Commit Graph

914471 Commits

Author: kamasali Satyanarayan
SHA1: 7a335f8708
Message: Merge android11-5.4.249+ (d57e792) into msm-5.4
* remotes/origin/tmp-d57e792:
  UPSTREAM: media: usb: siano: Fix warning due to null work_func_t function pointer
  UPSTREAM: Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb
  ANDROID: ABI: Update allowed list for QCOM
  UPSTREAM: net: tap_open(): set sk_uid from current_fsuid()
  UPSTREAM: net: tun_chr_open(): set sk_uid from current_fsuid()
  UPSTREAM: net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free
  UPSTREAM: net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free
  UPSTREAM: net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free
  UPSTREAM: net/sched: cls_fw: Fix improper refcount update leads to use-after-free
  UPSTREAM: media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()
  ANDROID: ABI: Update allowed list for QCOM
  UPSTREAM: usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition
  UPSTREAM: x86/mm: Avoid using set_pgd() outside of real PGD pages
  UPSTREAM: net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
  UPSTREAM: ipvlan:Fix out-of-bounds caused by unclear skb->cb
  Linux 5.4.249
  xfs: verify buffer contents when we skip log replay
  mm: make wait_on_page_writeback() wait for multiple pending writebacks
  mm: fix VM_BUG_ON(PageTail) and BUG_ON(PageWriteback)
  i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle
  x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys
  drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
  drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl
  drm/exynos: vidi: fix a wrong error return
  ARM: dts: Fix erroneous ADS touchscreen polarities
  ASoC: nau8824: Add quirk to active-high jack-detect
  s390/cio: unregister device when the only path is gone
  usb: gadget: udc: fix NULL dereference in remove()
  nfcsim.c: Fix error checking for debugfs_create_dir
  media: cec: core: don't set last_initiator if tx in progress
  arm64: Add missing Set/Way CMO encodings
  HID: wacom: Add error check to wacom_parse_and_register()
  scsi: target: iscsi: Prevent login threads from racing between each other
  sch_netem: acquire qdisc lock in netem_change()
  Revert "net: phy: dp83867: perform soft reset and retain established link"
  netfilter: nfnetlink_osf: fix module autoload
  netfilter: nf_tables: disallow element updates of bound anonymous sets
  be2net: Extend xmit workaround to BE3 chip
  net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 switch
  ipvs: align inner_mac_header for encapsulation
  mmc: usdhi60rol0: fix deferred probing
  mmc: sh_mmcif: fix deferred probing
  mmc: sdhci-acpi: fix deferred probing
  mmc: omap_hsmmc: fix deferred probing
  mmc: omap: fix deferred probing
  mmc: mvsdio: fix deferred probing
  mmc: mvsdio: convert to devm_platform_ioremap_resource
  mmc: mtk-sd: fix deferred probing
  net: qca_spi: Avoid high load if QCA7000 is not available
  xfrm: Linearize the skb after offloading if needed.
  ieee802154: hwsim: Fix possible memory leaks
  rcu: Upgrade rcu_swap_protected() to rcu_replace_pointer()
  x86/mm: Avoid using set_pgd() outside of real PGD pages
  cifs: Fix potential deadlock when updating vol in cifs_reconnect()
  cifs: Merge is_path_valid() into get_normalized_path()
  cifs: Introduce helpers for finding TCP connection
  cifs: Get rid of kstrdup_const()'d paths
  cifs: Clean up DFS referral cache
  nilfs2: prevent general protection fault in nilfs_clear_dirty_page()
  writeback: fix dereferencing NULL mapping->host on writeback_page_template
  ip_tunnels: allow VXLAN/GENEVE to inherit TOS/TTL from VLAN
  mmc: meson-gx: remove redundant mmc_request_done() call from irq context
  cgroup: Do not corrupt task iteration when rebinding subsystem
  PCI: hv: Fix a race condition bug in hv_pci_query_relations()
  Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs
  nilfs2: fix buffer corruption due to concurrent device reads
  media: dvb-core: Fix use-after-free due to race at dvb_register_device()
  media: dvbdev: fix error logic at dvb_register_device()
  media: dvbdev: Fix memleak in dvb_register_device
  tick/common: Align tick period during sched_timer setup
  x86/purgatory: remove PGO flags
  tracing: Add tracing_reset_all_online_cpus_unlocked() function
  epoll: ep_autoremove_wake_function should use list_del_init_careful
  list: add "list_del_init_careful()" to go with "list_empty_careful()"
  mm: rewrite wait_on_page_bit_common() logic
  nilfs2: reject devices with insufficient block count
  UPSTREAM: net/sched: cls_u32: Fix reference counter leak leading to overflow
  UPSTREAM: memstick: r592: Fix UAF bug in r592_remove due to race condition
  BACKPORT: btrfs: unset reloc control if transaction commit fails in prepare_to_relocate()
  Revert "neighbour: Replace zero-length array with flexible-array member"
  Revert "neighbour: fix unaligned access to pneigh_entry"
  Revert "tcp: deny tcp_disconnect() when threads are waiting"
  Linux 5.4.248
  mmc: block: ensure error propagation for non-blk
  drm/nouveau/kms: Fix NULL pointer dereference in nouveau_connector_detect_depth
  neighbour: delete neigh_lookup_nodev as not used
  net: Remove unused inline function dst_hold_and_use()
  neighbour: Remove unused inline function neigh_key_eq16()
  afs: Fix vlserver probe RTT handling
  selftests/ptp: Fix timestamp printf format for PTP_SYS_OFFSET
  net: tipc: resize nlattr array to correct size
  net: lapbether: only support ethernet devices
  net/sched: cls_api: Fix lockup on flushing explicitly created chain
  drm/nouveau: add nv_encoder pointer check for NULL
  drm/nouveau/kms: Don't change EDID when it hasn't actually changed
  drm/nouveau/dp: check for NULL nv_connector->native_mode
  igb: fix nvm.ops.read() error handling
  sctp: fix an error code in sctp_sf_eat_auth()
  ipvlan: fix bound dev checking for IPv6 l3s mode
  IB/isert: Fix incorrect release of isert connection
  IB/isert: Fix possible list corruption in CMA handler
  IB/isert: Fix dead lock in ib_isert
  IB/uverbs: Fix to consider event queue closing also upon non-blocking mode
  iavf: remove mask from iavf_irq_enable_queues()
  RDMA/rxe: Fix the use-before-initialization error of resp_pkts
  RDMA/rxe: Removed unused name from rxe_task struct
  RDMA/rxe: Remove the unused variable obj
  net/sched: cls_u32: Fix reference counter leak leading to overflow
  ping6: Fix send to link-local addresses with VRF.
  netfilter: nfnetlink: skip error delivery on batch in case of ENOMEM
  spi: fsl-dspi: avoid SCK glitches with continuous transfers
  spi: spi-fsl-dspi: Remove unused chip->void_write_data
  usb: dwc3: gadget: Reset num TRBs before giving back the request
  serial: lantiq: add missing interrupt ack
  USB: serial: option: add Quectel EM061KGL series
  Remove DECnet support from kernel
  ALSA: hda/realtek: Add a quirk for Compaq N14JP6
  net: usb: qmi_wwan: add support for Compal RXM-G1
  RDMA/uverbs: Restrict usage of privileged QKEYs
  nouveau: fix client work fence deletion race
  powerpc/purgatory: remove PGO flags
  kexec: support purgatories with .text.hot sections
  nilfs2: fix possible out-of-bounds segment allocation in resize ioctl
  nilfs2: fix incomplete buffer cleanup in nilfs_btnode_abort_change_key()
  nios2: dts: Fix tse_mac "max-frame-size" property
  ocfs2: check new file size on fallocate call
  ocfs2: fix use-after-free when unmounting read-only filesystem
  drm:amd:amdgpu: Fix missing buffer object unlock in failure path
  xen/blkfront: Only check REQ_FUA for writes
  mips: Move initrd_start check after initrd address sanitisation.
  MIPS: Alchemy: fix dbdma2
  parisc: Flush gatt writes and adjust gatt mask in parisc_agp_mask_memory()
  parisc: Improve cache flushing for PCXL in arch_sync_dma_for_cpu()
  btrfs: handle memory allocation failure in btrfs_csum_one_bio
  power: supply: Fix logic checking if system is running from battery
  irqchip/meson-gpio: Mark OF related data as maybe unused
  regulator: Fix error checking for debugfs_create_dir
  platform/x86: asus-wmi: Ignore WMI events with codes 0x7B, 0xC0
  power: supply: Ratelimit no data debug output
  ARM: dts: vexpress: add missing cache properties
  power: supply: bq27xxx: Use mod_delayed_work() instead of cancel() + schedule()
  power: supply: sc27xx: Fix external_power_changed race
  power: supply: ab8500: Fix external_power_changed race
  s390/dasd: Use correct lock while counting channel queue length
  dasd: refactor dasd_ioctl_information
  KEYS: asymmetric: Copy sig and digest in public_key_verify_signature()
  test_firmware: fix a memory leak with reqs buffer
  ANDROID: HID: Only utilise UHID provided exports if UHID is enabled
  Revert "firmware: arm_sdei: Fix sleep from invalid context BUG"
  UPSTREAM: bluetooth: Perform careful capability checks in hci_sock_ioctl()
  Revert "PM: domains: Fix up terminology with parent/child"
  Revert "PM: domains: Restore comment indentation for generic_pm_domain.child_links"
  Revert "scripts/gdb: bail early if there are no generic PD"
  Revert "uapi/linux/const.h: prefer ISO-friendly __typeof__"
  Revert "netfilter: nf_tables: don't write table validation state without mutex"
  Linux 5.4.247
  Revert "staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE"
  mtd: spinand: macronix: Add support for MX35LFxGE4AD
  btrfs: unset reloc control if transaction commit fails in prepare_to_relocate()
  btrfs: check return value of btrfs_commit_transaction in relocation
  rbd: get snapshot context after exclusive lock is ensured to be held
  drm/atomic: Don't pollute crtc_state->mode_blob with error pointers
  cifs: handle empty list of targets in cifs_reconnect()
  cifs: get rid of unused parameter in reconn_setup_dfs_targets()
  ext4: only check dquot_initialize_needed() when debugging
  eeprom: at24: also select REGMAP
  i2c: sprd: Delete i2c adapter in .remove's error path
  bonding (gcc13): synchronize bond_{a,t}lb_xmit() types
  usb: usbfs: Use consistent mmap functions
  usb: usbfs: Enforce page requirements for mmap
  pinctrl: meson-axg: add missing GPIOA_18 gpio group
  rbd: move RBD_OBJ_FLAG_COPYUP_ENABLED flag setting
  Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk
  ceph: fix use-after-free bug for inodes when flushing capsnaps
  can: j1939: avoid possible use-after-free when j1939_can_rx_register fails
  can: j1939: change j1939_netdev_lock type to mutex
  can: j1939: j1939_sk_send_loop_abort(): improved error queue handling in J1939 Socket
  drm/amdgpu: fix xclk freq on CHIP_STONEY
  ALSA: hda/realtek: Add Lenovo P3 Tower platform
  ALSA: hda/realtek: Add a quirk for HP Slim Desktop S01
  Input: psmouse - fix OOB access in Elantech protocol
  Input: xpad - delete a Razer DeathAdder mouse VID/PID entry
  batman-adv: Broken sync while rescheduling delayed work
  bnxt_en: Query default VLAN before VNIC setup on a VF
  lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release()
  net: sched: fix possible refcount leak in tc_chain_tmplt_add()
  net: sched: move rtm_tca_policy declaration to include file
  rfs: annotate lockless accesses to RFS sock flow table
  rfs: annotate lockless accesses to sk->sk_rxhash
  netfilter: ipset: Add schedule point in call_ad().
  netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper
  Bluetooth: L2CAP: Add missing checks for invalid DCID
  Bluetooth: Fix l2cap_disconnect_req deadlock
  net: dsa: lan9303: allow vid != 0 in port_fdb_{add|del} methods
  neighbour: fix unaligned access to pneigh_entry
  neighbour: Replace zero-length array with flexible-array member
  spi: qup: Request DMA before enabling clocks
  i40e: fix build warnings in i40e_alloc.h
  i40iw: fix build warning in i40iw_manage_apbvt()
  block/blk-iocost (gcc13): keep large values in a new enum
  blk-iocost: avoid 64-bit division in ioc_timer_fn
  Linux 5.4.246
  drm/edid: fix objtool warning in drm_cvt_modes()
  wifi: rtlwifi: 8192de: correct checking of IQK reload
  drm/edid: Fix uninitialized variable in drm_cvt_modes()
  RDMA/bnxt_re: Remove the qp from list only if the qp destroy succeeds
  RDMA/bnxt_re: Remove set but not used variable 'dev_attr'
  scsi: dpt_i2o: Do not process completions with invalid addresses
  scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD)
  regmap: Account for register length when chunking
  test_firmware: fix the memory leak of the allocated firmware buffer
  fbcon: Fix null-ptr-deref in soft_cursor
  ext4: add lockdep annotations for i_data_sem for ea_inode's
  ext4: disallow ea_inodes with extended attributes
  ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find()
  ext4: add EA_INODE checking to ext4_iget()
  tracing/probe: trace_probe_primary_from_call(): checked list_first_entry
  selinux: don't use make's grouped targets feature yet
  tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of UARTCTRL_SBK
  mmc: vub300: fix invalid response handling
  wifi: rtlwifi: remove always-true condition pointed out by GCC 12
  lib/dynamic_debug.c: use address-of operator on section symbols
  treewide: Remove uninitialized_var() usage
  kernel/extable.c: use address-of operator on section symbols
  eth: sun: cassini: remove dead code
  gcc-12: disable '-Wdangling-pointer' warning for now
  ACPI: thermal: drop an always true check
  x86/boot: Wrap literal addresses in absolute_pointer()
  flow_dissector: work around stack frame size warning
  ata: libata-scsi: Use correct device no in ata_find_dev()
  scsi: stex: Fix gcc 13 warnings
  misc: fastrpc: reject new invocations during device removal
  misc: fastrpc: return -EPIPE to invocations on device removal
  usb: gadget: f_fs: Add unbind event before functionfs_unbind
  net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818
  iio: dac: build ad5758 driver when AD5758 is selected
  iio: dac: mcp4725: Fix i2c_master_send() return value handling
  iio: light: vcnl4035: fixed chip ID check
  HID: wacom: avoid integer overflow in wacom_intuos_inout()
  HID: google: add jewel USB id
  iio: adc: mxs-lradc: fix the order of two cleanup operations
  mailbox: mailbox-test: fix a locking issue in mbox_test_message_write()
  atm: hide unused procfs functions
  ALSA: oss: avoid missing-prototype warnings
  netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with CONFIG_NF_NAT
  wifi: b43: fix incorrect __packed annotation
  scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed
  arm64/mm: mark private VM_FAULT_X defines as vm_fault_t
  ARM: dts: stm32: add pin map for CAN controller on stm32f7
  wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value
  media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221
  media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()
  media: dvb-core: Fix use-after-free due on race condition at dvb_net
  media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table
  media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
  media: dvb_ca_en50221: fix a size write bug
  media: netup_unidvb: fix irq init by register it at the end of probe
  media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address
  media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer()
  media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer
  media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer()
  media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer()
  media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()
  media: dvb_demux: fix a bug for the continuity counter
  ASoC: ssm2602: Add workaround for playback distortions
  xfrm: Check if_id in inbound policy/secpath match
  ASoC: dwc: limit the number of overrun messages
  nbd: Fix debugfs_create_dir error checking
  fbdev: stifb: Fix info entry in sti_struct on error path
  fbdev: modedb: Add 1920x1080 at 60 Hz video mode
  media: rcar-vin: Select correct interrupt mode for V4L2_FIELD_ALTERNATE
  ARM: 9295/1: unwind:fix unwind abort for uleb128 case
  mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()
  watchdog: menz069_wdt: fix watchdog initialisation
  mtd: rawnand: marvell: don't set the NAND frequency select
  mtd: rawnand: marvell: ensure timing values are written
  net: dsa: mv88e6xxx: Increase wait after reset deactivation
  net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
  udp6: Fix race condition in udp6_sendmsg & connect
  net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report
  ocfs2/dlm: move BITS_TO_BYTES() to bitops.h for wider use
  net: sched: fix NULL pointer dereference in mq_attach
  net/sched: Prohibit regrafting ingress or clsact Qdiscs
  net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs
  net/sched: sch_clsact: Only create under TC_H_CLSACT
  net/sched: sch_ingress: Only create under TC_H_INGRESS
  tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss set
  tcp: deny tcp_disconnect() when threads are waiting
  af_packet: do not use READ_ONCE() in packet_bind()
  mtd: rawnand: ingenic: fix empty stub helper definitions
  amd-xgbe: fix the false linkup in xgbe_phy_status
  af_packet: Fix data-races of pkt_sk(sk)->num.
  netrom: fix info-leak in nr_write_internal()
  net/mlx5: fw_tracer, Fix event handling
  dmaengine: pl330: rename _start to prevent build error
  iommu/amd: Don't block updates to GATag if guest mode is on
  iommu/rockchip: Fix unwind goto issue
  RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx
  RDMA/bnxt_re: Refactor queue pair creation code
  RDMA/bnxt_re: Enable SRIOV VF support on Broadcom's 57500 adapter series
  RDMA/efa: Fix unsupported page sizes in device
  Linux 5.4.245
  netfilter: ctnetlink: Support offloaded conntrack entry deletion
  ipv{4,6}/raw: fix output xfrm lookup wrt protocol
  binder: fix UAF caused by faulty buffer cleanup
  bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
  io_uring: have io_kill_timeout() honor the request references
  io_uring: don't drop completion lock before timer is fully initialized
  io_uring: always grab lock in io_cancel_async_work()
  cdc_ncm: Fix the build warning
  net/mlx5: Devcom, serialize devcom registration
  net/mlx5: devcom only supports 2 ports
  fs: fix undefined behavior in bit shift for SB_NOUSER
  power: supply: bq24190: Call power_supply_changed() after updating input current
  power: supply: core: Refactor power_supply_set_input_current_limit_from_supplier()
  power: supply: bq27xxx: After charger plug in/out wait 0.5s for things to stabilize
  net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
  cdc_ncm: Implement the 32-bit version of NCM Transfer Block
  Linux 5.4.244
  3c589_cs: Fix an error handling path in tc589_probe()
  net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device
  net/mlx5: Fix error message when failing to allocate device memory
  forcedeth: Fix an error handling path in nv_probe()
  ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg
  x86/show_trace_log_lvl: Ensure stack pointer is aligned, again
  xen/pvcalls-back: fix double frees with pvcalls_new_active_socket()
  coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet()
  power: supply: sbs-charger: Fix INHIBITED bit for Status reg
  power: supply: bq27xxx: Fix poll_interval handling and races on remove
  power: supply: bq27xxx: Fix I2C IRQ race on remove
  power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition
  power: supply: leds: Fix blink to LED on transition
  ipv6: Fix out-of-bounds access in ipv6_find_tlv()
  bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields
  selftests: fib_tests: mute cleanup error message
  net: fix skb leak in __skb_tstamp_tx()
  media: radio-shark: Add endpoint checks
  USB: sisusbvga: Add endpoint checks
  USB: core: Add routines for endpoint checks in old drivers
  udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().
  net: fix stack overflow when LRO is disabled for virtual interfaces
  fbdev: udlfb: Fix endpoint check
  debugobjects: Don't wake up kswapd from fill_pool()
  x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms
  parisc: Fix flush_dcache_page() for usage from irq context
  selftests/memfd: Fix unknown type name build failure
  x86/mm: Avoid incomplete Global INVLPG flushes
  btrfs: use nofs when cleaning up aborted transactions
  gpio: mockup: Fix mode of debugfs files
  parisc: Allow to reboot machine after system halt
  parisc: Handle kgdb breakpoints only in kernel context
  m68k: Move signal frame following exception on 68020/030
  ALSA: hda/realtek: Enable headset onLenovo M70/M90
  ALSA: hda/ca0132: add quirk for EVGA X299 DARK
  mt76: mt7615: Fix build with older compilers
  spi: fsl-cpm: Use 16 bit mode for large transfers with even size
  spi: fsl-spi: Re-organise transfer bits_per_word adaptation
  watchdog: sp5100_tco: Immediately trigger upon starting.
  s390/qdio: fix do_sqbs() inline assembly constraint
  s390/qdio: get rid of register asm
  vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
  vc_screen: rewrite vcs_size to accept vc, not inode
  usb: gadget: u_ether: Fix host MAC address case
  usb: gadget: u_ether: Convert prints to device prints
  lib/string_helpers: Introduce string_upper() and string_lower() helpers
  HID: wacom: add three styli to wacom_intuos_get_tool_type
  HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs
  HID: wacom: Force pen out of prox if no events have been received in a while
  netfilter: nf_tables: hold mutex on netns pre_exit path
  netfilter: nf_tables: validate NFTA_SET_ELEM_OBJREF based on NFT_SET_OBJECT flag
  netfilter: nf_tables: stricter validation of element data
  netfilter: nf_tables: allow up to 64 bytes in the set element data area
  netfilter: nf_tables: add nft_setelem_parse_key()
  netfilter: nf_tables: validate registers coming from userspace.
  netfilter: nftables: statify nft_parse_register()
  netfilter: nftables: add nft_parse_register_store() and use it
  netfilter: nftables: add nft_parse_register_load() and use it
  nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()
  powerpc/64s/radix: Fix soft dirty tracking
  tpm/tpm_tis: Disable interrupts for more Lenovo devices
  ceph: force updating the msg pointer in non-split case
  serial: Add support for Advantech PCI-1611U card
  statfs: enforce statfs[64] structure initialization
  KVM: x86: do not report a vCPU as preempted outside instruction boundaries
  can: kvaser_pciefd: Disable interrupts in probe error path
  can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt
  can: kvaser_pciefd: Clear listen-only bit if not explicitly requested
  can: kvaser_pciefd: Empty SRB buffer in probe
  can: kvaser_pciefd: Call request_irq() before enabling interrupts
  can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop()
  can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag
  ALSA: hda/realtek: Add quirk for 2nd ASUS GU603
  ALSA: hda/realtek: Add a quirk for HP EliteDesk 805
  ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
  ALSA: hda: Fix Oops by 9.1 surround channel names
  usb: typec: altmodes/displayport: fix pin_assignment_show
  usb: dwc3: debugfs: Resume dwc3 before accessing registers
  USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value
  usb-storage: fix deadlock when a scsi command timeouts more than once
  USB: usbtmc: Fix direction for 0-length ioctl control messages
  vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
  igb: fix bit_shift to be in [1..8] range
  cassini: Fix a memory leak in the error handling path of cas_init_one()
  wifi: iwlwifi: mvm: don't trust firmware n_channels
  net: bcmgenet: Restore phy_stop() depending upon suspend/close
  net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()
  net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
  drm/exynos: fix g2d_open/close helper function definitions
  media: netup_unidvb: fix use-after-free at del_timer()
  net: hns3: fix reset delay time to avoid configuration timeout
  net: hns3: fix sending pfc frames after reset issue
  erspan: get the proto with the md version for collect_md
  ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode
  ip6_gre: Make o_seqno start from 0 in native mode
  ip6_gre: Fix skb_under_panic in __gre6_xmit()
  serial: arc_uart: fix of_iomap leak in `arc_serial_probe`
  vsock: avoid to close connected socket after the timeout
  ALSA: firewire-digi00x: prevent potential use after free
  net: fec: Better handle pm_runtime_get() failing in .remove()
  af_key: Reject optional tunnel/BEET mode templates in outbound policies
  cpupower: Make TSC read per CPU for Mperf monitor
  ASoC: fsl_micfil: register platform component before registering cpu dai
  btrfs: fix space cache inconsistency after error loading it from disk
  btrfs: replace calls to btrfs_find_free_ino with btrfs_find_free_objectid
  mfd: dln2: Fix memory leak in dln2_probe()
  phy: st: miphy28lp: use _poll_timeout functions for waits
  Input: xpad - add constants for GIP interface numbers
  iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any
  clk: tegra20: fix gcc-7 constant overflow warning
  RDMA/core: Fix multiple -Warray-bounds warnings
  recordmcount: Fix memory leaks in the uwrite function
  sched: Fix KCSAN noinstr violation
  mcb-pci: Reallocate memory region to avoid memory overlapping
  serial: 8250: Reinit port->pm on port specific driver unbind
  usb: typec: tcpm: fix multiple times discover svids error
  HID: wacom: generic: Set battery quirk only when we see battery data
  spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3
  HID: logitech-hidpp: Reconcile USB and Unifying serials
  HID: logitech-hidpp: Don't use the USB serial for USB devices
  staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE
  Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
  wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
  wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf
  wifi: iwlwifi: pcie: fix possible NULL pointer dereference
  samples/bpf: Fix fout leak in hbm's run_bpf_prog
  f2fs: fix to drop all dirty pages during umount() if cp_error is set
  ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()
  ext4: set goal start correctly in ext4_mb_normalize_request
  gfs2: Fix inode height consistency check
  scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition
  lib: cpu_rmap: Avoid use after free on rmap->obj array entries
  scsi: target: iscsit: Free cmds before session free
  net: Catch invalid index in XPS mapping
  net: pasemi: Fix return type of pasemi_mac_start_tx()
  scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
  ext2: Check block size validity during mount
  wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex
  ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects
  ACPICA: Avoid undefined behavior: applying zero offset to null pointer
  drm/tegra: Avoid potential 32-bit integer overflow
  ACPI: EC: Fix oops when removing custom query handlers
  firmware: arm_sdei: Fix sleep from invalid context BUG
  memstick: r592: Fix UAF bug in r592_remove due to race condition
  regmap: cache: Return error in cache sync operations for REGCACHE_NONE
  drm/amd/display: Use DC_LOG_DC in the trasform pixel function
  fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
  af_unix: Fix data races around sk->sk_shutdown.
  af_unix: Fix a data race of sk->sk_receive_queue->qlen.
  net: datagram: fix data-races in datagram_poll()
  ipvlan:Fix out-of-bounds caused by unclear skb->cb
  net: add vlan_get_protocol_and_depth() helper
  net: tap: check vlan with eth_type_vlan() method
  net: annotate sk->sk_err write from do_recvmmsg()
  netlink: annotate accesses to nlk->cb_running
  netfilter: conntrack: fix possible bug_on with enable_hooks=1
  net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs().
  linux/dim: Do nothing if no time delta between samples
  ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings
  drm/mipi-dsi: Set the fwnode for mipi_dsi_device
  driver core: add a helper to setup both the of_node and fwnode of a device
  Linux 5.4.243
  drm/amd/display: Fix hang when skipping modeset
  mm/page_alloc: fix potential deadlock on zonelist_update_seq seqlock
  drm/exynos: move to use request_irq by IRQF_NO_AUTOEN flag
  drm/msm/adreno: Fix null ptr access in adreno_gpu_cleanup()
  firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()
  drm/msm: Fix double pm_runtime_disable() call
  PM: domains: Restore comment indentation for generic_pm_domain.child_links
  printk: declare printk_deferred_{enter,safe}() in include/linux/printk.h
  PCI: pciehp: Fix AB-BA deadlock between reset_lock and device_lock
  PCI: pciehp: Use down_read/write_nested(reset_lock) to fix lockdep errors
  drbd: correctly submit flush bio on barrier
  serial: 8250: Fix serial8250_tx_empty() race with DMA Tx
  tty: Prevent writing chars during tcsetattr TCSADRAIN/FLUSH
  ext4: fix invalid free tracking in ext4_xattr_move_to_block()
  ext4: remove a BUG_ON in ext4_mb_release_group_pa()
  ext4: bail out of ext4_xattr_ibody_get() fails for any reason
  ext4: add bounds checking in get_max_inline_xattr_value_size()
  ext4: fix deadlock when converting an inline directory in nojournal mode
  ext4: improve error recovery code paths in __ext4_remount()
  ext4: fix data races when using cached status extents
  ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum
  ext4: fix WARNING in mb_find_extent
  HID: wacom: insert timestamp to packed Bluetooth (BT) events
  HID: wacom: Set a default resolution for older tablets
  drm/amdgpu: disable sdma ecc irq only when sdma RAS is enabled in suspend
  drm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx ras
  drm/amdgpu: fix an amdgpu_irq_put() issue in gmc_v9_0_hw_fini()
  drm/panel: otm8009a: Set backlight parent to panel device
  f2fs: fix potential corruption when moving a directory
  ARM: dts: s5pv210: correct MIPI CSIS clock name
  ARM: dts: exynos: fix WM8960 clock name in Itop Elite
  remoteproc: st: Call of_node_put() on iteration error
  remoteproc: stm32: Call of_node_put() on iteration error
  sh: nmi_debug: fix return value of __setup handler
  sh: init: use OF_EARLY_FLATTREE for early init
  sh: math-emu: fix macro redefined warning
  inotify: Avoid reporting event with invalid wd
  platform/x86: touchscreen_dmi: Add info for the Dexp Ursus KX210i
  cifs: fix pcchunk length type in smb2_copychunk_range
  btrfs: print-tree: parent bytenr must be aligned to sector size
  btrfs: don't free qgroup space unless specified
  btrfs: fix btrfs_prev_leaf() to not return the same key twice
  perf symbols: Fix return incorrect build_id size in elf_read_build_id()
  perf map: Delete two variable initialisations before null pointer checks in sort__sym_from_cmp()
  perf vendor events power9: Remove UTF-8 characters from JSON files
  virtio_net: suppress cpu stall when free_unused_bufs
  virtio_net: split free_unused_bufs()
  net: dsa: mt7530: fix corrupt frames using trgmii on 40 MHz XTAL MT7621
  ALSA: caiaq: input: Add error handling for unsupported input methods in `snd_usb_caiaq_input_init`
  drm/amdgpu: add a missing lock for AMDGPU_SCHED
  af_packet: Don't send zero-byte data in packet_sendmsg_spkt().
  ionic: remove noise from ethtool rxnfc error msg
  rxrpc: Fix hard call timeout units
  net/sched: act_mirred: Add carrier check
  writeback: fix call of incorrect macro
  net: dsa: mv88e6xxx: add mv88e6321 rsvd2cpu
  sit: update dev->needed_headroom in ipip6_tunnel_bind_dev()
  net/sched: cls_api: remove block_cb from driver_list before freeing
  net/ncsi: clear Tx enable mode when handling a Config required AEN
  relayfs: fix out-of-bounds access in relay_file_read
  kernel/relay.c: fix read_pos error when multiple readers
  crypto: safexcel - Cleanup ring IRQ workqueues on load failure
  crypto: inside-secure - irq balance
  dm verity: fix error handling for check_at_most_once on FEC
  dm verity: skip redundant verity_handle_err() on I/O errors
  mailbox: zynqmp: Fix counts of child nodes
  mailbox: zynq: Switch to flexible array to simplify code
  tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem
  nohz: Add TICK_DEP_BIT_RCU
  netfilter: nf_tables: deactivate anonymous set from preparation phase
  debugobject: Ensure pool refill (again)
  perf intel-pt: Fix CYC timestamps after standalone CBR
  perf auxtrace: Fix address filter entire kernel size
  dm ioctl: fix nested locking in table_clear() to remove deadlock concern
  dm flakey: fix a crash with invalid table line
  dm integrity: call kmem_cache_destroy() in dm_integrity_init() error path
  dm clone: call kmem_cache_destroy() in dm_clone_init() error path
  s390/dasd: fix hanging blockdevice after request requeue
  btrfs: scrub: reject unsupported scrub flags
  scripts/gdb: fix lx-timerlist for Python3
  clk: rockchip: rk3399: allow clk_cifout to force clk_cifout_src to reparent
  wifi: rtl8xxxu: RTL8192EU always needs full init
  mailbox: zynqmp: Fix typo in IPI documentation
  mailbox: zynqmp: Fix IPI isr handling
  md/raid10: fix null-ptr-deref in raid10_sync_request
  nilfs2: fix infinite loop in nilfs_mdt_get_block()
  nilfs2: do not write dirty data after degenerating to read-only
  parisc: Fix argument pointer in real64_call_asm()
  afs: Fix updating of i_size with dv jump from server
  dmaengine: at_xdmac: do not enable all cyclic channels
  dmaengine: dw-edma: Fix to enable to issue dma request on DMA processing
  dmaengine: dw-edma: Fix to change for continuous transfer
  phy: tegra: xusb: Add missing tegra_xusb_port_unregister for usb2_port and ulpi_port
  pwm: mtk-disp: Disable shadow registers before setting backlight values
  pwm: mtk-disp: Adjust the clocks to avoid them mismatch
  pwm: mtk-disp: Don't check the return code of pwmchip_remove()
  dmaengine: mv_xor_v2: Fix an error code.
  leds: TI_LMU_COMMON: select REGMAP instead of depending on it
  ext4: fix use-after-free read in ext4_find_extent for bigalloc + inline
  openrisc: Properly store r31 to pt_regs on unhandled exceptions
  clocksource/drivers/davinci: Fix memory leak in davinci_timer_register when init fails
  clocksource: davinci: axe a pointless __GFP_NOFAIL
  clocksource/drivers/davinci: Avoid trailing '\n' hidden in pr_fmt()
  RDMA/mlx5: Use correct device num_ports when modify DC
  SUNRPC: remove the maximum number of retries in call_bind_status
  Input: raspberrypi-ts - fix refcount leak in rpi_ts_probe
  input: raspberrypi-ts: Release firmware handle when not needed
  firmware: raspberrypi: Introduce devm_rpi_firmware_get()
  firmware: raspberrypi: Keep count of all consumers
  NFSv4.1: Always send a RECLAIM_COMPLETE after establishing lease
  IB/hfi1: Fix SDMA mmu_rb_node not being evicted in LRU order
  RDMA/siw: Remove namespace check from siw_netdev_event()
  clk: add missing of_node_put() in "assigned-clocks" property parsing
  power: supply: generic-adc-battery: fix unit scaling
  rtc: meson-vrtc: Use ktime_get_real_ts64() to get the current time
  RDMA/mlx4: Prevent shift wrapping in set_user_sq_size()
  rtc: omap: include header for omap_rtc_power_off_program prototype
  RDMA/rdmavt: Delete unnecessary NULL check
  RDMA/siw: Fix potential page_array out of range access
  perf/core: Fix hardlockup failure caused by perf throttle
  powerpc/rtas: use memmove for potentially overlapping buffer copy
  macintosh: via-pmu-led: requires ATA to be set
  powerpc/sysdev/tsi108: fix resource printk format warnings
  powerpc/wii: fix resource printk format warnings
  powerpc/mpc512x: fix resource printk format warning
  macintosh/windfarm_smu_sat: Add missing of_node_put()
  spmi: Add a check for remove callback when removing a SPMI driver
  staging: rtl8192e: Fix W_DISABLE# does not work after stop/start
  serial: 8250: Add missing wakeup event reporting
  tty: serial: fsl_lpuart: adjust buffer length to the intended size
  firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe
  usb: mtu3: fix kernel panic at qmu transfer done irq handler
  usb: chipidea: fix missing goto in `ci_hdrc_probe`
  sh: sq: Fix incorrect element size for allocating bitmap buffer
  uapi/linux/const.h: prefer ISO-friendly __typeof__
  spi: cadence-quadspi: fix suspend-resume implementations
  mtd: spi-nor: cadence-quadspi: Handle probe deferral while requesting DMA channel
  mtd: spi-nor: cadence-quadspi: Don't initialize rx_dma_complete on failure
  mtd: spi-nor: cadence-quadspi: Provide a way to disable DAC mode
  mtd: spi-nor: cadence-quadspi: Make driver independent of flash geometry
  scripts/gdb: bail early if there are no generic PD
  PM: domains: Fix up terminology with parent/child
  scripts/gdb: bail early if there are no clocks
  ia64: salinfo: placate defined-but-not-used warning
  ia64: mm/contig: fix section mismatch warning/error
  of: Fix modalias string generation
  vmci_host: fix a race condition in vmci_host_poll() causing GPF
  spi: fsl-spi: Fix CPM/QE mode Litte Endian
  spi: qup: Don't skip cleanup in remove's error path
  linux/vt_buffer.h: allow either builtin or modular for macros
  ASoC: es8316: Handle optional IRQ assignment
  ASoC: es8316: Use IRQF_NO_AUTOEN when requesting the IRQ
  genirq: Add IRQF_NO_AUTOEN for request_irq/nmi()
  PCI: imx6: Install the fault handler only on compatible match
  usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition
  iio: light: max44009: add missing OF device matching
  fpga: bridge: fix kernel-doc parameter description
  usb: host: xhci-rcar: remove leftover quirk handling
  pstore: Revert pmsg_lock back to a normal mutex
  tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.
  net: amd: Fix link leak when verifying config failed
  netlink: Use copy_to_user() for optval in netlink_getsockopt().
  Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"
  ipv4: Fix potential uninit variable access bug in __ip_make_skb()
  netfilter: nf_tables: don't write table validation state without mutex
  bpf: Don't EFAULT for getsockopt with optval=NULL
  ixgbe: Enable setting RSS table to default values
  ixgbe: Allow flow hash to be set via ethtool
  wifi: iwlwifi: mvm: check firmware response size
  wifi: iwlwifi: make the loop for card preparation effective
  md/raid10: fix memleak of md thread
  md: update the optimal I/O size on reshape
  md/raid10: fix memleak for 'conf->bio_split'
  md/raid10: fix leak of 'r10bio->remaining' for recovery
  bpf, sockmap: Revert buggy deadlock fix in the sockhash and sockmap
  nvme-fcloop: fix "inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage"
  nvme: fix async event trace event
  nvme: handle the persistent internal error AER
  bpf, sockmap: fix deadlocks in the sockhash and sockmap
  scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup()
  crypto: drbg - Only fail when jent is unavailable in FIPS mode
  crypto: drbg - make drbg_prepare_hrng() handle jent instantiation errors
  bpftool: Fix bug for long instructions in program CFG dumps
  wifi: rtlwifi: fix incorrect error codes in rtl_debugfs_set_write_reg()
  wifi: rtlwifi: fix incorrect error codes in rtl_debugfs_set_write_rfreg()
  rtlwifi: Replace RT_TRACE with rtl_dbg
  rtlwifi: Start changing RT_TRACE into rtl_dbg
  f2fs: handle dqget error in f2fs_transfer_project_quota()
  scsi: megaraid: Fix mega_cmd_done() CMDID_INT_CMDS
  scsi: target: iscsit: Fix TAS handling during conn cleanup
  net/packet: convert po->auxdata to an atomic flag
  net/packet: convert po->origdev to an atomic flag
  net/packet: annotate accesses to po->xmit
  vlan: partially enable SIOCSHWTSTAMP in container
  scm: fix MSG_CTRUNC setting condition for SO_PASSSEC
  wifi: rtw88: mac: Return the original error from rtw_mac_power_switch()
  wifi: rtw88: mac: Return the original error from rtw_pwr_seq_parser()
  tools: bpftool: Remove invalid \' json escape
  wifi: ath6kl: reduce WARN to dev_dbg() in callback
  wifi: ath5k: fix an off by one check in ath5k_eeprom_read_freq_list()
  wifi: ath9k: hif_usb: fix memory leak of remain_skbs
  wifi: ath6kl: minor fix for allocation size
  tick/common: Align tick period with the HZ tick.
  tick: Get rid of tick_period
  tick/sched: Optimize tick_do_update_jiffies64() further
  tick/sched: Reduce seqcount held scope in tick_do_update_jiffies64()
  tick/sched: Use tick_next_period for lockless quick check
  timekeeping: Split jiffies seqlock
  debugobject: Prevent init race with static objects
  arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step
  x86/ioapic: Don't return 0 from arch_dynirq_lower_bound()
  regulator: stm32-pwr: fix of_iomap leak
  media: rc: gpio-ir-recv: Fix support for wake-up
  media: rcar_fdp1: Fix refcount leak in probe and remove function
  media: rcar_fdp1: Fix the correct variable assignments
  media: rcar_fdp1: Make use of the helper function devm_platform_ioremap_resource()
  media: rcar_fdp1: fix pm_runtime_get_sync() usage count
  media: rcar_fdp1: simplify error check logic at fdp_open()
  media: saa7134: fix use after free bug in saa7134_finidev due to race condition
  media: dm1105: Fix use after free bug in dm1105_remove due to race condition
  x86/apic: Fix atomic update of offset in reserve_eilvt_offset()
  regulator: core: Avoid lockdep reports when resolving supplies
  regulator: core: Consistently set mutex_owner when using ww_mutex_lock_slow()
  drm/lima/lima_drv: Add missing unwind goto in lima_pdev_probe()
  mmc: sdhci-of-esdhc: fix quirk to ignore command inhibit for data
  drm/msm/adreno: drop bogus pm_runtime_set_active()
  drm/msm/adreno: Defer enabling runpm until hw_init()
  drm/msm: fix unbalanced pm_runtime_enable in adreno_gpu_{init, cleanup}
  firmware: qcom_scm: Clear download bit during reboot
  media: av7110: prevent underflow in write_ts_to_decoder()
  media: uapi: add MEDIA_BUS_FMT_METADATA_FIXED media bus format.
  media: bdisp: Add missing check for create_workqueue
  ARM: dts: qcom: ipq8064: Fix the PCI I/O port range
  ARM: dts: qcom: ipq8064: reduce pci IO size to 64K
  ARM: dts: qcom: ipq4019: Fix the PCI I/O port range
  EDAC/skx: Fix overflows on the DRAM row address mapping arrays
  arm64: dts: renesas: r8a774c0: Remove bogus voltages from OPP table
  arm64: dts: renesas: r8a77990: Remove bogus voltages from OPP table
  drm/probe-helper: Cancel previous job before starting new one
  drm/vgem: add missing mutex_destroy
  drm/rockchip: Drop unbalanced obj unref
  erofs: fix potential overflow calculating xattr_isize
  erofs: stop parsing non-compact HEAD index if clusterofs is invalid
  tpm, tpm_tis: Do not skip reset of original interrupt vector
  selinux: ensure av_permissions.h is built when needed
  selinux: fix Makefile dependencies of flask.h
  ubifs: Free memory for tmpfile name
  ubi: Fix return value overwrite issue in try_write_vid_and_data()
  ubifs: Fix memleak when insert_old_idx() failed
  Revert "ubifs: dirty_cow_znode: Fix memleak in error handling path"
  i2c: omap: Fix standard mode false ACK readings
  KVM: nVMX: Emulate NOPs in L2, and PAUSE if it's not intercepted
  reiserfs: Add security prefix to xattr name in reiserfs_security_write()
  ring-buffer: Sync IRQ works before buffer destruction
  pwm: meson: Fix g12a ao clk81 name
  pwm: meson: Fix axg ao mux parents
  kheaders: Use array declaration instead of char
  ipmi: fix SSIF not responding under certain cond.
  ipmi:ssif: Add send_retries increment
  MIPS: fw: Allow firmware to pass a empty env
  xhci: fix debugfs register accesses while suspended
  debugfs: regset32: Add Runtime PM support
  staging: iio: resolver: ads1210: fix config mode
  perf sched: Cast PTHREAD_STACK_MIN to int as it may turn into sysconf(__SC_THREAD_STACK_MIN_VALUE)
  USB: dwc3: fix runtime pm imbalance on unbind
  USB: dwc3: fix runtime pm imbalance on probe errors
  asm-generic/io.h: suppress endianness warnings for readq() and writeq()
  ASoC: Intel: bytcr_rt5640: Add quirk for the Acer Iconia One 7 B1-750
  iio: adc: palmas_gpadc: fix NULL dereference on rmmod
  USB: serial: option: add UNISOC vendor and TOZED LT70C product
  bluetooth: Perform careful capability checks in hci_sock_ioctl()
  drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var
  wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
  counter: 104-quad-8: Fix race condition between FLAG and CNTR reads

Conflicts:
	drivers/firmware/qcom_scm.c
	drivers/md/dm-verity-target.c
	drivers/usb/dwc3/core.c
	drivers/usb/dwc3/debugfs.c
	drivers/usb/gadget/function/f_fs.c

Change-Id: I0d6315cadf7c3458e54bee2de89bd92b968060f7
Signed-off-by: kamasali Satyanarayan <quic_kamasali@quicinc.com>
2023-09-28 16:45:28 +05:30
Elliot Berman
58114830df virt: haven: Correct max_buf_size for a connection
Continuation messages can carry a maximum payload of
HH_RM_MAX_MSG_SIZE_BYTES. When initializing a connection buffer for
reply sequences, the hdr_size is 4 bytes larger than the
HH_RM_MAX_MSG_SIZE_BYTES: see the difference between
struct hh_rm_rpc_hdr and struct hh_rm_rpc_reply_hdr.

Fix the calculation.

Change-Id: If7a1124f581c9d1da8f7749d0296e064e6499cdf
[eberman: Make change in hh_rm_core.c]
Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
2023-08-24 11:48:01 -07:00
Duoming Zhou
d57e792d0b UPSTREAM: media: usb: siano: Fix warning due to null work_func_t function pointer
[ Upstream commit 6f489a966fbeb0da63d45c2c66a8957eab604bf6 ]

The previous commit ebad8e731c1c ("media: usb: siano: Fix use after
free bugs caused by do_submit_urb") adds cancel_work_sync() in
smsusb_stop_streaming(). But smsusb_stop_streaming() may be called,
even if the work_struct surb->wq has not been initialized. As a result,
the warning will occur. One of the processes that could lead to warning
is shown below:

smsusb_probe()
  smsusb_init_device()
    if (!dev->in_ep || !dev->out_ep || align < 0) {
         smsusb_term_device(intf);
           smsusb_stop_streaming()
             cancel_work_sync(&dev->surbs[i].wq);
               __cancel_work_timer()
                 __flush_work()
                   if (WARN_ON(!work->func)) // work->func is null

The log reported by syzbot is shown below:

WARNING: CPU: 0 PID: 897 at kernel/workqueue.c:3066 __flush_work+0x798/0xa80 kernel/workqueue.c:3063
Modules linked in:
CPU: 0 PID: 897 Comm: kworker/0:2 Not tainted 6.2.0-rc1-syzkaller #0
RIP: 0010:__flush_work+0x798/0xa80 kernel/workqueue.c:3066
...
RSP: 0018:ffffc9000464ebf8 EFLAGS: 00010246
RAX: 1ffff11002dbb420 RBX: 0000000000000021 RCX: 1ffffffff204fa4e
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888016dda0e8
RBP: ffffc9000464ed98 R08: 0000000000000001 R09: ffffffff90253b2f
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888016dda0e8
R13: ffff888016dda0e8 R14: ffff888016dda100 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd4331efe8 CR3: 000000000b48e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3160
 smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline]
 smsusb_term_device+0xda/0x2d0 drivers/media/usb/siano/smsusb.c:344
 smsusb_init_device+0x400/0x9ce drivers/media/usb/siano/smsusb.c:419
 smsusb_probe+0xbbd/0xc55 drivers/media/usb/siano/smsusb.c:567
...

This patch adds a check before cancel_work_sync(). If surb->wq has not
been initialized, cancel_work_sync() will not be executed.

Bug: 295075980
Reported-by: syzbot+27b0b464864741b18b99@syzkaller.appspotmail.com
Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 8abb53c5167cfb5bb275512a3da4ec2468478626)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ie2946408cfde466d0138c23093ec6738b7e51161
2023-08-23 16:31:35 +00:00
Sungwoo Kim
118240f14b UPSTREAM: Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb
commit 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 upstream.

l2cap_sock_release(sk) frees sk. However, sk's children are still alive
and point to the already free'd sk's address.
To fix this, l2cap_sock_release(sk) also cleans sk's children.

==================================================================
BUG: KASAN: use-after-free in l2cap_sock_ready_cb+0xb7/0x100 net/bluetooth/l2cap_sock.c:1650
Read of size 8 at addr ffff888104617aa8 by task kworker/u3:0/276

CPU: 0 PID: 276 Comm: kworker/u3:0 Not tainted 6.2.0-00001-gef397bd4d5fb-dirty #59
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci2 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x72/0x95 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:306 [inline]
 print_report+0x175/0x478 mm/kasan/report.c:417
 kasan_report+0xb1/0x130 mm/kasan/report.c:517
 l2cap_sock_ready_cb+0xb7/0x100 net/bluetooth/l2cap_sock.c:1650
 l2cap_chan_ready+0x10e/0x1e0 net/bluetooth/l2cap_core.c:1386
 l2cap_config_req+0x753/0x9f0 net/bluetooth/l2cap_core.c:4480
 l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5739 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:6509 [inline]
 l2cap_recv_frame+0xe2e/0x43c0 net/bluetooth/l2cap_core.c:7788
 l2cap_recv_acldata+0x6ed/0x7e0 net/bluetooth/l2cap_core.c:8506
 hci_acldata_packet net/bluetooth/hci_core.c:3813 [inline]
 hci_rx_work+0x66e/0xbc0 net/bluetooth/hci_core.c:4048
 process_one_work+0x4ea/0x8e0 kernel/workqueue.c:2289
 worker_thread+0x364/0x8e0 kernel/workqueue.c:2436
 kthread+0x1b9/0x200 kernel/kthread.c:376
 ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308
 </TASK>

Allocated by task 288:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slab_common.c:968 [inline]
 __kmalloc+0x5a/0x140 mm/slab_common.c:981
 kmalloc include/linux/slab.h:584 [inline]
 sk_prot_alloc+0x113/0x1f0 net/core/sock.c:2040
 sk_alloc+0x36/0x3c0 net/core/sock.c:2093
 l2cap_sock_alloc.constprop.0+0x39/0x1c0 net/bluetooth/l2cap_sock.c:1852
 l2cap_sock_create+0x10d/0x220 net/bluetooth/l2cap_sock.c:1898
 bt_sock_create+0x183/0x290 net/bluetooth/af_bluetooth.c:132
 __sock_create+0x226/0x380 net/socket.c:1518
 sock_create net/socket.c:1569 [inline]
 __sys_socket_create net/socket.c:1606 [inline]
 __sys_socket_create net/socket.c:1591 [inline]
 __sys_socket+0x112/0x200 net/socket.c:1639
 __do_sys_socket net/socket.c:1652 [inline]
 __se_sys_socket net/socket.c:1650 [inline]
 __x64_sys_socket+0x40/0x50 net/socket.c:1650
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Freed by task 288:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:523
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free mm/kasan/common.c:200 [inline]
 __kasan_slab_free+0x10a/0x190 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1781 [inline]
 slab_free_freelist_hook mm/slub.c:1807 [inline]
 slab_free mm/slub.c:3787 [inline]
 __kmem_cache_free+0x88/0x1f0 mm/slub.c:3800
 sk_prot_free net/core/sock.c:2076 [inline]
 __sk_destruct+0x347/0x430 net/core/sock.c:2168
 sk_destruct+0x9c/0xb0 net/core/sock.c:2183
 __sk_free+0x82/0x220 net/core/sock.c:2194
 sk_free+0x7c/0xa0 net/core/sock.c:2205
 sock_put include/net/sock.h:1991 [inline]
 l2cap_sock_kill+0x256/0x2b0 net/bluetooth/l2cap_sock.c:1257
 l2cap_sock_release+0x1a7/0x220 net/bluetooth/l2cap_sock.c:1428
 __sock_release+0x80/0x150 net/socket.c:650
 sock_close+0x19/0x30 net/socket.c:1368
 __fput+0x17a/0x5c0 fs/file_table.c:320
 task_work_run+0x132/0x1c0 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x113/0x120 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x21/0x50 kernel/entry/common.c:296
 do_syscall_64+0x4c/0x90 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

The buggy address belongs to the object at ffff888104617800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 680 bytes inside of
 1024-byte region [ffff888104617800, ffff888104617c00)

The buggy address belongs to the physical page:
page:00000000dbca6a80 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888104614000 pfn:0x104614
head:00000000dbca6a80 order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 ffff888100041dc0 ffffea0004212c10 ffffea0004234b10
raw: ffff888104614000 0000000000080002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888104617980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888104617a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888104617a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff888104617b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888104617b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Bug: 297025149
Ack: This bug is found by FuzzBT with a modified Syzkaller. Other
contributors are Ruoyu Wu and Hui Peng.
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 29fac18499332211b2615ade356e2bd8b3269f98)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I1f4cf5a928b4825c63488bde0d5589517cc84ef8
2023-08-23 14:42:32 +01:00
Srinivasarao Pathipati
28e9ee34f7 ANDROID: ABI: Update allowed list for QCOM
Leaf changes summary: 1 artifact changed
Changed leaf types summary: 0 leaf type changed
Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 1 Added function
Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variable

1 Added function:

  [A] 'function int sysfs_emit(char*, const char*, ...)'

Bug: 297153855
Change-Id: Ia8be1195062a8e64b3b8158c00196718e862b0aa
Signed-off-by: Srinivasarao Pathipati <quic_c_spathi@quicinc.com>
2023-08-23 16:02:46 +05:30
Laszlo Ersek
d62f1fc162 UPSTREAM: net: tap_open(): set sk_uid from current_fsuid()
commit 5c9241f3ceab3257abe2923a59950db0dc8bb737 upstream.

Commit 66b2c338adce initializes the "sk_uid" field in the protocol socket
(struct sock) from the "/dev/tapX" device node's owner UID. Per original
commit 86741ec254 ("net: core: Add a UID field to struct sock.",
2016-11-04), that's wrong: the idea is to cache the UID of the userspace
process that creates the socket. Commit 86741ec254 mentions socket() and
accept(); with "tap", the action that creates the socket is
open("/dev/tapX").

Therefore the device node's owner UID is irrelevant. In most cases,
"/dev/tapX" will be owned by root, so in practice, commit 66b2c338adce has
no observable effect:

- before, "sk_uid" would be zero, due to undefined behavior
  (CVE-2023-1076),

- after, "sk_uid" would be zero, due to "/dev/tapX" being owned by root.

What matters is the (fs)UID of the process performing the open(), so cache
that in "sk_uid".

Bug: 295995961
Cc: Eric Dumazet <edumazet@google.com>
Cc: Lorenzo Colitti <lorenzo@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Pietro Borrello <borrello@diag.uniroma1.it>
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Fixes: 66b2c338adce ("tap: tap_open(): correctly initialize socket uid")
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 767800fc402deac438c5aed9c82f0e71a70c86fd)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ib5f80015e5c0280acf9f35124d3ff267ff0420f0
2023-08-22 15:26:00 +01:00
Laszlo Ersek
657abd3d2b UPSTREAM: net: tun_chr_open(): set sk_uid from current_fsuid()
commit 9bc3047374d5bec163e83e743709e23753376f0c upstream.

Commit a096ccca6e50 initializes the "sk_uid" field in the protocol socket
(struct sock) from the "/dev/net/tun" device node's owner UID. Per
original commit 86741ec254 ("net: core: Add a UID field to struct
sock.", 2016-11-04), that's wrong: the idea is to cache the UID of the
userspace process that creates the socket. Commit 86741ec254 mentions
socket() and accept(); with "tun", the action that creates the socket is
open("/dev/net/tun").

Therefore the device node's owner UID is irrelevant. In most cases,
"/dev/net/tun" will be owned by root, so in practice, commit a096ccca6e50
has no observable effect:

- before, "sk_uid" would be zero, due to undefined behavior
  (CVE-2023-1076),

- after, "sk_uid" would be zero, due to "/dev/net/tun" being owned by root.

What matters is the (fs)UID of the process performing the open(), so cache
that in "sk_uid".

Bug: 295995961
Cc: Eric Dumazet <edumazet@google.com>
Cc: Lorenzo Colitti <lorenzo@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Pietro Borrello <borrello@diag.uniroma1.it>
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Fixes: a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid")
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit b6846d7c408b33e4701f4f5ca28932e2a08e0a2e)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I2540ac5876ca7dad39e1b867a5e09a5c9c69bb86
2023-08-22 15:21:52 +01:00
Pradeep P V K
5708c10730 mtd: msm_qpic_nand: Add runtime status check in notifiers
During panic, all cores and IRQs will get disabled. So, it
is not recommended to request a new resource during this time.

So, add a check to return from notifier call based on the device
runtime status.

Change-Id: Ie4fd526ad2d107008b4af13997534fb614ca507a
Signed-off-by: Pradeep P V K <quic_pragalla@quicinc.com>
2023-08-22 10:43:54 +05:30
valis
212a7aaded UPSTREAM: net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free
[ Upstream commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8 ]

When route4_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.

This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.

Fix this by no longer copying the tcf_result struct from the old filter.

Bug: 296347075
Fixes: 1109c00547 ("net: sched: RCU cls_route")
Reported-by: valis <sec@valis.email>
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: valis <sec@valis.email>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-4-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit d4d3b53a4c66004e8e864fea744b3a2b86a73b62)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Iefbd201b92847ec1349f92c107d7ef5aec3fb359
2023-08-21 13:17:45 +01:00
valis
ac9e6cd126 UPSTREAM: net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free
[ Upstream commit 76e42ae831991c828cffa8c37736ebfb831ad5ec ]

When fw_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.

This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.

Fix this by no longer copying the tcf_result struct from the old filter.

Bug: 296347075
Fixes: e35a8ee599 ("net: sched: fw use RCU")
Reported-by: valis <sec@valis.email>
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: valis <sec@valis.email>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-3-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 7f691439b29be0aae68f83ad5eecfddc11007724)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I33c91c83d1cd8e889a7261adfa3779ca6c141088
2023-08-21 13:17:39 +01:00
valis
e4b912f612 UPSTREAM: net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free
[ Upstream commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 ]

When u32_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.

This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.

Fix this by no longer copying the tcf_result struct from the old filter.

Bug: 296347075
Fixes: de5df63228 ("net: sched: cls_u32 changes to knode must appear atomic to readers")
Reported-by: valis <sec@valis.email>
Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
Signed-off-by: valis <sec@valis.email>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-2-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit aab2d095ce4dd8d01ca484c0cc641fb497bf74db)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I1a8381c308cc97cf61d6f95a02992d2c553455c5
2023-08-21 13:09:12 +01:00
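The reference accounting described in the three tcf_result commits above (cls_route, cls_fw, cls_u32), as a user-space model added here; it is not kernel code and not code from these commits. `struct tc_class`, `struct result`, `filter_change()` and the `deleted` flag are hypothetical stand-ins for the class, tcf_result, the `*_change()` handlers and the class being freed.

```c
/* Simplified user-space model of the update path (added example).
 * All type and function names are hypothetical stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct tc_class {
    int filter_cnt;   /* number of filters bound to this class */
    bool deleted;     /* set instead of free() so the model stays well defined */
};

struct result {       /* stands in for tcf_result */
    struct tc_class *cls;
};

struct filter {
    struct result res;
};

/* Bind: take a counted reference on the class. */
static void bind_filter(struct filter *f, struct tc_class *c)
{
    f->res.cls = c;
    c->filter_cnt++;
}

/* Unbind: drop the counted reference held by this filter instance. */
static void unbind_filter(struct filter *f)
{
    if (f->res.cls) {
        f->res.cls->filter_cnt--;
        f->res.cls = NULL;
    }
}

/* A class may only be deleted while no filter is bound to it. */
static bool class_delete(struct tc_class *c)
{
    if (c->filter_cnt > 0)
        return false;
    c->deleted = true;
    return true;
}

/* Update an existing filter by building a new instance.
 * new_cls is NULL when the update request carries no class id.
 * copy_result=true models the pre-fix behaviour: the old result is
 * copied wholesale, so the new instance holds an uncounted pointer. */
static struct filter *filter_change(struct filter *old,
                                    struct tc_class *new_cls,
                                    bool copy_result)
{
    struct filter *n = calloc(1, sizeof(*n));
    if (!n)
        return NULL;
    if (copy_result)
        n->res = old->res;
    if (new_cls)
        bind_filter(n, new_cls);
    unbind_filter(old);   /* success path: always unbind the old instance */
    free(old);
    return n;
}

/* Bind a filter to a class, update it without a class id, then ask for
 * the class to be deleted. Returns true if the live filter still points
 * at the class that was just deleted. */
static bool update_leaves_dangling_ref(bool copy_result)
{
    struct tc_class cls = { 0, false };
    struct filter *f = calloc(1, sizeof(*f));
    if (!f)
        return false;
    bind_filter(f, &cls);                      /* filter_cnt == 1 */
    f = filter_change(f, NULL, copy_result);   /* old instance unbound */
    if (!f)
        return false;
    bool deleted = class_delete(&cls);         /* allowed once count is 0 */
    bool dangling = deleted && f->res.cls == &cls;
    free(f);
    return dangling;
}

int main(void)
{
    printf("copy tcf_result on update: dangling=%d\n",
           update_leaves_dangling_ref(true));
    printf("no copy on update:         dangling=%d\n",
           update_leaves_dangling_ref(false));
    return 0;
}
```

In the copying variant the count reaches zero while the new instance still holds the pointer, which is the state the commits describe as allowing the class to be deleted.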
qctecmdr
35fe9a34d7 Merge "defconfig: sdxlemur: Enable binder configs" 2023-08-17 00:14:16 -07:00
Yogesh Lal
aa7c391a5d defconfig: sdxlemur: Enable binder configs
Enable android binder configs on sdxlemur.

Change-Id: Ibe29fdbe0cee7fc33c0bd5dd3c6fcbf6d330617e
Signed-off-by: Yogesh Lal <quic_ylal@quicinc.com>
Signed-off-by: Sayan Dey <quic_sayand@quicinc.com>
2023-08-16 19:29:33 +05:30
qctecmdr
d7bb68d35f Merge "BACKPORT: FROMLIST: mm: protect free_pgtables with mmap_lock write lock in exit_mmap" 2023-08-16 03:58:16 -07:00
qctecmdr
7305c42960 Merge "Merge android11-5.4.242+(e699d54) into msm-5.4" 2023-08-16 00:53:05 -07:00
M A Ramdhan
f38754f733 UPSTREAM: net/sched: cls_fw: Fix improper refcount update leads to use-after-free
[ Upstream commit 0323bce598eea038714f941ce2b22541c46d488f ]

In the event of a failure in tcf_change_indev(), fw_set_parms() will
immediately return an error after incrementing or decrementing the
reference counter in tcf_bind_filter(). If an attacker can control the
reference counter to zero and make the reference freed, this leads to a
use-after-free.

In order to prevent this, move the point of possible failure above the
point where the TC_FW_CLASSID is handled.

Bug: 292252062
Bug: 290783303
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
Signed-off-by: M A Ramdhan <ramdhan@starlabs.sg>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c91fb29bb07ee4dd40aabd1e41f19c0f92ac3199)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I9bf6f540b4eb23ea5641fb3efe6f3e621d7b6151
2023-08-15 13:46:56 +01:00
qctecmdr
3686b916e5 Merge "bus: mhi: misc: Add check for dev_rp if it is iommu range or not" 2023-08-14 00:34:51 -07:00
Suren Baghdasaryan
bb3bc96f35 BACKPORT: FROMLIST: mm: protect free_pgtables with mmap_lock write lock in exit_mmap
oom-reaper and process_mrelease system call should protect against
races with exit_mmap which can destroy page tables while they
walk the VMA tree. oom-reaper protects from that race by setting
MMF_OOM_VICTIM and by relying on exit_mmap to set MMF_OOM_SKIP
before taking and releasing mmap_write_lock. process_mrelease has
to elevate mm->mm_users to prevent such race. Both oom-reaper and
process_mrelease hold mmap_read_lock when walking the VMA tree.
The locking rules and mechanisms could be simpler if exit_mmap takes
mmap_write_lock while executing destructive operations such as
free_pgtables.
Change exit_mmap to hold the mmap_write_lock when calling
free_pgtables. Operations like unmap_vmas() and unlock_range() are not
destructive and could run under mmap_read_lock but for simplicity we
take one mmap_write_lock during almost the entire operation. Note
also that because oom-reaper checks VM_LOCKED flag, unlock_range()
should not be allowed to race with it.
In most cases this lock should be uncontended. Previously, Kirill
reported ~4% regression caused by a similar change [1]. We reran the
same test and although the individual results are quite noisy, the
percentiles show lower regression with 1.6% being the worst case [2].
The change allows oom-reaper and process_mrelease to execute safely
under mmap_read_lock without worries that exit_mmap might destroy page
tables from under them.

[1] https://lore.kernel.org/all/20170725141723.ivukwhddk2voyhuc@node.shutemov.name/
[2] https://lore.kernel.org/all/CAJuCfpGC9-c9P40x7oy=jy5SphMcd0o0G_6U1-+JAziGKG6dGA@mail.gmail.com/

Signed-off-by: Suren Baghdasaryan <surenb@google.com>

Link: https://lore.kernel.org/all/20211124235906.14437-1-surenb@google.com/

Bug: 130172058
Bug: 189803002
Change-Id: Ic87272d09a0b68a1b0e968e8f1a1510fd6fc776a
Git-commit: 28358ebf2adb31117893813992fefcfd359a6a16
Git-repo: https://android.googlesource.com/kernel/common/
[quic_gkohli@quicinc.com: Resolved cherry-pick conflict in mm/mmap.c
 because the mmap lock was implemented differently in the older kernel.
 Although process_mrelease is not applicable in the older kernel, this
 patch is required to take the exclusive lock in the exit_mmap path so that
 SPF knows an isolated vma was freed from this path]
Signed-off-by: Gaurav Kohli <quic_gkohli@quicinc.com>
Signed-off-by: Srinivasarao Pathipati <quic_c_spathi@quicinc.com>
2023-08-11 14:59:04 +05:30
qctecmdr
5305af0230 Merge "PCI: Configure RC MPS to 128 for Realtek 8168 attach" 2023-08-10 18:05:12 -07:00
qctecmdr
1cf266a831 Merge "drivers: qcom: pil: Use update_marker for modem book kpi" 2023-08-10 03:35:10 -07:00
Subramanian Ananthanarayanan
eaecb54706 PCI: Configure RC MPS to 128 for Realtek 8168 attach
This change configures the QC RC MPS to 128 bytes, as the 8168 device only
supports 128 bytes. Without this quirk, since the RC is using the
pcie_bus_perf flag, MPS is configured to 256 bytes; when the EP MRRS is
changed to 4096 bytes, the RC responds with packets of 256 bytes, causing a
functionality break.

Since pcie_bus_perf is used for many products, this change provides a
provision to configure the RC to 128 bytes for Realtek 8168 attach alone.

Change-Id: I4a82293e4f71bf188d4f0f2be8fa194c5ab007c2
Signed-off-by: Subramanian Ananthanarayanan <quic_skananth@quicinc.com>
2023-08-10 01:28:27 -07:00
Krishna chaitanya chundru
f4a90045e0 bus: mhi: misc: Add check for dev_rp if it is iommu range or not
The er_ctxt->rp pointer is updated by the MDM, which is untrusted to HLOS,
so it could be an arbitrary value.

If there is a security issue on the MDM and the updated pointer is not
aligned, then the driver will never come out of the loop that checks
dev_rp != rp.

So add a check to make sure it is in the buffer range and aligned to 128 bits.

Change-Id: Ib484e07f2c75fcd657a4ccc648a3a20de3edeebc
Signed-off-by: Krishna chaitanya chundru <quic_krichai@quicinc.com>
2023-08-09 20:06:22 -07:00
Khaja Hussain Shaik Khaji
dc03cfa27f drivers: qcom: pil: Use update_marker for modem book kpi
Use update_marker instead of place_marker to avoid OOM
issue if boot kpi file keeps growing.
Add update_marker() declaration in boot_stats header file.

Change-Id: I9b842c10670b2adb918e246174fdac45fb53de40
Signed-off-by: Khaja Hussain Shaik Khaji <quic_kshaikkh@quicinc.com>
2023-08-07 14:47:36 +05:30
Naveen S Nair
98c03480ec soc: qcom: add buffer overflow check on AON rx_buffer
Add buffer overflow check while accessing data buffer
received from AON.

Change-Id: I0472a0ad1e6edc3fe8102850fddacd89ceea4959
Signed-off-by: Naveen S Nair <quic_naveensn@quicinc.com>
2023-08-02 14:53:13 +05:30
Lynus Vaz
dc674586ed msm: kgsl: Defer drawobj_sync_timeline_fence_work() to a workqueue
drawobj_sync_timeline_fence_work() does a cleanup of fence and syncobj
allocations. Doing this cleanup in irq context requires the irq_work
struct to remain valid after the function executes. Avoid this constraint
by deferring this work to the memory workqueue.

Change-Id: Icf648a61686c1ef3fd84467a2376b11a9a4bb803
Signed-off-by: Lynus Vaz <quic_lvaz@quicinc.com>
2023-07-30 19:26:44 -07:00
Manoj Prabhu B
afe20da34b memshare: Avoid accessing uninitialized nodes
Prevent iterating over uninitialized memshare child nodes
while handling client alloc and free requests.

Change-Id: I421cd239bb999176e587ab0c06757d83485fad6e
Signed-off-by: Manoj Prabhu B <quic_bmanoj@quicinc.com>
Signed-off-by: Meenu Raja Sundaram <quic_mrajasun@quicinc.com>
2023-07-27 17:28:21 +05:30
Srinivasarao Pathipati
a6b9d0d53d Merge android11-5.4.242+(e699d54) into msm-5.4
* remotes/origin/tmp-e699d54:
  ANDROID: HID: Only utilise UHID provided exports if UHID is enabled
  ANDROID: HID; Over-ride default maximum buffer size when using UHID
  Revert "ANDROID: AVB error handler to invalidate vbmeta partition."
  UPSTREAM: mailbox: mailbox-test: fix a locking issue in mbox_test_message_write()
  UPSTREAM: mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()
  UPSTREAM: efi: rt-wrapper: Add missing include
  BACKPORT: arm64: efi: Execute runtime services from a dedicated stack
  UPSTREAM: io_uring: have io_kill_timeout() honor the request references
  UPSTREAM: io_uring: don't drop completion lock before timer is fully initialized
  UPSTREAM: io_uring: always grab lock in io_cancel_async_work()
  UPSTREAM: net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
  UPSTREAM: cdc_ncm: Fix the build warning
  UPSTREAM: cdc_ncm: Implement the 32-bit version of NCM Transfer Block
  UPSTREAM: ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum
  UPSTREAM: ext4: fix invalid free tracking in ext4_xattr_move_to_block()
  Revert "Revert "mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse""
  FROMLIST: binder: fix UAF caused by faulty buffer cleanup
  UPSTREAM: usb: musb: mediatek: don't unregister something that wasn't registered
  UPSTREAM: net: fix NULL pointer in skb_segment_list
  UPSTREAM: xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()
  UPSTREAM: xfrm: compat: change expression for switch in xfrm_xlate64
  UPSTREAM: perf/core: Call LSM hook after copying perf_event_attr
  UPSTREAM: ext4: fix use-after-free in ext4_xattr_set_entry
  UPSTREAM: ext4: remove duplicate definition of ext4_xattr_ibody_inline_set()
  UPSTREAM: Revert "ext4: fix use-after-free in ext4_xattr_set_entry"
  Linux 5.4.242
  ASN.1: Fix check for strdup() success
  iio: adc: at91-sama5d2_adc: fix an error code in at91_adc_allocate_trigger()
  pwm: meson: Explicitly set .polarity in .get_state()
  xfs: fix forkoff miscalculation related to XFS_LITINO(mp)
  sctp: Call inet6_destroy_sock() via sk->sk_destruct().
  dccp: Call inet6_destroy_sock() via sk->sk_destruct().
  inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
  tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct().
  udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM).
  ext4: fix use-after-free in ext4_xattr_set_entry
  ext4: remove duplicate definition of ext4_xattr_ibody_inline_set()
  Revert "ext4: fix use-after-free in ext4_xattr_set_entry"
  x86/purgatory: Don't generate debug info for purgatory.ro
  MIPS: Define RUNTIME_DISCARD_EXIT in LD script
  mmc: sdhci_am654: Set HIGH_SPEED_ENA for SDR12 and SDR25
  memstick: fix memory leak if card device is never registered
  nilfs2: initialize unused bytes in segment summary blocks
  iio: light: tsl2772: fix reading proximity-diodes from device tree
  xen/netback: use same error messages for same errors
  nvme-tcp: fix a possible UAF when failing to allocate an io queue
  s390/ptrace: fix PTRACE_GET_LAST_BREAK error handling
  net: dsa: b53: mmap: add phy ops
  scsi: core: Improve scsi_vpd_inquiry() checks
  scsi: megaraid_sas: Fix fw_crash_buffer_show()
  selftests: sigaltstack: fix -Wuninitialized
  Input: i8042 - add quirk for Fujitsu Lifebook A574/H
  f2fs: Fix f2fs_truncate_partial_nodes ftrace event
  e1000e: Disable TSO on i219-LM card to increase speed
  bpf: Fix incorrect verifier pruning due to missing register precision taints
  mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next()
  i40e: fix i40e_setup_misc_vector() error handling
  i40e: fix accessing vsi->active_filters without holding lock
  netfilter: nf_tables: fix ifdef to also consider nf_tables=m
  virtio_net: bugfix overflow inside xdp_linearize_page()
  net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg
  regulator: fan53555: Explicitly include bits header
  netfilter: br_netfilter: fix recent physdev match breakage
  arm64: dts: meson-g12-common: specify full DMC range
  ARM: dts: rockchip: fix a typo error for rk3288 spdif node
  Linux 5.4.241
  xfs: force log and push AIL to clear pinned inodes when aborting mount
  xfs: don't reuse busy extents on extent trim
  xfs: consider shutdown in bmapbt cursor delete assert
  xfs: shut down the filesystem if we screw up quota reservation
  xfs: report corruption only as a regular error
  xfs: set inode size after creating symlink
  xfs: fix up non-directory creation in SGID directories
  xfs: remove the di_version field from struct icdinode
  xfs: simplify a check in xfs_ioctl_setattr_check_cowextsize
  xfs: simplify di_flags2 inheritance in xfs_ialloc
  xfs: only check the superblock version for dinode size calculation
  xfs: add a new xfs_sb_version_has_v3inode helper
  xfs: remove the kuid/kgid conversion wrappers
  xfs: remove the icdinode di_uid/di_gid members
  xfs: ensure that the inode uid/gid match values match the icdinode ones
  xfs: merge the projid fields in struct xfs_icdinode
  xfs: show the proper user quota options
  coresight-etm4: Fix for() loop drvdata->nr_addr_cmp range bug
  watchdog: sbsa_wdog: Make sure the timeout programming is within the limits
  i2c: ocores: generate stop condition after timeout in polling mode
  ubi: Fix deadlock caused by recursively holding work_sem
  mtd: ubi: wl: Fix a couple of kernel-doc issues
  ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size
  asymmetric_keys: log on fatal failures in PE/pkcs7
  verify_pefile: relax wrapper length check
  drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F
  efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L
  i2c: imx-lpi2c: clean rx/tx buffers upon new message
  power: supply: cros_usbpd: reclassify "default case!" as debug
  net: macb: fix a memory corruption in extended buffer descriptor mode
  udp6: fix potential access to stale information
  RDMA/core: Fix GID entry ref leak when create_ah fails
  sctp: fix a potential overflow in sctp_ifwdtsn_skip
  qlcnic: check pci_reset_function result
  niu: Fix missing unwind goto in niu_alloc_channels()
  9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition
  mtd: rawnand: stm32_fmc2: remove unsupported EDO mode
  mtd: rawnand: meson: fix bitmask for length in command word
  mtdblock: tolerate corrected bit-flips
  btrfs: fix fast csum implementation detection
  btrfs: print checksum type and implementation at mount time
  Bluetooth: Fix race condition in hidp_session_thread
  Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
  ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards
  ALSA: firewire-tascam: add missing unwind goto in snd_tscm_stream_start_duplex()
  ALSA: i2c/cs8427: fix iec958 mixer control deactivation
  ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard
  ALSA: emu10k1: fix capture interrupt handler unlinking
  Revert "pinctrl: amd: Disable and mask interrupts on resume"
  irqdomain: Fix mapping-creation race
  irqdomain: Refactor __irq_domain_alloc_irqs()
  irqdomain: Look for existing mapping only once
  mm/swap: fix swap_info_struct race between swapoff and get_swap_pages()
  ring-buffer: Fix race while reader and writer are on the same page
  drm/panfrost: Fix the panfrost_mmu_map_fault_addr() error path
  net_sched: prevent NULL dereference if default qdisc setup failed
  tracing: Free error logs of tracing instances
  can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access
  ftrace: Mark get_lock_parent_ip() __always_inline
  perf/core: Fix the same task check in perf_event_set_output
  ALSA: hda/realtek: Add quirk for Clevo X370SNW
  nilfs2: fix sysfs interface lifetime
  nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()
  tty: serial: fsl_lpuart: avoid checking for transfer complete when UARTCTRL_SBK is asserted in lpuart32_tx_empty
  tty: serial: sh-sci: Fix Rx on RZ/G2L SCI
  tty: serial: sh-sci: Fix transmit end interrupt handler
  iio: dac: cio-dac: Fix max DAC write value check for 12-bit
  iio: adc: ti-ads7950: Set `can_sleep` flag for GPIO chip
  USB: serial: option: add Quectel RM500U-CN modem
  USB: serial: option: add Telit FE990 compositions
  usb: typec: altmodes/displayport: Fix configure initial pin assignment
  USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs
  xhci: also avoid the XHCI_ZERO_64B_REGS quirk with a passthrough iommu
  NFSD: callback request does not use correct credential for AUTH_SYS
  sunrpc: only free unix grouplist after RCU settles
  gpio: davinci: Add irq chip flag to skip set wake
  ipv6: Fix an uninit variable access bug in __ip6_make_skb()
  sctp: check send stream number after wait_for_sndbuf
  net: don't let netpoll invoke NAPI if in xmit context
  icmp: guard against too small mtu
  wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta
  pwm: sprd: Explicitly set .polarity in .get_state()
  pwm: cros-ec: Explicitly set .polarity in .get_state()
  pinctrl: amd: Disable and mask interrupts on resume
  pinctrl: amd: disable and mask interrupts on probe
  pinctrl: amd: Use irqchip template
  smb3: fix problem with null cifs super block with previous patch
  treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()
  Revert "treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()"
  cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach()
  x86/PCI: Add quirk for AMD XHCI controller that loses MSI-X state in D3hot
  scsi: ses: Handle enclosure with just a primary component gracefully
  Linux 5.4.240
  gfs2: Always check inode size of inline inodes
  firmware: arm_scmi: Fix device node validation for mailbox transport
  net: sched: fix race condition in qdisc_graft()
  net_sched: add __rcu annotation to netdev->qdisc
  ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
  btrfs: scan device in non-exclusive mode
  s390/uaccess: add missing earlyclobber annotations to __clear_user()
  drm/etnaviv: fix reference leak when mmaping imported buffer
  ALSA: usb-audio: Fix regression on detection of Roland VS-100
  ALSA: hda/conexant: Partial revert of a quirk for Lenovo
  NFSv4: Fix hangs when recovering open state after a server reboot
  pinctrl: at91-pio4: fix domain name assignment
  xen/netback: don't do grant copy across page boundary
  Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table
  cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL
  cifs: prevent infinite recursion in CIFSGetDFSRefer()
  Input: focaltech - use explicitly signed char type
  Input: alps - fix compatibility with -funsigned-char
  pinctrl: ocelot: Fix alt mode for ocelot
  net: mvneta: make tx buffer array agnostic
  net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only
  bnxt_en: Fix typo in PCI id to device description string mapping
  i40e: fix registers dump after run ethtool adapter self test
  s390/vfio-ap: fix memory leak in vfio_ap device driver
  can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
  net/net_failover: fix txq exceeding warning
  regulator: Handle deferred clk
  regulator: fix spelling mistake "Cant" -> "Can't"
  ptp_qoriq: fix memory leak in probe()
  scsi: megaraid_sas: Fix crash after a double completion
  mtd: rawnand: meson: invalidate cache on polling ECC bit
  mips: bmips: BCM6358: disable RAC flush for TP1
  dma-mapping: drop the dev argument to arch_sync_dma_for_*
  ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx()
  fbdev: au1200fb: Fix potential divide by zero
  fbdev: lxfb: Fix potential divide by zero
  fbdev: intelfb: Fix potential divide by zero
  fbdev: nvidia: Fix potential divide by zero
  sched_getaffinity: don't assume 'cpumask_size()' is fully initialized
  fbdev: tgafb: Fix potential divide by zero
  ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
  ALSA: asihpi: check pao in control_message()
  md: avoid signed overflow in slot_store()
  bus: imx-weim: fix branch condition evaluates to a garbage value
  fsverity: don't drop pagecache at end of FS_IOC_ENABLE_VERITY
  ocfs2: fix data corruption after failed write
  tun: avoid double free in tun_free_netdev
  sched/fair: Sanitize vruntime of entity being migrated
  sched/fair: sanitize vruntime of entity being placed
  dm crypt: add cond_resched() to dmcrypt_write()
  dm stats: check for and propagate alloc_percpu failure
  i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()
  nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()
  wifi: mac80211: fix qos on mesh interfaces
  usb: chipidea: core: fix possible concurrent when switch role
  usb: chipdea: core: fix return -EINVAL if request role is the same with current role
  usb: cdns3: Fix issue with using incorrect PCI device function
  dm thin: fix deadlock when swapping to thin device
  igb: revert rtnl_lock() that causes deadlock
  fsverity: Remove WQ_UNBOUND from fsverity read workqueue
  usb: gadget: u_audio: don't let userspace block driver unbind
  scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR
  cifs: empty interface list when server doesn't support query interfaces
  sh: sanitize the flags on sigreturn
  net: usb: qmi_wwan: add Telit 0x1080 composition
  net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990
  scsi: lpfc: Avoid usage of list iterator variable after loop
  scsi: ufs: core: Add soft dependency on governor_simpleondemand
  scsi: target: iscsi: Fix an error message in iscsi_check_key()
  selftests/bpf: check that modifier resolves after pointer
  m68k: Only force 030 bus error if PC not in exception table
  ca8210: fix mac_len negative array access
  riscv: Bump COMMAND_LINE_SIZE value to 1024
  thunderbolt: Use const qualifier for `ring_interrupt_index`
  uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2
  scsi: qla2xxx: Perform lockless command completion in abort path
  hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs
  platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl
  Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work
  Bluetooth: btqcomsmd: Fix command timeout after setting BD address
  net: mdio: thunder: Add missing fwnode_handle_put()
  hvc/xen: prevent concurrent accesses to the shared ring
  nvme-tcp: fix nvme_tcp_term_pdu to match spec
  net/sonic: use dma_mapping_error() for error check
  erspan: do not use skb_mac_header() in ndo_start_xmit()
  atm: idt77252: fix kmemleak when rmmod idt77252
  net/mlx5: Read the TC mapping of all priorities on ETS query
  bpf: Adjust insufficient default bpf_jit_limit
  keys: Do not cache key in task struct if key is requested from kernel thread
  net/ps3_gelic_net: Use dma_mapping_error
  net/ps3_gelic_net: Fix RX sk_buff length
  net: qcom/emac: Fix use after free bug in emac_remove due to race condition
  xirc2ps_cs: Fix use after free bug in xirc2ps_detach
  qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info
  net: usb: smsc95xx: Limit packet length to skb->len
  scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
  i2c: imx-lpi2c: check only for enabled interrupt flags
  igbvf: Regard vf reset nack as success
  intel/igbvf: free irq on the error path in igbvf_request_msix()
  iavf: fix non-tunneled IPv6 UDP packet type and hashing
  iavf: fix inverted Rx hash condition leading to disabled hash
  power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition
  net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
  Linux 5.4.239
  selftests: Fix the executable permissions for fib_tests.sh
  BACKPORT: mac80211_hwsim: notify wmediumd of used MAC addresses
  FROMGIT: mac80211_hwsim: add concurrent channels scanning support over virtio
  Revert "HID: core: Provide new max_buffer_size attribute to over-ride the default"
  Revert "HID: uhid: Over-ride the default maximum data buffer value with our own"
  Linux 5.4.238
  HID: uhid: Over-ride the default maximum data buffer value with our own
  HID: core: Provide new max_buffer_size attribute to over-ride the default
  PCI: Unify delay handling for reset and resume
  s390/ipl: add missing intersection check to ipl_report handling
  serial: 8250_em: Fix UART port type
  drm/i915: Don't use stolen memory for ring buffers with LLC
  x86/mm: Fix use of uninitialized buffer in sme_enable()
  fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks
  ftrace: Fix invalid address access in lookup_rec() when index is 0
  KVM: nVMX: add missing consistency checks for CR0 and CR4
  tracing: Make tracepoint lockdep check actually test something
  tracing: Check field value in hist_field_name()
  interconnect: fix mem leak when freeing nodes
  tty: serial: fsl_lpuart: skip waiting for transmission complete when UARTCTRL_SBK is asserted
  ext4: fix possible double unlock when moving a directory
  sh: intc: Avoid spurious sizeof-pointer-div warning
  drm/amdkfd: Fix an illegal memory access
  ext4: fix task hung in ext4_xattr_delete_inode
  ext4: fail ext4_iget if special inode unallocated
  jffs2: correct logic when creating a hole in jffs2_write_begin
  mmc: atmel-mci: fix race between stop command and start of next command
  media: m5mols: fix off-by-one loop termination error
  hwmon: (ina3221) return prober error code
  hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition
  hwmon: (adt7475) Fix masking of hysteresis registers
  hwmon: (adt7475) Display smoothing attributes in correct order
  ethernet: sun: add check for the mdesc_grab()
  net/iucv: Fix size of interrupt data
  net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull
  ipv4: Fix incorrect table ID in IOCTL path
  block: sunvdc: add check for mdesc_grab() returning NULL
  nvmet: avoid potential UAF in nvmet_req_complete()
  net: usb: smsc75xx: Limit packet length to skb->len
  nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
  net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status fails
  net: tunnels: annotate lockless accesses to dev->needed_headroom
  qed/qed_dev: guard against a possible division by zero
  i40e: Fix kernel crash during reboot when adapter is in recovery mode
  ipvlan: Make skb->skb_iif track skb->dev for l3s mode
  nfc: pn533: initialize struct pn533_out_arg properly
  tcp: tcp_make_synack() can be called from process context
  scsi: core: Fix a procfs host directory removal regression
  scsi: core: Fix a comment in function scsi_host_dev_release()
  netfilter: nft_redir: correct value of inet type `.maxattrs`
  ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU()
  ALSA: hda: Add Intel DG2 PCI ID and HDMI codec vid
  ALSA: hda: Add Alderlake-S PCI ID and HDMI codec vid
  ALSA: hda - controller is in GPU on the DG1
  ALSA: hda - add Intel DG1 PCI and HDMI ids
  scsi: mpt3sas: Fix NULL pointer access in mpt3sas_transport_port_add()
  docs: Correct missing "d_" prefix for dentry_operations member d_weak_revalidate
  clk: HI655X: select REGMAP instead of depending on it
  drm/meson: fix 1px pink line on GXM when scaling video overlay
  cifs: Move the in_send statistic to __smb_send_rqst()
  drm/panfrost: Don't sync rpm suspension after mmu flushing
  xfrm: Allow transport-mode states with AF_UNSPEC selector
  ext4: fix cgroup writeback accounting with fs-layer encryption
  ANDROID: preserve CRC for __irq_domain_add()
  Revert "drm/exynos: Don't reset bridge->next"
  Revert "drm/bridge: Rename bridge helpers targeting a bridge chain"
  Revert "drm/bridge: Introduce drm_bridge_get_next_bridge()"
  Revert "drm: Initialize struct drm_crtc_state.no_vblank from device settings"
  Revert "drm/msm/mdp5: Add check for kzalloc"
  Linux 5.4.237
  s390/dasd: add missing discipline function
  UML: define RUNTIME_DISCARD_EXIT
  sh: define RUNTIME_DISCARD_EXIT
  s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36
  powerpc/vmlinux.lds: Don't discard .rela* for relocatable builds
  powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT
  arch: fix broken BuildID for arm64 and riscv
  x86, vmlinux.lds: Add RUNTIME_DISCARD_EXIT to generic DISCARDS
  drm/i915: Don't use BAR mappings for ring buffers with LLC
  ipmi:watchdog: Set panic count to proper value on a panic
  ipmi/watchdog: replace atomic_add() and atomic_sub()
  media: ov5640: Fix analogue gain control
  PCI: Add SolidRun vendor ID
  macintosh: windfarm: Use unsigned type for 1-bit bitfields
  alpha: fix R_ALPHA_LITERAL reloc for large modules
  MIPS: Fix a compilation issue
  ext4: Fix deadlock during directory rename
  riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode
  net/smc: fix fallback failed while sendmsg with fastopen
  scsi: megaraid_sas: Update max supported LD IDs to 240
  btf: fix resolving BTF_KIND_VAR after ARRAY, STRUCT, UNION, PTR
  netfilter: tproxy: fix deadlock due to missing BH disable
  bnxt_en: Avoid order-5 memory allocation for TPA data
  net: caif: Fix use-after-free in cfusbl_device_notify()
  net: lan78xx: fix accessing the LAN7800's internal phy specific registers from the MAC driver
  net: usb: lan78xx: Remove lots of set but unused 'ret' variables
  selftests: nft_nat: ensuring the listening side is up before starting the client
  ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping()
  nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties
  drm/msm/a5xx: fix setting of the CP_PREEMPT_ENABLE_LOCAL register
  ext4: Fix possible corruption when moving a directory
  scsi: core: Remove the /proc/scsi/${proc_name} directory earlier
  cifs: Fix uninitialized memory read in smb3_qfs_tcon()
  SMB3: Backup intent flag missing from some more ops
  iommu/vt-d: Fix PASID directory pointer coherency
  irqdomain: Fix domain registration race
  irqdomain: Change the type of 'size' in __irq_domain_add() to be consistent
  ipmi:ssif: Add a timer between request retries
  ipmi:ssif: Increase the message retry time
  ipmi:ssif: Remove rtc_us_timer
  ipmi:ssif: resend_msg() cannot fail
  ipmi:ssif: make ssif_i2c_send() void
  iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter
  iommu/amd: Fix ill-formed ivrs_ioapic, ivrs_hpet and ivrs_acpihid options
  iommu/amd: Add PCI segment support for ivrs_[ioapic/hpet/acpihid] commands
  nfc: change order inside nfc_se_io error path
  ext4: zero i_disksize when initializing the bootloader inode
  ext4: fix WARNING in ext4_update_inline_data
  ext4: move where set the MAY_INLINE_DATA flag is set
  ext4: fix another off-by-one fsmap error on 1k block filesystems
  ext4: fix RENAME_WHITEOUT handling for inline directories
  drm/connector: print max_requested_bpc in state debugfs
  x86/CPU/AMD: Disable XSAVES on AMD family 0x17
  fs: prevent out-of-bounds array speculation when closing a file descriptor
  Linux 5.4.236
  staging: rtl8192e: Remove call_usermodehelper starting RadioPower.sh
  staging: rtl8192e: Remove function ..dm_check_ac_dc_power calling a script
  wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
  Linux 5.4.235
  dt-bindings: rtc: sun6i-a31-rtc: Loosen the requirements on the clocks
  media: uvcvideo: Fix race condition with usb_kill_urb
  media: uvcvideo: Provide sync and async uvc_ctrl_status_event
  tcp: Fix listen() regression in 5.4.229.
  Bluetooth: hci_sock: purge socket queues in the destruct() callback
  x86/resctl: fix scheduler confusion with 'current'
  x86/resctrl: Apply READ_ONCE/WRITE_ONCE to task_struct.{rmid,closid}
  net: tls: avoid hanging tasks on the tx_lock
  phy: rockchip-typec: Fix unsigned comparison with less than zero
  PCI: Add ACS quirk for Wangxun NICs
  kernel/fail_function: fix memory leak with using debugfs_lookup()
  usb: uvc: Enumerate valid values for color matching
  USB: ene_usb6250: Allocate enough memory for full object
  usb: host: xhci: mvebu: Iterate over array indexes instead of using pointer math
  iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_config_word()
  iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_status_word()
  tools/iio/iio_utils:fix memory leak
  mei: bus-fixup:upon error print return values of send and receive
  tty: serial: fsl_lpuart: disable the CTS when send break signal
  tty: fix out-of-bounds access in tty_driver_lookup_tty()
  staging: emxx_udc: Add checks for dma_alloc_coherent()
  media: uvcvideo: Silence memcpy() run-time false positive warnings
  media: uvcvideo: Quirk for autosuspend in Logitech B910 and C910
  media: uvcvideo: Handle errors from calls to usb_string
  media: uvcvideo: Handle cameras with invalid descriptors
  mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak
  firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3
  tracing: Add NULL checks for buffer in ring_buffer_free_read_page()
  thermal: intel: BXT_PMIC: select REGMAP instead of depending on it
  thermal: intel: quark_dts: fix error pointer dereference
  scsi: ipr: Work around fortify-string warning
  rtc: sun6i: Always export the internal oscillator
  rtc: sun6i: Make external 32k oscillator optional
  vc_screen: modify vcs_size() handling in vcs_read()
  tcp: tcp_check_req() can be called from process context
  ARM: dts: spear320-hmi: correct STMPE GPIO compatible
  net/sched: act_sample: fix action bind logic
  nfc: fix memory leak of se_io context in nfc_genl_se_io
  net/mlx5: Geneve, Fix handling of Geneve object id as error code
  9p/rdma: unmap receive dma buffer in rdma_request()/post_recv()
  9p/xen: fix connection sequence
  9p/xen: fix version parsing
  net: fix __dev_kfree_skb_any() vs drop monitor
  sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop
  ipv6: Add lwtunnel encap size of all siblings in nexthop calculation
  netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()
  watchdog: pcwd_usb: Fix attempting to access uninitialized memory
  watchdog: Fix kmemleak in watchdog_cdev_register
  watchdog: at91sam9_wdt: use devm_request_irq to avoid missing free_irq() in error path
  x86: um: vdso: Add '%rcx' and '%r11' to the syscall clobber list
  ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed
  ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
  ubifs: ubifs_writepage: Mark page dirty after writing inode failed
  ubifs: dirty_cow_znode: Fix memleak in error handling path
  ubifs: Re-statistic cleaned znode count if commit failed
  ubi: Fix possible null-ptr-deref in ubi_free_volume()
  ubifs: Fix memory leak in alloc_wbufs()
  ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume()
  ubi: Fix use-after-free when volume resizing failed
  ubifs: Reserve one leb for each journal head while doing budget
  ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1
  ubifs: Fix wrong dirty space budget for dirty inode
  ubifs: Rectify space budget for ubifs_xrename()
  ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted
  ubifs: Fix build errors as symbol undefined
  ubi: ensure that VID header offset + VID header size <= alloc, size
  um: vector: Fix memory leak in vector_config
  fs: f2fs: initialize fsdata in pagecache_write()
  f2fs: use memcpy_{to,from}_page() where possible
  pwm: stm32-lp: fix the check on arr and cmp registers update
  pwm: sifive: Always let the first pwm_apply_state succeed
  pwm: sifive: Reduce time the controller lock is held
  fs/jfs: fix shift exponent db_agl2size negative
  net/sched: Retire tcindex classifier
  kbuild: Port silent mode detection to future gnu make.
  wifi: ath9k: use proper statements in conditionals
  drm/radeon: Fix eDP for single-display iMac11,2
  drm/i915/quirks: Add inverted backlight quirk for HP 14-r206nv
  PCI: Avoid FLR for AMD FCH AHCI adapters
  PCI: hotplug: Allow marking devices as disconnected during bind/unbind
  PCI/PM: Observe reset delay irrespective of bridge_d3
  scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
  scsi: ses: Fix possible desc_ptr out-of-bounds accesses
  scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
  scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()
  scsi: ses: Don't attach if enclosure has no components
  scsi: qla2xxx: Fix erroneous link down
  scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests
  scsi: qla2xxx: Fix link failure in NPIV environment
  ktest.pl: Add RUN_TIMEOUT option with default unlimited
  ktest.pl: Fix missing "end_monitor" when machine check fails
  ktest.pl: Give back console on Ctrt^C on monitor
  mm/thp: check and bail out if page in deferred queue already
  mm: memcontrol: deprecate charge moving
  media: ipu3-cio2: Fix PM runtime usage_count in driver unbind
  mips: fix syscall_get_nr
  alpha: fix FEN fault handling
  rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails
  ARM: dts: exynos: correct TMU phandle in Odroid XU
  ARM: dts: exynos: correct TMU phandle in Exynos4
  dm flakey: don't corrupt the zero page
  dm flakey: fix logic when corrupting a bio
  thermal: intel: powerclamp: Fix cur_state for multi package system
  wifi: cfg80211: Fix use after free for wext
  wifi: rtl8xxxu: Use a longer retry limit of 48
  ext4: refuse to create ea block when umounted
  ext4: optimize ea_inode block expansion
  ALSA: hda/realtek: Add quirk for HP EliteDesk 800 G6 Tower PC
  ALSA: ice1712: Do not left ice->gpio_mutex locked in aureon_add_controls()
  irqdomain: Drop bogus fwspec-mapping error handling
  irqdomain: Fix disassociation race
  irqdomain: Fix association race
  ima: Align ima_file_mmap() parameters with mmap_file LSM hook
  Documentation/hw-vuln: Document the interaction between IBRS and STIBP
  x86/speculation: Allow enabling STIBP with legacy IBRS
  x86/microcode/AMD: Fix mixed steppings support
  x86/microcode/AMD: Add a @cpu parameter to the reloading functions
  x86/microcode/amd: Remove load_microcode_amd()'s bsp parameter
  x86/kprobes: Fix arch_check_optimized_kprobe check within optimized_kprobe range
  x86/kprobes: Fix __recover_optprobed_insn check optimizing logic
  x86/reboot: Disable SVM, not just VMX, when stopping CPUs
  x86/reboot: Disable virtualization in an emergency if SVM is supported
  x86/crash: Disable virt in core NMI crash handler to avoid double shootdown
  x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows)
  KVM: s390: disable migration mode when dirty tracking is disabled
  KVM: Destroy target device if coalesced MMIO unregistration fails
  udf: Fix file corruption when appending just after end of preallocated extent
  udf: Detect system inodes linked into directory hierarchy
  udf: Preserve link count of system files
  udf: Do not update file length for failed writes to inline files
  udf: Do not bother merging very long extents
  udf: Truncate added extents on failed expansion
  ocfs2: fix non-auto defrag path not working issue
  ocfs2: fix defrag path triggering jbd2 ASSERT
  f2fs: fix cgroup writeback accounting with fs-layer encryption
  f2fs: fix information leak in f2fs_move_inline_dirents()
  fs: hfsplus: fix UAF issue in hfsplus_put_super
  hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
  ARM: dts: exynos: correct HDMI phy compatible in Exynos4
  s390/kprobes: fix current_kprobe never cleared after kprobes reenter
  s390/kprobes: fix irq mask clobbering on kprobe reenter from post_handler
  s390: discard .interp section
  ipmi_ssif: Rename idle state and check
  rtc: pm8xxx: fix set-alarm race
  firmware: coreboot: framebuffer: Ignore reserved pixel color bits
  wifi: rtl8xxxu: fixing transmisison failure for rtl8192eu
  nfsd: zero out pointers after putting nfsd_files on COPY setup error
  dm cache: add cond_resched() to various workqueue loops
  dm thin: add cond_resched() to various workqueue loops
  drm: panel-orientation-quirks: Add quirk for Lenovo IdeaPad Duet 3 10IGL5
  pinctrl: at91: use devm_kasprintf() to avoid potential leaks
  hwmon: (coretemp) Simplify platform device handling
  regulator: s5m8767: Bounds check id indexing into arrays
  regulator: max77802: Bounds check regulator id against opmode
  ASoC: kirkwood: Iterate over array indexes instead of using pointer math
  docs/scripts/gdb: add necessary make scripts_gdb step
  drm/msm/dsi: Add missing check for alloc_ordered_workqueue
  drm/radeon: free iio for atombios when driver shutdown
  HID: Add Mapping for System Microphone Mute
  drm/omap: dsi: Fix excessive stack usage
  drm/amd/display: Fix potential null-deref in dm_resume
  uaccess: Add minimum bounds check on kernel buffer size
  coda: Avoid partial allocation of sig_inputArgs
  net/mlx5: fw_tracer: Fix debug print
  ACPI: video: Fix Lenovo Ideapad Z570 DMI match
  wifi: mt76: dma: free rx_head in mt76_dma_rx_cleanup
  m68k: Check syscall_trace_enter() return code
  net: bcmgenet: Add a check for oversized packets
  ACPI: Don't build ACPICA with '-Os'
  ice: add missing checks for PF vsi type
  inet: fix fast path in __inet_hash_connect()
  wifi: mt7601u: fix an integer underflow
  wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds
  x86/bugs: Reset speculation control settings on init
  timers: Prevent union confusion from unexpected restart_syscall()
  thermal: intel: Fix unsigned comparison with less than zero
  rcu: Suppress smp_processor_id() complaint in synchronize_rcu_expedited_wait()
  wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()
  blk-iocost: fix divide by 0 error in calc_lcoefs()
  ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy
  udf: Define EFSCORRUPTED error code
  rpmsg: glink: Avoid infinite loop on intent for missing channel
  media: usb: siano: Fix use after free bugs caused by do_submit_urb
  media: i2c: ov7670: 0 instead of -EINVAL was returned
  media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
  media: i2c: ov772x: Fix memleak in ov772x_probe()
  media: ov5675: Fix memleak in ov5675_init_controls()
  powerpc: Remove linker flag from KBUILD_AFLAGS
  media: platform: ti: Add missing check for devm_regulator_get
  remoteproc: qcom_q6v5_mss: Use a carveout to authenticate modem headers
  MIPS: vpe-mt: drop physical_memsize
  MIPS: SMP-CPS: fix build error when HOTPLUG_CPU not set
  powerpc/eeh: Set channel state after notifying the drivers
  powerpc/eeh: Small refactor of eeh_handle_normal_event()
  powerpc/rtas: ensure 4KB alignment for rtas_data_buf
  powerpc/rtas: make all exports GPL
  powerpc/pseries/lparcfg: add missing RTAS retry status handling
  powerpc/pseries/lpar: add missing RTAS retry status handling
  clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled()
  powerpc/powernv/ioda: Skip unallocated resources when mapping to PE
  clk: qcom: gpucc-sdm845: fix clk_dis_wait being programmed for CX GDSC
  Input: ads7846 - don't check penirq immediately for 7845
  Input: ads7846 - don't report pressure for ads7845
  clk: renesas: cpg-mssr: Remove superfluous check in resume code
  clk: renesas: cpg-mssr: Use enum clk_reg_layout instead of a boolean flag
  clk: renesas: cpg-mssr: Fix use after free if cpg_mssr_common_init() failed
  mtd: rawnand: sunxi: Fix the size of the last OOB region
  clk: qcom: gcc-qcs404: fix names of the DSI clocks used as parents
  clk: qcom: gcc-qcs404: disable gpll[04]_out_aux parents
  mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read()
  selftests/ftrace: Fix bash specific "==" operator
  sparc: allow PM configs for sparc32 COMPILE_TEST
  perf tools: Fix auto-complete on aarch64
  perf llvm: Fix inadvertent file creation
  gfs2: jdata writepage fix
  cifs: Fix warning and UAF when destroy the MR list
  cifs: Fix lost destroy smbd connection when MR allocate failed
  nfsd: fix race to check ls_layouts
  hid: bigben_probe(): validate report count
  HID: asus: Fix mute and touchpad-toggle keys on Medion Akoya E1239T
  HID: asus: Add support for multi-touch touchpad on Medion Akoya E1239T
  HID: asus: Add report_size to struct asus_touchpad_info
  HID: asus: Only set EV_REP if we are adding a mapping
  HID: bigben: use spinlock to safely schedule workers
  HID: bigben_worker() remove unneeded check on report_field
  HID: bigben: use spinlock to protect concurrent accesses
  ASoC: soc-dapm.h: fixup warning struct snd_pcm_substream not declared
  ASoC: dapm: declare missing structure prototypes
  spi: synquacer: Fix timeout handling in synquacer_spi_transfer_one()
  dm: remove flush_scheduled_work() during local_exit()
  hwmon: (mlxreg-fan) Return zero speed for broken fan
  spi: bcm63xx-hsspi: Fix multi-bit mode setting
  spi: bcm63xx-hsspi: fix pm_runtime
  scsi: aic94xx: Add missing check for dma_map_single()
  hwmon: (ltc2945) Handle error case in ltc2945_value_store
  gpio: vf610: connect GPIO label to dev name
  ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress()
  drm/mediatek: Clean dangling pointer on bind error path
  drm/mediatek: Drop unbalanced obj unref
  drm/mediatek: Use NULL instead of 0 for NULL pointer
  drm/mediatek: remove cast to pointers passed to kfree
  gpu: host1x: Don't skip assigning syncpoints to channels
  drm/msm/mdp5: Add check for kzalloc
  drm: Initialize struct drm_crtc_state.no_vblank from device settings
  drm/bridge: Introduce drm_bridge_get_next_bridge()
  drm/bridge: Rename bridge helpers targeting a bridge chain
  drm/exynos: Don't reset bridge->next
  drm/msm/dpu: Add check for pstates
  drm/msm/dpu: Add check for cstate
  drm/msm: use strscpy instead of strncpy
  drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness
  ALSA: hda/ca0132: minor fix for allocation size
  ASoC: fsl_sai: initialize is_dsp_mode flag
  pinctrl: stm32: Fix refcount leak in stm32_pctrl_get_irq_domain
  drm/msm/hdmi: Add missing check for alloc_ordered_workqueue
  gpu: ipu-v3: common: Add of_node_put() for reference returned by of_graph_get_port_by_id()
  drm/vc4: dpi: Fix format mapping for RGB565
  drm/vc4: dpi: Add option for inverting pixel clock and output enable
  drm/bridge: megachips: Fix error handling in i2c_register_driver()
  drm: mxsfb: DRM_MXSFB should depend on ARCH_MXS || ARCH_MXC
  drm/fourcc: Add missing big-endian XRGB1555 and RGB565 formats
  selftest: fib_tests: Always cleanup before exit
  selftests/net: Interpret UDP_GRO cmsg data as an int value
  irqchip/irq-bcm7120-l2: Set IRQ_LEVEL for level triggered interrupts
  irqchip/irq-brcmstb-l2: Set IRQ_LEVEL for level triggered interrupts
  can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of a bus error
  thermal/drivers/hisi: Drop second sensor hi3660
  wifi: mac80211: make rate u32 in sta_set_rate_info_rx()
  crypto: crypto4xx - Call dma_unmap_page when done
  wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize()
  wifi: iwl4965: Add missing check for create_singlethread_workqueue()
  wifi: iwl3945: Add missing check for create_singlethread_workqueue
  treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()
  usb: gadget: udc: Avoid tasklet passing a global
  RISC-V: time: initialize hrtimer based broadcast clock event device
  m68k: /proc/hardware should depend on PROC_FS
  crypto: rsa-pkcs1pad - Use akcipher_request_complete
  rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
  libbpf: Fix alen calculation in libbpf_nla_dump_errormsg()
  Bluetooth: L2CAP: Fix potential user-after-free
  OPP: fix error checking in opp_migrate_dentry()
  tap: tap_open(): correctly initialize socket uid
  tun: tun_chr_open(): correctly initialize socket uid
  net: add sock_init_data_uid()
  mptcp: add sk_stop_timer_sync helper
  irqchip/ti-sci: Fix refcount leak in ti_sci_intr_irq_domain_probe
  irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe
  irqchip/alpine-msi: Fix refcount leak in alpine_msix_init_domains
  net/mlx5: Enhance debug print in page allocation failure
  powercap: fix possible name leak in powercap_register_zone()
  crypto: seqiv - Handle EBUSY correctly
  crypto: essiv - Handle EBUSY correctly
  crypto: essiv - remove redundant null pointer check before kfree
  crypto: ccp - Failure on re-initialization due to duplicate sysfs filename
  ACPI: battery: Fix missing NUL-termination with large strings
  wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()
  wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails
  ath9k: htc: clean up statistics macros
  ath9k: hif_usb: simplify if-if to if-else
  wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
  wifi: orinoco: check return value of hermes_write_wordrec()
  ACPICA: nsrepair: handle cases without a return value correctly
  lib/mpi: Fix buffer overrun when SG is too long
  genirq: Fix the return type of kstat_cpu_irqs_sum()
  ACPICA: Drop port I/O validation for some regions
  crypto: x86/ghash - fix unaligned access in ghash_setkey()
  wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave()
  wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave()
  wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave()
  wifi: libertas: if_usb: don't call kfree_skb() under spin_lock_irqsave()
  wifi: libertas_tf: don't call kfree_skb() under spin_lock_irqsave()
  wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid()
  wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit()
  wifi: wilc1000: fix potential memory leak in wilc_mac_xmit()
  wilc1000: let wilc_mac_xmit() return NETDEV_TX_OK
  wifi: ipw2200: fix memory leak in ipw_wdev_init()
  wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave()
  ipw2x00: switch from 'pci_' to 'dma_' API
  wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()
  rtlwifi: fix -Wpointer-sign warning
  wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave()
  wifi: libertas: fix memory leak in lbs_init_adapter()
  wifi: iwlegacy: common: don't call dev_kfree_skb() under spin_lock_irqsave()
  net/wireless: Delete unnecessary checks before the macro call “dev_kfree_skb”
  wifi: rsi: Fix memory leak in rsi_coex_attach()
  block: bio-integrity: Copy flags when bio_integrity_payload is cloned
  sched/rt: pick_next_rt_entity(): check list_entry
  sched/deadline,rt: Remove unused parameter from pick_next_[rt|dl]_entity()
  s390/dasd: Fix potential memleak in dasd_eckd_init()
  s390/dasd: Prepare for additional path event handling
  blk-mq: correct stale comment of .get_budget
  blk-mq: wait on correct sbitmap_queue in blk_mq_mark_tag_wait
  blk-mq: remove stale comment for blk_mq_sched_mark_restart_hctx
  block: Limit number of items taken from the I/O scheduler in one go
  Revert "scsi: core: run queue if SCSI device queue isn't ready and queue is idle"
  arm64: dts: mediatek: mt7622: Add missing pwm-cells to pwm node
  ARM: dts: imx7s: correct iomuxc gpr mux controller cells
  arm64: dts: amlogic: meson-gxl-s905d-phicomm-n1: fix led node name
  arm64: dts: amlogic: meson-gxl: add missing unit address to eth-phy-mux node name
  arm64: dts: amlogic: meson-gx: add missing unit address to rng node name
  arm64: dts: amlogic: meson-gx: add missing SCPI sensors compatible
  arm64: dts: amlogic: meson-axg: fix SCPI clock dvfs node name
  arm64: dts: amlogic: meson-gx: fix SCPI clock dvfs node name
  ARM: imx: Call ida_simple_remove() for ida_simple_get
  ARM: dts: exynos: correct wr-active property in Exynos3250 Rinato
  ARM: OMAP1: call platform_device_put() in error case in omap1_dm_timer_init()
  arm64: dts: meson: remove CPU opps below 1GHz for G12A boards
  arm64: dts: meson-gx: Fix the SCPI DVFS node name and unit address
  arm64: dts: meson-g12a: Fix internal Ethernet PHY unit name
  arm64: dts: meson-gx: Fix Ethernet MAC address unit name
  ARM: zynq: Fix refcount leak in zynq_early_slcr_init
  arm64: dts: qcom: qcs404: use symbol names for PCIe resets
  ARM: OMAP2+: Fix memory leak in realtime_counter_init()
  HID: asus: use spinlock to safely schedule workers
  HID: asus: use spinlock to protect concurrent accesses
  HID: asus: Remove check for same LED brightness on set
  Linux 5.4.234
  USB: core: Don't hold device lock while reading the "descriptors" sysfs file
  USB: serial: option: add support for VW/Skoda "Carstick LTE"
  dmaengine: sh: rcar-dmac: Check for error num after dma_set_max_seg_size
  vc_screen: don't clobber return value in vcs_read
  net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues().
  bpf: bpf_fib_lookup should not return neigh in NUD_FAILED state
  HID: core: Fix deadloop in hid_apply_multiplier.
  neigh: make sure used and confirmed times are valid
  IB/hfi1: Assign npages earlier
  btrfs: send: limit number of clones and allocated memory size
  ACPI: NFIT: fix a potential deadlock during NFIT teardown
  ARM: dts: rockchip: add power-domains property to dp node on rk3288
  arm64: dts: rockchip: drop unused LED mode property from rk3328-roc-cc

 Conflicts:
	Documentation/devicetree/bindings
	Documentation/devicetree/bindings/rtc/allwinner,sun6i-a31-rtc.yaml
	arch/arm/mm/dma-mapping.c
	drivers/clk/qcom/gcc-qcs404.c
	drivers/iommu/dma-iommu.c
	drivers/mtd/ubi/wl.c
	kernel/dma/direct.c

Change-Id: I5797c8cb2276354d851af215d431950eec734174
Signed-off-by: Srinivasarao Pathipati <quic_c_spathi@quicinc.com>
2023-07-26 14:21:25 +05:30
Lee Jones
61c6111f74 ANDROID: HID: Only utilise UHID provided exports if UHID is enabled
Commit "ANDROID: HID; Over-ride default maximum buffer size when using
UHID" provided a means for the UHID driver to offer an alternative
(smaller) report buffer size when dealing with user-space.  The method
used was an Android-only solution designed to prevent the KMI ABI from
being broken (nb: the upstream solution was cleaner, but broke the ABI).

Since this solution involved consuming resources exported by a
subordinate driver, that driver would have to be enabled for the export
to take place.  Since all of our default configs enable UHID, an issue
was not detected.  However, for more specific kernel configs, where HID
is enabled, but UHID is not, this leads to compile-time undefined symbol
errors:

  ld.lld: error: undefined symbol: uhid_hid_driver

This patch relies on the compiler to leave out unutilised sections of
the code if the associated resources are not available.

Bug: 260007429
Reported-by: Paul Lawrence <paullawrence@google.com>
Reported-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I80b1aa7454c89d5c5e21f0268252ffb666efab97
Signed-off-by: Lee Jones <joneslee@google.com>
2023-07-26 13:02:43 +05:30
qctecmdr
f3cc95dafd Merge "soc: qcom: socinfo: Add soc information for Blair APQ" 2023-07-25 11:17:38 -07:00
Takashi Iwai
07452ef620 UPSTREAM: media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()
[ Upstream commit b8c75e4a1b325ea0a9433fa8834be97b5836b946 ]

Using a semaphore in the wait_event*() condition is no good idea.
It hits a kernel WARN_ON() at prepare_to_wait_event() like:
  do not call blocking ops when !TASK_RUNNING; state=1 set at
  prepare_to_wait_event+0x6d/0x690

For avoiding the potential deadlock, rewrite to an open-coded loop
instead.  Unlike the loop in wait_event*(), this uses wait_woken()
after the condition check, hence the task state stays consistent.

CVE-2023-31084 was assigned to this bug.

Link: https://lore.kernel.org/r/CA+UBctCu7fXn4q41O_3=id1+OdyQ85tZY1x+TkT-6OVBL6KAUw@mail.gmail.com/

Bug: 290204413
Link: https://lore.kernel.org/linux-media/20230512151800.1874-1-tiwai@suse.de
Reported-by: Yu Hao <yhao016@ucr.edu>
Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-31084
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit d0088ea444e676a0c75551efe183bee4a3d2cfc8)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Id9420d5cf7676aec6c565013cc00f0cc6f05732d
2023-07-25 12:39:45 +00:00
qctecmdr
bc353eb572 Merge "soc: qcom: minidump: check the size parameter passed to qcom_smem_get()" 2023-07-24 21:48:16 -07:00
Swetha Chikkaboraiah
0401e9d8c2 soc: qcom: socinfo: Add soc information for Blair APQ
Add SOC ID to support socinfo for Blair APQ and Blair APQ-XR soc.

Change-Id: Ica80b43f1eab94d95bf38726571b36b7fc8a2e35
Signed-off-by: Swetha Chikkaboraiah <quic_schikk@quicinc.com>
2023-07-24 21:12:06 -07:00
Treehugger Robot
0eff73927d Merge "Merge tag 'android11-5.4.249_r00' into android11-5.4" into android11-5.4 2023-07-24 16:39:11 +00:00
Srinivasarao Pathipati
30e8ee90cb soc: qcom: minidump: check the size parameter passed to qcom_smem_get()
The size parameter passed to qcom_smem_get() can become less than
global toc size, add check to avoid out of bound accessing.

Change-Id: I068b4d5e27e94ce23c26856dad106a3970fb56d6
Signed-off-by: Srinivasarao Pathipati <quic_c_spathi@quicinc.com>
2023-07-24 14:12:25 +05:30
qctecmdr
c0fe2ac7d9 Merge "drivers: qcom: pil: Add KPI boot markers for modem" 2023-07-22 16:22:28 -07:00
kamasali Satyanarayan
6e8aefd6d5 ANDROID: ABI: Update allowed list for QCOM
Leaf changes summary: 2 artifacts changed
Changed leaf types summary: 0 leaf type changed
Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 1 Added function
Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 1 Added variable

1 Added function:

  [A] 'function int snd_card_free_when_closed(snd_card*)'

1 Added variable:

  [A] 'hid_ll_driver uhid_hid_driver'

Bug: 292212778
Change-Id: I82b33b9056da13971b04e5eda36a94992bfa1df2
Signed-off-by: kamasali Satyanarayan <quic_kamasali@quicinc.com>
2023-07-21 20:37:20 +05:30
Khaja Hussain Shaik Khaji
24dbadc7e8 drivers: qcom: pil: Add KPI boot markers for modem
Add modem crash and stop, dump start and complete boot markers.

Change-Id: I2e3304aa5d6bb2e578d89444cbd33cd1b8fe6f12
Signed-off-by: Khaja Hussain Shaik Khaji <quic_kshaikkh@quicinc.com>
2023-07-21 17:39:58 +05:30
qctecmdr
7ca4537e6c Merge "usb: gadget: cdev: Fix spinlock recursion" 2023-07-19 17:58:17 -07:00
qctecmdr
cad1e331a8 Merge "defconfig: sdxlemur: Realtek r8168 IOSS glue driver config" 2023-07-19 03:54:47 -07:00
Pratham Pratap
fe41aca1e4 usb: gadget: cdev: Fix spinlock recursion
Commit c99a841d40 ("usb: gadget: cdev: Add spinlock to synchronize
ports->cbits_updated") added spinlock to synchronize ports->cbits_updated
which is causing a spinlock recursion in usb_cser_notify_modem.

Fix this by unlocking the spinlock before it calls send_modem_ctrl_bits
which in turn tries to acquire the same spinlock.

Change-Id: I744ea93d7da60aaf27044400cf457cc81dab151d
Signed-off-by: Pratham Pratap <quic_ppratap@quicinc.com>
2023-07-19 11:56:18 +05:30
Pratham Pratap
c99a841d40 usb: gadget: cdev: Add spinlock to synchronize ports->cbits_updated
Consider a scenario in which open, write and close of AT port is being
done repeatedly. At some point in time, cbits_updated in f_cdev
structure gets overwritten by the previous close instance causing the AT
port to go unresponsive. This prevents port bridge service from sending
DTR/RTS settings to at_mdm0 from at_usb0.

Fix this by adding spinlock to synchronise the updation of
ports->cbits_updated field in f_cdev structure.

Change-Id: Ibf39aa90f3918cd5f22e32a3b06685db4c4298ae
Signed-off-by: Pratham Pratap <quic_ppratap@quicinc.com>
2023-07-11 11:59:48 -07:00
Greg Kroah-Hartman
ef9d9e2c44 Merge tag 'android11-5.4.249_r00' into android11-5.4
This is the merge of the upstream LTS release of 5.4.249 into the
android11-5.4 branch.

It contains the following commits:

* 874e208e9b Merge branch 'android11-5.4' into android11-5.4-lts
*   c7f89f1b6b Merge 5.4.249 into android11-5.4-lts
|\
| * b30db4f7e4 Linux 5.4.249
| * c874390551 xfs: verify buffer contents when we skip log replay
| * 72ab3d39b4 mm: make wait_on_page_writeback() wait for multiple pending writebacks
| * 9ea42ba3e6 mm: fix VM_BUG_ON(PageTail) and BUG_ON(PageWriteback)
| * dffd25725e i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle
| * f89bcf03e9 x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys
| * a43c763f9c drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
| * 45f574d8df drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl
| * c81a542e45 drm/exynos: vidi: fix a wrong error return
| * 948b8b5fd0 ARM: dts: Fix erroneous ADS touchscreen polarities
| * 8d6f9f5f3b ASoC: nau8824: Add quirk to active-high jack-detect
| * d6fd1b3f76 s390/cio: unregister device when the only path is gone
| * 0de32d3dd3 usb: gadget: udc: fix NULL dereference in remove()
| * 823dd7de82 nfcsim.c: Fix error checking for debugfs_create_dir
| * c32b39d070 media: cec: core: don't set last_initiator if tx in progress
| * a69a15a1e7 arm64: Add missing Set/Way CMO encodings
| * 99de9a18e6 HID: wacom: Add error check to wacom_parse_and_register()
| * 2af8d96372 scsi: target: iscsi: Prevent login threads from racing between each other
| * 321a81d26c sch_netem: acquire qdisc lock in netem_change()
| * 91274bbe78 Revert "net: phy: dp83867: perform soft reset and retain established link"
| * 25c8d38c75 netfilter: nfnetlink_osf: fix module autoload
| * 476c617e4d netfilter: nf_tables: disallow element updates of bound anonymous sets
| * d3b110395f be2net: Extend xmit workaround to BE3 chip
| * 789d528606 net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 switch
| * 35373d602b ipvs: align inner_mac_header for encapsulation
| * ee155675bd mmc: usdhi60rol0: fix deferred probing
| * 0bd483fb95 mmc: sh_mmcif: fix deferred probing
| * 6160d37db1 mmc: sdhci-acpi: fix deferred probing
| * b25875cf5e mmc: omap_hsmmc: fix deferred probing
| * cbb0118f8a mmc: omap: fix deferred probing
| * e0d5053569 mmc: mvsdio: fix deferred probing
| * c2e675509f mmc: mvsdio: convert to devm_platform_ioremap_resource
| * 3ef787d619 mmc: mtk-sd: fix deferred probing
| * 3c01d64996 net: qca_spi: Avoid high load if QCA7000 is not available
| * bf7a4fd336 xfrm: Linearize the skb after offloading if needed.
| * d0fe8a733f ieee802154: hwsim: Fix possible memory leaks
| * dfcac203a3 rcu: Upgrade rcu_swap_protected() to rcu_replace_pointer()
| * 94199d4727 x86/mm: Avoid using set_pgd() outside of real PGD pages
| * be178a5eae cifs: Fix potential deadlock when updating vol in cifs_reconnect()
| * 8a5aaa4562 cifs: Merge is_path_valid() into get_normalized_path()
| * 339134c15c cifs: Introduce helpers for finding TCP connection
| * cf8c7aa906 cifs: Get rid of kstrdup_const()'d paths
| * 3fa4c08104 cifs: Clean up DFS referral cache
| * b73539b887 nilfs2: prevent general protection fault in nilfs_clear_dirty_page()
| * 1cc7dcfdeb writeback: fix dereferencing NULL mapping->host on writeback_page_template
| * 18a0202bec ip_tunnels: allow VXLAN/GENEVE to inherit TOS/TTL from VLAN
| * ab530c9bec mmc: meson-gx: remove redundant mmc_request_done() call from irq context
| * 88b373d1c5 cgroup: Do not corrupt task iteration when rebinding subsystem
| * c06c568e43 PCI: hv: Fix a race condition bug in hv_pci_query_relations()
| * f02a676907 Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs
| * 966708ed9d nilfs2: fix buffer corruption due to concurrent device reads
| * a93ae93e9f media: dvb-core: Fix use-after-free due to race at dvb_register_device()
| * 225bd8cc9c media: dvbdev: fix error logic at dvb_register_device()
| * 5bc971f043 media: dvbdev: Fix memleak in dvb_register_device
| * 40d7530bc7 tick/common: Align tick period during sched_timer setup
| * b9b61fd1f7 x86/purgatory: remove PGO flags
| * 4d02a166cb tracing: Add tracing_reset_all_online_cpus_unlocked() function
| * e14e9cc588 epoll: ep_autoremove_wake_function should use list_del_init_careful
| * e77e5481d5 list: add "list_del_init_careful()" to go with "list_empty_careful()"
| * c32ab1c195 mm: rewrite wait_on_page_bit_common() logic
| * 559cefc7c2 nilfs2: reject devices with insufficient block count
* | f4bff64ed2 Merge 5.4.248 into android11-5.4-lts
|\|
| * f2b499c27a Linux 5.4.248
| * 1cdc48aaff mmc: block: ensure error propagation for non-blk
| * de517032ee drm/nouveau/kms: Fix NULL pointer dereference in nouveau_connector_detect_depth
| * d3f7f557d8 neighbour: delete neigh_lookup_nodev as not used
| * a433b85d17 net: Remove unused inline function dst_hold_and_use()
| * fbc0209ae3 neighbour: Remove unused inline function neigh_key_eq16()
| * bc1ea55bf1 afs: Fix vlserver probe RTT handling
| * 98acd5f0ce selftests/ptp: Fix timestamp printf format for PTP_SYS_OFFSET
| * 1140f8bc29 net: tipc: resize nlattr array to correct size
| * b83f86ba41 net: lapbether: only support ethernet devices
| * ec694ad393 net/sched: cls_api: Fix lockup on flushing explicitly created chain
| * 0456f470fa drm/nouveau: add nv_encoder pointer check for NULL
| * b1d76d16af drm/nouveau/kms: Don't change EDID when it hasn't actually changed
| * f654b8a132 drm/nouveau/dp: check for NULL nv_connector->native_mode
| * 2ac7be7718 igb: fix nvm.ops.read() error handling
| * 44008337f8 sctp: fix an error code in sctp_sf_eat_auth()
| * edd3d3dc48 ipvlan: fix bound dev checking for IPv6 l3s mode
| * 6718478c18 IB/isert: Fix incorrect release of isert connection
| * f8a91a024a IB/isert: Fix possible list corruption in CMA handler
| * 8a867ab713 IB/isert: Fix dead lock in ib_isert
| * 22125be516 IB/uverbs: Fix to consider event queue closing also upon non-blocking mode
| * ea4cf04d3f iavf: remove mask from iavf_irq_enable_queues()
| * 19a500f530 RDMA/rxe: Fix the use-before-initialization error of resp_pkts
| * 42ab735345 RDMA/rxe: Removed unused name from rxe_task struct
| * f99b6de58b RDMA/rxe: Remove the unused variable obj
| * 46305daf80 net/sched: cls_u32: Fix reference counter leak leading to overflow
| * 88d6c1958b ping6: Fix send to link-local addresses with VRF.
| * 474e0adf29 netfilter: nfnetlink: skip error delivery on batch in case of ENOMEM
| * 67cafcd3e6 spi: fsl-dspi: avoid SCK glitches with continuous transfers
| * 8231594e21 spi: spi-fsl-dspi: Remove unused chip->void_write_data
| * 9d8b388a24 usb: dwc3: gadget: Reset num TRBs before giving back the request
| * 94e52fac15 serial: lantiq: add missing interrupt ack
| * b577b74f8f USB: serial: option: add Quectel EM061KGL series
| * 6b1203ae83 Remove DECnet support from kernel
| * aad6addc17 ALSA: hda/realtek: Add a quirk for Compaq N14JP6
| * def7e17c98 net: usb: qmi_wwan: add support for Compal RXM-G1
| * 74bd537373 RDMA/uverbs: Restrict usage of privileged QKEYs
| * a8997ffad3 nouveau: fix client work fence deletion race
| * 01fd784b07 powerpc/purgatory: remove PGO flags
| * b16bf76b38 kexec: support purgatories with .text.hot sections
| * b27a5fbe3c nilfs2: fix possible out-of-bounds segment allocation in resize ioctl
| * 0dd2d8331e nilfs2: fix incomplete buffer cleanup in nilfs_btnode_abort_change_key()
| * e1fb47f139 nios2: dts: Fix tse_mac "max-frame-size" property
| * 5e531f448e ocfs2: check new file size on fallocate call
| * f6878da39f ocfs2: fix use-after-free when unmounting read-only filesystem
| * 82173fde61 drm:amd:amdgpu: Fix missing buffer object unlock in failure path
| * 63afd76621 xen/blkfront: Only check REQ_FUA for writes
| * 27447dada0 mips: Move initrd_start check after initrd address sanitisation.
| * a365600bba MIPS: Alchemy: fix dbdma2
| * 6b39b06b8d parisc: Flush gatt writes and adjust gatt mask in parisc_agp_mask_memory()
| * de873bce06 parisc: Improve cache flushing for PCXL in arch_sync_dma_for_cpu()
| * 28850d25a6 btrfs: handle memory allocation failure in btrfs_csum_one_bio
| * b31586747b power: supply: Fix logic checking if system is running from battery
| * dd8804117d irqchip/meson-gpio: Mark OF related data as maybe unused
| * 30ade27dbe regulator: Fix error checking for debugfs_create_dir
| * a12155f0b1 platform/x86: asus-wmi: Ignore WMI events with codes 0x7B, 0xC0
| * d26edc403c power: supply: Ratelimit no data debug output
| * af44b2ddfc ARM: dts: vexpress: add missing cache properties
| * bd725832eb power: supply: bq27xxx: Use mod_delayed_work() instead of cancel() + schedule()
| * 82bfd14f13 power: supply: sc27xx: Fix external_power_changed race
| * 66d5882dcc power: supply: ab8500: Fix external_power_changed race
| * a8f286bfbc s390/dasd: Use correct lock while counting channel queue length
| * d60be47f43 dasd: refactor dasd_ioctl_information
| * 7f3bb75a04 KEYS: asymmetric: Copy sig and digest in public_key_verify_signature()
| * 75d9e00f65 test_firmware: fix a memory leak with reqs buffer
* | 3032bd084a Revert "neighbour: Replace zero-length array with flexible-array member"
* | 6635f9a873 Revert "neighbour: fix unaligned access to pneigh_entry"
* | 477bb53b3a Merge 5.4.247 into android11-5.4-lts
|\|
| * 61a2f83e47 Linux 5.4.247
| * 4b0199bc81 Revert "staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE"
| * 85258ae307 mtd: spinand: macronix: Add support for MX35LFxGE4AD
| * 8e54667403 btrfs: unset reloc control if transaction commit fails in prepare_to_relocate()
| * 4223d91ca1 btrfs: check return value of btrfs_commit_transaction in relocation
| * a35d89d360 rbd: get snapshot context after exclusive lock is ensured to be held
| * 52a40eaa55 drm/atomic: Don't pollute crtc_state->mode_blob with error pointers
| * 2cc5d40e4d cifs: handle empty list of targets in cifs_reconnect()
| * 307ffb7162 cifs: get rid of unused parameter in reconn_setup_dfs_targets()
| * 73ed7996bb ext4: only check dquot_initialize_needed() when debugging
| * 7d0a29c74a eeprom: at24: also select REGMAP
| * 0360652bf6 i2c: sprd: Delete i2c adapter in .remove's error path
| * c73f1c2f68 bonding (gcc13): synchronize bond_{a,t}lb_xmit() types
| * ec94689803 usb: usbfs: Use consistent mmap functions
| * 0147952d15 usb: usbfs: Enforce page requirements for mmap
| * 090878903d pinctrl: meson-axg: add missing GPIOA_18 gpio group
| * c6e8425550 rbd: move RBD_OBJ_FLAG_COPYUP_ENABLED flag setting
| * 69653f9416 Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk
| * 953335a377 ceph: fix use-after-free bug for inodes when flushing capsnaps
| * 2416bac0e7 can: j1939: avoid possible use-after-free when j1939_can_rx_register fails
| * bf0245bd44 can: j1939: change j1939_netdev_lock type to mutex
| * 9eed68d62e can: j1939: j1939_sk_send_loop_abort(): improved error queue handling in J1939 Socket
| * 2fc62d51d3 drm/amdgpu: fix xclk freq on CHIP_STONEY
| * e752bb1c03 ALSA: hda/realtek: Add Lenovo P3 Tower platform
| * ca599db7a5 ALSA: hda/realtek: Add a quirk for HP Slim Desktop S01
| * d5ca4799e6 Input: psmouse - fix OOB access in Elantech protocol
| * 282a96e3f8 Input: xpad - delete a Razer DeathAdder mouse VID/PID entry
| * a3a99a069e batman-adv: Broken sync while rescheduling delayed work
| * df7044fc09 bnxt_en: Query default VLAN before VNIC setup on a VF
| * a6ca812973 lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release()
| * 198da74a4e net: sched: fix possible refcount leak in tc_chain_tmplt_add()
| * 8f7cbd6d5e net: sched: move rtm_tca_policy declaration to include file
| * b8b90f9244 rfs: annotate lockless accesses to RFS sock flow table
| * 28ac3cf2ac rfs: annotate lockless accesses to sk->sk_rxhash
| * a4c72805fd netfilter: ipset: Add schedule point in call_ad().
| * 0b705ed9d4 netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper
| * c2c6133eeb Bluetooth: L2CAP: Add missing checks for invalid DCID
| * 0f841f8039 Bluetooth: Fix l2cap_disconnect_req deadlock
| * b0b1b97702 net: dsa: lan9303: allow vid != 0 in port_fdb_{add|del} methods
| * 7e0da73ce5 neighbour: fix unaligned access to pneigh_entry
| * 314713ff4c neighbour: Replace zero-length array with flexible-array member
| * e96f52705a spi: qup: Request DMA before enabling clocks
| * 1cc6435cd7 i40e: fix build warnings in i40e_alloc.h
| * fc75b8973d i40iw: fix build warning in i40iw_manage_apbvt()
| * c425e71826 block/blk-iocost (gcc13): keep large values in a new enum
| * ec97af8e8a blk-iocost: avoid 64-bit division in ioc_timer_fn
* | de0a430e6c Revert "tcp: deny tcp_disconnect() when threads are waiting"
* | 6d6982b563 Merge 5.4.246 into android11-5.4-lts
|\|
| * f568a20f05 Linux 5.4.246
| * 6c0fc4725f drm/edid: fix objtool warning in drm_cvt_modes()
| * 914bf541c3 wifi: rtlwifi: 8192de: correct checking of IQK reload
| * 58bc9baaef drm/edid: Fix uninitialized variable in drm_cvt_modes()
| * 77e442733f RDMA/bnxt_re: Remove the qp from list only if the qp destroy succeeds
| * a616aa258e RDMA/bnxt_re: Remove set but not used variable 'dev_attr'
| * 4ffad598bf scsi: dpt_i2o: Do not process completions with invalid addresses
| * e2897f133a scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD)
| * 56a4a9dc5e regmap: Account for register length when chunking
| * 94f3bc7e84 test_firmware: fix the memory leak of the allocated firmware buffer
| * fb7dce686f fbcon: Fix null-ptr-deref in soft_cursor
| * 5ea6122caf ext4: add lockdep annotations for i_data_sem for ea_inode's
| * b06346ef57 ext4: disallow ea_inodes with extended attributes
| * ec2a04f8fc ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find()
| * 2e636c0c93 ext4: add EA_INODE checking to ext4_iget()
| * d9de088797 tracing/probe: trace_probe_primary_from_call(): checked list_first_entry
| * 7df474125c selinux: don't use make's grouped targets feature yet
| * b18bc3c9c2 tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of UARTCTRL_SBK
| * ae7fb0c8bf mmc: vub300: fix invalid response handling
| * 9d8f5797d7 wifi: rtlwifi: remove always-true condition pointed out by GCC 12
| * 843f517667 lib/dynamic_debug.c: use address-of operator on section symbols
| * 0638dcc7e7 treewide: Remove uninitialized_var() usage
| * 1eb88dccb8 kernel/extable.c: use address-of operator on section symbols
| * d069c7ce39 eth: sun: cassini: remove dead code
| * d04adc383f gcc-12: disable '-Wdangling-pointer' warning for now
| * 253d702325 ACPI: thermal: drop an always true check
| * a010f8e646 x86/boot: Wrap literal addresses in absolute_pointer()
| * f0bb513555 flow_dissector: work around stack frame size warning
| * cd943425c6 ata: libata-scsi: Use correct device no in ata_find_dev()
| * 76c67ff783 scsi: stex: Fix gcc 13 warnings
| * cd91ead608 misc: fastrpc: reject new invocations during device removal
| * bf1d0b84df misc: fastrpc: return -EPIPE to invocations on device removal
| * d5f1838815 usb: gadget: f_fs: Add unbind event before functionfs_unbind
| * ac388cbbd9 net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818
| * e101e8160c iio: dac: build ad5758 driver when AD5758 is selected
| * a87236446a iio: dac: mcp4725: Fix i2c_master_send() return value handling
| * c3b25245e3 iio: light: vcnl4035: fixed chip ID check
| * 711049e31e HID: wacom: avoid integer overflow in wacom_intuos_inout()
| * 4251ff7fd4 HID: google: add jewel USB id
| * f3b4e2a636 iio: adc: mxs-lradc: fix the order of two cleanup operations
| * 030ca3f7b0 mailbox: mailbox-test: fix a locking issue in mbox_test_message_write()
| * 11b0844120 atm: hide unused procfs functions
| * cea581b385 ALSA: oss: avoid missing-prototype warnings
| * 384fd08858 netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with CONFIG_NF_NAT
| * f7e62f1b72 wifi: b43: fix incorrect __packed annotation
| * 8a90351102 scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed
| * f1e6a10971 arm64/mm: mark private VM_FAULT_X defines as vm_fault_t
| * c87334f4e7 ARM: dts: stm32: add pin map for CAN controller on stm32f7
| * a39f24357f wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value
| * 353fd22693 media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221
| * 66a6d704c2 media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()
| * ed47886a73 media: dvb-core: Fix use-after-free due on race condition at dvb_net
| * e9033a425a media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table
| * 08b20cb8e5 media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
| * 46e8b0fe53 media: dvb_ca_en50221: fix a size write bug
| * b66849f354 media: netup_unidvb: fix irq init by register it at the end of probe
| * 88aef84eef media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address
| * 6b9a534ec5 media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer()
| * f3c8ed7366 media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer
| * 65033ab2f9 media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer()
| * 37e36b4261 media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer()
| * 64f1b8296b media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()
| * d16f5dc3aa media: dvb_demux: fix a bug for the continuity counter
| * a7c87057f2 ASoC: ssm2602: Add workaround for playback distortions
| * 619f008df1 xfrm: Check if_id in inbound policy/secpath match
| * 21ca817046 ASoC: dwc: limit the number of overrun messages
| * acd5f476c1 nbd: Fix debugfs_create_dir error checking
| * 19ce1e1f34 fbdev: stifb: Fix info entry in sti_struct on error path
| * aa32f2fadb fbdev: modedb: Add 1920x1080 at 60 Hz video mode
| * 199f9c5430 media: rcar-vin: Select correct interrupt mode for V4L2_FIELD_ALTERNATE
| * b950966b44 ARM: 9295/1: unwind:fix unwind abort for uleb128 case
| * a823d8e0bb mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()
| * 29bfbc8a63 watchdog: menz069_wdt: fix watchdog initialisation
| * 0018639be2 mtd: rawnand: marvell: don't set the NAND frequency select
| * 5f0043efdc mtd: rawnand: marvell: ensure timing values are written
| * 6c0aacf1b4 net: dsa: mv88e6xxx: Increase wait after reset deactivation
| * 94a00f1142 net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
| * dd4b5a204d udp6: Fix race condition in udp6_sendmsg & connect
| * cd4a37f0dc net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report
| * cec562fbf8 ocfs2/dlm: move BITS_TO_BYTES() to bitops.h for wider use
| * 9e6bb63e5e net: sched: fix NULL pointer dereference in mq_attach
| * 2188c0f095 net/sched: Prohibit regrafting ingress or clsact Qdiscs
| * 80b20d528a net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs
| * 321f383755 net/sched: sch_clsact: Only create under TC_H_CLSACT
| * 5f67d33c01 net/sched: sch_ingress: Only create under TC_H_INGRESS
| * 381a703220 tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss set
| * 32e9a9ee28 tcp: deny tcp_disconnect() when threads are waiting
| * 26e830858a af_packet: do not use READ_ONCE() in packet_bind()
| * 43f1402dc2 mtd: rawnand: ingenic: fix empty stub helper definitions
| * dd3773e8c8 amd-xgbe: fix the false linkup in xgbe_phy_status
| * 603eec060d af_packet: Fix data-races of pkt_sk(sk)->num.
| * bab2f42d8d netrom: fix info-leak in nr_write_internal()
| * d7aeb591b1 net/mlx5: fw_tracer, Fix event handling
| * c7ac3ebf41 dmaengine: pl330: rename _start to prevent build error
| * 17d70de572 iommu/amd: Don't block updates to GATag if guest mode is on
| * fa961ad9ef iommu/rockchip: Fix unwind goto issue
| * 5abb81b4d7 RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx
| * 2bafc7f22d RDMA/bnxt_re: Refactor queue pair creation code
| * 56446791bc RDMA/bnxt_re: Enable SRIOV VF support on Broadcom's 57500 adapter series
| * cc5a673d85 RDMA/efa: Fix unsupported page sizes in device
* | acebb4758a Merge 5.4.245 into android11-5.4-lts
|\|
| * cf0b1e5482 Linux 5.4.245
| * ec14c6e0a2 netfilter: ctnetlink: Support offloaded conntrack entry deletion
| * 5b7d4d91c0 ipv{4,6}/raw: fix output xfrm lookup wrt protocol
| * 6c88024cab binder: fix UAF caused by faulty buffer cleanup
| * e6183912ee bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
| * 9ba28194ea io_uring: have io_kill_timeout() honor the request references
| * 6de3014d4b io_uring: don't drop completion lock before timer is fully initialized
| * b0bfceaa8c io_uring: always grab lock in io_cancel_async_work()
| * 00395fd7f9 cdc_ncm: Fix the build warning
| * 672e59995e net/mlx5: Devcom, serialize devcom registration
| * f42feb29ba net/mlx5: devcom only supports 2 ports
| * 67637a7ee6 fs: fix undefined behavior in bit shift for SB_NOUSER
| * 02281c23d0 power: supply: bq24190: Call power_supply_changed() after updating input current
| * f6518954c1 power: supply: core: Refactor power_supply_set_input_current_limit_from_supplier()
| * db00ef8fd6 power: supply: bq27xxx: After charger plug in/out wait 0.5s for things to stabilize
| * ff484163df net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
| * a270ca35a9 cdc_ncm: Implement the 32-bit version of NCM Transfer Block
* | b5d7df0c66 Revert "firmware: arm_sdei: Fix sleep from invalid context BUG"
* | fb4bb5a5f3 Merge 5.4.244 into android11-5.4-lts
|\|
| * 51d0ac4577 Linux 5.4.244
| * edec0d3999 3c589_cs: Fix an error handling path in tc589_probe()
| * 3dfc1004d9 net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device
| * c59106f8bc net/mlx5: Fix error message when failing to allocate device memory
| * 8680d838c9 forcedeth: Fix an error handling path in nv_probe()
| * b8db4a4e20 ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg
| * 0099a29bc5 x86/show_trace_log_lvl: Ensure stack pointer is aligned, again
| * c60f38c9bd xen/pvcalls-back: fix double frees with pvcalls_new_active_socket()
| * 9b13972e4f coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet()
| * f6b610730e power: supply: sbs-charger: Fix INHIBITED bit for Status reg
| * 0c5f4cec75 power: supply: bq27xxx: Fix poll_interval handling and races on remove
| * dafe9136be power: supply: bq27xxx: Fix I2C IRQ race on remove
| * 7b3b119649 power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition
| * 96bfafbc7d power: supply: leds: Fix blink to LED on transition
| * 011f47c8b8 ipv6: Fix out-of-bounds access in ipv6_find_tlv()
| * 120cdad8b2 bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields
| * 9928ce5225 selftests: fib_tests: mute cleanup error message
| * 58766252f6 net: fix skb leak in __skb_tstamp_tx()
| * 2b580d0f03 media: radio-shark: Add endpoint checks
| * a730feb672 USB: sisusbvga: Add endpoint checks
| * 80100e0863 USB: core: Add routines for endpoint checks in old drivers
| * 7e3ae83371 udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().
| * 9ea0c5f90a net: fix stack overflow when LRO is disabled for virtual interfaces
| * 1522dc58bf fbdev: udlfb: Fix endpoint check
| * be646802b3 debugobjects: Don't wake up kswapd from fill_pool()
| * 4e5a7181a6 x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms
| * 6d091e0ddc parisc: Fix flush_dcache_page() for usage from irq context
| * b556618bac selftests/memfd: Fix unknown type name build failure
| * 04aee084a3 x86/mm: Avoid incomplete Global INVLPG flushes
| * a9f5423460 btrfs: use nofs when cleaning up aborted transactions
| * 4f92934d80 gpio: mockup: Fix mode of debugfs files
| * da8adda579 parisc: Allow to reboot machine after system halt
| * 43ffe982a3 parisc: Handle kgdb breakpoints only in kernel context
| * f7d19a366c m68k: Move signal frame following exception on 68020/030
| * 8facb9cc16 ALSA: hda/realtek: Enable headset onLenovo M70/M90
| * 5cc3e698c2 ALSA: hda/ca0132: add quirk for EVGA X299 DARK
| * 68e4c39017 mt76: mt7615: Fix build with older compilers
| * b558275c1b spi: fsl-cpm: Use 16 bit mode for large transfers with even size
| * d64a45c019 spi: fsl-spi: Re-organise transfer bits_per_word adaptation
| * aabe8ca791 watchdog: sp5100_tco: Immediately trigger upon starting.
| * aeff9e7e87 s390/qdio: fix do_sqbs() inline assembly constraint
| * ab196fe70a s390/qdio: get rid of register asm
| * a4e3c4c65a vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
| * 74e644795d vc_screen: rewrite vcs_size to accept vc, not inode
| * e9399d4ea5 usb: gadget: u_ether: Fix host MAC address case
| * 939cafcdf7 usb: gadget: u_ether: Convert prints to device prints
| * c8489e0fab lib/string_helpers: Introduce string_upper() and string_lower() helpers
| * 7e15602c50 HID: wacom: add three styli to wacom_intuos_get_tool_type
| * 2a12339ce3 HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs
| * b5185f1b11 HID: wacom: Force pen out of prox if no events have been received in a while
| * e0c1b35239 netfilter: nf_tables: hold mutex on netns pre_exit path
| * 6236af6936 netfilter: nf_tables: validate NFTA_SET_ELEM_OBJREF based on NFT_SET_OBJECT flag
| * 05b4105e68 netfilter: nf_tables: stricter validation of element data
| * e832e4bae5 netfilter: nf_tables: allow up to 64 bytes in the set element data area
| * 28fe10236a netfilter: nf_tables: add nft_setelem_parse_key()
| * eb5b579bd6 netfilter: nf_tables: validate registers coming from userspace.
| * cfe1b9719c netfilter: nftables: statify nft_parse_register()
| * 7c788393d4 netfilter: nftables: add nft_parse_register_store() and use it
| * 25336cd96b netfilter: nftables: add nft_parse_register_load() and use it
| * 116d53f09f nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()
| * df89b1753e powerpc/64s/radix: Fix soft dirty tracking
| * 60b9a9c8f3 tpm/tpm_tis: Disable interrupts for more Lenovo devices
| * a33c172c1e ceph: force updating the msg pointer in non-split case
| * 6eb9ed0ab7 serial: Add support for Advantech PCI-1611U card
| * 21f107a959 statfs: enforce statfs[64] structure initialization
| * 1eb3e32de7 KVM: x86: do not report a vCPU as preempted outside instruction boundaries
| * a88638a954 can: kvaser_pciefd: Disable interrupts in probe error path
| * 4579e25567 can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt
| * 33d5a0a498 can: kvaser_pciefd: Clear listen-only bit if not explicitly requested
| * e5ac4f1207 can: kvaser_pciefd: Empty SRB buffer in probe
| * c0e9fb21b6 can: kvaser_pciefd: Call request_irq() before enabling interrupts
| * 36cd7601e6 can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop()
| * e658112893 can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag
| * 8804825251 ALSA: hda/realtek: Add quirk for 2nd ASUS GU603
| * 57fd0d122e ALSA: hda/realtek: Add a quirk for HP EliteDesk 805
| * 739056188a ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
| * 4ef155ddf9 ALSA: hda: Fix Oops by 9.1 surround channel names
| * 4f9c0a7c27 usb: typec: altmodes/displayport: fix pin_assignment_show
| * 33b6648d27 usb: dwc3: debugfs: Resume dwc3 before accessing registers
| * 241491524a USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value
| * 1f36dc4161 usb-storage: fix deadlock when a scsi command timeouts more than once
| * 7cef7681aa USB: usbtmc: Fix direction for 0-length ioctl control messages
| * f662f856ac vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
| * 53bf7cda16 igb: fix bit_shift to be in [1..8] range
| * e20105d967 cassini: Fix a memory leak in the error handling path of cas_init_one()
| * e519a404a5 wifi: iwlwifi: mvm: don't trust firmware n_channels
| * d0baaadd1c net: bcmgenet: Restore phy_stop() depending upon suspend/close
| * 2cca63d5bc net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()
| * 435855b083 net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
| * ed50fcab14 drm/exynos: fix g2d_open/close helper function definitions
| * 1550bcf298 media: netup_unidvb: fix use-after-free at del_timer()
| * 69055f9990 net: hns3: fix reset delay time to avoid configuration timeout
| * 304e5cb77e net: hns3: fix sending pfc frames after reset issue
| * d1bcc60687 erspan: get the proto with the md version for collect_md
| * f185ede016 ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode
| * 0eb3ec0a35 ip6_gre: Make o_seqno start from 0 in native mode
| * 3040962413 ip6_gre: Fix skb_under_panic in __gre6_xmit()
| * 7525aa2117 serial: arc_uart: fix of_iomap leak in `arc_serial_probe`
| * 5a90309002 vsock: avoid to close connected socket after the timeout
| * 5009aead17 ALSA: firewire-digi00x: prevent potential use after free
| * b22b514209 net: fec: Better handle pm_runtime_get() failing in .remove()
| * 033297ef3b af_key: Reject optional tunnel/BEET mode templates in outbound policies
| * 912a6cff0d cpupower: Make TSC read per CPU for Mperf monitor
| * 131eb9c9b1 ASoC: fsl_micfil: register platform component before registering cpu dai
| * a3714a47b4 btrfs: fix space cache inconsistency after error loading it from disk
| * 5968983037 btrfs: replace calls to btrfs_find_free_ino with btrfs_find_free_objectid
| * 1e453cb550 mfd: dln2: Fix memory leak in dln2_probe()
| * bdc33478d5 phy: st: miphy28lp: use _poll_timeout functions for waits
| * e6e917e82d Input: xpad - add constants for GIP interface numbers
| * 9fcef1e37d iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any
| * 4461f41ece clk: tegra20: fix gcc-7 constant overflow warning
| * c23e6383d7 RDMA/core: Fix multiple -Warray-bounds warnings
| * 3ed95a6f6c recordmcount: Fix memory leaks in the uwrite function
| * 38a118fd54 sched: Fix KCSAN noinstr violation
| * cbe3063a9b mcb-pci: Reallocate memory region to avoid memory overlapping
| * d5cd2928d3 serial: 8250: Reinit port->pm on port specific driver unbind
| * ccb12585a7 usb: typec: tcpm: fix multiple times discover svids error
| * c5405c7671 HID: wacom: generic: Set battery quirk only when we see battery data
| * d3f32dc2cc spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3
| * bf80dbd528 HID: logitech-hidpp: Reconcile USB and Unifying serials
| * e28f9de2d4 HID: logitech-hidpp: Don't use the USB serial for USB devices
| * 8a65476dd1 staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE
| * 2112c4c47d Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
| * fa57021262 wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
| * 0ad8dd870a wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf
| * f6f2d16c77 wifi: iwlwifi: pcie: fix possible NULL pointer dereference
| * a7ec2f424f samples/bpf: Fix fout leak in hbm's run_bpf_prog
| * 4ceedc2f8b f2fs: fix to drop all dirty pages during umount() if cp_error is set
| * 8659c5f4ff ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()
| * cee78217a7 ext4: set goal start correctly in ext4_mb_normalize_request
| * d43b1bdb10 gfs2: Fix inode height consistency check
| * 410e610a96 scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition
| * cc2d2b3dbf lib: cpu_rmap: Avoid use after free on rmap->obj array entries
| * 89f5055f9b scsi: target: iscsit: Free cmds before session free
| * 67236cf14d net: Catch invalid index in XPS mapping
| * 92af9cb86a net: pasemi: Fix return type of pasemi_mac_start_tx()
| * 644a9d5e22 scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
| * c4813f858e ext2: Check block size validity during mount
| * 56c7e9c39b wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex
| * c409eb45f5 ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects
| * 710e09fd11 ACPICA: Avoid undefined behavior: applying zero offset to null pointer
| * 99c8f2e6f3 drm/tegra: Avoid potential 32-bit integer overflow
| * ccae2233e9 ACPI: EC: Fix oops when removing custom query handlers
| * 48ac727ea4 firmware: arm_sdei: Fix sleep from invalid context BUG
| * a2a5d3a584 memstick: r592: Fix UAF bug in r592_remove due to race condition
| * d73e8c4767 regmap: cache: Return error in cache sync operations for REGCACHE_NONE
| * 9b72cb394f drm/amd/display: Use DC_LOG_DC in the trasform pixel function
| * a75d9211a0 fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
| * 196528ad48 af_unix: Fix data races around sk->sk_shutdown.
| * 7d17bc2d4e af_unix: Fix a data race of sk->sk_receive_queue->qlen.
| * 699c9e7c9f net: datagram: fix data-races in datagram_poll()
| * 1aa872e967 ipvlan:Fix out-of-bounds caused by unclear skb->cb
| * 4188c52694 net: add vlan_get_protocol_and_depth() helper
| * 57a269d82f net: tap: check vlan with eth_type_vlan() method
| * 1747aa98ab net: annotate sk->sk_err write from do_recvmmsg()
| * a507022c86 netlink: annotate accesses to nlk->cb_running
| * b47aae7038 netfilter: conntrack: fix possible bug_on with enable_hooks=1
| * d7343f8de0 net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs().
| * 42e1dafa65 linux/dim: Do nothing if no time delta between samples
| * 7460ac5a66 ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings
| * 22b8ac608a drm/mipi-dsi: Set the fwnode for mipi_dsi_device
| * d4992b2b5c driver core: add a helper to setup both the of_node and fwnode of a device
* | 4c85910ff8 Revert "PM: domains: Fix up terminology with parent/child"
* | cba632cb06 Revert "PM: domains: Restore comment indentation for generic_pm_domain.child_links"
* | 92cfb88602 Revert "scripts/gdb: bail early if there are no generic PD"
* | 2bd517d6bc Revert "uapi/linux/const.h: prefer ISO-friendly __typeof__"
* | 673a774ad6 Revert "netfilter: nf_tables: don't write table validation state without mutex"
* | 88ac2d9193 Merge 5.4.243 into android11-5.4-lts
|\|
| * f53660ec66 Linux 5.4.243
| * d60f15682a drm/amd/display: Fix hang when skipping modeset
| * 93ca0d7b88 mm/page_alloc: fix potential deadlock on zonelist_update_seq seqlock
| * 3f231e30cd drm/exynos: move to use request_irq by IRQF_NO_AUTOEN flag
| * 65a8b6d129 drm/msm/adreno: Fix null ptr access in adreno_gpu_cleanup()
| * 62ac943eb2 firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()
| * a781ea3437 drm/msm: Fix double pm_runtime_disable() call
| * e4e88f74eb PM: domains: Restore comment indentation for generic_pm_domain.child_links
| * ddcca7299d printk: declare printk_deferred_{enter,safe}() in include/linux/printk.h
| * c2c3ffc798 PCI: pciehp: Fix AB-BA deadlock between reset_lock and device_lock
| * 6a24285f64 PCI: pciehp: Use down_read/write_nested(reset_lock) to fix lockdep errors
| * dde34ef0bc drbd: correctly submit flush bio on barrier
| * 373720b928 serial: 8250: Fix serial8250_tx_empty() race with DMA Tx
| * f2a1071100 tty: Prevent writing chars during tcsetattr TCSADRAIN/FLUSH
| * ba04d6af5a ext4: fix invalid free tracking in ext4_xattr_move_to_block()
| * 185062a219 ext4: remove a BUG_ON in ext4_mb_release_group_pa()
| * d7ff83a71d ext4: bail out of ext4_xattr_ibody_get() fails for any reason
| * 486efbbc94 ext4: add bounds checking in get_max_inline_xattr_value_size()
| * b4fa4768c9 ext4: fix deadlock when converting an inline directory in nojournal mode
| * 2dda202906 ext4: improve error recovery code paths in __ext4_remount()
| * 525c802de3 ext4: fix data races when using cached status extents
| * 4f4fd982d9 ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum
| * 1b90fbc759 ext4: fix WARNING in mb_find_extent
| * f9e27d4bdb HID: wacom: insert timestamp to packed Bluetooth (BT) events
| * d8b609e662 HID: wacom: Set a default resolution for older tablets
| * 3decf3a750 drm/amdgpu: disable sdma ecc irq only when sdma RAS is enabled in suspend
| * 625d4112ea drm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx ras
| * b1fabc3794 drm/amdgpu: fix an amdgpu_irq_put() issue in gmc_v9_0_hw_fini()
| * c6bb596624 drm/panel: otm8009a: Set backlight parent to panel device
| * 3e77036246 f2fs: fix potential corruption when moving a directory
| * dafc5a5c8f ARM: dts: s5pv210: correct MIPI CSIS clock name
| * ad751b896e ARM: dts: exynos: fix WM8960 clock name in Itop Elite
| * 8234964707 remoteproc: st: Call of_node_put() on iteration error
| * a1366ecb09 remoteproc: stm32: Call of_node_put() on iteration error
| * f16bc5111c sh: nmi_debug: fix return value of __setup handler
| * c9871a47f4 sh: init: use OF_EARLY_FLATTREE for early init
| * 111b08116d sh: math-emu: fix macro redefined warning
| * 8fb33166ae inotify: Avoid reporting event with invalid wd
| * 0ccea97abe platform/x86: touchscreen_dmi: Add info for the Dexp Ursus KX210i
| * 871641c7eb cifs: fix pcchunk length type in smb2_copychunk_range
| * 3e2b4bceaa btrfs: print-tree: parent bytenr must be aligned to sector size
| * 1e05bf5e80 btrfs: don't free qgroup space unless specified
| * b232f5e8cf btrfs: fix btrfs_prev_leaf() to not return the same key twice
| * 96f71f669b perf symbols: Fix return incorrect build_id size in elf_read_build_id()
| * 78190a6ebe perf map: Delete two variable initialisations before null pointer checks in sort__sym_from_cmp()
| * ffec80cc67 perf vendor events power9: Remove UTF-8 characters from JSON files
| * 62f1ebfe9a virtio_net: suppress cpu stall when free_unused_bufs
| * 1dc5faf30a virtio_net: split free_unused_bufs()
| * b15637e717 net: dsa: mt7530: fix corrupt frames using trgmii on 40 MHz XTAL MT7621
| * 544b0de2d7 ALSA: caiaq: input: Add error handling for unsupported input methods in `snd_usb_caiaq_input_init`
| * 35f2642f4a drm/amdgpu: add a missing lock for AMDGPU_SCHED
| * 5cfe3f910f af_packet: Don't send zero-byte data in packet_sendmsg_spkt().
| * fbcfa00386 ionic: remove noise from ethtool rxnfc error msg
| * 4a56f1f6fe rxrpc: Fix hard call timeout units
| * dfa36eb380 net/sched: act_mirred: Add carrier check
| * cc5ccfb7c0 writeback: fix call of incorrect macro
| * 9c1fcb97f9 net: dsa: mv88e6xxx: add mv88e6321 rsvd2cpu
| * e804124390 sit: update dev->needed_headroom in ipip6_tunnel_bind_dev()
| * cc5fe387c6 net/sched: cls_api: remove block_cb from driver_list before freeing
| * 8acd3a2887 net/ncsi: clear Tx enable mode when handling a Config required AEN
| * bc0905a765 relayfs: fix out-of-bounds access in relay_file_read
| * c038ae623a kernel/relay.c: fix read_pos error when multiple readers
| * 4f4de392f4 crypto: safexcel - Cleanup ring IRQ workqueues on load failure
| * b9878f485d crypto: inside-secure - irq balance
| * 439d3a7056 dm verity: fix error handling for check_at_most_once on FEC
| * 0156f7dbd8 dm verity: skip redundant verity_handle_err() on I/O errors
| * e4875d6e05 mailbox: zynqmp: Fix counts of child nodes
| * ff0d64f512 mailbox: zynq: Switch to flexible array to simplify code
| * 352b152905 tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem
| * 9b2ed14431 nohz: Add TICK_DEP_BIT_RCU
| * c8b6063f13 netfilter: nf_tables: deactivate anonymous set from preparation phase
| * 29fb2a1a5f debugobject: Ensure pool refill (again)
| * cef1b8a4df perf intel-pt: Fix CYC timestamps after standalone CBR
| * 5ead86d575 perf auxtrace: Fix address filter entire kernel size
| * 29a1ef57c3 dm ioctl: fix nested locking in table_clear() to remove deadlock concern
| * 337b7af273 dm flakey: fix a crash with invalid table line
| * 6d126899b0 dm integrity: call kmem_cache_destroy() in dm_integrity_init() error path
| * cbe0a7ec67 dm clone: call kmem_cache_destroy() in dm_clone_init() error path
| * d8f66a19f8 s390/dasd: fix hanging blockdevice after request requeue
| * 5492d40812 btrfs: scrub: reject unsupported scrub flags
| * 946e067b4c scripts/gdb: fix lx-timerlist for Python3
| * 7cf5ce2857 clk: rockchip: rk3399: allow clk_cifout to force clk_cifout_src to reparent
| * 4379d5ce92 wifi: rtl8xxxu: RTL8192EU always needs full init
| * ecdcefd312 mailbox: zynqmp: Fix typo in IPI documentation
| * 38afc633d3 mailbox: zynqmp: Fix IPI isr handling
| * 14964127be md/raid10: fix null-ptr-deref in raid10_sync_request
| * fe1cbbcb1a nilfs2: fix infinite loop in nilfs_mdt_get_block()
| * 4569a292a8 nilfs2: do not write dirty data after degenerating to read-only
| * fd37a5c699 parisc: Fix argument pointer in real64_call_asm()
| * 736aeb17b6 afs: Fix updating of i_size with dv jump from server
| * 27263ff397 dmaengine: at_xdmac: do not enable all cyclic channels
| * 8c821199bc dmaengine: dw-edma: Fix to enable to issue dma request on DMA processing
| * 24c9c4ad23 dmaengine: dw-edma: Fix to change for continuous transfer
| * 2e900f3631 phy: tegra: xusb: Add missing tegra_xusb_port_unregister for usb2_port and ulpi_port
| * 58e0264658 pwm: mtk-disp: Disable shadow registers before setting backlight values
| * 33f00f0a73 pwm: mtk-disp: Adjust the clocks to avoid them mismatch
| * e5e9e59c45 pwm: mtk-disp: Don't check the return code of pwmchip_remove()
| * 8e238e8882 dmaengine: mv_xor_v2: Fix an error code.
| * 026df12f3c leds: TI_LMU_COMMON: select REGMAP instead of depending on it
| * a34f6dcb78 ext4: fix use-after-free read in ext4_find_extent for bigalloc + inline
| * 6dfd85ada8 openrisc: Properly store r31 to pt_regs on unhandled exceptions
| * 2fd44d2bde clocksource/drivers/davinci: Fix memory leak in davinci_timer_register when init fails
| * f2aaf41988 clocksource: davinci: axe a pointless __GFP_NOFAIL
| * fc051820d6 clocksource/drivers/davinci: Avoid trailing '\n' hidden in pr_fmt()
| * 945e989862 RDMA/mlx5: Use correct device num_ports when modify DC
| * 9bf843683a SUNRPC: remove the maximum number of retries in call_bind_status
| * 1dfa3c9dd2 Input: raspberrypi-ts - fix refcount leak in rpi_ts_probe
| * ce6c42f0b6 input: raspberrypi-ts: Release firmware handle when not needed
| * de85be00a8 firmware: raspberrypi: Introduce devm_rpi_firmware_get()
| * d537afa08e firmware: raspberrypi: Keep count of all consumers
| * 919f470337 NFSv4.1: Always send a RECLAIM_COMPLETE after establishing lease
| * fe60c3af70 IB/hfi1: Fix SDMA mmu_rb_node not being evicted in LRU order
| * b4f12e2402 RDMA/siw: Remove namespace check from siw_netdev_event()
| * 795d11e8ff clk: add missing of_node_put() in "assigned-clocks" property parsing
| * 0c770f95a2 power: supply: generic-adc-battery: fix unit scaling
| * 31ca78dc1f rtc: meson-vrtc: Use ktime_get_real_ts64() to get the current time
| * 8feca62590 RDMA/mlx4: Prevent shift wrapping in set_user_sq_size()
| * 683cd87041 rtc: omap: include header for omap_rtc_power_off_program prototype
| * a48403e8c3 RDMA/rdmavt: Delete unnecessary NULL check
| * b24e0e4612 RDMA/siw: Fix potential page_array out of range access
| * 318bc22dec perf/core: Fix hardlockup failure caused by perf throttle
| * ff3edfb3c8 powerpc/rtas: use memmove for potentially overlapping buffer copy
| * 333a2a9846 macintosh: via-pmu-led: requires ATA to be set
| * e2dd8bbab7 powerpc/sysdev/tsi108: fix resource printk format warnings
| * 770d583cd5 powerpc/wii: fix resource printk format warnings
| * f60c8d7c16 powerpc/mpc512x: fix resource printk format warning
| * 97cd970f8a macintosh/windfarm_smu_sat: Add missing of_node_put()
| * 54dda73222 spmi: Add a check for remove callback when removing a SPMI driver
| * af9bfe1c0a staging: rtl8192e: Fix W_DISABLE# does not work after stop/start
| * 572d48361a serial: 8250: Add missing wakeup event reporting
| * 488baa8038 tty: serial: fsl_lpuart: adjust buffer length to the intended size
| * 8fa80b452b firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe
| * 26ca30516b usb: mtu3: fix kernel panic at qmu transfer done irq handler
| * bd7a3e6416 usb: chipidea: fix missing goto in `ci_hdrc_probe`
| * f9e2abb6df sh: sq: Fix incorrect element size for allocating bitmap buffer
| * e1431faa89 uapi/linux/const.h: prefer ISO-friendly __typeof__
| * 6716203844 spi: cadence-quadspi: fix suspend-resume implementations
| * caaefbf823 mtd: spi-nor: cadence-quadspi: Handle probe deferral while requesting DMA channel
| * ee5ffe4cdf mtd: spi-nor: cadence-quadspi: Don't initialize rx_dma_complete on failure
| * 7c69aeca59 mtd: spi-nor: cadence-quadspi: Provide a way to disable DAC mode
| * df9708297b mtd: spi-nor: cadence-quadspi: Make driver independent of flash geometry
| * 30ac77e995 scripts/gdb: bail early if there are no generic PD
| * 35a2681e99 PM: domains: Fix up terminology with parent/child
| * 0fbc62db7e scripts/gdb: bail early if there are no clocks
| * 0988baae39 ia64: salinfo: placate defined-but-not-used warning
| * d6cb7b6868 ia64: mm/contig: fix section mismatch warning/error
| * d3c6d52148 of: Fix modalias string generation
| * ca0f4ad2b7 vmci_host: fix a race condition in vmci_host_poll() causing GPF
| * 170e223240 spi: fsl-spi: Fix CPM/QE mode Litte Endian
| * 8632384337 spi: qup: Don't skip cleanup in remove's error path
| * 814a9a6de1 linux/vt_buffer.h: allow either builtin or modular for macros
| * 3547e5bd0d ASoC: es8316: Handle optional IRQ assignment
| * 9650d5a1e7 ASoC: es8316: Use IRQF_NO_AUTOEN when requesting the IRQ
| * f5ce428e3e genirq: Add IRQF_NO_AUTOEN for request_irq/nmi()
| * 0f31993721 PCI: imx6: Install the fault handler only on compatible match
| * 0fee5030c0 usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition
| * 7d2bc728cc iio: light: max44009: add missing OF device matching
| * ee0e2f7af0 fpga: bridge: fix kernel-doc parameter description
| * 3fb02404c1 usb: host: xhci-rcar: remove leftover quirk handling
| * 36fb7843f1 pstore: Revert pmsg_lock back to a normal mutex
| * 602fa8af44 tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.
| * 638810f5d0 net: amd: Fix link leak when verifying config failed
| * 9ef809945e netlink: Use copy_to_user() for optval in netlink_getsockopt().
| * de0ffb5145 Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"
| * 27c468ec1a ipv4: Fix potential uninit variable access bug in __ip_make_skb()
| * 3b9960e21e netfilter: nf_tables: don't write table validation state without mutex
| * 64d2c1cfd0 bpf: Don't EFAULT for getsockopt with optval=NULL
| * 3bf918f90f ixgbe: Enable setting RSS table to default values
| * 053b36c50b ixgbe: Allow flow hash to be set via ethtool
| * ae23fc2b23 wifi: iwlwifi: mvm: check firmware response size
| * ffdfaf27eb wifi: iwlwifi: make the loop for card preparation effective
| * 3725b35fc0 md/raid10: fix memleak of md thread
| * fb3f2f2fa0 md: update the optimal I/O size on reshape
| * b6460f68c1 md/raid10: fix memleak for 'conf->bio_split'
| * 8c5d5d7ffd md/raid10: fix leak of 'r10bio->remaining' for recovery
| * 1fee7e391d bpf, sockmap: Revert buggy deadlock fix in the sockhash and sockmap
| * d5fdcd2384 nvme-fcloop: fix "inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage"
| * b1e6b3fd11 nvme: fix async event trace event
| * eaaa0c6b05 nvme: handle the persistent internal error AER
| * c229821510 bpf, sockmap: fix deadlocks in the sockhash and sockmap
| * 74d90f92ea scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup()
| * 01993768b3 crypto: drbg - Only fail when jent is unavailable in FIPS mode
| * b21c7e28e8 crypto: drbg - make drbg_prepare_hrng() handle jent instantiation errors
| * 14efbe2499 bpftool: Fix bug for long instructions in program CFG dumps
| * 3e3533c56c wifi: rtlwifi: fix incorrect error codes in rtl_debugfs_set_write_reg()
| * 03109f1870 wifi: rtlwifi: fix incorrect error codes in rtl_debugfs_set_write_rfreg()
| * e163e64227 rtlwifi: Replace RT_TRACE with rtl_dbg
| * faec6b8654 rtlwifi: Start changing RT_TRACE into rtl_dbg
| * 7c5e804b6d f2fs: handle dqget error in f2fs_transfer_project_quota()
| * 7a2ae008a5 scsi: megaraid: Fix mega_cmd_done() CMDID_INT_CMDS
| * a4245323d2 scsi: target: iscsit: Fix TAS handling during conn cleanup
| * 8e402d5198 net/packet: convert po->auxdata to an atomic flag
| * f3ac72c7ab net/packet: convert po->origdev to an atomic flag
| * 4760229b82 net/packet: annotate accesses to po->xmit
| * 47464e0c65 vlan: partially enable SIOCSHWTSTAMP in container
| * 8f851a75bb scm: fix MSG_CTRUNC setting condition for SO_PASSSEC
| * 7160c6940a wifi: rtw88: mac: Return the original error from rtw_mac_power_switch()
| * 743ae09b28 wifi: rtw88: mac: Return the original error from rtw_pwr_seq_parser()
| * 72d5edceb2 tools: bpftool: Remove invalid \' json escape
| * 0d1792c983 wifi: ath6kl: reduce WARN to dev_dbg() in callback
| * 8d17563174 wifi: ath5k: fix an off by one check in ath5k_eeprom_read_freq_list()
| * d989931866 wifi: ath9k: hif_usb: fix memory leak of remain_skbs
| * 1286c4ce1f wifi: ath6kl: minor fix for allocation size
| * a3e7a3d472 tick/common: Align tick period with the HZ tick.
| * 04be737176 tick: Get rid of tick_period
| * 3df29117d8 tick/sched: Optimize tick_do_update_jiffies64() further
| * b6fe34d936 tick/sched: Reduce seqcount held scope in tick_do_update_jiffies64()
| * 746eac77e0 tick/sched: Use tick_next_period for lockless quick check
| * a23607579f timekeeping: Split jiffies seqlock
| * 22d7ec50ff debugobject: Prevent init race with static objects
| * a687da5004 arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step
| * 442470948c x86/ioapic: Don't return 0 from arch_dynirq_lower_bound()
| * 824683dbec regulator: stm32-pwr: fix of_iomap leak
| * 53adb408b1 media: rc: gpio-ir-recv: Fix support for wake-up
| * 9df630dafa media: rcar_fdp1: Fix refcount leak in probe and remove function
| * 6fd6e2f29c media: rcar_fdp1: Fix the correct variable assignments
| * 75b55a3cbb media: rcar_fdp1: Make use of the helper function devm_platform_ioremap_resource()
| * 03d2344592 media: rcar_fdp1: fix pm_runtime_get_sync() usage count
| * aebe8e43d8 media: rcar_fdp1: simplify error check logic at fdp_open()
| * a4b6ab360f media: saa7134: fix use after free bug in saa7134_finidev due to race condition
| * cd1583caed media: dm1105: Fix use after free bug in dm1105_remove due to race condition
| * 0c61a6897c x86/apic: Fix atomic update of offset in reserve_eilvt_offset()
| * 5224ea5751 regulator: core: Avoid lockdep reports when resolving supplies
| * 73b262115f regulator: core: Consistently set mutex_owner when using ww_mutex_lock_slow()
| * 9b53238b3b drm/lima/lima_drv: Add missing unwind goto in lima_pdev_probe()
| * 0a6d476d9c mmc: sdhci-of-esdhc: fix quirk to ignore command inhibit for data
| * f79421c360 drm/msm/adreno: drop bogus pm_runtime_set_active()
| * 438d00b18d drm/msm/adreno: Defer enabling runpm until hw_init()
| * 594726c938 drm/msm: fix unbalanced pm_runtime_enable in adreno_gpu_{init, cleanup}
| * 37c8085cf9 firmware: qcom_scm: Clear download bit during reboot
| * 620b983589 media: av7110: prevent underflow in write_ts_to_decoder()
| * 1205c52cf2 media: uapi: add MEDIA_BUS_FMT_METADATA_FIXED media bus format.
| * c6a315f0b1 media: bdisp: Add missing check for create_workqueue
| * 1a057b6895 ARM: dts: qcom: ipq8064: Fix the PCI I/O port range
| * 699bf5a793 ARM: dts: qcom: ipq8064: reduce pci IO size to 64K
| * 1d207fcdf6 ARM: dts: qcom: ipq4019: Fix the PCI I/O port range
| * e0162c9297 EDAC/skx: Fix overflows on the DRAM row address mapping arrays
| * acb6f45775 arm64: dts: renesas: r8a774c0: Remove bogus voltages from OPP table
| * 0524eb6882 arm64: dts: renesas: r8a77990: Remove bogus voltages from OPP table
| * a535b5d4a2 drm/probe-helper: Cancel previous job before starting new one
| * 4223f98d4d drm/vgem: add missing mutex_destroy
| * 8747cd580b drm/rockchip: Drop unbalanced obj unref
| * 9773c58594 erofs: fix potential overflow calculating xattr_isize
| * 880c79bdb0 erofs: stop parsing non-compact HEAD index if clusterofs is invalid
| * e998107daa tpm, tpm_tis: Do not skip reset of original interrupt vector
| * 1c131a32a9 selinux: ensure av_permissions.h is built when needed
| * 11458692eb selinux: fix Makefile dependencies of flask.h
| * 823f554747 ubifs: Free memory for tmpfile name
| * d3f1b113a5 ubi: Fix return value overwrite issue in try_write_vid_and_data()
| * 6f2eee5457 ubifs: Fix memleak when insert_old_idx() failed
| * 2c2a76b7c4 Revert "ubifs: dirty_cow_znode: Fix memleak in error handling path"
| * 5d1f14beab i2c: omap: Fix standard mode false ACK readings
| * d482617fa6 KVM: nVMX: Emulate NOPs in L2, and PAUSE if it's not intercepted
| * 67d33b8c56 reiserfs: Add security prefix to xattr name in reiserfs_security_write()
| * 2399b1fda0 ring-buffer: Sync IRQ works before buffer destruction
| * a7fa8c9dc8 pwm: meson: Fix g12a ao clk81 name
| * a3e0d3430f pwm: meson: Fix axg ao mux parents
| * 719459877d kheaders: Use array declaration instead of char
| * 4ec3be7003 ipmi: fix SSIF not responding under certain cond.
| * bead854bcc ipmi:ssif: Add send_retries increment
| * 0f91290774 MIPS: fw: Allow firmware to pass a empty env
| * 3092933b26 xhci: fix debugfs register accesses while suspended
| * 3c5a28658d debugfs: regset32: Add Runtime PM support
| * 2298b30010 staging: iio: resolver: ads1210: fix config mode
| * fbd11f086b perf sched: Cast PTHREAD_STACK_MIN to int as it may turn into sysconf(__SC_THREAD_STACK_MIN_VALUE)
| * 6525d2fd6f USB: dwc3: fix runtime pm imbalance on unbind
| * 2d5844aa6e USB: dwc3: fix runtime pm imbalance on probe errors
| * 0804f3715c asm-generic/io.h: suppress endianness warnings for readq() and writeq()
| * 944ff47a19 ASoC: Intel: bytcr_rt5640: Add quirk for the Acer Iconia One 7 B1-750
| * f00e4bfd7f iio: adc: palmas_gpadc: fix NULL dereference on rmmod
| * 85ed09c330 USB: serial: option: add UNISOC vendor and TOZED LT70C product
| * 48cdcb40d5 bluetooth: Perform careful capability checks in hci_sock_ioctl()
| * c8258fc827 drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var
| * 425eea395f wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
| * 3b7509b6f5 counter: 104-quad-8: Fix race condition between FLAG and CNTR reads
* 05fe88d1c8 Merge "Merge tag 'android11-5.4.242_r00' into android11-5.4" into android11-5.4-lts

Change-Id: Ib877c272d1132e485256d651e8cd58b2e67a32c4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2023-07-10 16:06:40 +00:00
Zheng Wang
12d0946b1c UPSTREAM: usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition
[ Upstream commit 2b947f8769be8b8181dc795fd292d3e7120f5204 ]

In renesas_usb3_probe, role_work is bound with renesas_usb3_role_work.
renesas_usb3_start will be called to start the work.

If we remove the driver which will call usbhs_remove, there may be
an unfinished work. The possible sequence is as follows:

CPU0                  			CPU1

                    			 renesas_usb3_role_work
renesas_usb3_remove
usb_role_switch_unregister
device_unregister
kfree(sw)
//free usb3->role_sw
                    			 usb_role_switch_set_role
                    			 //use usb3->role_sw

The usb3->role_sw could be freed under such circumstance and then
used in usb_role_switch_set_role.

This bug was found by static analysis. And note that removing a
driver is a root-only operation, and should never happen in normal
case. But the root user may directly remove the device which
will also trigger the remove function.

Fix it by canceling the work before cleanup in the renesas_usb3_remove.

Bug: 289003615
Fixes: 39facfa01c ("usb: gadget: udc: renesas_usb3: Add register of usb role switch")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Link: https://lore.kernel.org/r/20230320062931.505170-1-zyytlz.wz@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit df2380520926bdbc264cffab0f45da9a21f304c8)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I79a1dbeba9a90ee5daf94648ef6a32207b283561
2023-07-10 13:23:08 +00:00
Lee Jones
58dbbc7e9e UPSTREAM: x86/mm: Avoid using set_pgd() outside of real PGD pages
commit d082d48737c75d2b3cc1f972b8c8674c25131534 upstream.

KPTI keeps around two PGDs: one for userspace and another for the
kernel. Among other things, set_pgd() contains infrastructure to
ensure that updates to the kernel PGD are reflected in the user PGD
as well.

One side-effect of this is that set_pgd() expects to be passed whole
pages.  Unfortunately, init_trampoline_kaslr() passes in a single entry:
'trampoline_pgd_entry'.

When KPTI is on, set_pgd() will update 'trampoline_pgd_entry' (an
8-Byte globally stored [.bss] variable) and will then proceed to
replicate that value into the non-existent neighboring user page
(located +4k away), leading to the corruption of other global [.bss]
stored variables.

Fix it by directly assigning 'trampoline_pgd_entry' and avoiding
set_pgd().

[ dhansen: tweak subject and changelog ]

Bug: 274115504
Fixes: 0925dda596 ("x86/mm/KASLR: Use only one PUD entry for real mode trampoline")
Suggested-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/all/20230614163859.924309-1-lee@kernel.org/g
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 364fdcbb035bb910e58a2814708de72481256466)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Idc1fc494d7ccb4a8a3765e1f46482583b528a584
2023-07-10 11:57:37 +00:00
Raihan Haider
1a7c68833d defconfig: sdxlemur: Realtek r8168 IOSS glue driver config
Realtek r8168 IOSS glue driver config set to m

Change-Id: I0a7ef825155f928212cc2979a73482874471004e
Signed-off-by: Raihan Haider <quic_rhaider@quicinc.com>
2023-07-07 03:14:58 -07:00
Sai Chaitanya Kaveti
0c5f471d1c msm: ep_pcie: Set clock power management bit for EP
According to PCIe spec, PCIE_CAP_CLOCK_POWER_MAN bit in
LINK_CAPABILITIES_REG register should be set for EP. But it is seen as
cleared after core reset. In the current driver this bit is being set
but it is not taking effect. Enabling CLK_PM_EN in PCIE_ELBI_SYS_CTRL
register, so that PCIE_CAP_CLOCK_POWER_MAN is set.

Change-Id: I16654d5a477fa8eeaad61d6ec1dd32757627e2f9
Signed-off-by: Sai Chaitanya Kaveti <quic_skaveti@quicinc.com>
2023-07-07 11:46:00 +05:30
Hangyu Hua
717aa7d60c UPSTREAM: net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
[ Upstream commit 4d56304e5827c8cc8cc18c75343d283af7c4825c ]

If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total
size is 252 bytes(key->enc_opts.len = 252) then
key->enc_opts.len = opt->length = data_len / 4 = 0 when the third
TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This
bypasses the next bounds check and results in an out-of-bounds.

Bug: 288660424
Fixes: 0a6e77784f ("net/sched: allow flower to match tunnel options")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 45f47d2cf1142fbfe5d6fc39ad78f4aac058907c)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I53c534b7d43f4c7da5a9f63556c79d35797aa598
2023-07-03 17:09:28 +01:00
Greg Kroah-Hartman
874e208e9b Merge branch 'android11-5.4' into android11-5.4-lts
Sync up with android11-5.4 for the following commits:

f95ca5bb23 UPSTREAM: ipvlan:Fix out-of-bounds caused by unclear skb->cb
6e030b7606 UPSTREAM: net/sched: cls_u32: Fix reference counter leak leading to overflow
9de197d0e5 UPSTREAM: memstick: r592: Fix UAF bug in r592_remove due to race condition
bf85112393 BACKPORT: btrfs: unset reloc control if transaction commit fails in prepare_to_relocate()
6165e57aa0 ANDROID: HID: Only utilise UHID provided exports if UHID is enabled
60c1a0beb5 UPSTREAM: bluetooth: Perform careful capability checks in hci_sock_ioctl()
e699d543bb ANDROID: HID; Over-ride default maximum buffer size when using UHID
8047bf5f22 Revert "ANDROID: AVB error handler to invalidate vbmeta partition."
6841a56b34 UPSTREAM: mailbox: mailbox-test: fix a locking issue in mbox_test_message_write()
229c9edd62 UPSTREAM: mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()
431c9e5d6d UPSTREAM: efi: rt-wrapper: Add missing include
0c867c1589 BACKPORT: arm64: efi: Execute runtime services from a dedicated stack
bffea4e72d UPSTREAM: io_uring: have io_kill_timeout() honor the request references
87ed28db7d UPSTREAM: io_uring: don't drop completion lock before timer is fully initialized
ce6a504d69 UPSTREAM: io_uring: always grab lock in io_cancel_async_work()
d4fabc5cbb UPSTREAM: net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
a9515e06cb UPSTREAM: cdc_ncm: Fix the build warning
e8448852f1 UPSTREAM: cdc_ncm: Implement the 32-bit version of NCM Transfer Block
25dcbf92d4 Merge "Merge tag 'android11-5.4.242_r00' into android11-5.4" into android11-5.4

Change-Id: I7042914bcf95863ba444f5f395faac36dedd6af4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2023-06-30 09:00:08 +00:00
t.feng
f95ca5bb23 UPSTREAM: ipvlan:Fix out-of-bounds caused by unclear skb->cb
[ Upstream commit 90cbed5247439a966b645b34eb0a2e037836ea8e ]

If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which
is actually skb->cb, and IPCB(skb_in)->opt will be used in
__ip_options_echo. It is possible that memcpy is out of bounds and lead
to stack overflow.
We should clear skb->cb before ip_local_out or ip6_local_out.

v2:
1. clean the stack info
2. use IPCB/IP6CB instead of skb->cb

crash on stable-5.10(reproduce in kasan kernel).
Stack info:
[ 2203.651571] BUG: KASAN: stack-out-of-bounds in
__ip_options_echo+0x589/0x800
[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task
swapper/3/0
[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted
5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1
[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014
[ 2203.655475] Call Trace:
[ 2203.655481]  <IRQ>
[ 2203.655501]  dump_stack+0x9c/0xd3
[ 2203.655514]  print_address_description.constprop.0+0x19/0x170
[ 2203.655530]  __kasan_report.cold+0x6c/0x84
[ 2203.655586]  kasan_report+0x3a/0x50
[ 2203.655594]  check_memory_region+0xfd/0x1f0
[ 2203.655601]  memcpy+0x39/0x60
[ 2203.655608]  __ip_options_echo+0x589/0x800
[ 2203.655654]  __icmp_send+0x59a/0x960
[ 2203.655755]  nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4]
[ 2203.655763]  reject_tg+0x77/0x1bf [ipt_REJECT]
[ 2203.655772]  ipt_do_table+0x691/0xa40 [ip_tables]
[ 2203.655821]  nf_hook_slow+0x69/0x100
[ 2203.655828]  __ip_local_out+0x21e/0x2b0
[ 2203.655857]  ip_local_out+0x28/0x90
[ 2203.655868]  ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan]
[ 2203.655931]  ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan]
[ 2203.655967]  ipvlan_queue_xmit+0xb3/0x190 [ipvlan]
[ 2203.655977]  ipvlan_start_xmit+0x2e/0xb0 [ipvlan]
[ 2203.655984]  xmit_one.constprop.0+0xe1/0x280
[ 2203.655992]  dev_hard_start_xmit+0x62/0x100
[ 2203.656000]  sch_direct_xmit+0x215/0x640
[ 2203.656028]  __qdisc_run+0x153/0x1f0
[ 2203.656069]  __dev_queue_xmit+0x77f/0x1030
[ 2203.656173]  ip_finish_output2+0x59b/0xc20
[ 2203.656244]  __ip_finish_output.part.0+0x318/0x3d0
[ 2203.656312]  ip_finish_output+0x168/0x190
[ 2203.656320]  ip_output+0x12d/0x220
[ 2203.656357]  __ip_queue_xmit+0x392/0x880
[ 2203.656380]  __tcp_transmit_skb+0x1088/0x11c0
[ 2203.656436]  __tcp_retransmit_skb+0x475/0xa30
[ 2203.656505]  tcp_retransmit_skb+0x2d/0x190
[ 2203.656512]  tcp_retransmit_timer+0x3af/0x9a0
[ 2203.656519]  tcp_write_timer_handler+0x3ba/0x510
[ 2203.656529]  tcp_write_timer+0x55/0x180
[ 2203.656542]  call_timer_fn+0x3f/0x1d0
[ 2203.656555]  expire_timers+0x160/0x200
[ 2203.656562]  run_timer_softirq+0x1f4/0x480
[ 2203.656606]  __do_softirq+0xfd/0x402
[ 2203.656613]  asm_call_irq_on_stack+0x12/0x20
[ 2203.656617]  </IRQ>
[ 2203.656623]  do_softirq_own_stack+0x37/0x50
[ 2203.656631]  irq_exit_rcu+0x134/0x1a0
[ 2203.656639]  sysvec_apic_timer_interrupt+0x36/0x80
[ 2203.656646]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 2203.656654] RIP: 0010:default_idle+0x13/0x20
[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc
cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb
f4 <c3> cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08
[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256
[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX:
ffffffffaf290191
[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI:
ffff88811a3c4f60
[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09:
ffff88811a3c4f63
[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12:
0000000000000003
[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15:
0000000000000000
[ 2203.656729]  default_idle_call+0x5a/0x150
[ 2203.656735]  cpuidle_idle_call+0x1c6/0x220
[ 2203.656780]  do_idle+0xab/0x100
[ 2203.656786]  cpu_startup_entry+0x19/0x20
[ 2203.656793]  secondary_startup_64_no_verify+0xc2/0xcb

[ 2203.657409] The buggy address belongs to the page:
[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0x11a388
[ 2203.658665] flags:
0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff)
[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208
0000000000000000
[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff
0000000000000000
[ 2203.658686] page dumped because: kasan: bad access detected

To reproduce(ipvlan with IPVLAN_MODE_L3):
Env setting:
=======================================================
modprobe ipvlan ipvlan_default_mode=1
sysctl net.ipv4.conf.eth0.forwarding=1
iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j
MASQUERADE
ip link add gw link eth0 type ipvlan
ip -4 addr add 20.0.0.254/24 dev gw
ip netns add net1
ip link add ipv1 link eth0 type ipvlan
ip link set ipv1 netns net1
ip netns exec net1 ip link set ipv1 up
ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1
ip netns exec net1 route add default gw 20.0.0.254
ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10%
ifconfig gw up
iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with
icmp-port-unreachable
=======================================================
And then execute the shell (curl any address that eth0 can reach):

for((i=1;i<=100000;i++))
do
        ip netns exec net1 curl x.x.x.x:8888
done
=======================================================

Bug: 289225588
Fixes: 2ad7bf3638 ("ipvlan: Initial check-in of the IPVLAN driver.")
Signed-off-by: "t.feng" <fengtao40@huawei.com>
Suggested-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 610a433810b277b3b77389733c07d22e8af68de2)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I08a12f6e3b1614210867cd23e9071918dc380faf
2023-06-28 17:43:14 +01:00
Greg Kroah-Hartman
c7f89f1b6b This is the 5.4.249 stable release

Merge 5.4.249 into android11-5.4-lts

Changes in 5.4.249
	nilfs2: reject devices with insufficient block count
	mm: rewrite wait_on_page_bit_common() logic
	list: add "list_del_init_careful()" to go with "list_empty_careful()"
	epoll: ep_autoremove_wake_function should use list_del_init_careful
	tracing: Add tracing_reset_all_online_cpus_unlocked() function
	x86/purgatory: remove PGO flags
	tick/common: Align tick period during sched_timer setup
	media: dvbdev: Fix memleak in dvb_register_device
	media: dvbdev: fix error logic at dvb_register_device()
	media: dvb-core: Fix use-after-free due to race at dvb_register_device()
	nilfs2: fix buffer corruption due to concurrent device reads
	Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs
	PCI: hv: Fix a race condition bug in hv_pci_query_relations()
	cgroup: Do not corrupt task iteration when rebinding subsystem
	mmc: meson-gx: remove redundant mmc_request_done() call from irq context
	ip_tunnels: allow VXLAN/GENEVE to inherit TOS/TTL from VLAN
	writeback: fix dereferencing NULL mapping->host on writeback_page_template
	nilfs2: prevent general protection fault in nilfs_clear_dirty_page()
	cifs: Clean up DFS referral cache
	cifs: Get rid of kstrdup_const()'d paths
	cifs: Introduce helpers for finding TCP connection
	cifs: Merge is_path_valid() into get_normalized_path()
	cifs: Fix potential deadlock when updating vol in cifs_reconnect()
	x86/mm: Avoid using set_pgd() outside of real PGD pages
	rcu: Upgrade rcu_swap_protected() to rcu_replace_pointer()
	ieee802154: hwsim: Fix possible memory leaks
	xfrm: Linearize the skb after offloading if needed.
	net: qca_spi: Avoid high load if QCA7000 is not available
	mmc: mtk-sd: fix deferred probing
	mmc: mvsdio: convert to devm_platform_ioremap_resource
	mmc: mvsdio: fix deferred probing
	mmc: omap: fix deferred probing
	mmc: omap_hsmmc: fix deferred probing
	mmc: sdhci-acpi: fix deferred probing
	mmc: sh_mmcif: fix deferred probing
	mmc: usdhi60rol0: fix deferred probing
	ipvs: align inner_mac_header for encapsulation
	net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 switch
	be2net: Extend xmit workaround to BE3 chip
	netfilter: nf_tables: disallow element updates of bound anonymous sets
	netfilter: nfnetlink_osf: fix module autoload
	Revert "net: phy: dp83867: perform soft reset and retain established link"
	sch_netem: acquire qdisc lock in netem_change()
	scsi: target: iscsi: Prevent login threads from racing between each other
	HID: wacom: Add error check to wacom_parse_and_register()
	arm64: Add missing Set/Way CMO encodings
	media: cec: core: don't set last_initiator if tx in progress
	nfcsim.c: Fix error checking for debugfs_create_dir
	usb: gadget: udc: fix NULL dereference in remove()
	s390/cio: unregister device when the only path is gone
	ASoC: nau8824: Add quirk to active-high jack-detect
	ARM: dts: Fix erroneous ADS touchscreen polarities
	drm/exynos: vidi: fix a wrong error return
	drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl
	drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
	x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys
	i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle
	mm: fix VM_BUG_ON(PageTail) and BUG_ON(PageWriteback)
	mm: make wait_on_page_writeback() wait for multiple pending writebacks
	xfs: verify buffer contents when we skip log replay
	Linux 5.4.249

Change-Id: I3f7cf3804fddac70b4c1accef1c7374b184b1ea3
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2023-06-28 09:54:38 +00:00