Merge tag 'LA.UM.9.14.r1-21600-LAHAINA.QSSI14.0' of https://git.codel…

…inaro.org/clo/la/kernel/msm-5.4 into upstream-merge

"LA.UM.9.14.r1-21600-LAHAINA.QSSI14.0"

* tag 'LA.UM.9.14.r1-21600-LAHAINA.QSSI14.0' of https://git.codelinaro.org/clo/la/kernel/msm-5.4:
  msm: kgsl: Keep postamble packets in a privileged buffer
  msm: kgsl: Check user generated timestamp before queuing drawobjs
  msm: ipa3: add ioctl interface for dual backhaul
  dwc3: Add check for sg queued trbs while reclaiming
  soc: spcom: Addressing KASAN issue slab-out-of-bounds
  clk: qcom: gcc: Add support for edp ref clock for Yupik
  clk: qcom: gcc: Add support for EDP Ref clock Yupik
  msm: Add config option for Realtek R8168 driver
  msm: synx: Check for zero before reducing bind handles
  ANDROID: mm/filemap: Fix missing put_page() for speculative page fault
  BACKPORT: FROMGIT: cgroup: Use separate src/dst nodes when preloading css_sets for migration
  ANDROID: Re-enable fast mremap and fix UAF with SPF
  ANDROID: mm: fix invalid backport in speculative page fault path
  ANDROID: disable page table moves when speculative page faults are enabled
  ANDROID: mm: assert that mmap_lock is taken exclusively in vm_write_begin
  ANDROID: mm: remove sequence counting when mmap_lock is not exclusively owned
  ANDROID: mm/khugepaged: add missing vm_write_{begin|end}
  BACKPORT: FROMLIST: mm: implement speculative handling in filemap_fault()
  ANDROID: mm: prevent reads of unstable pmd during speculation
  ANDROID: mm: prevent speculative page fault handling for in do_swap_page()
  ANDROID: mm: skip pte_alloc during speculative page fault
  i2c-msm-geni: KASAN: use-after-free in __list_add_valid+0x2c/0xc4

Signed-off-by: EndCredits <endcredits@crepuscular-aosp.icu>

android/GKI_VERSION

@@ -1 +1 @@
-LTS_5.4.226_d72fdcc7094f
+LTS_5.4.226_2af3bdf29330

drivers/clk/qcom/gcc-yupik.c

@@ -2173,6 +2173,19 @@ static struct clk_branch gcc_pcie_clkref_en = {
 	},
 };
 
+static struct clk_branch gcc_edp_clkref_en = {
+	.halt_reg = 0x8c008,
+	.halt_check = BRANCH_HALT,
+	.clkr = {
+		.enable_reg = 0x8c008,
+		.enable_mask = BIT(0),
+		.hw.init = &(struct clk_init_data){
+			.name = "gcc_edp_clkref_en",
+			.ops = &clk_branch2_ops,
+		},
+	},
+};
+
 static struct clk_branch gcc_pcie_throttle_core_clk = {
 	.halt_reg = 0x90018,
 	.halt_check = BRANCH_HALT_SKIP,
@@ -3510,6 +3523,7 @@ static struct clk_regmap *gcc_yupik_clocks[] = {
 	[GCC_VIDEO_AXI0_CLK] = &gcc_video_axi0_clk.clkr,
 	[GCC_VIDEO_MVP_THROTTLE_CORE_CLK] =
 		&gcc_video_mvp_throttle_core_clk.clkr,
+	[GCC_EDP_CLKREF_EN] = &gcc_edp_clkref_en.clkr,
 };
 
 static const struct qcom_reset_map gcc_yupik_resets[] = {

drivers/gpu/msm/adreno.h

@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: GPL-2.0-only */
 /*
  * Copyright (c) 2008-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2023, Qualcomm Innovation Center, Inc. All rights reserved.
  */
 #ifndef __ADRENO_H
 #define __ADRENO_H
@@ -16,9 +16,6 @@
 #include "adreno_ringbuffer.h"
 #include "kgsl_sharedmem.h"
 
-/* Index to preemption scratch buffer to store KMD postamble */
-#define KMD_POSTAMBLE_IDX 100
-
 /* ADRENO_DEVICE - Given a kgsl_device return the adreno device struct */
 #define ADRENO_DEVICE(device) \
 		container_of(device, struct adreno_device, dev)

drivers/gpu/msm/adreno_a6xx_preempt.c

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
- * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2023, Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 #include "adreno.h"
@@ -553,8 +553,7 @@ unsigned int a6xx_preemption_pre_ibsubmit(
 
 		/* Add a KMD post amble to clear the perf counters during preemption */
 		if (!adreno_dev->perfcounter) {
-			u64 kmd_postamble_addr =
-					PREEMPT_SCRATCH_ADDR(adreno_dev, KMD_POSTAMBLE_IDX);
+			u64 kmd_postamble_addr = SCRATCH_POSTAMBLE_ADDR(KGSL_DEVICE(adreno_dev));
 
 			*cmds++ = cp_type7_packet(CP_SET_AMBLE, 3);
 			*cmds++ = lower_32_bits(kmd_postamble_addr);
@@ -695,6 +694,7 @@ static int a6xx_preemption_ringbuffer_init(struct adreno_device *adreno_dev,
 
 int a6xx_preemption_init(struct adreno_device *adreno_dev)
 {
+	u32 flags = ADRENO_FEATURE(adreno_dev, ADRENO_APRIV) ? KGSL_MEMDESC_PRIVILEGED : 0;
 	struct kgsl_device *device = KGSL_DEVICE(adreno_dev);
 	struct kgsl_iommu *iommu = KGSL_IOMMU_PRIV(device);
 	struct adreno_preemption *preempt = &adreno_dev->preempt;
@@ -717,7 +717,7 @@ int a6xx_preemption_init(struct adreno_device *adreno_dev)
 
 	if (IS_ERR_OR_NULL(preempt->scratch)) {
 		preempt->scratch = kgsl_allocate_global(device, PAGE_SIZE,
-			0, 0, 0, "preempt_scratch");
+			0, 0, flags, "preempt_scratch");
 		if (IS_ERR(preempt->scratch))
 			return PTR_ERR(preempt->scratch);
 	}
@@ -733,12 +733,13 @@ int a6xx_preemption_init(struct adreno_device *adreno_dev)
 		return ret;
 
 	/*
-	 * First 8 dwords of the preemption scratch buffer is used to store the address for CP
-	 * to save/restore VPC data. Reserve 11 dwords in the preemption scratch buffer from
-	 * index KMD_POSTAMBLE_IDX for KMD postamble pm4 packets
+	 * First 28 dwords of the device scratch buffer are used to store shadow rb data.
+	 * Reserve 11 dwords in the device scratch buffer from SCRATCH_POSTAMBLE_OFFSET for
+	 * KMD postamble pm4 packets. This should be in *device->scratch* so that userspace
+	 * cannot access it.
 	 */
 	if (!adreno_dev->perfcounter) {
-		u32 *postamble = preempt->scratch->hostptr + (KMD_POSTAMBLE_IDX * sizeof(u64));
+		u32 *postamble = device->scratch->hostptr + SCRATCH_POSTAMBLE_OFFSET;
 		u32 count = 0;
 
 		postamble[count++] = cp_type7_packet(CP_REG_RMW, 3);

drivers/gpu/msm/adreno_hwsched.c

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 #include "adreno.h"
@@ -903,6 +904,23 @@ int adreno_hwsched_queue_cmds(struct kgsl_device_private *dev_priv,
 
 	user_ts = *timestamp;
 
+	/*
+	 * If there is only one drawobj in the array and it is of
+	 * type SYNCOBJ_TYPE, skip comparing user_ts as it can be 0
+	 */
+	if (!(count == 1 && drawobj[0]->type == SYNCOBJ_TYPE) &&
+		(drawctxt->base.flags & KGSL_CONTEXT_USER_GENERATED_TS)) {
+		/*
+		 * User specified timestamps need to be greater than the last
+		 * issued timestamp in the context
+		 */
+		if (timestamp_cmp(drawctxt->timestamp, user_ts) >= 0) {
+			spin_unlock(&drawctxt->lock);
+			kmem_cache_free(jobs_cache, job);
+			return -ERANGE;
+		}
+	}
+
 	for (i = 0; i < count; i++) {
 
 		switch (drawobj[i]->type) {

drivers/gpu/msm/kgsl.h

@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: GPL-2.0-only */
 /*
  * Copyright (c) 2008-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
  */
 #ifndef __KGSL_H
 #define __KGSL_H
@@ -71,6 +72,11 @@
 #define SCRATCH_RPTR_GPU_ADDR(dev, id) \
 	((dev)->scratch->gpuaddr + SCRATCH_RPTR_OFFSET(id))
 
+/* OFFSET to KMD postamble packets in scratch buffer */
+#define SCRATCH_POSTAMBLE_OFFSET (100 * sizeof(u64))
+#define SCRATCH_POSTAMBLE_ADDR(dev) \
+	((dev)->scratch->gpuaddr + SCRATCH_POSTAMBLE_OFFSET)
+
 /* Timestamp window used to detect rollovers (half of integer range) */
 #define KGSL_TIMESTAMP_WINDOW 0x80000000
 

drivers/i2c/busses/i2c-msm-geni.c

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 #include <linux/clk.h>
@@ -136,10 +137,12 @@ struct geni_i2c_dev {
 	bool disable_dma_mode;
 	bool prev_cancel_pending; //Halt cancel till IOS in good state
 	bool is_i2c_rtl_based; /* doing pending cancel only for rtl based SE's */
+	atomic_t is_xfer_in_progress; /* Used to maintain xfer inprogress status */
 };
 
 static struct geni_i2c_dev *gi2c_dev_dbg[MAX_SE];
 static int arr_idx;
+static int geni_i2c_runtime_suspend(struct device *dev);
 
 struct geni_i2c_err_log {
 	int err;
@@ -1052,11 +1055,13 @@ static int geni_i2c_xfer(struct i2c_adapter *adap,
 	int i, ret = 0, timeout = 0;
 
 	gi2c->err = 0;
+	atomic_set(&gi2c->is_xfer_in_progress, 1);
 
 	/* Client to respect system suspend */
 	if (!pm_runtime_enabled(gi2c->dev)) {
 		GENI_SE_ERR(gi2c->ipcl, false, gi2c->dev,
 			"%s: System suspended\n", __func__);
+		atomic_set(&gi2c->is_xfer_in_progress, 0);
 		return -EACCES;
 	}
 
@@ -1068,6 +1073,7 @@ static int geni_i2c_xfer(struct i2c_adapter *adap,
 			pm_runtime_put_noidle(gi2c->dev);
 			/* Set device in suspended since resume failed */
 			pm_runtime_set_suspended(gi2c->dev);
+			atomic_set(&gi2c->is_xfer_in_progress, 0);
 			return ret;
 		}
 	}
@@ -1078,12 +1084,13 @@ static int geni_i2c_xfer(struct i2c_adapter *adap,
 		if (ret) {
 			pm_runtime_mark_last_busy(gi2c->dev);
 			pm_runtime_put_autosuspend(gi2c->dev);
+			atomic_set(&gi2c->is_xfer_in_progress, 0);
 			return ret; //Don't perform xfer is cancel failed
 		}
 	}
 
 	GENI_SE_DBG(gi2c->ipcl, false, gi2c->dev,
-		"n:%d addr:0x%x\n", num, msgs[0].addr);
+		    "n:%d addr:0x%x\n", num, msgs[0].addr);
 
 	gi2c->dbg_num = num;
 	kfree(gi2c->dbg_buf_ptr);
@@ -1268,7 +1275,7 @@ static int geni_i2c_xfer(struct i2c_adapter *adap,
 		pm_runtime_mark_last_busy(gi2c->dev);
 		pm_runtime_put_autosuspend(gi2c->dev);
 	}
-
+	atomic_set(&gi2c->is_xfer_in_progress, 0);
 	gi2c->cur = NULL;
 	GENI_SE_DBG(gi2c->ipcl, false, gi2c->dev,
 		"i2c txn ret:%d, num:%d, err:%d\n", ret, num, gi2c->err);
@@ -1476,10 +1483,10 @@ static int geni_i2c_probe(struct platform_device *pdev)
 		return ret;
 	}
 
+	atomic_set(&gi2c->is_xfer_in_progress, 0);
 	snprintf(boot_marker, sizeof(boot_marker),
-				"M - DRIVER GENI_I2C_%d Ready", gi2c->adap.nr);
+		 "M - DRIVER GENI_I2C_%d Ready", gi2c->adap.nr);
 	place_marker(boot_marker);
-
 	dev_info(gi2c->dev, "I2C probed\n");
 	return 0;
 }
@@ -1489,6 +1496,33 @@ static int geni_i2c_remove(struct platform_device *pdev)
 	struct geni_i2c_dev *gi2c = platform_get_drvdata(pdev);
 	int i;
 
+	if (atomic_read(&gi2c->is_xfer_in_progress)) {
+		GENI_SE_ERR(gi2c->ipcl, true, gi2c->dev,
+			    "%s: Xfer is in progress\n", __func__);
+		return -EBUSY;
+	}
+
+	if (!pm_runtime_status_suspended(gi2c->dev)) {
+		if (geni_i2c_runtime_suspend(gi2c->dev))
+			GENI_SE_ERR(gi2c->ipcl, true, gi2c->dev,
+				    "%s: runtime suspend failed\n", __func__);
+	}
+
+	if (gi2c->se_mode == GSI_ONLY) {
+		if (gi2c->tx_c) {
+			GENI_SE_ERR(gi2c->ipcl, true, gi2c->dev,
+				    "%s: clearing tx dma resource\n", __func__);
+			dma_release_channel(gi2c->tx_c);
+		}
+		if (gi2c->rx_c) {
+			GENI_SE_ERR(gi2c->ipcl, true, gi2c->dev,
+				    "%s: clearing rx dma resource\n", __func__);
+			dma_release_channel(gi2c->rx_c);
+		}
+	}
+
+	pm_runtime_put_noidle(gi2c->dev);
+	pm_runtime_set_suspended(gi2c->dev);
 	pm_runtime_disable(gi2c->dev);
 	i2c_del_adapter(&gi2c->adap);
 
@@ -1594,6 +1628,19 @@ static int geni_i2c_suspend_late(struct device *device)
 	int ret;
 
 	GENI_SE_DBG(gi2c->ipcl, false, gi2c->dev, "%s\n", __func__);
+
+	if (atomic_read(&gi2c->is_xfer_in_progress)) {
+		if (!pm_runtime_status_suspended(gi2c->dev)) {
+			GENI_SE_ERR(gi2c->ipcl, true, gi2c->dev,
+				    ":%s: runtime PM is active\n", __func__);
+			return -EBUSY;
+		}
+		GENI_SE_ERR(gi2c->ipcl, true, gi2c->dev,
+			    "%s System suspend not allowed while xfer in progress\n",
+			    __func__);
+		return -EBUSY;
+	}
+
 	/* Make sure no transactions are pending */
 	ret = i2c_trylock_bus(&gi2c->adap, I2C_LOCK_SEGMENT);
 	if (!ret) {

drivers/media/platform/msm/synx/synx.c

@@ -870,7 +870,8 @@ int synx_bind(struct synx_session session_id,
 		mutex_lock(&synx_obj->obj_lock);
 		memset(&synx_obj->bound_synxs[bound_idx], 0,
 			sizeof(struct synx_external_desc));
-		synx_obj->num_bound_synxs--;
+		if (synx_obj->num_bound_synxs)
+			synx_obj->num_bound_synxs--;
 		goto free;
 	}
 

drivers/platform/msm/Kconfig

@@ -168,6 +168,16 @@ config R8125
 	  To compile this driver as a module, choose M here: the module
 	  will be called r8125.
 
+config R8168
+	tristate "Realtek R8168 driver"
+	depends on PCI
+	help
+	  This is a 1Gbps ethernet driver for the PCI network cards based on
+	  the Realtek RTL8111K chip. If you have one of those, say Y here.
+
+	  To compile this driver as a module, choose M here: the module
+	  will be called r8168.
+
 config R8125_IOSS
 	tristate "Realtek R8125 IOSS glue driver"
 	depends on R8125

drivers/soc/qcom/spcom.c

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2015-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 /*
@@ -631,8 +632,12 @@ static int spcom_handle_create_channel_command(void *cmd_buf, int cmd_size)
 	mutex_lock(&spcom_dev->chdev_count_lock);
 	ret = spcom_create_channel_chardev(cmd->ch_name, cmd->is_sharable);
 	mutex_unlock(&spcom_dev->chdev_count_lock);
-	if (ret)
-		spcom_pr_err("failed to create ch[%s], ret [%d]\n", cmd->ch_name, ret);
+	if (ret) {
+		if (-EINVAL == ret)
+			spcom_pr_err("failed to create channel, ret [%d]\n", ret);
+		else
+			spcom_pr_err("failed to create ch[%s], ret [%d]\n", cmd->ch_name, ret);
+	}
 
 	return ret;
 }

drivers/usb/dwc3/gadget.c

@@ -3277,7 +3277,13 @@ static int dwc3_gadget_ep_cleanup_completed_request(struct dwc3_ep *dep,
 	 * processed by the core. Hence do not reclaim it until
 	 * it is processed by the core.
 	 */
-	if (req->trb->ctrl & DWC3_TRB_CTRL_HWO) {
+	/*
+	 * If sg transfer are in progress, avoid checking
+	 * HWO bit here as these will get cleared during
+	 * ep reclaim.
+	 */
+	if ((req->trb->ctrl & DWC3_TRB_CTRL_HWO)
+		       && (req->num_queued_sgs == 0))	{
 		dbg_event(0xFF, "PEND TRB", dep->number);
 		return 1;
 	}

include/dt-bindings/clock/qcom,gcc-yupik.h

@@ -177,6 +177,7 @@
 #define GCC_AGGRE_NOC_PCIE_CENTER_SF_AXI_CLK			167
 #define GCC_AGGRE_NOC_PCIE_TBU_CLK				168
 #define GCC_PCIE_CLKREF_EN					169
+#define GCC_EDP_CLKREF_EN					170
 
 /* GCC power domains */
 #define GCC_PCIE_0_GDSC						0

include/uapi/linux/rmnet_ipa_fd_ioctl.h

@@ -37,6 +37,7 @@
 #define WAN_IOCTL_RMV_OFFLOAD_CONNECTION     19
 #define WAN_IOCTL_GET_WAN_MTU                20
 #define WAN_IOCTL_NOTIFY_NAT_MOVE_RES        21
+#define WAN_IOCTL_NOTIFY_DUAL_BACKHAUL_INFO   22
 
 /* User space may not have this defined. */
 #ifndef IFNAMSIZ
@@ -195,6 +196,10 @@ struct wan_ioctl_query_per_client_stats {
 		WAN_IOCTL_ADD_FLT_RULE, \
 		struct ipa_install_fltr_rule_req_msg_v01 *)
 
+#define  WAN_IOC_NOTIFY_DUAL_BACKHAUL_INFO _IOWR(WAN_IOC_MAGIC, \
+		WAN_IOCTL_NOTIFY_DUAL_BACKHAUL_INFO, \
+		struct ipa_eth_backhaul_info_req_msg_v01 *)
+
 #define WAN_IOC_ADD_FLT_RULE_INDEX _IOWR(WAN_IOC_MAGIC, \
 		WAN_IOCTL_ADD_FLT_INDEX, \
 		struct ipa_fltr_installed_notif_req_msg_v01 *)

kernel/cgroup/cgroup.c

@@ -3056,8 +3056,8 @@ static int cgroup_update_dfl_csses(struct cgroup *cgrp)
 	DEFINE_CGROUP_MGCTX(mgctx);
 	struct cgroup_subsys_state *d_css;
 	struct cgroup *dsct;
-	struct ext_css_set *ext_src_set;
 	bool has_tasks;
+	struct ext_css_set *ext_src_set;
 	int ret;
 
 	lockdep_assert_held(&cgroup_mutex);