6725684c74
1035583 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Michael Bestas
|
6725684c74
|
Merge tag 'ASB-2024-12-05_12-5.10' of https://android.googlesource.com/kernel/common into android13-5.10-waipio
https://source.android.com/docs/security/bulletin/2024-12-01 * tag 'ASB-2024-12-05_12-5.10' of https://android.googlesource.com/kernel/common: (649 commits) ANDROID: ABI: update symbol list for honor ANDROID: fs: add vendor hook to collect IO statistics ANDROID: tools/objtool: Pass CFLAGS to libsubcmd build via EXTRA_CFLAGS UPSTREAM: HID: core: zero-initialize the report buffer ANDROID: libsubcmd: Hoist iterator variable declarations in parse_options_subcommand() ANDROID: mm: Fix SPF-aware fast-mremap UPSTREAM: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT UPSTREAM: f2fs: support SEEK_DATA and SEEK_HOLE for compression files Revert "genetlink: hold RCU in genlmsg_mcast()" ANDROID: add file for recording allowed ABI breaks ANDROID: GKI: update symbol list for honor ANDROID: Allow vendor modules perform more operations on memleak detect UPSTREAM: drm/omap: fix misleading indentation in pixinc() UPSTREAM: bitfield: build kunit tests without structleak plugin BACKPORT: FROMGIT: binder: add delivered_freeze to debugfs output BACKPORT: FROMGIT: binder: fix memleak of proc->delivered_freeze FROMGIT: binder: allow freeze notification for dead nodes FROMGIT: binder: fix BINDER_WORK_CLEAR_FREEZE_NOTIFICATION debug logs FROMGIT: binder: fix BINDER_WORK_FROZEN_BINDER debug logs BACKPORT: FROMGIT: binder: fix freeze UAF in binder_release_work() ... Conflicts: android/abi_gki_aarch64.xml net/qrtr/af_qrtr.c Change-Id: I4f416cf6c90e71fbdc0bea2c76a620842a2a2288 |
||
|
Michael Bestas
|
bcf90117d7
|
Merge tag 'KERNEL.PLATFORM.1.0.r1-18400-kernel.0' of https://git.codelinaro.org/clo/la/kernel/msm-5.10 into android13-5.10-waipio
"KERNEL.PLATFORM.1.0.r1-18400-kernel.0" * tag 'KERNEL.PLATFORM.1.0.r1-18400-kernel.0' of https://git.codelinaro.org/clo/la/kernel/msm-5.10: drivers: dcvs: llcc_miss: Remove Secure Device Check defconfig: Enable PM8008 module for neo LE arm64: config: Enable LLCC Miss and BUS Profile drivers: dcvs: llcc_miss: Add llcc miss stats driver interconnect: qcom: icc-rpmh: enable support for no secondary display clk: qcom: gcc-anorak: Add CLK_DONT_HOLD_STATE to usb2_clkref soc: qcom: smcinvoke: Add dependent modules for smcinvoke drivers: scm: Change order of dload legacy support check i2c: i2c-master-msm-geni: add null pointer check in event call back drivers: qseecom: Define .compat_ioctl based on CONFIG_COMPAT build.config: Move smcinvoke and qseecom to early init msm: kgsl: Fix gpu work period update for legacy path Merge remote-tracking branch into HEAD UPSTREAM: af_unix: Fix garbage collector racing against connect() ANDROID: irq: put irq_resolve_mapping under protection of __irq_enter_raw UPSTREAM: af_unix: Do not use atomic ops for unix_sk(sk)->inflight. ANDROID: ABI fixup for abi break in struct dst_ops BACKPORT: net: fix __dst_negative_advice() race power: reset: Disable support of dynamic download mode (ramdump) Conflicts: android/abi_gki_aarch64.xml Change-Id: Ibf2399d85835c5e2e28569a4df8c5fd4e7b3fb72 |
||
Rui Chen
|
7c627b9bc8 |
ANDROID: ABI: update symbol list for honor
Update symbol list for honor in android/abi_gki_aarch64_honor Bug: 380502059 Change-Id: I2b1a67fc7cb827c354894c117f74d35af3a2ce0c Signed-off-by: Rui Chen <chenrui9@honor.com> |
||
|
Rui Chen
|
5f45a7ef79 |
ANDROID: fs: add vendor hook to collect IO statistics
Add vendor hook to get metainfo of direct/buffered read and write. Determine hot files in each performance-sensitive user scenario. Bug: 380502059 Change-Id: Ie7604852df637d6664afd72e87bd6d4b14bbc2a2 Signed-off-by: Rui Chen <chenrui9@honor.com> |
||
Tao Wu
|
35fae48401 |
ANDROID: tools/objtool: Pass CFLAGS to libsubcmd build via EXTRA_CFLAGS
The upstream fix is too invasive to backport so we take a similar fix like http://aosp/2755768 Bug: 355379840 Change-Id: I50258052fbf0c4f8ace7007427037122b4fd02b0 Link: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=cd955bdd Signed-off-by: Tao Wu <lepton@google.com> (cherry picked from commit 42e503e28698187142397240819ca7f97b4374fc) |
||
Jiri Kosina
|
b6f4fd26d5 |
UPSTREAM: HID: core: zero-initialize the report buffer
[ Upstream commit 177f25d1292c7e16e1199b39c85480f7f8815552 ]
Since the report buffer is used by all kinds of drivers in various ways, let's
zero-initialize it during allocation to make sure that it can't be ever used
to leak kernel memory via specially-crafted report.
Bug: 380395346
Fixes:
|
||
Greg Kroah-Hartman
|
b0e9b554c3 |
Merge tag 'android12-5.10.228_r00' into android12-5.10
This merges up to the 5.10.228 LTS release into the android12-5.10 branch. Changes included in here are: * |
||
Nathan Chancellor
|
7098f838f2 |
ANDROID: libsubcmd: Hoist iterator variable declarations in parse_options_subcommand()
When applying HOSTCFLAGS to the libsubcmd build to resolve a separate
issue, which contain '-std=gnu89' prior to commit 1e24078113ae ("Kbuild:
use -std=gnu11 for KBUILD_USERCFLAGS"), the following warning/error
occurs:
parse-options.c:643:8: error: GCC does not allow variable declarations in for loop initializers before C99 [-Werror,-Wgcc-compat]
for (int i = 0; subcommands[i]; i++) {
^
parse-options.c:669:9: error: GCC does not allow variable declarations in for loop initializers before C99 [-Werror,-Wgcc-compat]
for (int i = 0; subcommands[i]; i++)
^
This issue was never visible upstream, as commit 1e24078113ae ("Kbuild:
use -std=gnu11 for KBUILD_USERCFLAGS") was applied before
commit 13e07691a16f ("tools/resolve_btfids: Alter how HOSTCC is
forced"). Prior to the latter change, there was no '-std=' flag passed
to the libsubcmd build, so the default standard value was used, which
may be newer than C99.
To resolve this issue to unblock applying HOSTCFLAGS to libsubcmd, just
hoist the declarations out of the for loops.
Bug: 301145081
Link: https://github.com/ClangBuiltLinux/linux/issues/1929
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Change-Id: I41f17964f3d0822b026f6ae8f06a4d49bc7f15a9
(cherry picked from https://android-review.googlesource.com/q/commit:8f75dab19c30be65c740bd4abf9587714b3305dc)
|
||
Kalesh Singh
|
1fed2de8e6 |
ANDROID: mm: Fix SPF-aware fast-mremap
Fast-mremap tries to detect concerrent SPF's by checking if
vma->file_ref_count is 1 and setting it to -1 to prevent concurrent
SPF's from happening after a fast-mremap has started. This check
doesn't account for the cases where the VMA has been split/merged
after the check has happened in the SPF or fast-remap paths; which
can lead to the PMD/PUD level page table being changed from under
a concurrent SPF if certain race conditions are met.
Currently SPF takes the PTL lock at the lowest level of the
page table hierarchy (i.e. the page table page covering a 2MB extent).
Fast mremap at the PMD level only takes the PTL lock for the
page table pages (old and new) containing the PMD entries to be
updated (i.e the page table pages covering 1GB extents)
Remove the vma_ref_count trylock, and disable fast-mremap at the PUD
level if SPF is enabled.
At the PMD level take the pte ptl lock on the source address,
to avoid races with concurrent SPF.
NOTE: The additional lock, means that there are now 2 levels of
nested spinlocks. However we forego adding a new lockdep
subclass as Android doesn't enable lockdep in production.
old_ptl (pmd_lock)
new_ptl (pmd_lock)
old_pte_ptl (pte ptl lock)
Bug: 377672115
Change-Id: Ie634806115ce86a05477dfe45806487c856c3759
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
|
||
Pedro Tammela
|
b396c229b4 |
UPSTREAM: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
[ Upstream commit 2e95c4384438adeaa772caa560244b1a2efef816 ] In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In |
||
Daeho Jeong
|
a8339e7fd0 |
UPSTREAM: f2fs: support SEEK_DATA and SEEK_HOLE for compression files
Fix to support SEEK_DATA and SEEK_HOLE for compression files Bug: 325092012 Signed-off-by: Daeho Jeong <daehojeong@google.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> (cherry picked from commit a94c7fded76bfd1a061deae7be80fedbfa26774e) (cherry picked from https://android-review.googlesource.com/q/commit:268f1fed504a7bc9cfba291fe994ad767eda7a70) Merged-In: Iba62c53e634682205f84c8dc3566ab8df9079158 Change-Id: Iba62c53e634682205f84c8dc3566ab8df9079158 |
||
|
Greg Kroah-Hartman
|
38dc270ca0 |
Revert "genetlink: hold RCU in genlmsg_mcast()"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
c515597aec |
Merge 02874ca52d ("tracing: Consider the NULL character when validating the event length") into android12-5.10-lts
Steps on the way to 5.10.229 Resolves conflicts in: drivers/net/macsec.c Change-Id: Ibc2583ddd810808fa9ce619e71935aeb5f97805a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Aleksei Vetrov
|
894861d67a |
ANDROID: add file for recording allowed ABI breaks
The tooling is configured to block any changes that has a chance to break ABI, including the possibly safe: * replacement of ANDROID_KABI_RESERVE with ANDROID_KABI_USE * changes to internal structures that are not accessible to modules * addition of enumerators These changes are difficult for the tooling to identify as definitively non-breaking, therefore, a human reviewer must check the change and approve it as non-breaking. This change adds a file to record the approval with the change that was marked as breaking. This allows the tooling to: * unblock presubmits for the change * don't block presubmits when it is cherry-picked to another branch * filter compatibility reports between a release branch and a tip of the development branch it was forked from The file is prefilled with all breaks that happened from the KMI freeze. Bug: 365521273 Change-Id: I63fbed5c364cb8c7bd149bf40d084d3d87533bf7 Signed-off-by: Aleksei Vetrov <vvvvvv@google.com> |
||
zhengwei
|
2936e6a8e4 |
ANDROID: GKI: update symbol list for honor
Leaf changes summary: 4 artifacts changed Changed leaf types summary: 0 leaf type changed Removed/Changed/Added functions summary: 0 Removed, 0 Changed, 4 Added functions Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variable 4 Added functions: [A] 'function spinlock_t* __pmd_trans_huge_lock(pmd_t*, vm_area_struct*)' [A] 'function page* _vm_normal_page(vm_area_struct*, unsigned long int, pte_t, unsigned long int)' [A] 'function const char* arch_vma_name(vm_area_struct*)' [A] 'function void pmd_clear_bad(pmd_t*)' Bug: 379962310 Change-Id: Id4e8195820d68b890936ca972b03d864305ae52b Signed-off-by: zhengwei <zhengwei2@honor.com> |
||
Dezhi Huang
|
e05e6574f7 |
ANDROID: Allow vendor modules perform more operations on memleak detect
Export arch_vma_name, _vm_normal_page, pmd_clear_bad, __pmd_trans_huge_lock functions. Allow vendor modules perform more operations on memleak detect and debug. It can detect multiple types of memleak,such as Native,ION,Slub and Vmalloc. Shows detail size of memleak, and shows the stack. Bug: 379962310 Bug: 365506692 Bug: 342305999 Change-Id: I118efa570e660d0696bf081d00b670760d01bec1 Signed-off-by: Dezhi Huang <huangdezhi@hihonor.com> (cherry picked from commit 21e76b82444db3635eacb360f0d0206a069de4a8) (cherry picked from commit ce0653fd2cb3b91553870938edd1b854c4975c72) |
||
Arnd Bergmann
|
900cb56f4c |
UPSTREAM: drm/omap: fix misleading indentation in pixinc()
An old patch added a 'return' statement after each BUG() in this driver,
which was necessary at the time, but has become redundant after the BUG()
definition was updated to handle this properly.
gcc-11 now warns about one such instance, where the 'return' statement
was incorrectly indented:
drivers/gpu/drm/omapdrm/dss/dispc.c: In function ‘pixinc’:
drivers/gpu/drm/omapdrm/dss/dispc.c:2093:9: error: this ‘else’ clause does not guard... [-Werror=misleading-indentation]
2093 | else
| ^~~~
drivers/gpu/drm/omapdrm/dss/dispc.c:2095:17: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the ‘else’
2095 | return 0;
| ^~~~~~
Address this by removing the return again and changing the BUG()
to be unconditional to make this more intuitive.
Fixes:
|
||
|
Arnd Bergmann
|
ef536a1d63 |
UPSTREAM: bitfield: build kunit tests without structleak plugin
The structleak plugin causes the stack frame size to grow immensely: lib/bitfield_kunit.c: In function 'test_bitfields_constants': lib/bitfield_kunit.c:93:1: error: the frame size of 7440 bytes is larger than 2048 bytes [-Werror=frame-larger-than=] Turn it off in this file. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Brendan Higgins <brendanhiggins@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> (cherry picked from commit a8cf90332ae3e2b53813a146a99261b6a5e16a73) Change-Id: Iafc6cac194dd798fdc5e12c75373a4df59e48116 |
||
Carlos Llamas
|
db11e82971 |
BACKPORT: FROMGIT: binder: add delivered_freeze to debugfs output
Add the pending proc->delivered_freeze work to the debugfs output. This
information was omitted in the original implementation of the freeze
notification and can be valuable for debugging issues.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-9-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit cb2aeb2ec25884133110ffe5a67ff3cf7dee5ceb
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: Ifc9a22b52e38c35af661732486fa1f154adb34de
[cmllamas: fix KMI break with proc_wrapper()]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
|
Carlos Llamas
|
a204f3aa74 |
BACKPORT: FROMGIT: binder: fix memleak of proc->delivered_freeze
If a freeze notification is cleared with BC_CLEAR_FREEZE_NOTIFICATION
before calling binder_freeze_notification_done(), then it is detached
from its reference (e.g. ref->freeze) but the work remains queued in
proc->delivered_freeze. This leads to a memory leak when the process
exits as any pending entries in proc->delivered_freeze are not freed:
unreferenced object 0xffff38e8cfa36180 (size 64):
comm "binder-util", pid 655, jiffies 4294936641
hex dump (first 32 bytes):
b8 e9 9e c8 e8 38 ff ff b8 e9 9e c8 e8 38 ff ff .....8.......8..
0b 00 00 00 00 00 00 00 3c 1f 4b 00 00 00 00 00 ........<.K.....
backtrace (crc 95983b32):
[<000000000d0582cf>] kmemleak_alloc+0x34/0x40
[<000000009c99a513>] __kmalloc_cache_noprof+0x208/0x280
[<00000000313b1704>] binder_thread_write+0xdec/0x439c
[<000000000cbd33bb>] binder_ioctl+0x1b68/0x22cc
[<000000002bbedeeb>] __arm64_sys_ioctl+0x124/0x190
[<00000000b439adee>] invoke_syscall+0x6c/0x254
[<00000000173558fc>] el0_svc_common.constprop.0+0xac/0x230
[<0000000084f72311>] do_el0_svc+0x40/0x58
[<000000008b872457>] el0_svc+0x38/0x78
[<00000000ee778653>] el0t_64_sync_handler+0x120/0x12c
[<00000000a8ec61bf>] el0t_64_sync+0x190/0x194
This patch fixes the leak by ensuring that any pending entries in
proc->delivered_freeze are freed during binder_deferred_release().
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-8-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit 1db76ec2b4b206ff943e292a0b55e68ff3443598
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: Iafdec3421c521b4b591b94455deba7ee5102c8ca
[cmllamas: drop BINDER_STAT_FREEZE and use proc_wrapper()]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
|
Carlos Llamas
|
5a88465893 |
FROMGIT: binder: allow freeze notification for dead nodes
Alice points out that binder_request_freeze_notification() should not
return EINVAL when the relevant node is dead [1]. The node can die at
any point even if the user input is valid. Instead, allow the request
to be allocated but skip the initial notification for dead nodes. This
avoids propagating unnecessary errors back to userspace.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Suggested-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/all/CAH5fLghapZJ4PbbkC8V5A6Zay-_sgTzwVpwqk6RWWUNKKyJC_Q@mail.gmail.com/ [1]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-7-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit ca63c66935b978441055e3d87d30225267f99329
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: I03af1eedfeb194f5a775388cbb4e7487e4a5dfc0
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
|
Carlos Llamas
|
f357f2a81d |
FROMGIT: binder: fix BINDER_WORK_CLEAR_FREEZE_NOTIFICATION debug logs
proc 699
context binder-test
thread 699: l 00 need_return 0 tr 0
ref 25: desc 1 node 20 s 1 w 0 d 00000000c03e09a3
unknown work: type 11
proc 640
context binder-test
thread 640: l 00 need_return 0 tr 0
ref 8: desc 1 node 3 s 1 w 0 d 000000002bb493e1
has cleared freeze notification
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Suggested-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-6-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit 595ea72efff9fa65bc52b6406e0822f90841f266
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: Ic6311aaea2040aaf4534cdaa4cbfa378afe31869
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
|
Carlos Llamas
|
4e4b2cf3e2 |
FROMGIT: binder: fix BINDER_WORK_FROZEN_BINDER debug logs
The BINDER_WORK_FROZEN_BINDER type is not handled in the binder_logs
entries and it shows up as "unknown work" when logged:
proc 649
context binder-test
thread 649: l 00 need_return 0 tr 0
ref 13: desc 1 node 8 s 1 w 0 d 0000000053c4c0c3
unknown work: type 10
This patch add the freeze work type and is now logged as such:
proc 637
context binder-test
thread 637: l 00 need_return 0 tr 0
ref 8: desc 1 node 3 s 1 w 0 d 00000000dc39e9c6
has frozen binder
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-5-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit 830d7db744b42c693bf1db7e94db86d7efd91f0e
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: I06f888aa5218db19eeda79e315385506af09d9d5
Signed-off-by: Carlos Llamas <cmllamas@google.com>
|
||
|
Carlos Llamas
|
2bd6b2ab69 |
BACKPORT: FROMGIT: binder: fix freeze UAF in binder_release_work()
When a binder reference is cleaned up, any freeze work queued in the associated process should also be removed. Otherwise, the reference is freed while its ref->freeze.work is still queued in proc->work leading to a use-after-free issue as shown by the following KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0 Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211 CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22 Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: binder_release_work+0x398/0x3d0 binder_deferred_func+0xb60/0x109c process_one_work+0x51c/0xbd4 worker_thread+0x608/0xee8 Allocated by task 703: __kmalloc_cache_noprof+0x130/0x280 binder_thread_write+0xdb4/0x42a0 binder_ioctl+0x18f0/0x25ac __arm64_sys_ioctl+0x124/0x190 invoke_syscall+0x6c/0x254 Freed by task 211: kfree+0xc4/0x230 binder_deferred_func+0xae8/0x109c process_one_work+0x51c/0xbd4 worker_thread+0x608/0xee8 ================================================================== This commit fixes the issue by ensuring any queued freeze work is removed when cleaning up a binder reference. Fixes: d579b04a52a1 ("binder: frozen notification") Cc: stable@vger.kernel.org Acked-by: Todd Kjos <tkjos@android.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Signed-off-by: Carlos Llamas <cmllamas@google.com> Link: https://lore.kernel.org/r/20240926233632.821189-4-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 366003708 (cherry picked from commit 7e20434cbca814cb91a0a261ca0106815ef48e5f git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-next) Change-Id: Icc40e7dd6157981f4adbea7243e55be118552321 [cmllamas: drop BINDER_STAT_FREEZE as it's not supported here] Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Carlos Llamas
|
df183ec320 |
FROMGIT: binder: fix OOB in binder_add_freeze_work()
In binder_add_freeze_work() we iterate over the proc->nodes with the proc->inner_lock held. However, this lock is temporarily dropped to acquire the node->lock first (lock nesting order). This can race with binder_deferred_release() which removes the nodes from the proc->nodes rbtree and adds them into binder_dead_nodes list. This leads to a broken iteration in binder_add_freeze_work() as rb_next() will use data from binder_dead_nodes, triggering an out-of-bounds access: ================================================================== BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124 Read of size 8 at addr ffffcb84285f7170 by task freeze/660 CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18 Hardware name: linux,dummy-virt (DT) Call trace: rb_next+0xfc/0x124 binder_add_freeze_work+0x344/0x534 binder_ioctl+0x1e70/0x25ac __arm64_sys_ioctl+0x124/0x190 The buggy address belongs to the variable: binder_dead_nodes+0x10/0x40 [...] ================================================================== This is possible because proc->nodes (rbtree) and binder_dead_nodes (list) share entries in binder_node through a union: struct binder_node { [...] union { struct rb_node rb_node; struct hlist_node dead_node; }; Fix the race by checking that the proc is still alive. If not, simply break out of the iteration. Fixes: d579b04a52a1 ("binder: frozen notification") Cc: stable@vger.kernel.org Reviewed-by: Alice Ryhl <aliceryhl@google.com> Acked-by: Todd Kjos <tkjos@google.com> Signed-off-by: Carlos Llamas <cmllamas@google.com> Link: https://lore.kernel.org/r/20240926233632.821189-3-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 366003708 (cherry picked from commit 011e69a1b23011c0db3af4b8293fdd4522cc97b0 git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-next) Change-Id: I5ec9d49277a23b864862665b52213460750c535e Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Carlos Llamas
|
8f52d7a1ee |
FROMGIT: binder: fix node UAF in binder_add_freeze_work()
In binder_add_freeze_work() we iterate over the proc->nodes with the proc->inner_lock held. However, this lock is temporarily dropped in order to acquire the node->lock first (lock nesting order). This can race with binder_node_release() and trigger a use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c Write of size 4 at addr ffff53c04c29dd04 by task freeze/640 CPU: 5 UID: 0 PID: 640 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #17 Hardware name: linux,dummy-virt (DT) Call trace: _raw_spin_lock+0xe4/0x19c binder_add_freeze_work+0x148/0x478 binder_ioctl+0x1e70/0x25ac __arm64_sys_ioctl+0x124/0x190 Allocated by task 637: __kmalloc_cache_noprof+0x12c/0x27c binder_new_node+0x50/0x700 binder_transaction+0x35ac/0x6f74 binder_thread_write+0xfb8/0x42a0 binder_ioctl+0x18f0/0x25ac __arm64_sys_ioctl+0x124/0x190 Freed by task 637: kfree+0xf0/0x330 binder_thread_read+0x1e88/0x3a68 binder_ioctl+0x16d8/0x25ac __arm64_sys_ioctl+0x124/0x190 ================================================================== Fix the race by taking a temporary reference on the node before releasing the proc->inner lock. This ensures the node remains alive while in use. Fixes: d579b04a52a1 ("binder: frozen notification") Cc: stable@vger.kernel.org Reviewed-by: Alice Ryhl <aliceryhl@google.com> Acked-by: Todd Kjos <tkjos@google.com> Signed-off-by: Carlos Llamas <cmllamas@google.com> Link: https://lore.kernel.org/r/20240926233632.821189-2-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 366003708 (cherry picked from commit dc8aea47b928cc153b591b3558829ce42f685074 git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git char-misc-next) Change-Id: I47b053532dd4cd3424d35d6f254ca4d00c426411 Signed-off-by: Carlos Llamas <cmllamas@google.com> |
||
|
Greg Kroah-Hartman
|
012423e6bd |
Merge 5.10.228 into android12-5.10-lts
Changes in 5.10.228 ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 net: enetc: add missing static descriptor and inline keyword posix-clock: Fix missing timespec64 check in pc_clock_settime() arm64: probes: Remove broken LDR (literal) uprobe support arm64: probes: Fix simulate_ldr*_literal() net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 fat: fix uninitialized variable mm/swapfile: skip HugeTLB pages for unuse_vma wifi: mac80211: fix potential key use-after-free KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() io_uring/sqpoll: do not allow pinning outside of cpuset io_uring/sqpoll: retain test for whether the CPU is valid io_uring/sqpoll: do not put cpumask on stack s390/sclp_vt220: Convert newlines to CRLF instead of LFCR KVM: s390: Change virtual to physical address access in diag 0x258 handler x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET x86/cpufeatures: Add a IBPB_NO_RET BUG flag x86/entry: Have entry_ibpb() invalidate return predictions x86/bugs: Skip RSB fill at VMEXIT x86/bugs: Do not use UNTRAIN_RET with IBPB on entry blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race io_uring/sqpoll: close race on waiting for sqring entries drm/radeon: Fix encoder->possible_clones drm/vmwgfx: Handle surface check failure correctly iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() iio: light: veml6030: fix ALS sensor resolution iio: light: veml6030: fix IIO device retrieval from embedded device iio: light: opt3001: add missing full-scale range value iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Bluetooth: Remove debugfs directory on module init failure Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 xhci: Fix incorrect stream context type macro USB: serial: option: add support for Quectel EG916Q-GL USB: serial: option: add Telit FN920C04 MBIM compositions parport: Proper fix for array out-of-bounds access x86/resctrl: Annotate get_mem_config() functions as __init x86/apic: Always explicitly disarm TSC-deadline timer x86/entry_32: Do not clobber user EFLAGS.ZF x86/entry_32: Clear CPU buffers after register restore in NMI return irqchip/gic-v4: Don't allow a VMOVP on a dying VPE mptcp: track and update contiguous data status mptcp: handle consistently DSS corruption tcp: fix mptcp DSS corruption due to large pmtu xmit nilfs2: propagate directory read errors from nilfs_find_entry() powerpc/mm: Always update max/min_low_pfn in mem_topology_setup() ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 Linux 5.10.228 Change-Id: I46a08618e1091915449af89690af27a230a28855 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
af2f7573ea |
Revert "xfrm: Pass flowi_oif or l3mdev as oif to xfrm_dst_lookup"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
705b091042 |
Revert "net: Handle l3mdev in ip_tunnel_init_flow"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
0ba4653710 |
Merge 5.10.227 into android12-5.10-lts
Changes in 5.10.227 usb: dwc3: Decouple USB 2.0 L1 & L2 events usb: dwc3: core: Enable GUCTL1 bit 10 for fixing termination error after resume bug usb: dwc3: core: update LC timer as per USB Spec V3.2 usbnet: ipheth: fix carrier detection in modes 1 and 4 net: ethernet: use ip_hdrlen() instead of bit shift net: phy: vitesse: repair vsc73xx autonegotiation powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL btrfs: update target inode's ctime on unlink Input: ads7846 - ratelimit the spi_sync error message Input: synaptics - enable SMBus for HP Elitebook 840 G2 scripts: kconfig: merge_config: config files: add a trailing newline drm/msm/adreno: Fix error return if missing firmware-name Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table NFS: Avoid unnecessary rescanning of the per-server delegation list arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma minmax: reduce min/max macro expansion in atomisp driver hwmon: (pmbus) Introduce and use write_byte_data callback hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 ice: fix accounting for filters shared by multiple VSIs net/mlx5: Update the list of the PCI supported devices net/mlx5e: Add missing link modes to ptys2ethtool_map fou: fix initialization of grc net: ftgmac100: Enable TX interrupt to avoid TX timeout net: dpaa: Pad packets to ETH_ZLEN spi: nxp-fspi: fix the KASAN report out-of-bounds bug soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" ASoC: meson: axg-card: fix 'use-after-free' dma-buf: heaps: Fix off-by-one in CMA heap fault handler ASoC: allow module autoloading for table db1200_pids ALSA: hda/realtek - Fixed ALC256 headphone no sound ALSA: hda/realtek - FIxed ALC285 headphone no sound pinctrl: at91: make it work with current gpiolib microblaze: don't treat zero reserved memory regions as error net: ftgmac100: Ensure tx descriptor updates are visible wifi: iwlwifi: lower message level for FW buffer destination wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead ASoC: intel: fix module autoloading ASoC: tda7419: fix module autoloading drm: komeda: Fix an issue related to normalized zpos spi: bcm63xx: Enable module autoloading x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency ocfs2: add bounds checking to ocfs2_xattr_find_entry() ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() cgroup: Make operations on the cgroup root_list RCU safe netfilter: nft_set_pipapo: walk over current view on netlink dump netfilter: nf_tables: missing iterator type in lookup walk gpio: prevent potential speculation leaks in gpio_device_get_desc() mptcp: export lookup_anno_list_by_saddr mptcp: validate 'id' when stopping the ADD_ADDR retransmit timer mptcp: pm: Fix uaf in __timer_delete_sync inet: inet_defrag: prevent sk release while still in use x86/ibt,ftrace: Search for __fentry__ location ftrace: Fix possible use-after-free issue in ftrace_location() gpiolib: cdev: Ignore reconfiguration without direction cgroup: Move rcu_head up near the top of cgroup_root usb: dwc3: Fix a typo in field name USB: serial: pl2303: add device id for Macrosilicon MS3020 USB: usbtmc: prevent kernel-usb-infoleak wifi: rtw88: always wait for both firmware loading attempts ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() fs: explicitly unregister per-superblock BDIs mount: warn only once about timestamp range expiration fs/namespace: fnic: Switch to use %ptTd mount: handle OOM on mnt_warn_timestamp_expiry padata: Honor the caller's alignment in case of chunk_size 0 can: j1939: use correct function name in comment netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire netfilter: nf_tables: reject element expiration with no timeout netfilter: nf_tables: reject expiration higher than timeout cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails appropriately wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() wifi: mt76: mt7915: fix rx filter setting for bfee functionality wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param sock_map: Add a cond_resched() in sock_hash_free() can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). can: m_can: Add support for transceiver as phy can: m_can: m_can_close(): stop clocks after device has been shut down Bluetooth: btusb: Fix not handling ZPL/short-transfer bareudp: allow redirecting bareudp packets to eth devices bareudp: Pull inner IP header in bareudp_udp_encap_recv(). net: geneve: support IPv4/IPv6 as inner protocol geneve: Fix incorrect inner network header offset when innerprotoinherit is set bareudp: Pull inner IP header on xmit. net: enetc: Use IRQF_NO_AUTOEN flag in request_irq() r8169: disable ALDPS per default for RTL8125 net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input net: tipc: avoid possible garbage value block, bfq: fix possible UAF for bfqq->bic with merge chain block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator() block, bfq: don't break merge chain in bfq_split_bfqq() block: print symbolic error name instead of error code block: fix potential invalid pointer dereference in blk_add_partition spi: ppc4xx: handle irq_of_parse_and_map() errors spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ ARM: dts: microchip: sam9x60: Fix rtc/rtt clocks ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property ARM: versatile: fix OF node leak in CPUs prepare reset: berlin: fix OF node leak in probe() error path clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() m68k: Fix kernel_clone_args.flags in m68k_clone() hwmon: (max16065) Fix overflows seen when writing limits device property: Add const qualifier to device_get_match_data() parameter i2c: Add i2c_get_match_data() hwmon: (max16065) Remove use of i2c_match_id() hwmon: (max16065) Fix alarm attributes mtd: slram: insert break after errors in parsing the map hwmon: (ntc_thermistor) fix module autoloading power: supply: axp20x_battery: allow disabling battery charging power: supply: axp20x_battery: Remove design from min and max voltage power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() mtd: powernv: Add check devm_kasprintf() returned value drm/stm: Fix an error handling path in stm_drm_platform_probe() drm/amdgpu: Replace one-element array with flexible-array member drm/amdgpu: properly handle vbios fake edid sizing drm/radeon: Replace one-element array with flexible-array member drm/radeon: properly handle vbios fake edid sizing drm/rockchip: vop: Allow 4096px width scaling drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets jfs: fix out-of-bounds in dbNextAG() and diAlloc() drm/msm: Fix incorrect file name output in adreno_request_fw() drm/msm/a5xx: disable preemption in submits by default drm/msm/a5xx: properly clear preemption records on resume drm/msm/a5xx: fix races in preemption evaluation stage drm/msm: Add priv->mm_lock to protect active/inactive lists drm/msm: Drop priv->lastctx drm/msm/a5xx: workaround early ring-buffer emptiness check ipmi: docs: don't advertise deprecated sysfs entries drm/msm: fix %s null argument error drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind() xen: use correct end address of kernel for conflict checking xen/swiotlb: add alignment check for dma buffers tpm: Clean up TPM space after command failure selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c selftests/bpf: Fix missing ARRAY_SIZE() definition in bench.c selftests/bpf: Fix compiling kfree_skb.c with musl-libc selftests/bpf: Fix compiling flow_dissector.c with musl-libc selftests/bpf: Fix compiling tcp_rtt.c with musl-libc selftests/bpf: Fix errors compiling cg_storage_multi.h with musl libc selftests/bpf: Fix error compiling test_lru_map.c selftests/bpf: Fix C++ compile error from missing _Bool type xz: cleanup CRC32 edits from 2018 kthread: add kthread_work tracepoints kthread: fix task state in kthread worker if being frozen ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso ext4: avoid buffer_head leak in ext4_mark_inode_used() ext4: avoid potential buffer_head leak in __ext4_new_inode() ext4: avoid negative min_clusters in find_group_orlov() ext4: return error on ext4_find_inline_entry ext4: avoid OOB when system.data xattr changes underneath the filesystem nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() nilfs2: determine empty node blocks as corrupted nilfs2: fix potential oob read in nilfs_btree_check_delete() bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit perf sched timehist: Fix missing free of session in perf_sched__timehist() perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time perf time-utils: Fix 32-bit nsec parsing clk: imx: imx8mp: fix clock tree update of TF-A managed clocks clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error PCI: keystone: Fix if-statement expression in ks_pcie_quirk() PCI: xilinx-nwl: Fix register misspelling RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency pinctrl: single: fix missing error code in pcs_probe() clk: ti: dra7-atl: Fix leak of of_nodes nfsd: remove unneeded EEXIST error check in nfsd_do_file_acquire nfsd: fix refcount leak when file is unhashed after being found pinctrl: mvebu: Use devm_platform_get_and_ioremap_resource() pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function watchdog: imx_sc_wdt: Don't disable WDT in suspend RDMA/hns: Add mapped page count checking for MTR RDMA/hns: Refactor root BT allocation for MTR RDMA/hns: Fix the overflow risk of hem_list_calc_ba_range() RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled RDMA/hns: Optimize hem allocation performance riscv: Fix fp alignment bug in perf_callchain_user() RDMA/cxgb4: Added NULL check for lookup_atid ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() ntb_perf: Fix printk format nfsd: call cache_put if xdr_reserve_space returns NULL nfsd: return -EINVAL when namelen is 0 f2fs: enhance to update i_mode and acl atomically in f2fs_setattr() f2fs: fix typo f2fs: fix to update i_ctime in __f2fs_setxattr() f2fs: remove unneeded check condition in __f2fs_setxattr() f2fs: reduce expensive checkpoint trigger frequency spi: lpspi: Silence error message upon deferred probe spi: lpspi: release requested DMA channels spi: spi-fsl-lpspi: Undo runtime PM changes at driver exit time iio: adc: ad7606: fix oversampling gpio array iio: adc: ad7606: fix standby gpio state to match the documentation coresight: tmc: sg: Do not leak sg_table interconnect: qcom: sm8250: Enable sync_state vdpa: Add eventfd for the vdpa callback vhost_vdpa: assign irq bypass producer token correctly Revert "dm: requeue IO if mapping table not yet available" netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL tcp: check skb is non-NULL in tcp_rto_delta_us() net: qrtr: Update packets cloning when broadcasting netfilter: nf_tables: Keep deleted flowtable hooks until after RCU netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination Input: goodix - use the new soc_intel_is_byt() helper powercap: RAPL: fix invalid initialization for pl4_supported field x86/mm: Switch to new Intel CPU model defines Revert "bpf: Fix DEVMAP_HASH overflow check on 32-bit arches" Revert "bpf: Eliminate rlimit-based memory accounting for devmap maps" bpf: Fix DEVMAP_HASH overflow check on 32-bit arches selinux,smack: don't bypass permissions check in inode_setsecctx hook mptcp: fix sometimes-uninitialized warning Remove *.orig pattern from .gitignore ASoC: rt5682: Return devm_of_clk_add_hw_provider to transfer the error soc: versatile: integrator: fix OF node leak in probe() error path Input: i8042 - add TUXEDO Stellaris 16 Gen5 AMD to i8042 quirk table Input: i8042 - add TUXEDO Stellaris 15 Slim Gen6 AMD to i8042 quirk table Input: i8042 - add another board name for TUXEDO Stellaris Gen5 AMD line drm/amd/display: Round calculated vtotal USB: appledisplay: close race between probe and completion handler USB: misc: cypress_cy7c63: check for short transfer USB: class: CDC-ACM: fix race between get_serial and set_serial bus: integrator-lm: fix OF node leak in probe() firmware_loader: Block path traversal tty: rp2: Fix reset with non forgiving PCIe host bridges crypto: ccp - Properly unregister /dev/sev on sev PLATFORM_STATUS failure drbd: Fix atomicity violation in drbd_uuid_set_bm() drbd: Add NULL check for net_conf to prevent dereference in state validation ACPI: sysfs: validate return type of _STR method ACPI: resource: Add another DMI match for the TongFang GMxXGxx efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption perf/x86/intel/pt: Fix sampling synchronization wifi: rtw88: 8822c: Fix reported RX band width debugobjects: Fix conditions in fill_pool() f2fs: prevent possible int overflow in dir_block_index() f2fs: avoid potential int overflow in sanity_check_area_boundary() hwrng: mtk - Use devm_pm_runtime_enable hwrng: cctrng - Add missing clk_disable_unprepare in cctrng_resume arm64: dts: rockchip: Raise Pinebook Pro's panel backlight PWM frequency arm64: dts: rockchip: Correct the Pinebook Pro battery design capacity vfs: fix race between evice_inodes() and find_inode()&iput() fs: Fix file_set_fowner LSM hook inconsistencies nfs: fix memory leak in error path of nfs4_do_reclaim padata: use integer wrap around to prevent deadlock on seq_nr overflow PCI: xilinx-nwl: Use irq_data_get_irq_chip_data() PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler soc: versatile: realview: fix memory leak during device remove soc: versatile: realview: fix soc_dev leak during device remove usb: yurex: Replace snprintf() with the safer scnprintf() variant USB: misc: yurex: fix race between read and write pps: remove usage of the deprecated ida_simple_xx() API pps: add an error check in parport_attach usb: renesas-xhci: Remove renesas_xhci_pci_exit() xhci: Set quirky xHC PCI hosts to D3 _after_ stopping and freeing them. lockdep: fix deadlock issue between lockdep and rcu mm: only enforce minimum stack gap size if it's sensible i2c: aspeed: Update the stop sw state when the bus recovery occurs i2c: isch: Add missed 'else' usb: yurex: Fix inconsistent locking bug in yurex_read() spi: lpspi: Simplify some error message mailbox: rockchip: fix a typo in module autoloading mailbox: bcm2835: Fix timeout during suspend mode ceph: remove the incorrect Fw reference check when dirtying pages ieee802154: Fix build error net/mlx5: Fix error path in multi-packet WQE transmit net/mlx5: Added cond_resched() to crdump collection netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() netfilter: nf_tables: prevent nf_skb_duplicated corruption Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() net: ethernet: lantiq_etop: fix memory disclosure net: avoid potential underflow in qdisc_pkt_len_init() with UFO net: add more sanity checks to qdisc_pkt_len_init() ipv4: ip_gre: Fix drops of small packets in ipgre_xmit sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start i2c: xiic: Fix broken locking on tx_msg i2c: xiic: Switch from waitqueue to completion i2c: xiic: Fix RX IRQ busy check i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path i2c: xiic: improve error message when transfer fails to start i2c: xiic: Try re-initialization on bus busy timeout media: usbtv: Remove useless locks in usbtv_video_free() Bluetooth: L2CAP: Fix not validating setsockopt user input ALSA: mixer_oss: Remove some incorrect kfree_const() usages ALSA: hda/realtek: Fix the push button function for the ALC257 ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin f2fs: Require FMODE_WRITE for atomic write ioctls wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() net/xen-netback: prevent UAF in xenvif_flush_hash() net: hisilicon: hip04: fix OF node leak in probe() net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() net: hisilicon: hns_mdio: fix OF node leak in probe() ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails ACPICA: Fix memory leak if acpi_ps_get_next_field() fails net: sched: consistently use rcu_replace_pointer() in taprio_change() blk_iocost: fix more out of bound shifts wifi: ath11k: fix array out-of-bound access in SoC stats wifi: rtw88: select WANT_DEV_COREDUMP ACPI: EC: Do not release locks during operation region accesses ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() tipc: guard against string buffer overrun net: mvpp2: Increase size of queue_name buffer ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family net: atlantic: Avoid warning about potential string truncation tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process ACPICA: iasl: handle empty connection_node proc: add config & param to block forcing mem writes wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() nfp: Use IRQF_NO_AUTOEN flag in request_irq() signal: Replace BUG_ON()s ALSA: usb-audio: Define macros for quirk table entries ALSA: usb-audio: Add logitech Audio profile quirk ALSA: asihpi: Fix potential OOB array access ALSA: hdsp: Break infinite MIDI input flush loop x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() fbdev: pxafb: Fix possible use after free in pxafb_task() rcuscale: Provide clear error when async specified without primitives iommu/arm-smmu-qcom: hide last LPASS SMMU context bank from linux power: reset: brcmstb: Do not go into infinite loop if reset fails iommu/vt-d: Always reserve a domain ID for identity setup iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream ata: sata_sil: Rename sil_blacklist to sil_quirks drm/amd/display: Check null pointers before using dc->clk_mgr jfs: UBSAN: shift-out-of-bounds in dbFindBits jfs: Fix uaf in dbFreeBits jfs: check if leafidx greater than num leaves per dmap tree jfs: Fix uninit-value access of new_ea in ea_buffer drm/amdgpu: add raven1 gfxoff quirk drm/amdgpu: enable gfxoff quirk on HP 705G4 platform/x86: touchscreen_dmi: add nanote-next quirk drm/amd/display: Check stream before comparing them drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation drm/amd/display: Fix index out of bounds in degamma hardware format translation drm/amd/display: Fix index out of bounds in DCN30 color transformation drm/amd/display: Initialize get_bytes_per_element's default to 1 drm/printer: Allow NULL data in devcoredump printer scsi: aacraid: Rearrange order of struct aac_srb_unit drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() drm/amd/pm: ensure the fw_info is not null before using it of/irq: Refer to actual buffer size in of_irq_parse_one() ext4: ext4_search_dir should return a proper error ext4: avoid use-after-free in ext4_ext_show_leaf() ext4: fix i_data_sem unlock order in ext4_ind_migrate() spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled spi: s3c64xx: fix timeout counters in flush_fifo selftests: breakpoints: use remaining time to check if suspend succeed selftests: vDSO: fix vDSO symbols lookup for powerpc64 selftests/mm: fix charge_reserved_hugetlb.sh test i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() i2c: xiic: Wait for TX empty to avoid missed TX NAKs firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() spi: bcm63xx: Fix module autoloading perf/core: Fix small negative period being ignored parisc: Fix itlb miss handler for 64-bit programs drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS ALSA: core: add isascii() check to card ID generator ALSA: line6: add hw monitor volume control to POD HD500X ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9 ext4: no need to continue when the number of entries is 1 ext4: fix slab-use-after-free in ext4_split_extent_at() ext4: propagate errors from ext4_find_extent() in ext4_insert_range() ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free ext4: aovid use-after-free in ext4_ext_insert_extent() ext4: fix double brelse() the buffer of the extents path ext4: update orig_path in ext4_find_extent() ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() parisc: Fix 64-bit userspace syscall path parisc: Fix stack start for ADDR_NO_RANDOMIZE personality of/irq: Support #msi-cells=<0> in of_msi_get_domain drm: omapdrm: Add missing check for alloc_ordered_workqueue jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit mm: krealloc: consider spare memory for __GFP_ZERO ocfs2: fix the la space leak when unmounting an ocfs2 volume ocfs2: fix uninit-value in ocfs2_get_block() ocfs2: reserve space for inline xattr before attaching reflink tree ocfs2: cancel dqi_sync_work before freeing oinfo ocfs2: remove unreasonable unlock in ocfs2_read_blocks ocfs2: fix null-ptr-deref when journal load failed. ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate riscv: define ILLEGAL_POINTER_VALUE for 64bit exfat: fix memory leak in exfat_load_bitmap() nfsd: fix delegation_blocked() to block correctly for at least 30 seconds nfsd: map the EBADMSG to nfserr_io to avoid warning NFSD: Fix NFSv4's PUTPUBFH operation aoe: fix the potential use-after-free problem in more places clk: rockchip: fix error for unknown clocks media: sun4i_csi: Implement link validate for sun4i_csi subdev media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags clk: qcom: clk-rpmh: Fix overflow in BCM vote media: venus: fix use after free bug in venus_remove due to race condition clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable() iio: magnetometer: ak8975: Fix reading for ak099xx sensors tomoyo: fallback to realpath if symlink's pathname does not exist net: stmmac: Fix zero-division error when disabling tc cbs rtc: at91sam9: fix OF node leak in probe() error path Input: adp5589-keys - fix adp5589_gpio_get_value() ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] ACPI: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[] btrfs: fix a NULL pointer dereference when failed to start a new trasacntion btrfs: wait for fixup workers before stopping cleaner kthread during umount gpio: davinci: fix lazy disable drm/sched: Add locking to drm_sched_entity_modify_sched kconfig: qconf: fix buffer overflow in debug links i2c: xiic: Simplify with dev_err_probe() i2c: xiic: Use devm_clk_get_enabled() i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled ext4: properly sync file size update after O_SYNC direct IO ext4: dax: fix overflowing extents beyond inode size when partially writing arm64: Add Cortex-715 CPU part definition arm64: cputype: Add Neoverse-N3 definitions arm64: errata: Expand speculative SSBS workaround once more uprobes: fix kernel info leak via "[uprobes]" vma drm/rockchip: define gamma registers for RK3399 drm/rockchip: support gamma control on RK3399 drm/rockchip: vop: clear DMA stop bit on RK3066 clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" r8169: add tally counter fields added with RTL8125 ACPI: battery: Simplify battery hook locking ACPI: battery: Fix possible crash when unregistering a battery hook ext4: fix inode tree inconsistency caused by ENOMEM vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() unicode: Don't special case ignorable code points net: ethernet: cortina: Drop TSO support tracing: Remove precision vsnprintf() check from print event drm/crtc: fix uninitialized variable use even harder s390/zcore: no need to check return value of debugfs_create functions s390/zcore: release dump save area on restart or power down tracing: Have saved_cmdlines arrays all in one allocation virtio_console: fix misc probe bugs kallsyms: Make kallsyms_on_each_symbol generally available kallsyms: Make module_kallsyms_on_each_symbol generally available tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols tracing/kprobes: Fix symbol counting logic by looking at modules as well Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal bpf: Check percpu map value size first s390/facility: Disable compile time optimization for decompressor code s390/mm: Add cond_resched() to cmm_alloc/free_pages() ext4: nested locking for xattr inode s390/cpum_sf: Remove WARN_ON_ONCE statements ktest.pl: Avoid false positives with grub2 skip regex RDMA/mad: Improve handling of timed out WRs of mad agent PCI: Add function 0 DMA alias quirk for Glenfly Arise chip clk: bcm: bcm53573: fix OF node leak in init PCI: Add ACS quirk for Qualcomm SA8775P i2c: i801: Use a different adapter-name for IDF adapters PCI: Mark Creative Labs EMU20k2 INTx masking as broken ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() clk: imx: Remove CLK_SET_PARENT_GATE for DRAM mux for i.MX7D usb: chipidea: udc: enable suspend interrupt after usb reset usb: dwc2: Adjust the timing of USB Driver Interrupt Registration in the Crashkernel Scenario virtio_pmem: Check device status before requesting flush tools/iio: Add memory allocation failure check for trigger_name driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute drm/amd/display: Check null pointer before dereferencing se fbdev: sisfb: Fix strbuf array overflow RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt NFSD: Mark filecache "down" if init fails ice: fix VLAN replay after reset SUNRPC: Fix integer overflow in decode_rc_list() NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies() net: phy: dp83869: fix memory corruption when enabling fiber tcp: fix to allow timestamp undo if no retransmits were sent tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe netfilter: br_netfilter: fix panic with metadata_dst skb Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change net: phy: bcm84881: Fix some error handling paths net: dsa: b53: fix jumbo frame mtu check net: dsa: b53: fix max MTU for 1g switches net: dsa: b53: fix max MTU for BCM5325/BCM5365 net: dsa: b53: allow lower MTUs on BCM5325/5365 net: dsa: b53: fix jumbo frames on 10/100 ports gpio: aspeed: Add the flush write to ensure the write complete. gpio: aspeed: Use devm_clk api to manage clock source igb: Do not bring the device up after non-fatal error net/sched: accept TCA_STAB only for root qdisc net: ibm: emac: mal: fix wrong goto sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start net: Add l3mdev index to flow struct and avoid oif reset for port devices netfilter: rpfilter/fib: Populate flowic_l3mdev field netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces. netfilter: fib: check correct rtable in vrf setups ppp: fix ppp_async_encode() illegal access slip: make slhc_remember() more robust against malicious packets resource: fix region_intersects() vs add_memory_driver_managed() hwmon: (tmp513) Add missing dependency on REGMAP_I2C hwmon: (adm9240) Add missing dependency on REGMAP_I2C HID: plantronics: Workaround for an unexcepted opposite volume key Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant" usb: dwc3: core: Stop processing of pending events if controller is halted usb: xhci: Fix problem with xhci resume from suspend usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip hid: intel-ish-hid: Fix uninitialized variable 'rv' in ish_fw_xfer_direct_dma net: Fix an unsafe loop on the list net: dsa: lan9303: ensure chip reset and wait for READY status nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error net: geneve: add missing netlink policy and size for IFLA_GENEVE_INNER_PROTO_INHERIT xfrm: Pass flowi_oif or l3mdev as oif to xfrm_dst_lookup net: Handle l3mdev in ip_tunnel_init_flow net: seg6: fix seg6_lookup_any_nexthop() to handle VRFs using flowi_l3mdev net: vrf: determine the dst using the original ifindex for multicast netfilter: ip6t_rpfilter: Fix regression with VRF interfaces ext4: fix warning in ext4_dio_write_end_io() RDMA/hns: Fix uninitialized variable net: dsa: microchip: fix build warning Linux 5.10.227 Change-Id: I0bdb2556c8ecff424d08f1ef284e31a8f7c5eab4 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
7ad1ad5a55 |
Merge 4911610c7a ("ext4: fix warning in ext4_dio_write_end_io()") into android12-5.10-lts
Steps on the way to 5.10.227 Resolves merge conflicts in: fs/ext4/file.c We merge around this change as it is fixing up something that we have already reverted in this branch. Change-Id: I2ba36e89e69fb04fc0368b458b106e6498db53f4 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
b585ecc2c9 |
Merge 05cc42d601 ("netfilter: ip6t_rpfilter: Fix regression with VRF interfaces") into android12-5.10-lts
Steps on the way to 5.10.227 Change-Id: I4384ca5cd2e6994725dc962097643972212adf37 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
9b1caf0550 |
Merge a7564b1606 ("Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant"") into android12-5.10-lts
Steps on the way to 5.10.227 Resolves merge conflicts in: fs/nfsd/filecache.c Change-Id: I317988eabc7f40793d8706e2d0a9f39e52871d33 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
4098b69102 |
Revert "net: Add l3mdev index to flow struct and avoid oif reset for port devices"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
5cb5d15755 |
Revert "netfilter: rpfilter/fib: Populate flowic_l3mdev field"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
6fc602a28c |
Revert "netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces."
This reverts commit
|
||
|
Greg Kroah-Hartman
|
7253529039 |
Revert "netfilter: fib: check correct rtable in vrf setups"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
81d8cb7a3e |
Merge 3502b1a297 ("netfilter: fib: check correct rtable in vrf setups") into android12-5.10-lts
Steps on the way to 5.10.227 Change-Id: I8c942c5c9bd222d1b7b04fdf45f17f1ca0bc5d1c Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
ff0e27a0f9 |
Merge 265bf63e24 ("sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start") into android12-5.10-lts
Steps on the way to 5.10.227 Change-Id: Icd51aea58e6744d6fa9097da88dd177513a532c6 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
ca21e0d3a8 |
Merge 0e91c4b484 ("net: dsa: b53: fix jumbo frames on 10/100 ports") into android12-5.10-lts
Steps on the way to 5.10.227 Change-Id: Icd295683946d347d25cacf37500bb3031ef41621 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
6c71f56f4f |
Merge 21b5af7f0c ("net: phy: dp83869: fix memory corruption when enabling fiber") into android12-5.10-lts
Steps on the way to 5.10.227 Resolves merge conflicts in: fs/nfsd/filecache.c Change-Id: Ied16cae04e74a6303fdf827703d9f9caf57f971a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
e22e091f95 |
Merge de5a059e36 ("RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt") into android12-5.10-lts
Steps on the way to 5.10.227 Change-Id: Ie75a10f12b4c90baa487a120d138956dd5a09da8 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
2a22a03cae |
Merge 2622c805ab ("kallsyms: Make module_kallsyms_on_each_symbol generally available") into android12-5.10-lts
Steps on the way to 5.10.227 Resolves merge conflicts in: include/linux/kallsyms.h include/linux/module.h kernel/kallsyms.c Change-Id: I207acf2f76d2f2bc3be7b811edec98d988365f60 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
96a5139526 |
Merge 570e257621 ("drm/rockchip: vop: clear DMA stop bit on RK3066") into android12-5.10-lts
Steps on the way to 5.10.227 Change-Id: I91493ff89340657e9b05839438143526a89905e7 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
042d3e2676 |
Merge 24afda0421 ("arm64: errata: Expand speculative SSBS workaround once more") into android12-5.10-lts
Steps on the way to 5.10.227 Change-Id: I3bd2cd77909ddbf15f7eaf95b1724ad0cbf0b275 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
ce691439c0 |
Revert "ext4: properly sync file size update after O_SYNC direct IO"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
f46870ab3d |
Revert "ext4: dax: fix overflowing extents beyond inode size when partially writing"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
5d9c84863f |
Merge f8a7c34232 ("ext4: dax: fix overflowing extents beyond inode size when partially writing") into android12-5.10-lts
Steps on the way to 5.10.227 Change-Id: Ifa9c84d819e26b5ec9a4503dbf77f3e48ff0782c Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
8fb88ba5de |
Merge dde4c1e166 ("ext4: properly sync file size update after O_SYNC direct IO") into android12-5.10-lts
Steps on the way to 5.10.227 Change-Id: If19e4b34d65d6f90dabc6fce79809aea1675bd0a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Greg Kroah-Hartman
|
e62d85f9ba |
Merge 6ff56ef7f7 ("i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled") into android12-5.10-lts
Steps on the way to 5.10.227 Change-Id: I594d13d640c0694fad4d1511963ef76b40d8818b Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |