- Jul 30, 2018
-
-
Linux Build Service Account authored
Change-Id: I789fc0ba1156b8c2443313e095579472e992582b
-
- Jul 25, 2018
-
-
Linux Build Service Account authored
Change-Id: If6b307ce1edc5e70f7da82edaef25dbaf0012342
-
- Jul 24, 2018
-
-
Linux Build Service Account authored
-
Linux Build Service Account authored
-
Linus Torvalds authored
范龙飞 reports that KASAN can report a use-after-free in __lock_acquire. The reason is due to insufficient serialization in lo_release(), which will continue to use the loop device even after it has decremented the lo_refcnt to zero.

In the meantime, another process can come in, open the loop device again as it is being shut down. Confusion ensues.

Change-Id: I7a8d36cf41792ed94536e8110d812425a64b5a1d
Reported-by: 范龙飞 <long7573@126.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-commit: ae665016
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
-
Eric W. Biederman authored
(I can trivially verify that that idr_remove in cleanup_net happens after the network namespace count has dropped to zero --EWB)

Function get_net_ns_by_id() does not check for net::count after it has found a peer in netns_ids idr.

It may dereference a peer, after its count has already been finally decremented. This leads to double free and memory corruption:

  put_net(peer)                                   rtnl_lock()
  atomic_dec_and_test(&peer->count) [count=0]     ...
    __put_net(peer)                               get_net_ns_by_id(net, id)
      spin_lock(&cleanup_list_lock)
      list_add(&net->cleanup_list, &cleanup_list)
      spin_unlock(&cleanup_list_lock)
    queue_work()                                    peer = idr_find(&net->netns_ids, id)
      |                                             get_net(peer) [count=1]
      |                                             ...
      |                                             (use after final put)
      v                                             ...
  cleanup_net()                                     ...
    spin_lock(&cleanup_list_lock)                   ...
    list_replace_init(&cleanup_list, ..)            ...
    spin_unlock(&cleanup_list_lock)                 ...
    ...                                             ...
    ...                                             put_net(peer)
    ...                                               atomic_dec_and_test(&peer->count) [count=0]
    ...                                                 spin_lock(&cleanup_list_lock)
    ...                                                 list_add(&net->cleanup_list, &cleanup_list)
    ...                                                 spin_unlock(&cleanup_list_lock)
    ...                                               queue_work()
    ...                                             rtnl_unlock()
    rtnl_lock()                                     ...
    for_each_net(tmp) {                             ...
      id = __peernet2id(tmp, peer)                  ...
      spin_lock_irq(&tmp->nsid_lock)                ...
      idr_remove(&tmp->netns_ids, id)               ...
      ...                                           ...
      net_drop_ns()                                 ...
        net_free(peer)                              ...
    }                                               ...
  |
  v
  cleanup_net()
    ...
    (Second free of peer)

Also, put_net() on the right cpu may reorder with left's cpu list_replace_init(&cleanup_list, ..), and then cleanup_list will be corrupted.

Since cleanup_net() is executed in worker thread, while put_net(peer) can happen everywhere, there should be enough time for concurrent get_net_ns_by_id() to pick the peer up, and the race does not seem to be unlikely. The patch fixes the problem in standard way.

(Also, there is possible problem in peernet2id_alloc(), which requires check for net::count under nsid_lock and maybe_get_net(peer), but in current stable kernel it's used under rtnl_lock() and it has to be safe. Openswitch began to use peernet2id_alloc(), and possibly it should be fixed too. While this is not in stable kernel yet, so I'll send a separate message to netdev@ later).

Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Fixes: 0c7aecd4 "netns: add rtnl cmd to add and get peer netns ids"
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: I1df8b4f6c4c93b3751e44d62db9afc10b3673d00
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-commit: 21b59443
[dcagle@codeaurora.org: Resolve trivial merge conflict]
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
-
Mohit Aggarwal authored
Currently, mask pointers are not updated in case peripherals are supporting more mask tables. The patch updates the mask pointers properly.

Change-Id: I1360c722076fca0215e0ccd28247c4741a1ebd88
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
-
- Jul 23, 2018
-
-
Linux Build Service Account authored
-
Tharun Kumar Merugu authored
Destroy mutex before file free, to avoid use after free of mutex.

Change-Id: I4ff73dc17b15043eacbb299219a379bfd1a8efa6
Acked-by: Himateja Reddy <hmreddy@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
-
Tharun Kumar Merugu authored
Remove the use of dmac_flush_range for userspace buffers and add msm_ion_do_cache_op for flushing user space buffers.

Change-Id: Ice73eafac840bd1cabee0a2bfc8a641832a7d0c8
Acked-by: Bharath Kumar <bkumar@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
-
- Jul 17, 2018
-
-
Linux Build Service Account authored
-
Linux Build Service Account authored
-
- Jul 16, 2018
-
-
Gaurav Kohli authored
While setting enable bit of spi interrupt, there is chance of enabling spurious interrupt which is by default disabled for soc. So instead of setting, restore the previous state of enable bit.

Change-Id: Ie6e363f04864fc6e36be83ebd20b19b5e6b45f54
Signed-off-by: Gaurav Kohli <gkohli@codeaurora.org>
-
Linux Build Service Account authored
Change-Id: Ibb25d0da74a1d831d84d695c243146dd22765e73
-
Linux Build Service Account authored
-
Lingutla Chandrasekhar authored
commit c52232a4 upstream.

On CPU hotunplug the enqueued timers of the unplugged CPU are migrated to a live CPU. This happens from the control thread which initiated the unplug.

If the CPU on which the control thread runs came out from a longer idle period then the base clock of that CPU might be stale because the control thread runs prior to any event which forwards the clock.

In such a case the timers from the unplugged CPU are queued on the live CPU based on the stale clock which can cause large delays due to increased granularity of the outer timer wheels which are far away from base::clock.

But there is a worse problem than that. The following sequence of events illustrates it:

 - CPU0 timer1 is queued expires = 59969 and base->clk = 59131.
   The timer is queued at wheel level 2, with resulting expiry time = 60032 (due to level granularity).
 - CPU1 enters idle @60007, with next timer expiry @60020.
 - CPU0 is hotplugged at @60009
 - CPU1 exits idle and runs the control thread which migrates the timers from CPU0
   timer1 is now queued in level 0 for immediate handling in the next softirq because the requested expiry time 59969 is before CPU1 base->clk 60007
 - CPU1 runs code which forwards the base clock which succeeds because the next expiring timer, which was collected at idle entry time is still set to 60020.
   So it forwards beyond 60007 and therefore misses to expire the migrated timer1. That timer gets expired when the wheel wraps around again, which takes between 63 and 630ms depending on the HZ setting.

Address both problems by invoking forward_timer_base() for the control CPUs timer base. All other places, which might run into a similar problem (mod_timer()/add_timer_on()) already invoke forward_timer_base() to avoid that.

[ tglx: Massaged comment and changelog ]

Change-Id: Ied68e3e2f7d429b6da90d645bfbe3293e01601e5
Fixes: a683f390 ("timers: Forward the wheel clock whenever possible")
Co-developed-by: Neeraj Upadhyay <neeraju@codeaurora.org>
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
Signed-off-by: Lingutla Chandrasekhar <clingutla@codeaurora.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
Cc: linux-arm-msm@vger.kernel.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180118115022.6368-1-clingutla@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: c52232a4
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[gkohli@codeaurora: Resolve trivial merge conflicts]
Signed-off-by: Gaurav Kohli <gkohli@codeaurora.org>
-
- Jul 11, 2018
-
-
Neeraj Upadhyay authored
Clear all saved restore configuration, and changed spi configuration, from prior save/restore.

Change-Id: Ic750b39d95d074d911406cf44b295c251532e40e
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
-
- Jul 09, 2018
-
-
Mahesh Sivasubramanian authored
Some of the GICD registers could be read in and stored as zeros if an interrupt is triggered around the same time as the system sleep. The pending state of the interrupt would be latched but the configuration registers for the interrupt is reset. To ensure that the interrupt triggers, restore the interrupts configuration around System sleep notification.

Change-Id: Ib04720241e8fa4382383bd08897c4e19aaaded8c
Signed-off-by: Mahesh Sivasubramanian <msivasub@codeaurora.org>
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
-
Neeraj Upadhyay authored
Provide api to save/restore GICD state for SPIs. SPI configuration is restored for GICD_ICFGR, GICD_ISENABLER, GICD_IPRIORITYR, GICD_IROUTER registers.

Following is the sequence for restore:

1. For SPIs, check whether any of GICD_ICFGR, GICD_ISENABLER, GICD_IPRIORITYR, GICD_IROUTER, current configuration is different from saved configuration.

For all irqs, with mismatched configurations,

2. Set GICD_ICENABLER and wait for its completion.
3. Restore any changed GICD_ICFGR, GICD_IPRIORITYR, GICD_IROUTER configurations.
4. Set GICD_ICACTIVER.
5. Set pending for the interrupt.
6. Enable interrupt and wait for its completion.

Change-Id: I31cd5eb8c3226dcdfd474bc88b91c1cb5ca909e6
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
Signed-off-by: Channagoud Kadabi <ckadabi@codeaurora.org>
-
Linux Build Service Account authored
Change-Id: I25e45f1d2072d218a8002609d6e3480735b7663a
-
- Jul 06, 2018
-
-
Odelu Kukatla authored
CX GDSC has a parent supply which is required to be enabled before turning on CX GDSC; therefore, specify VDD_CX as the parent supply for CX GDSC. Also update the min level for VDD_CX regulator.

Change-Id: If770109a03152e98183930289556d6c3cf6ec497
Signed-off-by: Odelu Kukatla <okukatla@codeaurora.org>
-
Linux Build Service Account authored
-
Linux Build Service Account authored
-
Linux Build Service Account authored
-
- Jul 05, 2018
-
-
Linux Build Service Account authored
-
Karthik Anantha Ram authored
As part of shutdown when we free the power settings we should assign the pointer to NULL. And in power down we validate the settings.

Change-Id: I7abe11548e211dfd89387069191234488dcfd0ce
Signed-off-by: Karthik Anantha Ram <kartanan@codeaurora.org>
-
Linux Build Service Account authored
-
Linux Build Service Account authored
-
Linux Build Service Account authored
-
- Jul 04, 2018
-
-
Deepak Kumar authored
Wait for GMU to move to ACTIVE state before triggering preemption. This is required to make sure CP doesn't interrupt GMU during wake-up from IFPC.

Change-Id: I9c8ee07a4887deb30483b5523585d547b5d38806
Signed-off-by: Deepak Kumar <dkumar@codeaurora.org>
-
Deepak Kumar authored
Currently, GMU recovery for preemption and performance counter OOB set failures is not getting triggered. Enable this to make sure GMU snapshot is dumped and recovery happens for these failures.

Change-Id: Ie4084c236957538d396cfb504f50d7b325a5743d
Signed-off-by: Deepak Kumar <dkumar@codeaurora.org>
-
Deepak Kumar authored
On GMU recovery failure, kgsl clears the GMU_FAULT bit and also restores the kgsl state to original state from which GMU/GPU wake up was triggered to make sure any attempt to wake GMU/GPU after this is treated as a fresh start/hard reset. But on recovery failure, GMU HS, clocks and IRQ are still ON/enabled because of which any attempt of GMU/GPU wakeup results in multiple warnings from GMU start as HS, clocks and IRQ are still ON while doing a fresh start i.e. wake up from SLUMBER.

Suspend the GMU on recovery failure to make sure next attempt to wake up GMU/GPU is indeed a fresh start/hard reset.

Change-Id: Ib0ffa8e19bbcf6ace1c438ec04275f7aabddce1b
Signed-off-by: Deepak Kumar <dkumar@codeaurora.org>
-
Deepak Kumar authored
RSCC wake-up sequence should only be triggered if RSCC sleep sequence was done earlier i.e. they should always be balanced to make sure GMU FW, RSCC and PDC state are in sync. Add GMU_RSCC_SLEEP_SEQ_DONE GMU flag to track whether RSCC sleep sequence was done or not and trigger sleep and wake-up sequence based on this flag to make sure they are always balanced.

Change-Id: I78d8be52a770bd6e939da91fa68b6fd01f10034e
Signed-off-by: Deepak Kumar <dkumar@codeaurora.org>
-
Harshdeep Dhatt authored
This is needed in order to avoid the spurious interrupts seen during preemption.

Change-Id: Id8a465d1d3ea5b6994ab36d24d0efa1a84c9c6b6
Signed-off-by: Harshdeep Dhatt <hdhatt@codeaurora.org>
Signed-off-by: Deepak Kumar <dkumar@codeaurora.org>
-
Oleg Perelet authored
Use usleep_delay when waiting for CX votes to be removed, usleep_delay will yield control to other RT threads.

Signed-off-by: Oleg Perelet <operelet@codeaurora.org>
Change-Id: Ia305dfe1e051a8fb603da595ad1e1cbcfc9f285c
Signed-off-by: George Shen <sqiao@codeaurora.org>
Signed-off-by: Deepak Kumar <dkumar@codeaurora.org>
-
George Shen authored
Unbalanced OOB set and clear function calls may cause undefined GMU behavior and result in system failure.

Change-Id: Idc1aa69787726de701fe32a9578bbbe158d271a6
Signed-off-by: George Shen <sqiao@codeaurora.org>
Signed-off-by: Deepak Kumar <dkumar@codeaurora.org>
-
AnilKumar Chimata authored
If ice_fde_flag is not configured which means older design is in-place. New logic is added to handle old scenario to avoid boot up issues.

Change-Id: I0dce89c0665bdc41e0d6c50f0b1f777b22e4d4d5
Signed-off-by: AnilKumar Chimata <anilc@codeaurora.org>
-
AnilKumar Chimata authored
During the device encryption the vold daemon sends sectors to drivers. Encryption has to be done only for the data partition sectors which are passed from user space.

Change-Id: I701359a11cfb1574192badb23b92fec5bf4ad488
Signed-off-by: AnilKumar Chimata <anilc@codeaurora.org>
-
Niranjan Reddy Dumbala authored
Correct copyright year which got introduced in commit 929de822.

Change-Id: I9399cff801d1430b5dd5e48c92651fcc8d754e93
Signed-off-by: Niranjan Reddy Dumbala <dnreddy@codeaurora.org>
-
- Jul 03, 2018
-
-
Niranjan Reddy Dumbala authored
Change-Id: I909b52618a200eb49f892186ef13978f87ece296
Signed-off-by: Niranjan Reddy Dumbala <dnreddy@codeaurora.org>
-