Commit message    Author    Age
* iommu: Fix missing return check of arm_lpae_init_pte  [Pratyush Brahma, 2023-09-25]

    A UAF scenario may occur in clients with EL1 privileges for iova mappings
    when we fail to check the return value of arm_lpae_init_pte, which may lead
    to a PTE being counted as set even if it already existed. This can cause a
    dangling IOMMU PTE to be left mapped pointing to a freed object and cause a
    UAF in the client if the dangling PTE is accessed after a failed unmap
    operation.

    Fixes: 27de1978c331 ("ANDROID: GKI: iommu/io-pgtable-arm: LPAE related updates by vendor")
    Change-Id: I674b9b520e705b8f8e63ba20ed76e64cb2fe0f47
    Signed-off-by: Pratyush Brahma <quic_pbrahma@quicinc.com>
    (cherry picked from commit b1405fc833e94c7b69fd4a63ed204407284a58dc)
* q6asm: validate payload size before access  [Soumya Managoli, 2023-09-13]

    Payload size is not checked before payload access. Check the size to avoid
    out-of-bounds memory access.

    Change-Id: I1bd8281ad263b8c0102335504a740312755b8d15
    Signed-off-by: Shalini Manjunatha <quic_c_shalma@quicinc.com>
    Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
* Merge "dsp: afe: Add check for sidetone iir config copy size."  [Linux Build Service Account, 2023-09-06]
* dsp: afe: Add check for sidetone iir config copy size.  [Soumya Managoli, 2023-09-05]

    Avoid OOB access of the sidetone iir config array when iir_num_biquad_stages
    returned from the cal block is > 10.

    Change-Id: I45b95e8bdd1a993a526590c94cf2f9a85c12af37
    Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
* Merge "q6core: Avoid OOB access in q6core"  [Linux Build Service Account, 2023-09-05]
* q6core: Avoid OOB access in q6core  [Soumya Managoli, 2023-09-04]

    "num_services", a signed integer, when compared with a constant results in
    conversion of the signed integer to the maximum possible unsigned int value
    when "num_services" is a negative value. This can lead to an OOB read. The
    fix is to handle this case.

    Change-Id: Id6a8f150d9019c972a87f789e4c626337a97bfff
    Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
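The signed/unsigned mismatch described in the q6core entry above, as an added example that is not part of this log and not the driver's own code. It shows an int count passing an upper-bound-only check and then turning into an enormous byte count once it is multiplied by a size_t, next to the check written so that negative counts are rejected. MAX_SERVICES, struct svc_info and the function names are hypothetical, and the table contents are constructed for the demo.

```c
/* Added example, not the q6core driver's code. MAX_SERVICES, struct svc_info
 * and all function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SERVICES 8

struct svc_info {
    uint32_t id;
    uint32_t version;
};

/* Byte count for num_services entries. int * size_t converts the int to
 * size_t (unsigned) first, so a negative count becomes a value near SIZE_MAX
 * instead of a small negative number. */
size_t svc_bytes(int num_services)
{
    return num_services * sizeof(struct svc_info);
}

/* Vulnerable shape from the entry above: the only bound is an upper bound
 * against a signed constant, so -1 <= MAX_SERVICES holds and the copy length
 * wraps. Returns the byte count that would be copied; no copy is performed,
 * so the example itself stays memory safe. 0 means "rejected". */
size_t vuln_copy_len(int num_services)
{
    if (num_services > MAX_SERVICES)
        return 0;
    return svc_bytes(num_services);     /* -1 yields SIZE_MAX - 7 */
}

/* Hardened: reject negatives explicitly before the count reaches any
 * unsigned arithmetic. The one-line kernel idiom
 *   if ((unsigned int)num_services > MAX_SERVICES)
 * has the same effect because the cast makes every negative value huge.
 * Returns the number of entries copied, or -1 if the count was rejected. */
int hardened_copy(struct svc_info *dst, const struct svc_info *src, int num_services)
{
    if (num_services < 0 || num_services > MAX_SERVICES)
        return -1;
    memcpy(dst, src, (size_t)num_services * sizeof(*src));
    return num_services;
}

/* Self-contained driver over a constructed table: copies n entries and
 * returns the id of the last copied entry, 0 for an empty copy, or -1 if the
 * count was rejected. */
int hardened_copy_demo(int n)
{
    struct svc_info src[MAX_SERVICES], dst[MAX_SERVICES];

    for (int i = 0; i < MAX_SERVICES; i++) {
        src[i].id = (uint32_t)i + 1;
        src[i].version = 1;
    }
    memset(dst, 0, sizeof(dst));

    if (hardened_copy(dst, src, n) < 0)
        return -1;
    return n > 0 ? (int)dst[n - 1].id : 0;
}
```

The check must be two-sided whenever the count is signed; a single `> MAX` comparison against a signed constant never sees the problem, because the conversion to unsigned only happens later, at the multiply or in a loop bound.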
* q6voice: Add buf size check for cvs cal data.  [Soumya Managoli, 2023-09-04]

    Check for the max size of cvs command register calibration data that can be
    copied; otherwise it will result in a buffer overflow.

    Change-Id: Id7a4c5a9795143798b68dfde779f17fb450e3848
    Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
    (cherry picked from commit 606e2a66f0cd284cfe0d445230b45430b99578e8)
* ASoC: msm-pcm-host-voice: Handle OOB access in hpcm_start.  [Soumya Managoli, 2023-08-29]

    There is no error check for the case when hpcm_start is called for the same
    RX or TX tap points multiple times. This can result in an OOB access of
    struct vss_ivpcm_tap_point. Handle this scenario with an appropriate
    no_of_tp check.

    Change-Id: Ib384d21c9bf372f3e5d78f64b5c056e836728399
    Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
    (cherry picked from commit 521277c4c3ffc4a3f4a232de41cfa4fc7b6aaa35)
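The repeated-start problem in the hpcm_start entry above, as an added example that is not the msm-pcm-host-voice driver's code. A fixed-size tap-point table is filled by each start call; without a per-direction "already started" flag and a no_of_tp bound, starting RX twice and then TX writes one entry past the end. struct tap_point, MAX_TAP_POINTS and the hpcm_* names are hypothetical.

```c
/* Added example, not the msm-pcm-host-voice driver's code. All names and
 * the two-entry table size are hypothetical. */
#include <stdint.h>
#include <string.h>

#define MAX_TAP_POINTS 2                /* one RX and one TX tap point */
enum tap_dir { TAP_RX = 0, TAP_TX = 1 };

struct tap_point {
    enum tap_dir dir;
    uint32_t sample_rate;
};

struct hpcm_state {
    struct tap_point tp[MAX_TAP_POINTS];
    int no_of_tp;                       /* entries in use in tp[] */
    int started[MAX_TAP_POINTS];        /* per-direction started flag */
};

/* Vulnerable shape: every call appends, so RX, RX, TX reaches index 2.
 * Returns the index that would be written. The bounds guard exists only so
 * this example cannot corrupt its own memory; the bug it models has none. */
int hpcm_start_vuln(struct hpcm_state *s, enum tap_dir dir, uint32_t rate)
{
    int idx = s->no_of_tp++;

    if (idx < MAX_TAP_POINTS) {
        s->tp[idx].dir = dir;
        s->tp[idx].sample_rate = rate;
    }
    return idx;
}

/* Hardened: a direction can be started once, and no_of_tp can never exceed
 * MAX_TAP_POINTS. 0 on success, -1 already started, -2 table full, -3 bad dir. */
int hpcm_start(struct hpcm_state *s, enum tap_dir dir, uint32_t rate)
{
    if (dir != TAP_RX && dir != TAP_TX)
        return -3;
    if (s->started[dir])
        return -1;
    if (s->no_of_tp >= MAX_TAP_POINTS)
        return -2;
    s->tp[s->no_of_tp].dir = dir;
    s->tp[s->no_of_tp].sample_rate = rate;
    s->no_of_tp++;
    s->started[dir] = 1;
    return 0;
}

/* Remove the entry for dir, moving the last entry into the hole. */
int hpcm_stop(struct hpcm_state *s, enum tap_dir dir)
{
    if (dir != TAP_RX && dir != TAP_TX)
        return -3;
    if (!s->started[dir])
        return -1;
    for (int i = 0; i < s->no_of_tp; i++) {
        if (s->tp[i].dir == dir) {
            s->tp[i] = s->tp[s->no_of_tp - 1];
            s->no_of_tp--;
            s->started[dir] = 0;
            return 0;
        }
    }
    return -1;
}

/* RX, RX, TX against the vulnerable version: returns the third index, which
 * equals MAX_TAP_POINTS, i.e. one past the end of tp[]. */
int vuln_double_start_demo(void)
{
    struct hpcm_state s;

    memset(&s, 0, sizeof(s));
    hpcm_start_vuln(&s, TAP_RX, 8000);
    hpcm_start_vuln(&s, TAP_RX, 8000);
    return hpcm_start_vuln(&s, TAP_TX, 16000);
}

/* Same sequence plus a stop/restart against the hardened version. Returns
 * the final no_of_tp, or a negative code naming the step that misbehaved. */
int hardened_double_start_demo(void)
{
    struct hpcm_state s;

    memset(&s, 0, sizeof(s));
    if (hpcm_start(&s, TAP_RX, 8000) != 0)    return -100;
    if (hpcm_start(&s, TAP_RX, 8000) != -1)   return -101;  /* repeat rejected */
    if (hpcm_start(&s, TAP_TX, 16000) != 0)   return -102;
    if (hpcm_start(&s, TAP_TX, 16000) != -1)  return -103;
    if (hpcm_stop(&s, TAP_RX) != 0)           return -104;
    if (hpcm_start(&s, TAP_RX, 8000) != 0)    return -105;  /* restart after stop */
    return s.no_of_tp;
}
```

The per-direction flag is what makes the operation idempotent; the no_of_tp bound is the backstop that keeps the table index in range even if the flag logic is bypassed by a future caller.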
* Merge "q6lsm: Address use after free for mmap handle."  [Linux Build Service Account, 2023-08-25]
* q6lsm: Address use after free for mmap handle.  [Soumya Managoli, 2023-08-25]

    The globally declared mmap_handle can be left dangling for the case when the
    handle is freed by the calling function. The fix is to address this. Also add
    a check to make sure the mmap_handle is accessed legally.

    Change-Id: I367f8a41339aa0025b545b125ee820220efedeee
    Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
* msm-pcm-host-voice: Check validity of session idx  [Soumya Managoli, 2023-08-25]

    Added a check for the voice session index.

    Change-Id: Ifff36add5d62f2fdc3395de1447075d297f2c2df
    Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
    (cherry picked from commit fd59b4b0abb1efb064f705fb47723a9262be9a0f)
* Asoc: check for invalid voice session id  [Saurav Kumar, 2023-08-23]

    Add a check to return if the session id is invalid.

    Change-Id: Ida0e07b78657102a3bf6e73a1ca23c44ad112426
    Signed-off-by: Lakshman Chaluvaraju <lchalu@codeaurora.org>
    Signed-off-by: Tapas Dey <quic_tapadey@quicinc.com>
* ASoC: msm-pcm-voip: Avoid integer underflow  [Soumya Managoli, 2023-06-16]

    There is no check for the voip pkt pkt_len, whether it contains the minimum
    required data. This can lead to an integer underflow. Add a check for the
    same.

    Change-Id: I4f57eb125967d52ad8da60d21a440af1f81d2579
    Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
* ASoC: msm-pcm-q6-v2: Add dsp buf check  [Soumya Managoli, 2023-06-06]

    The current logic copies user buf size of data from the available dsp buf at
    a given offset. If this offset, returned from the DSP in the READ_DONE event,
    goes out of bounds or is corrupted, it can lead to out-of-bounds DSP buffer
    access, resulting in a memory fault. The fix is to add a check that this buf
    offset is within the buf size range.

    Change-Id: Ia81bf25a5a32a69c39dce7589c96bff99b9452f0
    Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
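Three entries above (the q6asm payload size check, the msm-pcm-voip pkt_len underflow and the msm-pcm-q6-v2 READ_DONE offset check) are the same pattern: a length or offset arrives from the other side of an IPC channel, a DSP or a user process, and is used to index a buffer before it is validated. The following is an added example, not code from any of those drivers, showing the underflow and the wrapping offset arithmetic next to the checks that reject them. The wire header struct voip_hdr, the buffer sizes and every function name are hypothetical; the packets are constructed in the demo helper.

```c
/* Added example, not code from the q6asm, msm-pcm-voip or msm-pcm-q6-v2
 * drivers. The header layout and all names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct voip_hdr {              /* hypothetical wire header */
    uint32_t pkt_len;          /* header + payload bytes, as claimed by the sender */
    uint32_t seq;
};
#define VOIP_HDR_LEN ((uint32_t)sizeof(struct voip_hdr))

/* The vulnerable computation: trusts pkt_len and subtracts. For pkt_len < 8
 * the unsigned subtraction wraps to a value near UINT32_MAX, which then drives
 * a copy of that many bytes. */
uint32_t vuln_payload_len(uint32_t pkt_len)
{
    return pkt_len - VOIP_HDR_LEN;
}

/* Hardened: returns the payload length, or -1 if the buffer cannot even hold
 * the header, if pkt_len is smaller than the header (the underflow case), or
 * if pkt_len claims more bytes than were actually received. */
long voip_payload_len(const uint8_t *buf, size_t received)
{
    struct voip_hdr h;

    if (received < VOIP_HDR_LEN)
        return -1;
    memcpy(&h, buf, VOIP_HDR_LEN);          /* no unaligned access */
    if (h.pkt_len < VOIP_HDR_LEN)           /* would underflow below */
        return -1;
    if (h.pkt_len > received)               /* claims bytes that are not there */
        return -1;
    return (long)(h.pkt_len - VOIP_HDR_LEN);
}

/* READ_DONE style check, vulnerable form: offset + copy_len wraps in 32 bits,
 * so a huge offset with a small length passes as "in range". */
int dsp_buf_range_vuln(uint32_t buf_size, uint32_t offset, uint32_t copy_len)
{
    return offset + copy_len <= buf_size;
}

/* Hardened: written as a subtraction so nothing can wrap. 1 if the copy
 * [offset, offset + copy_len) lies inside a buffer of buf_size bytes. */
int dsp_buf_range_ok(uint32_t buf_size, uint32_t offset, uint32_t copy_len)
{
    if (offset > buf_size)
        return 0;
    return copy_len <= buf_size - offset;
}

/* Constructed packet for the demo: a header claiming claimed_len bytes,
 * delivered as received bytes (capped at the local buffer). Returns what
 * voip_payload_len reports for it. */
long demo_packet(uint32_t claimed_len, size_t received)
{
    uint8_t buf[64];
    struct voip_hdr h = { .pkt_len = claimed_len, .seq = 7 };

    memset(buf, 0, sizeof(buf));
    if (received > sizeof(buf))
        received = sizeof(buf);
    memcpy(buf, &h, sizeof(h));
    return voip_payload_len(buf, received);
}
```

Two rules carry the whole example: check that the declared length is at least the fixed part before subtracting it, and compare an offset against the buffer size by subtraction rather than by adding the length to it.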
* Merge "msm: kgsl: Make sure that pool pages don't have any extra references"  [Linux Build Service Account, 2023-03-01]
* msm: kgsl: Make sure that pool pages don't have any extra references  [Harshitha Sai Neelati, 2023-02-28]

    Before putting a page back in the pool be sure that it doesn't have any
    additional references that would be a signal that somebody else is looking
    at the page and that it would be a bad idea to keep it around and run the
    risk of accidentally handing it to a different process.

    Change-Id: Ic0dedbad0cf2ffb34b76ad23e393c5a911114b82
    Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
    Signed-off-by: Harshitha Sai Neelati <quic_hsaineel@quicinc.com>
* msm: kgsl: Use dma_buf_get() to get dma_buf structure  [Pankaj Gupta, 2023-02-28]

    Currently we don't ensure that vma->vm_file is associated with a dma_buf.
    This can cause issues later when private_data from a non-dma_buf file is
    used as a dma_buf structure. Hence get the fd that is associated with
    vma->vm_file and use dma_buf_get() to get a pointer to the dma_buf
    structure. dma_buf_get() ensures that the file from the input fd is
    associated with a dma_buf.

    Change-Id: Ib78aef8b16bedca5ca86d3a132278ff9f07dce73
    Signed-off-by: Puranam V G Tejaswi <quic_pvgtejas@quicinc.com>
    Signed-off-by: Pankaj Gupta <quic_gpankaj@quicinc.com>
* Merge "diag: Ensure dci entry is valid before sending the packet"  [Linux Build Service Account, 2022-09-21]
* diag: Ensure dci entry is valid before sending the packet  [Manoj Prabhu B, 2022-09-19]

    The possibility of a race condition which can free the dci entry, causing a
    use-after-free, is prevented by adding a check for the entry's validity.

    Change-Id: Ib436ffd16c266636d99885d6091eb1a6887737c7
    Signed-off-by: Manoj Prabhu B <quic_bmanoj@quicinc.com>
* diag: Prevent out of bound write while sending dci pkt to remote  [Manoj Prabhu B, 2022-09-19]

    Sanitize the user input length for the maximum buffer size before writing
    the dci packet to the remote.

    Change-Id: I1f813a969fcce589f9e5024864ef4a650f2cf64e
    Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
* Merge "ion: Fix integer overflow in msm_ion_custom_ioctl"  [Linux Build Service Account, 2022-09-16]
* ion: Fix integer overflow in msm_ion_custom_ioctl  [Swetha Chikkaboraiah, 2022-09-16]

    While handling some of the custom commands, vaddr and offset are controlled
    from userspace. Handle the case where the start address can become 0,
    leading to unintentional operations.

    Fixes: ff8868e4cf88 ("ion: ensure valid start address")
    Change-Id: I995c7f0ae76910fa136ed95aaf4ac254d09885bd
    Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>
* diag: Use valid data_source for a valid token  [Manoj Prabhu B, 2022-09-16]

    For a valid token indicating a remote proc, use data_source to indicate that
    the packet originated from a dci remote source.

    Change-Id: I01729a905d532fae7ea046acc143598eca04460b
    Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
* msm: kgsl: Remove 'fd' dependency to get dma_buf handle  [ravnar, 2022-05-12]

    Get the dma_buf handle directly from 'vm_file' after doing the necessary
    checks on the file.

    Change-Id: Id5eec16588d64e4e28483b32bb52d4d3d9b86b99
    Signed-off-by: ravnar <quic_ravnar@quicinc.com>
    Signed-off-by: Sanjay Yadav <quic_sanjyada@quicinc.com>
* msm: kgsl: Fix gpuaddr_in_range() to check upper bound  [Abhishek Barman, 2022-05-05]

    Currently gpuaddr_in_range() accepts only the gpuaddr and returns true if it
    lies in the valid range. But this does not mean that the entire buffer is
    within range. Modify the function to accept size as a parameter and check
    that both the starting and ending points of the buffer lie within the mmu
    range.

    Change-Id: I1d722295b9a27e746bfdb6d3bf409ffe722193cb
    Signed-off-by: Rohan Sethi <quic_rohsethi@quicinc.com>
    Signed-off-by: Abhishek Barman <quic_abarman@quicinc.com>
    Signed-off-by: Kamal Agrawal <quic_kamaagra@quicinc.com>
* msm: adsprpc: Handle UAF in fastrpc debugfs read  [Swathi K, 2022-04-29]

    Use a lock to protect maps among multiple threads to avoid a race condition.

    Change-Id: Ib0c83dd38ea8e5acb54a1478d10b02385c27ba31
    Signed-off-by: Swathi K <quic_c_kataka@quicinc.com>
* msm: kgsl: Add a sysfs node to control performance counter reads  [Pankaj Gupta, 2022-03-09]

    Currently performance counters are global and can be read by anyone. Change
    the behaviour to disable reading global counters by default and add a sysfs
    node to enable/disable reads.

    Change-Id: Ic3785acd9bd7425c2a844ed103d7b870d9f80adf
    Signed-off-by: Mohammed Mirza Mandayappurath Manzoor <quic_mmandaya@quicinc.com>
    Signed-off-by: Harshitha Sai Neelati <quic_hsaineel@quicinc.com>
    Signed-off-by: Pankaj Gupta <quic_gpankaj@quicinc.com>
    Signed-off-by: Kamal Agrawal <quic_kamaagra@quicinc.com>
* msm: kgsl: Perform cache flush on the pages obtained using get_user_pages()  [Puranam V G Tejaswi, 2022-02-01]

    Consider a scenario where the user allocates anonymous memory but does not
    write to it. Here the physical pages are not yet allocated. Now when this
    memory is requested to be imported, a list of newly allocated zero pages is
    obtained using get_user_pages(). Currently a cache flush is not done for
    these pages and hence the GPU sees stale data. Fix this by performing a
    cache flush on these pages.

    Change-Id: Id1e8aa20e8a9de112761732ed92f30c01088840b
    Signed-off-by: Puranam V G Tejaswi <quic_pvgtejas@quicinc.com>
    Signed-off-by: Sebanti Das <quic_sebadas@quicinc.com>
    Signed-off-by: Kamal Agrawal <quic_kamaagra@quicinc.com>
* soc: qcom: hab: Add sanity check for payload_count  [lixiang, 2021-10-13]

    When handling memory import, payload_count is used for the memory alloc
    calculation. If payload_count is too large, the size will overflow when
    creating the page list. Adding a sanity check for payload_count is
    necessary.

    Change-Id: I6d60cea0c62bd29092852c55b766b77a94cb6e3b
    Signed-off-by: lixiang <lixiang@codeaurora.org>
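The ion, kgsl gpuaddr_in_range() and hab payload_count entries above are all arithmetic that must not wrap: a start address plus a size that comes back as 0 or as a small "end", and a count times an element size that comes back as a tiny allocation. The following is an added example, not code from any of those drivers, showing the start-only range check the kgsl entry describes next to a full check, and the page-list size computation with and without an overflow check. It uses the GCC/Clang `__builtin_add_overflow` and `__builtin_mul_overflow` intrinsics, which the kernel wraps as check_add_overflow() and check_mul_overflow(). The MMU bounds, struct page_entry, MAX_PAYLOAD_COUNT and the function names are hypothetical.

```c
/* Added example, not the kgsl, ion or hab code. The address range, the
 * page-list entry type and all names are hypothetical. Requires GCC >= 5 or
 * Clang for the __builtin_*_overflow intrinsics. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical GPU virtual range managed by the MMU: [MMU_BASE, MMU_END). */
#define MMU_BASE 0x0000000100000000ULL
#define MMU_END  0x0000010000000000ULL

/* Start-only check, as the kgsl entry describes the original: accepts a
 * buffer that starts inside the range but runs past MMU_END. */
bool gpuaddr_in_range_start_only(uint64_t gpuaddr)
{
    return gpuaddr >= MMU_BASE && gpuaddr < MMU_END;
}

/* Full check: the first byte and the end of the buffer must both be inside
 * the range, and gpuaddr + size must not wrap. A wrapped sum is the same
 * class of bug as the ion entry's start address becoming 0: the "end" looks
 * small and every comparison after it is meaningless. Zero-sized buffers are
 * rejected as well. */
bool gpuaddr_in_range(uint64_t gpuaddr, uint64_t size)
{
    uint64_t end;

    if (size == 0)
        return false;
    if (__builtin_add_overflow(gpuaddr, size, &end))
        return false;
    return gpuaddr >= MMU_BASE && end <= MMU_END;
}

/* Hypothetical page-list entry handed to the importer. */
struct page_entry {
    uint64_t paddr;
    uint32_t size;
    uint32_t pad;
};

/* The wrapping computation: a count just over 2^60 times a 16-byte entry
 * gives 2^64 + 16, which wraps to 16, so a 16-byte allocation is then filled
 * with 2^60 entries. */
uint64_t page_list_bytes_wrapping(uint64_t payload_count)
{
    return payload_count * (uint64_t)sizeof(struct page_entry);
}

/* Hardened: a sanity cap on the count (the hab entry's fix) plus an explicit
 * multiply-overflow check behind it. Returns the allocation size, or 0 when
 * the count is rejected. max_count is a parameter only so the demo can show
 * both rejections independently. */
uint64_t page_list_bytes(uint64_t payload_count, uint64_t max_count)
{
    uint64_t bytes;

    if (payload_count == 0 || payload_count > max_count)
        return 0;
    if (__builtin_mul_overflow(payload_count, (uint64_t)sizeof(struct page_entry), &bytes))
        return 0;
    return bytes;
}
```

The cap is the cheap check that also bounds memory consumption; the overflow intrinsic is the one that stays correct if someone later raises the cap or changes the entry size.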
* Merge "futex: Fix inode life-time issue"  [Linux Build Service Account, 2021-10-04]
* futex: Fix inode life-time issue  [Peter Zijlstra, 2021-09-28]

    commit 8019ad13ef7f64be44d4f892af9c840179009254 upstream.

    As reported by Jann, ihold() does not in fact guarantee inode persistence.
    And instead of making it so, replace the usage of inode pointers with a per
    boot, machine wide, unique inode identifier.

    This sequence number is global, but shared (file backed) futexes are rare
    enough that this should not become a performance issue.

    Reported-by: Jann Horn <jannh@google.com>
    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Git-commit: 24bbfe34bb44c036c3a0874bf74fc2387d5557bf
    Git-repo: https://android.googlesource.com/kernel/common/
    Change-Id: I2c28eac963cef6ed8b389fbdb079e355e3c36cc0
    Signed-off-by: pvijayku <pvijayku@codeaurora.org>
* Merge "futex: Handle faults correctly for PI futexes"  [Linux Build Service Account, 2021-10-01]
* futex: Handle faults correctly for PI futexes  [Lee Jones, 2021-09-28]

    From: Thomas Gleixner <tglx@linutronix.de>

    fixup_pi_state_owner() tries to ensure that the state of the rtmutex,
    pi_state and the user space value related to the PI futex are consistent
    before returning to user space. In case that the user space value update
    faults and the fault cannot be resolved by faulting the page in via
    fault_in_user_writeable() the function returns with -EFAULT and leaves the
    rtmutex and pi_state owner state inconsistent.

    A subsequent futex_unlock_pi() operates on the inconsistent pi_state and
    releases the rtmutex despite not owning it which can corrupt the RB tree of
    the rtmutex and cause a subsequent kernel stack use after free.

    It was suggested to loop forever in fixup_pi_state_owner() if the fault
    cannot be resolved, but that results in runaway tasks which is especially
    undesired when the problem happens due to a programming error and not due
    to malice.

    As the user space value cannot be fixed up, the proper solution is to make
    the rtmutex and the pi_state consistent so both have the same owner. This
    leaves the user space value out of sync. Any subsequent operation on the
    futex will fail because the 10th rule of PI futexes (pi_state owner and
    user space value are consistent) has been violated.

    As a consequence this removes the inept attempts of 'fixing' the situation
    in case that the current task owns the rtmutex when returning with an
    unresolvable fault by unlocking the rtmutex which left pi_state::owner and
    rtmutex::owner out of sync in a different and only slightly less dangerous
    way.

    Fixes: 1b7558e457ed ("futexes: fix fault handling in futex_lock_pi")
    Reported-by: gzobqq@gmail.com
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Git-commit: 46358277b2da868763517f79aa0ac25ce78c4f68
    Git-repo: https://android.googlesource.com/kernel/common/
    Change-Id: I9c0cf904296c48cee1bbeae00680f620708e37d8
    Signed-off-by: pvijayku <pvijayku@codeaurora.org>
* futex: Simplify fixup_pi_state_owner()  [Lee Jones, 2021-09-28]

    From: Thomas Gleixner <tglx@linutronix.de>

    [ Upstream commit f2dac39d93987f7de1e20b3988c8685523247ae2 ]

    Too many gotos already and an upcoming fix would make it even more
    unreadable.

    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Git-commit: 47e452fcf2f50645247aa0240ae26e0d14d6d3ad
    Git-repo: https://android.googlesource.com/kernel/common/
    Change-Id: Idf8902712a59e0c830fe0582a5b97a2ca54e1320
    Signed-off-by: pvijayku <pvijayku@codeaurora.org>
* futex: Use pi_state_update_owner() in put_pi_state()  [Lee Jones, 2021-09-28]

    From: Thomas Gleixner <tglx@linutronix.de>

    [ Upstream commit 6ccc84f917d33312eb2846bd7b567639f585ad6d ]

    No point in open coding it. This way it gains the extra sanity checks.

    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Git-commit: f08a4af5ccb2a907a225dfd3d882656e5473da4a
    Git-repo: https://android.googlesource.com/kernel/common/
    Change-Id: I54200e76097ceee3488bf8f11e9ab4e5c9194a3d
    Signed-off-by: pvijayku <pvijayku@codeaurora.org>
* rtmutex: Remove unused argument from rt_mutex_proxy_unlock()  [Lee Jones, 2021-09-28]

    From: Thomas Gleixner <tglx@linutronix.de>

    [ Upstream commit 2156ac1934166d6deb6cd0f6ffc4c1076ec63697 ]

    Nothing uses the argument. Remove it as preparation to use
    pi_state_update_owner().

    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Git-commit: 42255927e832f9c1ed8db4e84530bc6a54aa2fee
    Git-repo: https://android.googlesource.com/kernel/common/
    Change-Id: I746f82437216fd73f533b58a0ce81753e40af41a
    Signed-off-by: pvijayku <pvijayku@codeaurora.org>
* futex: Provide and use pi_state_update_owner()  [Lee Jones, 2021-09-28]

    From: Thomas Gleixner <tglx@linutronix.de>

    [ Upstream commit c5cade200ab9a2a3be9e7f32a752c8d86b502ec7 ]

    Updating pi_state::owner is done at several places with the same code.
    Provide a function for it and use that at the obvious places.

    This is also a preparation for a bug fix to avoid yet another copy of the
    same code or alternatively introducing a completely unpenetratable mess of
    gotos.

    Originally-by: Peter Zijlstra <peterz@infradead.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Git-commit: 34c8e1c2c025b8c3eefb43fbcec2699841f0d153
    Git-repo: https://android.googlesource.com/kernel/common/
    Change-Id: Ic680390868639f992e2f7d6b36191adee7043b5f
    Signed-off-by: pvijayku <pvijayku@codeaurora.org>
* futex: Replace pointless printk in fixup_owner()  [Lee Jones, 2021-09-28]

    From: Thomas Gleixner <tglx@linutronix.de>

    [ Upstream commit 04b79c55201f02ffd675e1231d731365e335c307 ]

    If that unexpected case of inconsistent arguments ever happens then the
    futex state is left completely inconsistent and the printk is not really
    helpful. Replace it with a warning and make the state consistent.

    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Git-commit: 3edf5f2ad6652c4e3e6c1eaf4d64be7cf516b1b5
    Git-repo: https://android.googlesource.com/kernel/common/
    Change-Id: I8c14a61890813a669b6f9a9418c7dcae3686bb31
    Signed-off-by: pvijayku <pvijayku@codeaurora.org>
* futex: Avoid violating the 10th rule of futex  [Lee Jones, 2021-09-28]

    From: Peter Zijlstra <peterz@infradead.org>

    commit c1e2f0eaf015fb7076d51a339011f2383e6dd389 upstream.

    Julia reported futex state corruption in the following scenario:

       waiter                                  waker                            stealer (prio > waiter)

       futex(WAIT_REQUEUE_PI, uaddr, uaddr2,
             timeout=[N ms])
          futex_wait_requeue_pi()
             futex_wait_queue_me()
                freezable_schedule()
                <scheduled out>
                                               futex(LOCK_PI, uaddr2)
                                               futex(CMP_REQUEUE_PI, uaddr,
                                                     uaddr2, 1, 0)
                                                  /* requeues waiter to uaddr2 */
                                               futex(UNLOCK_PI, uaddr2)
                                                     wake_futex_pi()
                                                        cmp_futex_value_locked(uaddr2, waiter)
                                                        wake_up_q()
                  <woken by waker>
                  <hrtimer_wakeup() fires,
                   clears sleeper->task>
                                                                                futex(LOCK_PI, uaddr2)
                                                                                   __rt_mutex_start_proxy_lock()
                                                                                      try_to_take_rt_mutex() /* steals lock */
                                                                                         rt_mutex_set_owner(lock, stealer)
                                                                                     <preempted>
                <scheduled in>
                rt_mutex_wait_proxy_lock()
                   __rt_mutex_slowlock()
                      try_to_take_rt_mutex() /* fails, lock held by stealer */
                      if (timeout && !timeout->task)
                         return -ETIMEDOUT;
                   fixup_owner()
                      /* lock wasn't acquired, so,
                         fixup_pi_state_owner skipped */

          return -ETIMEDOUT;

          /* At this point, we've returned -ETIMEDOUT to userspace, but the
           * futex word shows waiter to be the owner, and the pi_mutex has
           * stealer as the owner */

          futex_lock(LOCK_PI, uaddr2)
            -> bails with EDEADLK, futex word says we're owner.

    And suggested that what commit:

      73d786bd043e ("futex: Rework inconsistent rt_mutex/futex_q state")

    removes from fixup_owner() looks to be just what is needed. And indeed it
    is -- I completely missed that requeue_pi could also result in this case.

    So we need to restore that, except that subsequent patches, like commit:

      16ffa12d7425 ("futex: Pull rt_mutex_futex_unlock() out from under hb->lock")

    changed all the locking rules. Even without that, the sequence:

    -   if (rt_mutex_futex_trylock(&q->pi_state->pi_mutex)) {
    -           locked = 1;
    -           goto out;
    -   }

    -   raw_spin_lock_irq(&q->pi_state->pi_mutex.wait_lock);
    -   owner = rt_mutex_owner(&q->pi_state->pi_mutex);
    -   if (!owner)
    -           owner = rt_mutex_next_owner(&q->pi_state->pi_mutex);
    -   raw_spin_unlock_irq(&q->pi_state->pi_mutex.wait_lock);
    -   ret = fixup_pi_state_owner(uaddr, q, owner);

    already suggests there were races; otherwise we'd never have to look at
    next_owner.

    So instead of doing 3 consecutive wait_lock sections with who knows what
    races, we do it all in a single section. Additionally, the usage of
    pi_state->owner in fixup_owner() was only safe because only the rt_mutex
    owner would modify it, which this additional case wrecks.

    Luckily the values can only change away and not to the value we're
    testing, this means we can do a speculative test and double check once we
    have the wait_lock.

    Fixes: 73d786bd043e ("futex: Rework inconsistent rt_mutex/futex_q state")
    Reported-by: Julia Cartwright <julia@ni.com>
    Reported-by: Gratian Crisan <gratian.crisan@ni.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Tested-by: Julia Cartwright <julia@ni.com>
    Tested-by: Gratian Crisan <gratian.crisan@ni.com>
    Cc: Darren Hart <dvhart@infradead.org>
    Link: https://lkml.kernel.org/r/20171208124939.7livp7no2ov65rrc@hirez.programming.kicks-ass.net
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [Lee: Back-ported to solve a dependency]
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Git-commit: ad4740ceccfbf326b7f82ebac43d860a64240c1c
    Git-repo: https://android.googlesource.com/kernel/common/
    Change-Id: I04d1f364e06a210765f67c3295426a0e91f5c51c
    Signed-off-by: pvijayku <pvijayku@codeaurora.org>
* Merge "futex: Rework inconsistent rt_mutex/futex_q state"  [Linux Build Service Account, 2021-10-01]
* futex: Rework inconsistent rt_mutex/futex_q state  [Lee Jones, 2021-09-28]

    From: Peter Zijlstra <peterz@infradead.org>

    [Upstream commit 73d786bd043ebc855f349c81ea805f6b11cbf2aa ]

    There is a weird state in the futex_unlock_pi() path when it interleaves
    with a concurrent futex_lock_pi() at the point where it drops hb->lock.

    In this case, it can happen that the rt_mutex wait_list and the futex_q
    disagree on pending waiters, in particular rt_mutex will find no pending
    waiters where futex_q thinks there are. In this case the rt_mutex unlock
    code cannot assign an owner.

    The futex side fixup code has to cleanup the inconsistencies with quite a
    bunch of interesting corner cases.

    Simplify all this by changing wake_futex_pi() to return -EAGAIN when this
    situation occurs. This then gives the futex_lock_pi() code the opportunity
    to continue and the retried futex_unlock_pi() will now observe a coherent
    state.

    The only problem is that this breaks RT timeliness guarantees. That is,
    consider the following scenario:

      T1 and T2 are both pinned to CPU0. prio(T2) > prio(T1)

        CPU0

        T1
          lock_pi()
          queue_me()  <- Waiter is visible

        preemption

        T2
          unlock_pi()
            loops with -EAGAIN forever

    Which is undesirable for PI primitives. Future patches will rectify this.

    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: juri.lelli@arm.com
    Cc: bigeasy@linutronix.de
    Cc: xlpang@redhat.com
    Cc: rostedt@goodmis.org
    Cc: mathieu.desnoyers@efficios.com
    Cc: jdesfossez@efficios.com
    Cc: dvhart@infradead.org
    Cc: bristot@redhat.com
    Link: http://lkml.kernel.org/r/20170322104151.850383690@infradead.org
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    [Lee: Back-ported to solve a dependency]
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Git-commit: 394fc4981426d5f6427e1adb80bec3ee8cf76bcf
    Git-repo: https://android.googlesource.com/kernel/common/
    Change-Id: I73a7014a7176150c93b7caa7b487d85fc2922058
    Signed-off-by: pvijayku <pvijayku@codeaurora.org>
* futex: Remove rt_mutex_deadlock_account_*()  [Lee Jones, 2021-09-28]

    From: Peter Zijlstra <peterz@infradead.org>

    These are unused and clutter up the code.

    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: juri.lelli@arm.com
    Cc: bigeasy@linutronix.de
    Cc: xlpang@redhat.com
    Cc: rostedt@goodmis.org
    Cc: mathieu.desnoyers@efficios.com
    Cc: jdesfossez@efficios.com
    Cc: dvhart@infradead.org
    Cc: bristot@redhat.com
    Link: http://lkml.kernel.org/r/20170322104151.652692478@infradead.org
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    [Lee: Back-ported to solve a dependency]
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Git-commit: fd7924d6f23c8b9a1da45e438be773d5d11bda10
    Git-repo: https://android.googlesource.com/kernel/common/
    Change-Id: Iba692c91d753236748e9998d82b5f3f6c165c4af
    Signed-off-by: pvijayku <pvijayku@codeaurora.org>
* futex,rt_mutex: Provide futex specific rt_mutex API  [Lee Jones, 2021-09-28]

    From: Peter Zijlstra <peterz@infradead.org>

    [ Upstream commit 5293c2efda37775346885c7e924d4ef7018ea60b ]

    Part of what makes futex_unlock_pi() intricate is that
    rt_mutex_futex_unlock() -> rt_mutex_slowunlock() can drop
    rt_mutex::wait_lock.

    This means it cannot rely on the atomicy of wait_lock, which would be
    preferred in order to not rely on hb->lock so much.

    The reason rt_mutex_slowunlock() needs to drop wait_lock is because it can
    race with the rt_mutex fastpath, however futexes have their own fast path.

    Since futexes already have a bunch of separate rt_mutex accessors, complete
    that set and implement a rt_mutex variant without fastpath for them.

    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: juri.lelli@arm.com
    Cc: bigeasy@linutronix.de
    Cc: xlpang@redhat.com
    Cc: rostedt@goodmis.org
    Cc: mathieu.desnoyers@efficios.com
    Cc: jdesfossez@efficios.com
    Cc: dvhart@infradead.org
    Cc: bristot@redhat.com
    Link: http://lkml.kernel.org/r/20170322104151.702962446@infradead.org
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    [Lee: Back-ported to solve a dependency]
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Git-commit: 6510e4a2d04f33e4bfd221760faab23e55d8772b
    Git-repo: https://android.googlesource.com/kernel/common/
    Change-Id: I616435071e43d8fb6cc7e69cab6d48a8b4599073
    Signed-off-by: pvijayku <pvijayku@codeaurora.org>
* msm: kgsl: Fix out of bound write in adreno_profile_submit_time  [Kamal Agrawal, 2021-09-29]

    Make sure there is enough room in the memory descriptor to store the entire
    profiling buffer object.

    Change-Id: I1e1c73097bb2bba9645b0a3c66fdbbc71d8ba8fa
    Signed-off-by: Kamal Agrawal <kamaagra@codeaurora.org>
* msm: adsprpc: Handle UAF in process shell memory  [Swathi K, 2021-07-16]

    Added a flag to indicate memory used in process initialization. This memory
    would not be removed in the internal unmap, to avoid a UAF or double free.

    Change-Id: I99e8e4f94644c5d47b4863f89b308bd5de49c1d7
    Signed-off-by: Swathi K <kataka@codeaurora.org>
* Disable TRACER Check to improve Camera Performance  [Shubham Tiwari, 2021-04-15]

    Change-Id: I7acbfcb04a551052cb8b284850e1a6e0071ae9d6
    Signed-off-by: shubtiwa <shubtiwa@codeaurora.org>
* msm: kgsl: Deregister gpu address on memdesc_sg_virt failure  [Neeraja P, 2021-03-23]

    When memdesc_sg_virt returns an error in the kgsl_setup_anon_useraddr
    function, the gpu address registered in the SVM region will not be
    deregistered. This change deregisters the gpu address on memdesc_sg_virt
    failure.

    Change-Id: Ic99167e283a0c6331bb9f5f0b608b6cdb3c918e4
    Signed-off-by: Neeraja P <neerp@codeaurora.org>
* Merge "crypto: Fix possible stack out-of-bound error"  [Linux Build Service Account, 2021-03-16]
* crypto: Fix possible stack out-of-bound error  [Monika Singh, 2021-03-15]

    Adding a fix to check the upper limit on the length of the destination
    array while copying elements from the source address, to avoid a stack
    out-of-bounds error.

    Change-Id: I39d5768fa97f9d269cfb101a389bb771d13c7538
    Signed-off-by: Monika Singh <monising@codeaurora.org>
* Merge "msm: kgsl: Correct the refcount on current process PID."  [Linux Build Service Account, 2021-03-16]