From 897443c4424c3221bc8a8ffcbea01c4a0762378d Mon Sep 17 00:00:00 2001 From: Naman Padhiar Date: Fri, 30 Aug 2019 12:39:38 +0530 Subject: [PATCH 01/19] icnss: Correct condition to check invalid address range For wlfw_msa_mem_info_send_sync_msg QMI request to firmware, it expects range of addresses and size in response from firmware. Correct condition used to check whether address and size in response fall under valid range. Change-Id: If431fdf3d2bd8a913bd5ee34e0a5778d7c2f36e7 Signed-off-by: Naman Padhiar --- drivers/soc/qcom/icnss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/soc/qcom/icnss.c b/drivers/soc/qcom/icnss.c index c895d219cf85..331398656247 100644 --- a/drivers/soc/qcom/icnss.c +++ b/drivers/soc/qcom/icnss.c @@ -1379,7 +1379,7 @@ static int wlfw_msa_mem_info_send_sync_msg(void) for (i = 0; i < resp.mem_region_info_len; i++) { if (resp.mem_region_info[i].size > penv->msa_mem_size || - resp.mem_region_info[i].region_addr > max_mapped_addr || + resp.mem_region_info[i].region_addr >= max_mapped_addr || resp.mem_region_info[i].region_addr < penv->msa_pa || resp.mem_region_info[i].size + resp.mem_region_info[i].region_addr > max_mapped_addr) { -- GitLab From 2dbdad8da72ca03f053f2dfefc17053ef786f036 Mon Sep 17 00:00:00 2001 From: Todd Kjos Date: Mon, 12 Aug 2019 10:11:52 -0700 Subject: [PATCH 02/19] ANDROID: fix binder change in merge of 4.9.188 The 4.9.188 merge was missing the change to the binder driver associated with the linux-4.9.y commit 16903f1a5ba7 ("coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping"). It was left out because the android-4.9 binder driver has been significantly refactored compared to linux-4.9.y. This patch applies the missing change from that patch to the binder driver. Change-Id: I803e558cb629fedff04b14e23ac9f83e98628ede Fixes: d4fff2d0a879 ("Merge 4.9.188 into android-4.9") Signed-off-by: Todd Kjos Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 3378ce511d7a792ddf0d69d11ce5e284309893fd) --- drivers/android/binder_alloc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c index d34d1eb96b36..bc37bd8d1e20 100644 --- a/drivers/android/binder_alloc.c +++ b/drivers/android/binder_alloc.c @@ -218,6 +218,11 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate, if (mm) { down_write(&mm->mmap_sem); + if (!mmget_still_valid(mm)) { + if (allocate == 0) + goto free_range; + goto err_no_vma; + } vma = alloc->vma; } -- GitLab From 1ead9dab03a1d1449337cb49edd3a198a177ddb1 Mon Sep 17 00:00:00 2001 From: Andrea Arcangeli Date: Thu, 18 Apr 2019 17:50:52 -0700 Subject: [PATCH 03/19] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping commit 04f5866e41fb70690e28397487d8bd8eea7d712a upstream. The core dumping code has always run without holding the mmap_sem for writing, despite that is the only way to ensure that the entire vma layout will not change from under it. Only using some signal serialization on the processes belonging to the mm is not nearly enough. This was pointed out earlier. For example in Hugh's post from Jul 2017: https://lkml.kernel.org/r/alpine.LSU.2.11.1707191716030.2055@eggly.anvils "Not strictly relevant here, but a related note: I was very surprised to discover, only quite recently, how handle_mm_fault() may be called without down_read(mmap_sem) - when core dumping. That seems a misguided optimization to me, which would also be nice to correct" In particular because the growsdown and growsup can move the vm_start/vm_end the various loops the core dump does around the vma will not be consistent if page faults can happen concurrently. Pretty much all users calling mmget_not_zero()/get_task_mm() and then taking the mmap_sem had the potential to introduce unexpected side effects in the core dumping code. Adding mmap_sem for writing around the ->core_dump invocation is a viable long term fix, but it requires removing all copy user and page faults and to replace them with get_dump_page() for all binary formats which is not suitable as a short term fix. For the time being this solution manually covers the places that can confuse the core dump either by altering the vma layout or the vma flags while it runs. Once ->core_dump runs under mmap_sem for writing the function mmget_still_valid() can be dropped. Allowing mmap_sem protected sections to run in parallel with the coredump provides some minor parallelism advantage to the swapoff code (which seems to be safe enough by never mangling any vma field and can keep doing swapins in parallel to the core dumping) and to some other corner case. In order to facilitate the backporting I added "Fixes: 86039bd3b4e6" however the side effect of this same race condition in /proc/pid/mem should be reproducible since before 2.6.12-rc2 so I couldn't add any other "Fixes:" because there's no hash beyond the git genesis commit. Because find_extend_vma() is the only location outside of the process context that could modify the "mm" structures under mmap_sem for reading, by adding the mmget_still_valid() check to it, all other cases that take the mmap_sem for reading don't need the new check after mmget_not_zero()/get_task_mm(). The expand_stack() in page fault context also doesn't need the new check, because all tasks under core dumping are frozen. Link: http://lkml.kernel.org/r/20190325224949.11068-1-aarcange@redhat.com Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization") Signed-off-by: Andrea Arcangeli Reported-by: Jann Horn Suggested-by: Oleg Nesterov Acked-by: Peter Xu Reviewed-by: Mike Rapoport Reviewed-by: Oleg Nesterov Reviewed-by: Jann Horn Acked-by: Jason Gunthorpe Acked-by: Michal Hocko Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [akaher@vmware.com: stable 4.9 backport - handle binder_update_page_range - mhocko@suse.com] Signed-off-by: Ajay Kaher Signed-off-by: Greg Kroah-Hartman Change-Id: Ie880f57a876b1da9c31b5e660a9b82e270c1c787 --- fs/proc/task_mmu.c | 18 ++++++++++++++++++ fs/userfaultfd.c | 9 +++++++++ include/linux/mm.h | 20 ++++++++++++++++++++ mm/mmap.c | 6 +++++- 4 files changed, 52 insertions(+), 1 deletion(-) diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 4fc08953b97c..a472f7cfa675 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -1122,6 +1122,24 @@ static ssize_t clear_refs_write(struct file *file, const char __user *buf, count = -EINTR; goto out_mm; } + /* + * Avoid to modify vma->vm_flags + * without locked ops while the + * coredump reads the vm_flags. + */ + if (!mmget_still_valid(mm)) { + /* + * Silently return "count" + * like if get_task_mm() + * failed. FIXME: should this + * function have returned + * -ESRCH if get_task_mm() + * failed like if + * get_proc_task() fails? + */ + up_write(&mm->mmap_sem); + goto out_mm; + } for (vma = mm->mmap; vma; vma = vma->vm_next) { vm_write_begin(vma); WRITE_ONCE(vma->vm_flags, diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 00b661d52727..37bb9207acd2 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -479,6 +479,8 @@ static int userfaultfd_release(struct inode *inode, struct file *file) * taking the mmap_sem for writing. */ down_write(&mm->mmap_sem); + if (!mmget_still_valid(mm)) + goto skip_mm; prev = NULL; for (vma = mm->mmap; vma; vma = vma->vm_next) { cond_resched(); @@ -504,6 +506,7 @@ static int userfaultfd_release(struct inode *inode, struct file *file) vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX; vm_write_end(vma); } +skip_mm: up_write(&mm->mmap_sem); mmput(mm); wakeup: @@ -805,6 +808,9 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx, goto out; down_write(&mm->mmap_sem); + if (!mmget_still_valid(mm)) + goto out_unlock; + vma = find_vma_prev(mm, start, &prev); if (!vma) goto out_unlock; @@ -953,6 +959,9 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, goto out; down_write(&mm->mmap_sem); + if (!mmget_still_valid(mm)) + goto out_unlock; + vma = find_vma_prev(mm, start, &prev); if (!vma) goto out_unlock; diff --git a/include/linux/mm.h b/include/linux/mm.h index e7b96529374f..cf0e4279d4ba 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -1213,6 +1213,26 @@ void zap_page_range(struct vm_area_struct *vma, unsigned long address, unsigned long size, struct zap_details *); void unmap_vmas(struct mmu_gather *tlb, struct vm_area_struct *start_vma, unsigned long start, unsigned long end); +/* + * This has to be called after a get_task_mm()/mmget_not_zero() + * followed by taking the mmap_sem for writing before modifying the + * vmas or anything the coredump pretends not to change from under it. + * + * NOTE: find_extend_vma() called from GUP context is the only place + * that can modify the "mm" (notably the vm_start/end) under mmap_sem + * for reading and outside the context of the process, so it is also + * the only case that holds the mmap_sem for reading that must call + * this function. Generally if the mmap_sem is hold for reading + * there's no need of this check after get_task_mm()/mmget_not_zero(). + * + * This function can be obsoleted and the check can be removed, after + * the coredump code will hold the mmap_sem for writing before + * invoking the ->core_dump methods. + */ +static inline bool mmget_still_valid(struct mm_struct *mm) +{ + return likely(!mm->core_state); +} /** * mm_walk - callbacks for walk_page_range diff --git a/mm/mmap.c b/mm/mmap.c index 9ba15d8242cc..78444deb81f5 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -2561,7 +2561,8 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) vma = find_vma_prev(mm, addr, &prev); if (vma && (vma->vm_start <= addr)) return vma; - if (!prev || expand_stack(prev, addr)) + /* don't alter vm_end if the coredump is running */ + if (!prev || !mmget_still_valid(mm) || expand_stack(prev, addr)) return NULL; if (prev->vm_flags & VM_LOCKED) populate_vma_page_range(prev, addr, prev->vm_end, NULL); @@ -2587,6 +2588,9 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) return vma; if (!(vma->vm_flags & VM_GROWSDOWN)) return NULL; + /* don't alter vm_start if the coredump is running */ + if (!mmget_still_valid(mm)) + return NULL; start = vma->vm_start; if (expand_stack(vma, addr)) return NULL; -- GitLab From 18833b17b0a0ddc93073a02aa5a6594ebf3321a5 Mon Sep 17 00:00:00 2001 From: Jordan Crouse Date: Mon, 9 Sep 2019 10:41:36 -0600 Subject: [PATCH 04/19] msm: kgsl: Execute user profiling commands in an IB Execute user profiling in an indirect buffer. This ensures that addresses and values specified directly from the user don't end up in the ringbuffer. Change-Id: Ic0dedbadedcaab29ce5738a39c1ff6269261bae4 Signed-off-by: Jordan Crouse Signed-off-by: Harshitha Sai Neelati --- drivers/gpu/msm/adreno_ringbuffer.c | 57 +++++++++++++++++++++++------ drivers/gpu/msm/adreno_ringbuffer.h | 14 ++++++- 2 files changed, 58 insertions(+), 13 deletions(-) diff --git a/drivers/gpu/msm/adreno_ringbuffer.c b/drivers/gpu/msm/adreno_ringbuffer.c index f7f01f5cfbeb..cf199cc954eb 100644 --- a/drivers/gpu/msm/adreno_ringbuffer.c +++ b/drivers/gpu/msm/adreno_ringbuffer.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2002,2007-2018, The Linux Foundation. All rights reserved. +/* Copyright (c) 2002,2007-2018,2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -299,6 +299,11 @@ static int _adreno_ringbuffer_probe(struct adreno_device *adreno_dev, PAGE_SIZE, 0, KGSL_MEMDESC_PRIVILEGED, "pagetable_desc"); if (ret) return ret; + + /* allocate a chunk of memory to create user profiling IB1s */ + kgsl_allocate_global(KGSL_DEVICE(adreno_dev), &rb->profile_desc, + PAGE_SIZE, KGSL_MEMFLAGS_GPUREADONLY, 0, "profile_desc"); + return kgsl_allocate_global(KGSL_DEVICE(adreno_dev), &rb->buffer_desc, KGSL_RB_SIZE, KGSL_MEMFLAGS_GPUREADONLY, 0, "ringbuffer"); @@ -344,7 +349,7 @@ static void _adreno_ringbuffer_close(struct adreno_device *adreno_dev, kgsl_free_global(device, &rb->pagetable_desc); kgsl_free_global(device, &rb->preemption_desc); - + kgsl_free_global(device, &rb->profile_desc); kgsl_free_global(device, &rb->buffer_desc); kgsl_del_event_group(&rb->events); memset(rb, 0, sizeof(struct adreno_ringbuffer)); @@ -837,6 +842,37 @@ static inline int _get_alwayson_counter(struct adreno_device *adreno_dev, return (unsigned int)(p - cmds); } +/* This is the maximum possible size for 64 bit targets */ +#define PROFILE_IB_DWORDS 4 +#define PROFILE_IB_SLOTS (PAGE_SIZE / (PROFILE_IB_DWORDS << 2)) + +static int set_user_profiling(struct adreno_device *adreno_dev, + struct adreno_ringbuffer *rb, u32 *cmds, u64 gpuaddr) +{ + int dwords, index = 0; + u64 ib_gpuaddr; + u32 *ib; + + if (!rb->profile_desc.hostptr) + return 0; + + ib = ((u32 *) rb->profile_desc.hostptr) + + (rb->profile_index * PROFILE_IB_DWORDS); + ib_gpuaddr = rb->profile_desc.gpuaddr + + (rb->profile_index * (PROFILE_IB_DWORDS << 2)); + + dwords = _get_alwayson_counter(adreno_dev, ib, gpuaddr); + + /* Make an indirect buffer for the request */ + cmds[index++] = cp_mem_packet(adreno_dev, CP_INDIRECT_BUFFER_PFE, 2, 1); + index += cp_gpuaddr(adreno_dev, &cmds[index], ib_gpuaddr); + cmds[index++] = dwords; + + rb->profile_index = (rb->profile_index + 1) % PROFILE_IB_SLOTS; + + return index; +} + /* adreno_rindbuffer_submitcmd - submit userspace IBs to the GPU */ int adreno_ringbuffer_submitcmd(struct adreno_device *adreno_dev, struct kgsl_drawobj_cmd *cmdobj, @@ -937,14 +973,11 @@ int adreno_ringbuffer_submitcmd(struct adreno_device *adreno_dev, !adreno_is_a3xx(adreno_dev) && (cmdobj->profiling_buf_entry != NULL)) { user_profiling = true; - dwords += 6; - /* - * REG_TO_MEM packet on A5xx and above needs another ordinal. - * Add 2 more dwords since we do profiling before and after. + * User side profiling uses two IB1s, one before with 4 dwords + * per INDIRECT_BUFFER_PFE call */ - if (!ADRENO_LEGACY_PM4(adreno_dev)) - dwords += 2; + dwords += 8; /* * we want to use an adreno_submit_time struct to get the @@ -1003,11 +1036,11 @@ int adreno_ringbuffer_submitcmd(struct adreno_device *adreno_dev, } /* - * Add cmds to read the GPU ticks at the start of command obj and + * Add IB1 to read the GPU ticks at the start of command obj and * write it into the appropriate command obj profiling buffer offset */ if (user_profiling) { - cmds += _get_alwayson_counter(adreno_dev, cmds, + cmds += set_user_profiling(adreno_dev, rb, cmds, cmdobj->profiling_buffer_gpuaddr + offsetof(struct kgsl_drawobj_profiling_buffer, gpu_ticks_submitted)); @@ -1055,11 +1088,11 @@ int adreno_ringbuffer_submitcmd(struct adreno_device *adreno_dev, } /* - * Add cmds to read the GPU ticks at the end of command obj and + * Add IB1 to read the GPU ticks at the end of command obj and * write it into the appropriate command obj profiling buffer offset */ if (user_profiling) { - cmds += _get_alwayson_counter(adreno_dev, cmds, + cmds += set_user_profiling(adreno_dev, rb, cmds, cmdobj->profiling_buffer_gpuaddr + offsetof(struct kgsl_drawobj_profiling_buffer, gpu_ticks_retired)); diff --git a/drivers/gpu/msm/adreno_ringbuffer.h b/drivers/gpu/msm/adreno_ringbuffer.h index a4dc901cf0b6..7297930927bc 100644 --- a/drivers/gpu/msm/adreno_ringbuffer.h +++ b/drivers/gpu/msm/adreno_ringbuffer.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2002,2007-2018, The Linux Foundation. All rights reserved. +/* Copyright (c) 2002,2007-2018,2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -135,6 +135,18 @@ struct adreno_ringbuffer { unsigned long sched_timer; enum adreno_dispatcher_starve_timer_states starve_timer_state; spinlock_t preempt_lock; + /** + * @profile_desc: global memory to construct IB1s to do user side + * profiling + */ + struct kgsl_memdesc profile_desc; + /** + * @profile_index: Pointer to the next "slot" in profile_desc for a user + * profiling IB1. This allows for PAGE_SIZE / 16 = 256 simultaneous + * commands per ringbuffer with user profiling enabled + * enough. + */ + u32 profile_index; }; /* Returns the current ringbuffer */ -- GitLab From b5322e14bcea434fcaa3146c1e1996fc8d6e085e Mon Sep 17 00:00:00 2001 From: Jordan Crouse Date: Wed, 4 Sep 2019 10:18:07 -0600 Subject: [PATCH 05/19] msm: kgsl: Verify the offset of the profiling buffer If a command is using a profiling buffer, make sure that the offset is within the bounds of the specified memory descriptor. Change-Id: Ic0dedbadc77e8eccd957136467bd0c56a1af2dab Signed-off-by: Jordan Crouse Signed-off-by: Deepak Kumar --- drivers/gpu/msm/kgsl_drawobj.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/msm/kgsl_drawobj.c b/drivers/gpu/msm/kgsl_drawobj.c index 3dbaea4a0ccb..eaeb3772ed5f 100644 --- a/drivers/gpu/msm/kgsl_drawobj.c +++ b/drivers/gpu/msm/kgsl_drawobj.c @@ -571,13 +571,29 @@ static void add_profiling_buffer(struct kgsl_device *device, return; } - cmdobj->profiling_buf_entry = entry; - if (id != 0) + if (!id) { + cmdobj->profiling_buffer_gpuaddr = gpuaddr; + } else { + u64 off = offset + sizeof(struct kgsl_drawobj_profiling_buffer); + + /* + * Make sure there is enough room in the object to store the + * entire profiling buffer object + */ + if (off < offset || off >= entry->memdesc.size) { + dev_err(device->dev, + "ignore invalid profile offset ctxt %d id %d offset %lld gpuaddr %llx size %lld\n", + drawobj->context->id, id, offset, gpuaddr, size); + kgsl_mem_entry_put(entry); + return; + } + cmdobj->profiling_buffer_gpuaddr = entry->memdesc.gpuaddr + offset; - else - cmdobj->profiling_buffer_gpuaddr = gpuaddr; + } + + cmdobj->profiling_buf_entry = entry; } /** -- GitLab From 1d6627adee0b382048c0f0b3cb9ac2e585e78341 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 13 Aug 2019 12:53:17 +0100 Subject: [PATCH 06/19] tcp: Clear sk_send_head after purging the write queue Denis Andzakovic discovered a potential use-after-free in older kernel versions, using syzkaller. tcp_write_queue_purge() frees all skbs in the TCP write queue and can leave sk->sk_send_head pointing to freed memory. tcp_disconnect() clears that pointer after calling tcp_write_queue_purge(), but tcp_connect() does not. It is (surprisingly) possible to add to the write queue between disconnection and reconnection, so this needs to be done in both places. This bug was introduced by backports of commit 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()") and does not exist upstream because of earlier changes in commit 75c119afe14f ("tcp: implement rb-tree based retransmit queue"). The latter is a major change that's not suitable for stable. Reported-by: Denis Andzakovic Bisected-by: Salvatore Bonaccorso Fixes: 7f582b248d0a ("tcp: purge write queue in tcp_connect_init()") Cc: # before 4.15 Cc: Eric Dumazet Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman Bug: 143009752 (cherry picked from commit e99e7745d03fc50ba7c5b7c91c17294fee2d5991) Signed-off-by: Matthias Maennich Change-Id: Ie325f18e7fe1c327a45e149034b90d2e74922263 (cherry picked from commit 3ed1460d6b17326093eb657afa89a7274e444a32) --- include/net/tcp.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/net/tcp.h b/include/net/tcp.h index 76d7c9735591..efd418951013 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1536,6 +1536,8 @@ struct tcp_fastopen_context { struct rcu_head rcu; }; +static inline void tcp_init_send_head(struct sock *sk); + /* write queue abstraction */ static inline void tcp_write_queue_purge(struct sock *sk) { @@ -1543,6 +1545,7 @@ static inline void tcp_write_queue_purge(struct sock *sk) while ((skb = __skb_dequeue(&sk->sk_write_queue)) != NULL) sk_wmem_free_skb(sk, skb); + tcp_init_send_head(sk); sk_mem_reclaim(sk); tcp_clear_all_retrans_hints(tcp_sk(sk)); } -- GitLab From 6f2916004edb6550bf8129546f30d5eed74f614b Mon Sep 17 00:00:00 2001 From: Hillf Danton Date: Tue, 6 Aug 2019 16:40:15 +0800 Subject: [PATCH 07/19] HID: hiddev: do cleanup in failure of opening a device Undo what we did for opening before releasing the memory slice. Reported-by: syzbot Cc: Andrey Konovalov Signed-off-by: Hillf Danton Signed-off-by: Jiri Kosina --- drivers/hid/usbhid/hiddev.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c index b59b15d4caa9..7a7b520325b4 100644 --- a/drivers/hid/usbhid/hiddev.c +++ b/drivers/hid/usbhid/hiddev.c @@ -322,6 +322,10 @@ static int hiddev_open(struct inode *inode, struct file *file) return 0; bail_unlock: mutex_unlock(&hiddev->existancelock); + + spin_lock_irq(&list->hiddev->list_lock); + list_del(&list->node); + spin_unlock_irq(&list->hiddev->list_lock); bail: file->private_data = NULL; vfree(list); -- GitLab From 5df97756b107aff74e5182e99a0eb14593d4e985 Mon Sep 17 00:00:00 2001 From: Hillf Danton Date: Tue, 6 Aug 2019 16:38:58 +0800 Subject: [PATCH 08/19] HID: hiddev: avoid opening a disconnected device syzbot found the following crash on: HEAD commit: e96407b4 usb-fuzzer: main usb gadget fuzzer driver git tree: https://github.com/google/kasan.git usb-fuzzer console output: https://syzkaller.appspot.com/x/log.txt?x=147ac20c600000 kernel config: https://syzkaller.appspot.com/x/.config?x=792eb47789f57810 dashboard link: https://syzkaller.appspot.com/bug?extid=62a1e04fd3ec2abf099e compiler: gcc (GCC) 9.0.0 20181231 (experimental) ================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x302a/0x3b50 kernel/locking/lockdep.c:3753 Read of size 8 at addr ffff8881cf591a08 by task syz-executor.1/26260 CPU: 1 PID: 26260 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #24 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xca/0x13e lib/dump_stack.c:113 print_address_description+0x6a/0x32c mm/kasan/report.c:351 __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482 kasan_report+0xe/0x12 mm/kasan/common.c:612 __lock_acquire+0x302a/0x3b50 kernel/locking/lockdep.c:3753 lock_acquire+0x127/0x320 kernel/locking/lockdep.c:4412 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x32/0x50 kernel/locking/spinlock.c:159 hiddev_release+0x82/0x520 drivers/hid/usbhid/hiddev.c:221 __fput+0x2d7/0x840 fs/file_table.c:280 task_work_run+0x13f/0x1c0 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x8ef/0x2c50 kernel/exit.c:878 do_group_exit+0x125/0x340 kernel/exit.c:982 get_signal+0x466/0x23d0 kernel/signal.c:2728 do_signal+0x88/0x14e0 arch/x86/kernel/signal.c:815 exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:159 prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] syscall_return_slowpath arch/x86/entry/common.c:274 [inline] do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x459829 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f75b2a6ccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 000000000075c078 RCX: 0000000000459829 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075c078 RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075c07c R13: 00007ffcdfe1023f R14: 00007f75b2a6d9c0 R15: 000000000075c07c Allocated by task 104: save_stack+0x1b/0x80 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc mm/kasan/common.c:487 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460 kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:748 [inline] hiddev_connect+0x242/0x5b0 drivers/hid/usbhid/hiddev.c:900 hid_connect+0x239/0xbb0 drivers/hid/hid-core.c:1882 hid_hw_start drivers/hid/hid-core.c:1981 [inline] hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:1972 appleir_probe+0x13e/0x1a0 drivers/hid/hid-appleir.c:308 hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209 really_probe+0x281/0x650 drivers/base/dd.c:548 driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816 bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454 __device_attach+0x217/0x360 drivers/base/dd.c:882 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514 device_add+0xae6/0x16f0 drivers/base/core.c:2114 hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365 usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386 usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361 really_probe+0x281/0x650 drivers/base/dd.c:548 driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816 bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454 __device_attach+0x217/0x360 drivers/base/dd.c:882 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514 device_add+0xae6/0x16f0 drivers/base/core.c:2114 usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023 generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210 usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266 really_probe+0x281/0x650 drivers/base/dd.c:548 driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816 bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454 __device_attach+0x217/0x360 drivers/base/dd.c:882 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514 device_add+0xae6/0x16f0 drivers/base/core.c:2114 usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536 hub_port_connect drivers/usb/core/hub.c:5098 [inline] hub_port_connect_change drivers/usb/core/hub.c:5213 [inline] port_event drivers/usb/core/hub.c:5359 [inline] hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441 process_one_work+0x92b/0x1530 kernel/workqueue.c:2269 worker_thread+0x96/0xe20 kernel/workqueue.c:2415 kthread+0x318/0x420 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Freed by task 104: save_stack+0x1b/0x80 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449 slab_free_hook mm/slub.c:1423 [inline] slab_free_freelist_hook mm/slub.c:1470 [inline] slab_free mm/slub.c:3012 [inline] kfree+0xe4/0x2f0 mm/slub.c:3953 hiddev_connect.cold+0x45/0x5c drivers/hid/usbhid/hiddev.c:914 hid_connect+0x239/0xbb0 drivers/hid/hid-core.c:1882 hid_hw_start drivers/hid/hid-core.c:1981 [inline] hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:1972 appleir_probe+0x13e/0x1a0 drivers/hid/hid-appleir.c:308 hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209 really_probe+0x281/0x650 drivers/base/dd.c:548 driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816 bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454 __device_attach+0x217/0x360 drivers/base/dd.c:882 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514 device_add+0xae6/0x16f0 drivers/base/core.c:2114 hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365 usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386 usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361 really_probe+0x281/0x650 drivers/base/dd.c:548 driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816 bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454 __device_attach+0x217/0x360 drivers/base/dd.c:882 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514 device_add+0xae6/0x16f0 drivers/base/core.c:2114 usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023 generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210 usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266 really_probe+0x281/0x650 drivers/base/dd.c:548 driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816 bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454 __device_attach+0x217/0x360 drivers/base/dd.c:882 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514 device_add+0xae6/0x16f0 drivers/base/core.c:2114 usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536 hub_port_connect drivers/usb/core/hub.c:5098 [inline] hub_port_connect_change drivers/usb/core/hub.c:5213 [inline] port_event drivers/usb/core/hub.c:5359 [inline] hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441 process_one_work+0x92b/0x1530 kernel/workqueue.c:2269 worker_thread+0x96/0xe20 kernel/workqueue.c:2415 kthread+0x318/0x420 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff8881cf591900 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 264 bytes inside of 512-byte region [ffff8881cf591900, ffff8881cf591b00) The buggy address belongs to the page: page:ffffea00073d6400 refcount:1 mapcount:0 mapping:ffff8881da002500 index:0x0 compound_mapcount: 0 flags: 0x200000000010200(slab|head) raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da002500 raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881cf591900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881cf591980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff8881cf591a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881cf591a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881cf591b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== In order to avoid opening a disconnected device, we need to check exist again after acquiring the existance lock, and bail out if necessary. Reported-by: syzbot Cc: Andrey Konovalov Signed-off-by: Hillf Danton Signed-off-by: Jiri Kosina --- drivers/hid/usbhid/hiddev.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c index 7a7b520325b4..549d957f7165 100644 --- a/drivers/hid/usbhid/hiddev.c +++ b/drivers/hid/usbhid/hiddev.c @@ -308,6 +308,14 @@ static int hiddev_open(struct inode *inode, struct file *file) spin_unlock_irq(&list->hiddev->list_lock); mutex_lock(&hiddev->existancelock); + /* + * recheck exist with existance lock held to + * avoid opening a disconnected device + */ + if (!list->hiddev->exist) { + res = -ENODEV; + goto bail_unlock; + } if (!list->hiddev->open++) if (list->hiddev->exist) { struct hid_device *hid = hiddev->hid; -- GitLab From 5e847d083e1e421610e58c9c8168911a8fe12562 Mon Sep 17 00:00:00 2001 From: Alan Stern Date: Mon, 12 Aug 2019 16:11:07 -0400 Subject: [PATCH 09/19] USB: core: Fix races in character device registration and deregistraion The syzbot fuzzer has found two (!) races in the USB character device registration and deregistration routines. This patch fixes the races. The first race results from the fact that usb_deregister_dev() sets usb_minors[intf->minor] to NULL before calling device_destroy() on the class device. This leaves a window during which another thread can allocate the same minor number but will encounter a duplicate name error when it tries to register its own class device. A typical error message in the system log would look like: sysfs: cannot create duplicate filename '/class/usbmisc/ldusb0' The patch fixes this race by destroying the class device first. The second race is in usb_register_dev(). When that routine runs, it first allocates a minor number, then drops minor_rwsem, and then creates the class device. If the device creation fails, the minor number is deallocated and the whole routine returns an error. But during the time while minor_rwsem was dropped, there is a window in which the minor number is allocated and so another thread can successfully open the device file. Typically this results in use-after-free errors or invalid accesses when the other thread closes its open file reference, because the kernel then tries to release resources that were already deallocated when usb_register_dev() failed. The patch fixes this race by keeping minor_rwsem locked throughout the entire routine. Reported-and-tested-by: syzbot+30cf45ebfe0b0c4847a1@syzkaller.appspotmail.com Signed-off-by: Alan Stern CC: Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1908121607590.1659-100000@iolanthe.rowland.org Signed-off-by: Greg Kroah-Hartman --- drivers/usb/core/file.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/usb/core/file.c b/drivers/usb/core/file.c index 422ce7b20d73..1626abeca8e8 100644 --- a/drivers/usb/core/file.c +++ b/drivers/usb/core/file.c @@ -191,9 +191,10 @@ int usb_register_dev(struct usb_interface *intf, intf->minor = minor; break; } - up_write(&minor_rwsem); - if (intf->minor < 0) + if (intf->minor < 0) { + up_write(&minor_rwsem); return -EXFULL; + } /* create a usb class device for this usb interface */ snprintf(name, sizeof(name), class_driver->name, minor - minor_base); @@ -201,12 +202,11 @@ int usb_register_dev(struct usb_interface *intf, MKDEV(USB_MAJOR, minor), class_driver, "%s", kbasename(name)); if (IS_ERR(intf->usb_dev)) { - down_write(&minor_rwsem); usb_minors[minor] = NULL; intf->minor = -1; - up_write(&minor_rwsem); retval = PTR_ERR(intf->usb_dev); } + up_write(&minor_rwsem); return retval; } EXPORT_SYMBOL_GPL(usb_register_dev); @@ -232,12 +232,12 @@ void usb_deregister_dev(struct usb_interface *intf, return; dev_dbg(&intf->dev, "removing %d minor\n", intf->minor); + device_destroy(usb_class->class, MKDEV(USB_MAJOR, intf->minor)); down_write(&minor_rwsem); usb_minors[intf->minor] = NULL; up_write(&minor_rwsem); - device_destroy(usb_class->class, MKDEV(USB_MAJOR, intf->minor)); intf->usb_dev = NULL; intf->minor = -1; destroy_usb_class(); -- GitLab From 197ccdd9b96858798eadf1098bd724c8a3f2f008 Mon Sep 17 00:00:00 2001 From: Chandana Kishori Chiluveru Date: Tue, 10 Sep 2019 16:31:24 +0530 Subject: [PATCH 10/19] usb: gadget: core: unmap request from DMA only if previously mapped In the SG case this is already handled since a non-zero request->num_mapped_sgs is a clear indicator that dma_map_sg() had been called. While it would be nice to do the same for the singly mapped case by simply checking for non-zero request->dma, it's conceivable that 0 is a valid dma_addr_t handle. Hence add a flag 'dma_mapped' to struct usb_request and use this to determine the need to call dma_unmap_single(). Otherwise, if a request is not DMA mapped then the result of calling usb_request_unmap_request() would safely be a no-op. Change-Id: Ibb00d6df31f21522da9ebbcda3ae288cb7b189fa Signed-off-by: Jack Pham Signed-off-by: Felipe Balbi Git-commit: 31fe084ffaaf8abece14f8ca28e5e3b4e2bf97b6 Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git [cchiluve@codeaurora.org: resolve trivial merge conflicts] Signed-off-by: Chandana Kishori Chiluveru --- drivers/usb/gadget/udc/core.c | 5 ++++- include/linux/usb/gadget.h | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c index 0c71938d837a..53f9beab6bd6 100644 --- a/drivers/usb/gadget/udc/core.c +++ b/drivers/usb/gadget/udc/core.c @@ -857,6 +857,8 @@ int usb_gadget_map_request_by_dev(struct device *dev, dev_err(dev, "failed to map buffer\n"); return -EFAULT; } + + req->dma_mapped = 1; } return 0; @@ -881,9 +883,10 @@ void usb_gadget_unmap_request_by_dev(struct device *dev, is_in ? DMA_TO_DEVICE : DMA_FROM_DEVICE); req->num_mapped_sgs = 0; - } else if (req->dma != DMA_ERROR_CODE) { + } else if (req->dma_mapped) { dma_unmap_single(dev, req->dma, req->length, is_in ? DMA_TO_DEVICE : DMA_FROM_DEVICE); + req->dma_mapped = 0; } } EXPORT_SYMBOL_GPL(usb_gadget_unmap_request_by_dev); diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h index 0267bed4bcf9..7c9e8aa43004 100644 --- a/include/linux/usb/gadget.h +++ b/include/linux/usb/gadget.h @@ -147,6 +147,7 @@ struct gsi_channel_info { * by adding a zero length packet as needed; * @short_not_ok: When reading data, makes short packets be * treated as errors (queue stops advancing till cleanup). + * @dma_mapped: Indicates if request has been mapped to DMA (internal) * @complete: Function called when request completes, so this request and * its buffer may be re-used. The function will always be called with * interrupts disabled, and it must not sleep. @@ -203,6 +204,7 @@ struct usb_request { unsigned no_interrupt:1; unsigned zero:1; unsigned short_not_ok:1; + unsigned dma_mapped:1; void (*complete)(struct usb_ep *ep, struct usb_request *req); -- GitLab From 8bb19531c2d0e74a6dffab95bc4f2e2df9e8abde Mon Sep 17 00:00:00 2001 From: Harshdeep Dhatt Date: Mon, 9 Sep 2019 11:05:48 -0600 Subject: [PATCH 11/19] msm: kgsl: Disable deprecated ioctls Disabling sparse ioctls as they are deprecated. Change-Id: I5a4c78ec96fad4cda29a61d090e8bfb798123e3f Signed-off-by: Harshdeep Dhatt Signed-off-by: Archana Sriram --- drivers/gpu/msm/kgsl.c | 26 ++++++++++++++++++++++++++ drivers/gpu/msm/kgsl_device.h | 3 ++- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c index 596d17381799..6ffc882ce75a 100644 --- a/drivers/gpu/msm/kgsl.c +++ b/drivers/gpu/msm/kgsl.c @@ -3337,12 +3337,16 @@ long kgsl_ioctl_sparse_phys_alloc(struct kgsl_device_private *dev_priv, unsigned int cmd, void *data) { struct kgsl_process_private *process = dev_priv->process_priv; + struct kgsl_device *device = dev_priv->device; struct kgsl_sparse_phys_alloc *param = data; struct kgsl_mem_entry *entry; uint64_t flags; int ret; int id; + if (!(device->flags & KGSL_FLAG_SPARSE)) + return -ENOTSUPP; + ret = _sparse_alloc_param_sanity_check(param->size, param->pagesize); if (ret) return ret; @@ -3422,9 +3426,13 @@ long kgsl_ioctl_sparse_phys_free(struct kgsl_device_private *dev_priv, unsigned int cmd, void *data) { struct kgsl_process_private *process = dev_priv->process_priv; + struct kgsl_device *device = dev_priv->device; struct kgsl_sparse_phys_free *param = data; struct kgsl_mem_entry *entry; + if (!(device->flags & KGSL_FLAG_SPARSE)) + return -ENOTSUPP; + entry = kgsl_sharedmem_find_id_flags(process, param->id, KGSL_MEMFLAGS_SPARSE_PHYS); if (entry == NULL) @@ -3454,10 +3462,14 @@ long kgsl_ioctl_sparse_virt_alloc(struct kgsl_device_private *dev_priv, unsigned int cmd, void *data) { struct kgsl_process_private *private = dev_priv->process_priv; + struct kgsl_device *device = dev_priv->device; struct kgsl_sparse_virt_alloc *param = data; struct kgsl_mem_entry *entry; int ret; + if (!(device->flags & KGSL_FLAG_SPARSE)) + return -ENOTSUPP; + ret = _sparse_alloc_param_sanity_check(param->size, param->pagesize); if (ret) return ret; @@ -3498,9 +3510,13 @@ long kgsl_ioctl_sparse_virt_free(struct kgsl_device_private *dev_priv, unsigned int cmd, void *data) { struct kgsl_process_private *process = dev_priv->process_priv; + struct kgsl_device *device = dev_priv->device; struct kgsl_sparse_virt_free *param = data; struct kgsl_mem_entry *entry = NULL; + if (!(device->flags & KGSL_FLAG_SPARSE)) + return -ENOTSUPP; + entry = kgsl_sharedmem_find_id_flags(process, param->id, KGSL_MEMFLAGS_SPARSE_VIRT); if (entry == NULL) @@ -3847,6 +3863,7 @@ long kgsl_ioctl_sparse_bind(struct kgsl_device_private *dev_priv, unsigned int cmd, void *data) { struct kgsl_process_private *private = dev_priv->process_priv; + struct kgsl_device *device = dev_priv->device; struct kgsl_sparse_bind *param = data; struct kgsl_sparse_binding_object obj; struct kgsl_mem_entry *virt_entry; @@ -3855,6 +3872,9 @@ long kgsl_ioctl_sparse_bind(struct kgsl_device_private *dev_priv, int ret = 0; int i = 0; + if (!(device->flags & KGSL_FLAG_SPARSE)) + return -ENOTSUPP; + ptr = (void __user *) (uintptr_t) param->list; if (param->size > sizeof(struct kgsl_sparse_binding_object) || @@ -3910,6 +3930,9 @@ long kgsl_ioctl_gpu_sparse_command(struct kgsl_device_private *dev_priv, long result; unsigned int i = 0; + if (!(device->flags & KGSL_FLAG_SPARSE)) + return -ENOTSUPP; + /* Make sure sparse and syncpoint count isn't too big */ if (param->numsparse > KGSL_MAX_SPARSE || param->numsyncs > KGSL_MAX_SYNCPOINTS) @@ -4665,6 +4688,9 @@ int kgsl_device_platform_probe(struct kgsl_device *device) /* Initialize logging first, so that failures below actually print. */ kgsl_device_debugfs_init(device); + /* Disable the sparse ioctl invocation as they are not used */ + device->flags &= ~KGSL_FLAG_SPARSE; + status = kgsl_pwrctrl_init(device); if (status) goto error; diff --git a/drivers/gpu/msm/kgsl_device.h b/drivers/gpu/msm/kgsl_device.h index 4a98a240810a..01c38d0b6b30 100644 --- a/drivers/gpu/msm/kgsl_device.h +++ b/drivers/gpu/msm/kgsl_device.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2002,2007-2018, The Linux Foundation. All rights reserved. +/* Copyright (c) 2002,2007-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -66,6 +66,7 @@ enum kgsl_event_results { }; #define KGSL_FLAG_WAKE_ON_TOUCH BIT(0) +#define KGSL_FLAG_SPARSE BIT(1) /* * "list" of event types for ftrace symbolic magic -- GitLab From c751bea15d8f8aa9234a2255e41f2766eeec9942 Mon Sep 17 00:00:00 2001 From: Archana Sriram Date: Tue, 15 Oct 2019 10:36:26 +0530 Subject: [PATCH 12/19] msm: kgsl: Check user generated timestamp before queuing drawobjs In ioctls like kgsl_ioctl_submit_commands(), if both syncobj type and cmd/marker/sparseobj type are submitted, the syncobj is queued first followed by the other obj type. After syncobj is successfully queued, in case of failure in get_timestamp while queuing the other obj, both the command objs are destroyed. As sync obj is already queued, accessing this later would cause a crash. Compare the user generated timestamp with the drawctxt timestamp and return early in case of error. This avoids unnecessary queuing of drawobjs. Change-Id: I336c95c42ab1075d7653cba02772f92c918c884c Signed-off-by: Archana Sriram Signed-off-by: Harshitha Sai Neelati --- drivers/gpu/msm/adreno_dispatch.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/msm/adreno_dispatch.c b/drivers/gpu/msm/adreno_dispatch.c index a634d9871992..c26ab8f412dd 100644 --- a/drivers/gpu/msm/adreno_dispatch.c +++ b/drivers/gpu/msm/adreno_dispatch.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved. +/* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -1411,6 +1411,22 @@ int adreno_dispatcher_queue_cmds(struct kgsl_device_private *dev_priv, user_ts = *timestamp; + /* + * If there is only one drawobj in the array and it is of + * type SYNCOBJ_TYPE, skip comparing user_ts as it can be 0 + */ + if (!(count == 1 && drawobj[0]->type == SYNCOBJ_TYPE) && + (drawctxt->base.flags & KGSL_CONTEXT_USER_GENERATED_TS)) { + /* + * User specified timestamps need to be greater than the last + * issued timestamp in the context + */ + if (timestamp_cmp(drawctxt->timestamp, user_ts) >= 0) { + spin_unlock(&drawctxt->lock); + return -ERANGE; + } + } + for (i = 0; i < count; i++) { switch (drawobj[i]->type) { -- GitLab From 61792746b16b0f393e70a9a8389d98d8940356c2 Mon Sep 17 00:00:00 2001 From: yutingshih Date: Fri, 7 Feb 2020 14:33:28 +0800 Subject: [PATCH 13/19] The ramp steps and timing of LED breath display modified Root cause: N/A How to fix: Ramp steps and timing modified Feature: Issue: Depends-On: RiskArea: LED Change-Id: Ie4eda07475a3ab543d77563b4ac5f4bc0bd94e58 (cherry picked from commit 82edac0eb7620bf66b6778be6e64e889f1f77c04) --- arch/arm64/boot/dts/qcom/pmi632.dtsi | 50 ++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/pmi632.dtsi b/arch/arm64/boot/dts/qcom/pmi632.dtsi index 966a3b06fad5..c6d69473c9f7 100755 --- a/arch/arm64/boot/dts/qcom/pmi632.dtsi +++ b/arch/arm64/boot/dts/qcom/pmi632.dtsi @@ -581,30 +581,80 @@ nvmem = <&pmi632_sdam7>; qcom,pbs-client = <&pmi632_pbs_client3>; qcom,lut-sdam-base = <0x80>; + //<2019/10/25-Yuting Shih.[FAIRPHONE][MISC][COMMON][LED][][]Modified for breath ramp and timing. + #if 1 + qcom,lut-patterns = <0 0 0 0 0 0 0 0 0 0 2 16 30 44 58 72 86 100 100 + 100 100 86 72 58 44 30 16 2 0 0 0 0 0 0 0 0 0 0>; + #else + /* Code default */ qcom,lut-patterns = <0 0 0 14 28 42 56 70 84 100 100 84 70 56 42 28 14 0 0 0>; + #endif + //>2019/10/25-Yuting Shih.[FAIRPHONE][MISC][COMMON][LED][][]. lpg@1 { qcom,lpg-chan-id = <1>; + //<2019/10/25-Yuting Shih.[FAIRPHONE][MISC][COMMON][LED][][]Modified for breath ramp and timing. + #if 1 + qcom,ramp-step-ms = <80>; + qcom,ramp-pause-hi-count = <80>; + qcom,ramp-pause-lo-count = <80>; + qcom,ramp-low-index = <0>; + qcom,ramp-high-index = <37>; + //qcom,ramp-toggle; /* ramp from high to low */ + //qcom,ramp-from-low-to-high; + qcom,ramp-pattern-repeat; + #else + /* Code default */ qcom,ramp-step-ms = <200>; qcom,ramp-low-index = <0>; qcom,ramp-high-index = <19>; qcom,ramp-pattern-repeat; + #endif + //>2019/10/25-Yuting Shih.[FAIRPHONE][MISC][COMMON][LED][][]. qcom,lpg-sdam-base = <0x48>; }; lpg@2 { qcom,lpg-chan-id = <2>; + //<2019/10/25-Yuting Shih.[FAIRPHONE][MISC][COMMON][LED][][]Modified for breath ramp and timing. + #if 1 + qcom,ramp-step-ms = <80>; + qcom,ramp-pause-hi-count = <80>; + qcom,ramp-pause-lo-count = <80>; + qcom,ramp-low-index = <0>; + qcom,ramp-high-index = <37>; + //qcom,ramp-toggle; /* ramp from high to low */ + //qcom,ramp-from-low-to-high; + qcom,ramp-pattern-repeat; + #else + /* Code default */ qcom,ramp-step-ms = <200>; qcom,ramp-low-index = <0>; qcom,ramp-high-index = <19>; qcom,ramp-pattern-repeat; + #endif + //>2019/10/25-Yuting Shih.[FAIRPHONE][MISC][COMMON][LED][][]. qcom,lpg-sdam-base = <0x56>; }; lpg@3 { qcom,lpg-chan-id = <3>; + //<2019/10/25-Yuting Shih.[FAIRPHONE][MISC][COMMON][LED][][]Modified for breath ramp and timing. + #if 1 + qcom,ramp-step-ms = <80>; + qcom,ramp-pause-hi-count = <80>; + qcom,ramp-pause-lo-count = <80>; + qcom,ramp-low-index = <0>; + qcom,ramp-high-index = <37>; + //qcom,ramp-toggle; /* ramp from high to low */ + //qcom,ramp-from-low-to-high; + qcom,ramp-pattern-repeat; + #else + /* Code default */ qcom,ramp-step-ms = <200>; qcom,ramp-low-index = <0>; qcom,ramp-high-index = <19>; qcom,ramp-pattern-repeat; + #endif + //>2019/10/25-Yuting Shih.[FAIRPHONE][MISC][COMMON][LED][][]. qcom,lpg-sdam-base = <0x64>; }; }; -- GitLab From 2a39f6d7deaa3a70575501bf3c35404e68e2d021 Mon Sep 17 00:00:00 2001 From: louisliu Date: Fri, 21 Feb 2020 15:54:18 +0800 Subject: [PATCH 14/19] Fix android.security.sts.Poc19_02#testPocCVE_2018_13900 Root cause: N/A How to fix: QCOM Patch CR_2287499.patch QCOM case ID:04467755 Issue: PRJ8901-646 Change-Id: Iacf0f5bf7c2e90f2fd91b8deb8be4b03a38f21ea --- drivers/platform/msm/ipa/ipa_v2/ipa_rt.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) mode change 100644 => 100755 drivers/platform/msm/ipa/ipa_v2/ipa_rt.c diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c b/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c old mode 100644 new mode 100755 index be529688b3f2..82d72554b120 --- a/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c +++ b/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c @@ -1067,9 +1067,8 @@ static int __ipa_add_rt_rule(enum ipa_ip_type ip, const char *name, * tables */ if (!strcmp(tbl->name, IPA_DFLT_RT_TBL_NAME) && - (tbl->rule_cnt > 0) && (at_rear != 0)) { - IPAERR("cannot add rule at end of tbl rule_cnt=%d at_rear=%d\n", - tbl->rule_cnt, at_rear); + (tbl->rule_cnt > 0)) { + IPAERR_RL("cannot add rules to default rt table\n"); goto error; } @@ -1606,6 +1605,11 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy *rtrule) goto error; } + if (!strcmp(entry->tbl->name, IPA_DFLT_RT_TBL_NAME)) { + IPAERR_RL("Default tbl rule cannot be modified\n"); + return -EINVAL; + } + /* Adding check to confirm still * header entry present in header table or not */ -- GitLab From af9cb4fbc3efb00898d0fc7400540420d20f4fb8 Mon Sep 17 00:00:00 2001 From: Alan Stern Date: Thu, 3 Oct 2019 14:53:59 -0400 Subject: [PATCH 15/19] HID: Fix assumption that devices have inputs The syzbot fuzzer found a slab-out-of-bounds write bug in the hid-gaff driver. The problem is caused by the driver's assumption that the device must have an input report. While this will be true for all normal HID input devices, a suitably malicious device can violate the assumption. The same assumption is present in over a dozen other HID drivers. This patch fixes them by checking that the list of hid_inputs for the hid_device is nonempty before allowing it to be used. Reported-and-tested-by: syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com Signed-off-by: Alan Stern CC: Signed-off-by: Benjamin Tissoires --- drivers/hid/hid-axff.c | 11 +++++++++-- drivers/hid/hid-dr.c | 12 +++++++++--- drivers/hid/hid-emsff.c | 12 +++++++++--- drivers/hid/hid-gaff.c | 12 +++++++++--- drivers/hid/hid-holtekff.c | 12 +++++++++--- drivers/hid/hid-lg2ff.c | 12 +++++++++--- drivers/hid/hid-lg3ff.c | 11 +++++++++-- drivers/hid/hid-lg4ff.c | 11 +++++++++-- drivers/hid/hid-lgff.c | 11 +++++++++-- drivers/hid/hid-logitech-hidpp.c | 11 +++++++++-- drivers/hid/hid-sony.c | 12 +++++++++--- drivers/hid/hid-tmff.c | 12 +++++++++--- drivers/hid/hid-zpff.c | 12 +++++++++--- 13 files changed, 117 insertions(+), 34 deletions(-) diff --git a/drivers/hid/hid-axff.c b/drivers/hid/hid-axff.c index a594e478a1e2..843aed4dec80 100644 --- a/drivers/hid/hid-axff.c +++ b/drivers/hid/hid-axff.c @@ -75,13 +75,20 @@ static int axff_init(struct hid_device *hid) { struct axff_device *axff; struct hid_report *report; - struct hid_input *hidinput = list_first_entry(&hid->inputs, struct hid_input, list); + struct hid_input *hidinput; struct list_head *report_list =&hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; + struct input_dev *dev; int field_count = 0; int i, j; int error; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + hidinput = list_first_entry(&hid->inputs, struct hid_input, list); + dev = hidinput->input; + if (list_empty(report_list)) { hid_err(hid, "no output reports found\n"); return -ENODEV; diff --git a/drivers/hid/hid-dr.c b/drivers/hid/hid-dr.c index 818ea7d93533..309969b8dc2e 100644 --- a/drivers/hid/hid-dr.c +++ b/drivers/hid/hid-dr.c @@ -87,13 +87,19 @@ static int drff_init(struct hid_device *hid) { struct drff_device *drff; struct hid_report *report; - struct hid_input *hidinput = list_first_entry(&hid->inputs, - struct hid_input, list); + struct hid_input *hidinput; struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; + struct input_dev *dev; int error; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + hidinput = list_first_entry(&hid->inputs, struct hid_input, list); + dev = hidinput->input; + if (list_empty(report_list)) { hid_err(hid, "no output reports found\n"); return -ENODEV; diff --git a/drivers/hid/hid-emsff.c b/drivers/hid/hid-emsff.c index d82d75bb11f7..80f9a02dfa69 100644 --- a/drivers/hid/hid-emsff.c +++ b/drivers/hid/hid-emsff.c @@ -59,13 +59,19 @@ static int emsff_init(struct hid_device *hid) { struct emsff_device *emsff; struct hid_report *report; - struct hid_input *hidinput = list_first_entry(&hid->inputs, - struct hid_input, list); + struct hid_input *hidinput; struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; + struct input_dev *dev; int error; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + hidinput = list_first_entry(&hid->inputs, struct hid_input, list); + dev = hidinput->input; + if (list_empty(report_list)) { hid_err(hid, "no output reports found\n"); return -ENODEV; diff --git a/drivers/hid/hid-gaff.c b/drivers/hid/hid-gaff.c index 2d8cead3adca..5a02c50443cb 100644 --- a/drivers/hid/hid-gaff.c +++ b/drivers/hid/hid-gaff.c @@ -77,14 +77,20 @@ static int gaff_init(struct hid_device *hid) { struct gaff_device *gaff; struct hid_report *report; - struct hid_input *hidinput = list_entry(hid->inputs.next, - struct hid_input, list); + struct hid_input *hidinput; struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; struct list_head *report_ptr = report_list; - struct input_dev *dev = hidinput->input; + struct input_dev *dev; int error; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + hidinput = list_entry(hid->inputs.next, struct hid_input, list); + dev = hidinput->input; + if (list_empty(report_list)) { hid_err(hid, "no output reports found\n"); return -ENODEV; diff --git a/drivers/hid/hid-holtekff.c b/drivers/hid/hid-holtekff.c index 9325545fc3ae..3e84551cca9c 100644 --- a/drivers/hid/hid-holtekff.c +++ b/drivers/hid/hid-holtekff.c @@ -140,13 +140,19 @@ static int holtekff_init(struct hid_device *hid) { struct holtekff_device *holtekff; struct hid_report *report; - struct hid_input *hidinput = list_entry(hid->inputs.next, - struct hid_input, list); + struct hid_input *hidinput; struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; + struct input_dev *dev; int error; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + hidinput = list_entry(hid->inputs.next, struct hid_input, list); + dev = hidinput->input; + if (list_empty(report_list)) { hid_err(hid, "no output report found\n"); return -ENODEV; diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c index 0e3fb1a7e421..6909d9c2fc67 100644 --- a/drivers/hid/hid-lg2ff.c +++ b/drivers/hid/hid-lg2ff.c @@ -62,11 +62,17 @@ int lg2ff_init(struct hid_device *hid) { struct lg2ff_device *lg2ff; struct hid_report *report; - struct hid_input *hidinput = list_entry(hid->inputs.next, - struct hid_input, list); - struct input_dev *dev = hidinput->input; + struct hid_input *hidinput; + struct input_dev *dev; int error; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + hidinput = list_entry(hid->inputs.next, struct hid_input, list); + dev = hidinput->input; + /* Check that the report looks ok */ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7); if (!report) diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c index 8c2da183d3bc..acf739fc4060 100644 --- a/drivers/hid/hid-lg3ff.c +++ b/drivers/hid/hid-lg3ff.c @@ -129,12 +129,19 @@ static const signed short ff3_joystick_ac[] = { int lg3ff_init(struct hid_device *hid) { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); - struct input_dev *dev = hidinput->input; + struct hid_input *hidinput; + struct input_dev *dev; const signed short *ff_bits = ff3_joystick_ac; int error; int i; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + hidinput = list_entry(hid->inputs.next, struct hid_input, list); + dev = hidinput->input; + /* Check that the report looks ok */ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 35)) return -ENODEV; diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c index 1fc12e357035..a37a60725514 100644 --- a/drivers/hid/hid-lg4ff.c +++ b/drivers/hid/hid-lg4ff.c @@ -1261,8 +1261,8 @@ static int lg4ff_handle_multimode_wheel(struct hid_device *hid, u16 *real_produc int lg4ff_init(struct hid_device *hid) { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); - struct input_dev *dev = hidinput->input; + struct hid_input *hidinput; + struct input_dev *dev; struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; struct hid_report *report = list_entry(report_list->next, struct hid_report, list); const struct usb_device_descriptor *udesc = &(hid_to_usb_dev(hid)->descriptor); @@ -1274,6 +1274,13 @@ int lg4ff_init(struct hid_device *hid) int mmode_ret, mmode_idx = -1; u16 real_product_id; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + hidinput = list_entry(hid->inputs.next, struct hid_input, list); + dev = hidinput->input; + /* Check that the report looks ok */ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7)) return -1; diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c index e1394af0ae7b..1871cdcd1e0a 100644 --- a/drivers/hid/hid-lgff.c +++ b/drivers/hid/hid-lgff.c @@ -127,12 +127,19 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude) int lgff_init(struct hid_device* hid) { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); - struct input_dev *dev = hidinput->input; + struct hid_input *hidinput; + struct input_dev *dev; const signed short *ff_bits = ff_joystick; int error; int i; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + hidinput = list_entry(hid->inputs.next, struct hid_input, list); + dev = hidinput->input; + /* Check that the report looks ok */ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7)) return -ENODEV; diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c index 2e2515a4c070..478c91a78e84 100644 --- a/drivers/hid/hid-logitech-hidpp.c +++ b/drivers/hid/hid-logitech-hidpp.c @@ -1229,8 +1229,8 @@ static void hidpp_ff_destroy(struct ff_device *ff) static int hidpp_ff_init(struct hidpp_device *hidpp, u8 feature_index) { struct hid_device *hid = hidpp->hid_dev; - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); - struct input_dev *dev = hidinput->input; + struct hid_input *hidinput; + struct input_dev *dev; const struct usb_device_descriptor *udesc = &(hid_to_usb_dev(hid)->descriptor); const u16 bcdDevice = le16_to_cpu(udesc->bcdDevice); struct ff_device *ff; @@ -1239,6 +1239,13 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 feature_index) int error, j, num_slots; u8 version; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + hidinput = list_entry(hid->inputs.next, struct hid_input, list); + dev = hidinput->input; + if (!dev) { hid_err(hid, "Struct input_dev not set!\n"); return -EINVAL; diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c index 1b1dccd37fbd..958ac59c5a0e 100644 --- a/drivers/hid/hid-sony.c +++ b/drivers/hid/hid-sony.c @@ -2008,9 +2008,15 @@ static int sony_play_effect(struct input_dev *dev, void *data, static int sony_init_ff(struct sony_sc *sc) { - struct hid_input *hidinput = list_entry(sc->hdev->inputs.next, - struct hid_input, list); - struct input_dev *input_dev = hidinput->input; + struct hid_input *hidinput; + struct input_dev *input_dev; + + if (list_empty(&sc->hdev->inputs)) { + hid_err(sc->hdev, "no inputs found\n"); + return -ENODEV; + } + hidinput = list_entry(sc->hdev->inputs.next, struct hid_input, list); + input_dev = hidinput->input; input_set_capability(input_dev, EV_FF, FF_RUMBLE); return input_ff_create_memless(input_dev, NULL, sony_play_effect); diff --git a/drivers/hid/hid-tmff.c b/drivers/hid/hid-tmff.c index b83376077d72..9e908d94cc4c 100644 --- a/drivers/hid/hid-tmff.c +++ b/drivers/hid/hid-tmff.c @@ -126,12 +126,18 @@ static int tmff_init(struct hid_device *hid, const signed short *ff_bits) struct tmff_device *tmff; struct hid_report *report; struct list_head *report_list; - struct hid_input *hidinput = list_entry(hid->inputs.next, - struct hid_input, list); - struct input_dev *input_dev = hidinput->input; + struct hid_input *hidinput; + struct input_dev *input_dev; int error; int i; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + hidinput = list_entry(hid->inputs.next, struct hid_input, list); + input_dev = hidinput->input; + tmff = kzalloc(sizeof(struct tmff_device), GFP_KERNEL); if (!tmff) return -ENOMEM; diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c index a29756c6ca02..4e7e01be99b1 100644 --- a/drivers/hid/hid-zpff.c +++ b/drivers/hid/hid-zpff.c @@ -66,11 +66,17 @@ static int zpff_init(struct hid_device *hid) { struct zpff_device *zpff; struct hid_report *report; - struct hid_input *hidinput = list_entry(hid->inputs.next, - struct hid_input, list); - struct input_dev *dev = hidinput->input; + struct hid_input *hidinput; + struct input_dev *dev; int i, error; + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); + return -ENODEV; + } + hidinput = list_entry(hid->inputs.next, struct hid_input, list); + dev = hidinput->input; + for (i = 0; i < 4; i++) { report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1); if (!report) -- GitLab From f04c478d2bd4dfcef9d45a53c5d9fd2c4a4890d1 Mon Sep 17 00:00:00 2001 From: Oliver Neukum Date: Fri, 15 Nov 2019 11:35:05 -0800 Subject: [PATCH 16/19] Input: ff-memless - kill timer in destroy() No timer must be left running when the device goes away. Signed-off-by: Oliver Neukum Reported-and-tested-by: syzbot+b6c55daa701fc389e286@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/1573726121.17351.3.camel@suse.com Signed-off-by: Dmitry Torokhov --- drivers/input/ff-memless.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/input/ff-memless.c b/drivers/input/ff-memless.c index fcc6c3368182..ea3f0f5eb534 100644 --- a/drivers/input/ff-memless.c +++ b/drivers/input/ff-memless.c @@ -501,6 +501,15 @@ static void ml_ff_destroy(struct ff_device *ff) { struct ml_device *ml = ff->private; + /* + * Even though we stop all playing effects when tearing down + * an input device (via input_device_flush() that calls into + * input_ff_flush() that stops and erases all effects), we + * do not actually stop the timer, and therefore we should + * do it here. + */ + del_timer_sync(&ml->timer); + kfree(ml->private); } -- GitLab From c1b7eb8fba147a6f291ee1ac088f15f8d82534c3 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Wed, 6 Nov 2019 17:55:47 +0100 Subject: [PATCH 17/19] ALSA: timer: Fix incorrectly assigned timer instance The clean up commit 41672c0c24a6 ("ALSA: timer: Simplify error path in snd_timer_open()") unified the error handling code paths with the standard goto, but it introduced a subtle bug: the timer instance is stored in snd_timer_open() incorrectly even if it returns an error. This may eventually lead to UAF, as spotted by fuzzer. The culprit is the snd_timer_open() code checks the SNDRV_TIMER_IFLG_EXCLUSIVE flag with the common variable timeri. This variable is supposed to be the newly created instance, but we (ab-)used it for a temporary check before the actual creation of a timer instance. After that point, there is another check for the max number of instances, and it bails out if over the threshold. Before the refactoring above, it worked fine because the code returned directly from that point. After the refactoring, however, it jumps to the unified error path that stores the timeri variable in return -- even if it returns an error. Unfortunately this stored value is kept in the caller side (snd_timer_user_tselect()) in tu->timeri. This causes inconsistency later, as if the timer was successfully assigned. In this patch, we fix it by not re-using timeri variable but a temporary variable for testing the exclusive connection, so timeri remains NULL at that point. Fixes: 41672c0c24a6 ("ALSA: timer: Simplify error path in snd_timer_open()") Reported-and-tested-by: Tristan Madani Cc: Link: https://lore.kernel.org/r/20191106165547.23518-1-tiwai@suse.de Signed-off-by: Takashi Iwai --- sound/core/timer.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sound/core/timer.c b/sound/core/timer.c index d3b626083944..8dc8f3a81359 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -280,9 +280,10 @@ int snd_timer_open(struct snd_timer_instance **ti, return -ENODEV; } if (!list_empty(&timer->open_list_head)) { - timeri = list_entry(timer->open_list_head.next, + struct snd_timer_instance *t = + list_entry(timer->open_list_head.next, struct snd_timer_instance, open_list); - if (timeri->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) { + if (t->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) { mutex_unlock(®ister_mutex); return -EBUSY; } -- GitLab From 11b0453d99bdcc654c1d70fa7199d4bc5cdd595e Mon Sep 17 00:00:00 2001 From: ssizon Date: Fri, 5 Jun 2020 01:04:21 +0530 Subject: [PATCH 18/19] FP3: Switch to pref defconfig --- arch/arm64/configs/lineageos_FP3_defconfig | 199 ++++++++------------- 1 file changed, 75 insertions(+), 124 deletions(-) diff --git a/arch/arm64/configs/lineageos_FP3_defconfig b/arch/arm64/configs/lineageos_FP3_defconfig index 75604865b522..70e66c9608ab 100644 --- a/arch/arm64/configs/lineageos_FP3_defconfig +++ b/arch/arm64/configs/lineageos_FP3_defconfig @@ -46,7 +46,7 @@ CONFIG_THREAD_INFO_IN_TASK=y CONFIG_INIT_ENV_ARG_LIMIT=32 CONFIG_CROSS_COMPILE="" # CONFIG_COMPILE_TEST is not set -CONFIG_LOCALVERSION="" +CONFIG_LOCALVERSION="-perf" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_DEFAULT_HOSTNAME="(none)" CONFIG_SWAP=y @@ -99,7 +99,7 @@ CONFIG_IRQ_TIME_ACCOUNTING=y CONFIG_SCHED_WALT=y # CONFIG_BSD_PROCESS_ACCT is not set CONFIG_TASKSTATS=y -CONFIG_TASK_DELAY_ACCT=y +# CONFIG_TASK_DELAY_ACCT is not set CONFIG_TASK_XACCT=y CONFIG_TASK_IO_ACCOUNTING=y @@ -130,7 +130,7 @@ CONFIG_LOG_CPU_MAX_BUF_SHIFT=17 CONFIG_GENERIC_SCHED_CLOCK=y CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y CONFIG_CGROUPS=y -CONFIG_CGROUP_DEBUG=y +# CONFIG_CGROUP_DEBUG is not set CONFIG_CGROUP_FREEZER=y # CONFIG_CGROUP_PIDS is not set # CONFIG_CGROUP_DEVICE is not set @@ -159,7 +159,7 @@ CONFIG_SCHED_AUTOGROUP=y CONFIG_SCHED_TUNE=y CONFIG_DEFAULT_USE_ENERGY_AWARE=y # CONFIG_SYSFS_DEPRECATED is not set -CONFIG_RELAY=y +# CONFIG_RELAY is not set CONFIG_BLK_DEV_INITRD=y CONFIG_INITRAMFS_SOURCE="" CONFIG_RD_GZIP=y @@ -347,6 +347,7 @@ CONFIG_DEFAULT_IOSCHED="cfq" CONFIG_ASN1=y CONFIG_UNINLINE_SPIN_UNLOCK=y CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y +CONFIG_MUTEX_SPIN_ON_OWNER=y CONFIG_RWSEM_SPIN_ON_OWNER=y CONFIG_LOCK_SPIN_ON_OWNER=y CONFIG_ARCH_USE_QUEUED_RWLOCKS=y @@ -476,11 +477,11 @@ CONFIG_BOUNCE=y # CONFIG_KSM is not set CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 # CONFIG_TRANSPARENT_HUGEPAGE is not set -CONFIG_CLEANCACHE=y +# CONFIG_CLEANCACHE is not set # CONFIG_FRONTSWAP is not set CONFIG_CMA=y # CONFIG_CMA_DEBUG is not set -CONFIG_CMA_DEBUGFS=y +# CONFIG_CMA_DEBUGFS is not set CONFIG_CMA_AREAS=7 # CONFIG_ZPOOL is not set # CONFIG_ZBUD is not set @@ -528,6 +529,7 @@ CONFIG_ARM64_MODULE_CMODEL_LARGE=y CONFIG_ARM64_MODULE_PLTS=y CONFIG_RELOCATABLE=y CONFIG_RANDOMIZE_BASE=y +CONFIG_RANDOMIZE_MODULE_REGION_FULL=y # # Boot options @@ -572,10 +574,7 @@ CONFIG_PM_WAKELOCKS=y CONFIG_PM_WAKELOCKS_LIMIT=0 # CONFIG_PM_WAKELOCKS_GC is not set CONFIG_PM=y -CONFIG_PM_DEBUG=y -# CONFIG_PM_ADVANCED_DEBUG is not set -# CONFIG_PM_TEST_SUSPEND is not set -CONFIG_PM_SLEEP_DEBUG=y +# CONFIG_PM_DEBUG is not set CONFIG_PM_OPP=y CONFIG_PM_CLK=y # CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set @@ -962,7 +961,7 @@ CONFIG_INET_SCTP_DIAG=y # CONFIG_TIPC is not set # CONFIG_ATM is not set CONFIG_L2TP=y -CONFIG_L2TP_DEBUGFS=y +# CONFIG_L2TP_DEBUGFS is not set CONFIG_L2TP_V3=y CONFIG_L2TP_IP=y CONFIG_L2TP_ETH=y @@ -1056,7 +1055,7 @@ CONFIG_NET_CLS_ACT=y # CONFIG_NET_CLS_IND is not set CONFIG_NET_SCH_FIFO=y # CONFIG_DCB is not set -CONFIG_DNS_RESOLVER=y +# CONFIG_DNS_RESOLVER is not set # CONFIG_BATMAN_ADV is not set # CONFIG_OPENVSWITCH is not set # CONFIG_VSOCKETS is not set @@ -1460,13 +1459,12 @@ CONFIG_NET_VENDOR_BROADCOM=y # CONFIG_BCMGENET is not set # CONFIG_SYSTEMPORT is not set # CONFIG_DNET is not set -# CONFIG_NET_VENDOR_EZCHIP is not set +CONFIG_NET_VENDOR_EZCHIP=y +# CONFIG_EZCHIP_NPS_MANAGEMENT_ENET is not set # CONFIG_NET_VENDOR_HISILICON is not set CONFIG_NET_VENDOR_INTEL=y CONFIG_NET_VENDOR_I825XX=y -CONFIG_NET_VENDOR_MARVELL=y -# CONFIG_MVMDIO is not set -# CONFIG_MVNETA_BM is not set +# CONFIG_NET_VENDOR_MARVELL is not set CONFIG_NET_VENDOR_MICREL=y # CONFIG_KS8842 is not set # CONFIG_KS8851 is not set @@ -1481,7 +1479,7 @@ CONFIG_NET_VENDOR_8390=y CONFIG_NET_VENDOR_QUALCOMM=y # CONFIG_QCA7000 is not set # CONFIG_QCOM_EMAC is not set -# CONFIG_NET_VENDOR_RENESAS is not set +CONFIG_NET_VENDOR_RENESAS=y # CONFIG_NET_VENDOR_ROCKER is not set CONFIG_NET_VENDOR_SAMSUNG=y # CONFIG_SXGBE_ETH is not set @@ -1854,7 +1852,6 @@ CONFIG_UNIX98_PTYS=y # # Serial drivers # -CONFIG_SERIAL_EARLYCON=y # CONFIG_SERIAL_8250 is not set # @@ -1867,10 +1864,8 @@ CONFIG_SERIAL_EARLYCON=y # CONFIG_SERIAL_MAX310X is not set # CONFIG_SERIAL_UARTLITE is not set CONFIG_SERIAL_CORE=y -CONFIG_SERIAL_CORE_CONSOLE=y -CONFIG_SERIAL_MSM=y +# CONFIG_SERIAL_MSM is not set # CONFIG_SERIAL_MSM_GENI is not set -CONFIG_SERIAL_MSM_CONSOLE=y CONFIG_SERIAL_MSM_HS=y # CONFIG_SERIAL_SCCNXP is not set # CONFIG_SERIAL_SC16IS7XX is not set @@ -2739,11 +2734,11 @@ CONFIG_FB_CFB_FILLRECT=y CONFIG_FB_CFB_COPYAREA=y CONFIG_FB_CFB_IMAGEBLIT=y # CONFIG_FB_CFB_REV_PIXELS_IN_BYTE is not set -CONFIG_FB_SYS_FILLRECT=y -CONFIG_FB_SYS_COPYAREA=y -CONFIG_FB_SYS_IMAGEBLIT=y +# CONFIG_FB_SYS_FILLRECT is not set +# CONFIG_FB_SYS_COPYAREA is not set +# CONFIG_FB_SYS_IMAGEBLIT is not set # CONFIG_FB_FOREIGN_ENDIAN is not set -CONFIG_FB_SYS_FOPS=y +# CONFIG_FB_SYS_FOPS is not set # CONFIG_FB_SVGALIB is not set # CONFIG_FB_MACMODES is not set # CONFIG_FB_BACKLIGHT is not set @@ -2760,7 +2755,7 @@ CONFIG_FB_SYS_FOPS=y # CONFIG_FB_SMSCUFX is not set # CONFIG_FB_UDL is not set # CONFIG_FB_IBM_GXT4500 is not set -CONFIG_FB_VIRTUAL=y +# CONFIG_FB_VIRTUAL is not set # CONFIG_FB_METRONOME is not set CONFIG_FB_MSM=y # CONFIG_FB_BROADSHEET is not set @@ -3331,7 +3326,7 @@ CONFIG_MMC=y CONFIG_MMC_PERF_PROFILING=y # CONFIG_PWRSEQ_EMMC is not set # CONFIG_PWRSEQ_SIMPLE is not set -CONFIG_MMC_RING_BUFFER=y +# CONFIG_MMC_RING_BUFFER is not set # CONFIG_MMC_EMBEDDED_SDIO is not set CONFIG_MMC_PARANOID_SD_INIT=y CONFIG_MMC_CLKGATE=y @@ -3797,9 +3792,7 @@ CONFIG_IOMMU_DMA=y CONFIG_ARM_SMMU=y # CONFIG_ARM_SMMU_V3 is not set CONFIG_QCOM_LAZY_MAPPING=y -CONFIG_IOMMU_DEBUG=y -CONFIG_IOMMU_DEBUG_TRACKING=y -CONFIG_IOMMU_TESTS=y +# CONFIG_IOMMU_DEBUG is not set # # Remoteproc drivers @@ -3817,7 +3810,7 @@ CONFIG_IOMMU_TESTS=y # # Broadcom SoC drivers # -CONFIG_QCOM_CPUSS_DUMP=y +# CONFIG_QCOM_CPUSS_DUMP is not set CONFIG_QCOM_RUN_QUEUE_STATS=y # CONFIG_QCOM_GSBI is not set # CONFIG_QCOM_LLCC is not set @@ -3828,7 +3821,7 @@ CONFIG_MSM_L2_SPM=y CONFIG_QCOM_SCM=y # CONFIG_SETUP_SSR_NOTIF_TIMEOUTS is not set CONFIG_MSM_BOOT_STATS=y -CONFIG_MSM_CORE_HANG_DETECT=y +# CONFIG_MSM_CORE_HANG_DETECT is not set # CONFIG_MSM_GLADIATOR_HANG_DETECT is not set # CONFIG_MSM_GLADIATOR_ERP is not set # CONFIG_QCOM_EUD is not set @@ -3836,8 +3829,7 @@ CONFIG_QCOM_WATCHDOG_V2=y # CONFIG_QCOM_WDOG_IPI_ENABLE is not set CONFIG_QPNP_PBS=y CONFIG_QCOM_MEMORY_DUMP_V2=y -CONFIG_MSM_DEBUG_LAR_UNLOCK=y -# CONFIG_QCOM_MINIDUMP is not set +# CONFIG_MSM_DEBUG_LAR_UNLOCK is not set CONFIG_MSM_RPM_SMD=y CONFIG_QCOM_BUS_SCALING=y # CONFIG_QCOM_BUS_CONFIG_RPMH is not set @@ -3850,7 +3842,7 @@ CONFIG_MSM_SMD_DEBUG=y CONFIG_MSM_TZ_SMMU=y # CONFIG_MSM_GLINK_LOOPBACK_SERVER is not set # CONFIG_MSM_SPSS_UTILS is not set -CONFIG_TRACER_PKT=y +# CONFIG_TRACER_PKT is not set # CONFIG_QTI_RPMH_API is not set CONFIG_MSM_SMP2P=y CONFIG_MSM_IPC_ROUTER_SMD_XPRT=y @@ -3877,14 +3869,14 @@ CONFIG_MSM_IDLE_STATS_BUCKET_SHIFT=2 CONFIG_MSM_IDLE_STATS_BUCKET_COUNT=10 CONFIG_MSM_SUSPEND_STATS_FIRST_BUCKET=1000000000 # CONFIG_QCOM_DCC_V2 is not set -CONFIG_QCOM_DCC=y +# CONFIG_QCOM_DCC is not set CONFIG_QTI_RPM_STATS_LOG=y CONFIG_QCOM_FORCE_WDOG_BITE_ON_PANIC=y # CONFIG_QMP_DEBUGFS_CLIENT is not set CONFIG_MEM_SHARE_QMI_SERVICE=y # CONFIG_MSM_REMOTEQDSS is not set # CONFIG_QSEE_IPC_IRQ_BRIDGE is not set -CONFIG_MSM_JTAGV8=y +# CONFIG_MSM_JTAGV8 is not set CONFIG_MSM_BAM_DMUX=y # CONFIG_MSM_PIL_SSR_BG is not set # CONFIG_MSM_BGCOM is not set @@ -4329,7 +4321,14 @@ CONFIG_FS_MBCACHE=y # CONFIG_OCFS2_FS is not set # CONFIG_BTRFS_FS is not set # CONFIG_NILFS2_FS is not set -# CONFIG_F2FS_FS is not set +CONFIG_F2FS_FS=y +CONFIG_F2FS_STAT_FS=y +CONFIG_F2FS_FS_XATTR=y +CONFIG_F2FS_FS_POSIX_ACL=y +CONFIG_F2FS_FS_SECURITY=y +# CONFIG_F2FS_CHECK_FS is not set +CONFIG_F2FS_FS_ENCRYPTION=y +# CONFIG_F2FS_FAULT_INJECTION is not set # CONFIG_FS_DAX is not set CONFIG_FS_POSIX_ACL=y # CONFIG_EXPORTFS_BLOCK_OPS is not set @@ -4368,7 +4367,7 @@ CONFIG_FUSE_FS=y # DOS/FAT/NT Filesystems # CONFIG_FAT_FS=y -CONFIG_MSDOS_FS=y +# CONFIG_MSDOS_FS is not set CONFIG_VFAT_FS=y CONFIG_FAT_DEFAULT_CODEPAGE=437 CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1" @@ -4483,7 +4482,7 @@ CONFIG_NLS_ISO8859_1=y CONFIG_PRINTK_TIME=y CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 # CONFIG_BOOT_PRINTK_DELAY is not set -CONFIG_DYNAMIC_DEBUG=y +# CONFIG_DYNAMIC_DEBUG is not set # CONFIG_DEBUG_MODULE_LOAD_INFO is not set # @@ -4515,33 +4514,19 @@ CONFIG_DEBUG_KERNEL=y # # Memory Debugging # -CONFIG_PAGE_EXTENSION=y -CONFIG_DEBUG_PAGEALLOC=y -CONFIG_SLUB_DEBUG_PANIC_ON=y -CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT=y -CONFIG_PAGE_POISONING=y -# CONFIG_PAGE_POISONING_ENABLE_DEFAULT is not set -# CONFIG_PAGE_POISONING_NO_SANITY is not set -# CONFIG_PAGE_POISONING_ZERO is not set +# CONFIG_PAGE_EXTENSION is not set +# CONFIG_DEBUG_PAGEALLOC is not set +# CONFIG_SLUB_DEBUG_PANIC_ON is not set +# CONFIG_PAGE_POISONING is not set # CONFIG_DEBUG_PAGE_REF is not set -CONFIG_DEBUG_OBJECTS=y -# CONFIG_DEBUG_OBJECTS_SELFTEST is not set -CONFIG_DEBUG_OBJECTS_FREE=y -CONFIG_DEBUG_OBJECTS_TIMERS=y -CONFIG_DEBUG_OBJECTS_WORK=y -CONFIG_DEBUG_OBJECTS_RCU_HEAD=y -CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y -CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 +# CONFIG_DEBUG_OBJECTS is not set # CONFIG_SLUB_DEBUG_ON is not set # CONFIG_SLUB_STATS is not set CONFIG_HAVE_DEBUG_KMEMLEAK=y -CONFIG_DEBUG_KMEMLEAK=y -CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4000 -# CONFIG_DEBUG_KMEMLEAK_TEST is not set -CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y -CONFIG_DEBUG_STACK_USAGE=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_DEBUG_STACK_USAGE is not set # CONFIG_DEBUG_VM is not set -CONFIG_DEBUG_MEMORY_INIT=y +# CONFIG_DEBUG_MEMORY_INIT is not set # CONFIG_DEBUG_PER_CPU_MAPS is not set CONFIG_HAVE_ARCH_KASAN=y # CONFIG_KASAN is not set @@ -4553,54 +4538,40 @@ CONFIG_ARCH_HAS_KCOV=y # # Debug Lockups and Hangs # -CONFIG_LOCKUP_DETECTOR=y -CONFIG_HARDLOCKUP_DETECTOR_OTHER_CPU=y -CONFIG_HARDLOCKUP_DETECTOR=y -# CONFIG_BOOTPARAM_HARDLOCKUP_PANIC is not set -CONFIG_BOOTPARAM_HARDLOCKUP_PANIC_VALUE=0 -CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y -CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=1 +# CONFIG_LOCKUP_DETECTOR is not set # CONFIG_PANIC_ON_RECURSIVE_FAULT is not set -CONFIG_DETECT_HUNG_TASK=y -CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 -# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0 -CONFIG_WQ_WATCHDOG=y +# CONFIG_DETECT_HUNG_TASK is not set +# CONFIG_WQ_WATCHDOG is not set # CONFIG_PANIC_ON_OOPS is not set CONFIG_PANIC_ON_OOPS_VALUE=0 CONFIG_PANIC_TIMEOUT=5 CONFIG_SCHED_DEBUG=y CONFIG_SCHED_INFO=y -CONFIG_PANIC_ON_SCHED_BUG=y -CONFIG_PANIC_ON_RT_THROTTLING=y +# CONFIG_PANIC_ON_SCHED_BUG is not set +# CONFIG_PANIC_ON_RT_THROTTLING is not set CONFIG_SCHEDSTATS=y -CONFIG_SCHED_STACK_END_CHECK=y +# CONFIG_SCHED_STACK_END_CHECK is not set # CONFIG_DEBUG_TIMEKEEPING is not set -# CONFIG_DEBUG_TASK_STACK_SCAN_OFF is not set # CONFIG_DEBUG_PREEMPT is not set # # Lock Debugging (spinlocks, mutexes, etc...) # # CONFIG_DEBUG_RT_MUTEXES is not set -CONFIG_DEBUG_SPINLOCK=y -CONFIG_DEBUG_SPINLOCK_BITE_ON_BUG=y -# CONFIG_DEBUG_SPINLOCK_PANIC_ON_BUG is not set -CONFIG_DEBUG_MUTEXES=y +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set # CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set # CONFIG_DEBUG_LOCK_ALLOC is not set # CONFIG_PROVE_LOCKING is not set # CONFIG_LOCK_STAT is not set -CONFIG_DEBUG_ATOMIC_SLEEP=y +# CONFIG_DEBUG_ATOMIC_SLEEP is not set # CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set # CONFIG_LOCK_TORTURE_TEST is not set -CONFIG_TRACE_IRQFLAGS=y CONFIG_STACKTRACE=y # CONFIG_DEBUG_KOBJECT is not set -# CONFIG_DEBUG_KOBJECT_RELEASE is not set CONFIG_HAVE_DEBUG_BUGVERBOSE=y CONFIG_DEBUG_BUGVERBOSE=y -CONFIG_DEBUG_LIST=y +# CONFIG_DEBUG_LIST is not set # CONFIG_DEBUG_PI_LIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set @@ -4622,16 +4593,7 @@ CONFIG_RCU_PANIC_ON_STALL=0 # CONFIG_DEBUG_BLOCK_EXT_DEVT is not set # CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set # CONFIG_NOTIFIER_ERROR_INJECTION is not set -CONFIG_FAULT_INJECTION=y -# CONFIG_FAILSLAB is not set -CONFIG_FAIL_PAGE_ALLOC=y -# CONFIG_FAIL_MAKE_REQUEST is not set -# CONFIG_FAIL_IO_TIMEOUT is not set -# CONFIG_FAIL_MMC_REQUEST is not set -# CONFIG_UFS_FAULT_INJECTION is not set -# CONFIG_FAIL_FUTEX is not set -CONFIG_FAULT_INJECTION_DEBUG_FS=y -CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y +# CONFIG_FAULT_INJECTION is not set # CONFIG_LATENCYTOP is not set CONFIG_NOP_TRACER=y CONFIG_HAVE_FUNCTION_TRACER=y @@ -4640,39 +4602,31 @@ CONFIG_HAVE_DYNAMIC_FTRACE=y CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y CONFIG_HAVE_SYSCALL_TRACEPOINTS=y CONFIG_HAVE_C_RECORDMCOUNT=y -CONFIG_TRACER_MAX_TRACE=y CONFIG_TRACE_CLOCK=y CONFIG_RING_BUFFER=y CONFIG_EVENT_TRACING=y CONFIG_CONTEXT_SWITCH_TRACER=y -CONFIG_RING_BUFFER_ALLOW_SWAP=y CONFIG_IPC_LOGGING=y -CONFIG_QCOM_RTB=y -CONFIG_QCOM_RTB_SEPARATE_CPUS=y +# CONFIG_QCOM_RTB is not set CONFIG_TRACING=y CONFIG_GENERIC_TRACER=y CONFIG_TRACING_SUPPORT=y CONFIG_FTRACE=y -CONFIG_FUNCTION_TRACER=y -CONFIG_FUNCTION_GRAPH_TRACER=y +# CONFIG_FUNCTION_TRACER is not set # CONFIG_PREEMPTIRQ_EVENTS is not set -CONFIG_IRQSOFF_TRACER=y -CONFIG_PREEMPT_TRACER=y +# CONFIG_IRQSOFF_TRACER is not set +# CONFIG_PREEMPT_TRACER is not set # CONFIG_SCHED_TRACER is not set # CONFIG_HWLAT_TRACER is not set # CONFIG_FTRACE_SYSCALLS is not set -CONFIG_TRACER_SNAPSHOT=y -CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP=y +# CONFIG_TRACER_SNAPSHOT is not set CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set # CONFIG_PROFILE_ALL_BRANCHES is not set # CONFIG_STACK_TRACER is not set -CONFIG_BLK_DEV_IO_TRACE=y +# CONFIG_BLK_DEV_IO_TRACE is not set # CONFIG_PROBE_EVENTS is not set -CONFIG_DYNAMIC_FTRACE=y -# CONFIG_FUNCTION_PROFILER is not set CONFIG_CPU_FREQ_SWITCH_PROFILER=y -CONFIG_FTRACE_MCOUNT_RECORD=y # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_TRACEPOINT_BENCHMARK is not set # CONFIG_RING_BUFFER_BENCHMARK is not set @@ -4683,7 +4637,7 @@ CONFIG_TRACING_EVENTS_GPIO=y # # Runtime Testing # -CONFIG_LKDTM=y +# CONFIG_LKDTM is not set # CONFIG_TEST_LIST_SORT is not set # CONFIG_BACKTRACE_SELF_TEST is not set # CONFIG_RBTREE_TEST is not set @@ -4704,10 +4658,9 @@ CONFIG_LKDTM=y # CONFIG_TEST_BPF is not set # CONFIG_TEST_FIRMWARE is not set # CONFIG_TEST_UDELAY is not set -CONFIG_MEMTEST=y -CONFIG_MEMTEST_ENABLE_DEFAULT=0 +# CONFIG_MEMTEST is not set # CONFIG_TEST_STATIC_KEYS is not set -CONFIG_PANIC_ON_DATA_CORRUPTION=y +# CONFIG_PANIC_ON_DATA_CORRUPTION is not set # CONFIG_SAMPLES is not set CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set @@ -4716,22 +4669,21 @@ CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN is not set CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y # CONFIG_STRICT_DEVMEM is not set -CONFIG_ARM64_PTDUMP=y -CONFIG_PID_IN_CONTEXTIDR=y +# CONFIG_ARM64_PTDUMP is not set +# CONFIG_PID_IN_CONTEXTIDR is not set # CONFIG_ARM64_RANDOMIZE_TEXT_OFFSET is not set CONFIG_DEBUG_SET_MODULE_RONX=y -# CONFIG_DEBUG_ALIGN_RODATA is not set +CONFIG_DEBUG_ALIGN_RODATA=y # CONFIG_ARM64_STRICT_BREAK_BEFORE_MAKE is not set CONFIG_CORESIGHT=y CONFIG_CORESIGHT_LINKS_AND_SINKS=y CONFIG_CORESIGHT_LINK_AND_SINK_TMC=y # CONFIG_CORESIGHT_SINK_TPIU is not set # CONFIG_CORESIGHT_SINK_ETBV10 is not set -CONFIG_CORESIGHT_SOURCE_ETM4X=y -CONFIG_CORESIGHT_REMOTE_ETM=y -CONFIG_CORESIGHT_REMOTE_ETM_DEFAULT_ENABLE=0 +# CONFIG_CORESIGHT_SOURCE_ETM4X is not set +# CONFIG_CORESIGHT_REMOTE_ETM is not set CONFIG_CORESIGHT_QCOM_REPLICATOR=y -CONFIG_CORESIGHT_DBGUI=y +# CONFIG_CORESIGHT_DBGUI is not set CONFIG_CORESIGHT_STM=y CONFIG_CORESIGHT_OST=y CONFIG_CORESIGHT_TPDA=y @@ -4866,7 +4818,7 @@ CONFIG_CRYPTO_XCBC=y # Digest # CONFIG_CRYPTO_CRC32C=y -# CONFIG_CRYPTO_CRC32 is not set +CONFIG_CRYPTO_CRC32=y # CONFIG_CRYPTO_CRCT10DIF is not set CONFIG_CRYPTO_GHASH=y # CONFIG_CRYPTO_POLY1305 is not set @@ -5025,7 +4977,6 @@ CONFIG_UCS2_STRING=y # CONFIG_SG_SPLIT is not set CONFIG_SG_POOL=y CONFIG_ARCH_HAS_SG_CHAIN=y -CONFIG_STACKDEPOT=y CONFIG_SBITMAP=y CONFIG_QMI_ENCDEC=y -# CONFIG_QMI_ENCDEC_DEBUG is not set \ No newline at end of file +# CONFIG_QMI_ENCDEC_DEBUG is not set -- GitLab From 785d01c05b23e26ff3a12f279732c3c74f41c41a Mon Sep 17 00:00:00 2001 From: /e/ Date: Fri, 5 Jun 2020 11:21:14 +0200 Subject: [PATCH 19/19] Set CONFIG_HZ to 300 --- arch/arm64/configs/lineageos_FP3_defconfig | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/arm64/configs/lineageos_FP3_defconfig b/arch/arm64/configs/lineageos_FP3_defconfig index 70e66c9608ab..44745463721c 100644 --- a/arch/arm64/configs/lineageos_FP3_defconfig +++ b/arch/arm64/configs/lineageos_FP3_defconfig @@ -442,11 +442,11 @@ CONFIG_ARCH_NR_GPIO=1280 # CONFIG_PREEMPT_VOLUNTARY is not set CONFIG_PREEMPT=y CONFIG_PREEMPT_COUNT=y -CONFIG_HZ_100=y +# CONFIG_HZ_100 is not set # CONFIG_HZ_250 is not set -# CONFIG_HZ_300 is not set +CONFIG_HZ_300=y # CONFIG_HZ_1000 is not set -CONFIG_HZ=100 +CONFIG_HZ=300 CONFIG_SCHED_HRTICK=y CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y CONFIG_ARCH_HAS_HOLES_MEMORYMODEL=y -- GitLab