: Deregister gpu address on memdesc_sg_virt failure
13aa628efdca Merge "crypto: Fix possible stack out-of-bound error"
92e777451003 Merge "msm: kgsl: Correct the refcount on current process PID."
9ca218394ed4 Merge "msm: kgsl: Compare pid pointer instead of TGID for a new process"
7eed1f2e0f43 Merge "qcom,max-freq-level change for trial"
6afb5eb98e36 crypto: Fix possible stack out-of-bound error
8b5ba278ed4b msm: kgsl: Correct the refcount on current process PID.
4150552fac96 msm: kgsl: Compare pid pointer instead of TGID for a new process
c272102c0793 qcom,max-freq-level change for trial
854ef3ce73f5 msm: kgsl: Protect the memdesc->gpuaddr in SVM use cases.
79c8161aeac9 msm: kgsl: Stop using memdesc->usermem.
Change-Id: Iea7db1362c3cd18e36f243411e773a9054f6a445
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Android passes a lot of arguments via kernel command line.
Current kernel command line is close to limit on a lot of devices.
Increase kernel command line size to avoid cases when arguments
are trimmed.
Bug: 120817253
Change-Id: I18fc3a066273718fce021d85ca31e3f755706a13
Signed-off-by: Syuan Yang <syuanyang@google.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Increase MAX_RESERVED_REGIONS to 32 to accommodate the
number of carveouts we need to support.
Change-Id: Ie1658731ea3c49afafc7771d16fd8979a13ff765
Signed-off-by: Liam Mark <lmark@codeaurora.org>
|
| | | |
| | |
| | |
| | | |
Change-Id: I1bf8d016b276f53d87d831acd24a65b471192960
|
| | | |
| | |
| | |
| | | |
Change-Id: I431e987a5267bb0f28561382a5a4ce337846d7f4
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
In ALSA control interface, applications can execute two types of request
for value of members on each element; ELEM_READ and ELEM_WRITE. In ALSA
control core, these two requests are handled within read lock of a
counting semaphore, therefore several processes can run to execute these
two requests at the same time. This has an issue because ELEM_WRITE
requests have an effect to change state of the target element. Concurrent
access should be controlled for each of ELEM_READ/ELEM_WRITE case.
This commit uses the counting semaphore as write lock for ELEM_WRITE
requests, while use it as read lock for ELEM_READ requests. The state of
a target element is maintained exclusively between ELEM_WRITE/ELEM_READ
operations.
There's a concern. If the counting semaphore is acquired for read lock
in implementations of 'struct snd_kcontrol.put()' in each driver, this
commit shall cause dead lock. As of v4.13-rc5, 'snd-mixer-oss.ko',
'snd-emu10k1.ko' and 'snd-soc-sst-atom-hifi2-platform.ko' includes codes
for read locks, but these are not in a call graph from
'struct snd_kcontrol.put(). Therefore, this commit is safe.
In current implementation, the same solution is applied for the other
operations to element; e.g. ELEM_LOCK and ELEM_UNLOCK. There's another
discussion about an overhead to maintain concurrent access to an element
during operating the other elements on the same card instance, because the
lock primitive is originally implemented to maintain a list of elements on
the card instance. There's a substantial difference between
per-element-list lock and per-element lock.
Here, let me investigate another idea to add per-element lock to maintain
the concurrent accesses with inquiry/change requests to an element. It's
not so frequent for applications to operate members on elements, while
adding a new lock primitive to structure increases memory footprint for
all of element sets somehow. Experimentally, inquiry operation is more
frequent than change operation and usage of counting semaphore for the
inquiry operation brings no blocking to the other inquiry operations. Thus
the overhead is not so critical for usual applications. For the above
reasons, in this commit, the per-element lock is not introduced.
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Alexander Grund <theflamefire89@gmail.com>
Signed-off-by: Ulrich Hecht <uli+cip@fpond.eu>
Change-Id: I2e14b47c0854ef14883a3e2c5628b3fa9f772a71
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
commit 5a23699a39abc5328921a81b89383d088f6ba9cc upstream.
The patch "ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE
operations" introduced a potential for kernel memory corruption due
to an incorrect if statement allowing non-readable controls to fall
through and call the get function. For TLV controls a driver can omit
SNDRV_CTL_ELEM_ACCESS_READ to ensure that only the TLV get function
can be called. Instead the normal get() can be invoked unexpectedly
and as the driver expects that this will only be called for controls
<= 512 bytes, potentially try to copy >512 bytes into the 512 byte
return array, so corrupting kernel memory.
The problem is an attempt to refactor the snd_ctl_elem_read function
to invert the logic so that it conditionally aborted if the control
is unreadable instead of conditionally executing. But the if statement
wasn't inverted correctly.
The correct inversion of
if (a && !b)
is
if (!a || b)
Fixes: becf9e5d553c2 ("ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE operations")
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Alexander Grund <theflamefire89@gmail.com>
[uli: touched up commit message]
Signed-off-by: Ulrich Hecht <uli+cip@fpond.eu>
Change-Id: I2ba4da0896711eda284cb3c0004229b472aa6720
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
commit becf9e5d553c2389d857a3c178ce80fdb34a02e1 upstream.
ALSA control core handles ELEM_READ/ELEM_WRITE requests within lock
acquisition of a counting semaphore. The lock is acquired in helper
functions in the end of call path before calling implementations of each
driver.
ioctl(2) with SNDRV_CTL_ELEM_READ
...
->snd_ctl_ioctl()
->snd_ctl_elem_read_user()
->snd_ctl_elem_read()
->down_read(controls_rwsem)
->snd_ctl_find_id()
->struct snd_kcontrol.get()
->up_read(controls_rwsem)
ioctl(2) with SNDRV_CTL_ELEM_WRITE
...
->snd_ctl_ioctl()
->snd_ctl_elem_write_user()
->snd_ctl_elem_write()
->down_read(controls_rwsem)
->snd_ctl_find_id()
->struct snd_kcontrol.put()
->up_read(controls_rwsem)
This commit moves the lock acquisition to middle of the call graph to
simplify the helper functions. As a result:
ioctl(2) with SNDRV_CTL_ELEM_READ
...
->snd_ctl_ioctl()
->snd_ctl_elem_read_user()
->down_read(controls_rwsem)
->snd_ctl_elem_read()
->snd_ctl_find_id()
->struct snd_kcontrol.get()
->up_read(controls_rwsem)
ioctl(2) with SNDRV_CTL_ELEM_WRITE
...
->snd_ctl_ioctl()
->snd_ctl_elem_write_user()
->down_read(controls_rwsem)
->snd_ctl_elem_write()
->snd_ctl_find_id()
->struct snd_kcontrol.put()
->up_read(controls_rwsem)
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Fixes: e8064dec769e6 "ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF"
Signed-off-by: Alexander Grund <theflamefire89@gmail.com>
[uli: added upstream commit id]
Signed-off-by: Ulrich Hecht <uli+cip@fpond.eu>
Change-Id: I72ea6a8b828938b56935fc4ce08021e5e91135a1
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[ Note: this is a fix that works around the bug equivalently as the
two upstream commits:
1fa4445f9adf ("ALSA: control - introduce snd_ctl_notify_one() helper")
56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF")
but in a simpler way to fit with older stable trees -- tiwai ]
Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be
easily triggered and turned into an use-after-free.
Example code paths with SNDRV_CTL_IOCTL_ELEM_READ:
64-bits:
snd_ctl_ioctl
snd_ctl_elem_read_user
[takes controls_rwsem]
snd_ctl_elem_read [lock properly held, all good]
[drops controls_rwsem]
32-bits (compat):
snd_ctl_ioctl_compat
snd_ctl_elem_write_read_compat
ctl_elem_write_read
snd_ctl_elem_read [missing lock, not good]
CVE-2023-0266 was assigned for this issue.
Bug: 265303544
Signed-off-by: Clement Lecigne <clecigne@google.com>
Cc: stable@vger.kernel.org # 5.12 and older
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I09e6834ccdacb1e35b4dfa20d94e82a0e4afac7e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Before putting a page back in the pool be sure that it doesn't have
any additional references that would be a signal that somebody else
is looking at the page and that it would be a bad idea to keep it
around and run the risk of accidentally handing it to a different
process.
Change-Id: Ic0dedbad0cf2ffb34b76ad23e393c5a911114b82
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Kamal Agrawal <quic_kamaagra@quicinc.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Currently we don't ensure if vma->vm_file is associated with dma_buf. This
can cause issues later when private_data from a non dma_buf file is used as
dma_buf structure. Hence get the fd that is associated with vma->vm_file
and use dma_buf_get() to get pointer to dma_buf structure. dma_buf_get()
ensures that the file from the input fd is associated with dma_buf.
Change-Id: Ib78aef8b16bedca5ca86d3a132278ff9f07dce73
Signed-off-by: Puranam V G Tejaswi <quic_pvgtejas@quicinc.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When communicating with accessory devices via USBFS, the initialisation
call-stack looks like:
ConfigFS > Gadget ConfigFS > UDC > Gadget ConfigFS > Composite
Eventually ending up in composite_dev_prepare() where memory for the
data buffer is allocated and initialised. The default size used for the
allocation is USB_COMP_EP0_BUFSIZ (4k). When handling bulk transfers,
acc_ctrlrequest() needs to be able to handle buffers up to
BULK_BUFFER_SIZE (16k). Instead of adding new generic attributes to
'struct usb_request' to track the size of the allocated buffer, we can
simply split off the affected thread of execution to travel via a
knowledgeable abstracted function acc_ctrlrequest_composite() where we
can complete the necessary specific checks.
Bug: 264029575
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ia1280f85499621d3fa57f7262b4a2c80f4be7773
Signed-off-by: Lee Jones <joneslee@google.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The thin archives build currently puts all lib.a and built-in.o
files together and links them with --whole-archive.
This works because thin archives can recursively refer to thin
archives. However some architectures include libgcc.a, which may
not be a thin archive, or it may not be constructed with the "P"
option, in which case its contents do not get linked correctly.
So don't pull .a libs into the root built-in.o archive. These
libs should already have symbol tables and indexes built, so they
can be direct linker inputs. Move them out of the --whole-archive
option, which restore the conditional linking behaviour of lib.a
to thin archives builds.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Change-Id: I42d8c27102477c7a21f29f3f4e7c6f19691ddca6
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The P option makes ar do full path name matching and can prevent ar
from discarding files with duplicate names in some cases of creating
thin archives from thin archives. The sh architecture in particular
loses some object files from its kernel/cpu/sh*/ directories without
this option.
This could be a bug in binutils ar, but the P option should not cause
any negative effects so it is safe to use to work around this with.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Change-Id: I24f247271cd6bf245da10362a0cbb204033791b4
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
THIN_ARCHIVES builds archives for built-in.o targets, have it build
multi-y targets as archives as well.
This saves another ~15% of the size of intermediate artifacts in the
build tree. After this patch, the linker is only used in final link,
and special cases like vdsos.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michal Marek <mmarek@suse.com>
Change-Id: Ic42ae9917ec19215a63e99b1fca1bd6fd4592294
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Close the --whole-archives option with --no-whole-archive. Some
architectures end up including additional .o and files multiple
times after this, and they get duplicate symbols when they are
brought under the --whole-archives option.
This matches more closely with the incremental final link.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Change-Id: I6efef94b96f62802de5efe10a5e5171d8983ab49
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The root built-in.o archive is currently generated before all object
files are built for the final link, due to final build of init/ after
version update. In practice it seems like it doesn't matter because
the archive symbol table does not change, but it is more logical to
create the final archive as the last step.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michal Marek <mmarek@suse.com>
Change-Id: I8255d2e046dc2632d6875a5f9e59514a8e16bb65
|
| | |\ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0 into android13-4.4-msm8998
"LA.UM.7.2.c25-07700-sdm660.0"
* tag 'LA.UM.7.2.c25-07700-sdm660.0' of https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0:
qcacld-3.0: Fix out-of-bounds in tx_stats
Change-Id: Ib8c44a17e48376841ae45ff886c33b245f13762f
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The tx_stats array length num_entries can't be more than
param_buf->num_tx_stats from fw.
Otherwies out-of-bounds will happen when read wmi_tx_stats.
Change-Id: I7ab3c7cc7baef6d903ba6301622bd67efe52cebe
CRs-Fixed: 3104318
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
commit 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa upstream.
If "BufOffset" is very large the "BufOffset + 8" operation can have an
integer overflow.
Bug: 239842288
Cc: stable@kernel.org
Fixes: 38ea1eac7d88 ("usb: gadget: rndis: check size of RNDIS_MSG_SET command")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220301080424.GA17208@kili
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I4dcecb9ada2680a4211e5ccc9b27de2df964e404
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
emulation_proc_handler() changes table->data for proc_dointvec_minmax
and can generate the following Oops if called concurrently with itself:
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
| Internal error: Oops: 96000006 [#1] SMP
| Call trace:
| update_insn_emulation_mode+0xc0/0x148
| emulation_proc_handler+0x64/0xb8
| proc_sys_call_handler+0x9c/0xf8
| proc_sys_write+0x18/0x20
| __vfs_write+0x20/0x48
| vfs_write+0xe4/0x1d0
| ksys_write+0x70/0xf8
| __arm64_sys_write+0x20/0x28
| el0_svc_common.constprop.0+0x7c/0x1c0
| el0_svc_handler+0x2c/0xa0
| el0_svc+0x8/0x200
To fix this issue, keep the table->data as &insn->current_mode and
use container_of() to retrieve the insn pointer. Another mutex is
used to protect against the current_mode update but not for retrieving
insn_emulation as table->data is no longer changing.
Bug: 237540956
Co-developed-by: hewenliang <hewenliang4@huawei.com>
Signed-off-by: hewenliang <hewenliang4@huawei.com>
Signed-off-by: Haibin Zhang <haibinzhang@tencent.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://lore.kernel.org/r/20220128090324.2727688-1-hewenliang4@huawei.com
Link: https://lore.kernel.org/r/9A004C03-250B-46C5-BF39-782D7551B00E@tencent.com
Signed-off-by: Will Deacon <will@kernel.org>
[Lee: Added Fixes: tag]
(cherry picked from commit af483947d472eccb79e42059276c4deed76f99a6
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-next/core)
Fixes: 587064b610c7 ("arm64: Add framework for legacy instruction emulation")
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: If9b96bb79c79903f9d8292e719b06fdef57ef1c5
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the
reference for a node. In this case, the target proc normally releases
the failed reference upon close as expected. However, if the target is
dying in parallel the call will race with binder_deferred_release(), so
the target could have released all of its references by now leaving the
cleanup of the new failed reference unhandled.
The transaction then ends and the target proc gets released making the
ref->proc now a dangling pointer. Later on, ref->node is closed and we
attempt to take spin_lock(&ref->proc->inner_lock), which leads to the
use-after-free bug reported below. Let's fix this by cleaning up the
failed reference on the spot instead of relying on the target to do so.
==================================================================
BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150
Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590
CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
dump_backtrace.part.0+0x1d0/0x1e0
show_stack+0x18/0x70
dump_stack_lvl+0x68/0x84
print_report+0x2e4/0x61c
kasan_report+0xa4/0x110
kasan_check_range+0xfc/0x1a4
__kasan_check_write+0x3c/0x50
_raw_spin_lock+0xa8/0x150
binder_deferred_func+0x5e0/0x9b0
process_one_work+0x38c/0x5f0
worker_thread+0x9c/0x694
kthread+0x188/0x190
ret_from_fork+0x10/0x20
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Bug: 239630375
Link: https://lore.kernel.org/all/20220801182511.3371447-1-cmllamas@google.com/
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: I5085dd0dc805a780a64c057e5819f82dd8f02868
(cherry picked from commit ae3fa5d16a02ba7c7b170e0e1ab56d6f0ba33964)
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Map the permission gating RTM_GETNEIGH/RTM_GETNEIGHTBL messages to a
new permission so that it can be distinguished from the other netlink
route permissions in selinux policy. The new permission is triggered by
a flag set in system images T and up.
This change is intended to be backported to all kernels that a T system
image can run on top of.
Bug: 171572148
Test: atest NetworkInterfaceTest
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Test: atest bionic-unit-tests-static
Test: On Cuttlefish, run combinations of:
- Policy bit set or omitted (see https://r.android.com/1701847)
- This patch applied or omitted
- App having nlmsg_readneigh permission or not
Verify that only the combination of this patch + the policy bit being
set + the app not having the nlmsg_readneigh permission prevents the
app from sending RTM_GETNEIGH messages.
Change-Id: I4bcfce4decb34ea9388eeedfc4be67403de8a980
Signed-off-by: Bram Bonné <brambonne@google.com>
(cherry picked from commit fac07550bdac9adea0dbe3edbdbec7a9a690a178)
(cherry picked from commit 32d7afd1472c3cce509a3455b40a575540eac780)
CVE-2022-20399
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
commit 501e38a5531efbd77d5c73c0ba838a889bfc1d74 upstream.
dev->config and dev->hs_config and dev->dev need to be cleaned if
dev_config fails to avoid UAF.
Bug: 220261709
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Link: https://lore.kernel.org/r/20211231172138.7993-3-hbh25y@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I149a16bc8db7262c3ab9c2f72a0f10c6caebee83
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
commit 89f3594d0de58e8a57d92d497dea9fee3d4b9cda upstream.
dev->buf does not need to be released if it already exists before
executing dev_config.
Bug: 220261709
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Link: https://lore.kernel.org/r/20211231172138.7993-2-hbh25y@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: Id53d6770fbae0a7fcf0fa136157c0ab34fb5da64
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Stall the control endpoint in case provided index exceeds array size of
MAX_CONFIG_INTERFACES or when the retrieved function pointer is null.
Bug: 213172319
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 75e5b4849b81e19e9efe1654b30d7f3151c33c2c)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I78f46b6f2140394a6bc6cff9f829c0742d7ad2fc
(cherry picked from commit c7732dbce590ef33ac2345f21efa6703f78b9e95)
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Check the size of the RNDIS_MSG_SET command given to us before
attempting to respond to an invalid message size.
Bug: 162326603
Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Cc: stable@kernel.org
Tested-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 38ea1eac7d88072bbffb630e2b3db83ca649b826)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I61168b48de4ca79a3a28dd4d3b81779bc25554c1
(cherry picked from commit 16d19b656133457225cf69a4825faf30a0ca59a4)
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
pass_to_user() eventually calls kref_put() on an ION handle which is
still live, potentially allowing for it to be legitimately freed by
the client.
Prevent this from happening before its final use in both ION_IOC_ALLOC
and ION_IOC_IMPORT.
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I2e54dbe91ec5f97f4da8dcc1fe0793a934da4537
|
