January 2024 - Linux-stable-mirror

Re: [PATCH v2 05/28] binder: fix unused alloc->free_async_space

by Carlos Llamas

On Fri, Dec 01, 2023 at 05:21:34PM +0000, Carlos Llamas wrote: > Each transaction is associated with a 'struct binder_buffer' that stores > the metadata about its buffer area. Since commit 74310e06be4d ("android: > binder: Move buffer out of area shared with user space") this struct is > no longer embedded within the buffer itself but is instead allocated on > the heap to prevent userspace access to this driver-exclusive info. > > Unfortunately, the space of this struct is still being accounted for in > the total buffer size calculation, specifically for async transactions. > This results in an additional 104 bytes added to every async buffer > request, and this area is never used. > > This wasted space can be substantial. If we consider the maximum mmap > buffer space of SZ_4M, the driver will reserve half of it for async > transactions, or 0x200000. This area should, in theory, accommodate up > to 262,144 buffers of the minimum 8-byte size. However, after adding > the extra 'sizeof(struct binder_buffer)', the total number of buffers > drops to only 18,724, which is a sad 7.14% of the actual capacity. > > This patch fixes the buffer size calculation to enable the utilization > of the entire async buffer space. This is expected to reduce the number > of -ENOSPC errors that are seen on the field. > > Fixes: 74310e06be4d ("android: binder: Move buffer out of area shared with user space") > Signed-off-by: Carlos Llamas <cmllamas(a)google.com> > --- Sorry, I forgot to Cc: stable(a)vger.kernel.org. -- Carlos Llamas

1 year, 1 month

2
6
0 0

[PATCH v4 2/4] ASoC: qcom: sc8280xp: limit speaker volumes

by Johan Hovold

The UCM configuration for the Lenovo ThinkPad X13s has up until now been setting the speaker PA volume to the minimum -3 dB when enabling the speakers, but this does not prevent the user from increasing the volume further. Limit the digital gain and PA volumes to a combined -3 dB in the machine driver to reduce the risk of speaker damage until we have active speaker protection in place (or higher safe levels have been established). Note that the PA volume limit cannot be set lower than 0 dB or PulseAudio gets confused when the first 16 levels all map to -3 dB. Also note that this will probably need to be generalised using machine-specific limits, but a common limit should do for now. Cc: stable(a)vger.kernel.org # 6.5 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- sound/soc/qcom/sc8280xp.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/sound/soc/qcom/sc8280xp.c b/sound/soc/qcom/sc8280xp.c index ed4bb551bfbb..b7fd503a1666 100644 --- a/sound/soc/qcom/sc8280xp.c +++ b/sound/soc/qcom/sc8280xp.c @@ -32,12 +32,14 @@ static int sc8280xp_snd_init(struct snd_soc_pcm_runtime *rtd) case WSA_CODEC_DMA_RX_0: case WSA_CODEC_DMA_RX_1: /* - * set limit of 0dB on Digital Volume for Speakers, - * this can prevent damage of speakers to some extent without - * active speaker protection + * Set limit of -3 dB on Digital Volume and 0 dB on PA Volume + * to reduce the risk of speaker damage until we have active + * speaker protection in place. */ - snd_soc_limit_volume(card, "WSA_RX0 Digital Volume", 84); - snd_soc_limit_volume(card, "WSA_RX1 Digital Volume", 84); + snd_soc_limit_volume(card, "WSA_RX0 Digital Volume", 81); + snd_soc_limit_volume(card, "WSA_RX1 Digital Volume", 81); + snd_soc_limit_volume(card, "SpkrLeft PA Volume", 17); + snd_soc_limit_volume(card, "SpkrRight PA Volume", 17); break; default: break; -- 2.41.0

1 year, 1 month

3
7
0 0

[PATCH v5 3/4] ASoC: codecs: lpass-wsa-macro: fix compander volume hack

by Johan Hovold

The LPASS WSA macro codec driver is updating the digital gain settings behind the back of user space on DAPM events if companding has been enabled. As compander control is exported to user space, this can result in the digital gain setting being incremented (or decremented) every time the sound server is started and the codec suspended depending on what the UCM configuration looks like. Soon enough playback will become distorted (or too quiet). This is specifically a problem on the Lenovo ThinkPad X13s as this bypasses the limit for the digital gain setting that has been set by the machine driver. Fix this by simply dropping the compander gain offset hack. If someone cares about modelling the impact of the compander setting this can possibly be done by exporting it as a volume control later. Note that the volume registers still need to be written after enabling clocks in order for any prior updates to take effect. Fixes: 2c4066e5d428 ("ASoC: codecs: lpass-wsa-macro: add dapm widgets and route") Cc: stable(a)vger.kernel.org # 5.11 Cc: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- sound/soc/codecs/lpass-wsa-macro.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/sound/soc/codecs/lpass-wsa-macro.c b/sound/soc/codecs/lpass-wsa-macro.c index 7e21cec3c2fb..6ce309980cd1 100644 --- a/sound/soc/codecs/lpass-wsa-macro.c +++ b/sound/soc/codecs/lpass-wsa-macro.c @@ -1584,7 +1584,6 @@ static int wsa_macro_enable_interpolator(struct snd_soc_dapm_widget *w, u16 gain_reg; u16 reg; int val; - int offset_val = 0; struct wsa_macro *wsa = snd_soc_component_get_drvdata(component); if (w->shift == WSA_MACRO_COMP1) { @@ -1623,10 +1622,8 @@ static int wsa_macro_enable_interpolator(struct snd_soc_dapm_widget *w, CDC_WSA_RX1_RX_PATH_MIX_SEC0, CDC_WSA_RX_PGA_HALF_DB_MASK, CDC_WSA_RX_PGA_HALF_DB_ENABLE); - offset_val = -2; } val = snd_soc_component_read(component, gain_reg); - val += offset_val; snd_soc_component_write(component, gain_reg, val); wsa_macro_config_ear_spkr_gain(component, wsa, event, gain_reg); @@ -1654,10 +1651,6 @@ static int wsa_macro_enable_interpolator(struct snd_soc_dapm_widget *w, CDC_WSA_RX1_RX_PATH_MIX_SEC0, CDC_WSA_RX_PGA_HALF_DB_MASK, CDC_WSA_RX_PGA_HALF_DB_DISABLE); - offset_val = 2; - val = snd_soc_component_read(component, gain_reg); - val += offset_val; - snd_soc_component_write(component, gain_reg, val); } wsa_macro_config_ear_spkr_gain(component, wsa, event, gain_reg); -- 2.43.0

1 year, 1 month

1
0
0 0

[PATCH v5 2/4] ASoC: qcom: sc8280xp: limit speaker volumes

by Johan Hovold

The UCM configuration for the Lenovo ThinkPad X13s has up until now been setting the speaker PA volume to the minimum -3 dB when enabling the speakers, but this does not prevent the user from increasing the volume further. Limit the digital gain and PA volumes to a combined -3 dB in the machine driver to reduce the risk of speaker damage until we have active speaker protection in place (or higher safe levels have been established). Note that the PA volume limit cannot be set lower than 0 dB or PulseAudio gets confused when the first 16 levels all map to -3 dB. Also note that this will probably need to be generalised using machine-specific limits, but a common limit should do for now. Cc: stable(a)vger.kernel.org # 6.5 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- sound/soc/qcom/sc8280xp.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/sound/soc/qcom/sc8280xp.c b/sound/soc/qcom/sc8280xp.c index ed4bb551bfbb..b7fd503a1666 100644 --- a/sound/soc/qcom/sc8280xp.c +++ b/sound/soc/qcom/sc8280xp.c @@ -32,12 +32,14 @@ static int sc8280xp_snd_init(struct snd_soc_pcm_runtime *rtd) case WSA_CODEC_DMA_RX_0: case WSA_CODEC_DMA_RX_1: /* - * set limit of 0dB on Digital Volume for Speakers, - * this can prevent damage of speakers to some extent without - * active speaker protection + * Set limit of -3 dB on Digital Volume and 0 dB on PA Volume + * to reduce the risk of speaker damage until we have active + * speaker protection in place. */ - snd_soc_limit_volume(card, "WSA_RX0 Digital Volume", 84); - snd_soc_limit_volume(card, "WSA_RX1 Digital Volume", 84); + snd_soc_limit_volume(card, "WSA_RX0 Digital Volume", 81); + snd_soc_limit_volume(card, "WSA_RX1 Digital Volume", 81); + snd_soc_limit_volume(card, "SpkrLeft PA Volume", 17); + snd_soc_limit_volume(card, "SpkrRight PA Volume", 17); break; default: break; -- 2.43.0

1 year, 1 month

1
0
0 0

[PATCH v5 1/4] ASoC: codecs: wsa883x: fix PA volume control

by Johan Hovold

The PA gain can be set in steps of 1.5 dB from -3 dB to 18 dB, that is, in 15 levels. Fix the dB values for the PA volume control as experiments using wsa8835 show that the first 16 levels all map to the same lowest gain while the last three map to the highest gain. These values specifically need to be correct for the sound server to provide proper volume control. Note that level 0 (-3 dB) does not mute the PA so the mute flag should also not be set. Fixes: cdb09e623143 ("ASoC: codecs: wsa883x: add control, dapm widgets and map") Cc: stable(a)vger.kernel.org # 6.0 Cc: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- sound/soc/codecs/wsa883x.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/sound/soc/codecs/wsa883x.c b/sound/soc/codecs/wsa883x.c index cb83c569e18d..a2e86ef7d18f 100644 --- a/sound/soc/codecs/wsa883x.c +++ b/sound/soc/codecs/wsa883x.c @@ -1098,7 +1098,11 @@ static int wsa_dev_mode_put(struct snd_kcontrol *kcontrol, return 1; } -static const DECLARE_TLV_DB_SCALE(pa_gain, -300, 150, -300); +static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(pa_gain, + 0, 14, TLV_DB_SCALE_ITEM(-300, 0, 0), + 15, 29, TLV_DB_SCALE_ITEM(-300, 150, 0), + 30, 31, TLV_DB_SCALE_ITEM(1800, 0, 0), +); static int wsa883x_get_swr_port(struct snd_kcontrol *kcontrol, struct snd_ctl_elem_value *ucontrol) -- 2.43.0

1 year, 1 month

1
0
0 0

[PATCH AUTOSEL 6.7 01/88] f2fs: fix to check return value of f2fs_reserve_new_block()

by Sasha Levin

From: Chao Yu <chao(a)kernel.org> [ Upstream commit 956fa1ddc132e028f3b7d4cf17e6bfc8cb36c7fd ] Let's check return value of f2fs_reserve_new_block() in do_recover_data() rather than letting it fails silently. Also refactoring check condition on return value of f2fs_reserve_new_block() as below: - trigger f2fs_bug_on() only for ENOSPC case; - use do-while statement to avoid redundant codes; Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/f2fs/recovery.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c index b56d0f1078a7..16415c770b45 100644 --- a/fs/f2fs/recovery.c +++ b/fs/f2fs/recovery.c @@ -712,7 +712,16 @@ static int do_recover_data(struct f2fs_sb_info *sbi, struct inode *inode, */ if (dest == NEW_ADDR) { f2fs_truncate_data_blocks_range(&dn, 1); - f2fs_reserve_new_block(&dn); + do { + err = f2fs_reserve_new_block(&dn); + if (err == -ENOSPC) { + f2fs_bug_on(sbi, 1); + break; + } + } while (err && + IS_ENABLED(CONFIG_F2FS_FAULT_INJECTION)); + if (err) + goto err; continue; } @@ -720,12 +729,14 @@ static int do_recover_data(struct f2fs_sb_info *sbi, struct inode *inode, if (f2fs_is_valid_blkaddr(sbi, dest, META_POR)) { if (src == NULL_ADDR) { - err = f2fs_reserve_new_block(&dn); - while (err && - IS_ENABLED(CONFIG_F2FS_FAULT_INJECTION)) + do { err = f2fs_reserve_new_block(&dn); - /* We should not get -ENOSPC */ - f2fs_bug_on(sbi, err); + if (err == -ENOSPC) { + f2fs_bug_on(sbi, 1); + break; + } + } while (err && + IS_ENABLED(CONFIG_F2FS_FAULT_INJECTION)); if (err) goto err; } -- 2.43.0

1 year, 1 month

2
88
0 0

Re: [PATCH v2 03/28] binder: fix race between mmput() and do_exit()

by Carlos Llamas

On Fri, Dec 01, 2023 at 05:21:32PM +0000, Carlos Llamas wrote: > Task A calls binder_update_page_range() to allocate and insert pages on > a remote address space from Task B. For this, Task A pins the remote mm > via mmget_not_zero() first. This can race with Task B do_exit() and the > final mmput() refcount decrement will come from Task A. > > Task A | Task B > ------------------+------------------ > mmget_not_zero() | > | do_exit() > | exit_mm() > | mmput() > mmput() | > exit_mmap() | > remove_vma() | > fput() | > > In this case, the work of ____fput() from Task B is queued up in Task A > as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup > work gets executed. However, Task A instead sleep, waiting for a reply > from Task B that never comes (it's dead). > > This means the binder_deferred_release() is blocked until an unrelated > binder event forces Task A to go back to userspace. All the associated > death notifications will also be delayed until then. > > In order to fix this use mmput_async() that will schedule the work in > the corresponding mm->async_put_work WQ instead of Task A. > > Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") > Reviewed-by: Alice Ryhl <aliceryhl(a)google.com> > Signed-off-by: Carlos Llamas <cmllamas(a)google.com> > --- Sorry, I forgot to Cc: stable(a)vger.kernel.org. -- Carlos Llamas

1 year, 1 month

2
5
0 0

[PATCH 5.4.y 1/2] binder: fix race between mmput() and do_exit()

by Carlos Llamas

commit 9a9ab0d963621d9d12199df9817e66982582d5a5 upstream. Task A calls binder_update_page_range() to allocate and insert pages on a remote address space from Task B. For this, Task A pins the remote mm via mmget_not_zero() first. This can race with Task B do_exit() and the final mmput() refcount decrement will come from Task A. Task A | Task B ------------------+------------------ mmget_not_zero() | | do_exit() | exit_mm() | mmput() mmput() | exit_mmap() | remove_vma() | fput() | In this case, the work of ____fput() from Task B is queued up in Task A as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup work gets executed. However, Task A instead sleep, waiting for a reply from Task B that never comes (it's dead). This means the binder_deferred_release() is blocked until an unrelated binder event forces Task A to go back to userspace. All the associated death notifications will also be delayed until then. In order to fix this use mmput_async() that will schedule the work in the corresponding mm->async_put_work WQ instead of Task A. Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") Reviewed-by: Alice Ryhl <aliceryhl(a)google.com> Signed-off-by: Carlos Llamas <cmllamas(a)google.com> Link: https://lore.kernel.org/r/20231201172212.1813387-4-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [cmllamas: fix trivial conflict with missing d8ed45c5dcd4.] Signed-off-by: Carlos Llamas <cmllamas(a)google.com> --- drivers/android/binder_alloc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c index d0d422b5e243..d2c887d96d33 100644 --- a/drivers/android/binder_alloc.c +++ b/drivers/android/binder_alloc.c @@ -272,7 +272,7 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate, } if (mm) { up_write(&mm->mmap_sem); - mmput(mm); + mmput_async(mm); } return 0; @@ -305,7 +305,7 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate, err_no_vma: if (mm) { up_write(&mm->mmap_sem); - mmput(mm); + mmput_async(mm); } return vma ? -ENOMEM : -ESRCH; } base-commit: 9153fc9664959aa6bb35915b2bbd8fbc4c762962 prerequisite-patch-id: 040c7991c3b5fb63a9d12350a1400c91a057f7d5 -- 2.43.0.429.g432eaa2c6b-goog

1 year, 1 month

1
1
0 0

[PATCH 5.10/5.15] jfs: add check if log->bdev is NULL in lbmStartIO()

by Mikhail Ukhin

Fuzzing of 5.10 stable branch shows NULL pointer dereference happens in lbmStartIO() on log->bdev pointer. The reason for bdev being NULL is the JFS_NOINTEGRITY flag is set on mount of this fs. When this flag is enabled, it results in the open_dummy_log function being called, which initializes a new dummy_log, but does not assign a value to bdev. The error is fixed in 5.18 by commit 07888c665b405b1cd3577ddebfeb74f4717a84c4. Backport of this commit is too intrusive, so it is more reasonable to apply a small patch to fix this issue. Found by Linux Verification Center (linuxtesting.org) with syzkaller. Signed-off-by: Mikhail Ukhin <mish.uxin2012(a)yandex.ru> Signed-off-by: Mikhail Ivanov <iwanov-23(a)bk.ru> Signed-off-by: Pavel Koshutin <koshutin.pavel(a)yandex.ru> Signed-off-by: Artem Sadovnikov <ancowi69(a)gmail.com> --- fs/jfs/jfs_logmgr.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index 78fd136ac13b..d6f0fea96ba1 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1983,7 +1983,8 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp) bio = bio_alloc(GFP_NOFS, 1); bio->bi_iter.bi_sector = bp->l_blkno << (log->l2bsize - 9); - bio_set_dev(bio, log->bdev); + if (log->bdev != NULL) + bio_set_dev(bio, log->bdev); bio_add_page(bio, bp->l_page, LOGPSIZE, bp->l_offset); BUG_ON(bio->bi_iter.bi_size != LOGPSIZE); @@ -2127,7 +2128,8 @@ static void lbmStartIO(struct lbuf * bp) bio = bio_alloc(GFP_NOFS, 1); bio->bi_iter.bi_sector = bp->l_blkno << (log->l2bsize - 9); - bio_set_dev(bio, log->bdev); + if (log->bdev != NULL) + bio_set_dev(bio, log->bdev); bio_add_page(bio, bp->l_page, LOGPSIZE, bp->l_offset); BUG_ON(bio->bi_iter.bi_size != LOGPSIZE); -- 2.25.1

1 year, 1 month

3
3
0 0

[PATCH 5.10.y 1/1] net: ethernet: mtk_eth_soc: remove duplicate if statements

by Chukun Pan

It seems that there was something wrong with backport, causing `if (err)` to appear twice in the same place. Fixes: da86a63479e ("net: ethernet: mtk_eth_soc: fix error handling in mtk_open()") Signed-off-by: Chukun Pan <amadeus(a)jmu.edu.cn> --- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c index aa9e616cc1d5..011210e6842d 100644 --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c @@ -2302,7 +2302,6 @@ static int mtk_open(struct net_device *dev) if (!refcount_read(&eth->dma_refcnt)) { int err = mtk_start_dma(eth); - if (err) if (err) { phylink_disconnect_phy(mac->phylink); return err; -- 2.25.1

1 year, 1 month

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2024