git.stricted.de - GitHub/LineageOS/android_kernel_motorola

ANDROID: dm: verity: add minimum prefetch size

- For device like eMMC, it gives better performance to read more hash
blocks at a time.
- For android, set it to default 128.
For other devices, set it to 1 which is the same as now.
- saved boot-up time by 300ms in tested device

bug: 32246564

Change-Id: Ibc0401a0cddba64b862a80445844b4e595213621
Cc: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Keun-young Park <keunyoung@google.com>

ANDROID: dm: android-verity: mark dev as rw for linear target

Mark as rw when adding as linear target to allow changes
to the underlying filesystem through adb disable verity
and adb remount.

(Cherry-picked from
https://partner-android-review.googlesource.com/#/c/613573/
79a3032bb62da65a5d724eb70c8bdc662945d475)

BUG: 28845874
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: If41e9cad8e0f054f4778c09a6e2f0cb8af6fddaf

ANDROID: dm: android-verity: allow disable dm-verity for Treble VTS

To start Treble VTS test, a single AOSP system.img will be flashed onto
the device. The size of AOSP system.img might be different than the
system partition size on device, making locating verity metadata fail
(at the last fixed size of the partition).

This change allows disabling dm-verity on system partition when the
device is unlocked (orange device state) with invalid metadata.

BUG: 35603549
Test: boot device with a different-sized system.img, checks verity is
not enabled via:

"adb shell getprop | grep partition.system.verified"

Change-Id: Ide78dca4eefde4ab019e4b202d3f590dcb1bb506
Signed-off-by: Bowgo Tsai <bowgotsai@google.com>

ANDROID: dm: android-verity: fix table_make_digest() error handling

If table_make_digest() fails, verify_verity_signature() would try to
pass the returned ERR_PTR() to kfree().

This fixes the smatch error:

drivers/md/dm-android-verity.c:601 verify_verity_signature() error: 'pks' dereferencing possible ERR_PTR()

Change-Id: I9b9b7764b538cb4a5f94337660e9b0f149b139be
Signed-off-by: Greg Hackmann <ghackmann@google.com>

ANDROID: dm: android-verity: rebase for 4.9

Export the direct_access method of dm_linear target for
dm-android-verity target.

Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: I46556d882305e5194352946264cbc9c06e5038e4

[AmitP: Rebased the changes for v4.14]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: dm: android-verity: Remove fec_header location constraint

This CL removes the mandate of the fec_header being located right
after the ECC data.

(Cherry-picked from https://android-review.googlesource.com/#/c/280401)

Bug: 28865197
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: Ie04c8cf2dd755f54d02dbdc4e734a13d6f6507b5

ANDROID: dm: android-verity: adopt changes made to dm callbacks

v4.4 introduced changes to the callbacks used for
dm-linear and dm-verity-target targets. Move to those headers
in dm-android-verity.

Verified on hikey while having
BOARD_USES_RECOVERY_AS_BOOT := true
BOARD_BUILD_SYSTEM_ROOT_IMAGE := true

BUG: 27339727
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: Ic64950c3b55f0a6eaa570bcedc2ace83bbf3005e

ANDROID: dm: android-verity: pack the fec_header structure

The fec_header structure is generated build time and stored on disk.
The fec_header might be build on a 64 bits machine while it is read
per a 32 bits device or the other way around. In such situations, the
fec_header fields are not aligned as expected by the device and it
fails to read the fec_header structure.

This patch makes the fec_header packed.

Change-Id: Idb84453e70cc11abd5ef3a0adfbb16f8b5feaf06
Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>

ANDROID: dm: android-verity: Verify header before fetching table

Move header validation logic before reading the verity_table as
an invalid header implies the table is invalid as well.

(Cherry-picked from:
https://partner-android-review.git.corp.google.com/#/c/625203)

BUG: 29940612
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: Ib34d25c0854202f3e70df0a6d0ef1d96f0250c8e

ANDROID: dm: android-verity: allow adb disable-verity only in userdebug

adb disable-verity was allowed when the phone is in the
unlocked state. Since the driver is now aware of the build
variant, honor "adb disable-verity" only in userdebug
builds.

(Cherry-picked from
https://partner-android-review.git.corp.google.com/#/c/622117)

BUG: 29276559
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: I7ce9f38d8c7a62361392c5a8ccebb288f8a3a2ea

ANDROID: dm: android-verity: mount as linear target if eng build

eng builds dont have verity enabled i.e it does even
have verity metadata appended to the parition. Therefore
add rootdev as linear device and map the entire partition
if build variant is "eng".

(Cherry-picked based on
https://partner-android-review.git.corp.google.com/#/c/618690/)

BUG: 29276559
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: I8f5c2289b842b820ca04f5773525e5449bb3f355

ANDROID: dm: android-verity: use default verity public key

If the dm-android-verity target does not provide a default
key try using the default public key from the system keyring.
The defualt verity keyid is passed as a kernel command line
argument veritykeyid=.

The order of the dm-android-verity params have been reversed
to facilitate the change.

Old format example:
dm="system none ro,0 1 android-verity Android:#7e4333f9bba00adfe0ede979e28ed1920492b40f /dev/mmcblk0p43"

New formats supported:
dm="system none ro,0 1 android-verity /dev/mmcblk0p43 Android:#7e4333f9bba00adfe0ede979e28ed1920492b40f"

(or)

dm="system none ro,0 1 android-verity /dev/mmcblk0p43"
when veritykeyid= is set in the kernel command line.

BUG: 28384658
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: I506c89b053d835ab579e703eef2bc1f8487250de
(cherry picked from commit c5c74d0327729f35b576564976885596c6d0e7fb)

ANDROID: dm: android-verity: fix signature verification flag

The bug was that the signature verification was only
happening when verity was disabled. It should always
happen when verity is enabled.

Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: I2d9354e240d36ea06fc68c2d18d8e87b823a4c2f
(cherry picked from commit 5364b5ca0b1a12a58283b51408e43fc36d4e4fe7)

ANDROID: dm: android-verity: use name_to_dev_t

This patch makes android_verity_ctr() parse its block device string
parameter with name_to_dev_t(). It allows the use of less hardware
related block device reference like PARTUUID for instance.

Change-Id: Idb84453e70cc11abd5ef3a0adfbb16f8b5feaf07
Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>

ANDROID: dm: android-verity: Mounting root as linear device when verity disabled

This CL makes android-verity target to be added as linear
dm device if when bootloader is unlocked and verity is disabled.

Bug: 27175947
Change-Id: Ic41ca4b8908fb2777263799cf3a3e25934d70f18
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
[AmitP: Folded following android-4.9 commit changes into this patch
7e70218c2699 ("ANDROID: dm: Minor cleanup")
67584ff8412b ("ANDROID: dm: rename dm-linear methods for dm-android-verity")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: dm: android-verity: Add android verity target

This device-mapper target is virtually a VERITY target. This
target is setup by reading the metadata contents piggybacked
to the actual data blocks in the block device. The signature
of the metadata contents are verified against the key included
in the system keyring. Upon success, the underlying verity
target is setup.

BUG: 27175947

Change-Id: I7e99644a0960ac8279f02c0158ed20999510ea97
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
[AmitP: Folded following android-4.9 commit changes into this patch
56f6a6b2b1cd ("ANDROID: dm-android-verity: Rebase on top of 4.1")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: dm: do_mounts_dm: Update init/do_mounts_dm.c to the latest ChromiumOS version.

This is needed for AVB.

Bug: None
Test: Compiles.
Change-Id: I45b5d435652ab66ec07420ab17f2c7889f7e4d95
Signed-off-by: David Zeuthen <zeuthen@google.com>

ANDROID: dm: do_mounts_dm: fix dm_substitute_devices()

When candidate is the last parameter, candidate_end points to the '\0'
character and not the DM_FIELD_SEP character. In such a situation, we
should not move the candidate_end pointer one character backward.

Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>

ANDROID: dm: do_mounts_dm: Rebase on top of 4.9

1. "dm: optimize use SRCU and RCU" removes the use of dm_table_put.
2. "dm: remove request-based logic from make_request_fn wrapper" necessitates
    calling dm_setup_md_queue or else the request_queue's make_request_fn
    pointer ends being unset.

[    7.711600] Internal error: Oops - bad mode: 0 [#1] PREEMPT SMP
[    7.717519] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W       4.1.15-02273-gb057d16-dirty #33
[    7.726559] Hardware name: HiKey Development Board (DT)
[    7.731779] task: ffffffc005f8acc0 ti: ffffffc005f8c000 task.ti: ffffffc005f8c000
[    7.739257] PC is at 0x0
[    7.741787] LR is at generic_make_request+0x8c/0x108
....
[    9.082931] Call trace:
[    9.085372] [<          (null)>]           (null)
[    9.090074] [<ffffffc0003f4ac0>] submit_bio+0x98/0x1e0
[    9.095212] [<ffffffc0001e2618>] _submit_bh+0x120/0x1f0
[    9.096165] cfg80211: Calling CRDA to update world regulatory domain
[    9.106781] [<ffffffc0001e5450>] __bread_gfp+0x94/0x114
[    9.112004] [<ffffffc00024a748>] ext4_fill_super+0x18c/0x2d64
[    9.117750] [<ffffffc0001b275c>] mount_bdev+0x194/0x1c0
[    9.122973] [<ffffffc0002450dc>] ext4_mount+0x14/0x1c
[    9.128021] [<ffffffc0001b29a0>] mount_fs+0x3c/0x194
[    9.132985] [<ffffffc0001d059c>] vfs_kern_mount+0x4c/0x134
[    9.138467] [<ffffffc0001d2168>] do_mount+0x204/0xbbc
[    9.143514] [<ffffffc0001d2ec4>] SyS_mount+0x94/0xe8
[    9.148479] [<ffffffc000c54074>] mount_block_root+0x120/0x24c
[    9.154222] [<ffffffc000c543e8>] mount_root+0x110/0x12c
[    9.159443] [<ffffffc000c54574>] prepare_namespace+0x170/0x1b8
[    9.165273] [<ffffffc000c53d98>] kernel_init_freeable+0x23c/0x260
[    9.171365] [<ffffffc0009b1748>] kernel_init+0x10/0x118
[    9.176589] Code: bad PC value
[    9.179807] ---[ end trace 75e1bc52ba364d13 ]---

Bug: 27175947

Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: I952d86fd1475f0825f9be1386e3497b36127abd0

CHROMIUM: dm: boot time specification of dm=

This is a wrap-up of three patches pending upstream approval.
I'm bundling them because they are interdependent, and it'll be
easier to drop it on rebase later.

1. dm: allow a dm-fs-style device to be shared via dm-ioctl

Integrates feedback from Alisdair, Mike, and Kiyoshi.

Two main changes occur here:

- One function is added which allows for a programmatically created
mapped device to be inserted into the dm-ioctl hash table.  This binds
the device to a name and, optional, uuid which is needed by udev and
allows for userspace management of the mapped device.

- dm_table_complete() was extended to handle all of the final
functional changes required for the table to be operational once
called.

2. init: boot to device-mapper targets without an initr*

Add a dm= kernel parameter modeled after the md= parameter from
do_mounts_md.  It allows for device-mapper targets to be configured at
boot time for use early in the boot process (as the root device or
otherwise).  It also replaces /dev/XXX calls with major:minor opportunistically.

The format is dm="name uuid ro,table line 1,table line 2,...".  The
parser expects the comma to be safe to use as a newline substitute but,
otherwise, uses the normal separator of space.  Some attempt has been
made to make it forgiving of additional spaces (using skip_spaces()).

A mapped device created during boot will be assigned a minor of 0 and
may be access via /dev/dm-0.

An example dm-linear root with no uuid may look like:

root=/dev/dm-0  dm="lroot none ro, 0 4096 linear /dev/ubdb 0, 4096 4096 linear /dv/ubdc 0"

Once udev is started, /dev/dm-0 will become /dev/mapper/lroot.

Older upstream threads:
http://marc.info/?l=dm-devel&m=127429492521964&w=2
http://marc.info/?l=dm-devel&m=127429499422096&w=2
http://marc.info/?l=dm-devel&m=127429493922000&w=2

Latest upstream threads:
https://patchwork.kernel.org/patch/104859/
https://patchwork.kernel.org/patch/104860/
https://patchwork.kernel.org/patch/104861/

Bug: 27175947

Signed-off-by: Will Drewry <wad@chromium.org>
Review URL: http://codereview.chromium.org/2020011

Change-Id: I92bd53432a11241228d2e5ac89a3b20d19b05a31

[AmitP: Refactored the original changes based on upstream changes,
        commit e52347bd66f6 ("Documentation/admin-guide: split the kernel parameter list to a separate file")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: dm: verity-fec: add sysfs attribute fec/corrected

Add a sysfs entry that allows user space to determine whether dm-verity
has come across correctable errors on the underlying block device.

Bug: 22655252
Bug: 27928374
Change-Id: I80547a2aa944af2fb9ffde002650482877ade31b
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
(cherry picked from commit 7911fad5f0a2cf5afc2215657219a21e6630e001)

[AmitP: Folded following android-4.9 commit changes into this patch
3278f53e4658 ("ANDROID: dm verity fec: add missing release from fec_ktype")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

CHROMIUM: dma-buf: dma-fence: fix warning when releasing active sync point

Userspace can close the sync device while there are still active fence
points, in which case kernel produces the following warning:

[   43.853176] ------------[ cut here ]------------
[   43.857834] WARNING: CPU: 0 PID: 892 at /mnt/host/source/src/third_party/kernel/v3.18/drivers/staging/android/sync.c:439 android_fence_release+0x88/0x104()
[   43.871741] CPU: 0 PID: 892 Comm: Binder_5 Tainted: G     U 3.18.0-07661-g0550ce9 #1
[   43.880176] Hardware name: Google Tegra210 Smaug Rev 1+ (DT)
[   43.885834] Call trace:
[   43.888294] [<ffffffc000207464>] dump_backtrace+0x0/0x10c
[   43.893697] [<ffffffc000207580>] show_stack+0x10/0x1c
[   43.898756] [<ffffffc000ab1258>] dump_stack+0x74/0xb8
[   43.903814] [<ffffffc00021d414>] warn_slowpath_common+0x84/0xb0
[   43.909736] [<ffffffc00021d530>] warn_slowpath_null+0x14/0x20
[   43.915482] [<ffffffc00088aefc>] android_fence_release+0x84/0x104
[   43.921582] [<ffffffc000671cc4>] fence_release+0x104/0x134
[   43.927066] [<ffffffc00088b0cc>] sync_fence_free+0x74/0x9c
[   43.932552] [<ffffffc00088b128>] sync_fence_release+0x34/0x48
[   43.938304] [<ffffffc000317bbc>] __fput+0x100/0x1b8
[   43.943185] [<ffffffc000317cc8>] ____fput+0x8/0x14
[   43.947982] [<ffffffc000237f38>] task_work_run+0xb0/0xe4
[   43.953297] [<ffffffc000207074>] do_notify_resume+0x44/0x5c
[   43.958867] ---[ end trace 5a2aa4027cc5d171 ]---

Let's fix it by introducing a new optional callback (disable_signaling)
to fence operations so that drivers can do proper clean ups when we
remove last callback for given fence.

BUG=chrome-os-partner:40303
TEST=Boot Smaug and observe that warning is gone.

Change-Id: I05c34dcf74438c28405438c7ead0706b1f810fff
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/303409
Reviewed-by: Andrew Bresticker <abrestic@chromium.org>
[AmitP: Refactored original changes by aligning with upstream
        naming convention and by using dma_fence_to_sync_pt()
        helper instead of container_of().

        Also folded following android-4.9 changes into this patch
        fb66dc2a6e5e ("ANDROID: dma-buf/sw_sync: Rename active_list to link")].
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

CHROMIUM: cgroups: relax permissions on moving tasks between cgroups

Android expects system_server to be able to move tasks between different
cgroups/cpusets, but does not want to be running as root. Let's relax
permission check so that processes can move other tasks if they have
CAP_SYS_NICE in the affected task's user namespace.

BUG=b:31790445,chromium:647994
TEST=Boot android container, examine logcat

Change-Id: Ia919c66ab6ed6a6daf7c4cf67feb38b13b1ad09b
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/394927
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
[AmitP: Refactored original changes to align with upstream commit
201af4c0fab0 ("cgroup: move cgroup files under kernel/cgroup/")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: cpuset: Make cpusets restore on hotplug

This deliberately changes the behavior of the per-cpuset
cpus file to not be effected by hotplug. When a cpu is offlined,
it will be removed from the cpuset/cpus file. When a cpu is onlined,
if the cpuset originally requested that that cpu was part of the cpuset,
that cpu will be restored to the cpuset. The cpus files still
have to be hierachical, but the ranges no longer have to be out of
the currently online cpus, just the physically present cpus.

Change-Id: I22cdf33e7d312117bcefba1aeb0125e1ada289a9
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
[AmitP: Refactored original changes to align with upstream commit
201af4c0fab0 ("cgroup: move cgroup files under kernel/cgroup/")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: cpu: send KOBJ_ONLINE event when enabling cpus

In case some sysfs nodes needs to be labeled with a different label than
sysfs then user needs to be notified when a core is brought back online.

Signed-off-by: Thierry Strudel <tstrudel@google.com>
Bug: 29359497
Change-Id: I0395c86e01cd49c348fda8f93087d26f88557c91

ANDROID: cpuidle: governor: menu: don't use loadavg

get_loadavg doesn't work as intended.  According to the comments, it
should be returning an average over a few seconds, but it is actually
reading the instantaneous load.  It is almost always returning 0, but
can sometimes, depending on workload, spike very high into the hundreds
even when the average cpu load is under 10%.  Disable it for now.

Change-Id: I63ed100af1cf9463549939b8113ed83676db5f86
Signed-off-by: Colin Cross <ccross@android.com>

ANDROID: binder: clarify deferred thread work.

Rename the function to more accurately reflect what
it does, and add a comment explaining why we use it.

Change-Id: I8d011c017dfc6e24b5b54fc462578f8e153e5926
Signed-off-by: Martijn Coenen <maco@android.com>

ANDROID: binder: show high watermark of alloc->pages.

Show the high watermark of the index into the alloc->pages
array, to facilitate sizing the buffer on a per-process
basis.

Change-Id: I2b40cd16628e0ee45216c51dc9b3c5b0c862032e
Signed-off-by: Martijn Coenen <maco@android.com>

ANDROID: binder: Add thread->process_todo flag.

This flag determines whether the thread should currently
process the work in the thread->todo worklist.

The prime usecase for this is improving the performance
of synchronous transactions: all synchronous transactions
post a BR_TRANSACTION_COMPLETE to the calling thread,
but there's no reason to return that command to userspace
right away - userspace anyway needs to wait for the reply.

Likewise, a synchronous transaction that contains a binder
object can cause a BC_ACQUIRE/BC_INCREFS to be returned to
userspace; since the caller must anyway hold a strong/weak
ref for the duration of the call, postponing these commands
until the reply comes in is not a problem.

Note that this flag is not used to determine whether a
thread can handle process work; a thread should never pick
up process work when thread work is still pending.

Before patch:
------------------------------------------------------------------
Benchmark                           Time           CPU Iterations
------------------------------------------------------------------
BM_sendVec_binderize/4          45959 ns      20288 ns      34351
BM_sendVec_binderize/8          45603 ns      20080 ns      34909
BM_sendVec_binderize/16         45528 ns      20113 ns      34863
BM_sendVec_binderize/32         45551 ns      20122 ns      34881
BM_sendVec_binderize/64         45701 ns      20183 ns      34864
BM_sendVec_binderize/128        45824 ns      20250 ns      34576
BM_sendVec_binderize/256        45695 ns      20171 ns      34759
BM_sendVec_binderize/512        45743 ns      20211 ns      34489
BM_sendVec_binderize/1024       46169 ns      20430 ns      34081

After patch:
------------------------------------------------------------------
Benchmark                           Time           CPU Iterations
------------------------------------------------------------------
BM_sendVec_binderize/4          42939 ns      17262 ns      40653
BM_sendVec_binderize/8          42823 ns      17243 ns      40671
BM_sendVec_binderize/16         42898 ns      17243 ns      40594
BM_sendVec_binderize/32         42838 ns      17267 ns      40527
BM_sendVec_binderize/64         42854 ns      17249 ns      40379
BM_sendVec_binderize/128        42881 ns      17288 ns      40427
BM_sendVec_binderize/256        42917 ns      17297 ns      40429
BM_sendVec_binderize/512        43184 ns      17395 ns      40411
BM_sendVec_binderize/1024       43119 ns      17357 ns      40432

Signed-off-by: Martijn Coenen <maco@android.com>
Change-Id: Ia70287066d62aba64e98ac44ff1214e37ca75693

ANDROID: binder: fix node sched policy calculation

We should use FLAT_BINDER_FLAG_SCHED_POLICY_MASK as
the mask to calculate sched policy.

Change-Id: Ic252fd7c68495830690130d792802c02f99fc8fc
Signed-off-by: Ganesh Mahendran <opensource.ganesh@gmail.com>

ANDROID: binder: init desired_prio.sched_policy before use it

In function binder_transaction_priority(), we access
desired_prio before initialzing it.

This patch fix this.

Change-Id: I9d14d50f9a128010476a65b52631630899a44633
Signed-off-by: Ganesh Mahendran <opensource.ganesh@gmail.com>

ANDROID: binder: fix transaction leak.

If a call to put_user() fails, we failed to
properly free a transaction and send a failed
reply (if necessary).

Bug: 63117588
Test: binderLibTest

Change-Id: Ia98db8cd82ce354a4cdc8811c969988d585c7e31
Signed-off-by: Martijn Coenen <maco@android.com>

ANDROID: binder: Add tracing for binder priority inheritance.

Bug: 34461621
Change-Id: I5ebb1c0c49fd42a89ee250a1d70221f767c82c7c
Signed-off-by: Martijn Coenen <maco@google.com>

ANDROID: binder: don't check prio permissions on restore.

Because we have disabled RT priority inheritance for
the regular binder domain, the following can happen:

1) thread A (prio 98) calls into thread B
2) because RT prio inheritance is disabled, thread B
   runs at the lowest nice (prio 100) instead
3) thread B calls back into A; A will run at prio 100
   for the duration of the transaction
4) When thread A is done with the call from B, we will
   try to restore the prio back to 98. But, we fail
   because the process doesn't hold CAP_SYS_NICE,
   neither is RLIMIT_RT_PRIO set.

While the proper fix going forward will be to
correctly apply CAP_SYS_NICE or RLIMIT_RT_PRIO,
for now it seems reasonable to not check permissions
on the restore path.

Change-Id: Ibede5960c9b7bb786271c001e405de50be64d944
Signed-off-by: Martijn Coenen <maco@android.com>

ANDROID: binder: add RT inheritance flag to node.

Allows a binder node to specify whether it wants to
inherit real-time scheduling policy from a caller.

Change-Id: I375b6094bf441c19f19cba06d5a6be02cd07d714
Signed-off-by: Martijn Coenen <maco@android.com>

ANDROID: binder: improve priority inheritance.

By raising the priority of a thread selected for
a transaction *before* we wake it up.

Delay restoring the priority when doing a reply
until after we wake-up the process receiving
the reply.

Change-Id: Ic332e4e0ed7d2d3ca6ab1034da4629c9eadd3405
Signed-off-by: Martijn Coenen <maco@google.com>

ANDROID: binder: add min sched_policy to node.

This change adds flags to flat_binder_object.flags
to allow indicating a minimum scheduling policy for
the node. It also clarifies the valid value range
for the priority bits in the flags.

Internally, we use the priority map that the kernel
uses, e.g. [0..99] for real-time policies and [100..139]
for the SCHED_NORMAL/SCHED_BATCH policies.

Bug: 34461621
Bug: 37293077
Change-Id: I12438deecb53df432da18c6fc77460768ae726d2
Signed-off-by: Martijn Coenen <maco@google.com>

ANDROID: binder: add support for RT prio inheritance.

Adds support for SCHED_BATCH/SCHED_FIFO/SCHED_RR
priority inheritance.

Change-Id: I71f356e476be2933713a0ecfa2cc31aa141e2dc6
Signed-off-by: Martijn Coenen <maco@google.com>
[AmitP: Include <uapi/linux/sched/types.h> for struct sched_param]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: ashmem: Shrink directly through shmem_fallocate

When ashmem_shrink is called from direct reclaim on a user thread, a
call to do_fallocate will check for permissions against the security
policy of that user thread. It can thus fail by chance if called on a
thread that isn't permitted to modify the relevant ashmem areas.

Because we know that we have a shmem file underneath, call the shmem
implementation of fallocate directly instead of going through the
user-space interface for fallocate.

FIX=DMS06243560
Area: Kernel/Linux Kernel

Bug: 21951515
Change-Id: Ie98fff18a2bdeb535cd24d4fbdd13677e12681a7
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>

ANDROID: ashmem: Add shmem_set_file to mm/shmem.c

NOT FOR STAGING
This patch re-adds the original shmem_set_file to mm/shmem.c
and converts ashmem.c back to using it.

Change-Id: Ie604c9f8f4d0ee6bc2aae1a96d261c8373a1a2dc
CC: Brian Swetland <swetland@google.com>
CC: Colin Cross <ccross@android.com>
CC: Arve Hjønnevåg <arve@android.com>
CC: Dima Zavin <dima@android.com>
CC: Robert Love <rlove@google.com>
CC: Greg KH <greg@kroah.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>

ANDROID: fiq_debugger: Remove wakelock.h dependencies

Change-Id: I16a0dd4c4c6ee6440ce8a921bc0834d904b81f37
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>

ANDROID: fiq_debugger: Add fiq_debugger.disable option

This change allows to use same kernel image with
different console options for uart and fiq_debugger.
If fiq_debugger.disable will be set to 1/y/Y,
fiq_debugger will not be initialized.

Change-Id: I71fda54f5f863d13b1437b1f909e52dd375d002d
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>

ANDROID: fiq_debugger: Add option to apply uart overlay by FIQ_DEBUGGER_UART_OVERLAY

fiq_debugger is taking over uart, so it is necessary to disable
original uart in DT file. It can be done manually or by overlay.

Change-Id: I9f50ec15b0e22e602d73b9f745fc8666f8925d09
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>

ANDROID: fiq_debugger: Add fiq_watchdog_triggered api

Dumps registers and stacktrace into console-ramoops when called
from a watchdog fiq.

Change-Id: Ib6fab5a52f670db18e64214d5e4890e8292a749c
Signed-off-by: Arve Hjønnevåg <arve@android.com>

ANDROID: fiq_debugger: Call fiq_debugger_printf through a function pointer from cpu specific code

This allows the output from the register and stack trace code to be
sent elsewhere.

Change-Id: I41bb0d5a25e1b9ca55feef5dbd675818b2f832d5
Signed-off-by: Arve Hjønnevåg <arve@android.com>

ANDROID: fiq_debugger: add ARM64 support

Add fiq_debugger_arm64.c that implements the platform-specific
functions.

Change-Id: I4d8b96777bb8503a93d4eb47bbde8e018740a5bf
Signed-off-by: Colin Cross <ccross@android.com>
[AmitP: Remove unused stackframe -> sp to align with upstream commit
        31e43ad3b74a ("arm64: unwind: remove sp from struct stackframe")

        Also folded following android-4.9 commit changes into this patch
        a33d9f9fa333 ("ANDROID: fiq_debugger: Pass task parameter to unwind_frame()")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: fiq_debugger: split arm support into fiq_debugger_arm.c

Split arm support into a separate .c file that is only built for
CONFIG_ARM.

Change-Id: Iba16f4d51608bf9c3e5c8acefefcd38fead9797c
Signed-off-by: Colin Cross <ccross@android.com>

ANDROID: fiq_debugger: use pt_regs for registers

IRQ mode already passes in a struct pt_regs from get_irq_regs().
FIQ mode passes in something similar but not identical to a
struct pt_regs - FIQ mode stores the spsr of the interrupted mode
in slot 17, while pt_regs expects orig_r0.

Replace the existing mixture of void *regs, unsigned *regs, and
struct pt_regs * const with const struct pt_regs *. Modify
dump_regs not to print the spsr since it won't be there in a
struct pt_regs anyways. Modify dump_allregs to highlight the
mode that was interrupted, making spsr easy to find there.

Change-Id: Ibfe1723d702306c7605fd071737d7be9ee9d8c12
Signed-off-by: Colin Cross <ccross@android.com>

ANDROID: fiq_debugger: allow compiling without CONFIG_FIQ_GLUE

Allow compiling fiq_debugger.c without CONFIG_FIQ_GLUE for
platforms that don't support FIQs.

Change-Id: Iabdfd790d24fa9d47b29d2f850c567af2dcad78f
Signed-off-by: Colin Cross <ccross@android.com>

ANDROID: fiq_debugger: rename debug->fiq_debugger

Rename variables and functions in the global namespace to avoid
future collisions.

Change-Id: Ic23a304b0f794efc94cc6d086fddd63231d99c98
Signed-off-by: Colin Cross <ccross@android.com>
[AmitP: Folded following android-4.9 commit changes into this patch
daeea72326db ("ANDROID: fiq_debugger: Build fixes for 4.1")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: fiq_debugger: move into drivers/staging/android/fiq_debugger/

Move fiq_debugger into drivers/staging/android/fiq_debugger/ to
allow for sharing between ARM and ARM64.

Change-Id: I6ca5e8b7e3d000f57da3234260261c5592cef2a8
Signed-off-by: Colin Cross <ccross@android.com>

ANDROID: kdb: support new lines without carriage returns

kdb expects carriage returns through the serial port to terminate
commands. Modify it to accept the first seen carriage return or
new line as a terminator, but not treat \r\n as two terminators.

Change-Id: I06166017e7703d24310eefcb71c3a7d427088db7
Signed-off-by: Colin Cross <ccross@android.com>

ANDROID: ARM: fiq_debugger: Update tty code for 3.9

Signed-off-by: Arve Hjønnevåg <arve@android.com>

ANDROID: ARM: fiq_debugger: lock between tty and console writes

debug_console_write calls debug_uart_flush, which will usually wait
until the serial port fifo empties.  If another thread is continuously
calling fiq_tty_write, the fifo will constantly be refilled and
debug_uart_flush might never return.

Add a spinlock that is locked in debug_console_write and fiq_tty_write
to ensure they can't run at the same time.  This has an extra advantage
of preventing lines from the console and tty from being mixed together.

Also reduce the size returned by fiq_tty_write_room to keep the time
spent with the spinlock held to a reasonable value.

In addition, make sure fiq context can't loop forever by never calling
debug_uart_flush when the console is enabled.

Change-Id: I5712b01f740ca0c84f680d2032c9fa16b7656939
Signed-off-by: Colin Cross <ccross@android.com>
[AmitP: Folded following android-4.9 commit changes into this patch
        b4ffddec3493 ("ANDROID: ARM: fiq_debugger: fix uninitialised spin_lock.")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: ARM: fiq_debugger: add process context reboot command

kernel_restart cannot be called from interrupt context.  Add support for
commands called from a work function, and implement the "reboot" command
there.  Also rename the existing irq-mode command to "reset" and change
it to use machine_restart instead of kernel_restart.

Change-Id: I3c423147c01db03d89e95a5b99096ca89462079f
Signed-off-by: Colin Cross <ccross@android.com>
[AmitP: Folded following android-4.9 commit changes into this patch
        3b61956a41a5 ("ANDROID: fiq_debugger: Fix minor bug in code")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: ARM: fiq_debugger: fix multiple consoles and make it a preferred console

Fix setting up consoles on multiple fiq debugger devices by
splitting the tty driver init into the initcall, and initializing
the single tty device during probe. Has the side effect of moving
the tty device node to /dev/ttyFIQx, where x is the platform device
id, which should normally match the serial port.

To avoid having to pass a different console=/dev/ttyFIQx for every
device, make the fiq debugger a preferred console that will be used
by default if no console was passed on the command line.

Change-Id: I6cc2670628a41e84615859bc96adba189966d647
Signed-off-by: Colin Cross <ccross@android.com>

ANDROID: ARM: kgdb: ignore breakpoint instructions from user mode

Avoid conflicts with user mode usage of the same instructions, as with
Clang -ftrapv.

Change-Id: I12d1c6d8f94376bfd2503cb0be843d7e478fb6ea
Signed-off-by: Todd Poynor <toddpoynor@google.com>

ANDROID: ARM: fiq_debugger: add support for kgdb

Adds polling tty ops to the fiq debugger console tty, which allows
kgdb to run against an fiq debugger console.

Add a check in do_sysrq to prevent enabling kgdb from the fiq
debugger unless a flag (writable only by root) has been set. This
should make it safe to enable KGDB on a production device.

Also add a shortcut to enable the console and kgdb together, to
allow kgdb to be enabled when the shell on the console is not
responding.

Change-Id: Ifc65239ca96c9887431a6a36b9b44a539002f544
Signed-off-by: Colin Cross <ccross@android.com>

ANDROID: ARM: fiq_debugger: add debug_putc

Convert all the calls to state->pdata->uart_putc to a debug_putc
helper.

Change-Id: Idc007bd170ff1b51d0325e238105ae0c86d23777
Signed-off-by: Colin Cross <ccross@android.com>

ANDROID: ARM: fiq_debugger: add support for reboot commands

Pass the rest of the reboot command to kernel_restart to allow
reboot bootloader to work from FIQ debugger.

Change-Id: I4e7b366a69268dda17ffcf4c84f2373d15cb1271
Signed-off-by: Colin Cross <ccross@android.com>

ANDROID: ARM: fiq_debugger: Add generic fiq serial debugger

Change-Id: Ibb536c88f0dbaf4766d0599296907e35e42cbfd6
Signed-off-by: Iliyan Malchev <malchev@google.com>
Signed-off-by: Arve Hjønnevåg <arve@android.com>
[AmitP: Upstream commit 2a1f062a4acf ("sched/headers: Move signal wakeup &
        sigpending methods from <linux/sched.h> into <linux/sched/signal.h>")
        moved few signal definitions to <linux/sched/signal.h>. Hence include
        that instead of <linux/sched.h>.

        Also folded following android-4.9 commit changes into this patch
        69279c68eed4 ("ANDROID: ARM: fiq_debugger: fix compiling for v3.3")
        d05890d37ecc ("ANDROID: ARM: fiq_debugger: Fix to compile on 3.7")
        9de62e0d3f24 ("ANDROID: ARM: fiq_debugger: Use kmsg_dumper to dump kernel logs")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: ARM: fiq_glue: Add custom fiq return handler api.

Change-Id: I5ff2764e85151ca0a88576542fda07c2d33dd065
Signed-off-by: Arve Hjønnevåg <arve@android.com>

ANDROID: ARM: fiq_glue: Add fiq_glue

Change-Id: I27d2554e07d9de204e0a06696d38db51608d9f6b
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Colin Cross <ccross@android.com>

ANDROID: arm64: pass return address to dma_common_contiguous_remap

Added return address to show caller function in /proc/vmallocinfo

Change-Id: Ieb0bbf6ec82b561cea6ff18f0516744050dfc269

ANDROID: arm64: check for upper PAGE_SHIFT bits in pfn_valid()

pfn_valid() returns a false positive when the lower (64 - PAGE_SHIFT)
bits match a valid pfn but some of the upper bits are set. This caused
a kernel panic in kpageflags_read() when a userspace utility parsed
/proc/*/pagemap, neglected to discard the upper flag bits, and tried to
lseek()+read() from the corresponding offset in /proc/kpageflags.

A valid pfn will never have the upper PAGE_SHIFT bits set, so simply
check for this before passing the pfn to memblock_is_memory().

Change-Id: Ief5d8cd4dd93cbecd545a634a8d5885865cb5970
Signed-off-by: Greg Hackmann <ghackmann@google.com>

ANDROID: arm: mm: Optionally flush entire dcache from v6_dma_flush_range

If CACHE_FLUSH_RANGE_LIMIT is defined, then the entire dcache will
be flushed if the requested range is larger than this limit.

Change-Id: I29277d645a9d6716b1952cf3b870c78496261dd0
Signed-off-by: Arve Hjønnevåg <arve@android.com>

ANDROID: arm: decompressor: Flush tlb before swiching domain 0 to client mode

If the bootloader used a page table that is incompatible with domain 0
in client mode, and boots with the mmu on, then swithing domain 0 to
client mode causes a fault if we don't flush the tlb after updating
the page table pointer.

v2: Add ISB before loading dacr.

Signed-off-by: Arve Hjønnevåg <arve@android.com>

ANDROID: arm: fault: assume no context when IRQs are disabled during data abort.

Bail out early if IRQs are disabled in do_page_fault or else
[14415.157266] BUG: sleeping function called from invalid context at arch/arm/mm/fault.c:301

Russell King's idea from
http://comments.gmane.org/gmane.linux.ports.arm.omap/59256

Signed-off-by: JP Abgrall <jpa@google.com>

ANDROID: arm: add option to flush console before reboot

If the console_lock was held while the system was rebooted, the messages
in the temporary logbuffer would not have propogated to all the console
drivers.

This force releases the console lock if it failed to be acquired.

Change-Id: I193dcf7b968be17966833e50b8b8bc70d5d9fe89
Signed-off-by: Dima Zavin <dima@android.com>

ANDROID: arm64: process: dump memory around registers when displaying regs

A port of 8608d7c4418c75841c562a90cddd9beae5798a48 to ARM64. Both the
original code and this port are limited to dumping kernel addresses, so
don't bother if the registers are from a userspace process.

Change-Id: Idc76804c54efaaeb70311cbb500c54db6dac4525
Signed-off-by: Greg Hackmann <ghackmann@google.com>

ANDROID: arm: process: Add display of memory around registers when displaying regs.

This is extremely useful in diagnosing remote crashes, and is based heavily
on original work by <md@google.com>.

Signed-off-by: San Mehat <san@google.com>
Cc: Michael Davidson <md@google.com>
[ARM] process: Use uber-safe probe_kernel_address() to read mem when dumping.

This prevents the dump from taking pagefaults / external aborts.

Change-Id: I8df76e8638780f94fb1bd7ea4471e3f7b01df950
Signed-off-by: San Mehat <san@google.com>

ANDROID: arm64: Allow to choose appended kernel image

By default appended kernel image is Image.gz-dtb.
New config option BUILD_ARM64_APPENDED_KERNEL_IMAGE_NAME
allows to choose between Image.gz-dtb and Image-dtb.

Change-Id: I1c71b85136f1beeb61782e4646820718c1ccd7e4
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
[AmitP: Add BUILD_ARM64_APPENDED_KERNEL_IMAGE_NAME as one of the
default build targets to align with upstream commit
06995804b57 ("arm64: Use full path in KBUILD_IMAGE definition")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: arm64: add option to build Image-dtb

Some bootloaders couldn't decompress Image.gz-dtb.

Change-Id: I698cd0c4ee6894e8d0655d88f3ecf4826c28a645
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
[AmitP: Folded following android-4.9 commit changes into this patch
56b70ac2447f ("ANDROID: ARM64: Ignore Image-dtb from git point of view")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: arm64: add option to build Image.gz/dtb combo

Allows a defconfig to set a list of dtbs to concatenate with an
Image.gz to create a Image.gz-dtb.

Includes 8adb162 arm64: Fix correct dtb clean-files location

Change-Id: I0b462322d5c970f1fdf37baffece7ad058099f4a
Signed-off-by: Alex Ray <aray@google.com>

ANDROID: arm: convert build of appended dtb zImage to list of dtbs

Allow CONFIG_BUILD_ARM_APPENDED_DTB_IMAGE_NAMES to specify
a space separated list of dtbs to append to the zImage,
and name the resulting file zImage-dtb

Change-Id: Ied5d0bafbd1d01fc1f109c15c4283de7029903c9
Signed-off-by: Colin Cross <ccross@android.com>

ANDROID: arm: add config option to build zImage/dtb combo

Allows a defconfig to set a default dtb to concatenate with a zImage
to create a zImage-dtb.<dtb name>

Signed-off-by: Erik Gilling <konkers@android.com>
Change-Id: I34b643b1c49228fbae88a56e46c93c478089620d

ANDROID: arm: Fix dtb list when DTB_IMAGE_NAMES is empty

In the 3.10 kernel, dtb-y is not defined in Makefile.boot anymore
but in dts/Makefile, so it needs to be included too.

Change-Id: I6d6fccf933709bcb6220ce8f12b4b9e2a7c40d63
Signed-off-by: Benoit Goby <benoit@android.com>

ANDROID: arch: force -fno-pic

The Android toolchains enable -fpic by default. -fpic isn't
needed for the kernel and breaks CONFIG_JUMP_LABEL, so turn it off.

Change-Id: I685da1dc60e4cf1e9abcfb56e03654675ac02a0c
Signed-off-by: Greg Hackmann <ghackmann@google.com>
[AmitP: Folded following android-4.9 commit changes into this patch
5acb60f60a2c ("ANDROID: arch: x86: disable pic for Android toolchain")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: add script to fetch android kernel config fragments

The Android kernel config fragments now live in a separate repository.
To prevent others from having to search for this location, add a script
to fetch and unpack the fragments.

Update .gitignore to include these fragments.

Change-Id: If2d4a59b86e4573b0a9b3190025dfe4191870b46
Signed-off-by: Steve Muckle <smuckle@google.com>

Linux 4.14

Merge branch 'x86-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull x86 fixes from Thomas Gleixner:
"A set of small fixes:

   - make KGDB work again which got broken by the conversion of WARN()
     to #UD. The WARN fixup needs to run before the notifier callchain,
     otherwise KGDB tries to handle it and crashes.

   - disable KASAN in the ORC unwinder to prevent false positive KASAN
     warnings

   - prevent default mapping above 47bit when 5 level page tables are
     enabled

   - make the delay calibration optimization work correctly, which had
     the conditionals the wrong way around and was operating on data
     which was not yet updated.

   - remove the bogus X86_TRAP_BP trap init from the default IDT init
     table, which broke 32bit int3 handling by overwriting the correct
     int3 setup.

   - replace this_cpu* with boot_cpu_data access in the preemptible
     oprofile init code"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/debug: Handle warnings before the notifier chain, to fix KGDB crash
  x86/mm: Fix ELF_ET_DYN_BASE for 5-level paging
  x86/idt: Remove X86_TRAP_BP initialization in idt_setup_traps()
  x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context
  x86/unwind: Disable KASAN checking in the ORC unwinder
  x86/smpboot: Make optimization of delay calibration work correctly

Merge branch 'perf-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull perf tool fixes from Thomas Gleixner:
"A small set of fixes for perf tool:

   - synchronize the i915 drm header to avoid the 'out of date' warning

   - make sure that perf trace cleans up its temporary files on exit

   - unbreak the build with newer flex versions

   - add missing braces in the eBPF parsing rules"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  tooling/headers: Sync the tools/include/uapi/drm/i915_drm.h UAPI header
  perf trace: Call machine__exit() at exit
  perf tools: Fix eBPF event specification parsing
  perf tools: Add "reject" option for parse-events.l

Merge git://git./linux/kernel/git/davem/net

Pull networking fixes from David Miller:

1) Use after free in vlan, from Cong Wang.

2) Handle NAPI poll with a zero budget properly in mlx5 driver, from
    Saeed Mahameed.

3) If DMA mapping fails in mlx5 driver, NULL out page, from Inbar
    Karmy.

4) Handle overrun in RX FIFO of sun4i CAN driver, from Gerhard
    Bertelsmann.

5) Missing return in mdb and vlan prepare phase of DSA layer, from
    Vivien Didelot.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
  vlan: fix a use-after-free in vlan_device_event()
  net: dsa: return after vlan prepare phase
  net: dsa: return after mdb prepare phase
  can: ifi: Fix transmitter delay calculation
  tcp: fix tcp_fastretrans_alert warning
  tcp: gso: avoid refcount_t warning from tcp_gso_segment()
  can: peak: Add support for new PCIe/M2 CAN FD interfaces
  can: sun4i: handle overrun in RX FIFO
  can: c_can: don't indicate triple sampling support for D_CAN
  net/mlx5e: Increase Striding RQ minimum size limit to 4 multi-packet WQEs
  net/mlx5e: Set page to null in case dma mapping fails
  net/mlx5e: Fix napi poll with zero budget
  net/mlx5: Cancel health poll before sending panic teardown command
  net/mlx5: Loop over temp list to release delay events
  rds: ib: Fix NULL pointer dereference in debug code

Merge tag 'linux-can-fixes-for-4.14-20171110' of git://git./linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
pull-request: can 2017-11-10

this is a pull request for net/master.

The first patch by Richard Schütz for the c_can driver removes the false
indication to support triple sampling for d_can. Gerhard Bertelsmann's
patch for the sun4i driver improves the RX overrun handling. The patch
by Stephane Grosjean for the peak_canfd driver adds the PCI ids for
various new PCIe/M2 interfaces. Marek Vasut's patch for the ifi driver
fix transmitter delay calculation.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

Merge tag 'mlx5-fixes-2017-11-08' of git://git./linux/kernel/git/saeed/linux

Saeed Mahameed says:

====================
Mellanox, mlx5 fixes 2017-11-08

The following series includes some fixes for mlx5 core and etherent
driver.

Sorry for the late submission but as you can see i have some very
critical fixes below that i would like them merged into this RC.

Please pull and let me know if there is any problem.

For -stable:
('net/mlx5e: Set page to null in case dma mapping fails') kernels >= 4.13
('net/mlx5: FPGA, return -EINVAL if size is zero') kernels >= 4.13
('net/mlx5: Cancel health poll before sending panic teardown command') kernels >= 4.13

V1->V2:
- Fix Reviewed-by tag of the 2nd patch.
- Drop the FPGA 0 size fix, it needs some more change log info.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

vlan: fix a use-after-free in vlan_device_event()

After refcnt reaches zero, vlan_vid_del() could free
dev->vlan_info via RCU:

RCU_INIT_POINTER(dev->vlan_info, NULL);
call_rcu(&vlan_info->rcu, vlan_info_rcu_free);

However, the pointer 'grp' still points to that memory
since it is set before vlan_vid_del():

        vlan_info = rtnl_dereference(dev->vlan_info);
        if (!vlan_info)
                goto out;
        grp = &vlan_info->grp;

Depends on when that RCU callback is scheduled, we could
trigger a use-after-free in vlan_group_for_each_dev()
right following this vlan_vid_del().

Fix it by moving vlan_vid_del() before setting grp. This
is also symmetric to the vlan_vid_add() we call in
vlan_device_event().

Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct")
Cc: Alexander Duyck <alexander.duyck@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Girish Moodalbail <girish.moodalbail@oracle.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Girish Moodalbail <girish.moodalbail@oracle.com>
Tested-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

tooling/headers: Sync the tools/include/uapi/drm/i915_drm.h UAPI header

Last minute upstream update to one of the UAPI headers - sync it with tooling,
to address this warning:

Warning: Kernel ABI header at 'tools/include/uapi/drm/i915_drm.h' differs from latest version at 'include/uapi/drm/i915_drm.h'

Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>

Merge branch 'perf/urgent' of git://git./linux/kernel/git/acme/linux into perf/urgent

Pull perf tooling fixes from Arnaldo Carvalho de Melo.

Signed-off-by: Ingo Molnar <mingo@kernel.org>

net: dsa: return after vlan prepare phase

The current code does not return after successfully preparing the VLAN
addition on every ports member of a it. Fix this.

Fixes: 1ca4aa9cd4cc ("net: dsa: check VLAN capability of every switch")
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>

net: dsa: return after mdb prepare phase

The current code does not return after successfully preparing the MDB
addition on every ports member of a multicast group. Fix this.

Fixes: a1a6b7ea7f2d ("net: dsa: add cross-chip multicast support")
Reported-by: Egil Hjelmeland <privat@egil-hjelmeland.no>
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>

Merge tag 'ceph-for-4.14-rc9' of git://github.com/ceph/ceph-client

Pull ceph gix from Ilya Dryomov:
"Memory allocation flags fix, marked for stable"

* tag 'ceph-for-4.14-rc9' of git://github.com/ceph/ceph-client:
rbd: use GFP_NOIO for parent stat and data requests

Merge branch 'for-linus' of git://git./linux/kernel/git/dtor/input

Pull input layer updates from Dmitry Torokhov:

- a new ACPI ID for Elan touchpad found in yet another Ideapad model

- Synaptics RMI4 will allow binding to controllers reporting SMB
   version 3 (note that we are not adding any new ACPI IDs to the
   Synaptics PS/2 drover so unless user explicitly enables intertouch
   support there is no user-visible change)

- a fixup to TSC 2004/5 touchscreen driver to mark input devices as
   "direct" to help userspace identify the type of device they are
   dealing with

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: synaptics-rmi4 - RMI4 can also use SMBUS version 3
  Input: tsc200x-core - set INPUT_PROP_DIRECT
  Input: elan_i2c - add ELAN060C to the ACPI table

Merge tag 'for-linus' of git://git./virt/kvm/kvm

Pull KVM fix from Radim Krčmář:
"Fix PPC HV host crash that can occur as a result of resizing the guest
hashed page table"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: PPC: Book3S HV: Fix exclusion between HPT resizing and other HPT updates

Merge tag 'mips_fixes_4.14_2' of git://git./linux/kernel/git/jhogan/mips

Pull MIPS fixes from James Hogan:
"A final few MIPS fixes for 4.14:

   - fix BMIPS NULL pointer dereference (4.7)

   - fix AR7 early GPIO init allocation failure (3.19)

   - fix dead serial output on certain AR7 platforms (2.6.35)"

* tag 'mips_fixes_4.14_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips:
  MIPS: AR7: Ensure that serial ports are properly set up
  MIPS: AR7: Defer registration of GPIO
  MIPS: BMIPS: Fix missing cbr address

.mailmap: Add Maciej W. Rozycki's Imagination e-mail address

Following my recent transition from Imagination Technologies to the=20
reincarnated MIPS company add a .mailmap mapping for my work address,
so that `scripts/get_maintainer.pl' gets it right for past commits.

Signed-off-by: Maciej W. Rozycki <macro@mips.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Revert "x86: CPU: Fix up "cpu MHz" in /proc/cpuinfo"

This reverts commit 941f5f0f6ef5338814145cf2b813cf1f98873e2f.

Sadly, it turns out that we really can't just do the cross-CPU IPI to
all CPU's to get their proper frequencies, because it's much too
expensive on systems with lots of cores.

So we'll have to revert this for now, and revisit it using a smarter
model (probably doing one system-wide IPI at open time, and doing all
the frequency calculations in parallel).

Reported-by: WANG Chao <chao.wang@ucloud.cn>
Reported-by: Ingo Molnar <mingo@kernel.org>
Cc: Rafael J Wysocki <rafael.j.wysocki@intel.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Merge tag 'drm-fixes-for-v4.14-rc9' of git://people.freedesktop.org/~airlied/linux

Pull drm fixes from Dave Airlie:
"Last few patches to wrap up.

  Two i915 fixes that are on their way to stable, one vmware black
  screen bug, and one const patch that I was going to drop, but it was
  clearly a pretty safe one liner"

* tag 'drm-fixes-for-v4.14-rc9' of git://people.freedesktop.org/~airlied/linux:
  drm/i915: Deconstruct struct sgt_dma initialiser
  drm/i915: Reject unknown syncobj flags
  drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue
  drm/vmwgfx: constify vmw_fence_ops

can: ifi: Fix transmitter delay calculation

The CANFD transmitter delay calculation formula was updated in the
latest software drop from IFI and improves the behavior of the IFI
CANFD core during bitrate switching. Use the new formula to improve
stability of the CANFD operation.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Markus Marb <markus@marb.org>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

tcp: fix tcp_fastretrans_alert warning

This patch fixes the cause of an WARNING indicatng TCP has pending
retransmission in Open state in tcp_fastretrans_alert().

The root cause is a bad interaction between path mtu probing,
if enabled, and the RACK loss detection. Upong receiving a SACK
above the sequence of the MTU probing packet, RACK could mark the
probe packet lost in tcp_fastretrans_alert(), prior to calling
tcp_simple_retransmit().

tcp_simple_retransmit() only enters Loss state if it newly marks
the probe packet lost. If the probe packet is already identified as
lost by RACK, the sender remains in Open state with some packets
marked lost and retransmitted. Then the next SACK would trigger
the warning. The likely scenario is that the probe packet was
lost due to its size or network congestion. The actual impact of
this warning is small by potentially entering fast recovery an
ACK later.

The simple fix is always entering recovery (Loss) state if some
packet is marked lost during path MTU probing.

Fixes: a0370b3f3f2c ("tcp: enable RACK loss detection to trigger recovery")
Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Reported-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

tcp: gso: avoid refcount_t warning from tcp_gso_segment()

When a GSO skb of truesize O is segmented into 2 new skbs of truesize N1
and N2, we want to transfer socket ownership to the new fresh skbs.

In order to avoid expensive atomic operations on a cache line subject to
cache bouncing, we replace the sequence :

refcount_add(N1, &sk->sk_wmem_alloc);
refcount_add(N2, &sk->sk_wmem_alloc); // repeated by number of segments

refcount_sub(O, &sk->sk_wmem_alloc);

by a single

refcount_add(sum_of(N) - O, &sk->sk_wmem_alloc);

Problem is :

In some pathological cases, sum(N) - O might be a negative number, and
syzkaller bot was apparently able to trigger this trace [1]

atomic_t was ok with this construct, but we need to take care of the
negative delta with refcount_t

[1]
refcount_t: saturated; leaking memory.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 8404 at lib/refcount.c:77 refcount_add_not_zero+0x198/0x200 lib/refcount.c:77
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 8404 Comm: syz-executor2 Not tainted 4.14.0-rc5-mm1+ #20
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
panic+0x1e4/0x41c kernel/panic.c:183
__warn+0x1c4/0x1e0 kernel/panic.c:546
report_bug+0x211/0x2d0 lib/bug.c:183
fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:177
do_trap_no_signal arch/x86/kernel/traps.c:211 [inline]
do_trap+0x260/0x390 arch/x86/kernel/traps.c:260
do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:297
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:310
invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905
RIP: 0010:refcount_add_not_zero+0x198/0x200 lib/refcount.c:77
RSP: 0018:ffff8801c606e3a0 EFLAGS: 00010282
RAX: 0000000000000026 RBX: 0000000000001401 RCX: 0000000000000000
RDX: 0000000000000026 RSI: ffffc900036fc000 RDI: ffffed0038c0dc68
RBP: ffff8801c606e430 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8801d97f5eba R11: 0000000000000000 R12: ffff8801d5acf73c
R13: 1ffff10038c0dc75 R14: 00000000ffffffff R15: 00000000fffff72f
refcount_add+0x1b/0x60 lib/refcount.c:101
tcp_gso_segment+0x10d0/0x16b0 net/ipv4/tcp_offload.c:155
tcp4_gso_segment+0xd4/0x310 net/ipv4/tcp_offload.c:51
inet_gso_segment+0x60c/0x11c0 net/ipv4/af_inet.c:1271
skb_mac_gso_segment+0x33f/0x660 net/core/dev.c:2749
__skb_gso_segment+0x35f/0x7f0 net/core/dev.c:2821
skb_gso_segment include/linux/netdevice.h:3971 [inline]
validate_xmit_skb+0x4ba/0xb20 net/core/dev.c:3074
__dev_queue_xmit+0xe49/0x2070 net/core/dev.c:3497
dev_queue_xmit+0x17/0x20 net/core/dev.c:3538
neigh_hh_output include/net/neighbour.h:471 [inline]
neigh_output include/net/neighbour.h:479 [inline]
ip_finish_output2+0xece/0x1460 net/ipv4/ip_output.c:229
ip_finish_output+0x85e/0xd10 net/ipv4/ip_output.c:317
NF_HOOK_COND include/linux/netfilter.h:238 [inline]
ip_output+0x1cc/0x860 net/ipv4/ip_output.c:405
dst_output include/net/dst.h:459 [inline]
ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504
tcp_transmit_skb+0x1ab7/0x3840 net/ipv4/tcp_output.c:1137
tcp_write_xmit+0x663/0x4de0 net/ipv4/tcp_output.c:2341
__tcp_push_pending_frames+0xa0/0x250 net/ipv4/tcp_output.c:2513
tcp_push_pending_frames include/net/tcp.h:1722 [inline]
tcp_data_snd_check net/ipv4/tcp_input.c:5050 [inline]
tcp_rcv_established+0x8c7/0x18a0 net/ipv4/tcp_input.c:5497
tcp_v4_do_rcv+0x2ab/0x7d0 net/ipv4/tcp_ipv4.c:1460
sk_backlog_rcv include/net/sock.h:909 [inline]
__release_sock+0x124/0x360 net/core/sock.c:2264
release_sock+0xa4/0x2a0 net/core/sock.c:2776
tcp_sendmsg+0x3a/0x50 net/ipv4/tcp.c:1462
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
sock_sendmsg_nosec net/socket.c:632 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:642
___sys_sendmsg+0x31c/0x890 net/socket.c:2048
__sys_sendmmsg+0x1e6/0x5f0 net/socket.c:2138

Fixes: 14afee4b6092 ("net: convert sock.sk_wmem_alloc from atomic_t to refcount_t")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>