From 7cc2fcb4ca22681fe6b6017a994816bf70d02fc5 Mon Sep 17 00:00:00 2001
From: Kever Yang <kever.yang@rock-chips.com>
Date: Tue, 28 Sep 2021 14:43:56 +0800
Subject: [PATCH 1/5] ANDROID: GKI: rockchip: Enable symbols for rk81x

Leaf changes summary: 1 artifact changed
Changed leaf types summary: 0 leaf type changed
Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 0 Added function
Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 1 Added variable

1 Added variable:

  [A] 'class* power_supply_class'

Bug: 194515348
Signed-off-by: Kever Yang <kever.yang@rock-chips.com>
Change-Id: I576b9d2ea7b62bd9c91257fa09ee8d2464634b58
---
 android/abi_gki_aarch64.xml      |  2 ++
 android/abi_gki_aarch64_rockchip | 36 +++++++++++++++++++++++++-------
 2 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml
index c862b911aa68..a8d4a6ee8354 100644
--- a/android/abi_gki_aarch64.xml
+++ b/android/abi_gki_aarch64.xml
@@ -5976,6 +5976,7 @@
       <elf-symbol name='pm_power_off_prepare' size='8' type='object-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x1f0cb5bf'/>
       <elf-symbol name='pm_suspend_global_flags' size='4' type='object-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x42635d55'/>
       <elf-symbol name='pm_wq' size='8' type='object-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x7d59dd46'/>
+      <elf-symbol name='power_supply_class' size='8' type='object-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0xdba05b80'/>
       <elf-symbol name='rcu_cpu_stall_suppress' size='4' type='object-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0xb0747ed2'/>
       <elf-symbol name='rcu_cpu_stall_suppress_at_boot' size='4' type='object-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x789c73d9'/>
       <elf-symbol name='reboot_mode' size='4' type='object-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x429c3f9c'/>
@@ -133000,6 +133001,7 @@
         <parameter type-id='c0c93c9e' name='psy' filepath='drivers/power/supply/power_supply_core.c' line='121' column='1'/>
         <return type-id='48b5725f'/>
       </function-decl>
+      <var-decl name='power_supply_class' type-id='67aca04f' mangled-name='power_supply_class' visibility='default' filepath='drivers/power/supply/power_supply_core.c' line='27' column='1' elf-symbol-id='power_supply_class'/>
       <function-decl name='power_supply_find_ocv2cap_table' mangled-name='power_supply_find_ocv2cap_table' filepath='drivers/power/supply/power_supply_core.c' line='905' column='1' visibility='default' binding='global' size-in-bits='64' elf-symbol-id='power_supply_find_ocv2cap_table'>
         <parameter type-id='78ba63ff' name='info' filepath='drivers/power/supply/power_supply_core.c' line='905' column='1'/>
         <parameter type-id='95e97e5e' name='temp' filepath='drivers/power/supply/power_supply_core.c' line='906' column='1'/>
diff --git a/android/abi_gki_aarch64_rockchip b/android/abi_gki_aarch64_rockchip
index 1be34e9ce144..b9ba322a6be6 100644
--- a/android/abi_gki_aarch64_rockchip
+++ b/android/abi_gki_aarch64_rockchip
@@ -1,5 +1,6 @@
 [abi_symbol_list]
 # commonly used symbols
+  add_timer
   add_uevent_var
   aes_encrypt
   alloc_chrdev_region
@@ -42,6 +43,7 @@
   __check_object_size
   __class_create
   class_destroy
+  class_for_each_device
   clk_bulk_disable
   clk_bulk_enable
   clk_bulk_prepare
@@ -128,6 +130,7 @@
   devm_gpiod_get_index
   devm_gpiod_get_index_optional
   devm_gpiod_get_optional
+  devm_gpio_request
   devm_input_allocate_device
   devm_ioremap
   devm_ioremap_resource
@@ -146,6 +149,7 @@
   devm_platform_ioremap_resource_byname
   devm_power_supply_register
   devm_pwm_get
+  devm_regmap_field_alloc
   __devm_regmap_init_i2c
   __devm_regmap_init_mmio_clk
   devm_regulator_bulk_get
@@ -194,7 +198,9 @@
   enable_irq
   extcon_get_edev_by_phandle
   extcon_get_state
+  extcon_register_notifier
   extcon_set_state_sync
+  extcon_unregister_notifier
   failure_tracking
   find_next_bit
   find_next_zero_bit
@@ -216,13 +222,17 @@
   gpiochip_generic_request
   gpiochip_get_data
   gpiod_cansleep
+  gpiod_direction_input
   gpiod_direction_output
   gpiod_get_optional
+  gpiod_get_raw_value
   gpiod_get_value
   gpiod_get_value_cansleep
   gpiod_set_consumer_name
   gpiod_set_value
   gpiod_set_value_cansleep
+  gpiod_to_irq
+  gpio_to_desc
   handle_simple_irq
   hid_debug
   hid_hw_close
@@ -270,8 +280,10 @@
   irq_set_chained_handler_and_data
   irq_set_chip_and_handler_name
   irq_set_chip_data
+  irq_set_irq_type
   irq_set_irq_wake
   jiffies
+  jiffies_to_msecs
   kasan_flag_enabled
   kasprintf
   kernel_neon_begin
@@ -287,6 +299,7 @@
   kstrtoull
   ktime_get
   ktime_get_mono_fast_ns
+  ktime_get_with_offset
   kvfree
   kvmalloc_node
   led_classdev_register_ext
@@ -318,6 +331,7 @@
   mutex_unlock
   no_llseek
   nr_cpu_ids
+  ns_to_timespec64
   nvmem_cell_put
   nvmem_cell_read
   of_address_to_resource
@@ -334,6 +348,7 @@
   of_find_node_by_name
   of_find_property
   of_get_child_by_name
+  of_get_named_gpio_flags
   of_get_next_available_child
   of_get_next_child
   of_get_parent
@@ -389,7 +404,9 @@
   __pm_runtime_suspend
   __pm_runtime_use_autosuspend
   __pm_stay_awake
+  pm_wakeup_ws_event
   power_supply_changed
+  power_supply_class
   power_supply_get_drvdata
   preempt_schedule
   preempt_schedule_notrace
@@ -423,6 +440,9 @@
   register_reboot_notifier
   regmap_bulk_read
   regmap_bulk_write
+  regmap_field_read
+  regmap_field_update_bits_base
+  regmap_irq_get_virq
   regmap_read
   regmap_update_bits_base
   regmap_write
@@ -447,6 +467,10 @@
   reset_control_assert
   reset_control_deassert
   revalidate_disk_size
+  rtc_class_open
+  rtc_read_time
+  rtc_tm_to_time64
+  rtc_valid_tm
   scatterwalk_map_and_copy
   schedule
   schedule_timeout
@@ -752,7 +776,6 @@
   usb_wakeup_enabled_descendants
 
 # required by fan53555.ko
-  gpiod_get_raw_value
   gpiod_set_raw_value
 
 # required by ghash-ce.ko
@@ -860,7 +883,6 @@
 
 # required by leds-gpio.ko
   devm_gpio_request_one
-  gpio_to_desc
 
 # required by ledtrig-heartbeat.ko
   atomic_notifier_chain_unregister
@@ -916,7 +938,6 @@
   ida_free
   init_srcu_struct
   kobject_uevent_env
-  ktime_get_with_offset
   list_sort
   memchr_inv
   param_ops_byte
@@ -1198,6 +1219,11 @@
   regmap_del_irq_chip
   regmap_irq_get_domain
 
+# required by rk818_battery.ko
+  blocking_notifier_call_chain
+  blocking_notifier_chain_register
+  blocking_notifier_chain_unregister
+
 # required by rockchip-iommu.ko
   bus_set_iommu
   device_link_add
@@ -1493,7 +1519,6 @@
   iommu_set_fault_handler
   iommu_unmap
   memblock_free
-  ns_to_timespec64
   of_graph_get_next_endpoint
   of_graph_get_port_by_id
   of_graph_get_remote_port
@@ -1520,7 +1545,6 @@
   devm_rtc_allocate_device
   __rtc_register_device
   rtc_time64_to_tm
-  rtc_tm_to_time64
   rtc_update_irq
 
 # required by sdhci-of-arasan.ko
@@ -1556,7 +1580,6 @@
   fasync_helper
   get_sg_io_hdr
   import_iovec
-  jiffies_to_msecs
   kill_fasync
   __module_get
   nonseekable_open
@@ -1645,7 +1668,6 @@
   devm_get_clk_from_child
   devm_kasprintf
   devm_kvasprintf
-  of_get_named_gpio_flags
   snd_soc_card_jack_new
   snd_soc_dai_set_sysclk
   snd_soc_dai_set_tdm_slot

From 6fbdea577232ca9232d731b11dd167c9be6c1bd9 Mon Sep 17 00:00:00 2001
From: wangting11 <wangting11@xiaomi.com>
Date: Mon, 11 Oct 2021 17:30:16 +0800
Subject: [PATCH 2/5] ANDROID: GKI: update xiaomi symbol list

Leaf changes summary: 1 artifact changed
Changed leaf types summary: 0 leaf type changed
Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 1 Added function
Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variable

1 Added function:

  [A] 'function unsigned long int try_to_free_mem_cgroup_pages(mem_cgroup*, unsigned long int, gfp_t, bool)'

Bug: 202691227
Signed-off-by: ting wang <wangting11@xiaomi.com>
Change-Id: I5274ab355cf01b29b2ec2953856855b4101d868d
---
 android/abi_gki_aarch64.xml    | 8 ++++++++
 android/abi_gki_aarch64_xiaomi | 3 +++
 2 files changed, 11 insertions(+)

diff --git a/android/abi_gki_aarch64.xml b/android/abi_gki_aarch64.xml
index a8d4a6ee8354..99d3d642cfc0 100644
--- a/android/abi_gki_aarch64.xml
+++ b/android/abi_gki_aarch64.xml
@@ -4799,6 +4799,7 @@
       <elf-symbol name='tracing_off' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x7944e0fc'/>
       <elf-symbol name='try_module_get' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x36505ade'/>
       <elf-symbol name='try_to_del_timer_sync' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0xfaf9e645'/>
+      <elf-symbol name='try_to_free_mem_cgroup_pages' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0xbb15d792'/>
       <elf-symbol name='try_wait_for_completion' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0x21ef374c'/>
       <elf-symbol name='tso_build_data' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0xf1a9d575'/>
       <elf-symbol name='tso_build_hdr' type='func-type' binding='global-binding' visibility='default-visibility' is-defined='yes' crc='0xa8551457'/>
@@ -138544,6 +138545,13 @@
         <parameter type-id='9248e67f' name='timer' filepath='kernel/time/timer.c' line='1227' column='1'/>
         <return type-id='95e97e5e'/>
       </function-decl>
+      <function-decl name='try_to_free_mem_cgroup_pages' mangled-name='try_to_free_mem_cgroup_pages' filepath='mm/vmscan.c' line='3385' column='1' visibility='default' binding='global' size-in-bits='64' elf-symbol-id='try_to_free_mem_cgroup_pages'>
+        <parameter type-id='223696fb' name='memcg' filepath='mm/vmscan.c' line='3385' column='1'/>
+        <parameter type-id='7359adad' name='nr_pages' filepath='mm/vmscan.c' line='3386' column='1'/>
+        <parameter type-id='3eb7c31c' name='gfp_mask' filepath='mm/vmscan.c' line='3387' column='1'/>
+        <parameter type-id='b50a4934' name='may_swap' filepath='mm/vmscan.c' line='3388' column='1'/>
+        <return type-id='7359adad'/>
+      </function-decl>
       <function-decl name='try_wait_for_completion' mangled-name='try_wait_for_completion' filepath='kernel/sched/completion.c' line='282' column='1' visibility='default' binding='global' size-in-bits='64' elf-symbol-id='try_wait_for_completion'>
         <parameter type-id='389faaf7' name='x' filepath='kernel/sched/completion.c' line='282' column='1'/>
         <return type-id='b50a4934'/>
diff --git a/android/abi_gki_aarch64_xiaomi b/android/abi_gki_aarch64_xiaomi
index 132268bcaafd..ff95f2ae9959 100644
--- a/android/abi_gki_aarch64_xiaomi
+++ b/android/abi_gki_aarch64_xiaomi
@@ -187,3 +187,6 @@
 
 #required by mi_gamekey.ko module
   gpio_request_array
+
+#extend_reclaim.ko
+  try_to_free_mem_cgroup_pages

From 2521995617681876aeef4012ecbbcaf63d5a8bc5 Mon Sep 17 00:00:00 2001
From: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
Date: Fri, 25 Jun 2021 15:14:56 +1200
Subject: [PATCH 3/5] UPSTREAM: usb: max-3421: Prevent corruption of freed
 memory

commit b5fdf5c6e6bee35837e160c00ac89327bdad031b upstream.

The MAX-3421 USB driver remembers the state of the USB toggles for a
device/endpoint. To save SPI writes, this was only done when a new
device/endpoint was being used. Unfortunately, if the old device was
removed, this would cause writes to freed memory.

To fix this, a simpler scheme is used. The toggles are read from
hardware when a URB is completed, and the toggles are always written to
hardware when any URB transaction is started. This will cause a few more
SPI transactions, but no causes kernel panics.

Fixes: 2d53139f3162 ("Add support for using a MAX3421E chip as a host driver.")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
Link: https://lore.kernel.org/r/20210625031456.8632-1-mark.tomlinson@alliedtelesis.co.nz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 202859772
Change-Id: I55e4fd4609e7e0c68986bcf10718f486d2e55cad
---
 drivers/usb/host/max3421-hcd.c | 44 +++++++++++-----------------------
 1 file changed, 14 insertions(+), 30 deletions(-)

diff --git a/drivers/usb/host/max3421-hcd.c b/drivers/usb/host/max3421-hcd.c
index ebb8180b52ab..c86d413226eb 100644
--- a/drivers/usb/host/max3421-hcd.c
+++ b/drivers/usb/host/max3421-hcd.c
@@ -153,8 +153,6 @@ struct max3421_hcd {
 	 */
 	struct urb *curr_urb;
 	enum scheduling_pass sched_pass;
-	struct usb_device *loaded_dev;	/* dev that's loaded into the chip */
-	int loaded_epnum;		/* epnum whose toggles are loaded */
 	int urb_done;			/* > 0 -> no errors, < 0: errno */
 	size_t curr_len;
 	u8 hien;
@@ -492,39 +490,17 @@ max3421_set_speed(struct usb_hcd *hcd, struct usb_device *dev)
  * Caller must NOT hold HCD spinlock.
  */
 static void
-max3421_set_address(struct usb_hcd *hcd, struct usb_device *dev, int epnum,
-		    int force_toggles)
+max3421_set_address(struct usb_hcd *hcd, struct usb_device *dev, int epnum)
 {
-	struct max3421_hcd *max3421_hcd = hcd_to_max3421(hcd);
-	int old_epnum, same_ep, rcvtog, sndtog;
-	struct usb_device *old_dev;
+	int rcvtog, sndtog;
 	u8 hctl;
 
-	old_dev = max3421_hcd->loaded_dev;
-	old_epnum = max3421_hcd->loaded_epnum;
-
-	same_ep = (dev == old_dev && epnum == old_epnum);
-	if (same_ep && !force_toggles)
-		return;
-
-	if (old_dev && !same_ep) {
-		/* save the old end-points toggles: */
-		u8 hrsl = spi_rd8(hcd, MAX3421_REG_HRSL);
-
-		rcvtog = (hrsl >> MAX3421_HRSL_RCVTOGRD_BIT) & 1;
-		sndtog = (hrsl >> MAX3421_HRSL_SNDTOGRD_BIT) & 1;
-
-		/* no locking: HCD (i.e., we) own toggles, don't we? */
-		usb_settoggle(old_dev, old_epnum, 0, rcvtog);
-		usb_settoggle(old_dev, old_epnum, 1, sndtog);
-	}
 	/* setup new endpoint's toggle bits: */
 	rcvtog = usb_gettoggle(dev, epnum, 0);
 	sndtog = usb_gettoggle(dev, epnum, 1);
 	hctl = (BIT(rcvtog + MAX3421_HCTL_RCVTOG0_BIT) |
 		BIT(sndtog + MAX3421_HCTL_SNDTOG0_BIT));
 
-	max3421_hcd->loaded_epnum = epnum;
 	spi_wr8(hcd, MAX3421_REG_HCTL, hctl);
 
 	/*
@@ -532,7 +508,6 @@ max3421_set_address(struct usb_hcd *hcd, struct usb_device *dev, int epnum,
 	 * address-assignment so it's best to just always load the
 	 * address whenever the end-point changed/was forced.
 	 */
-	max3421_hcd->loaded_dev = dev;
 	spi_wr8(hcd, MAX3421_REG_PERADDR, dev->devnum);
 }
 
@@ -667,7 +642,7 @@ max3421_select_and_start_urb(struct usb_hcd *hcd)
 	struct max3421_hcd *max3421_hcd = hcd_to_max3421(hcd);
 	struct urb *urb, *curr_urb = NULL;
 	struct max3421_ep *max3421_ep;
-	int epnum, force_toggles = 0;
+	int epnum;
 	struct usb_host_endpoint *ep;
 	struct list_head *pos;
 	unsigned long flags;
@@ -777,7 +752,6 @@ done:
 			usb_settoggle(urb->dev, epnum, 0, 1);
 			usb_settoggle(urb->dev, epnum, 1, 1);
 			max3421_ep->pkt_state = PKT_STATE_SETUP;
-			force_toggles = 1;
 		} else
 			max3421_ep->pkt_state = PKT_STATE_TRANSFER;
 	}
@@ -785,7 +759,7 @@ done:
 	spin_unlock_irqrestore(&max3421_hcd->lock, flags);
 
 	max3421_ep->last_active = max3421_hcd->frame_number;
-	max3421_set_address(hcd, urb->dev, epnum, force_toggles);
+	max3421_set_address(hcd, urb->dev, epnum);
 	max3421_set_speed(hcd, urb->dev);
 	max3421_next_transfer(hcd, 0);
 	return 1;
@@ -1380,6 +1354,16 @@ max3421_urb_done(struct usb_hcd *hcd)
 		status = 0;
 	urb = max3421_hcd->curr_urb;
 	if (urb) {
+		/* save the old end-points toggles: */
+		u8 hrsl = spi_rd8(hcd, MAX3421_REG_HRSL);
+		int rcvtog = (hrsl >> MAX3421_HRSL_RCVTOGRD_BIT) & 1;
+		int sndtog = (hrsl >> MAX3421_HRSL_SNDTOGRD_BIT) & 1;
+		int epnum = usb_endpoint_num(&urb->ep->desc);
+
+		/* no locking: HCD (i.e., we) own toggles, don't we? */
+		usb_settoggle(urb->dev, epnum, 0, rcvtog);
+		usb_settoggle(urb->dev, epnum, 1, sndtog);
+
 		max3421_hcd->curr_urb = NULL;
 		spin_lock_irqsave(&max3421_hcd->lock, flags);
 		usb_hcd_unlink_urb_from_ep(hcd, urb);

From 354472cec035395e3c438d73c1562dd200d3a785 Mon Sep 17 00:00:00 2001
From: "Paul E. McKenney" <paulmck@kernel.org>
Date: Tue, 25 May 2021 10:12:45 -0700
Subject: [PATCH 4/5] UPSTREAM: rcu-tasks: Don't delete holdouts within
 trc_inspect_reader()

[ Upstream commit 1d10bf55d85d34eb73dd8263635f43fd72135d2d ]

As Yanfei pointed out, although invoking trc_del_holdout() is safe
from the viewpoint of the integrity of the holdout list itself,
the put_task_struct() invoked by trc_del_holdout() can result in
use-after-free errors due to later accesses to this task_struct structure
by the RCU Tasks Trace grace-period kthread.

This commit therefore removes this call to trc_del_holdout() from
trc_inspect_reader() in favor of the grace-period thread's existing call
to trc_del_holdout(), thus eliminating that particular class of
use-after-free errors.

Bug: 202954022
Change-Id: Ib1e8eb51f74db89407462cadff1bc8c17565abb4
Reported-by: "Xu, Yanfei" <yanfei.xu@windriver.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/rcu/tasks.h | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h
index 73bbe792fe1e..208acb286ec2 100644
--- a/kernel/rcu/tasks.h
+++ b/kernel/rcu/tasks.h
@@ -879,10 +879,9 @@ static bool trc_inspect_reader(struct task_struct *t, void *arg)
 		in_qs = likely(!t->trc_reader_nesting);
 	}
 
-	// Mark as checked.  Because this is called from the grace-period
-	// kthread, also remove the task from the holdout list.
+	// Mark as checked so that the grace-period kthread will
+	// remove it from the holdout list.
 	t->trc_reader_checked = true;
-	trc_del_holdout(t);
 
 	if (in_qs)
 		return true;  // Already in quiescent state, done!!!

From 400df946fe242b5d7edf4b8bf6f17d160cc25bde Mon Sep 17 00:00:00 2001
From: "Paul E. McKenney" <paulmck@kernel.org>
Date: Tue, 25 May 2021 11:28:40 -0700
Subject: [PATCH 5/5] UPSTREAM: rcu-tasks: Don't delete holdouts within
 trc_wait_for_one_reader()

[ Upstream commit a9ab9cce9367a2cc02a3c7eb57a004dc0b8f380d ]

Invoking trc_del_holdout() from within trc_wait_for_one_reader() is
only a performance optimization because the RCU Tasks Trace grace-period
kthread will eventually do this within check_all_holdout_tasks_trace().
But it is not a particularly important performance optimization because
it only applies to the grace-period kthread, of which there is but one.
This commit therefore removes this invocation of trc_del_holdout() in
favor of the one in check_all_holdout_tasks_trace() in the grace-period
kthread.

Bug: 202954022
Change-Id: I339f39776a96bcced4c7622d321e66f83299bcf7
Reported-by: "Xu, Yanfei" <yanfei.xu@windriver.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/rcu/tasks.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h
index 208acb286ec2..b338f514ee5a 100644
--- a/kernel/rcu/tasks.h
+++ b/kernel/rcu/tasks.h
@@ -908,7 +908,6 @@ static void trc_wait_for_one_reader(struct task_struct *t,
 	// The current task had better be in a quiescent state.
 	if (t == current) {
 		t->trc_reader_checked = true;
-		trc_del_holdout(t);
 		WARN_ON_ONCE(t->trc_reader_nesting);
 		return;
 	}