This disables Android's app freezer feature, which just happens to be
very unstable on Android 13. Incidentally, this is also disabled on
stock ROM, for an unknown reason. Let's hope that we can revert this on
Android 14 ^.^
Fixes: https://gitlab.com/LineageOS/issues/android/-/issues/5384
Change-Id: I9c9074569807f696fe4b4b5ec77ce235b00dcaaf
Add the pending proc->delivered_freeze work to the debugfs output. This
information was omitted in the original implementation of the freeze
notification and can be valuable for debugging issues.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-9-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit cb2aeb2ec25884133110ffe5a67ff3cf7dee5ceb
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: Ifc9a22b52e38c35af661732486fa1f154adb34de
[cmllamas: fix KMI break with proc_wrapper()]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
If a freeze notification is cleared with BC_CLEAR_FREEZE_NOTIFICATION
before calling binder_freeze_notification_done(), then it is detached
from its reference (e.g. ref->freeze) but the work remains queued in
proc->delivered_freeze. This leads to a memory leak when the process
exits as any pending entries in proc->delivered_freeze are not freed:
unreferenced object 0xffff38e8cfa36180 (size 64):
comm "binder-util", pid 655, jiffies 4294936641
hex dump (first 32 bytes):
b8 e9 9e c8 e8 38 ff ff b8 e9 9e c8 e8 38 ff ff .....8.......8..
0b 00 00 00 00 00 00 00 3c 1f 4b 00 00 00 00 00 ........<.K.....
backtrace (crc 95983b32):
[<000000000d0582cf>] kmemleak_alloc+0x34/0x40
[<000000009c99a513>] __kmalloc_cache_noprof+0x208/0x280
[<00000000313b1704>] binder_thread_write+0xdec/0x439c
[<000000000cbd33bb>] binder_ioctl+0x1b68/0x22cc
[<000000002bbedeeb>] __arm64_sys_ioctl+0x124/0x190
[<00000000b439adee>] invoke_syscall+0x6c/0x254
[<00000000173558fc>] el0_svc_common.constprop.0+0xac/0x230
[<0000000084f72311>] do_el0_svc+0x40/0x58
[<000000008b872457>] el0_svc+0x38/0x78
[<00000000ee778653>] el0t_64_sync_handler+0x120/0x12c
[<00000000a8ec61bf>] el0t_64_sync+0x190/0x194
This patch fixes the leak by ensuring that any pending entries in
proc->delivered_freeze are freed during binder_deferred_release().
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-8-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit 1db76ec2b4b206ff943e292a0b55e68ff3443598
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: Iafdec3421c521b4b591b94455deba7ee5102c8ca
[cmllamas: drop BINDER_STAT_FREEZE and use proc_wrapper()]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Alice points out that binder_request_freeze_notification() should not
return EINVAL when the relevant node is dead [1]. The node can die at
any point even if the user input is valid. Instead, allow the request
to be allocated but skip the initial notification for dead nodes. This
avoids propagating unnecessary errors back to userspace.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Suggested-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/all/CAH5fLghapZJ4PbbkC8V5A6Zay-_sgTzwVpwqk6RWWUNKKyJC_Q@mail.gmail.com/ [1]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-7-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit ca63c66935b978441055e3d87d30225267f99329
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: I03af1eedfeb194f5a775388cbb4e7487e4a5dfc0
Signed-off-by: Carlos Llamas <cmllamas@google.com>
The BINDER_WORK_FROZEN_BINDER type is not handled in the binder_logs
entries and it shows up as "unknown work" when logged:
proc 649
context binder-test
thread 649: l 00 need_return 0 tr 0
ref 13: desc 1 node 8 s 1 w 0 d 0000000053c4c0c3
unknown work: type 10
This patch adds the freeze work type and is now logged as such:
proc 637
context binder-test
thread 637: l 00 need_return 0 tr 0
ref 8: desc 1 node 3 s 1 w 0 d 00000000dc39e9c6
has frozen binder
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-5-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit 830d7db744b42c693bf1db7e94db86d7efd91f0e
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: I06f888aa5218db19eeda79e315385506af09d9d5
Signed-off-by: Carlos Llamas <cmllamas@google.com>
When a binder reference is cleaned up, any freeze work queued in the
associated process should also be removed. Otherwise, the reference is
freed while its ref->freeze.work is still queued in proc->work leading
to a use-after-free issue as shown by the following KASAN report:
==================================================================
BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0
Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211
CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
binder_release_work+0x398/0x3d0
binder_deferred_func+0xb60/0x109c
process_one_work+0x51c/0xbd4
worker_thread+0x608/0xee8
Allocated by task 703:
__kmalloc_cache_noprof+0x130/0x280
binder_thread_write+0xdb4/0x42a0
binder_ioctl+0x18f0/0x25ac
__arm64_sys_ioctl+0x124/0x190
invoke_syscall+0x6c/0x254
Freed by task 211:
kfree+0xc4/0x230
binder_deferred_func+0xae8/0x109c
process_one_work+0x51c/0xbd4
worker_thread+0x608/0xee8
==================================================================
This commit fixes the issue by ensuring any queued freeze work is removed
when cleaning up a binder reference.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Acked-by: Todd Kjos <tkjos@android.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-4-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit 7e20434cbca814cb91a0a261ca0106815ef48e5f
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: Icc40e7dd6157981f4adbea7243e55be118552321
[cmllamas: drop BINDER_STAT_FREEZE as it's not supported here]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
In binder_add_freeze_work() we iterate over the proc->nodes with the
proc->inner_lock held. However, this lock is temporarily dropped to
acquire the node->lock first (lock nesting order). This can race with
binder_deferred_release() which removes the nodes from the proc->nodes
rbtree and adds them into binder_dead_nodes list. This leads to a broken
iteration in binder_add_freeze_work() as rb_next() will use data from
binder_dead_nodes, triggering an out-of-bounds access:
==================================================================
BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124
Read of size 8 at addr ffffcb84285f7170 by task freeze/660
CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18
Hardware name: linux,dummy-virt (DT)
Call trace:
rb_next+0xfc/0x124
binder_add_freeze_work+0x344/0x534
binder_ioctl+0x1e70/0x25ac
__arm64_sys_ioctl+0x124/0x190
The buggy address belongs to the variable:
binder_dead_nodes+0x10/0x40
[...]
==================================================================
This is possible because proc->nodes (rbtree) and binder_dead_nodes
(list) share entries in binder_node through a union:
    struct binder_node {
    [...]
        union {
            struct rb_node rb_node;
            struct hlist_node dead_node;
        };
Fix the race by checking that the proc is still alive. If not, simply
break out of the iteration.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-3-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit 011e69a1b23011c0db3af4b8293fdd4522cc97b0
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: I5ec9d49277a23b864862665b52213460750c535e
Signed-off-by: Carlos Llamas <cmllamas@google.com>
In binder_add_freeze_work() we iterate over the proc->nodes with the
proc->inner_lock held. However, this lock is temporarily dropped in
order to acquire the node->lock first (lock nesting order). This can
race with binder_node_release() and trigger a use-after-free:
==================================================================
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
Write of size 4 at addr ffff53c04c29dd04 by task freeze/640
CPU: 5 UID: 0 PID: 640 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #17
Hardware name: linux,dummy-virt (DT)
Call trace:
_raw_spin_lock+0xe4/0x19c
binder_add_freeze_work+0x148/0x478
binder_ioctl+0x1e70/0x25ac
__arm64_sys_ioctl+0x124/0x190
Allocated by task 637:
__kmalloc_cache_noprof+0x12c/0x27c
binder_new_node+0x50/0x700
binder_transaction+0x35ac/0x6f74
binder_thread_write+0xfb8/0x42a0
binder_ioctl+0x18f0/0x25ac
__arm64_sys_ioctl+0x124/0x190
Freed by task 637:
kfree+0xf0/0x330
binder_thread_read+0x1e88/0x3a68
binder_ioctl+0x16d8/0x25ac
__arm64_sys_ioctl+0x124/0x190
==================================================================
Fix the race by taking a temporary reference on the node before
releasing the proc->inner lock. This ensures the node remains alive
while in use.
Fixes: d579b04a52a1 ("binder: frozen notification")
Cc: stable@vger.kernel.org
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240926233632.821189-2-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 366003708
(cherry picked from commit dc8aea47b928cc153b591b3558829ce42f685074
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: I47b053532dd4cd3424d35d6f254ca4d00c426411
Signed-off-by: Carlos Llamas <cmllamas@google.com>
https://source.android.com/docs/security/bulletin/2024-09-01
CVE-2024-36972
* tag 'ASB-2024-09-05_11-5.4' of https://android.googlesource.com/kernel/common: (59 commits)
ANDROID: delete tool added by mistake
ANDROID: fix ENOMEM check of binder_proc_ext
ANDROID: binder: fix KMI issues due to frozen notification
BACKPORT: FROMGIT: binder: frozen notification binder_features flag
BACKPORT: FROMGIT: binder: frozen notification
BACKPORT: selftests/binderfs: add test for feature files
UPSTREAM: docs: binderfs: add section about feature files
BACKPORT: binderfs: add support for feature files
FROMLIST: binder: fix memory leaks of spam and pending work
FROMGIT: Binder: add TF_UPDATE_TXN to replace outdated txn
BACKPORT: binder: tell userspace to dump current backtrace when detected oneway spamming
UPSTREAM: net: sched: sch_multiq: fix possible OOB write in multiq_tune()
FROMLIST: binder: fix UAF caused by offsets overwrite
Revert "net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()"
Linux 5.4.281
tap: add missing verification for short frame
tun: add missing verification for short frame
filelock: Fix fcntl/close race recovery compat path
ALSA: hda/realtek: Enable headset mic on Positivo SU C1400
jfs: don't walk off the end of ealist
...
Conflicts:
drivers/android/binder.c
include/uapi/linux/android/binder.h
Change-Id: I0cdb84a8241c0abaf6e5fad140ed19480655d53c
The check should be done against 'eproc' before it gets dereferenced.
Fixes: d49297739550 ("BACKPORT: binder: use euid from cred instead of using task")
Change-Id: Ief0c08212c4da8bdfdf628474de9dd30ee5a8db0
Signed-off-by: Carlos Llamas <cmllamas@google.com>
The patches to support binder's frozen notification feature break the
KMI. This change fixes such issues by (1) moving proc->delivered_freeze
into the existing proc_wrapper structure, (2) dropping the frozen stats
support and (3) amending the STG due to a harmless enum binder_work_type
addition.
These are the reported KMI issues fixed by this patch:
function symbol 'int __traceiter_binder_transaction_received(void*, struct binder_transaction*)' changed
CRC changed from 0x74e9c98b to 0xfe0f8640
type 'struct binder_proc' changed
byte size changed from 584 to 632
member 'struct list_head delivered_death' changed
offset changed by 256
member 'struct list_head delivered_freeze' was added
13 members ('u32 max_threads' .. 'u64 android_oem_data1') changed
offset changed by 384
type 'struct binder_thread' changed
byte size changed from 464 to 496
2 members ('atomic_t tmp_ref' .. 'bool is_dead') changed
offset changed by 224
4 members ('struct task_struct* task' .. 'enum binder_prio_state prio_state') changed
offset changed by 256
type 'struct binder_stats' changed
byte size changed from 216 to 244
member changed from 'atomic_t br[21]' to 'atomic_t br[23]'
type changed from 'atomic_t[21]' to 'atomic_t[23]'
number of elements changed from 21 to 23
member changed from 'atomic_t bc[19]' to 'atomic_t bc[22]'
offset changed from 672 to 736
type changed from 'atomic_t[19]' to 'atomic_t[22]'
number of elements changed from 19 to 22
member changed from 'atomic_t obj_created[7]' to 'atomic_t obj_created[8]'
offset changed from 1280 to 1440
type changed from 'atomic_t[7]' to 'atomic_t[8]'
number of elements changed from 7 to 8
member changed from 'atomic_t obj_deleted[7]' to 'atomic_t obj_deleted[8]'
offset changed from 1504 to 1696
type changed from 'atomic_t[7]' to 'atomic_t[8]'
number of elements changed from 7 to 8
type 'enum binder_work_type' changed
enumerator 'BINDER_WORK_FROZEN_BINDER' (10) was added
enumerator 'BINDER_WORK_CLEAR_FREEZE_NOTIFICATION' (11) was added
Bug: 363013421
Change-Id: If9f1f14a2eda215a4c9cb0823c50c8e0e8079ef1
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Add a flag to binder_features to indicate that the freeze notification
feature is available.
Signed-off-by: Yu-Ting Tseng <yutingtseng@google.com>
Acked-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240709070047.4055369-6-yutingtseng@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 363013421
(cherry picked from commit 30b968b002a92870325a5c9d1ce78eba0ce386e7
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: Ic26c8ae42d27c6fd8f5daed5eecabd1652e29502
[cmllamas: fix trivial conflicts due to missing extended_error]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Frozen processes present a significant challenge in binder transactions.
When a process is frozen, it cannot, by design, accept and/or respond to
binder transactions. As a result, the sender needs to adjust its
behavior, such as postponing transactions until the peer process
unfreezes. However, there is currently no way to subscribe to these
state change events, making it impossible to implement frozen-aware
behaviors efficiently.
Introduce a binder API for subscribing to frozen state change events.
This allows programs to react to changes in peer process state,
mitigating issues related to binder transactions sent to frozen
processes.
Implementation details:
For a given binder_ref, the state of frozen notification can be one of
the following:
1. Userspace doesn't want a notification. binder_ref->freeze is null.
2. Userspace wants a notification but none is in flight.
list_empty(&binder_ref->freeze->work.entry) = true
3. A notification is in flight and waiting to be read by userspace.
binder_ref_freeze.sent is false.
4. A notification was read by userspace and kernel is waiting for an ack.
binder_ref_freeze.sent is true.
When a notification is in flight, new state change events are coalesced into
the existing binder_ref_freeze struct. If userspace hasn't picked up the
notification yet, the driver simply rewrites the state. Otherwise, the
notification is flagged as requiring a resend, which will be performed
once userspace acks the original notification that's inflight.
See https://r.android.com/3070045 for how userspace is going to use this
feature.
Signed-off-by: Yu-Ting Tseng <yutingtseng@google.com>
Acked-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240709070047.4055369-4-yutingtseng@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 363013421
(cherry picked from commit d579b04a52a183db47dfcb7a44304d7747d551e1
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: I5dd32abba932ca7d03ae58660143e075ed778b81
[cmllamas: fix merge conflicts due to missing 0567461a7a6e]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
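The four notification states and the coalescing rule from the commit message above, as an added user-space model (not the driver's code). The type and function names are hypothetical; only the sent, resend and is_frozen fields follow the names used in the message, and flagging a resend only when the value already read has become stale is a modelling assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model; type and function names are hypothetical, only the
 * sent/resend/is_frozen fields mirror names used in the commit message. */
enum freeze_state {
	FREEZE_NONE,         /* 1. no notification wanted (ref->freeze is null) */
	FREEZE_IDLE,         /* 2. wanted, none in flight (work entry empty)    */
	FREEZE_IN_FLIGHT,    /* 3. queued, not yet read (sent == false)         */
	FREEZE_AWAITING_ACK, /* 4. read by userspace, ack pending (sent == true) */
};

struct freeze_model {
	bool requested; /* stands in for ref->freeze != NULL */
	bool queued;    /* stands in for !list_empty(&freeze->work.entry) */
	bool sent;
	bool resend;
	bool is_frozen;
};

enum freeze_state freeze_state_of(const struct freeze_model *f)
{
	if (!f->requested)
		return FREEZE_NONE;
	if (!f->queued)
		return FREEZE_IDLE;
	return f->sent ? FREEZE_AWAITING_ACK : FREEZE_IN_FLIGHT;
}

/* Userspace subscribes to frozen state changes of the peer. */
void freeze_request(struct freeze_model *f)
{
	*f = (struct freeze_model){ .requested = true };
}

/* The peer process changed state. Events are coalesced into the one record. */
void freeze_on_change(struct freeze_model *f, bool is_frozen)
{
	if (!f->requested)
		return;
	if (!f->queued) {
		f->queued = true;            /* nothing in flight: queue it */
	} else if (f->sent && f->is_frozen != is_frozen) {
		f->resend = true;            /* userspace holds a stale value */
	}
	f->is_frozen = is_frozen;            /* unread: simply rewrite the state */
}

/* Userspace reads the notification: 1 frozen, 0 unfrozen, -1 nothing to read. */
int freeze_read(struct freeze_model *f)
{
	if (freeze_state_of(f) != FREEZE_IN_FLIGHT)
		return -1;
	f->sent = true;
	return f->is_frozen ? 1 : 0;
}

/* Userspace acks. Returns true when the ack re-queued a pending resend. */
bool freeze_ack(struct freeze_model *f)
{
	if (freeze_state_of(f) != FREEZE_AWAITING_ACK)
		return false;
	f->sent = false;
	if (f->resend) {
		f->resend = false;           /* stays queued, back to IN_FLIGHT */
		return true;
	}
	f->queued = false;                   /* back to IDLE */
	return false;
}

int main(void)
{
	struct freeze_model f = {0};

	freeze_request(&f);
	freeze_on_change(&f, true);          /* frozen ...                   */
	freeze_on_change(&f, false);         /* ... thawed before being read */
	printf("read #1: %d\n", freeze_read(&f));   /* only the latest state */
	freeze_on_change(&f, true);          /* changes while ack is pending */
	printf("resend on ack: %d\n", freeze_ack(&f));
	printf("read #2: %d\n", freeze_read(&f));
	return 0;
}
```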
Provide userspace with a mechanism to discover features supported by
the binder driver to refrain from using any unsupported ones in the
first place. Starting with "oneway_spam_detection" only new features
are to be listed under binderfs and all previous ones are assumed to
be supported.
Assuming an instance of binderfs has been mounted at /dev/binderfs,
binder feature files can be found under /dev/binderfs/features/.
Usage example:
    $ mkdir /dev/binderfs
    $ mount -t binder binder /dev/binderfs
    $ cat /dev/binderfs/features/oneway_spam_detection
    1
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20210715031805.1725878-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit fc470abf54b2bd6e539065e07905e767b443d719)
Bug: 191910201
Signed-off-by: Carlos Llamas <cmllamas@google.com>
[cmllamas: fix merge conflicts due to missing 095cf502b31e]
Change-Id: Ia5c03aa1881981bee26459e741134b83d5b59693
commit 1aa3aaf8953c84bad398adf6c3cabc9d6685bf7d upstream
A transaction complete work is allocated and queued for each
transaction. Under certain conditions the work->type might be marked as
BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT to notify userspace about
potential spamming threads or as BINDER_WORK_TRANSACTION_PENDING when
the target is currently frozen.
However, these work types are not being handled in binder_release_work()
so they will leak during a cleanup. This was reported by syzkaller with
the following kmemleak dump:
BUG: memory leak
unreferenced object 0xffff88810e2d6de0 (size 32):
comm "syz-executor338", pid 5046, jiffies 4294968230 (age 13.590s)
hex dump (first 32 bytes):
e0 6d 2d 0e 81 88 ff ff e0 6d 2d 0e 81 88 ff ff .m-......m-.....
04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff81573b75>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
[<ffffffff83d41873>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff83d41873>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff83d41873>] binder_transaction+0x573/0x4050 drivers/android/binder.c:3152
[<ffffffff83d45a05>] binder_thread_write+0x6b5/0x1860 drivers/android/binder.c:4010
[<ffffffff83d486dc>] binder_ioctl_write_read drivers/android/binder.c:5066 [inline]
[<ffffffff83d486dc>] binder_ioctl+0x1b2c/0x3cf0 drivers/android/binder.c:5352
[<ffffffff816b25f2>] vfs_ioctl fs/ioctl.c:51 [inline]
[<ffffffff816b25f2>] __do_sys_ioctl fs/ioctl.c:871 [inline]
[<ffffffff816b25f2>] __se_sys_ioctl fs/ioctl.c:857 [inline]
[<ffffffff816b25f2>] __x64_sys_ioctl+0xf2/0x140 fs/ioctl.c:857
[<ffffffff84b30008>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b30008>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fix the leaks by kfreeing these work types in binder_release_work() and
handle them as a BINDER_WORK_TRANSACTION_COMPLETE cleanup.
Cc: stable@vger.kernel.org
Fixes: a7dc1e6f99df ("binder: tell userspace to dump current backtrace when detected oneway spamming")
Reported-by: syzbot+7f10c1653e35933c0f1e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7f10c1653e35933c0f1e
Suggested-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20230922175138.230331-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[cmllamas: backport to v5.15 by dropping BINDER_WORK_TRANSACTION_PENDING
as commit 0567461a7a6e is not present. Remove fixes tag accordingly.]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Link: https://lore.kernel.org/all/20231208034842.997899-1-cmllamas@google.com/
Change-Id: I8e1ee7af87ef5706544e4f320e9498b8f4855a6b
[cmllamas: also backport to v5.4 to fix OOT 8a09136176f6]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
When the target process is busy, incoming oneway transactions are
queued in the async_todo list. If the clients continue sending extra
oneway transactions while the target process is frozen, this queue can
become too large to accommodate new transactions. That's why binder
driver introduced ONEWAY_SPAM_DETECTION to detect this situation. It's
helpful to debug the async binder buffer exhausting issue, but the
issue itself isn't solved directly.
In real cases applications are designed to send oneway transactions
repeatedly, delivering updated information to the target process.
Typical examples are Wi-Fi signal strength and some real time sensor
data. Even if the apps might only care about the latest information,
all outdated oneway transactions are still accumulated there until the
frozen process is thawed later. For this kind of situation, there's
no existing method to skip those outdated transactions and deliver the
latest one only.
This patch introduces a new transaction flag TF_UPDATE_TXN. To use it,
user apps can set this new flag along with TF_ONE_WAY. When such a
oneway transaction is to be queued into the async_todo list of a frozen
process, binder driver will check if any previous pending transactions
can be superseded by comparing their code, flags and target node. If
such an outdated pending transaction is found, the latest transaction
will supersede that outdated one. This effectively prevents the async
binder buffer running out and saves unnecessary binder read workloads.
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Li Li <dualli@google.com>
Link: https://lore.kernel.org/r/20220526220018.3334775-2-dualli@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 231624308
Test: manually check async binder buffer size of frozen apps
Test: stress test with kernel 4.14/4.19/5.10/5.15
(cherry picked from commit 9864bb4801331daa48514face9d0f4861e4d485b
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: I1c4bff1eda1ca15aaaad5bf696c8fc00be743176
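The superseding rule described in the commit message above, as an added user-space model (not the driver's code) that compares a frozen target's queue with and without TF_UPDATE_TXN. The struct names, the 8-slot capacity and the sample transactions are constructed for illustration; the match is on code, flags and target node as the message states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TF_ONE_WAY    0x01   /* values as in the binder UAPI header */
#define TF_UPDATE_TXN 0x40
#define ASYNC_SLOTS   8      /* constructed capacity standing in for the async buffer */

struct txn {
	unsigned int code;
	unsigned int flags;
	int target_node;     /* stands in for the target node pointer */
	int payload;         /* e.g. a signal-strength sample */
};

struct async_todo {          /* hypothetical model of a target's async_todo list */
	struct txn items[ASYNC_SLOTS];
	size_t len;
	bool frozen;
};

/* An older pending transaction is outdated when both are oneway updates
 * with the same code, flags and target node. */
static bool can_supersede(const struct txn *old, const struct txn *new)
{
	const unsigned int need = TF_ONE_WAY | TF_UPDATE_TXN;

	return (old->flags & need) == need && (new->flags & need) == need &&
	       old->code == new->code && old->flags == new->flags &&
	       old->target_node == new->target_node;
}

/* Returns 1 if an outdated entry was superseded, 0 if appended,
 * -1 if the queue is full and the transaction is dropped. */
int queue_oneway(struct async_todo *q, struct txn t)
{
	if (q->frozen && (t.flags & TF_UPDATE_TXN)) {
		for (size_t i = 0; i < q->len; i++) {
			if (!can_supersede(&q->items[i], &t))
				continue;
			/* unlink the outdated entry, keep the rest in order */
			memmove(&q->items[i], &q->items[i + 1],
				(q->len - i - 1) * sizeof(q->items[0]));
			q->items[q->len - 1] = t;
			return 1;
		}
	}
	if (q->len == ASYNC_SLOTS)
		return -1;
	q->items[q->len++] = t;
	return 0;
}

/* Send `count` samples to a frozen target; returns how many were dropped. */
int flood_frozen_target(struct async_todo *q, unsigned int flags, int count)
{
	int dropped = 0;

	memset(q, 0, sizeof(*q));
	q->frozen = true;
	for (int i = 0; i < count; i++) {
		struct txn t = { .code = 7, .flags = flags,
				 .target_node = 1, .payload = i };

		if (queue_oneway(q, t) < 0)
			dropped++;
	}
	return dropped;
}

int main(void)
{
	struct async_todo q;
	int dropped;

	dropped = flood_frozen_target(&q, TF_ONE_WAY, 20);
	printf("plain oneway: queued=%zu dropped=%d newest=%d\n",
	       q.len, dropped, q.items[q.len - 1].payload);

	dropped = flood_frozen_target(&q, TF_ONE_WAY | TF_UPDATE_TXN, 20);
	printf("with TF_UPDATE_TXN: queued=%zu dropped=%d newest=%d\n",
	       q.len, dropped, q.items[q.len - 1].payload);
	return 0;
}
```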
When the async binder buffer gets exhausted, some normal oneway transactions
will also be discarded and may cause system or application failures. By
that time, the binder debug information we dump may not be relevant to
the root cause. And this issue is difficult to debug without the
backtrace of the thread sending spam.
This change will send BR_ONEWAY_SPAM_SUSPECT to userspace when oneway
spamming is detected, requesting it to dump the current backtrace. Oneway spamming
will be reported only once when exceeding the threshold (target process
dips below 80% of its oneway space, and current process is responsible
for either more than 50 transactions, or more than 50% of the oneway
space). And the detection will restart when the async buffer has
returned to a healthy state.
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Hang Lu <hangl@codeaurora.org>
Link: https://lore.kernel.org/r/1617961246-4502-3-git-send-email-hangl@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 181190340
Change-Id: Id3d2526099bc89f04d8ad3ad6e48141b2a8f2515
(cherry picked from commit a7dc1e6f99df59799ab0128d9c4e47bbeceb934d)
Signed-off-by: Hang Lu <hangl@codeaurora.org>
[cmllamas: fix trivial merge issue]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Merge 5.4.282 into android11-5.4-lts
Changes in 5.4.282
EDAC, skx_common: Refactor so that we initialize "dev" in result of adxl decode.
EDAC, skx: Retrieve and print retry_rd_err_log registers
EDAC/skx_common: Add new ADXL components for 2-level memory
EDAC, i10nm: make skx_common.o a separate module
platform/chrome: cros_ec_debugfs: fix wrong EC message version
hfsplus: fix to avoid false alarm of circular locking
x86/of: Return consistent error type from x86_of_pci_irq_enable()
x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling
x86/pci/xen: Fix PCIBIOS_* return code handling
x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos
hwmon: (adt7475) Fix default duty on fan is disabled
pwm: stm32: Always do lazy disabling
hwmon: (max6697) Fix underflow when writing limit attributes
hwmon: (max6697) Fix swapped temp{1,8} critical alarms
arm64: dts: qcom: sdm845: add power-domain to UFS PHY
arm64: dts: qcom: msm8996: specify UFS core_clk frequencies
arm64: dts: rockchip: Increase VOP clk rate on RK3328
ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node
ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset
ARM: dts: imx6qdl-kontron-samx6i: fix board reset
ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity
arm64: dts: mediatek: mt7622: fix "emmc" pinctrl mux
arm64: dts: amlogic: gx: correct hdmi clocks
m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages
x86/xen: Convert comma to semicolon
m68k: cmpxchg: Fix return value for default case in __arch_xchg()
firmware: turris-mox-rwtm: Fix checking return value of wait_for_completion_timeout()
firmware: turris-mox-rwtm: Initialize completion before mailbox
wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device
net/smc: Allow SMC-D 1MB DMB allocations
net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined
selftests/bpf: Check length of recv in test_sockmap
lib: objagg: Fix general protection fault
mlxsw: spectrum_acl_erp: Fix object nesting warning
wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()
wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()
net: fec: Refactor: #define magic constants
net: fec: Fix FEC_ECR_EN1588 being cleared on link-down
ipvs: Avoid unnecessary calls to skb_is_gso_sctp
netfilter: nf_tables: rise cap on SELinux secmark context
perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation
perf: Fix perf_aux_size() for greater-than 32-bit size
perf: Prevent passing zero nr_pages to rb_alloc_aux()
qed: Improve the stack space of filter_config()
wifi: virt_wifi: avoid reporting connection success with wrong SSID
gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey
wifi: virt_wifi: don't use strlen() in const context
bna: adjust 'name' buf size of bna_tcb and bna_ccb structures
selftests: forwarding: devlink_lib: Wait for udev events after reloading
USB: move snd_usb_pipe_sanity_check into the USB core
media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()
media: imon: Fix race getting ictx->lock
saa7134: Unchecked i2c_transfer function result fixed
media: uvcvideo: Allow entity-defined get_info and get_cur
media: uvcvideo: Override default flags
media: renesas: vsp1: Fix _irqsave and _irq mix
media: renesas: vsp1: Store RPF partition configuration per RPF instance
leds: trigger: Unregister sysfs attributes before calling deactivate()
perf report: Fix condition in sort__sym_cmp()
drm/etnaviv: fix DMA direction handling for cached RW buffers
drm/qxl: Add check for drm_cvt_mode
mfd: omap-usb-tll: Use struct_size to allocate tll
SUNRPC: avoid soft lockup when transmitting UDP to reachable server.
ext4: avoid writing unitialized memory to disk in EA inodes
sparc64: Fix incorrect function signature and add prototype for prom_cif_init
SUNRPC: Fixup gss_status tracepoint error output
PCI: Fix resource double counting on remove & rescan
Input: qt1050 - handle CHIP_ID reading error
RDMA/mlx4: Fix truncated output warning in mad.c
RDMA/mlx4: Fix truncated output warning in alias_GUID.c
RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs
ASoC: max98088: Check for clk_prepare_enable() error
mtd: make mtd_test.c a separate module
RDMA/device: Return error earlier if port in not valid
Input: elan_i2c - do not leave interrupt disabled on suspend failure
MIPS: Octeron: remove source file executable bit
powerpc/xmon: Fix disassembly CPU feature checks
macintosh/therm_windtunnel: fix module unload.
bnxt_re: Fix imm_data endianness
netfilter: ctnetlink: use helper function to calculate expect ID
pinctrl: core: fix possible memory leak when pinctrl_enable() fails
pinctrl: single: fix possible memory leak when pinctrl_enable() fails
pinctrl: ti: ti-iodelay: Drop if block with always false condition
pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails
pinctrl: freescale: mxs: Fix refcount of child
fs/nilfs2: remove some unused macros to tame gcc
nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
rtc: interface: Add RTC offset to alarm after fix-up
tick/broadcast: Make takeover of broadcast hrtimer reliable
net: netconsole: Disable target before netpoll cleanup
af_packet: Handle outgoing VLAN packets without hardware offloading
ipv6: take care of scope when choosing the src addr
char: tpm: Fix possible memory leak in tpm_bios_measurements_open()
media: venus: fix use after free in vdec_close
hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()
drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes
drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes
drm/amd/display: Check for NULL pointer
udf: Avoid using corrupted block bitmap buffer
m68k: amiga: Turn off Warp1260 interrupts during boot
ext4: check dot and dotdot of dx_root before making dir indexed
ext4: make sure the first directory block is not a hole
wifi: mwifiex: Fix interface type change
leds: ss4200: Convert PCIBIOS_* return codes to errnos
tools/memory-model: Fix bug in lock.cat
hwrng: amd - Convert PCIBIOS_* return codes to errnos
PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN
binder: fix hang of unregistered readers
scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds
f2fs: fix to don't dirty inode for readonly filesystem
clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use
ubi: eba: properly rollback inside self_check_eba
decompress_bunzip2: fix rare decompression failure
kobject_uevent: Fix OOB access within zap_modalias_env()
rtc: cmos: Fix return value of nvmem callbacks
scsi: qla2xxx: During vport delete send async logout explicitly
scsi: qla2xxx: Fix for possible memory corruption
scsi: qla2xxx: Complete command early within lock
scsi: qla2xxx: validate nvme_local_port correctly
perf/x86/intel/pt: Fix topa_entry base length
perf/x86/intel/pt: Fix a topa_entry base address calculation
rtc: isl1208: Fix return value of nvmem callbacks
watchdog/perf: properly initialize the turbo mode timestamp and rearm counter
platform: mips: cpu_hwmon: Disable driver on unsupported hardware
RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
selftests/sigaltstack: Fix ppc64 GCC build
rbd: don't assume rbd_is_lock_owner() for exclusive mappings
drm/panfrost: Mark simple_ondemand governor as softdep
rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait
rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings
Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591
nilfs2: handle inconsistent state in nilfs_btnode_create_block()
kdb: address -Wformat-security warnings
kdb: Use the passed prompt in kdb_position_cursor()
jfs: Fix array-index-out-of-bounds in diFree
um: time-travel: fix time-travel-start option
libbpf: Fix no-args func prototype BTF dumping syntax
dma: fix call order in dmam_free_coherent
MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
ipv4: Fix incorrect source address in Record Route option
net: bonding: correctly annotate RCU in bond_should_notify_peers()
tipc: Return non-zero value from tipc_udp_addr2str() on error
net: nexthop: Initialize all fields in dumped nexthops
bpf: Fix a segment issue when downgrading gso_size
mISDN: Fix a use after free in hfcmulti_tx()
apparmor: Fix null pointer deref when receiving skb during sock creation
powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()
ASoC: Intel: Convert to new X86 CPU match macros
ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header
ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable
nvme-pci: add missing condition check for existence of mapped data
mm: avoid overflows in dirty throttling logic
PCI: rockchip: Make 'ep-gpios' DT property optional
PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio
parport: Convert printk(KERN_<LEVEL> to pr_<level>(
parport: Standardize use of printmode
dev/parport: fix the array out-of-bounds risk
driver core: Cast to (void *) with __force for __percpu pointer
devres: Fix memory leakage caused by driver API devm_free_percpu()
genirq: Allow the PM device to originate from irq domain
irqchip/imx-irqsteer: Constify irq_chip struct
irqchip/imx-irqsteer: Add runtime PM support
irqchip/imx-irqsteer: Handle runtime power management correctly
remoteproc: imx_rproc: ignore mapping vdev regions
remoteproc: imx_rproc: Fix ignoring mapping vdev regions
remoteproc: imx_rproc: Skip over memory region when node value is NULL
drm/nouveau: prime: fix refcount underflow
drm/vmwgfx: Fix overlay when using Screen Targets
net/iucv: fix use after free in iucv_sock_close()
net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys
ipv6: fix ndisc_is_useropt() handling for PIO
HID: wacom: Modify pen IDs
protect the fetch of ->fd[fd] in do_dup2() from mispredictions
ALSA: usb-audio: Correct surround channels in UAC1 channel map
net: usb: sr9700: fix uninitialized variable use in sr_mdio_read
netfilter: ipset: Add list flush to cancel_gc
genirq: Allow irq_chip registration functions to take a const irq_chip
irqchip/mbigen: Fix mbigen node address layout
x86/mm: Fix pti_clone_pgtable() alignment assumption
sctp: move hlist_node and hashent out of sctp_ep_common
sctp: Fix null-ptr-deref in reuseport_add_sock().
net: usb: qmi_wwan: fix memory leak for not ip packets
net: linkwatch: use system_unbound_wq
Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
net: fec: Stop PPS on driver remove
md/raid5: avoid BUG_ON() while continue reshape after reassembling
clocksource/drivers/sh_cmt: Address race condition for clock events
ACPI: battery: create alarm sysfs attribute atomically
ACPI: SBS: manage alarm sysfs attribute through psy core
selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT
PCI: Add Edimax Vendor ID to pci_ids.h
udf: prevent integer overflow in udf_bitmap_free_blocks()
wifi: nl80211: don't give key data to userspace
btrfs: fix bitmap leak when loading free space cache on duplicate entry
drm/amdgpu: Fix the null pointer dereference to ras_manager
media: uvcvideo: Ignore empty TS packets
media: uvcvideo: Fix the bandwdith quirk on USB 3.x
jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
s390/sclp: Prevent release of buffer in I/O
SUNRPC: Fix a race to wake a sync task
ext4: fix wrong unit use in ext4_mb_find_by_goal
arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-space
arm64: Add Neoverse-V2 part
arm64: cputype: Add Cortex-X4 definitions
arm64: cputype: Add Neoverse-V3 definitions
arm64: errata: Add workaround for Arm errata 3194386 and 3312417
arm64: cputype: Add Cortex-X3 definitions
arm64: cputype: Add Cortex-A720 definitions
arm64: cputype: Add Cortex-X925 definitions
arm64: errata: Unify speculative SSBS errata logic
arm64: errata: Expand speculative SSBS workaround
arm64: cputype: Add Cortex-X1C definitions
arm64: cputype: Add Cortex-A725 definitions
arm64: errata: Expand speculative SSBS workaround (again)
i2c: smbus: Don't filter out duplicate alerts
i2c: smbus: Improve handling of stuck alerts
i2c: smbus: Send alert notifications to all devices if source not found
bpf: kprobe: remove unused declaring of bpf_kprobe_override
spi: fsl-lpspi: remove unneeded array
spi: spi-fsl-lpspi: Fix scldiv calculation
drm/client: fix null pointer dereference in drm_client_modeset_probe
ALSA: line6: Fix racy access to midibuf
ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list
ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4
usb: vhci-hcd: Do not drop references before new references are gained
USB: serial: debug: do not echo input by default
usb: gadget: core: Check for unset descriptor
scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic
tick/broadcast: Move per CPU pointer access into the atomic section
ntp: Clamp maxerror and esterror to operating range
driver core: Fix uevent_show() vs driver detach race
ntp: Safeguard against time_constant overflow
scsi: mpt3sas: Remove scsi_dma_map() error messages
scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
serial: core: check uartclk for zero to avoid divide by zero
genirq/irqdesc: Honor caller provided affinity in alloc_desc()
power: supply: axp288_charger: Fix constant_charge_voltage writes
power: supply: axp288_charger: Round constant_charge_voltage writes down
tracing: Fix overflow in get_free_elt()
x86/mtrr: Check if fixed MTRRs exist before saving them
drm/bridge: analogix_dp: properly handle zero sized AUX transactions
drm/mgag200: Set DDC timeout in milliseconds
Fix gcc 4.9 build issue in 5.4.y
kbuild: Fix '-S -c' in x86 stack protector scripts
netfilter: nf_tables: set element extended ACK reporting support
netfilter: nf_tables: use timestamp to check for set element timeout
netfilter: nf_tables: prefer nft_chain_validate
drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
arm64: cpufeature: Fix the visibility of compat hwcaps
media: uvcvideo: Use entity get_cur in uvc_ctrl_set
exec: Fix ToCToU between perm check and set-uid/gid usage
nvme/pci: Add APST quirk for Lenovo N60z laptop
ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode
media: Revert "media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()"
Linux 5.4.282
Change-Id: I6d0e4d26021c20136cefafa63b138db47b4069b8
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Binder objects are processed and copied individually into the target
buffer during transactions. Any raw data in-between these objects is
copied as well. However, this raw data copy lacks an out-of-bounds
check. If the raw data exceeds the data section size then the copy
overwrites the offsets section. This eventually triggers an error that
attempts to unwind the processed objects. However, at this point the
offsets used to index these objects are now corrupted.

Unwinding with corrupted offsets can result in decrements of arbitrary
nodes and lead to their premature release. Other users of such nodes are
left with a dangling pointer triggering a use-after-free. This issue is
made evident by the following KASAN report (trimmed):

  ==================================================================
  BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
  Write of size 4 at addr ffff47fc91598f04 by task binder-util/743

  CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   _raw_spin_lock+0xe4/0x19c
   binder_free_buf+0x128/0x434
   binder_thread_write+0x8a4/0x3260
   binder_ioctl+0x18f0/0x258c
  [...]

  Allocated by task 743:
   __kmalloc_cache_noprof+0x110/0x270
   binder_new_node+0x50/0x700
   binder_transaction+0x413c/0x6da8
   binder_thread_write+0x978/0x3260
   binder_ioctl+0x18f0/0x258c
  [...]

  Freed by task 745:
   kfree+0xbc/0x208
   binder_thread_read+0x1c5c/0x37d4
   binder_ioctl+0x16d8/0x258c
  [...]
  ==================================================================

To avoid this issue, let's check that the raw data copy is within the
boundaries of the data section.

Fixes: 6d98eb95b450 ("binder: avoid potential data leakage when copying txn")
Cc: Todd Kjos <tkjos@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 352520660
Link: https://lore.kernel.org/all/20240822182353.2129600-1-cmllamas@google.com/
Change-Id: I1b2dd8403b63e5eeb58904558b7b542141c83fc2
Signed-off-by: Carlos Llamas <cmllamas@google.com>
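
Added example, not part of the commit or of the kernel source: a simplified userspace model of the check the message above describes, where a raw copy that passes a whole-buffer range check can still run from the data section into the offsets section. The buffer layout, the sizes and every function name here are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified userspace model (assumption, not kernel code): one transaction
 * buffer holds the data section first and the offsets section right after.
 */
#define DATA_SIZE   32u                  /* bytes in the data section */
#define NUM_OFFSETS 2u                   /* object offsets stored after it */
#define BUF_SIZE    (DATA_SIZE + NUM_OFFSETS * sizeof(uint64_t))

struct txn_buf {
    uint8_t mem[BUF_SIZE];
    size_t  data_size;
};

/* Whole-buffer range check: passes for any range inside the allocation,
 * so on its own it cannot tell the data section from the offsets section. */
static int in_buffer(size_t off, size_t len)
{
    return off <= BUF_SIZE && len <= BUF_SIZE - off;
}

/* "Before": copy the raw bytes that sit between two objects, [from, to). */
int copy_raw_unchecked(struct txn_buf *b, const uint8_t *src,
                       size_t from, size_t to)
{
    if (to < from || !in_buffer(from, to - from))
        return -EINVAL;
    memcpy(b->mem + from, src + from, to - from);
    return 0;
}

/* "After": the same copy, additionally confined to the data section. */
int copy_raw_checked(struct txn_buf *b, const uint8_t *src,
                     size_t from, size_t to)
{
    if (to < from || to > b->data_size || !in_buffer(from, to - from))
        return -EINVAL;
    memcpy(b->mem + from, src + from, to - from);
    return 0;
}

/* Constructed sample state: two object offsets (0 and 16) after the data. */
static void init_buf(struct txn_buf *b)
{
    const uint64_t offsets[NUM_OFFSETS] = { 0, 16 };

    memset(b->mem, 0, sizeof(b->mem));
    b->data_size = DATA_SIZE;
    memcpy(b->mem + DATA_SIZE, offsets, sizeof(offsets));
}

static int offsets_intact(const struct txn_buf *b)
{
    const uint64_t expect[NUM_OFFSETS] = { 0, 16 };

    return memcmp(b->mem + DATA_SIZE, expect, sizeof(expect)) == 0;
}

/*
 * Run one raw copy whose end offset (40) lies past the data section (32).
 * Stores the copy's status in *ret and returns 1 if the offsets survived.
 */
int run_case(int use_checked, int *ret)
{
    struct txn_buf b;
    uint8_t src[BUF_SIZE];

    init_buf(&b);
    memset(src, 0x41, sizeof(src));      /* constructed sender payload */
    *ret = use_checked ? copy_raw_checked(&b, src, 0, 40)
                       : copy_raw_unchecked(&b, src, 0, 40);
    return offsets_intact(&b);
}

int main(void)
{
    int ret;
    int ok = run_case(0, &ret);

    printf("unchecked: ret=%d offsets_intact=%d\n", ret, ok);
    ok = run_case(1, &ret);
    printf("checked:   ret=%d offsets_intact=%d\n", ret, ok);
    return 0;
}
```

In the unchecked case the copy reports success while the stored offsets no longer match what was written, which is the state the unwind path then trusts; the checked variant rejects the copy before any byte is written.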
commit 31643d84b8c3d9c846aa0e20bc033e46c68c7e7d upstream.

With the introduction of binder_available_for_proc_work_ilocked() in
commit 1b77e9dcc3 ("ANDROID: binder: remove proc waitqueue") a binder
thread can only "wait_for_proc_work" after its thread->looper has been
marked as BINDER_LOOPER_STATE_{ENTERED|REGISTERED}.

This means an unregistered reader risks waiting indefinitely for work
since it never gets added to the proc->waiting_threads. If there are no
further references to its waitqueue either the task will hang. The same
applies to readers using the (e)poll interface.

I couldn't find the rationale behind this restriction. So this patch
restores the previous behavior of allowing unregistered threads to
"wait_for_proc_work". Note that an error message for this scenario,
which had previously become unreachable, is now re-enabled.

Fixes: 1b77e9dcc3 ("ANDROID: binder: remove proc waitqueue")
Cc: stable@vger.kernel.org
Cc: Martijn Coenen <maco@google.com>
Cc: Arve Hjønnevåg <arve@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240711201452.2017543-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* 'android11-5.4-lts' of https://android.googlesource.com/kernel/common: (482 commits)
ANDROID: GKI: refresh ABI to include kimage_vaddr
ANDROID: preserve CRC for struct tcp_sock
ANDROID: 16K: Don't set padding vm_flags on 32-bit archs
Linux 5.4.280
i2c: rcar: bring hardware to known state when probing
nilfs2: fix kernel bug on rename operation of broken directory
tcp: avoid too many retransmit packets
tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()
net: tcp: fix unexcepted socket die when snd_wnd is 0
tcp: refactor tcp_retransmit_timer()
SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
libceph: fix race between delayed_work() and ceph_monc_stop()
ALSA: hda/realtek: Limit mic boost on VAIO PRO PX
nvmem: meson-efuse: Fix return value of nvmem callbacks
hpet: Support 32-bit userspace
USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor
usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()
USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k
USB: serial: option: add Rolling RW350-GL variants
USB: serial: option: add Netprisma LCUK54 series modules
...
Conflicts:
kernel/gen_kheaders.sh
Change-Id: Ib57235b05d1bd369b3852565eabea8e658b59aed
https://source.android.com/docs/security/bulletin/2024-06-01
CVE-2024-26926
* tag 'ASB-2024-06-05_11-5.4' of https://android.googlesource.com/kernel/common:
ANDROID: ABI fixup for abi break in struct dst_ops
BACKPORT: net: fix __dst_negative_advice() race
UPSTREAM: selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior
Revert "timers: Rename del_timer_sync() to timer_delete_sync()"
Reapply "media: ttpci: fix two memleaks in budget_av_attach"
Revert "media: rename VFL_TYPE_GRABBER to _VIDEO"
Revert "media: media/pci: rename VFL_TYPE_GRABBER to _VIDEO"
Revert "media: ttpci: fix two memleaks in budget_av_attach"
Revert "net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()"
Revert "regmap: allow to define reg_update_bits for no bus configuration"
Revert "regmap: Add bulk read/write callbacks into regmap_config"
Revert "serial: max310x: fix IO data corruption in batched operations"
Revert "geneve: make sure to pull inner header in geneve_rx()"
Linux 5.4.274
firmware: meson_sm: fix to avoid potential NULL pointer dereference
ip_gre: do not report erspan version on GRE interface
erspan: Check IFLA_GRE_ERSPAN_VER is set.
VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()
Bluetooth: btintel: Fixe build regression
x86/alternative: Don't call text_poke() in lazy TLB mode
drm/i915/gt: Reset queue_priority_hint on parking
x86/mm/pat: fix VM_PAT handling in COW mappings
virtio: reenable config if freezing device failed
drm/vkms: call drm_atomic_helper_shutdown before drm_dev_put()
tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
netfilter: nf_tables: discard table flag update with pending basechain deletion
netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
netfilter: nf_tables: release batch on table validation from abort path
netfilter: nf_tables: reject new basechain after table flag update
fbmon: prevent division by zero in fb_videomode_from_videomode()
fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2
usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined
usb: typec: tcpci: add generic tcpci fallback compatible
tools: iio: replace seekdir() in iio_generic_buffer
ktest: force $buildonly = 1 for 'make_warnings_file' test type
Input: allocate keycode for Display refresh rate toggle
block: prevent division by zero in blk_rq_stat_sum()
Revert "ACPI: PM: Block ASUS B1400CEAE from suspend to idle by default"
SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int
drm/amd/display: Fix nanosec stat overflow
media: sta2x11: fix irq handler cast
isofs: handle CDs with bad root inode but good Joliet root directory
scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()
sysv: don't call sb_bread() with pointers_lock held
Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails
Bluetooth: btintel: Fix null ptr deref in btintel_read_version
btrfs: send: handle path ref underflow in header iterate_inode_ref()
btrfs: export: handle invalid inode or root reference in btrfs_get_parent()
btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()
tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num()
ionic: set adminq irq affinity
arm64: dts: rockchip: fix rk3399 hdmi ports node
arm64: dts: rockchip: fix rk3328 hdmi ports node
panic: Flush kernel log buffer at the end
VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
wifi: ath9k: fix LNA selection in ath_ant_try_scan()
s390/entry: align system call table on 8 bytes
x86/mce: Make sure to grab mce_sysfs_mutex in set_bank()
ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone
ata: sata_mv: Fix PCI device ID table declaration compilation warning
scsi: mylex: Fix sysfs buffer lengths
ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit
ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw
net: ravb: Always process TX descriptor ring
erspan: make sure erspan_base_hdr is present in skb->head
erspan: Add type I version 0 support.
init: open /initrd.image with O_LARGEFILE
initramfs: switch initramfs unpacking to struct file based APIs
fs: add a vfs_fchmod helper
fs: add a vfs_fchown helper
staging: vc04_services: fix information leak in create_component()
staging: vc04_services: changen strncpy() to strscpy_pad()
staging: mmal-vchiq: Fix client_component for 64 bit kernel
staging: mmal-vchiq: Allocate and free components as required
i40e: fix vf may be used uninitialized in this function warning
ipv6: Fix infinite recursion in fib6_dump_done().
selftests: reuseaddr_conflict: add missing new line at the end of the output
net: stmmac: fix rx queue priority assignment
net/sched: act_skbmod: prevent kernel-infoleak
bpf, sockmap: Prevent lock inversion deadlock in map delete elem
netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
netfilter: nf_tables: flush pending destroy work before exit_net release
mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL allocations
Revert "x86/mm/ident_map: Use gbpages only where full GB page should be mapped."
vfio/platform: Create persistent IRQ handlers
vfio/pci: Create persistent INTx handler
vfio: Introduce interface to flush virqfd inject workqueue
vfio/pci: Lock external INTx masking ops
vfio/pci: Disable auto-enable of exclusive INTx IRQ
net/rds: fix possible cp null dereference
netfilter: nf_tables: disallow timeout for anonymous sets
Bluetooth: Fix TOCTOU in HCI debugfs implementation
Bluetooth: hci_event: set the conn encrypted before conn establishes
x86/cpufeatures: Add new word for scattered features
r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d
dm integrity: fix out-of-range warning
tcp: properly terminate timers for kernel sockets
ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa()
nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
USB: core: Fix deadlock in usb_deauthorize_interface()
scsi: lpfc: Correct size for wqe for memset()
x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled
scsi: qla2xxx: Fix command flush on cable pull
usb: udc: remove warning when queue disabled ep
usb: dwc2: gadget: LPM flow fix
usb: dwc2: host: Fix ISOC flow in DDMA mode
usb: dwc2: host: Fix hibernation flow
usb: dwc2: host: Fix remote wakeup from hibernation
scsi: core: Fix unremoved procfs host directory regression
ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs
usb: cdc-wdm: close race between read and workqueue
mmc: core: Avoid negative index with array access
mmc: core: Initialize mmc_blk_ioc_data
exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()
wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
mm/migrate: set swap entry values of THP tail pages properly.
mm/memory-failure: fix an incorrect use of tail pages
vt: fix memory overlapping when deleting chars in the buffer
bounds: support non-power-of-two CONFIG_NR_CPUS
powerpc: xor_vmx: Add '-mhard-float' to CFLAGS
efivarfs: Request at most 512 bytes for variable names
perf/core: Fix reentry problem in perf_output_read_group()
loop: loop_set_status_from_info() check before assignment
loop: Check for overflow while configuring loop
loop: Factor out configuring loop from status
loop: Refactor loop_set_status() size calculation
loop: Factor out setting loop device size
loop: Remove sector_t truncation checks
loop: Call loop_config_discard() only after new config is applied
Revert "loop: Check for overflow while configuring loop"
btrfs: allocate btrfs_ioctl_defrag_range_args on stack
printk: Update @console_may_schedule in console_trylock_spinning()
xen/events: close evtchn after mapping cleanup
x86/speculation: Support intra-function call validation
objtool: Add support for intra-function calls
objtool: is_fentry_call() crashes if call has no destination
fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion
vt: fix unicode buffer corruption when deleting characters
tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled
usb: port: Don't try to peer unused USB ports based on location
usb: gadget: ncm: Fix handling of zero block length packets
USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command
ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897 platform
xfrm: Avoid clang fortify warning in copy_to_user_tmpl()
netfilter: nf_tables: reject constant set with timeout
netfilter: nf_tables: disallow anonymous set with timeout flag
netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout
comedi: comedi_test: Prevent timers rescheduling during deletion
dm snapshot: fix lockup in dm_exception_table_exit
ahci: asm1064: asm1166: don't limit reported ports
ahci: asm1064: correct count of reported ports
x86/CPU/AMD: Update the Zenbleed microcode revisions
nilfs2: prevent kernel bug at submit_bh_wbc()
nilfs2: use a more common logging style
nilfs2: fix failure to detect DAT corruption in btree and direct mappings
memtest: use {READ,WRITE}_ONCE in memory scanning
drm/vc4: hdmi: do not return negative values from .get_modes()
drm/imx/ipuv3: do not return negative values from .get_modes()
drm/exynos: do not return negative values from .get_modes()
s390/zcrypt: fix reference counting on zcrypt card objects
soc: fsl: qbman: Use raw spinlock for cgr_lock
soc: fsl: qbman: Add CGR update function
soc: fsl: qbman: Add helper for sanity checking cgr ops
soc: fsl: qbman: Always disable interrupts when taking cgr_lock
ring-buffer: Fix full_waiters_pending in poll
ring-buffer: Fix resetting of shortest_full
vfio/platform: Disable virqfds on cleanup
kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1
speakup: Fix 8bit characters from direct synth
slimbus: core: Remove usage of the deprecated ida_simple_xx() API
nvmem: meson-efuse: fix function pointer type mismatch
firmware: meson_sm: Rework driver as a proper platform driver
ext4: fix corruption during on-line resize
hwmon: (amc6821) add of_match table
mmc: core: Fix switch on gp3 partition
dm-raid: fix lockdep waring in "pers->hot_add_disk"
Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d""
PCI/PM: Drain runtime-idle callbacks before driver removal
PCI: Drop pci_device_remove() test of pci_dev->driver
btrfs: fix off-by-one chunk length calculation at contains_pending_extent()
fuse: don't unhash root
mmc: tmio: avoid concurrent runs of mmc_request_done()
PM: sleep: wakeirq: fix wake irq warning in system suspend
USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M
USB: serial: option: add MeiG Smart SLM320 product
USB: serial: cp210x: add ID for MGP Instruments PDS100
USB: serial: add device ID for VeriFone adapter
USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB
powerpc/fsl: Fix mfpmr build errors with newer binutils
clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays
clk: qcom: mmcc-apq8084: fix terminating of frequency table arrays
clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays
PM: suspend: Set mem_sleep_current during kernel command line setup
parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds
parisc: Fix csum_ipv6_magic on 64-bit systems
parisc: Fix csum_ipv6_magic on 32-bit systems
parisc: Fix ip_fast_csum
parisc: Do not hardcode registers in checksum functions
mtd: rawnand: meson: fix scrambling mode value in command macro
ubi: correct the calculation of fastmap size
ubi: Check for too small LEB size in VTBL code
ubifs: Set page uptodate in the correct place
fat: fix uninitialized field in nostale filehandles
ext4: correct best extent lstart adjustment logic
selftests/mqueue: Set timeout to 180 seconds
crypto: qat - resolve race condition during AER recovery
crypto: qat - fix double free during reset
sparc: vDSO: fix return value of __setup handler
sparc64: NMI watchdog: fix return value of __setup handler
KVM: Always flush async #PF workqueue when vCPU is being destroyed
media: xc4000: Fix atomicity violation in xc4000_get_frequency
serial: max310x: fix NULL pointer dereference in I2C instantiation
arm: dts: marvell: Fix maxium->maxim typo in brownstone dts
ARM: dts: mmp2-brownstone: Don't redeclare phandle references
smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity()
smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr()
clk: qcom: gcc-sdm845: Add soft dependency on rpmhpd
media: staging: ipu3-imgu: Set fields before media_entity_pads_init()
wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
timers: Rename del_timer_sync() to timer_delete_sync()
timers: Use del_timer_sync() even on UP
timers: Update kernel-doc for various functions
x86/bugs: Use sysfs_emit()
x86/cpu: Support AMD Automatic IBRS
Documentation/hw-vuln: Update spectre doc
amdkfd: use calloc instead of kzalloc to avoid integer overflow
Linux 5.4.273
regmap: Add missing map->bus check
spi: spi-mt65xx: Fix NULL pointer access in interrupt handler
bpf: report RCU QS in cpumap kthread
rcu: add a helper to report consolidated flavor QS
netfilter: nf_tables: do not compare internal table flags on updates
ARM: dts: sun8i-h2-plus-bananapi-m2-zero: add regulator nodes vcc-dram and vcc1v2
octeontx2-af: Use separate handlers for interrupts
net/bnx2x: Prevent access to a freed page in page_pool
hsr: Handle failures in module init
rds: introduce acquire/release ordering in acquire/release_in_xmit()
packet: annotate data-races around ignore_outgoing
hsr: Fix uninit-value access in hsr_get_node()
s390/vtime: fix average steal time calculation
octeontx2-af: Use matching wake_up API variant in CGX command interface
usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin
staging: greybus: fix get_channel_from_mode() failure path
serial: 8250_exar: Don't remove GPIO device on suspend
rtc: mt6397: select IRQ_DOMAIN instead of depending on it
kconfig: fix infinite loop when expanding a macro at the end of file
tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT
serial: max310x: fix syntax error in IRQ error message
tty: vt: fix 20 vs 0x20 typo in EScsiignore
afs: Revert "afs: Hide silly-rename files from userspace"
NFS: Fix an off by one in root_nfs_cat()
watchdog: stm32_iwdg: initialize default timeout
net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()
scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn
RDMA/device: Fix a race between mad_client and cm_client init
scsi: csiostor: Avoid function pointer casts
ALSA: usb-audio: Stop parsing channels bits when all channels are found.
clk: Fix clk_core_get NULL dereference
sparc32: Fix section mismatch in leon_pci_grpci
backlight: lp8788: Fully initialize backlight_properties during probe
backlight: lm3639: Fully initialize backlight_properties during probe
backlight: da9052: Fully initialize backlight_properties during probe
backlight: lm3630a: Don't set bl->props.brightness in get_brightness
backlight: lm3630a: Initialize backlight_properties on init
powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc.
drm/msm/dpu: add division of drm_display_mode's hskew parameter
powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks
drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip
media: ttpci: fix two memleaks in budget_av_attach
media: media/pci: rename VFL_TYPE_GRABBER to _VIDEO
media: rename VFL_TYPE_GRABBER to _VIDEO
media: v4l2-core: correctly validate video and metadata ioctls
media: go7007: fix a memleak in go7007_load_encoder
media: dvb-frontends: avoid stack overflow warnings with clang
media: pvrusb2: fix uaf in pvr2_context_set_notify
drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int()
ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs
mtd: rawnand: lpc32xx_mlc: fix irq handler prototype
mtd: maps: physmap-core: fix flash size larger than 32-bit
crypto: arm/sha - fix function cast warnings
mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle() takes a ref
mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref
drm/tegra: put drm_gem_object ref on error in tegra_fb_create
clk: hisilicon: hi3519: Release the correct number of gates in hi3519_clk_unregister()
PCI: Mark 3ware-9650SE Root Port Extended Tags as broken
drm/mediatek: dsi: Fix DSI RGB666 formats and definitions
clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times
media: pvrusb2: fix pvr2_stream_callback casts
media: pvrusb2: remove redundant NULL check
media: go7007: add check of return value of go7007_read_addr()
media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak
perf stat: Avoid metric-only segv
ALSA: seq: fix function cast warnings
drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode()
perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str()
PCI: switchtec: Fix an error handling path in switchtec_pci_probe()
quota: Fix rcu annotations of inode dquot pointers
quota: Fix potential NULL pointer dereference
quota: simplify drop_dquot_ref()
clk: qcom: reset: Ensure write completion on reset de/assertion
clk: qcom: reset: Commonize the de/assert functions
clk: qcom: reset: support resetting multiple bits
clk: qcom: reset: Allow specifying custom reset delay
media: edia: dvbdev: fix a use-after-free
media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity
media: v4l2-tpg: fix some memleaks in tpg_alloc
media: em28xx: annotate unchecked call to media_device_register()
perf evsel: Fix duplicate initialization of data->id in evsel__parse_sample()
drm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_func()'
perf record: Fix possible incorrect free in record__switch_output()
PCI/DPC: Print all TLP Prefixes, not just the first
media: tc358743: register v4l2 async device only after successful setup
dmaengine: tegra210-adma: Update dependency to ARCH_TEGRA
drm/rockchip: lvds: do not overwrite error code
drm: Don't treat 0 as -1 in drm_fixp2int_ceil
drm/rockchip: inno_hdmi: Fix video timing
drm/tegra: output: Fix missing i2c_put_adapter() in the error handling paths of tegra_output_probe()
drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path of tegra_dsi_probe()
drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()
drm/tegra: dsi: Make use of the helper function dev_err_probe()
gpu: host1x: mipi: Update tegra_mipi_request() to be node based
drm/tegra: dsi: Add missing check for of_find_device_by_node
dm: call the resume method on internal suspend
dm raid: fix false positive for requeue needed during reshape
nfp: flower: handle acti_netdevs allocation failure
net/x25: fix incorrect parameter validation in the x25_getsockopt() function
net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function
udp: fix incorrect parameter validation in the udp_lib_getsockopt() function
l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() function
tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function
net: hns3: fix port duplex configure error in IMP reset
net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()
ipv6: fib6_rules: flush route cache when rule is changed
bpf: Fix stackmap overflow check on 32-bit arches
bpf: Fix hashtab overflow check on 32-bit arches
sr9800: Add check for usbnet_get_endpoints
Bluetooth: hci_core: Fix possible buffer overflow
Bluetooth: Remove superfluous call to hci_conn_check_pending()
igb: Fix missing time sync events
igb: move PEROUT and EXTTS isr logic to separate functions
mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove function
SUNRPC: fix some memleaks in gssx_dec_option_array
x86, relocs: Ignore relocations in .notes section
ACPI: scan: Fix device check notification handling
ARM: dts: imx6dl-yapp4: Move the internal switch PHYs under the switch node
ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address
ARM: dts: imx6dl-yapp4: Move phy reset into switch node
ARM: dts: arm: realview: Fix development chip ROM compatible value
net: ena: Remove ena_select_queue
net: ena: cosmetic: fix line break issues
wifi: brcmsmac: avoid function pointer casts
iommu/amd: Mark interrupt as managed
bus: tegra-aconnect: Update dependency to ARCH_TEGRA
ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()
arm64: dts: qcom: msm8996: Pad addresses
arm64: dts: qcom: msm8996: Move regulator consumers to db820c
arm64: dts: qcom: msm8996: Use node references in db820c
arm64: dts: qcom: db820c: Move non-soc entries out of /soc
bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly
bpf: Factor out bpf_spin_lock into helpers.
bpf: Add typecast to bpf helpers to help BTF generation
arm64: dts: mediatek: mt7622: add missing "device_type" to memory nodes
wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()
net: blackhole_dev: fix build warning for ethh set but not used
af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().
sock_diag: annotate data-races around sock_diag_handlers[family]
wifi: mwifiex: debugfs: Drop unnecessary error check for debugfs_create_dir()
wifi: wilc1000: fix RCU usage in connect path
wifi: wilc1000: fix declarations ordering
wifi: b43: Disable QoS for bcm4331
wifi: b43: Stop correct queue in DMA worker when QoS is disabled
b43: main: Fix use true/false for bool type
wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled
wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled
b43: dma: Fix use true/false for bool type variable
wifi: ath10k: fix NULL pointer dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()
timekeeping: Fix cross-timestamp interpolation for non-x86
timekeeping: Fix cross-timestamp interpolation corner case decision
timekeeping: Fix cross-timestamp interpolation on counter wrap
aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
fs/select: rework stack allocation hack for clang
nbd: null check for nla_nest_start
do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak
ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll
ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode
ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC
Input: gpio_keys_polled - suppress deferred probe error for gpio
ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 tablet
firewire: core: use long bus reset on gap count error
Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
scsi: mpt3sas: Prevent sending diag_reset when the controller is ready
btrfs: fix data race at btrfs_use_block_rsv() when accessing block reserve
dm-verity, dm-crypt: align "struct bvec_iter" correctly
block: sed-opal: handle empty atoms when parsing response
parisc/ftrace: add missing CONFIG_DYNAMIC_FTRACE check
net/iucv: fix the allocation size of iucv_path_table array
RDMA/mlx5: Relax DEVX access upon modify commands
HID: multitouch: Add required quirk for Synaptics 0xcddc device
MIPS: Clear Cause.BD in instruction_pointer_set
x86/xen: Add some null pointer checking to smp.c
ASoC: rt5645: Make LattePanda board DMI match more precise
selftests: tls: use exact comparison in recv_partial
io_uring: drop any code related to SCM_RIGHTS
io_uring/unix: drop usage of io_uring socket
UPSTREAM: arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts
UPSTREAM: arm64: dts: qcom: add PDC interrupt controller for SDM845
Linux 5.4.272
arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts
arm64: dts: qcom: add PDC interrupt controller for SDM845
serial: max310x: fix IO data corruption in batched operations
serial: max310x: implement I2C support
serial: max310x: make accessing revision id interface-agnostic
regmap: Add bulk read/write callbacks into regmap_config
regmap: allow to define reg_update_bits for no bus configuration
serial: max310x: Unprepare and disable clock in error path
getrusage: use sig->stats_lock rather than lock_task_sighand()
getrusage: use __for_each_thread()
getrusage: move thread_group_cputime_adjusted() outside of lock_task_sighand()
getrusage: add the "signal_struct *sig" local variable
y2038: rusage: use __kernel_old_timeval
hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed
hv_netvsc: use netif_is_bond_master() instead of open code
hv_netvsc: Make netvsc/VF binding check both MAC and serial number
Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU
serial: max310x: prevent infinite while() loop in port startup
serial: max310x: use a separate regmap for each port
serial: max310x: use regmap methods for SPI batch operations
serial: max310x: Make use of device properties
serial: max310x: fail probe if clock crystal is unstable
serial: max310x: Try to get crystal clock rate from property
serial: max310x: Use devm_clk_get_optional() to get the input clock
um: allow not setting extra rpaths in the linux binary
selftests: mm: fix map_hugetlb failure on 64K page size systems
netrom: Fix data-races around sysctl_net_busy_read
netrom: Fix a data-race around sysctl_netrom_link_fails_count
netrom: Fix a data-race around sysctl_netrom_routing_control
netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout
netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size
netrom: Fix a data-race around sysctl_netrom_transport_busy_delay
netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay
netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries
netrom: Fix a data-race around sysctl_netrom_transport_timeout
netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser
netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser
netrom: Fix a data-race around sysctl_netrom_default_path_quality
netfilter: nf_conntrack_h323: Add protection for bmp length out of range
netfilter: nft_ct: fix l3num expectations with inet pseudo family
net/rds: fix WARNING in rds_conn_connect_if_down
net/ipv6: avoid possible UAF in ip6_route_mpath_notify()
net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()
geneve: make sure to pull inner header in geneve_rx()
ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able
net: lan78xx: fix runtime PM count underflow on link stop
lan78xx: Fix race conditions in suspend/resume handling
lan78xx: Fix partial packet errors on suspend/resume
lan78xx: Add missing return code checks
lan78xx: Fix white space and style issues
Linux 5.4.271
gpio: 74x164: Enable output pins after registers are reset
fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super
cachefiles: fix memory leak in cachefiles_add_cache()
x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers
mmc: core: Fix eMMC initialization with 1-bit bus connection
dmaengine: fsl-qdma: init irq after reg initialization
dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read
btrfs: dev-replace: properly validate device names
wifi: nl80211: reject iftype change with mesh ID change
gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
afs: Fix endless loop in directory parsing
ALSA: Drop leftover snd-rtctimer stuff from Makefile
power: supply: bq27xxx-i2c: Do not free non existing IRQ
efi/capsule-loader: fix incorrect allocation size
rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back
netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()
Bluetooth: Enforce validation on max value of connection interval
Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST
Bluetooth: Avoid potential use-after-free in hci_error_reset
net: usb: dm9601: fix wrong return value in dm9601_mdio_read
lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is detected
ipv6: fix potential "struct net" leak in inet6_rtm_getaddr()
tun: Fix xdp_rxq_info's queue_index when detaching
net: ip_tunnel: prevent perpetual headroom growth
netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
ANDROID: GKI: update .xml file due to USB changes in 5.4.270
Revert "bpf: Add map and need_defer parameters to .map_fd_put_ptr()"
Revert "hrtimer: Report offline hrtimer enqueue"
Revert "drm/mipi-dsi: Fix detach call without attach"
Linux 5.4.270
scripts/bpf: Fix xdp_md forward declaration typo
fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio
drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set
drm/syncobj: make lockdep complain on WAIT_FOR_SUBMIT v3
netfilter: nf_tables: set dormant flag on hook register failure
tls: stop recv() if initial process_rx_list gave us non-DATA
tls: rx: drop pointless else after goto
tls: rx: jump to a more appropriate label
s390: use the correct count for __iowrite64_copy()
packet: move from strlcpy with unused retval to strscpy
ipv6: sr: fix possible use-after-free and null-ptr-deref
afs: Increase buffer size in afs_update_volume_status()
ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid
ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid
nouveau: fix function cast warnings
scsi: jazz_esp: Only build if SCSI core is builtin
bpf, scripts: Correct GPL license name
scripts/bpf: teach bpf_helpers_doc.py to dump BPF helper definitions
RDMA/srpt: fix function pointer cast warnings
RDMA/srpt: Make debug output more detailed
RDMA/bnxt_re: Return error for SRQ resize
IB/hfi1: Fix a memleak in init_credit_return
usb: roles: don't get/set_role() when usb_role_switch is unregistered
usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs
usb: cdns3: fix memory double free when handle zero packet
usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()
ARM: ep93xx: Add terminator to gpiod_lookup_table
l2tp: pass correct message length to ip6_append_data
PCI/MSI: Prevent MSI hardware interrupt number truncation
gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()
dm-crypt: don't modify the data when using authenticated encryption
IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
PCI: tegra: Fix OF node reference leak
PCI: tegra: Fix reporting GPIO error value
arm64: dts: qcom: msm8916: Fix typo in pronto remoteproc node
drm/amdgpu: Fix type of second parameter in trans_msg() callback
iomap: Set all uptodate bits for an Uptodate page
dm-integrity: don't modify bio's immutable bio_vec in integrity_metadata()
x86/alternatives: Disable KASAN in apply_alternatives()
drm/amdgpu: Check for valid number of registers to read
Revert "drm/sun4i: dsi: Change the start delay calculation"
ALSA: hda/realtek - Enable micmute LED on and HP system
selftests/bpf: Avoid running unprivileged tests with alignment requirements
net: bridge: clear bridge's private skb space on xmit
spi: mt7621: Fix an error message in mt7621_spi_probe()
pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups
pinctrl: pinctrl-rockchip: Fix a bunch of kerneldoc misdemeanours
tcp: add annotations around sk->sk_shutdown accesses
tcp: return EPOLLOUT from tcp_poll only when notsent_bytes is half the limit
tcp: factor out __tcp_close() helper
pmdomain: renesas: r8a77980-sysc: CR7 must be always on
s390/qeth: Fix potential loss of L3-IP@ in case of network issues
virtio-blk: Ensure no requests in virtqueues before deleting vqs.
firewire: core: send bus reset promptly on gap count error
scsi: lpfc: Use unsigned type for num_sge
hwmon: (coretemp) Enlarge per package core count limit
nvmet-fc: abort command when there is no binding
netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new
ASoC: sunxi: sun4i-spdif: Add support for Allwinner H616
nvmet-tcp: fix nvme tcp ida memory leak
regulator: pwm-regulator: Add validity checks in continuous .get_voltage
ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()
ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()
ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers
ahci: asm1166: correct count of reported ports
fbdev: sis: Error out if pixclock equals zero
fbdev: savage: Error out if pixclock equals zero
wifi: mac80211: fix race condition on enabling fast-xmit
wifi: cfg80211: fix missing interfaces when dumping
dmaengine: fsl-qdma: increase size of 'irq_name'
dmaengine: shdma: increase size of 'dev_id'
scsi: target: core: Add TMF to tmr_list handling
sched/rt: Disallow writing invalid values to sched_rt_period_us
sched/rt: Fix sysctl_sched_rr_timeslice intial value
userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb
nilfs2: replace WARN_ONs for invalid DAT metadata block requests
memcg: add refcnt for pcpu stock to avoid UAF problem in drain_all_stock()
sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset
net/sched: Retire dsmark qdisc
net/sched: Retire ATM qdisc
net/sched: Retire CBQ qdisc
KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler
KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table()
Linux 5.4.269
of: gpio unittest kfree() wrong object
of: unittest: fix EXPECT text for gpio hog errors
net: bcmgenet: Fix EEE implementation
Revert "Revert "mtd: rawnand: gpmi: Fix setting busy timeout setting""
netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
lsm: new security_file_ioctl_compat() hook
drm/msm/dsi: Enable runtime PM
PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend()
PM: runtime: add devm_pm_runtime_enable helper
nilfs2: fix potential bug in end_buffer_async_write
sched/membarrier: reduce the ability to hammer on sys_membarrier
net: prevent mss overflow in skb_segment()
netfilter: ipset: Missing gc cancellations fixed
netfilter: ipset: fix performance regression in swap operation
KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache
mips: Fix max_mapnr being uninitialized on early stages
arch, mm: remove stale mentions of DISCONIGMEM
bus: moxtet: Add spi device table
Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
tracing: Inform kmemleak of saved_cmdlines allocation
pmdomain: core: Move the unused cleanup to a _sync initcall
can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
irqchip/irq-brcmstb-l2: Add write memory barrier before exit
nfp: flower: prevent re-adding mac index for bonded port
nfp: use correct macro for LengthSelect in BAR config
nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
nilfs2: fix data corruption in dsync block recovery for small block sizes
ALSA: hda/conexant: Add quirk for SWS JS201D
mmc: slot-gpio: Allow non-sleeping GPIO ro
x86/mm/ident_map: Use gbpages only where full GB page should be mapped.
x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6
serial: max310x: improve crystal stable clock detection
serial: max310x: set default value when reading clock ready bit
ring-buffer: Clean ring_buffer_poll_wait() error return
iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC
staging: iio: ad5933: fix type mismatch regression
tracing: Fix wasted memory in saved_cmdlines logic
ext4: fix double-free of blocks due to wrong extents moved_len
misc: fastrpc: Mark all sessions as invalid in cb_remove
binder: signal epoll threads of self-work
ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL
xen-netback: properly sync TX responses
nfc: nci: free rx_data_reassembly skb on NCI device cleanup
kbuild: Fix changing ELF file type for output of gen_btf for big endian
firewire: core: correct documentation of fw_csr_string() kernel API
scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock"
i2c: i801: Fix block process call transactions
i2c: i801: Remove i801_set_block_buffer_mode
usb: f_mass_storage: forbid async queue when shutdown happen
USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT
HID: wacom: Do not register input devices until after hid_hw_start
HID: wacom: generic: Avoid reporting a serial of '0' to userspace
mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again
tracing/trigger: Fix to return error if failed to alloc snapshot
i40e: Fix waiting for queues of all VSIs to be disabled
MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler
ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
spi: ppc4xx: Drop write-only variable
of: unittest: Fix compile in the non-dynamic case
of: unittest: add overlay gpio test to catch gpio hog problem
btrfs: send: return EOPNOTSUPP on unknown flags
btrfs: forbid deleting live subvol qgroup
btrfs: forbid creating subvol qgroups
netfilter: nft_set_rbtree: skip end interval element from gc
net: stmmac: xgmac: fix a typo of register name in DPP safety handling
net: stmmac: xgmac: use #define for string constants
vhost: use kzalloc() instead of kmalloc() followed by memset()
Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID
hrtimer: Report offline hrtimer enqueue
USB: serial: cp210x: add ID for IMST iM871A-USB
USB: serial: option: add Fibocom FM101-GL variant
USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e
net/af_iucv: clean up a try_then_request_module()
netfilter: nft_ct: reject direction for ct id
netfilter: nft_compat: restrict match/target protocol to u16
netfilter: nft_compat: reject unused compat flag
ppp_async: limit MRU to 64K
tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()
rxrpc: Fix response to PING RESPONSE ACKs to a dead call
inet: read sk->sk_family once in inet_recv_error()
hwmon: (coretemp) Fix bogus core_id to attr name mapping
hwmon: (coretemp) Fix out-of-bounds memory access
hwmon: (aspeed-pwm-tacho) mutex for tach reading
atm: idt77252: fix a memleak in open_card_ubr0
selftests: net: avoid just another constant wait
net: stmmac: xgmac: fix handling of DPP safety error for DMA channels
phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP
dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV
phy: renesas: rcar-gen3-usb2: Fix returning wrong error code
dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA
dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA
bonding: remove print in bond_verify_device_path
HID: apple: Add 2021 magic keyboard FN key mapping
HID: apple: Swap the Fn and Left Control keys on Apple keyboards
HID: apple: Add support for the 2021 Magic Keyboard
net: sysfs: Fix /sys/class/net/<iface> path
af_unix: fix lockdep positive in sk_diag_dump_icons()
net: ipv4: fix a memleak in ip_setup_cork
netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations
netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger
llc: call sock_orphan() at release time
ipv6: Ensure natural alignment of const ipv6 loopback and router addresses
ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()
ixgbe: Refactor overtemp event handling
ixgbe: Refactor returning internal error codes
ixgbe: Remove non-inclusive language
net: remove unneeded break
scsi: isci: Fix an error code problem in isci_io_request_build()
wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update
perf: Fix the nr_addr_filters fix
drm/amdgpu: Release 'adev->pm.fw' before return in 'amdgpu_device_need_post()'
ceph: fix deadlock or deadcode of misusing dget()
blk-mq: fix IO hang from sbitmap wakeup race
virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings
libsubcmd: Fix memory leak in uniq()
PCI/AER: Decode Requester ID when no error info found
fs/kernfs/dir: obey S_ISGID
usb: hub: Replace hardcoded quirk value with BIT() macro
PCI: switchtec: Fix stdev_release() crash after surprise hot remove
PCI: Only override AMD USB controller if required
mfd: ti_am335x_tscadc: Fix TI SoC dependencies
i3c: master: cdns: Update maximum prescaler value for i2c clock
um: net: Fix return type of uml_net_start_xmit()
um: Don't use vfprintf() for os_info()
um: Fix naming clash between UML and scheduler
leds: trigger: panic: Don't register panic notifier if creating the trigger failed
drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()'
drm/amdgpu: Let KFD sync with VM fences
clk: mmp: pxa168: Fix memory leak in pxa168_clk_init()
clk: hi3620: Fix memory leak in hi3620_mmc_clk_init()
drm/msm/dpu: Ratelimit framedone timeout msgs
media: ddbridge: fix an error code problem in ddb_probe
IB/ipoib: Fix mcast list locking
drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time
ALSA: hda: Intel: add HDA_ARL PCI ID support
PCI: add INTEL_HDA_ARL to pci_ids.h
media: rockchip: rga: fix swizzling for RGB formats
media: stk1160: Fixed high volume of stk1160_dbg messages
drm/mipi-dsi: Fix detach call without attach
drm/framebuffer: Fix use of uninitialized variable
drm/drm_file: fix use of uninitialized variable
RDMA/IPoIB: Fix error code return in ipoib_mcast_join
fast_dput(): handle underflows gracefully
ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument
f2fs: fix to check return value of f2fs_reserve_new_block()
wifi: cfg80211: free beacon_ies when overridden from hidden BSS
wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()
wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices
arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property
arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property
md: Whenassemble the array, consult the superblock of the freshest device
block: prevent an integer overflow in bvec_try_merge_hw_page
ARM: dts: imx23/28: Fix the DMA controller node name
ARM: dts: imx23-sansa: Use preferred i2c-gpios properties
ARM: dts: imx27-apf27dev: Fix LED name
ARM: dts: imx25/27: Pass timing0
ARM: dts: imx1: Fix sram node
ARM: dts: imx27: Fix sram node
ARM: dts: imx: Use flash@0,0 pattern
ARM: dts: imx25/27-eukrea: Fix RTC node name
ARM: dts: rockchip: fix rk3036 hdmi ports node
scsi: libfc: Fix up timeout error in fc_fcp_rec_error()
scsi: libfc: Don't schedule abort twice
bpf: Add map and need_defer parameters to .map_fd_put_ptr()
wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
ARM: dts: imx7s: Fix nand-controller #size-cells
ARM: dts: imx7s: Fix lcdif compatible
ARM: dts: imx7d: Fix coresight funnel ports
bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk
PCI: Add no PM reset quirk for NVIDIA Spectrum devices
scsi: lpfc: Fix possible file string name overflow when updating firmware
selftests/bpf: Fix pyperf180 compilation failure with clang18
selftests/bpf: satisfy compiler by having explicit return in btf test
wifi: rt2x00: restart beacon queue when hardware reset
ext4: avoid online resizing failures due to oversized flex bg
ext4: remove unnecessary check from alloc_flex_gd()
ext4: unify the type of flexbg_size to unsigned int
ext4: fix inconsistent between segment fstrim and full fstrim
ecryptfs: Reject casefold directory inodes
SUNRPC: Fix a suspicious RCU usage warning
KVM: s390: fix setting of fpc register
s390/ptrace: handle setting of fpc register correctly
jfs: fix array-index-out-of-bounds in diNewExt
rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock()
afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*()
crypto: stm32/crc32 - fix parsing list of devices
pstore/ram: Fix crash when setting number of cpus to an odd number
jfs: fix uaf in jfs_evict_inode
jfs: fix array-index-out-of-bounds in dbAdjTree
jfs: fix slab-out-of-bounds Read in dtSearch
UBSAN: array-index-out-of-bounds in dtSplitRoot
FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree
ACPI: extlog: fix NULL pointer dereference check
PNP: ACPI: fix fortify warning
ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop
audit: Send netlink ACK before setting connection in auditd_set
regulator: core: Only increment use_count when enable_count changes
perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file
x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel
powerpc/lib: Validate size for vector operations
powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE
powerpc/mm: Fix build failures due to arch_reserved_kernel_pages()
powerpc: Fix build error due to is_valid_bugaddr()
powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
x86/entry/ia32: Ensure s32 is sign extended to s64
tick/sched: Preserve number of idle sleeps across CPU hotplug events
mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan
spi: bcm-qspi: fix SFDP BFPT read by usig mspi read
gpio: eic-sprd: Clear interrupt after set the interrupt type
drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume
drm/exynos: fix accidental on-stack copy of exynos_drm_plane
drm/bridge: nxp-ptn3460: simplify some error checking
drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking
drm: Don't unref the same fb many times by mistake due to deadlock handling
gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04
netfilter: nf_tables: reject QUEUE/DROP verdict parameters
rbd: don't move requests to the running list on errors
btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args
btrfs: don't warn if discard range is not aligned to sector
btrfs: tree-checker: fix inline ref size in error messages
btrfs: ref-verify: free ref cache before clearing mount opt
net: fec: fix the unhandled context fault from smmu
fjes: fix memleaks in fjes_hw_setup
netfilter: nf_tables: validate NFPROTO_* family
netfilter: nf_tables: restrict anonymous set and map names to 16 bytes
net/mlx5e: fix a double-free in arfs_create_groups
net/mlx5: Use kfree(ft->g) in arfs_create_groups()
net/mlx5: DR, Use the right GVMI number for drop action
netlink: fix potential sleeping issue in mqueue_flush_file
tcp: Add memory barrier to tcp_push()
afs: Hide silly-rename files from userspace
tracing: Ensure visibility when inserting an element into tracing_map
net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
llc: Drop support for ETH_P_TR_802_2.
llc: make llc_ui_sendmsg() more robust against bonding changes
vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING
net/smc: fix illegal rmb_desc access in SMC-D connection dump
x86/CPU/AMD: Fix disabling XSAVES on AMD family 0x17 due to erratum
powerpc: Use always instead of always-y in for crtsavres.o
fs: move S_ISGID stripping into the vfs_*() helpers
fs: add mode_strip_sgid() helper
mtd: spinand: macronix: Fix MX35LFxGE4AD page size
block: Remove special-casing of compound pages
rename(): fix the locking of subdirectories
ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path
nouveau/vmm: don't set addr on the fail path to avoid warning
mmc: core: Use mrq.sbc in close-ended ffu
arm64: dts: qcom: sdm845: fix USB wakeup interrupt types
parisc/firmware: Fix F-extend for PDC addresses
rpmsg: virtio: Free driver_override when rpmsg_remove()
hwrng: core - Fix page fault dead lock on mmap-ed hwrng
PM: hibernate: Enforce ordering during image compression/decompression
crypto: api - Disallow identical driver names
ext4: allow for the last group to be marked as trimmed
serial: sc16is7xx: add check for unsupported SPI modes during probe
spi: introduce SPI_MODE_X_MASK macro
serial: sc16is7xx: set safe default SPI clock frequency
units: add the HZ macros
units: change from 'L' to 'UL'
units: Add Watt units
include/linux/units.h: add helpers for kelvin to/from Celsius conversion
PCI: mediatek: Clear interrupt status before dispatching handler
Conflicts:
include/linux/timer.h
mm/memory-failure.c
Change-Id: I4974903c79ecddc3d9225b0b723a30b6c83ef572
Merge 5.4.278 into android11-5.4-lts
Changes in 5.4.278
x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
speakup: Fix sizeof() vs ARRAY_SIZE() bug
ring-buffer: Fix a race between readers and resize checks
net: smc91x: Fix m68k kernel compilation for ColdFire CPU
nilfs2: fix unexpected freezing of nilfs_segctor_sync()
nilfs2: fix potential hang in nilfs_detach_log_writer()
wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class
net: usb: qmi_wwan: add Telit FN920C04 compositions
drm/amd/display: Set color_mgmt_changed to true on unsuspend
ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
ASoC: da7219-aad: fix usage of device_get_named_child_node()
drm/amdkfd: Flush the process wq before creating a kfd_process
nvme: find numa distance only if controller has valid numa id
openpromfs: finish conversion to the new mount API
crypto: bcm - Fix pointer arithmetic
firmware: raspberrypi: Use correct device for DMA mappings
ecryptfs: Fix buffer size for tag 66 packet
nilfs2: fix out-of-range warning
parisc: add missing export of __cmpxchg_u8()
crypto: ccp - drop platform ifdef checks
s390/cio: fix tracepoint subchannel type field
jffs2: prevent xattr node from overflowing the eraseblock
null_blk: Fix missing mutex_destroy() at module removal
md: fix resync softlockup when bitmap size is less than array size
wifi: ath10k: poll service ready message before failing
x86/boot: Ignore relocations in .notes sections in walk_relocs() too
qed: avoid truncating work queue length
scsi: ufs: qcom: Perform read back after writing reset bit
scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV
scsi: ufs: core: Perform read back after disabling interrupts
scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
irqchip/alpine-msi: Fix off-by-one in allocation error path
ACPI: disable -Wstringop-truncation
cpufreq: Reorganize checks in cpufreq_offline()
cpufreq: Split cpufreq_offline()
cpufreq: Rearrange locking in cpufreq_remove_dev()
cpufreq: exit() callback is optional
scsi: libsas: Fix the failure of adding phy with zero-address to port
scsi: hpsa: Fix allocation size for Scsi_Host private data
x86/purgatory: Switch to the position-independent small code model
wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger()
wifi: ath10k: populate board data for WCN3990
tcp: minor optimization in tcp_add_backlog()
tcp: fix a signed-integer-overflow bug in tcp_add_backlog()
tcp: avoid premature drops in tcp_add_backlog()
macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"
wifi: carl9170: add a proper sanity check for endpoints
wifi: ar5523: enable proper endpoint verification
sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
Revert "sh: Handle calling csum_partial with misaligned data"
HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors
scsi: bfa: Ensure the copied buf is NUL terminated
scsi: qedf: Ensure the copied buf is NUL terminated
wifi: mwl8k: initialize cmd->addr[] properly
usb: aqc111: stop lying about skb->truesize
net: usb: sr9700: stop lying about skb->truesize
m68k: Fix spinlock race in kernel thread creation
m68k: mac: Fix reboot hang on Mac IIci
net: ethernet: cortina: Locking fixes
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
net: usb: smsc95xx: stop lying about skb->truesize
net: openvswitch: fix overwriting ct original tuple for ICMPv6
ipv6: sr: add missing seg6_local_exit
ipv6: sr: fix incorrect unregister order
ipv6: sr: fix invalid unregister error path
drm/amd/display: Fix potential index out of bounds in color transformation function
mtd: rawnand: hynix: fixed typo
fbdev: shmobile: fix snprintf truncation
drm/mediatek: Add 0 size check to mtk_drm_gem_obj
powerpc/fsl-soc: hide unused const variable
fbdev: sisfb: hide unused variables
media: ngene: Add dvb_ca_en50221_init return value check
media: radio-shark2: Avoid led_names truncations
platform/x86: wmi: Make two functions static
fbdev: sh7760fb: allow modular build
drm/arm/malidp: fix a possible null pointer dereference
ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector
RDMA/hns: Use complete parentheses in macros
x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
ext4: avoid excessive credit estimate in ext4_tmpfile()
sunrpc: removed redundant procp check
SUNRPC: Fix gss_free_in_token_pages()
selftests/kcmp: Make the test output consistent and clear
selftests/kcmp: remove unused open mode
RDMA/IPoIB: Fix format truncation compilation errors
netrom: fix possible dead-lock in nr_rt_ioctl()
af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax
sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
greybus: lights: check return of get_channel_from_mode
soundwire: cadence/intel: simplify PDI/port mapping
soundwire: intel: don't filter out PDI0/1
soundwire: cadence_master: improve PDI allocation
soundwire: cadence: fix invalid PDI offset
dmaengine: idma64: Add check for dma_set_max_seg_size
firmware: dmi-id: add a release callback function
serial: max3100: Lock port->lock when calling uart_handle_cts_change()
serial: max3100: Update uart_driver_registered on driver removal
serial: max3100: Fix bitwise types
greybus: arche-ctrl: move device table to its right location
iio: pressure: dps310: support negative temperature values
microblaze: Remove gcc flag for non existing early_printk.c file
microblaze: Remove early printk call from cpuinfo-static.c
usb: gadget: u_audio: Clear uac pointer when freed.
stm class: Fix a double free in stm_register_device()
ppdev: Remove usage of the deprecated ida_simple_xx() API
ppdev: Add an error check in register_device
extcon: max8997: select IRQ_DOMAIN instead of depending on it
f2fs: fix to release node block count in error path of f2fs_new_node_page()
serial: sh-sci: protect invalidating RXDMA on shutdown
libsubcmd: Fix parse-options memory leak
Input: ims-pcu - fix printf string overflow
Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation
drm/msm/dpu: Always flush the slave INTF on the CTL
um: Fix return value in ubd_init()
um: Add winch to winch_handlers before registering winch IRQ
media: stk1160: fix bounds checking in stk1160_copy_video()
scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy()
powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp
um: Fix the -Wmissing-prototypes warning for __switch_mm
media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
media: cec: cec-api: add locking in cec_release()
null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()
x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y
nfc: nci: Fix uninit-value in nci_rx_work
sunrpc: fix NFSACL RPC retry on soft mount
ipv6: sr: fix memleak in seg6_hmac_init_algo
params: lift param_set_uint_minmax to common code
tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
openvswitch: Set the skbuff pkt_type for proper pmtud support.
arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
net: fec: avoid lock evasion when reading pps_enable
nfc: nci: Fix kcov check in nci_rx_work()
nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
spi: Don't mark message DMA mapped when no transfer in it is
nvmet: fix ns enable/disable possible hang
net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion
dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
enic: Validate length of nl attributes in enic_set_vf_port
smsc95xx: remove redundant function arguments
smsc95xx: use usbnet->driver_priv
net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM
net:fec: Add fec_enet_deinit()
netfilter: tproxy: bail out if IP has been disabled on the device
kconfig: fix comparison to constant symbols, 'm', 'n'
spi: stm32: Don't warn about spurious interrupts
ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound
ALSA: timer: Set lower bound of start tick time
genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
binder: fix max_thread type inconsistency
mmc: core: Do not force a retune before RPMB switch
io_uring: fail NOP if non-zero op flags is passed in
afs: Don't cross .backup mountpoint from backup volume
nilfs2: fix use-after-free of timer for log writer thread
vxlan: Fix regression when dropping packets due to invalid src addresses
x86/mm: Remove broken vsyscall emulation code from the page fault code
f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()
media: lgdt3306a: Add a check against null-pointer-def
drm/amdgpu: add error handle to avoid out-of-bounds
ata: pata_legacy: make legacy_exit() work again
ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx
arm64: tegra: Correct Tegra132 I2C alias
md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING
wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU
arm64: dts: hi3798cv200: fix the size of GICR
media: mc: mark the media devnode as registered from the, start
media: mxl5xx: Move xpt structures off stack
media: v4l2-core: hold videodev_lock until dev reg, finishes
fbdev: savage: Handle err return when savagefb_check_var failed
KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode
crypto: ecrdsa - Fix module auto-load on add_key
crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
net/ipv6: Fix route deleting failure when metric equals 0
net/9p: fix uninit-value in p9_client_rpc()
intel_th: pci: Add Meteor Lake-S CPU support
sparc64: Fix number of online CPUs
kdb: Fix buffer overflow during tab-complete
kdb: Use format-strings rather than '\0' injection in kdb_read()
kdb: Fix console handling when editing and tab-completing commands
kdb: Merge identical case statements in kdb_read()
kdb: Use format-specifiers rather than memset() for padding in kdb_read()
net: fix __dst_negative_advice() race
xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
sparc: move struct termio to asm/termios.h
ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
s390/ap: Fix crash in AP internal function modify_bitmap()
nfs: fix undefined behavior in nfs_block_bits()
Linux 5.4.278
Change-Id: I0cdcfac77f01b25b5790752b68d92f1eafaa9ddd
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 42316941335644a98335f209daafa4c122f28983 upstream.
The type defined for the BINDER_SET_MAX_THREADS ioctl was changed from
size_t to __u32 in order to avoid incompatibility issues between 32 and
64-bit kernels. However, the internal types used to copy from user and
store the value were never updated. Use u32 to fix the inconsistency.
Fixes: a9350fc859 ("staging: android: binder: fix BINDER_SET_MAX_THREADS declaration")
Reported-by: Arve Hjønnevåg <arve@android.com>
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240421173750.3117808-1-cmllamas@google.com
[cmllamas: resolve minor conflicts due to missing commit 421518a2740f]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge 5.4.275 into android11-5.4-lts
Changes in 5.4.275
batman-adv: Avoid infinite loop trying to resize local TT
Bluetooth: Fix memory leak in hci_req_sync_complete()
nouveau: fix function cast warning
net: openvswitch: fix unwanted error log on timeout policy probing
u64_stats: fix u64_stats_init() for lockdep when used repeatedly in one file
geneve: fix header validation in geneve[6]_xmit_skb
ipv6: fib: hide unused 'pn' variable
ipv4/route: avoid unused-but-set-variable warning
ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
net/mlx5: Properly link new fs rules into the tree
af_unix: Do not use atomic ops for unix_sk(sk)->inflight.
af_unix: Fix garbage collector racing against connect()
net: ena: Fix potential sign extension issue
btrfs: qgroup: correctly model root qgroup rsv in convert
drm/client: Fully protect modes[] with dev->mode_config.mutex
vhost: Add smp_rmb() in vhost_vq_avail_empty()
selftests: timers: Fix abs() warning in posix_timers test
x86/apic: Force native_apic_mem_read() to use the MOV instruction
btrfs: record delayed inode root in transaction
selftests/ftrace: Limit length in subsystem-enable tests
kprobes: Fix possible use-after-free issue on kprobe registration
Revert "tracing/trigger: Fix to return error if failed to alloc snapshot"
netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
tun: limit printing rate when illegal packet received by tun dev
RDMA/rxe: Fix the problem "mutex_destroy missing"
RDMA/mlx5: Fix port number for counter query in multi-port configuration
drm: nv04: Fix out of bounds access
clk: Remove prepare_lock hold assertion in __clk_release()
clk: Mark 'all_lists' as const
clk: remove extra empty line
clk: Print an info line before disabling unused clocks
clk: Initialize struct clk_core kref earlier
clk: Get runtime PM before walking tree during disable_unused
x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ
binder: check offset alignment in binder_get_object()
comedi: vmk80xx: fix incomplete endpoint checking
serial/pmac_zilog: Remove flawed mitigation for rx irq flood
USB: serial: option: add Fibocom FM135-GL variants
USB: serial: option: add support for Fibocom FM650/FG650
USB: serial: option: add Lonsung U8300/U9300 product
USB: serial: option: support Quectel EM060K sub-models
USB: serial: option: add Rolling RW101-GL and RW135-GL support
USB: serial: option: add Telit FN920C04 rmnet compositions
Revert "usb: cdc-wdm: close race between read and workqueue"
usb: dwc2: host: Fix dereference issue in DDMA completion flow.
usb: Disable USB3 LPM at shutdown
speakup: Avoid crash on very long word
fs: sysfs: Fix reference leak in sysfs_break_active_protection()
nouveau: fix instmem race condition around ptr stores
nilfs2: fix OOB in nilfs_set_de_type
KVM: async_pf: Cleanup kvm_setup_async_pf()
arm64: dts: rockchip: fix alphabetical ordering RK3399 puma
arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma
arm64: dts: mediatek: mt7622: fix IR nodename
arm64: dts: mediatek: mt7622: fix ethernet controller "compatible"
arm64: dts: mediatek: mt7622: drop "reset-names" from thermal block
arm64: dts: mt2712: add ethernet device node
arm64: dts: mediatek: mt2712: fix validation errors
ARC: [plat-hsdk]: Remove misplaced interrupt-cells property
vxlan: drop packets from invalid src-address
mlxsw: core: Unregister EMAD trap using FORWARD action
NFC: trf7970a: disable all regulators on removal
net: usb: ax88179_178a: stop lying about skb->truesize
net: gtp: Fix Use-After-Free in gtp_dellink
ipvs: Fix checksumming on GSO of SCTP packets
net: openvswitch: Fix Use-After-Free in ovs_ct_exit
mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash
mlxsw: spectrum_acl_tcam: Rate limit error message
mlxsw: spectrum_acl_tcam: Fix memory leak during rehash
mlxsw: spectrum_acl_tcam: Fix warning during rehash
mlxsw: spectrum_acl_tcam: Fix incorrect list API usage
mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work
i40e: Do not use WQ_MEM_RECLAIM flag for workqueue
iavf: Fix TC config comparison with existing adapter TC config
af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc().
serial: core: Provide port lock wrappers
serial: mxs-auart: add spinlock around changing cts state
drm/amdgpu: restrict bo mapping within gpu address limits
amdgpu: validate offset_in_bo of drm_amdgpu_gem_va
drm/amdgpu: validate the parameters of bo mapping operations more clearly
Revert "crypto: api - Disallow identical driver names"
net/mlx5e: Fix a race in command alloc flow
tracing: Show size of requested perf buffer
tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together
Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853
btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma
drm/amdgpu: Fix leak when GPU memory allocation fails
irqchip/gic-v3-its: Prevent double free on error
ethernet: Add helper for assigning packet type when dest address does not match device address
net: b44: set pause params only when interface is up
stackdepot: respect __GFP_NOLOCKDEP allocation flag
mtd: diskonchip: work around ubsan link failure
tcp: Clean up kernel listener's reqsk in inet_twsk_purge()
tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()
dmaengine: owl: fix register access functions
idma64: Don't try to serve interrupts when device is powered off
i2c: smbus: fix NULL function pointer dereference
HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up
bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS
dm: limit the number of targets and parameter size area
udp: preserve the connected status if only UDP cmsg
serial: core: fix kernel-doc for uart_port_unlock_irqrestore()
Linux 5.4.275
Change-Id: I0ebcbc604c4ef7fb2b1ce4d7a530f57e27a74cb6
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit aaef73821a3b0194a01bd23ca77774f704a04d40 upstream.
Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
txn") introduced changes to how binder objects are copied. In doing so,
it unintentionally removed an offset alignment check done through calls
to binder_alloc_copy_from_buffer() -> check_buffer().
These calls were replaced in binder_get_object() with copy_from_user(),
so now an explicit offset alignment check is needed here. This avoids
later complications when unwinding the objects gets harder.
It is worth noting this check existed prior to commit 7a67a39320
("binder: add function to copy binder object from buffer"), likely
removed due to redundancy at the time.
Fixes: 6d98eb95b450 ("binder: avoid potential data leakage when copying txn")
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20240330190115.1877819-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
https://source.android.com/docs/security/bulletin/2024-04-01
* tag 'ASB-2024-04-05_11-5.4' of https://android.googlesource.com/kernel/common:
FROMLIST: binder: check offset alignment in binder_get_object()
BACKPORT: f2fs: expose # of overprivision segments
ANDROID: GKI: Update symbol list for Zebra
ANDROID: GKI: db845c: Update symbols list and ABI
UPSTREAM: drm/msm/dsi: Enable runtime PM
UPSTREAM: PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend()
UPSTREAM: PM: runtime: add devm_pm_runtime_enable helper
Change-Id: Ie646a1c4ae01dacb93625c5ef26283c0d9f5df33
Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
txn") introduced changes to how binder objects are copied. In doing so,
it unintentionally removed an offset alignment check done through calls
to binder_alloc_copy_from_buffer() -> check_buffer().
These calls were replaced in binder_get_object() with copy_from_user(),
so now an explicit offset alignment check is needed here. This avoids
later complications when unwinding the objects gets harder.
It is worth noting this check existed prior to commit 7a67a39320
("binder: add function to copy binder object from buffer"), likely
removed due to redundancy at the time.
Fixes: 6d98eb95b450 ("binder: avoid potential data leakage when copying txn")
Cc: <stable@vger.kernel.org>
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 320661088
Link: https://lore.kernel.org/all/20240330190115.1877819-1-cmllamas@google.com/
Change-Id: Iaddabaa28de7ba7b7d35dbb639d38ca79dbc5077
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Merge 5.4.269 into android11-5.4-lts
Changes in 5.4.269
PCI: mediatek: Clear interrupt status before dispatching handler
include/linux/units.h: add helpers for kelvin to/from Celsius conversion
units: Add Watt units
units: change from 'L' to 'UL'
units: add the HZ macros
serial: sc16is7xx: set safe default SPI clock frequency
spi: introduce SPI_MODE_X_MASK macro
serial: sc16is7xx: add check for unsupported SPI modes during probe
ext4: allow for the last group to be marked as trimmed
crypto: api - Disallow identical driver names
PM: hibernate: Enforce ordering during image compression/decompression
hwrng: core - Fix page fault dead lock on mmap-ed hwrng
rpmsg: virtio: Free driver_override when rpmsg_remove()
parisc/firmware: Fix F-extend for PDC addresses
arm64: dts: qcom: sdm845: fix USB wakeup interrupt types
mmc: core: Use mrq.sbc in close-ended ffu
nouveau/vmm: don't set addr on the fail path to avoid warning
ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path
rename(): fix the locking of subdirectories
block: Remove special-casing of compound pages
mtd: spinand: macronix: Fix MX35LFxGE4AD page size
fs: add mode_strip_sgid() helper
fs: move S_ISGID stripping into the vfs_*() helpers
powerpc: Use always instead of always-y in for crtsavres.o
x86/CPU/AMD: Fix disabling XSAVES on AMD family 0x17 due to erratum
net/smc: fix illegal rmb_desc access in SMC-D connection dump
vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING
llc: make llc_ui_sendmsg() more robust against bonding changes
llc: Drop support for ETH_P_TR_802_2.
net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
tracing: Ensure visibility when inserting an element into tracing_map
afs: Hide silly-rename files from userspace
tcp: Add memory barrier to tcp_push()
netlink: fix potential sleeping issue in mqueue_flush_file
net/mlx5: DR, Use the right GVMI number for drop action
net/mlx5: Use kfree(ft->g) in arfs_create_groups()
net/mlx5e: fix a double-free in arfs_create_groups
netfilter: nf_tables: restrict anonymous set and map names to 16 bytes
netfilter: nf_tables: validate NFPROTO_* family
fjes: fix memleaks in fjes_hw_setup
net: fec: fix the unhandled context fault from smmu
btrfs: ref-verify: free ref cache before clearing mount opt
btrfs: tree-checker: fix inline ref size in error messages
btrfs: don't warn if discard range is not aligned to sector
btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args
rbd: don't move requests to the running list on errors
netfilter: nf_tables: reject QUEUE/DROP verdict parameters
gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04
drm: Don't unref the same fb many times by mistake due to deadlock handling
drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking
drm/bridge: nxp-ptn3460: simplify some error checking
drm/exynos: fix accidental on-stack copy of exynos_drm_plane
drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume
gpio: eic-sprd: Clear interrupt after set the interrupt type
spi: bcm-qspi: fix SFDP BFPT read by usig mspi read
mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan
tick/sched: Preserve number of idle sleeps across CPU hotplug events
x86/entry/ia32: Ensure s32 is sign extended to s64
powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
powerpc: Fix build error due to is_valid_bugaddr()
powerpc/mm: Fix build failures due to arch_reserved_kernel_pages()
powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE
powerpc/lib: Validate size for vector operations
x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel
perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file
regulator: core: Only increment use_count when enable_count changes
audit: Send netlink ACK before setting connection in auditd_set
ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop
PNP: ACPI: fix fortify warning
ACPI: extlog: fix NULL pointer dereference check
FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree
UBSAN: array-index-out-of-bounds in dtSplitRoot
jfs: fix slab-out-of-bounds Read in dtSearch
jfs: fix array-index-out-of-bounds in dbAdjTree
jfs: fix uaf in jfs_evict_inode
pstore/ram: Fix crash when setting number of cpus to an odd number
crypto: stm32/crc32 - fix parsing list of devices
afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*()
rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock()
jfs: fix array-index-out-of-bounds in diNewExt
s390/ptrace: handle setting of fpc register correctly
KVM: s390: fix setting of fpc register
SUNRPC: Fix a suspicious RCU usage warning
ecryptfs: Reject casefold directory inodes
ext4: fix inconsistent between segment fstrim and full fstrim
ext4: unify the type of flexbg_size to unsigned int
ext4: remove unnecessary check from alloc_flex_gd()
ext4: avoid online resizing failures due to oversized flex bg
wifi: rt2x00: restart beacon queue when hardware reset
selftests/bpf: satisfy compiler by having explicit return in btf test
selftests/bpf: Fix pyperf180 compilation failure with clang18
scsi: lpfc: Fix possible file string name overflow when updating firmware
PCI: Add no PM reset quirk for NVIDIA Spectrum devices
bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk
ARM: dts: imx7d: Fix coresight funnel ports
ARM: dts: imx7s: Fix lcdif compatible
ARM: dts: imx7s: Fix nand-controller #size-cells
wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
bpf: Add map and need_defer parameters to .map_fd_put_ptr()
scsi: libfc: Don't schedule abort twice
scsi: libfc: Fix up timeout error in fc_fcp_rec_error()
ARM: dts: rockchip: fix rk3036 hdmi ports node
ARM: dts: imx25/27-eukrea: Fix RTC node name
ARM: dts: imx: Use flash@0,0 pattern
ARM: dts: imx27: Fix sram node
ARM: dts: imx1: Fix sram node
ARM: dts: imx25/27: Pass timing0
ARM: dts: imx27-apf27dev: Fix LED name
ARM: dts: imx23-sansa: Use preferred i2c-gpios properties
ARM: dts: imx23/28: Fix the DMA controller node name
block: prevent an integer overflow in bvec_try_merge_hw_page
md: Whenassemble the array, consult the superblock of the freshest device
arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property
arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property
wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices
wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()
wifi: cfg80211: free beacon_ies when overridden from hidden BSS
f2fs: fix to check return value of f2fs_reserve_new_block()
ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument
fast_dput(): handle underflows gracefully
RDMA/IPoIB: Fix error code return in ipoib_mcast_join
drm/drm_file: fix use of uninitialized variable
drm/framebuffer: Fix use of uninitialized variable
drm/mipi-dsi: Fix detach call without attach
media: stk1160: Fixed high volume of stk1160_dbg messages
media: rockchip: rga: fix swizzling for RGB formats
PCI: add INTEL_HDA_ARL to pci_ids.h
ALSA: hda: Intel: add HDA_ARL PCI ID support
drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time
IB/ipoib: Fix mcast list locking
media: ddbridge: fix an error code problem in ddb_probe
drm/msm/dpu: Ratelimit framedone timeout msgs
clk: hi3620: Fix memory leak in hi3620_mmc_clk_init()
clk: mmp: pxa168: Fix memory leak in pxa168_clk_init()
drm/amdgpu: Let KFD sync with VM fences
drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()'
leds: trigger: panic: Don't register panic notifier if creating the trigger failed
um: Fix naming clash between UML and scheduler
um: Don't use vfprintf() for os_info()
um: net: Fix return type of uml_net_start_xmit()
i3c: master: cdns: Update maximum prescaler value for i2c clock
mfd: ti_am335x_tscadc: Fix TI SoC dependencies
PCI: Only override AMD USB controller if required
PCI: switchtec: Fix stdev_release() crash after surprise hot remove
usb: hub: Replace hardcoded quirk value with BIT() macro
fs/kernfs/dir: obey S_ISGID
PCI/AER: Decode Requester ID when no error info found
libsubcmd: Fix memory leak in uniq()
virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings
blk-mq: fix IO hang from sbitmap wakeup race
ceph: fix deadlock or deadcode of misusing dget()
drm/amdgpu: Release 'adev->pm.fw' before return in 'amdgpu_device_need_post()'
perf: Fix the nr_addr_filters fix
wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update
scsi: isci: Fix an error code problem in isci_io_request_build()
net: remove unneeded break
ixgbe: Remove non-inclusive language
ixgbe: Refactor returning internal error codes
ixgbe: Refactor overtemp event handling
ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()
ipv6: Ensure natural alignment of const ipv6 loopback and router addresses
llc: call sock_orphan() at release time
netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger
netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations
net: ipv4: fix a memleak in ip_setup_cork
af_unix: fix lockdep positive in sk_diag_dump_icons()
net: sysfs: Fix /sys/class/net/<iface> path
HID: apple: Add support for the 2021 Magic Keyboard
HID: apple: Swap the Fn and Left Control keys on Apple keyboards
HID: apple: Add 2021 magic keyboard FN key mapping
bonding: remove print in bond_verify_device_path
dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA
dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA
phy: renesas: rcar-gen3-usb2: Fix returning wrong error code
dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV
phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP
net: stmmac: xgmac: fix handling of DPP safety error for DMA channels
selftests: net: avoid just another constant wait
atm: idt77252: fix a memleak in open_card_ubr0
hwmon: (aspeed-pwm-tacho) mutex for tach reading
hwmon: (coretemp) Fix out-of-bounds memory access
hwmon: (coretemp) Fix bogus core_id to attr name mapping
inet: read sk->sk_family once in inet_recv_error()
rxrpc: Fix response to PING RESPONSE ACKs to a dead call
tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()
ppp_async: limit MRU to 64K
netfilter: nft_compat: reject unused compat flag
netfilter: nft_compat: restrict match/target protocol to u16
netfilter: nft_ct: reject direction for ct id
net/af_iucv: clean up a try_then_request_module()
USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e
USB: serial: option: add Fibocom FM101-GL variant
USB: serial: cp210x: add ID for IMST iM871A-USB
hrtimer: Report offline hrtimer enqueue
Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID
vhost: use kzalloc() instead of kmalloc() followed by memset()
net: stmmac: xgmac: use #define for string constants
net: stmmac: xgmac: fix a typo of register name in DPP safety handling
netfilter: nft_set_rbtree: skip end interval element from gc
btrfs: forbid creating subvol qgroups
btrfs: forbid deleting live subvol qgroup
btrfs: send: return EOPNOTSUPP on unknown flags
of: unittest: add overlay gpio test to catch gpio hog problem
of: unittest: Fix compile in the non-dynamic case
spi: ppc4xx: Drop write-only variable
ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler
i40e: Fix waiting for queues of all VSIs to be disabled
tracing/trigger: Fix to return error if failed to alloc snapshot
mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again
HID: wacom: generic: Avoid reporting a serial of '0' to userspace
HID: wacom: Do not register input devices until after hid_hw_start
USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT
usb: f_mass_storage: forbid async queue when shutdown happen
i2c: i801: Remove i801_set_block_buffer_mode
i2c: i801: Fix block process call transactions
scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock"
firewire: core: correct documentation of fw_csr_string() kernel API
kbuild: Fix changing ELF file type for output of gen_btf for big endian
nfc: nci: free rx_data_reassembly skb on NCI device cleanup
xen-netback: properly sync TX responses
ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL
binder: signal epoll threads of self-work
misc: fastrpc: Mark all sessions as invalid in cb_remove
ext4: fix double-free of blocks due to wrong extents moved_len
tracing: Fix wasted memory in saved_cmdlines logic
staging: iio: ad5933: fix type mismatch regression
iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC
ring-buffer: Clean ring_buffer_poll_wait() error return
serial: max310x: set default value when reading clock ready bit
serial: max310x: improve crystal stable clock detection
x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6
x86/mm/ident_map: Use gbpages only where full GB page should be mapped.
mmc: slot-gpio: Allow non-sleeping GPIO ro
ALSA: hda/conexant: Add quirk for SWS JS201D
nilfs2: fix data corruption in dsync block recovery for small block sizes
nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
nfp: use correct macro for LengthSelect in BAR config
nfp: flower: prevent re-adding mac index for bonded port
irqchip/irq-brcmstb-l2: Add write memory barrier before exit
can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
pmdomain: core: Move the unused cleanup to a _sync initcall
tracing: Inform kmemleak of saved_cmdlines allocation
Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
bus: moxtet: Add spi device table
arch, mm: remove stale mentions of DISCONIGMEM
mips: Fix max_mapnr being uninitialized on early stages
KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache
netfilter: ipset: fix performance regression in swap operation
netfilter: ipset: Missing gc cancellations fixed
net: prevent mss overflow in skb_segment()
sched/membarrier: reduce the ability to hammer on sys_membarrier
nilfs2: fix potential bug in end_buffer_async_write
PM: runtime: add devm_pm_runtime_enable helper
PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend()
drm/msm/dsi: Enable runtime PM
lsm: new security_file_ioctl_compat() hook
netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
Revert "Revert "mtd: rawnand: gpmi: Fix setting busy timeout setting""
net: bcmgenet: Fix EEE implementation
of: unittest: fix EXPECT text for gpio hog errors
of: gpio unittest kfree() wrong object
Linux 5.4.269
Change-Id: Iedabcdbe95a83593f102e237f2a80d2fc7206669
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 97830f3c3088638ff90b20dfba2eb4d487bf14d7 upstream.
In (e)poll mode, threads often depend on I/O events to determine when
data is ready for consumption. Within binder, a thread may initiate a
command via BINDER_WRITE_READ without a read buffer and then make use
of epoll_wait() or similar to consume any responses afterwards.
It is then crucial that epoll threads are signaled via wakeup when they
queue their own work. Otherwise, they risk waiting indefinitely for an
event leaving their work unhandled. What is worse, subsequent commands
won't trigger a wakeup either as the thread has pending work.
Fixes: 457b9a6f09 ("Staging: android: add binder driver")
Cc: Arve Hjønnevåg <arve@android.com>
Cc: Martijn Coenen <maco@android.com>
Cc: Alice Ryhl <aliceryhl@google.com>
Cc: Steven Moreland <smoreland@google.com>
Cc: stable@vger.kernel.org # v4.19+
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20240131215347.1808751-1-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* 'android11-5.4-lts' of https://android.googlesource.com/kernel/common:
FROMGIT: clk: qcom: gcc-sdm845: Add soft dependency on rpmhpd
Linux 5.4.268
arm64: dts: armada-3720-turris-mox: set irq type for RTC
perf top: Skip side-band event setup if HAVE_LIBBPF_SUPPORT is not set
i2c: s3c24xx: fix transferring more than one message in polling mode
i2c: s3c24xx: fix read transfers in polling mode
mlxsw: spectrum_acl_erp: Fix error flow of pool allocation failure
kdb: Fix a potential buffer overflow in kdb_local()
kdb: Censor attempts to set PROMPT without ENABLE_MEM_READ
ipvs: avoid stat macros calls from preemptible context
netfilter: nf_tables: skip dead set elements in netlink dump
net: dsa: vsc73xx: Add null pointer check to vsc73xx_gpio_probe
net: ravb: Fix dma_addr_t truncation in error case
net: phy: micrel: populate .soft_reset for KSZ9131
net: qualcomm: rmnet: fix global oob in rmnet_policy
s390/pci: fix max size calculation in zpci_memcpy_toio()
PCI: keystone: Fix race condition when initializing PHYs
nvmet-tcp: Fix the H2C expected PDU len calculation
serial: imx: Correct clock error message in function probe()
apparmor: avoid crash when parsed profile name is empty
perf env: Avoid recursively taking env->bpf_progs.lock
perf bpf: Decouple creating the evlist from adding the SB event
perf top: Move sb_evlist to 'struct perf_top'
perf record: Move sb_evlist to 'struct record'
perf env: Add perf_env__numa_node()
nvmet-tcp: fix a crash in nvmet_req_complete()
nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length
perf genelf: Set ELF program header addresses properly
software node: Let args be NULL in software_node_get_reference_args
acpi: property: Let args be NULL in __acpi_node_get_property_reference
serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed
MIPS: Alchemy: Fix an out-of-bound access in db1550_dev_setup()
MIPS: Alchemy: Fix an out-of-bound access in db1200_dev_setup()
mips: Fix incorrect max_low_pfn adjustment
HID: wacom: Correct behavior when processing some confidence == false touches
x86/kvm: Do not try to disable kvmclock if it was not enabled
wifi: mwifiex: configure BSSID consistently when starting AP
wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW accessors
wifi: rtlwifi: Remove bogus and dangerous ASPM disable/enable code
rootfs: Fix support for rootfstype= when root= is given
fbdev: flush deferred work in fb_deferred_io_fsync()
ALSA: oxygen: Fix right channel of capture volume mixer
usb: mon: Fix atomicity violation in mon_bin_vma_fault
usb: typec: class: fix typec_altmode_put_partner to put plugs
Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs"
usb: chipidea: wait controller resume finished for wakeup irq
Revert "usb: dwc3: don't reset device side if dwc3 was configured as host-only"
Revert "usb: dwc3: Soft reset phy on probe for host"
usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart
usb: phy: mxs: remove CONFIG_USB_OTG condition for mxs_phy_is_otg_host()
tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug
binder: fix unused alloc->free_async_space
binder: fix race between mmput() and do_exit()
xen-netback: don't produce zero-size SKB frags
Revert "ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek"
Input: atkbd - use ab83 as id when skipping the getid command
binder: fix use-after-free in shinker's callback
binder: fix async space check for 0-sized buffers
of: unittest: Fix of_count_phandle_with_args() expected value message
of: Fix double free in of_parse_phandle_with_args_map
mmc: sdhci_omap: Fix TI SoC dependencies
clk: si5341: fix an error code problem in si5341_output_clk_set_rate
watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling
watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO
watchdog: set cdev owner before adding
drivers: clk: zynqmp: calculate closest mux rate
gpu/drm/radeon: fix two memleaks in radeon_vm_init
drivers/amd/pm: fix a use-after-free in kv_parse_power_table
drm/amd/pm: fix a double-free in si_dpm_init
drm/amdgpu/debugfs: fix error code when smc register accessors are NULL
media: dvbdev: drop refcount on error path in dvb_device_open()
media: cx231xx: fix a memleak in cx231xx_init_isoc
drm/bridge: tc358767: Fix return value on error case
drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table
drm/radeon/dpm: fix a memleak in sumo_parse_power_table
drm/radeon: check the alloc_workqueue return value in radeon_crtc_init()
drm/drv: propagate errors from drm_modeset_register_all()
drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks
drm/msm/mdp4: flush vblank event on disable
ASoC: cs35l34: Fix GPIO name and drop legacy include
ASoC: cs35l33: Fix GPIO name and drop legacy include
drm/radeon: check return value of radeon_ring_lock()
drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check()
drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg()
f2fs: fix to avoid dirent corruption
drm/bridge: Fix typo in post_disable() description
media: pvrusb2: fix use after free on context disconnection
RDMA/usnic: Silence uninitialized symbol smatch warnings
ARM: davinci: always select CONFIG_CPU_ARM926T
ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()
Bluetooth: btmtkuart: fix recv_buf() return value
Bluetooth: Fix bogus check for re-auth no supported with non-ssp
netfilter: nf_tables: mark newset as dead on transaction abort
wifi: rtlwifi: rtl8192se: using calculate_bit_shift()
wifi: rtlwifi: rtl8192ee: using calculate_bit_shift()
wifi: rtlwifi: rtl8192de: using calculate_bit_shift()
rtlwifi: rtl8192de: make arrays static const, makes object smaller
wifi: rtlwifi: rtl8192ce: using calculate_bit_shift()
wifi: rtlwifi: rtl8192cu: using calculate_bit_shift()
wifi: rtlwifi: rtl8192c: using calculate_bit_shift()
wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift()
wifi: rtlwifi: add calculate_bit_shift()
dma-mapping: clear dev->dma_mem to NULL after freeing it
virtio/vsock: fix logic which reduces credit update messages
selftests/net: fix grep checking for fib_nexthop_multiprefix
scsi: hisi_sas: Replace with standard error code return value
arm64: dts: qcom: sdm845-db845c: correct LED panic indicator
scsi: fnic: Return error if vmalloc() failed
wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior
rtlwifi: Use ffs in <foo>_phy_calculate_bit_shift
firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create()
net/ncsi: Fix netlink major/minor version numbers
ncsi: internal.h: Fix a spello
ARM: dts: qcom: apq8064: correct XOADC register address
wifi: libertas: stop selecting wext
bpf, lpm: Fix check prefixlen before walking trie
wifi: rtw88: fix RX filter in FIF_ALLMULTI flag
NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT
blocklayoutdriver: Fix reference leak of pnfs_device_node
crypto: scomp - fix req->dst buffer overflow
crypto: sahara - do not resize req->src when doing hash operations
crypto: sahara - fix processing hash requests with req->nbytes < sg->length
crypto: sahara - improve error handling in sahara_sha_process()
crypto: sahara - fix wait_for_completion_timeout() error handling
crypto: sahara - fix ahash reqsize
crypto: virtio - Wait for tasklet to complete on device remove
gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump
pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()
crypto: sahara - fix error handling in sahara_hw_descriptor_create()
crypto: sahara - fix processing requests with cryptlen < sg->length
crypto: sahara - fix ahash selftest failure
crypto: sahara - remove FLAGS_NEW_KEY logic
crypto: af_alg - Disallow multiple in-flight AIO requests
crypto: ccp - fix memleak in ccp_init_dm_workarea
virtio_crypto: Introduce VIRTIO_CRYPTO_NOSPC
crypto: virtio - don't use 'default m'
crypto: virtio - Handle dataq logic with tasklet
selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket
mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
spi: sh-msiof: Enforce fixed DTDL for R-Car H3
calipso: fix memory leak in netlbl_calipso_add_pass()
netlabel: remove unused parameter in netlbl_netlink_auditinfo()
net: netlabel: Fix kerneldoc warnings
ACPI: LPIT: Avoid u32 multiplication overflow
ACPI: video: check for error while searching for backlight device parent
mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller response
powerpc/imc-pmu: Add a null pointer check in update_events_in_group()
powerpc/powernv: Add a null pointer check in opal_powercap_init()
powerpc/powernv: Add a null pointer check in opal_event_init()
powerpc/powernv: Add a null pointer check to scom_debug_init_one()
selftests/powerpc: Fix error handling in FPU/VMX preemption tests
powerpc/pseries/memhp: Fix access beyond end of drmem array
powerpc/pseries/memhotplug: Quieten some DLPAR operations
powerpc/44x: select I2C for CURRITUCK
powerpc: add crtsavres.o to always-y instead of extra-y
EDAC/thunderx: Fix possible out-of-bounds string access
x86/lib: Fix overflow when counting digits
coresight: etm4x: Fix width of CCITMIN field
parport: parport_serial: Add Brainboxes device IDs and geometry
parport: parport_serial: Add Brainboxes BAR details
uio: Fix use-after-free in uio_open
binder: fix comment on binder_alloc_new_buf() return value
binder: fix trivial typo of binder_free_buf_locked()
binder: use EPOLLERR from eventpoll.h
ACPI: resource: Add another DMI match for the TongFang GMxXGxx
drm/crtc: fix uninitialized variable use
ARM: sun9i: smp: fix return code check of of_property_match_string
ida: Fix crash in ida_free when the bitmap is empty
Input: xpad - add Razer Wolverine V2 support
ARC: fix spare error
s390/scm: fix virtual vs physical address confusion
Input: i8042 - add nomux quirk for Acer P459-G2-M
Input: atkbd - skip ATKBD_CMD_GETID in translated mode
reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning
ring-buffer: Do not record in NMI if the arch does not support cmpxchg in NMI
tracing: Add size check when printing trace_marker output
tracing: Have large events show up as '[LINE TOO BIG]' instead of nothing
neighbour: Don't let neigh_forced_gc() disable preemption for long
drm/crtc: Fix uninit-value bug in drm_mode_setcrtc
jbd2: correct the printing of write_flags in jbd2_write_superblock()
clk: rockchip: rk3128: Fix HCLK_OTG gate register
drm/exynos: fix a wrong error checking
drm/exynos: fix a potential error pointer dereference
nvme: introduce helper function to get ctrl state
ASoC: da7219: Support low DC impedance headset
net/tg3: fix race condition in tg3_reset_task()
nouveau/tu102: flush all pdbs on vmm flush
ASoC: rt5650: add mutex to avoid the jack detection failure
ASoC: cs43130: Fix incorrect frame delay configuration
ASoC: cs43130: Fix the position of const qualifier
ASoC: Intel: Skylake: mem leak in skl register function
ASoC: nau8822: Fix incorrect type in assignment and cast to restricted __be16
ASoC: Intel: Skylake: Fix mem leak in few functions
ALSA: hda - Fix speaker and headset mic pin config for CHUWI CoreBook XPro
pinctrl: lochnagar: Don't build on MIPS
f2fs: explicitly null-terminate the xattr list
Revert "ipv6: make ip6_rt_gc_expire an atomic_t"
Revert "ipv6: remove max_size check inline with ipv4"
Linux 5.4.267
ASoC: meson: codec-glue: fix pcm format cast warning
ipv6: remove max_size check inline with ipv4
ipv6: make ip6_rt_gc_expire an atomic_t
net/dst: use a smaller percpu_counter batch for dst entries accounting
PCI: Disable ATS for specific Intel IPU E2000 devices
PCI: Extract ATS disabling to a helper function
netfilter: nf_tables: Reject tables of unsupported family
net: tls, update curr on splice as well
ath10k: Get rid of "per_ce_irq" hw param
ath10k: Keep track of which interrupts fired, don't poll them
ath10k: Add interrupt summary based CE processing
ath10k: Wait until copy complete is actually done before completing
mmc: sdhci-sprd: Fix eMMC init failure after hw reset
mmc: core: Cancel delayed work before releasing host
mmc: rpmb: fixes pause retune on all RPMB partitions.
mm: fix unmap_mapping_range high bits shift bug
i2c: core: Fix atomic xfer check for non-preempt config
firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines and ASM108x/VT630x PCIe cards
mm/memory-failure: check the mapcount of the precise page
net: Implement missing SO_TIMESTAMPING_NEW cmsg support
bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters()
asix: Add check for usbnet_get_endpoints
net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues
net/qla3xxx: switch from 'pci_' to 'dma_' API
i40e: Restore VF MSI-X state during PCI reset
ASoC: meson: g12a-tohdmitx: Fix event generation for S/PDIF mux
ASoC: meson: g12a-tohdmitx: Validate written enum values
ASoC: meson: g12a: extract codec-to-codec utils
i40e: fix use-after-free in i40e_aqc_add_filters()
net: Save and restore msg_namelen in sock_sendmsg
net: bcmgenet: Fix FCS generation for fragmented skbuffs
ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init
net-timestamp: extend SOF_TIMESTAMPING_OPT_ID to HW timestamps
can: raw: add support for SO_MARK
can: raw: add support for SO_TXTIME/SCM_TXTIME
net: sched: em_text: fix possible memory leak in em_text_destroy()
i40e: Fix filter input checks to prevent config with invalid values
nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local
ANDROID: db845c: Enable device tree overlay support
Linux 5.4.266
block: Don't invalidate pagecache for invalid falloc modes
ring-buffer: Fix wake ups when buffer_percent is set to 100
smb: client: fix OOB in smbCalcSize()
usb: fotg210-hcd: delete an incorrect bounds test
x86/alternatives: Sync core before enabling interrupts
net: rfkill: gpio: set GPIO direction
net: 9p: avoid freeing uninit memory in p9pdu_vreadf
Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent
USB: serial: option: add Quectel RM500Q R13 firmware support
USB: serial: option: add Foxconn T99W265 with new baseline
USB: serial: option: add Quectel EG912Y module support
USB: serial: ftdi_sio: update Actisense PIDs constant names
wifi: cfg80211: fix certs build to not depend on file order
wifi: cfg80211: Add my certificate
iio: adc: ti_am335x_adc: Fix return value check of tiadc_request_dma()
iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time table
scsi: bnx2fc: Fix skb double free in bnx2fc_rcv()
Input: ipaq-micro-keys - add error handling for devm_kmemdup
iio: imu: inv_mpu6050: fix an error code problem in inv_mpu6050_read_raw
interconnect: Treat xlate() returning NULL node as an error
btrfs: do not allow non subvolume root targets for snapshot
smb: client: fix NULL deref in asn1_ber_decoder()
ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB
ALSA: hda/hdmi: Add quirk to force pin connectivity on NUC10
pinctrl: at91-pio4: use dedicated lock class for IRQ
i2c: aspeed: Handle the coalesced stop conditions with the start conditions.
afs: Fix overwriting of result of DNS query
net: check dev->gso_max_size in gso_features_check()
net: warn if gso_type isn't set for a GSO SKB
afs: Fix dynamic root lookup DNS check
afs: Fix the dynamic root's d_delete to always delete unused dentries
net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev()
net/rose: fix races in rose_kill_by_device()
ethernet: atheros: fix a memleak in atl1e_setup_ring_resources
net: sched: ife: fix potential use-after-free
net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors
net/mlx5: Fix fw tracer first block check
net/mlx5: improve some comments
Revert "net/mlx5e: fix double free of encap_header"
wifi: mac80211: mesh_plink: fix matches_local logic
s390/vx: fix save/restore of fpu kernel context
reset: Fix crash when freeing non-existent optional resets
ARM: OMAP2+: Fix null pointer dereference and memory leak in omap_soc_device_init
ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE
ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5
ANDROID: GKI: fix crc issue in include/net/addrconf.h
Revert "cred: switch to using atomic_long_t"
Linux 5.4.265
powerpc/ftrace: Fix stack teardown in ftrace_no_trace
powerpc/ftrace: Create a dummy stackframe to fix stack unwind
mmc: block: Be sure to wait while busy in CQE error recovery
ring-buffer: Fix memory leak of free page
team: Fix use-after-free when an option instance allocation fails
arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify
ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS
soundwire: stream: fix NULL pointer dereference for multi_link
perf: Fix perf_event_validate_size() lockdep splat
HID: hid-asus: add const to read-only outgoing usb buffer
net: usb: qmi_wwan: claim interface 4 for ZTE MF290
asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation
HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad
HID: hid-asus: reset the backlight brightness level on resume
HID: add ALWAYS_POLL quirk for Apple kb
platform/x86: intel_telemetry: Fix kernel doc descriptions
bcache: avoid NULL checking to c->root in run_cache_set()
bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc()
bcache: avoid oversize memory allocation by small stripe_size
blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!"
usb: aqc111: check packet for fixup for true limit
Revert "PCI: acpiphp: Reassign resources on bridge if necessary"
ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants
cred: switch to using atomic_long_t
appletalk: Fix Use-After-Free in atalk_ioctl
net: stmmac: Handle disabled MDIO busses from devicetree
net: stmmac: use dev_err_probe() for reporting mdio bus registration failure
vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space()
sign-file: Fix incorrect return values check
net: Remove acked SYN flag from packet in the transmit queue correctly
qed: Fix a potential use-after-free in qed_cxt_tables_alloc
net/rose: Fix Use-After-Free in rose_ioctl
atm: Fix Use-After-Free in do_vcc_ioctl
atm: solos-pci: Fix potential deadlock on &tx_queue_lock
atm: solos-pci: Fix potential deadlock on &cli_queue_lock
qca_spi: Fix reset behavior
qca_debug: Fix ethtool -G iface tx behavior
qca_debug: Prevent crash on TX ring changes
net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX
afs: Fix refcount underflow from error handling race
Revert "psample: Require 'CAP_NET_ADMIN' when joining "packets" group"
Revert "mmc: core: add helpers mmc_regulator_enable/disable_vqmmc"
Revert "mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled"
Revert "genetlink: add CAP_NET_ADMIN test for multicast bind"
Revert "drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group"
Revert "perf/core: Add a new read format to get a number of lost samples"
Revert "perf: Fix perf_event_validate_size()"
Revert "hrtimers: Push pending hrtimers away from outgoing CPU earlier"
Linux 5.4.264
devcoredump: Send uevent once devcd is ready
devcoredump : Serialize devcd_del work
smb: client: fix potential NULL deref in parse_dfs_referrals()
cifs: Fix non-availability of dedup breaking generic/304
Revert "btrfs: add dmesg output for first mount and last unmount of a filesystem"
tools headers UAPI: Sync linux/perf_event.h with the kernel sources
drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
psample: Require 'CAP_NET_ADMIN' when joining "packets" group
genetlink: add CAP_NET_ADMIN test for multicast bind
netlink: don't call ->netlink_bind with table lock held
io_uring/af_unix: disable sending io_uring over sockets
nilfs2: fix missing error check for sb_set_blocksize call
KVM: s390/mm: Properly reset no-dat
x86/CPU/AMD: Check vendor in the AMD microcode callback
serial: 8250_omap: Add earlycon support for the AM654 UART controller
serial: sc16is7xx: address RX timeout interrupt errata
ARM: PL011: Fix DMA support
usb: typec: class: fix typec_altmode_put_partner to put plugs
parport: Add support for Brainboxes IX/UC/PX parallel cards
usb: gadget: f_hid: fix report descriptor allocation
mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled
mmc: core: add helpers mmc_regulator_enable/disable_vqmmc
gpiolib: sysfs: Fix error handling on failed export
perf: Fix perf_event_validate_size()
perf/core: Add a new read format to get a number of lost samples
arm64: dts: mediatek: mt8173-evb: Fix regulator-fixed node names
arm64: dts: mediatek: mt7622: fix memory node warning check
packet: Move reference count in packet_sock to atomic_long_t
tracing: Fix a possible race when disabling buffered events
tracing: Fix incomplete locking when disabling buffered events
tracing: Always update snapshot buffer size
nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
ALSA: pcm: fix out-of-bounds in snd_pcm_state_names
ARM: dts: imx7: Declare timers compatible with fsl,imx6dl-gpt
ARM: dts: imx: make gpt node name generic
ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init
scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle()
tracing: Fix a warning when allocating buffered events fails
ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate
hwmon: (acpi_power_meter) Fix 4.29 MW bug
RDMA/bnxt_re: Correct module description string
bpf: sockmap, updating the sg structure should also update curr
tcp: do not accept ACK of bytes we never sent
netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
net: hns: fix fake link up on xge port
ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
arcnet: restoring support for multiple Sohard Arcnet cards
net: arcnet: com20020 fix error handling
net: arcnet: Fix RESET flag handling
hv_netvsc: rndis_filter needs to select NLS
ipv6: fix potential NULL deref in fib6_add()
of: dynamic: Fix of_reconfig_get_state_change() return value documentation
of: Add missing 'Return' section in kerneldoc comments
of: Fix kerneldoc output formatting
of: base: Fix some formatting issues and provide missing descriptions
of/irq: Make of_msi_map_rid() PCI bus agnostic
of/irq: make of_msi_map_get_device_domain() bus agnostic
of/iommu: Make of_map_rid() PCI agnostic
ACPI/IORT: Make iort_msi_map_rid() PCI agnostic
ACPI/IORT: Make iort_get_device_domain IRQ domain agnostic
of: base: Add of_get_cpu_state_node() to get idle states for a CPU node
drm/amdgpu: correct chunk_ptr to a pointer to chunk.
kconfig: fix memory leak from range properties
tg3: Increment tx_dropped in tg3_tso_bug()
tg3: Move the [rt]x_dropped counters to tg3_napi
netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test
hrtimers: Push pending hrtimers away from outgoing CPU earlier
Revert "HID: core: store the unique system identifier in hid_device"
Revert "HID: fix HID device resource race between HID core and debugging support"
Linux 5.4.263
mmc: block: Retry commands in CQE error recovery
mmc: core: convert comma to semicolon
mmc: cqhci: Fix task clearing in CQE error recovery
mmc: cqhci: Warn of halt or task clear failure
mmc: cqhci: Increase recovery halt timeout
cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily
cpufreq: imx6q: don't warn for disabling a non-existing frequency
scsi: qla2xxx: Fix system crash due to bad pointer access
scsi: qla2xxx: Use scsi_cmd_to_rq() instead of scsi_cmnd.request
scsi: core: Introduce the scsi_cmd_to_rq() function
scsi: qla2xxx: Simplify the code for aborting SCSI commands
ima: detect changes to the backing overlay file
ovl: skip overlayfs superblocks at global sync
ima: annotate iint mutex to avoid lockdep false positive warnings
fbdev: stifb: Make the STI next font pointer a 32-bit signed offset
mtd: cfi_cmdset_0001: Byte swap OTP info
mtd: cfi_cmdset_0001: Support the absence of protection registers
s390/cmma: fix detection of DAT pages
s390/mm: fix phys vs virt confusion in mark_kernel_pXd() functions family
smb3: fix touch -h of symlink
net: ravb: Start TX queues after HW initialization succeeded
net: ravb: Use pm_runtime_resume_and_get()
ravb: Fix races between ravb_tx_timeout_work() and net related ops
net: stmmac: xgmac: Disable FPE MMC interrupts
ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
Input: xpad - add HyperX Clutch Gladiate Support
btrfs: make error messages more clear when getting a chunk map
btrfs: send: ensure send_fd is writable
btrfs: fix off-by-one when checking chunk map includes logical address
btrfs: add dmesg output for first mount and last unmount of a filesystem
powerpc: Don't clobber f0/vs0 during fp|altivec register save
bcache: revert replacing IS_ERR_OR_NULL with IS_ERR
dm verity: don't perform FEC for failed readahead IO
dm-verity: align struct dm_verity_fec_io properly
ALSA: hda/realtek: Add supported ALC257 for ChromeOS
ALSA: hda/realtek: Headset Mic VREF to 100%
ALSA: hda: Disable power-save on KONTRON SinglePC
mmc: block: Do not lose cache flush during CQE error recovery
firewire: core: fix possible memory leak in create_units()
pinctrl: avoid reload of p state in list iteration
io_uring: fix off-by one bvec index
USB: dwc3: qcom: fix wakeup after probe deferral
USB: dwc3: qcom: fix resource leaks on probe deferral
usb: dwc3: set the dma max_seg_size
USB: dwc2: write HCINT with INTMASK applied
USB: serial: option: don't claim interface 4 for ZTE MF290
USB: serial: option: fix FM101R-GL defines
USB: serial: option: add Fibocom L7xx modules
bcache: prevent potential division by zero error
bcache: check return value from btree_node_alloc_replacement()
dm-delay: fix a race between delay_presuspend and delay_bio
hv_netvsc: Mark VF as slave before exposing it to user-mode
hv_netvsc: Fix race of register_netdevice_notifier and VF register
USB: serial: option: add Luat Air72*U series products
s390/dasd: protect device queue against concurrent access
bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in btree_gc_coalesce()
ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CVA
KVM: arm64: limit PMU version to PMUv3 for ARMv8.1
arm64: cpufeature: Extract capped perfmon fields
ext4: make sure allocate pending entry not fail
ext4: fix slab-use-after-free in ext4_es_insert_extent()
ext4: using nofail preallocation in ext4_es_insert_extent()
ext4: using nofail preallocation in ext4_es_insert_delayed_block()
ext4: using nofail preallocation in ext4_es_remove_extent()
ext4: use pre-allocated es in __es_remove_extent()
ext4: use pre-allocated es in __es_insert_extent()
ext4: factor out __es_alloc_extent() and __es_free_extent()
ext4: add a new helper to check if es must be kept
MIPS: KVM: Fix a build warning about variable set but not used
nvmet: nul-terminate the NQNs passed in the connect command
nvmet: remove unnecessary ctrl parameter
afs: Fix file locking on R/O volumes to operate in local mode
afs: Return ENOENT if no cell DNS record can be found
net: axienet: Fix check for partial TX checksum
amd-xgbe: propagate the correct speed and duplex status
amd-xgbe: handle the corner-case during tx completion
amd-xgbe: handle corner-case during sfp hotplug
arm/xen: fix xen_vcpu_info allocation alignment
net: usb: ax88179_178a: fix failed operations during ax88179_reset
ipv4: Correct/silence an endian warning in __ip_do_redirect
HID: fix HID device resource race between HID core and debugging support
HID: core: store the unique system identifier in hid_device
drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full
ata: pata_isapnp: Add missing error check for devm_ioport_map()
drm/panel: simple: Fix Innolux G101ICE-L01 timings
drm/panel: simple: Fix Innolux G101ICE-L01 bus flags
afs: Make error on cell lookup failure consistent with OpenAFS
PCI: keystone: Drop __init from ks_pcie_add_pcie_{ep,port}()
RDMA/irdma: Prevent zero-length STAG registration
driver core: Release all resources during unbind before updating device links
ANDROID: GKI: db845c: Update symbols list and ABI on rpmsg_register_device_override
Revert "tracing: Have trace_event_file have ref counters"
Linux 5.4.262
netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (for 5.4)
netfilter: nf_tables: disable toggling dormant table state more than once
netfilter: nf_tables: fix table flag updates
netfilter: nftables: update table flags from the commit phase
netfilter: nf_tables: double hook unregistration in netns path
netfilter: nf_tables: unregister flowtable hooks on netns exit
netfilter: nf_tables: fix memleak when more than 255 elements expired
netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration
netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention
netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
netfilter: nf_tables: defer gc run if previous batch is still pending
netfilter: nf_tables: use correct lock to protect gc_list
netfilter: nf_tables: GC transaction race with abort path
netfilter: nf_tables: GC transaction race with netns dismantle
netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
netfilter: nf_tables: remove busy mark and gc batch API
netfilter: nft_set_hash: mark set element as dead when deleting from packet path
netfilter: nf_tables: adapt set backend to use GC transaction API
netfilter: nf_tables: GC transaction API to avoid race with control plane
netfilter: nf_tables: don't skip expired elements during walk
netfilter: nft_set_rbtree: fix overlap expiration walk
netfilter: nft_set_rbtree: fix null deref on element insertion
netfilter: nft_set_rbtree: Switch to node list walk for overlap detection
netfilter: nf_tables: drop map element references from preparation phase
netfilter: nftables: rename set element data activation/deactivation functions
netfilter: nf_tables: pass context to nft_set_destroy()
tracing: Have trace_event_file have ref counters
drm/amdgpu: fix error handling in amdgpu_bo_list_get()
ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks
ext4: correct the start block of counting reserved clusters
ext4: correct return value of ext4_convert_meta_bg
ext4: correct offset of gdb backup in non meta_bg group to update_backups
ext4: apply umask if ACL support is disabled
Revert "net: r8169: Disable multicast filter for RTL8168H and RTL8107E"
nfsd: fix file memleak on client_opens_release
media: venus: hfi: add checks to handle capabilities from firmware
media: venus: hfi: fix the check to handle session buffer requirement
media: venus: hfi_parser: Add check to keep the number of codecs within range
media: sharp: fix sharp encoding
media: lirc: drop trailing space from scancode transmit
i2c: i801: fix potential race in i801_block_transaction_byte_by_byte
net: dsa: lan9303: consequently nested-lock physical MDIO
Revert ncsi: Propagate carrier gain/loss events to the NCSI controller
Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE
Bluetooth: btusb: Add RTW8852BE device 13d3:3570 to device tables
bluetooth: Add device 13d3:3571 to device tables
bluetooth: Add device 0bda:887b to device tables
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0cb8:0xc559
Bluetooth: btusb: add Realtek 8822CE to usb_device_id table
Bluetooth: btusb: Add flag to define wideband speech capability
tty: serial: meson: fix hard LOCKUP on crtscts mode
serial: meson: Use platform_get_irq() to get the interrupt
tty: serial: meson: retrieve port FIFO size from DT
serial: meson: remove redundant initialization of variable id
ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC
ALSA: info: Fix potential deadlock at disconnection
parisc/pgtable: Do not drop upper 5 address bits of physical address
parisc: Prevent booting 64-bit kernels on PA1.x machines
i3c: master: cdns: Fix reading status register
mm/cma: use nth_page() in place of direct struct page manipulation
dmaengine: stm32-mdma: correct desc prep when channel running
mcb: fix error handling for different scenarios when parsing
i2c: core: Run atomic i2c xfer when !preemptible
kernel/reboot: emergency_restart: Set correct system_state
quota: explicitly forbid quota files from being encrypted
jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev
btrfs: don't arbitrarily slow down delalloc if we're committing
PM: hibernate: Clean up sync_read handling in snapshot_write_next()
PM: hibernate: Use __get_safe_page() rather than touching the list
mmc: vub300: fix an error code
clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks
parisc/pdc: Add width field to struct pdc_model
PCI: keystone: Don't discard .probe() callback
PCI: keystone: Don't discard .remove() callback
genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware
mmc: meson-gx: Remove setting of CMD_CFG_ERROR
ACPI: resource: Do IRQ override on TongFang GMxXGxx
PCI/sysfs: Protect driver's D3cold preference from user space
hvc/xen: fix error path in xen_hvc_init() to always register frontend driver
audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare()
audit: don't take task_lock() in audit_exe_compare() code path
KVM: x86: Ignore MSR_AMD64_TW_CFG access
KVM: x86: hyper-v: Don't auto-enable stimer on write from user-space
x86/cpu/hygon: Fix the CPU topology evaluation for real
scsi: megaraid_sas: Increase register read retry rount from 3 to 30 for selected registers
bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END
randstruct: Fix gcc-plugin performance mode to stay in group
media: venus: hfi: add checks to perform sanity on queue pointers
cifs: spnego: add ';' in HOST_KEY_LEN
tools/power/turbostat: Fix a knl bug
macvlan: Don't propagate promisc change to lower dev in passthru
net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors
net/mlx5_core: Clean driver version and name
net/mlx5e: fix double free of encap_header
net: stmmac: fix rx budget limit check
net: stmmac: Rework stmmac_rx()
netfilter: nf_conntrack_bridge: initialize err to 0
net: ethernet: cortina: Fix MTU max setting
net: ethernet: cortina: Handle large frames
net: ethernet: cortina: Fix max RX frame define
bonding: stop the device in bond_setup_by_slave()
ptp: annotate data-race around q->head and q->tail
xen/events: fix delayed eoi list handling
ppp: limit MRU to 64K
tipc: Fix kernel-infoleak due to uninitialized TLV value
net: hns3: fix variable may not initialized problem in hns3_init_mac_addr()
tty: Fix uninit-value access in ppp_sync_receive()
ipvlan: add ipvlan_route_v6_outbound() helper
NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO
wifi: iwlwifi: Use FW rate for non-data frames
pwm: Fix double shift bug
ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings
kgdb: Flush console before entering kgdb on panic
drm/amd/display: Avoid NULL dereference of timing generator
media: cobalt: Use FIELD_GET() to extract Link Width
gfs2: ignore negated quota changes
media: vivid: avoid integer overflow
media: gspca: cpia1: shift-out-of-bounds in set_flicker
i2c: sun6i-p2wi: Prevent potential division by zero
usb: gadget: f_ncm: Always set current gadget in ncm_bind()
tty: vcc: Add check for kstrdup() in vcc_probe()
HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W
scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()
atm: iphase: Do PCI error checks on own line
PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields
ALSA: hda: Fix possible null-ptr-deref when assigning a stream
ARM: 9320/1: fix stack depot IRQ stack filter
jfs: fix array-index-out-of-bounds in diAlloc
jfs: fix array-index-out-of-bounds in dbFindLeaf
fs/jfs: Add validity check for db_maxag and db_agpref
fs/jfs: Add check for negative db_l2nbperpage
RDMA/hfi1: Use FIELD_GET() to extract Link Width
crypto: pcrypt - Fix hungtask for PADATA_RESET
selftests/efivarfs: create-read: fix a resource leak
drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL
drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7
drm/komeda: drop all currently held locks if deadlock happens
platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
Bluetooth: Fix double free in hci_conn_cleanup
wifi: ath10k: Don't touch the CE interrupt registers after power up
net: annotate data-races around sk->sk_dst_pending_confirm
net: annotate data-races around sk->sk_tx_queue_mapping
wifi: ath10k: fix clang-specific fortify warning
wifi: ath9k: fix clang-specific fortify warnings
wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
wifi: mac80211_hwsim: fix clang-specific fortify warning
x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware
clocksource/drivers/timer-imx-gpt: Fix potential memory leak
perf/core: Bail out early if the request AUX area is out of bound
locking/ww_mutex/test: Fix potential workqueue corruption
Revert "inet: shrink struct flowi_common"
Revert "ipvlan: properly track tx_errors"
ANDROID: fix up rpmsg_device ABI break
ANDROID: fix up platform_device ABI break
Linux 5.4.261
btrfs: use u64 for buffer sizes in the tree search ioctls
Revert "mmc: core: Capture correct oemid-bits for eMMC cards"
fbdev: fsl-diu-fb: mark wr_reg_wa() static
fbdev: imsttfb: fix a resource leak in probe
fbdev: imsttfb: Fix error path of imsttfb_probe()
spi: spi-zynq-qspi: add spi-mem to driver kconfig dependencies
drm/syncobj: fix DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE
netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses
netfilter: nft_redir: use `struct nf_nat_range2` throughout and deduplicate eval call-backs
netfilter: xt_recent: fix (increase) ipv6 literal buffer length
r8169: respect userspace disabling IFF_MULTICAST
tg3: power down device only on SYSTEM_POWER_OFF
net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT
net: stmmac: xgmac: Enable support for multiple Flexible PPS outputs
Fix termination state for idr_for_each_entry_ul()
net: r8169: Disable multicast filter for RTL8168H and RTL8107E
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
dccp: Call security_inet_conn_request() after setting IPv4 addresses.
inet: shrink struct flowi_common
tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
llc: verify mac len before reading mac header
Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume
pwm: sti: Reduce number of allocations and drop usage of chip_data
pwm: sti: Avoid conditional gotos
regmap: prevent noinc writes from clobbering cache
media: dvb-usb-v2: af9035: fix missing unlock
media: s3c-camif: Avoid inappropriate kfree()
media: bttv: fix use after free error due to btv->timeout timer
pcmcia: ds: fix possible name leak in error path in pcmcia_device_add()
pcmcia: ds: fix refcount leak in pcmcia_device_add()
pcmcia: cs: fix possible hung task and memory leak pccardd()
rtc: pcf85363: fix wrong mask/val parameters in regmap_update_bits call
i3c: Fix potential refcount leak in i3c_master_register_new_i3c_devs
powerpc/pseries: fix potential memory leak in init_cpu_associativity()
powerpc/imc-pmu: Use the correct spinlock initializer.
powerpc/xive: Fix endian conversion size
modpost: fix tee MODULE_DEVICE_TABLE built on big-endian host
f2fs: fix to initialize map.m_pblk in f2fs_precache_extents()
dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc()
USB: usbip: fix stub_dev hub disconnect
tools: iio: iio_generic_buffer ensure alignment
tools: iio: iio_generic_buffer: Fix some integer type and calculation
tools: iio: privatize globals and functions in iio_generic_buffer.c file
misc: st_core: Do not call kfree_skb() under spin_lock_irqsave()
dmaengine: ti: edma: handle irq_of_parse_and_map() errors
usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency
tty: tty_jobctrl: fix pid memleak in disassociate_ctty()
leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu'
ledtrig-cpu: Limit to 8 CPUs
leds: pwm: Don't disable the PWM when the LED should be off
leds: pwm: convert to atomic PWM API
leds: pwm: simplify if condition
mfd: dln2: Fix double put in dln2_probe
ASoC: ams-delta.c: use component after check
ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails
sh: bios: Revive earlyprintk support
RDMA/hfi1: Workaround truncation compilation error
scsi: ufs: core: Leave space for '\0' in utf8 desc string
ext4: move 'ix' sanity check to corrent position
ARM: 9321/1: memset: cast the constant byte to unsigned char
hid: cp2112: Fix duplicate workqueue initialization
HID: cp2112: Use irqchip template
crypto: caam/jr - fix Chacha20 + Poly1305 self test failure
crypto: caam/qi2 - fix Chacha20 + Poly1305 self test failure
nd_btt: Make BTT lanes preemptible
sched/rt: Provide migrate_disable/enable() inlines
libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and check its return value
hwrng: geode - fix accessing registers
clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped
firmware: ti_sci: Mark driver as non removable
firmware: ti_sci: Replace HTTP links with HTTPS ones
soc: qcom: llcc: Handle a second device without data corruption
soc: qcom: Rename llcc-slice to llcc-qcom
soc: qcom: llcc cleanup to get rid of sdm845 specific driver file
ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator
arm64: dts: qcom: sdm845-mtp: fix WiFi configuration
drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe()
drm/radeon: possible buffer overflow
drm/rockchip: vop: Fix call to crtc reset helper
drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs
hwmon: (coretemp) Fix potentially truncated sysfs attribute name
platform/x86: wmi: Fix opening of char device
platform/x86: wmi: remove unnecessary initializations
platform/x86: wmi: Fix probe failure when failing to register WMI devices
clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data
clk: npcm7xx: Fix incorrect kfree
clk: keystone: pll: fix a couple NULL vs IS_ERR() checks
clk: imx: Select MXC_CLK for CLK_IMX8QXP
clk: qcom: gcc-sm8150: Fix gcc_sdcc2_apps_clk_src
clk: qcom: gcc-sm8150: use ARRAY_SIZE instead of specifying num_parents
clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies
regmap: debugfs: Fix a erroneous check after snprintf()
ipvlan: properly track tx_errors
net: add DEV_STATS_READ() helper
ipv6: avoid atomic fragment on GSO packets
ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias()
tcp: fix cookie_init_timestamp() overflows
tcp: Remove one extra ktime_get_ns() from cookie_init_timestamp
chtls: fix tp->rcv_tstamp initialization
r8169: fix rare issue with broken rx after link-down on RTL8125
r8169: use tp_to_dev instead of open code
thermal: core: prevent potential string overflow
can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on()
can: dev: can_restart(): don't crash kernel if carrier is OK
wifi: rtlwifi: fix EDCA limit set by BT coexistence
tcp_metrics: do not create an entry from tcp_init_metrics()
tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics()
tcp_metrics: add missing barriers on delete
wifi: mt76: mt7603: rework/fix rx pse hang check
wifi: rtw88: debug: Fix the NULL vs IS_ERR() bug for debugfs_create_file()
tcp: call tcp_try_undo_recovery when an RTOd TFO SYNACK is ACKed
i40e: fix potential memory leaks in i40e_remove()
genirq/matrix: Exclude managed interrupts in irq_matrix_allocated()
vfs: fix readahead(2) on block devices
Linux 5.4.260
tty: 8250: Add support for Intashield IS-100
tty: 8250: Add support for Brainboxes UP cards
tty: 8250: Add support for additional Brainboxes UC cards
tty: 8250: Remove UC-257 and UC-431
usb: storage: set 1.50 as the lower bcdDevice for older "Super Top" compatibility
PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device
Revert "ARM: dts: Move am33xx and am43xx mmc nodes to sdhci-omap driver"
nvmet-tcp: Fix a possible UAF in queue intialization setup
nvmet-tcp: move send/recv error handling in the send/recv methods instead of call-sites
remove the sx8 block driver
ata: ahci: fix enum constants for gcc-13
net: chelsio: cxgb4: add an error code check in t4_load_phy_fw
platform/mellanox: mlxbf-tmfifo: Fix a warning message
platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e
scsi: mpt3sas: Fix in error path
fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit()
ASoC: rt5650: fix the wrong result of key button
netfilter: nfnetlink_log: silence bogus compiler warning
spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0
fbdev: atyfb: only use ioremap_uc() on i386 and ia64
Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport
dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe
irqchip/stm32-exti: add missing DT IRQ flag translation
Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table
x86: Fix .brk attribute in linker script
rpmsg: Fix possible refcount leak in rpmsg_register_device_override()
rpmsg: glink: Release driver_override
rpmsg: Fix calling device_lock() on non-initialized device
rpmsg: Fix kfree() of static memory on setting driver_override
rpmsg: Constify local variable in field store macro
driver: platform: Add helper for safer setting of driver_override
ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow
ext4: avoid overlapping preallocations due to overflow
ext4: add two helper functions extent_logical_end() and pa_logical_end()
x86/mm: Fix RESERVE_BRK() for older binutils
x86/mm: Simplify RESERVE_BRK()
nfsd: lock_rename() needs both directories to live on the same fs
f2fs: fix to do sanity check on inode type during garbage collection
smbdirect: missing rc checks while waiting for rdma events
kobject: Fix slab-out-of-bounds in fill_kobj_path()
arm64: fix a concurrency issue in emulation_proc_handler()
drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper()
x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility
i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR
clk: Sanitize possible_parent_show to Handle Return Value of of_clk_get_parent_name
perf/core: Fix potential NULL deref
nvmem: imx: correct nregs for i.MX6UL
nvmem: imx: correct nregs for i.MX6SLL
nvmem: imx: correct nregs for i.MX6ULL
i2c: aspeed: Fix i2c bus hang in slave read
i2c: stm32f7: Fix PEC handling in case of SMBUS transfers
i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node()
i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node()
i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node()
iio: exynos-adc: request second interupt only when touchscreen mode is used
gtp: fix fragmentation needed check with gso
gtp: uapi: fix GTPA_MAX
tcp: fix wrong RTO timeout when received SACK reneging
r8152: Cancel hw_phy_work if we have an error in probe
r8152: Run the unload routine if we have errors during probe
r8152: Increase USB control msg timeout to 5000ms as per spec
net: ieee802154: adf7242: Fix some potential buffer overflow in adf7242_stats_show()
igc: Fix ambiguity in the ethtool advertising
neighbour: fix various data-races
igb: Fix potential memory leak in igb_add_ethtool_nfc_entry
treewide: Spelling fix in comment
r8169: fix the KCSAN reported data race in rtl_rx while reading desc->opts1
r8169: fix the KCSAN reported data-race in rtl_tx while reading TxDescArray[entry].opts1
virtio-mmio: fix memory leak of vm_dev
virtio_balloon: Fix endless deflation and inflation on arm64
mcb-lpc: Reallocate memory region to avoid memory overlapping
mcb: Return actual parsed size when reading chameleon table
selftests/ftrace: Add new test case which checks non unique symbol
mtd: rawnand: marvell: Ensure program page operations are successful
Conflicts:
drivers/clk/qcom/gcc-sm8150.c
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
drivers/soc/qcom/Kconfig
drivers/soc/qcom/Makefile
drivers/soc/qcom/llcc-qcom.c
drivers/usb/dwc3/core.c
drivers/usb/gadget/function/f_ncm.c
include/linux/soc/qcom/llcc-qcom.h
include/net/netfilter/nf_tables.h
mm/memory-failure.c
net/netfilter/nf_tables_api.c
net/netfilter/nft_set_hash.c
net/netfilter/nft_set_rbtree.c
Notes:
* Dropped the following upstream commits:
813fddd | AOSP soc: qcom: Rename llcc-slice to llcc-qcom
0770107 | AOSP soc: qcom: llcc cleanup to get rid of sdm845 specific driver file
Change-Id: Id31af0559be59eccc0cd242940754292baed09f7
Merge 5.4.268 into android11-5.4-lts
Changes in 5.4.268
f2fs: explicitly null-terminate the xattr list
pinctrl: lochnagar: Don't build on MIPS
ALSA: hda - Fix speaker and headset mic pin config for CHUWI CoreBook XPro
ASoC: Intel: Skylake: Fix mem leak in few functions
ASoC: nau8822: Fix incorrect type in assignment and cast to restricted __be16
ASoC: Intel: Skylake: mem leak in skl register function
ASoC: cs43130: Fix the position of const qualifier
ASoC: cs43130: Fix incorrect frame delay configuration
ASoC: rt5650: add mutex to avoid the jack detection failure
nouveau/tu102: flush all pdbs on vmm flush
net/tg3: fix race condition in tg3_reset_task()
ASoC: da7219: Support low DC impedance headset
nvme: introduce helper function to get ctrl state
drm/exynos: fix a potential error pointer dereference
drm/exynos: fix a wrong error checking
clk: rockchip: rk3128: Fix HCLK_OTG gate register
jbd2: correct the printing of write_flags in jbd2_write_superblock()
drm/crtc: Fix uninit-value bug in drm_mode_setcrtc
neighbour: Don't let neigh_forced_gc() disable preemption for long
tracing: Have large events show up as '[LINE TOO BIG]' instead of nothing
tracing: Add size check when printing trace_marker output
ring-buffer: Do not record in NMI if the arch does not support cmpxchg in NMI
reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning
Input: atkbd - skip ATKBD_CMD_GETID in translated mode
Input: i8042 - add nomux quirk for Acer P459-G2-M
s390/scm: fix virtual vs physical address confusion
ARC: fix spare error
Input: xpad - add Razer Wolverine V2 support
ida: Fix crash in ida_free when the bitmap is empty
ARM: sun9i: smp: fix return code check of of_property_match_string
drm/crtc: fix uninitialized variable use
ACPI: resource: Add another DMI match for the TongFang GMxXGxx
binder: use EPOLLERR from eventpoll.h
binder: fix trivial typo of binder_free_buf_locked()
binder: fix comment on binder_alloc_new_buf() return value
uio: Fix use-after-free in uio_open
parport: parport_serial: Add Brainboxes BAR details
parport: parport_serial: Add Brainboxes device IDs and geometry
coresight: etm4x: Fix width of CCITMIN field
x86/lib: Fix overflow when counting digits
EDAC/thunderx: Fix possible out-of-bounds string access
powerpc: add crtsavres.o to always-y instead of extra-y
powerpc/44x: select I2C for CURRITUCK
powerpc/pseries/memhotplug: Quieten some DLPAR operations
powerpc/pseries/memhp: Fix access beyond end of drmem array
selftests/powerpc: Fix error handling in FPU/VMX preemption tests
powerpc/powernv: Add a null pointer check to scom_debug_init_one()
powerpc/powernv: Add a null pointer check in opal_event_init()
powerpc/powernv: Add a null pointer check in opal_powercap_init()
powerpc/imc-pmu: Add a null pointer check in update_events_in_group()
mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller response
ACPI: video: check for error while searching for backlight device parent
ACPI: LPIT: Avoid u32 multiplication overflow
net: netlabel: Fix kerneldoc warnings
netlabel: remove unused parameter in netlbl_netlink_auditinfo()
calipso: fix memory leak in netlbl_calipso_add_pass()
spi: sh-msiof: Enforce fixed DTDL for R-Car H3
mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket
crypto: virtio - Handle dataq logic with tasklet
crypto: virtio - don't use 'default m'
virtio_crypto: Introduce VIRTIO_CRYPTO_NOSPC
crypto: ccp - fix memleak in ccp_init_dm_workarea
crypto: af_alg - Disallow multiple in-flight AIO requests
crypto: sahara - remove FLAGS_NEW_KEY logic
crypto: sahara - fix ahash selftest failure
crypto: sahara - fix processing requests with cryptlen < sg->length
crypto: sahara - fix error handling in sahara_hw_descriptor_create()
pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()
gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump
crypto: virtio - Wait for tasklet to complete on device remove
crypto: sahara - fix ahash reqsize
crypto: sahara - fix wait_for_completion_timeout() error handling
crypto: sahara - improve error handling in sahara_sha_process()
crypto: sahara - fix processing hash requests with req->nbytes < sg->length
crypto: sahara - do not resize req->src when doing hash operations
crypto: scomp - fix req->dst buffer overflow
blocklayoutdriver: Fix reference leak of pnfs_device_node
NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT
wifi: rtw88: fix RX filter in FIF_ALLMULTI flag
bpf, lpm: Fix check prefixlen before walking trie
wifi: libertas: stop selecting wext
ARM: dts: qcom: apq8064: correct XOADC register address
ncsi: internal.h: Fix a spello
net/ncsi: Fix netlink major/minor version numbers
firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create()
rtlwifi: Use ffs in <foo>_phy_calculate_bit_shift
wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior
scsi: fnic: Return error if vmalloc() failed
arm64: dts: qcom: sdm845-db845c: correct LED panic indicator
scsi: hisi_sas: Replace with standard error code return value
selftests/net: fix grep checking for fib_nexthop_multiprefix
virtio/vsock: fix logic which reduces credit update messages
dma-mapping: clear dev->dma_mem to NULL after freeing it
wifi: rtlwifi: add calculate_bit_shift()
wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift()
wifi: rtlwifi: rtl8192c: using calculate_bit_shift()
wifi: rtlwifi: rtl8192cu: using calculate_bit_shift()
wifi: rtlwifi: rtl8192ce: using calculate_bit_shift()
rtlwifi: rtl8192de: make arrays static const, makes object smaller
wifi: rtlwifi: rtl8192de: using calculate_bit_shift()
wifi: rtlwifi: rtl8192ee: using calculate_bit_shift()
wifi: rtlwifi: rtl8192se: using calculate_bit_shift()
netfilter: nf_tables: mark newset as dead on transaction abort
Bluetooth: Fix bogus check for re-auth no supported with non-ssp
Bluetooth: btmtkuart: fix recv_buf() return value
ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()
ARM: davinci: always select CONFIG_CPU_ARM926T
RDMA/usnic: Silence uninitialized symbol smatch warnings
media: pvrusb2: fix use after free on context disconnection
drm/bridge: Fix typo in post_disable() description
f2fs: fix to avoid dirent corruption
drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg()
drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check()
drm/radeon: check return value of radeon_ring_lock()
ASoC: cs35l33: Fix GPIO name and drop legacy include
ASoC: cs35l34: Fix GPIO name and drop legacy include
drm/msm/mdp4: flush vblank event on disable
drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks
drm/drv: propagate errors from drm_modeset_register_all()
drm/radeon: check the alloc_workqueue return value in radeon_crtc_init()
drm/radeon/dpm: fix a memleak in sumo_parse_power_table
drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table
drm/bridge: tc358767: Fix return value on error case
media: cx231xx: fix a memleak in cx231xx_init_isoc
media: dvbdev: drop refcount on error path in dvb_device_open()
drm/amdgpu/debugfs: fix error code when smc register accessors are NULL
drm/amd/pm: fix a double-free in si_dpm_init
drivers/amd/pm: fix a use-after-free in kv_parse_power_table
gpu/drm/radeon: fix two memleaks in radeon_vm_init
drivers: clk: zynqmp: calculate closest mux rate
watchdog: set cdev owner before adding
watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO
watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling
clk: si5341: fix an error code problem in si5341_output_clk_set_rate
mmc: sdhci_omap: Fix TI SoC dependencies
of: Fix double free in of_parse_phandle_with_args_map
of: unittest: Fix of_count_phandle_with_args() expected value message
binder: fix async space check for 0-sized buffers
binder: fix use-after-free in shinker's callback
Input: atkbd - use ab83 as id when skipping the getid command
Revert "ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek"
xen-netback: don't produce zero-size SKB frags
binder: fix race between mmput() and do_exit()
binder: fix unused alloc->free_async_space
tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug
usb: phy: mxs: remove CONFIG_USB_OTG condition for mxs_phy_is_otg_host()
usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart
Revert "usb: dwc3: Soft reset phy on probe for host"
Revert "usb: dwc3: don't reset device side if dwc3 was configured as host-only"
usb: chipidea: wait controller resume finished for wakeup irq
Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs"
usb: typec: class: fix typec_altmode_put_partner to put plugs
usb: mon: Fix atomicity violation in mon_bin_vma_fault
ALSA: oxygen: Fix right channel of capture volume mixer
fbdev: flush deferred work in fb_deferred_io_fsync()
rootfs: Fix support for rootfstype= when root= is given
wifi: rtlwifi: Remove bogus and dangerous ASPM disable/enable code
wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW accessors
wifi: mwifiex: configure BSSID consistently when starting AP
x86/kvm: Do not try to disable kvmclock if it was not enabled
HID: wacom: Correct behavior when processing some confidence == false touches
mips: Fix incorrect max_low_pfn adjustment
MIPS: Alchemy: Fix an out-of-bound access in db1200_dev_setup()
MIPS: Alchemy: Fix an out-of-bound access in db1550_dev_setup()
serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed
acpi: property: Let args be NULL in __acpi_node_get_property_reference
software node: Let args be NULL in software_node_get_reference_args
perf genelf: Set ELF program header addresses properly
nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length
nvmet-tcp: fix a crash in nvmet_req_complete()
perf env: Add perf_env__numa_node()
perf record: Move sb_evlist to 'struct record'
perf top: Move sb_evlist to 'struct perf_top'
perf bpf: Decouple creating the evlist from adding the SB event
perf env: Avoid recursively taking env->bpf_progs.lock
apparmor: avoid crash when parsed profile name is empty
serial: imx: Correct clock error message in function probe()
nvmet-tcp: Fix the H2C expected PDU len calculation
PCI: keystone: Fix race condition when initializing PHYs
s390/pci: fix max size calculation in zpci_memcpy_toio()
net: qualcomm: rmnet: fix global oob in rmnet_policy
net: phy: micrel: populate .soft_reset for KSZ9131
net: ravb: Fix dma_addr_t truncation in error case
net: dsa: vsc73xx: Add null pointer check to vsc73xx_gpio_probe
netfilter: nf_tables: skip dead set elements in netlink dump
ipvs: avoid stat macros calls from preemptible context
kdb: Censor attempts to set PROMPT without ENABLE_MEM_READ
kdb: Fix a potential buffer overflow in kdb_local()
mlxsw: spectrum_acl_erp: Fix error flow of pool allocation failure
i2c: s3c24xx: fix read transfers in polling mode
i2c: s3c24xx: fix transferring more than one message in polling mode
perf top: Skip side-band event setup if HAVE_LIBBPF_SUPPORT is not set
arm64: dts: armada-3720-turris-mox: set irq type for RTC
Linux 5.4.268
Change-Id: I347fc44c3a9947e2b7cb476d622adca58677f78a
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit c6d05e0762ab276102246d24affd1e116a46aa0c upstream.
Each transaction is associated with a 'struct binder_buffer' that stores
the metadata about its buffer area. Since commit 74310e06be ("android:
binder: Move buffer out of area shared with user space") this struct is
no longer embedded within the buffer itself but is instead allocated on
the heap to prevent userspace access to this driver-exclusive info.
Unfortunately, the space of this struct is still being accounted for in
the total buffer size calculation, specifically for async transactions.
This results in an additional 104 bytes added to every async buffer
request, and this area is never used.
This wasted space can be substantial. If we consider the maximum mmap
buffer space of SZ_4M, the driver will reserve half of it for async
transactions, or 0x200000. This area should, in theory, accommodate up
to 262,144 buffers of the minimum 8-byte size. However, after adding
the extra 'sizeof(struct binder_buffer)', the total number of buffers
drops to only 18,724, which is a sad 7.14% of the actual capacity.
This patch fixes the buffer size calculation to enable the utilization
of the entire async buffer space. This is expected to reduce the number
of -ENOSPC errors that are seen on the field.
Fixes: 74310e06be ("android: binder: Move buffer out of area shared with user space")
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20231201172212.1813387-6-cmllamas@google.com
[cmllamas: fix trivial conflict with missing 261e7818f06e.]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
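The accounting described in the commit message above, as an added C model that is not the driver's code: the constants are the figures quoted in the message, while `struct async_model` and the function names are hypothetical. It goes one step beyond the message by also tabulating larger payload sizes, where the per-buffer charge matters less.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Figures quoted in the commit message above. */
#define ASYNC_SPACE     0x200000UL /* half of the SZ_4M mmap area */
#define MIN_BUF_SIZE    8UL        /* minimum buffer size in bytes */
#define STRUCT_OVERHEAD 104UL      /* extra bytes charged per async buffer */

/* Hypothetical model of the async accounting; not the driver's code. */
struct async_model {
    size_t free_async_space; /* bytes left for async transactions */
    size_t overhead;         /* bytes charged on top of each payload */
};

/* Round a payload up to the 8-byte granule; empty payloads still take one. */
static size_t buffer_size(size_t payload)
{
    size_t size = (payload + MIN_BUF_SIZE - 1) & ~(MIN_BUF_SIZE - 1);

    return size ? size : MIN_BUF_SIZE;
}

/* Charge one async buffer; 0 on success, -ENOSPC when the pool is spent. */
static int model_async_alloc(struct async_model *m, size_t payload)
{
    size_t charge = buffer_size(payload) + m->overhead;

    if (m->free_async_space < charge)
        return -ENOSPC;
    m->free_async_space -= charge;
    return 0;
}

/* Number of outstanding async buffers of one size before -ENOSPC. */
static unsigned long async_capacity(size_t payload, size_t overhead)
{
    struct async_model m = { ASYNC_SPACE, overhead };
    unsigned long n = 0;

    while (model_async_alloc(&m, payload) == 0)
        n++;
    return n;
}

/* Usable share of the pool in hundredths of a percent (714 means 7.14%). */
static unsigned long usable_share(size_t payload)
{
    return async_capacity(payload, STRUCT_OVERHEAD) * 10000UL /
           async_capacity(payload, 0);
}

int main(void)
{
    static const size_t payloads[] = { 8, 64, 1024, 65536 };

    for (size_t i = 0; i < sizeof(payloads) / sizeof(payloads[0]); i++) {
        size_t p = payloads[i];

        printf("payload %6zu: charged %7lu, uncharged %7lu, usable %lu.%02lu%%\n",
               p, async_capacity(p, STRUCT_OVERHEAD), async_capacity(p, 0),
               usable_share(p) / 100, usable_share(p) % 100);
    }
    return 0;
}
```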
commit 9a9ab0d963621d9d12199df9817e66982582d5a5 upstream.
Task A calls binder_update_page_range() to allocate and insert pages on
a remote address space from Task B. For this, Task A pins the remote mm
via mmget_not_zero() first. This can race with Task B do_exit() and the
final mmput() refcount decrement will come from Task A.
  Task A            | Task B
  ------------------+------------------
  mmget_not_zero()  |
                    | do_exit()
                    |   exit_mm()
                    |     mmput()
  mmput()           |
    exit_mmap()     |
      remove_vma()  |
        fput()      |
In this case, the work of ____fput() from Task B is queued up in Task A
as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup
work gets executed. However, Task A instead sleeps, waiting for a reply
from Task B that never comes (it's dead).
This means the binder_deferred_release() is blocked until an unrelated
binder event forces Task A to go back to userspace. All the associated
death notifications will also be delayed until then.
In order to fix this use mmput_async() that will schedule the work in
the corresponding mm->async_put_work WQ instead of Task A.
Fixes: 457b9a6f09 ("Staging: android: add binder driver")
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20231201172212.1813387-4-cmllamas@google.com
[cmllamas: fix trivial conflict with missing d8ed45c5dcd4.]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
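The interleaving from the commit message above, replayed as a single-threaded user-space model. This is an added example, not kernel code: `struct sim`, `final_put()` and the other names are hypothetical, and the worker-context branch is simplified to "the release runs from the worker".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space model of the race; not kernel code. */
struct task {
    bool pending_fput;      /* ____fput queued as task_work on this task */
};

struct sim {
    int  mm_users;          /* references held on Task B's mm */
    bool wq_pending_mmput;  /* final put queued on mm->async_put_work */
    bool binder_released;   /* Task B's binder file has been released */
    struct task a, b;
};

/* Last reference dropped: exit_mmap() -> remove_vma() -> fput().
 * In task context the release is deferred to that task's task_work.
 * A worker (cur == NULL) has no return-to-userspace step, so the model
 * releases directly there (simplification made for this example). */
static void final_put(struct sim *s, struct task *cur)
{
    if (cur)
        cur->pending_fput = true;
    else
        s->binder_released = true;
}

/* Task work runs when a task returns to userspace or exits. */
static void run_task_work(struct sim *s, struct task *t)
{
    if (t->pending_fput) {
        t->pending_fput = false;
        s->binder_released = true;
    }
}

static bool sim_mmget_not_zero(struct sim *s)
{
    if (s->mm_users == 0)
        return false;
    s->mm_users++;
    return true;
}

static void sim_mmput(struct sim *s, struct task *cur)
{
    if (--s->mm_users == 0)
        final_put(s, cur);
}

static void sim_mmput_async(struct sim *s)
{
    if (--s->mm_users == 0)
        s->wq_pending_mmput = true;
}

static void run_workqueue(struct sim *s)
{
    if (s->wq_pending_mmput) {
        s->wq_pending_mmput = false;
        final_put(s, NULL);
    }
}

/* Replay the table; returns the state once Task A is asleep in the driver. */
static struct sim replay(bool use_async)
{
    struct sim s = { .mm_users = 1 };   /* Task B's own reference */

    if (!sim_mmget_not_zero(&s))        /* Task A pins the mm: 1 -> 2 */
        return s;
    sim_mmput(&s, &s.b);                /* Task B: do_exit() -> mmput(): 2 -> 1 */
    run_task_work(&s, &s.b);            /* Task B's exit-time work: nothing queued */
    if (use_async)
        sim_mmput_async(&s);            /* fix: final put goes to the workqueue */
    else
        sim_mmput(&s, &s.a);            /* race: final put runs in Task A */
    /* Task A now sleeps waiting for Task B's reply, so its task work does
     * not run. Workqueues are serviced independently of Task A. */
    run_workqueue(&s);
    return s;
}

static bool released_while_a_sleeps(bool use_async)
{
    return replay(use_async).binder_released;
}

/* An unrelated binder event sends Task A back to userspace. */
static bool released_after_a_wakes(void)
{
    struct sim s = replay(false);

    run_task_work(&s, &s.a);
    return s.binder_released;
}

int main(void)
{
    printf("mmput():       released while A sleeps = %d\n", released_while_a_sleeps(false));
    printf("mmput_async(): released while A sleeps = %d\n", released_while_a_sleeps(true));
    printf("mmput():       released after A wakes  = %d\n", released_after_a_wakes());
    return 0;
}
```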
commit 3f489c2067c5824528212b0fc18b28d51332d906 upstream.
The mmap read lock is used during the shrinker's callback, which means
that using alloc->vma pointer isn't safe as it can race with munmap().
As of commit dd2283f260 ("mm: mmap: zap pages with read mmap_sem in
munmap") the mmap lock is downgraded after the vma has been isolated.
I was able to reproduce this issue by manually adding some delays and
triggering page reclaiming through the shrinker's debug sysfs. The
following KASAN report confirms the UAF:
==================================================================
BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8
Read of size 8 at addr ffff356ed50e50f0 by task bash/478
CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70
Hardware name: linux,dummy-virt (DT)
Call trace:
zap_page_range_single+0x470/0x4b8
binder_alloc_free_page+0x608/0xadc
__list_lru_walk_one+0x130/0x3b0
list_lru_walk_node+0xc4/0x22c
binder_shrink_scan+0x108/0x1dc
shrinker_debugfs_scan_write+0x2b4/0x500
full_proxy_write+0xd4/0x140
vfs_write+0x1ac/0x758
ksys_write+0xf0/0x1dc
__arm64_sys_write+0x6c/0x9c
Allocated by task 492:
kmem_cache_alloc+0x130/0x368
vm_area_alloc+0x2c/0x190
mmap_region+0x258/0x18bc
do_mmap+0x694/0xa60
vm_mmap_pgoff+0x170/0x29c
ksys_mmap_pgoff+0x290/0x3a0
__arm64_sys_mmap+0xcc/0x144
Freed by task 491:
kmem_cache_free+0x17c/0x3c8
vm_area_free_rcu_cb+0x74/0x98
rcu_core+0xa38/0x26d4
rcu_core_si+0x10/0x1c
__do_softirq+0x2fc/0xd24
Last potentially related work creation:
__call_rcu_common.constprop.0+0x6c/0xba0
call_rcu+0x10/0x1c
vm_area_free+0x18/0x24
remove_vma+0xe4/0x118
do_vmi_align_munmap.isra.0+0x718/0xb5c
do_vmi_munmap+0xdc/0x1fc
__vm_munmap+0x10c/0x278
__arm64_sys_munmap+0x58/0x7c
Fix this issue by performing instead a vma_lookup() which will fail to
find the vma that was isolated before the mmap lock downgrade. Note that
this option has better performance than upgrading to a mmap write lock
which would increase contention. Plus, mmap_write_trylock() has been
recently removed anyway.
Fixes: dd2283f260 ("mm: mmap: zap pages with read mmap_sem in munmap")
Cc: stable@vger.kernel.org
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Minchan Kim <minchan@kernel.org>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20231201172212.1813387-3-cmllamas@google.com
[cmllamas: use find_vma() instead of vma_lookup() as commit ce6d42f2e4a2
is missing in v5.4. This only works because we check the vma against
our cached alloc->vma pointer. Also, unlock via up_read() instead of
mmap_read_unlock() as commit d8ed45c5dcd4 is also missing in v5.4.]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
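Added example (not part of the commit or of the kernel tree): a userspace C model of why the v5.4 backport note above says find_vma() only works together with the comparison against the cached alloc->vma pointer. The struct, enum and function names are made up for the model, and the addresses are constructed; only the find_vma()/vma_lookup() return semantics are taken from the kernel.

```c
#include <stdio.h>
#include <stddef.h>

/* Userspace model, not kernel code. Type and function names are made up;
 * only the find_vma()/vma_lookup() return semantics mirror the kernel. */
struct vma_model {
    unsigned long vm_start;
    unsigned long vm_end;              /* exclusive */
};

struct mm_model {
    struct vma_model *vmas[4];         /* sorted by vm_start */
    size_t count;
};

enum lookup_mode { USE_VMA_LOOKUP, USE_FIND_VMA_CHECKED, USE_FIND_VMA_UNCHECKED };
enum reclaim_result { RECLAIM_ZAP, RECLAIM_SKIP_ZAP, RECLAIM_INVALID_VMA,
                      RECLAIM_ZAP_WRONG_VMA };

/* find_vma(): first VMA whose vm_end is above addr. It may start above addr. */
static struct vma_model *model_find_vma(struct mm_model *mm, unsigned long addr)
{
    for (size_t i = 0; i < mm->count; i++)
        if (mm->vmas[i]->vm_end > addr)
            return mm->vmas[i];
    return NULL;
}

/* vma_lookup(): like find_vma(), but only a VMA that really contains addr. */
static struct vma_model *model_vma_lookup(struct mm_model *mm, unsigned long addr)
{
    struct vma_model *vma = model_find_vma(mm, addr);

    if (vma && addr < vma->vm_start)
        return NULL;
    return vma;
}

/* First half of munmap(): the VMA is detached from the address space.
 * Its memory is freed later, so a cached pointer to it becomes stale. */
static void model_isolate(struct mm_model *mm, struct vma_model *victim)
{
    size_t kept = 0;

    for (size_t i = 0; i < mm->count; i++)
        if (mm->vmas[i] != victim)
            mm->vmas[kept++] = mm->vmas[i];
    mm->count = kept;
}

/* The cached pointer is only compared here, never dereferenced. */
static enum reclaim_result decide(struct vma_model *found,
                                  struct vma_model *cached, int check_cached)
{
    if (!found)
        return RECLAIM_SKIP_ZAP;       /* mapping is gone: nothing to zap */
    if (found == cached)
        return RECLAIM_ZAP;            /* still the live binder mapping */
    return check_cached ? RECLAIM_INVALID_VMA : RECLAIM_ZAP_WRONG_VMA;
}

/* Constructed scenario: binder mapping [0x1000,0x3000), an unrelated
 * neighbour [0x5000,0x6000), and a reclaim of the page at 0x2000. */
static enum reclaim_result run_scenario(enum lookup_mode mode, int munmap_raced)
{
    struct vma_model binder = { 0x1000, 0x3000 };
    struct vma_model neighbour = { 0x5000, 0x6000 };
    struct mm_model mm = { { &binder, &neighbour }, 2 };
    struct vma_model *cached = &binder;        /* stands in for alloc->vma */
    struct vma_model *found;

    if (munmap_raced)
        model_isolate(&mm, &binder);

    found = (mode == USE_VMA_LOOKUP) ? model_vma_lookup(&mm, 0x2000)
                                     : model_find_vma(&mm, 0x2000);
    return decide(found, cached, mode != USE_FIND_VMA_UNCHECKED);
}

int main(void)
{
    static const char *const names[] = { "zap", "skip zap", "invalid vma",
                                         "zap WRONG vma" };

    printf("vma_lookup, no race:       %s\n", names[run_scenario(USE_VMA_LOOKUP, 0)]);
    printf("vma_lookup, munmap raced:  %s\n", names[run_scenario(USE_VMA_LOOKUP, 1)]);
    printf("find_vma + check, raced:   %s\n", names[run_scenario(USE_FIND_VMA_CHECKED, 1)]);
    printf("find_vma, no check, raced: %s\n", names[run_scenario(USE_FIND_VMA_UNCHECKED, 1)]);
    return 0;
}
```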
commit 3091c21d3e9322428691ce0b7a0cfa9c0b239eeb upstream.
Move the padding of 0-sized buffers to an earlier stage to account for
this round up during the alloc->free_async_space check.
Fixes: 74310e06be ("android: binder: Move buffer out of area shared with user space")
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20231201172212.1813387-5-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e1090371e02b601cbfcea175c2a6cc7c955fa830 upstream.
Update the comments of binder_alloc_new_buf() to reflect that the return
value of the function is now ERR_PTR(-errno) on failure.
No functional changes in this patch.
Cc: stable@vger.kernel.org
Fixes: 57ada2fb22 ("binder: add log information for binder transaction failures")
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20231201172212.1813387-8-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 122a3c1cb0ff304c2b8934584fcfea4edb2fe5e3 upstream.
Fix minor misspelling of the function in the comment section.
No functional changes in this patch.
Cc: stable@vger.kernel.org
Fixes: 0f966cba95c7 ("binder: add flag to clear buffer on txn complete")
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20231201172212.1813387-7-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6ac061db9c58ca5b9270b1b3940d2464fb3ff183 upstream.
Use EPOLLERR instead of POLLERR to make sure it is cast to the correct
__poll_t type. This fixes the following sparse issue:
drivers/android/binder.c:5030:24: warning: incorrect type in return expression (different base types)
drivers/android/binder.c:5030:24: expected restricted __poll_t
drivers/android/binder.c:5030:24: got int
Fixes: f88982679f ("binder: check for binder_thread allocation failure in binder_poll()")
Cc: stable@vger.kernel.org
Cc: Eric Biggers <ebiggers@google.com>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Link: https://lore.kernel.org/r/20231201172212.1813387-2-cmllamas@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
https://source.android.com/docs/security/bulletin/2023-10-01
* tag 'ASB-2023-10-06_11-5.4' of https://android.googlesource.com/kernel/common:
UPSTREAM: arm64: efi: Make efi_rt_lock a raw_spinlock
UPSTREAM: net: sched: sch_qfq: Fix UAF in qfq_dequeue()
UPSTREAM: net/sched: sch_hfsc: Ensure inner classes have fsc curve
UPSTREAM: net/sched: sch_qfq: account for stab overhead in qfq_enqueue
UPSTREAM: netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
UPSTREAM: af_unix: Fix null-ptr-deref in unix_stream_sendpage().
Linux 5.4.254
sch_netem: fix issues in netem_change() vs get_dist_table()
alpha: remove __init annotation from exported page_is_ram()
scsi: core: Fix possible memory leak if device_add() fails
scsi: snic: Fix possible memory leak if device_add() fails
scsi: 53c700: Check that command slot is not NULL
scsi: storvsc: Fix handling of virtual Fibre Channel timeouts
scsi: core: Fix legacy /proc parsing buffer overflow
netfilter: nf_tables: report use refcount overflow
nvme-rdma: fix potential unbalanced freeze & unfreeze
nvme-tcp: fix potential unbalanced freeze & unfreeze
btrfs: set cache_block_group_error if we find an error
btrfs: don't stop integrity writeback too early
ibmvnic: Handle DMA unmapping of login buffs in release functions
net/mlx5: Allow 0 for total host VFs
dmaengine: mcf-edma: Fix a potential un-allocated memory access
wifi: cfg80211: fix sband iftype data lookup for AP_VLAN
IB/hfi1: Fix possible panic during hotplug remove
drivers: net: prevent tun_build_skb() to exceed the packet size limit
dccp: fix data-race around dp->dccps_mss_cache
bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
net/packet: annotate data-races around tp->status
mISDN: Update parameter type of dsp_cmx_send()
selftests/rseq: Fix build with undefined __weak
drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes
x86: Move gds_ucode_mitigated() declaration to header
x86/mm: Fix VDSO and VVAR placement on 5-level paging machines
x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405
usb: common: usb-conn-gpio: Prevent bailing out if initial role is none
usb: dwc3: Properly handle processing of pending events
usb-storage: alauda: Fix uninit-value in alauda_check_media()
binder: fix memory leak in binder_init()
iio: cros_ec: Fix the allocation size for cros_ec_command
nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
x86/pkeys: Revert a5eff72597 ("x86/pkeys: Add PKRU value to init_fpstate")
radix tree test suite: fix incorrect allocation size for pthreads
drm/nouveau/gr: enable memory loads on helper invocation on all channels
dmaengine: pl330: Return DMA_PAUSED when transaction is paused
ipv6: adjust ndisc_is_useropt() to also return true for PIO
mmc: moxart: read scr register without changing byte order
Linux 5.4.253
Revert "driver core: Annotate dev_err_probe() with __must_check"
drivers: core: fix kernel-doc markup for dev_err_probe()
driver code: print symbolic error code
driver core: Annotate dev_err_probe() with __must_check
ARM: dts: nxp/imx6sll: fix wrong property name in usbphy node
ARM: dts: imx6sll: fixup of operating points
ARM: dts: imx: add usb alias
ARM: dts: imx: Align L2 cache-controller nodename with dtschema
ARM: dts: imx6sll: Make ssi node name same as other platforms
arm64: dts: stratix10: fix incorrect I2C property for SCL signal
ceph: defer stopping mdsc delayed_work
ceph: use kill_anon_super helper
ceph: show tasks waiting on caps in debugfs caps file
PM: sleep: wakeirq: fix wake irq arming
PM / wakeirq: support enabling wake-up irq after runtime_suspend called
selftests/rseq: Play nice with binaries statically linked against glibc 2.35+
selftests/rseq: check if libc rseq support is registered
powerpc/mm/altmap: Fix altmap boundary check
mtd: rawnand: omap_elm: Fix incorrect type in assignment
test_firmware: return ENOMEM instead of ENOSPC on failed memory allocation
test_firmware: prevent race conditions by a correct implementation of locking
ext2: Drop fragment support
fs: Protect reconfiguration of sb read-write from racing writes
net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb
Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb
fs/sysv: Null check to prevent null-ptr-deref bug
net: tap_open(): set sk_uid from current_fsuid()
net: tun_chr_open(): set sk_uid from current_fsuid()
mtd: rawnand: meson: fix OOB available bytes for ECC
mtd: spinand: toshiba: Fix ecc_get_status
USB: zaurus: Add ID for A-300/B-500/C-700
libceph: fix potential hang in ceph_osdc_notify()
scsi: zfcp: Defer fc_rport blocking until after ADISC response
tcp_metrics: fix data-race in tcpm_suck_dst() vs fastopen
tcp_metrics: annotate data-races around tm->tcpm_net
tcp_metrics: annotate data-races around tm->tcpm_vals[]
tcp_metrics: annotate data-races around tm->tcpm_lock
tcp_metrics: annotate data-races around tm->tcpm_stamp
tcp_metrics: fix addr_same() helper
ip6mr: Fix skb_under_panic in ip6mr_cache_report()
net: dcb: choose correct policy to parse DCB_ATTR_BCN
net: ll_temac: fix error checking of irq_of_parse_and_map()
net: ll_temac: Switch to use dev_err_probe() helper
driver core: add device probe log helper
bpf: sockmap: Remove preempt_disable in sock_map_sk_acquire
net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free
net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free
net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free
net: add missing data-race annotation for sk_ll_usec
net: add missing data-race annotations around sk->sk_peek_off
net: add missing READ_ONCE(sk->sk_rcvbuf) annotation
net: add missing READ_ONCE(sk->sk_sndbuf) annotation
net: add missing READ_ONCE(sk->sk_rcvlowat) annotation
net: annotate data-races around sk->sk_max_pacing_rate
mISDN: hfcpci: Fix potential deadlock on &hc->lock
net: sched: cls_u32: Fix match key mis-addressing
perf test uprobe_from_different_cu: Skip if there is no gcc
rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length
net/mlx5e: fix return value check in mlx5e_ipsec_remove_trailer()
net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx
KVM: s390: fix sthyi error handling
word-at-a-time: use the same return type for has_zero regardless of endianness
loop: Select I/O scheduler 'none' from inside add_disk()
perf: Fix function pointer case
arm64: Fix bit-shifting UB in the MIDR_CPU_MODEL() macro
arm64: Add AMPERE1 to the Spectre-BHB affected list
ASoC: cs42l51: fix driver to properly autoload with automatic module loading
net/sched: sch_qfq: account for stab overhead in qfq_enqueue
btrfs: fix race between quota disable and quota assign ioctls
btrfs: qgroup: return ENOTCONN instead of EINVAL when quotas are not enabled
btrfs: qgroup: remove one-time use variables for quota_root checks
cpufreq: intel_pstate: Drop ACPI _PSS states table patching
ACPI: processor: perflib: Avoid updating frequency QoS unnecessarily
ACPI: processor: perflib: Use the "no limit" frequency QoS
dm cache policy smq: ensure IO doesn't prevent cleaner policy progress
ASoC: wm8904: Fill the cache for WM8904_ADC_TEST_0 register
s390/dasd: fix hanging device after quiesce/resume
virtio-net: fix race between set queues and probe
btrfs: check if the transaction was aborted at btrfs_wait_for_commit()
irq-bcm6345-l1: Do not assume a fixed block to cpu mapping
tpm_tis: Explicitly check for error code
btrfs: check for commit error at btrfs_attach_transaction_barrier()
hwmon: (nct7802) Fix for temp6 (PECI1) processed even if PECI1 disabled
staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()
Documentation: security-bugs.rst: clarify CVE handling
Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group
Revert "usb: xhci: tegra: Fix error check"
usb: xhci-mtk: set the dma max_seg_size
USB: quirks: add quirk for Focusrite Scarlett
usb: ohci-at91: Fix the unhandle interrupt when resume
usb: dwc3: don't reset device side if dwc3 was configured as host-only
usb: dwc3: pci: skip BYT GPIO lookup table for hardwired phy
Revert "usb: dwc3: core: Enable AutoRetry feature in the controller"
can: gs_usb: gs_can_close(): add missing set of CAN state to CAN_STATE_STOPPED
USB: serial: simple: sort driver entries
USB: serial: simple: add Kaufmann RKS+CAN VCP
USB: serial: option: add Quectel EC200A module support
USB: serial: option: support Quectel EM060K_128
serial: sifive: Fix sifive_serial_console_setup() section
serial: 8250_dw: Preserve original value of DLF register
tracing: Fix warning in trace_buffered_event_disable()
ring-buffer: Fix wrong stat of cpu_buffer->read
ata: pata_ns87415: mark ns87560_tf_read static
dm raid: fix missing reconfig_mutex unlock in raid_ctr() error paths
block: Fix a source code comment in include/uapi/linux/blkzoned.h
ASoC: fsl_spdif: Silence output on stop
drm/msm: Fix IS_ERR_OR_NULL() vs NULL check in a5xx_submit_in_rb()
drm/msm/adreno: Fix snapshot BINDLESS_DATA size
drm/msm/dpu: drop enum dpu_core_perf_data_bus_id
RDMA/mlx4: Make check for invalid flags stricter
benet: fix return value check in be_lancer_xmit_workarounds()
net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64
net/sched: mqprio: add extack to mqprio_parse_nlattr()
net/sched: mqprio: refactor nlattr parsing to a separate function
platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100
team: reset team's flags when down link is P2P device
bonding: reset bond's flags when down link is P2P device
tcp: Reduce chance of collisions in inet6_hashfn().
ipv6 addrconf: fix bug where deleting a mngtmpaddr can create a new temporary address
ethernet: atheros: fix return value check in atl1e_tso_csum()
phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe()
vxlan: calculate correct header length for GPE
i40e: Fix an NULL vs IS_ERR() bug for debugfs_create_dir()
ext4: fix to check return value of freeze_bdev() in ext4_shutdown()
keys: Fix linking a duplicate key to a keyring's assoc_array
uapi: General notification queue definitions
scsi: qla2xxx: Array index may go out of bound
scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c
pwm: meson: fix handling of period/duty if greater than UINT_MAX
pwm: meson: Simplify duplicated per-channel tracking
pwm: meson: Remove redundant assignment to variable fin_freq
ftrace: Fix possible warning on checking all pages used in ftrace_process_locs()
ftrace: Store the order of pages allocated in ftrace_page
ftrace: Check if pages were allocated before calling free_pages()
ftrace: Add information on number of page groups allocated
fs: dlm: interrupt posix locks only when process is killed
dlm: rearrange async condition return
dlm: cleanup plock_op vs plock_xop
PCI/ASPM: Avoid link retraining race
PCI/ASPM: Factor out pcie_wait_for_retrain()
PCI/ASPM: Return 0 or -ETIMEDOUT from pcie_retrain_link()
ext4: Fix reusing stale buffer heads from last failed mounting
ext4: rename journal_dev to s_journal_dev inside ext4_sb_info
btrfs: fix extent buffer leak after tree mod log failure at split_node()
btrfs: fix race between quota disable and relocation
btrfs: qgroup: catch reserved space leaks at unmount time
bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent
bcache: remove 'int n' from parameter list of bch_bucket_alloc_set()
gpio: tps68470: Make tps68470_gpio_output() always set the initial value
jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint
jbd2: recheck chechpointing non-dirty buffer
jbd2: remove redundant buffer io error checks
jbd2: fix kernel-doc markups
jbd2: fix incorrect code style
Linux 5.4.252
x86: fix backwards merge of GDS/SRSO bit
xen/netback: Fix buffer overrun triggered by unusual packet
x86/cpu, kvm: Add support for CPUID_80000021_EAX
x86/bugs: Increase the x86 bugs vector size to two u32s
tools headers cpufeatures: Sync with the kernel sources
x86/cpufeatures: Assign dedicated feature word for CPUID_0x8000001F[EAX]
x86/cpu: Add VM page flush MSR availablility as a CPUID feature
x86/cpufeatures: Add SEV-ES CPU feature
Documentation/x86: Fix backwards on/off logic about YMM support
x86/mm: Initialize text poking earlier
mm: Move mm_cachep initialization to mm_init()
x86/mm: Use mm_alloc() in poking_init()
x86/mm: fix poking_init() for Xen PV guests
x86/xen: Fix secondary processors' FPU initialization
KVM: Add GDS_NO support to KVM
x86/speculation: Add Kconfig option for GDS
x86/speculation: Add force option to GDS mitigation
x86/speculation: Add Gather Data Sampling mitigation
x86/fpu: Move FPU initialization into arch_cpu_finalize_init()
x86/fpu: Mark init functions __init
x86/fpu: Remove cpuinfo argument from init functions
init, x86: Move mem_encrypt_init() into arch_cpu_finalize_init()
init: Invoke arch_cpu_finalize_init() earlier
init: Remove check_bugs() leftovers
um/cpu: Switch to arch_cpu_finalize_init()
sparc/cpu: Switch to arch_cpu_finalize_init()
sh/cpu: Switch to arch_cpu_finalize_init()
mips/cpu: Switch to arch_cpu_finalize_init()
m68k/cpu: Switch to arch_cpu_finalize_init()
ia64/cpu: Switch to arch_cpu_finalize_init()
ARM: cpu: Switch to arch_cpu_finalize_init()
x86/cpu: Switch to arch_cpu_finalize_init()
init: Provide arch_cpu_finalize_init()
Revert "posix-timers: Ensure timer ID search-loop limit is valid"
Revert "drm/panel: Initialise panel dev and funcs through drm_panel_init()"
Revert "drm/panel: Add and fill drm_panel type field"
Revert "drm/panel: simple: Add connector_type for innolux_at043tn24"
Revert "Revert "8250: add support for ASIX devices with a FIFO bug""
Linux 5.4.251
tracing/histograms: Return an error if we fail to add histogram to hist_vars list
tcp: annotate data-races around fastopenq.max_qlen
tcp: annotate data-races around tp->notsent_lowat
tcp: annotate data-races around rskq_defer_accept
tcp: annotate data-races around tp->linger2
net: Replace the limit of TCP_LINGER2 with TCP_FIN_TIMEOUT_MAX
tcp: annotate data-races around tp->tcp_tx_delay
netfilter: nf_tables: can't schedule in nft_chain_validate
netfilter: nf_tables: fix spurious set element insertion failure
llc: Don't drop packet from non-root netns.
fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe
Revert "tcp: avoid the lookup process failing to get sk in ehash table"
net:ipv6: check return value of pskb_trim()
iavf: Fix use-after-free in free_netdev
net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()/cpsw_ale_set_field()
pinctrl: amd: Use amd_pinconf_set() for all config options
fbdev: imxfb: warn about invalid left/right margin
spi: bcm63xx: fix max prepend length
igb: Fix igb_down hung on surprise removal
wifi: iwlwifi: mvm: avoid baid size integer overflow
wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point()
devlink: report devlink_port_type_warn source device
bpf: Address KCSAN report on bpf_lru_list
sched/fair: Don't balance task to its current running CPU
arm64: mm: fix VA-range sanity check
posix-timers: Ensure timer ID search-loop limit is valid
md/raid10: prevent soft lockup while flush writes
md: fix data corruption for raid456 when reshape restart while grow up
nbd: Add the maximum limit of allocated index in nbd_dev_add
debugobjects: Recheck debug_objects_enabled before reporting
ext4: correct inline offset when handling xattrs in inode body
drm/client: Fix memory leak in drm_client_modeset_probe
drm/client: Fix memory leak in drm_client_target_cloned
can: bcm: Fix UAF in bcm_proc_show()
selftests: tc: set timeout to 15 minutes
fuse: revalidate: don't invalidate if interrupted
btrfs: fix warning when putting transaction with qgroups enabled after abort
perf probe: Add test for regression introduced by switch to die_get_decl_file()
drm/atomic: Fix potential use-after-free in nonblocking commits
scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue
scsi: qla2xxx: Pointer may be dereferenced
scsi: qla2xxx: Correct the index of array
scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
scsi: qla2xxx: Fix potential NULL pointer dereference
scsi: qla2xxx: Wait for io return on terminate rport
tracing/probes: Fix not to count error code to total length
tracing: Fix null pointer dereference in tracing_err_log_open()
xtensa: ISS: fix call to split_if_spec
ring-buffer: Fix deadloop issue on reading trace_pipe
tracing/histograms: Add histograms to hist_vars if they have referenced variables
tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk
tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error
Revert "8250: add support for ASIX devices with a FIFO bug"
meson saradc: fix clock divider mask length
ceph: don't let check_caps skip sending responses for revoke msgs
hwrng: imx-rngc - fix the timeout for init and self check
firmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool()
serial: atmel: don't enable IRQs prematurely
drm/rockchip: vop: Leave vblank enabled in self-refresh
drm/atomic: Allow vblank-enabled + self-refresh "disable"
fs: dlm: return positive pid value for F_GETLK
md/raid0: add discard support for the 'original' layout
misc: pci_endpoint_test: Re-init completion for every test
misc: pci_endpoint_test: Free IRQs before removing the device
PCI: rockchip: Set address alignment for endpoint mode
PCI: rockchip: Use u32 variable to access 32-bit registers
PCI: rockchip: Fix legacy IRQ generation for RK3399 PCIe endpoint core
PCI: rockchip: Add poll and timeout to wait for PHY PLLs to be locked
PCI: rockchip: Write PCI Device ID to correct register
PCI: rockchip: Assert PCI Configuration Enable bit after probe
PCI: qcom: Disable write access to read only registers for IP v2.3.3
PCI: Add function 1 DMA alias quirk for Marvell 88SE9235
PCI/PM: Avoid putting EloPOS E2/S2/H2 PCIe Ports in D3cold
jfs: jfs_dmap: Validate db_l2nbperpage while mounting
ext4: only update i_reserved_data_blocks on successful block allocation
ext4: fix wrong unit use in ext4_mb_clear_bb
erofs: fix compact 4B support for 16k block size
SUNRPC: Fix UAF in svc_tcp_listen_data_ready()
misc: fastrpc: Create fastrpc scalar with correct buffer count
powerpc: Fail build if using recordmcount with binutils v2.37
net: bcmgenet: Ensure MDIO unregistration has clocks enabled
mtd: rawnand: meson: fix unaligned DMA buffers handling
tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation
pinctrl: amd: Only use special debounce behavior for GPIO 0
pinctrl: amd: Detect internal GPIO0 debounce handling
pinctrl: amd: Fix mistake in handling clearing pins at startup
net/sched: make psched_mtu() RTNL-less safe
net/sched: flower: Ensure both minimum and maximum ports are specified
cls_flower: Add extack support for src and dst port range options
wifi: airo: avoid uninitialized warning in airo_get_rate()
erofs: avoid infinite loop in z_erofs_do_read_page() when reading beyond EOF
platform/x86: wmi: Break possible infinite loop when parsing GUID
platform/x86: wmi: move variables
platform/x86: wmi: use guid_t and guid_equal()
platform/x86: wmi: remove unnecessary argument
platform/x86: wmi: Fix indentation in some cases
platform/x86: wmi: Replace UUID redefinitions by their originals
ipv6/addrconf: fix a potential refcount underflow for idev
NTB: ntb_tool: Add check for devm_kcalloc
NTB: ntb_transport: fix possible memory leak while device_register() fails
ntb: intel: Fix error handling in intel_ntb_pci_driver_init()
NTB: amd: Fix error handling in amd_ntb_pci_driver_init()
ntb: idt: Fix error handling in idt_pci_driver_init()
udp6: fix udp6_ehashfn() typo
icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().
ionic: remove WARN_ON to prevent panic_on_warn
ionic: ionic_intr_free parameter change
ionic: move irq request to qcq alloc
ionic: clean irq affinity on queue deinit
ionic: improve irq numa locality
net/sched: cls_fw: Fix improper refcount update leads to use-after-free
net: mvneta: fix txq_map in case of txq_number==1
scsi: qla2xxx: Fix error code in qla2x00_start_sp()
igc: set TP bit in 'supported' and 'advertising' fields of ethtool_link_ksettings
igc: Remove delay during TX ring configuration
drm/panel: simple: Add connector_type for innolux_at043tn24
drm/panel: Add and fill drm_panel type field
drm/panel: Initialise panel dev and funcs through drm_panel_init()
workqueue: clean up WORK_* constant types, clarify masking
net: lan743x: Don't sleep in atomic context
block/partition: fix signedness issue for Amiga partitions
tty: serial: fsl_lpuart: add earlycon for imx8ulp platform
netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
netfilter: nf_tables: fix scheduling-while-atomic splat
netfilter: nf_tables: unbind non-anonymous set if rule construction fails
netfilter: nf_tables: reject unbound anonymous set before commit phase
netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain
netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE
netfilter: nf_tables: add rescheduling points during loop detection walks
netfilter: nf_tables: use net_generic infra for transaction data
netfilter: add helper function to set up the nfnetlink header and use it
netfilter: nftables: add helper function to set the base sequence number
netfilter: nf_tables: fix nat hook table deletion
block: add overflow checks for Amiga partition support
fanotify: disallow mount/sb marks on kernel internal pseudo fs
fs: no need to check source
ARM: orion5x: fix d2net gpio initialization
btrfs: fix race when deleting quota root from the dirty cow roots list
fs: Lock moved directories
fs: Establish locking order for unrelated directories
Revert "f2fs: fix potential corruption when moving a directory"
ext4: Remove ext4 locking of moved directory
fs: avoid empty option when generating legacy mount string
jffs2: reduce stack usage in jffs2_build_xattr_subsystem()
integrity: Fix possible multiple allocation in integrity_inode_get()
bcache: Remove unnecessary NULL point check in node allocations
mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used.
mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M
mmc: core: disable TRIM on Kingston EMMC04G-M627
NFSD: add encoding of op_recall flag for write delegation
ALSA: jack: Fix mutex call in snd_jack_report()
i2c: xiic: Don't try to handle more interrupt events after error
i2c: xiic: Defer xiic_wakeup() and __xiic_start_xfer() in xiic_process()
sh: dma: Fix DMA channel offset calculation
net: dsa: tag_sja1105: fix MAC DA patching from meta frames
net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX
xsk: Honor SO_BINDTODEVICE on bind
xsk: Improve documentation for AF_XDP
tcp: annotate data races in __tcp_oow_rate_limited()
net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode
powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y
f2fs: fix error path handling in truncate_dnode()
mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0
spi: bcm-qspi: return error if neither hif_mspi nor mspi is available
Add MODULE_FIRMWARE() for FIRMWARE_TG357766.
sctp: fix potential deadlock on &net->sctp.addr_wq_lock
rtc: st-lpc: Release some resources in st_rtc_probe() in case of error
pwm: sysfs: Do not apply state to already disabled PWMs
pwm: imx-tpm: force 'real_period' to be zero in suspend
mfd: stmpe: Only disable the regulators if they are enabled
KVM: s390: vsie: fix the length of APCB bitmap
mfd: stmfx: Fix error path in stmfx_chip_init
serial: 8250_omap: Use force_suspend and resume for system suspend
mfd: intel-lpss: Add missing check for platform_get_resource
usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove()
KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes
mfd: rt5033: Drop rt5033-battery sub-device
usb: hide unused usbfs_notify_suspend/resume functions
usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()
extcon: Fix kernel doc of property capability fields to avoid warnings
extcon: Fix kernel doc of property fields to avoid warnings
usb: dwc3: qcom: Fix potential memory leak
media: usb: siano: Fix warning due to null work_func_t function pointer
media: videodev2.h: Fix struct v4l2_input tuner index comment
media: usb: Check az6007_read() return value
sh: j2: Use ioremap() to translate device tree address into kernel memory
w1: fix loop in w1_fini()
block: change all __u32 annotations to __be32 in affs_hardblocks.h
block: fix signed int overflow in Amiga partition support
usb: dwc3: gadget: Propagate core init errors to UDC during pullup
USB: serial: option: add LARA-R6 01B PIDs
hwrng: st - keep clock enabled while hwrng is registered
hwrng: st - Fix W=1 unused variable warning
NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION
ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard
modpost: fix off by one in is_executable_section()
crypto: marvell/cesa - Fix type mismatch warning
modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24}
modpost: fix section mismatch message for R_ARM_ABS32
crypto: nx - fix build warnings when DEBUG_FS is not enabled
hwrng: virtio - Fix race on data_avail and actual data
hwrng: virtio - always add a pending request
hwrng: virtio - don't waste entropy
hwrng: virtio - don't wait on cleanup
hwrng: virtio - add an internal buffer
powerpc/mm/dax: Fix the condition when checking if altmap vmemap can cross-boundary
pinctrl: at91-pio4: check return value of devm_kasprintf()
perf dwarf-aux: Fix off-by-one in die_get_varname()
pinctrl: cherryview: Return correct value if pin in push-pull mode
PCI: Add pci_clear_master() stub for non-CONFIG_PCI
PCI: ftpci100: Release the clock resources
PCI: pciehp: Cancel bringup sequence if card is not present
scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe()
PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free
scsi: qedf: Fix NULL dereference in error handling
ASoC: imx-audmix: check return value of devm_kasprintf()
clk: keystone: sci-clk: check return value of kasprintf()
clk: cdce925: check return value of kasprintf()
ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
clk: tegra: tegra124-emc: Fix potential memory leak
drm/radeon: fix possible division-by-zero errors
drm/amdkfd: Fix potential deallocation of previously deallocated memory.
fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()
arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1
IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors
soc/fsl/qe: fix usb.c build errors
ASoC: es8316: Do not set rate constraints for unsupported MCLKs
ASoC: es8316: Increment max value for ALC Capture Target Volume control
memory: brcmstb_dpfe: fix testing array offset after use
ARM: ep93xx: fix missing-prototype warnings
drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H
arm64: dts: qcom: msm8916: correct camss unit address
ARM: dts: gta04: Move model property out of pinctrl node
RDMA/bnxt_re: Fix to remove an unnecessary log
drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks`
Input: adxl34x - do not hardcode interrupt trigger type
ARM: dts: BCM5301X: Drop "clock-names" from the SPI node
Input: drv260x - sleep between polling GO bit
radeon: avoid double free in ci_dpm_init()
netlink: Add __sock_i_ino() for __netlink_diag_dump().
ipvlan: Fix return value of ipvlan_queue_xmit()
netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value.
netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one
lib/ts_bm: reset initial match offset for every block of text
net: nfc: Fix use-after-free caused by nfc_llcp_find_local
nfc: llcp: simplify llcp_sock_connect() error paths
gtp: Fix use-after-free in __gtp_encap_destroy().
selftests: rtnetlink: remove netdevsim device after ipsec offload test
netlink: do not hard code device address lenth in fdb dumps
netlink: fix potential deadlock in netlink_set_err()
wifi: ath9k: convert msecs to jiffies where needed
wifi: cfg80211: rewrite merging of inherited elements
wifi: iwlwifi: pull from TXQs with softirqs disabled
rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO
wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key()
memstick r592: make memstick_debug_get_tpc_name() static
kexec: fix a memory leak in crash_shrink_memory()
watchdog/perf: more properly prevent false positives with turbo modes
watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on correct config
wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown
wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
wifi: ray_cs: Fix an error handling path in ray_probe()
wifi: ray_cs: Drop useless status variable in parse_addr()
wifi: ray_cs: Utilize strnlen() in parse_addr()
wifi: wl3501_cs: Fix an error handling path in wl3501_probe()
wl3501_cs: use eth_hw_addr_set()
net: create netdev->dev_addr assignment helpers
wl3501_cs: Fix misspelling and provide missing documentation
wl3501_cs: Remove unnecessary NULL check
wl3501_cs: Fix a bunch of formatting issues related to function docs
wifi: atmel: Fix an error handling path in atmel_probe()
wifi: orinoco: Fix an error handling path in orinoco_cs_probe()
wifi: orinoco: Fix an error handling path in spectrum_cs_probe()
regulator: core: Streamline debugfs operations
regulator: core: Fix more error checking for debugfs_create_dir()
nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect()
nfc: constify several pointers to u8, char and sk_buff
wifi: mwifiex: Fix the size of a memory allocation in mwifiex_ret_802_11_scan()
spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG
samples/bpf: Fix buffer overflow in tcp_basertt
wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
wifi: ath9k: fix AR9003 mac hardware hang check register offset calculation
ima: Fix build warnings
pstore/ram: Add check for kstrdup
evm: Complete description of evm_inode_setattr()
ARM: 9303/1: kprobes: avoid missing-declaration warnings
powercap: RAPL: Fix CONFIG_IOSF_MBI dependency
PM: domains: fix integer overflow issues in genpd_parse_state()
clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe
clocksource/drivers/cadence-ttc: Use ttc driver as platform driver
tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode().
irqchip/jcore-aic: Fix missing allocation of IRQ descriptors
irqchip/jcore-aic: Kill use of irq_create_strict_mappings()
md/raid10: fix io loss while replacement replace rdev
md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request
md/raid10: fix wrong setting of max_corr_read_errors
md/raid10: fix overflow of md/safe_mode_delay
md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
x86/resctrl: Only show tasks' pid in current pid namespace
x86/resctrl: Use is_closid_match() in more places
bgmac: fix *initial* chip reset to support BCM5358
drm/amdgpu: Validate VM ioctl flags.
scripts/tags.sh: Resolve gtags empty index generation
drm/i915: Initialise outparam for error return from wait_for_register
HID: wacom: Use ktime_t rather than int when dealing with timestamps
fbdev: imsttfb: Fix use after free bug in imsttfb_probe
video: imsttfb: check for ioremap() failures
x86/smp: Use dedicated cache-line for mwait_play_dead()
gfs2: Don't deref jdesc in evict
Linux 5.4.250
x86/cpu/amd: Add a Zenbleed fix
x86/cpu/amd: Move the errata checking functionality up
x86/microcode/AMD: Load late on both threads too
Conflicts:
drivers/usb/dwc3/gadget.c
Change-Id: Ibd4bab8255496e4640f2eaf4eb7836209dd7cbfb
Merge 5.4.254 into android11-5.4-lts
Changes in 5.4.254
mmc: moxart: read scr register without changing byte order
ipv6: adjust ndisc_is_useropt() to also return true for PIO
dmaengine: pl330: Return DMA_PAUSED when transaction is paused
drm/nouveau/gr: enable memory loads on helper invocation on all channels
radix tree test suite: fix incorrect allocation size for pthreads
x86/pkeys: Revert a5eff72597 ("x86/pkeys: Add PKRU value to init_fpstate")
nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
iio: cros_ec: Fix the allocation size for cros_ec_command
binder: fix memory leak in binder_init()
usb-storage: alauda: Fix uninit-value in alauda_check_media()
usb: dwc3: Properly handle processing of pending events
usb: common: usb-conn-gpio: Prevent bailing out if initial role is none
x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405
x86/mm: Fix VDSO and VVAR placement on 5-level paging machines
x86: Move gds_ucode_mitigated() declaration to header
drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes
selftests/rseq: Fix build with undefined __weak
mISDN: Update parameter type of dsp_cmx_send()
net/packet: annotate data-races around tp->status
bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
dccp: fix data-race around dp->dccps_mss_cache
drivers: net: prevent tun_build_skb() to exceed the packet size limit
IB/hfi1: Fix possible panic during hotplug remove
wifi: cfg80211: fix sband iftype data lookup for AP_VLAN
dmaengine: mcf-edma: Fix a potential un-allocated memory access
net/mlx5: Allow 0 for total host VFs
ibmvnic: Handle DMA unmapping of login buffs in release functions
btrfs: don't stop integrity writeback too early
btrfs: set cache_block_group_error if we find an error
nvme-tcp: fix potential unbalanced freeze & unfreeze
nvme-rdma: fix potential unbalanced freeze & unfreeze
netfilter: nf_tables: report use refcount overflow
scsi: core: Fix legacy /proc parsing buffer overflow
scsi: storvsc: Fix handling of virtual Fibre Channel timeouts
scsi: 53c700: Check that command slot is not NULL
scsi: snic: Fix possible memory leak if device_add() fails
scsi: core: Fix possible memory leak if device_add() fails
alpha: remove __init annotation from exported page_is_ram()
sch_netem: fix issues in netem_change() vs get_dist_table()
Linux 5.4.254
Change-Id: I187a81acd36ef0ec486a959c626f1f06373170cc
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit adb9743d6a08778b78d62d16b4230346d3508986 upstream.
In binder_init(), the destruction of binder_alloc_shrinker_init() is not
performed in the wrong path, which will cause memory leaks. So this commit
introduces binder_alloc_shrinker_exit() and calls it in the wrong path to
fix that.
Signed-off-by: Qi Zheng <zhengqi.arch@bytedance.com>
Acked-by: Carlos Llamas <cmllamas@google.com>
Fixes: f2517eb76f ("android: binder: Add global lru shrinker to binder")
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20230625154937.64316-1-qi.zheng@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
https://source.android.com/docs/security/bulletin/2023-06-01
* tag 'ASB-2023-06-05_11-5.4' of https://android.googlesource.com/kernel/common:
UPSTREAM: io_uring: have io_kill_timeout() honor the request references
UPSTREAM: io_uring: don't drop completion lock before timer is fully initialized
UPSTREAM: io_uring: always grab lock in io_cancel_async_work()
UPSTREAM: net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
UPSTREAM: cdc_ncm: Fix the build warning
UPSTREAM: cdc_ncm: Implement the 32-bit version of NCM Transfer Block
UPSTREAM: ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum
UPSTREAM: ext4: fix invalid free tracking in ext4_xattr_move_to_block()
Revert "Revert "mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse""
FROMLIST: binder: fix UAF caused by faulty buffer cleanup
Linux 5.4.242
ASN.1: Fix check for strdup() success
iio: adc: at91-sama5d2_adc: fix an error code in at91_adc_allocate_trigger()
pwm: meson: Explicitly set .polarity in .get_state()
xfs: fix forkoff miscalculation related to XFS_LITINO(mp)
sctp: Call inet6_destroy_sock() via sk->sk_destruct().
dccp: Call inet6_destroy_sock() via sk->sk_destruct().
inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct().
udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM).
ext4: fix use-after-free in ext4_xattr_set_entry
ext4: remove duplicate definition of ext4_xattr_ibody_inline_set()
Revert "ext4: fix use-after-free in ext4_xattr_set_entry"
x86/purgatory: Don't generate debug info for purgatory.ro
MIPS: Define RUNTIME_DISCARD_EXIT in LD script
mmc: sdhci_am654: Set HIGH_SPEED_ENA for SDR12 and SDR25
memstick: fix memory leak if card device is never registered
nilfs2: initialize unused bytes in segment summary blocks
iio: light: tsl2772: fix reading proximity-diodes from device tree
xen/netback: use same error messages for same errors
nvme-tcp: fix a possible UAF when failing to allocate an io queue
s390/ptrace: fix PTRACE_GET_LAST_BREAK error handling
net: dsa: b53: mmap: add phy ops
scsi: core: Improve scsi_vpd_inquiry() checks
scsi: megaraid_sas: Fix fw_crash_buffer_show()
selftests: sigaltstack: fix -Wuninitialized
Input: i8042 - add quirk for Fujitsu Lifebook A574/H
f2fs: Fix f2fs_truncate_partial_nodes ftrace event
e1000e: Disable TSO on i219-LM card to increase speed
bpf: Fix incorrect verifier pruning due to missing register precision taints
mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next()
i40e: fix i40e_setup_misc_vector() error handling
i40e: fix accessing vsi->active_filters without holding lock
netfilter: nf_tables: fix ifdef to also consider nf_tables=m
virtio_net: bugfix overflow inside xdp_linearize_page()
net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg
regulator: fan53555: Explicitly include bits header
netfilter: br_netfilter: fix recent physdev match breakage
arm64: dts: meson-g12-common: specify full DMC range
ARM: dts: rockchip: fix a typo error for rk3288 spdif node
Linux 5.4.241
xfs: force log and push AIL to clear pinned inodes when aborting mount
xfs: don't reuse busy extents on extent trim
xfs: consider shutdown in bmapbt cursor delete assert
xfs: shut down the filesystem if we screw up quota reservation
xfs: report corruption only as a regular error
xfs: set inode size after creating symlink
xfs: fix up non-directory creation in SGID directories
xfs: remove the di_version field from struct icdinode
xfs: simplify a check in xfs_ioctl_setattr_check_cowextsize
xfs: simplify di_flags2 inheritance in xfs_ialloc
xfs: only check the superblock version for dinode size calculation
xfs: add a new xfs_sb_version_has_v3inode helper
xfs: remove the kuid/kgid conversion wrappers
xfs: remove the icdinode di_uid/di_gid members
xfs: ensure that the inode uid/gid match values match the icdinode ones
xfs: merge the projid fields in struct xfs_icdinode
xfs: show the proper user quota options
coresight-etm4: Fix for() loop drvdata->nr_addr_cmp range bug
watchdog: sbsa_wdog: Make sure the timeout programming is within the limits
i2c: ocores: generate stop condition after timeout in polling mode
ubi: Fix deadlock caused by recursively holding work_sem
mtd: ubi: wl: Fix a couple of kernel-doc issues
ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size
asymmetric_keys: log on fatal failures in PE/pkcs7
verify_pefile: relax wrapper length check
drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F
efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L
i2c: imx-lpi2c: clean rx/tx buffers upon new message
power: supply: cros_usbpd: reclassify "default case!" as debug
net: macb: fix a memory corruption in extended buffer descriptor mode
udp6: fix potential access to stale information
RDMA/core: Fix GID entry ref leak when create_ah fails
sctp: fix a potential overflow in sctp_ifwdtsn_skip
qlcnic: check pci_reset_function result
niu: Fix missing unwind goto in niu_alloc_channels()
9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition
mtd: rawnand: stm32_fmc2: remove unsupported EDO mode
mtd: rawnand: meson: fix bitmask for length in command word
mtdblock: tolerate corrected bit-flips
btrfs: fix fast csum implementation detection
btrfs: print checksum type and implementation at mount time
Bluetooth: Fix race condition in hidp_session_thread
Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards
ALSA: firewire-tascam: add missing unwind goto in snd_tscm_stream_start_duplex()
ALSA: i2c/cs8427: fix iec958 mixer control deactivation
ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard
ALSA: emu10k1: fix capture interrupt handler unlinking
Revert "pinctrl: amd: Disable and mask interrupts on resume"
irqdomain: Fix mapping-creation race
irqdomain: Refactor __irq_domain_alloc_irqs()
irqdomain: Look for existing mapping only once
mm/swap: fix swap_info_struct race between swapoff and get_swap_pages()
ring-buffer: Fix race while reader and writer are on the same page
drm/panfrost: Fix the panfrost_mmu_map_fault_addr() error path
net_sched: prevent NULL dereference if default qdisc setup failed
tracing: Free error logs of tracing instances
can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access
ftrace: Mark get_lock_parent_ip() __always_inline
perf/core: Fix the same task check in perf_event_set_output
ALSA: hda/realtek: Add quirk for Clevo X370SNW
nilfs2: fix sysfs interface lifetime
nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()
tty: serial: fsl_lpuart: avoid checking for transfer complete when UARTCTRL_SBK is asserted in lpuart32_tx_empty
tty: serial: sh-sci: Fix Rx on RZ/G2L SCI
tty: serial: sh-sci: Fix transmit end interrupt handler
iio: dac: cio-dac: Fix max DAC write value check for 12-bit
iio: adc: ti-ads7950: Set `can_sleep` flag for GPIO chip
USB: serial: option: add Quectel RM500U-CN modem
USB: serial: option: add Telit FE990 compositions
usb: typec: altmodes/displayport: Fix configure initial pin assignment
USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs
xhci: also avoid the XHCI_ZERO_64B_REGS quirk with a passthrough iommu
NFSD: callback request does not use correct credential for AUTH_SYS
sunrpc: only free unix grouplist after RCU settles
gpio: davinci: Add irq chip flag to skip set wake
ipv6: Fix an uninit variable access bug in __ip6_make_skb()
sctp: check send stream number after wait_for_sndbuf
net: don't let netpoll invoke NAPI if in xmit context
icmp: guard against too small mtu
wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta
pwm: sprd: Explicitly set .polarity in .get_state()
pwm: cros-ec: Explicitly set .polarity in .get_state()
pinctrl: amd: Disable and mask interrupts on resume
pinctrl: amd: disable and mask interrupts on probe
pinctrl: amd: Use irqchip template
smb3: fix problem with null cifs super block with previous patch
treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()
Revert "treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()"
cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach()
x86/PCI: Add quirk for AMD XHCI controller that loses MSI-X state in D3hot
scsi: ses: Handle enclosure with just a primary component gracefully
Linux 5.4.240
gfs2: Always check inode size of inline inodes
firmware: arm_scmi: Fix device node validation for mailbox transport
net: sched: fix race condition in qdisc_graft()
net_sched: add __rcu annotation to netdev->qdisc
ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
btrfs: scan device in non-exclusive mode
s390/uaccess: add missing earlyclobber annotations to __clear_user()
drm/etnaviv: fix reference leak when mmaping imported buffer
ALSA: usb-audio: Fix regression on detection of Roland VS-100
ALSA: hda/conexant: Partial revert of a quirk for Lenovo
NFSv4: Fix hangs when recovering open state after a server reboot
pinctrl: at91-pio4: fix domain name assignment
xen/netback: don't do grant copy across page boundary
Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table
cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL
cifs: prevent infinite recursion in CIFSGetDFSRefer()
Input: focaltech - use explicitly signed char type
Input: alps - fix compatibility with -funsigned-char
pinctrl: ocelot: Fix alt mode for ocelot
net: mvneta: make tx buffer array agnostic
net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only
bnxt_en: Fix typo in PCI id to device description string mapping
i40e: fix registers dump after run ethtool adapter self test
s390/vfio-ap: fix memory leak in vfio_ap device driver
can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
net/net_failover: fix txq exceeding warning
regulator: Handle deferred clk
regulator: fix spelling mistake "Cant" -> "Can't"
ptp_qoriq: fix memory leak in probe()
scsi: megaraid_sas: Fix crash after a double completion
mtd: rawnand: meson: invalidate cache on polling ECC bit
mips: bmips: BCM6358: disable RAC flush for TP1
dma-mapping: drop the dev argument to arch_sync_dma_for_*
ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx()
fbdev: au1200fb: Fix potential divide by zero
fbdev: lxfb: Fix potential divide by zero
fbdev: intelfb: Fix potential divide by zero
fbdev: nvidia: Fix potential divide by zero
sched_getaffinity: don't assume 'cpumask_size()' is fully initialized
fbdev: tgafb: Fix potential divide by zero
ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
ALSA: asihpi: check pao in control_message()
md: avoid signed overflow in slot_store()
bus: imx-weim: fix branch condition evaluates to a garbage value
fsverity: don't drop pagecache at end of FS_IOC_ENABLE_VERITY
ocfs2: fix data corruption after failed write
tun: avoid double free in tun_free_netdev
sched/fair: Sanitize vruntime of entity being migrated
sched/fair: sanitize vruntime of entity being placed
dm crypt: add cond_resched() to dmcrypt_write()
dm stats: check for and propagate alloc_percpu failure
i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()
nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()
wifi: mac80211: fix qos on mesh interfaces
usb: chipidea: core: fix possible concurrent when switch role
usb: chipdea: core: fix return -EINVAL if request role is the same with current role
usb: cdns3: Fix issue with using incorrect PCI device function
dm thin: fix deadlock when swapping to thin device
igb: revert rtnl_lock() that causes deadlock
fsverity: Remove WQ_UNBOUND from fsverity read workqueue
usb: gadget: u_audio: don't let userspace block driver unbind
scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR
cifs: empty interface list when server doesn't support query interfaces
sh: sanitize the flags on sigreturn
net: usb: qmi_wwan: add Telit 0x1080 composition
net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990
scsi: lpfc: Avoid usage of list iterator variable after loop
scsi: ufs: core: Add soft dependency on governor_simpleondemand
scsi: target: iscsi: Fix an error message in iscsi_check_key()
selftests/bpf: check that modifier resolves after pointer
m68k: Only force 030 bus error if PC not in exception table
ca8210: fix mac_len negative array access
riscv: Bump COMMAND_LINE_SIZE value to 1024
thunderbolt: Use const qualifier for `ring_interrupt_index`
uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2
scsi: qla2xxx: Perform lockless command completion in abort path
hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs
platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl
Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work
Bluetooth: btqcomsmd: Fix command timeout after setting BD address
net: mdio: thunder: Add missing fwnode_handle_put()
hvc/xen: prevent concurrent accesses to the shared ring
nvme-tcp: fix nvme_tcp_term_pdu to match spec
net/sonic: use dma_mapping_error() for error check
erspan: do not use skb_mac_header() in ndo_start_xmit()
atm: idt77252: fix kmemleak when rmmod idt77252
net/mlx5: Read the TC mapping of all priorities on ETS query
bpf: Adjust insufficient default bpf_jit_limit
keys: Do not cache key in task struct if key is requested from kernel thread
net/ps3_gelic_net: Use dma_mapping_error
net/ps3_gelic_net: Fix RX sk_buff length
net: qcom/emac: Fix use after free bug in emac_remove due to race condition
xirc2ps_cs: Fix use after free bug in xirc2ps_detach
qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info
net: usb: smsc95xx: Limit packet length to skb->len
scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
i2c: imx-lpi2c: check only for enabled interrupt flags
igbvf: Regard vf reset nack as success
intel/igbvf: free irq on the error path in igbvf_request_msix()
iavf: fix non-tunneled IPv6 UDP packet type and hashing
iavf: fix inverted Rx hash condition leading to disabled hash
power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition
net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
Linux 5.4.239
selftests: Fix the executable permissions for fib_tests.sh
BACKPORT: mac80211_hwsim: notify wmediumd of used MAC addresses
FROMGIT: mac80211_hwsim: add concurrent channels scanning support over virtio
Revert "HID: core: Provide new max_buffer_size attribute to over-ride the default"
Revert "HID: uhid: Over-ride the default maximum data buffer value with our own"
Linux 5.4.238
HID: uhid: Over-ride the default maximum data buffer value with our own
HID: core: Provide new max_buffer_size attribute to over-ride the default
PCI: Unify delay handling for reset and resume
s390/ipl: add missing intersection check to ipl_report handling
serial: 8250_em: Fix UART port type
drm/i915: Don't use stolen memory for ring buffers with LLC
x86/mm: Fix use of uninitialized buffer in sme_enable()
fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks
ftrace: Fix invalid address access in lookup_rec() when index is 0
KVM: nVMX: add missing consistency checks for CR0 and CR4
tracing: Make tracepoint lockdep check actually test something
tracing: Check field value in hist_field_name()
interconnect: fix mem leak when freeing nodes
tty: serial: fsl_lpuart: skip waiting for transmission complete when UARTCTRL_SBK is asserted
ext4: fix possible double unlock when moving a directory
sh: intc: Avoid spurious sizeof-pointer-div warning
drm/amdkfd: Fix an illegal memory access
ext4: fix task hung in ext4_xattr_delete_inode
ext4: fail ext4_iget if special inode unallocated
jffs2: correct logic when creating a hole in jffs2_write_begin
mmc: atmel-mci: fix race between stop command and start of next command
media: m5mols: fix off-by-one loop termination error
hwmon: (ina3221) return prober error code
hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition
hwmon: (adt7475) Fix masking of hysteresis registers
hwmon: (adt7475) Display smoothing attributes in correct order
ethernet: sun: add check for the mdesc_grab()
net/iucv: Fix size of interrupt data
net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull
ipv4: Fix incorrect table ID in IOCTL path
block: sunvdc: add check for mdesc_grab() returning NULL
nvmet: avoid potential UAF in nvmet_req_complete()
net: usb: smsc75xx: Limit packet length to skb->len
nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status fails
net: tunnels: annotate lockless accesses to dev->needed_headroom
qed/qed_dev: guard against a possible division by zero
i40e: Fix kernel crash during reboot when adapter is in recovery mode
ipvlan: Make skb->skb_iif track skb->dev for l3s mode
nfc: pn533: initialize struct pn533_out_arg properly
tcp: tcp_make_synack() can be called from process context
scsi: core: Fix a procfs host directory removal regression
scsi: core: Fix a comment in function scsi_host_dev_release()
netfilter: nft_redir: correct value of inet type `.maxattrs`
ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU()
ALSA: hda: Add Intel DG2 PCI ID and HDMI codec vid
ALSA: hda: Add Alderlake-S PCI ID and HDMI codec vid
ALSA: hda - controller is in GPU on the DG1
ALSA: hda - add Intel DG1 PCI and HDMI ids
scsi: mpt3sas: Fix NULL pointer access in mpt3sas_transport_port_add()
docs: Correct missing "d_" prefix for dentry_operations member d_weak_revalidate
clk: HI655X: select REGMAP instead of depending on it
drm/meson: fix 1px pink line on GXM when scaling video overlay
cifs: Move the in_send statistic to __smb_send_rqst()
drm/panfrost: Don't sync rpm suspension after mmu flushing
xfrm: Allow transport-mode states with AF_UNSPEC selector
ext4: fix cgroup writeback accounting with fs-layer encryption
ANDROID: preserve CRC for __irq_domain_add()
Revert "drm/exynos: Don't reset bridge->next"
Revert "drm/bridge: Rename bridge helpers targeting a bridge chain"
Revert "drm/bridge: Introduce drm_bridge_get_next_bridge()"
Revert "drm: Initialize struct drm_crtc_state.no_vblank from device settings"
Revert "drm/msm/mdp5: Add check for kzalloc"
Linux 5.4.237
s390/dasd: add missing discipline function
UML: define RUNTIME_DISCARD_EXIT
sh: define RUNTIME_DISCARD_EXIT
s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36
powerpc/vmlinux.lds: Don't discard .rela* for relocatable builds
powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT
arch: fix broken BuildID for arm64 and riscv
x86, vmlinux.lds: Add RUNTIME_DISCARD_EXIT to generic DISCARDS
drm/i915: Don't use BAR mappings for ring buffers with LLC
ipmi:watchdog: Set panic count to proper value on a panic
ipmi/watchdog: replace atomic_add() and atomic_sub()
media: ov5640: Fix analogue gain control
PCI: Add SolidRun vendor ID
macintosh: windfarm: Use unsigned type for 1-bit bitfields
alpha: fix R_ALPHA_LITERAL reloc for large modules
MIPS: Fix a compilation issue
ext4: Fix deadlock during directory rename
riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode
net/smc: fix fallback failed while sendmsg with fastopen
scsi: megaraid_sas: Update max supported LD IDs to 240
btf: fix resolving BTF_KIND_VAR after ARRAY, STRUCT, UNION, PTR
netfilter: tproxy: fix deadlock due to missing BH disable
bnxt_en: Avoid order-5 memory allocation for TPA data
net: caif: Fix use-after-free in cfusbl_device_notify()
net: lan78xx: fix accessing the LAN7800's internal phy specific registers from the MAC driver
net: usb: lan78xx: Remove lots of set but unused 'ret' variables
selftests: nft_nat: ensuring the listening side is up before starting the client
ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping()
nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties
drm/msm/a5xx: fix setting of the CP_PREEMPT_ENABLE_LOCAL register
ext4: Fix possible corruption when moving a directory
scsi: core: Remove the /proc/scsi/${proc_name} directory earlier
cifs: Fix uninitialized memory read in smb3_qfs_tcon()
SMB3: Backup intent flag missing from some more ops
iommu/vt-d: Fix PASID directory pointer coherency
irqdomain: Fix domain registration race
irqdomain: Change the type of 'size' in __irq_domain_add() to be consistent
ipmi:ssif: Add a timer between request retries
ipmi:ssif: Increase the message retry time
ipmi:ssif: Remove rtc_us_timer
ipmi:ssif: resend_msg() cannot fail
ipmi:ssif: make ssif_i2c_send() void
iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter
iommu/amd: Fix ill-formed ivrs_ioapic, ivrs_hpet and ivrs_acpihid options
iommu/amd: Add PCI segment support for ivrs_[ioapic/hpet/acpihid] commands
nfc: change order inside nfc_se_io error path
ext4: zero i_disksize when initializing the bootloader inode
ext4: fix WARNING in ext4_update_inline_data
ext4: move where set the MAY_INLINE_DATA flag is set
ext4: fix another off-by-one fsmap error on 1k block filesystems
ext4: fix RENAME_WHITEOUT handling for inline directories
drm/connector: print max_requested_bpc in state debugfs
x86/CPU/AMD: Disable XSAVES on AMD family 0x17
fs: prevent out-of-bounds array speculation when closing a file descriptor
Linux 5.4.236
staging: rtl8192e: Remove call_usermodehelper starting RadioPower.sh
staging: rtl8192e: Remove function ..dm_check_ac_dc_power calling a script
wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
Linux 5.4.235
dt-bindings: rtc: sun6i-a31-rtc: Loosen the requirements on the clocks
media: uvcvideo: Fix race condition with usb_kill_urb
media: uvcvideo: Provide sync and async uvc_ctrl_status_event
tcp: Fix listen() regression in 5.4.229.
Bluetooth: hci_sock: purge socket queues in the destruct() callback
x86/resctl: fix scheduler confusion with 'current'
x86/resctrl: Apply READ_ONCE/WRITE_ONCE to task_struct.{rmid,closid}
net: tls: avoid hanging tasks on the tx_lock
phy: rockchip-typec: Fix unsigned comparison with less than zero
PCI: Add ACS quirk for Wangxun NICs
kernel/fail_function: fix memory leak with using debugfs_lookup()
usb: uvc: Enumerate valid values for color matching
USB: ene_usb6250: Allocate enough memory for full object
usb: host: xhci: mvebu: Iterate over array indexes instead of using pointer math
iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_config_word()
iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_status_word()
tools/iio/iio_utils:fix memory leak
mei: bus-fixup:upon error print return values of send and receive
tty: serial: fsl_lpuart: disable the CTS when send break signal
tty: fix out-of-bounds access in tty_driver_lookup_tty()
staging: emxx_udc: Add checks for dma_alloc_coherent()
media: uvcvideo: Silence memcpy() run-time false positive warnings
media: uvcvideo: Quirk for autosuspend in Logitech B910 and C910
media: uvcvideo: Handle errors from calls to usb_string
media: uvcvideo: Handle cameras with invalid descriptors
mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak
firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3
tracing: Add NULL checks for buffer in ring_buffer_free_read_page()
thermal: intel: BXT_PMIC: select REGMAP instead of depending on it
thermal: intel: quark_dts: fix error pointer dereference
scsi: ipr: Work around fortify-string warning
rtc: sun6i: Always export the internal oscillator
rtc: sun6i: Make external 32k oscillator optional
vc_screen: modify vcs_size() handling in vcs_read()
tcp: tcp_check_req() can be called from process context
ARM: dts: spear320-hmi: correct STMPE GPIO compatible
net/sched: act_sample: fix action bind logic
nfc: fix memory leak of se_io context in nfc_genl_se_io
net/mlx5: Geneve, Fix handling of Geneve object id as error code
9p/rdma: unmap receive dma buffer in rdma_request()/post_recv()
9p/xen: fix connection sequence
9p/xen: fix version parsing
net: fix __dev_kfree_skb_any() vs drop monitor
sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop
ipv6: Add lwtunnel encap size of all siblings in nexthop calculation
netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()
watchdog: pcwd_usb: Fix attempting to access uninitialized memory
watchdog: Fix kmemleak in watchdog_cdev_register
watchdog: at91sam9_wdt: use devm_request_irq to avoid missing free_irq() in error path
x86: um: vdso: Add '%rcx' and '%r11' to the syscall clobber list
ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed
ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
ubifs: ubifs_writepage: Mark page dirty after writing inode failed
ubifs: dirty_cow_znode: Fix memleak in error handling path
ubifs: Re-statistic cleaned znode count if commit failed
ubi: Fix possible null-ptr-deref in ubi_free_volume()
ubifs: Fix memory leak in alloc_wbufs()
ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume()
ubi: Fix use-after-free when volume resizing failed
ubifs: Reserve one leb for each journal head while doing budget
ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1
ubifs: Fix wrong dirty space budget for dirty inode
ubifs: Rectify space budget for ubifs_xrename()
ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted
ubifs: Fix build errors as symbol undefined
ubi: ensure that VID header offset + VID header size <= alloc, size
um: vector: Fix memory leak in vector_config
fs: f2fs: initialize fsdata in pagecache_write()
f2fs: use memcpy_{to,from}_page() where possible
pwm: stm32-lp: fix the check on arr and cmp registers update
pwm: sifive: Always let the first pwm_apply_state succeed
pwm: sifive: Reduce time the controller lock is held
fs/jfs: fix shift exponent db_agl2size negative
net/sched: Retire tcindex classifier
kbuild: Port silent mode detection to future gnu make.
wifi: ath9k: use proper statements in conditionals
drm/radeon: Fix eDP for single-display iMac11,2
drm/i915/quirks: Add inverted backlight quirk for HP 14-r206nv
PCI: Avoid FLR for AMD FCH AHCI adapters
PCI: hotplug: Allow marking devices as disconnected during bind/unbind
PCI/PM: Observe reset delay irrespective of bridge_d3
scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
scsi: ses: Fix possible desc_ptr out-of-bounds accesses
scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()
scsi: ses: Don't attach if enclosure has no components
scsi: qla2xxx: Fix erroneous link down
scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests
scsi: qla2xxx: Fix link failure in NPIV environment
ktest.pl: Add RUN_TIMEOUT option with default unlimited
ktest.pl: Fix missing "end_monitor" when machine check fails
ktest.pl: Give back console on Ctrt^C on monitor
mm/thp: check and bail out if page in deferred queue already
mm: memcontrol: deprecate charge moving
media: ipu3-cio2: Fix PM runtime usage_count in driver unbind
mips: fix syscall_get_nr
alpha: fix FEN fault handling
rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails
ARM: dts: exynos: correct TMU phandle in Odroid XU
ARM: dts: exynos: correct TMU phandle in Exynos4
dm flakey: don't corrupt the zero page
dm flakey: fix logic when corrupting a bio
thermal: intel: powerclamp: Fix cur_state for multi package system
wifi: cfg80211: Fix use after free for wext
wifi: rtl8xxxu: Use a longer retry limit of 48
ext4: refuse to create ea block when umounted
ext4: optimize ea_inode block expansion
ALSA: hda/realtek: Add quirk for HP EliteDesk 800 G6 Tower PC
ALSA: ice1712: Do not left ice->gpio_mutex locked in aureon_add_controls()
irqdomain: Drop bogus fwspec-mapping error handling
irqdomain: Fix disassociation race
irqdomain: Fix association race
ima: Align ima_file_mmap() parameters with mmap_file LSM hook
Documentation/hw-vuln: Document the interaction between IBRS and STIBP
x86/speculation: Allow enabling STIBP with legacy IBRS
x86/microcode/AMD: Fix mixed steppings support
x86/microcode/AMD: Add a @cpu parameter to the reloading functions
x86/microcode/amd: Remove load_microcode_amd()'s bsp parameter
x86/kprobes: Fix arch_check_optimized_kprobe check within optimized_kprobe range
x86/kprobes: Fix __recover_optprobed_insn check optimizing logic
x86/reboot: Disable SVM, not just VMX, when stopping CPUs
x86/reboot: Disable virtualization in an emergency if SVM is supported
x86/crash: Disable virt in core NMI crash handler to avoid double shootdown
x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows)
KVM: s390: disable migration mode when dirty tracking is disabled
KVM: Destroy target device if coalesced MMIO unregistration fails
udf: Fix file corruption when appending just after end of preallocated extent
udf: Detect system inodes linked into directory hierarchy
udf: Preserve link count of system files
udf: Do not update file length for failed writes to inline files
udf: Do not bother merging very long extents
udf: Truncate added extents on failed expansion
ocfs2: fix non-auto defrag path not working issue
ocfs2: fix defrag path triggering jbd2 ASSERT
f2fs: fix cgroup writeback accounting with fs-layer encryption
f2fs: fix information leak in f2fs_move_inline_dirents()
fs: hfsplus: fix UAF issue in hfsplus_put_super
hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
ARM: dts: exynos: correct HDMI phy compatible in Exynos4
s390/kprobes: fix current_kprobe never cleared after kprobes reenter
s390/kprobes: fix irq mask clobbering on kprobe reenter from post_handler
s390: discard .interp section
ipmi_ssif: Rename idle state and check
rtc: pm8xxx: fix set-alarm race
firmware: coreboot: framebuffer: Ignore reserved pixel color bits
wifi: rtl8xxxu: fixing transmisison failure for rtl8192eu
nfsd: zero out pointers after putting nfsd_files on COPY setup error
dm cache: add cond_resched() to various workqueue loops
dm thin: add cond_resched() to various workqueue loops
drm: panel-orientation-quirks: Add quirk for Lenovo IdeaPad Duet 3 10IGL5
pinctrl: at91: use devm_kasprintf() to avoid potential leaks
hwmon: (coretemp) Simplify platform device handling
regulator: s5m8767: Bounds check id indexing into arrays
regulator: max77802: Bounds check regulator id against opmode
ASoC: kirkwood: Iterate over array indexes instead of using pointer math
docs/scripts/gdb: add necessary make scripts_gdb step
drm/msm/dsi: Add missing check for alloc_ordered_workqueue
drm/radeon: free iio for atombios when driver shutdown
HID: Add Mapping for System Microphone Mute
drm/omap: dsi: Fix excessive stack usage
drm/amd/display: Fix potential null-deref in dm_resume
uaccess: Add minimum bounds check on kernel buffer size
coda: Avoid partial allocation of sig_inputArgs
net/mlx5: fw_tracer: Fix debug print
ACPI: video: Fix Lenovo Ideapad Z570 DMI match
wifi: mt76: dma: free rx_head in mt76_dma_rx_cleanup
m68k: Check syscall_trace_enter() return code
net: bcmgenet: Add a check for oversized packets
ACPI: Don't build ACPICA with '-Os'
ice: add missing checks for PF vsi type
inet: fix fast path in __inet_hash_connect()
wifi: mt7601u: fix an integer underflow
wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds
x86/bugs: Reset speculation control settings on init
timers: Prevent union confusion from unexpected restart_syscall()
thermal: intel: Fix unsigned comparison with less than zero
rcu: Suppress smp_processor_id() complaint in synchronize_rcu_expedited_wait()
wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()
blk-iocost: fix divide by 0 error in calc_lcoefs()
ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy
udf: Define EFSCORRUPTED error code
rpmsg: glink: Avoid infinite loop on intent for missing channel
media: usb: siano: Fix use after free bugs caused by do_submit_urb
media: i2c: ov7670: 0 instead of -EINVAL was returned
media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
media: i2c: ov772x: Fix memleak in ov772x_probe()
media: ov5675: Fix memleak in ov5675_init_controls()
powerpc: Remove linker flag from KBUILD_AFLAGS
media: platform: ti: Add missing check for devm_regulator_get
remoteproc: qcom_q6v5_mss: Use a carveout to authenticate modem headers
MIPS: vpe-mt: drop physical_memsize
MIPS: SMP-CPS: fix build error when HOTPLUG_CPU not set
powerpc/eeh: Set channel state after notifying the drivers
powerpc/eeh: Small refactor of eeh_handle_normal_event()
powerpc/rtas: ensure 4KB alignment for rtas_data_buf
powerpc/rtas: make all exports GPL
powerpc/pseries/lparcfg: add missing RTAS retry status handling
powerpc/pseries/lpar: add missing RTAS retry status handling
clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled()
powerpc/powernv/ioda: Skip unallocated resources when mapping to PE
clk: qcom: gpucc-sdm845: fix clk_dis_wait being programmed for CX GDSC
Input: ads7846 - don't check penirq immediately for 7845
Input: ads7846 - don't report pressure for ads7845
clk: renesas: cpg-mssr: Remove superfluous check in resume code
clk: renesas: cpg-mssr: Use enum clk_reg_layout instead of a boolean flag
clk: renesas: cpg-mssr: Fix use after free if cpg_mssr_common_init() failed
mtd: rawnand: sunxi: Fix the size of the last OOB region
clk: qcom: gcc-qcs404: fix names of the DSI clocks used as parents
clk: qcom: gcc-qcs404: disable gpll[04]_out_aux parents
mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read()
selftests/ftrace: Fix bash specific "==" operator
sparc: allow PM configs for sparc32 COMPILE_TEST
perf tools: Fix auto-complete on aarch64
perf llvm: Fix inadvertent file creation
gfs2: jdata writepage fix
cifs: Fix warning and UAF when destroy the MR list
cifs: Fix lost destroy smbd connection when MR allocate failed
nfsd: fix race to check ls_layouts
hid: bigben_probe(): validate report count
HID: asus: Fix mute and touchpad-toggle keys on Medion Akoya E1239T
HID: asus: Add support for multi-touch touchpad on Medion Akoya E1239T
HID: asus: Add report_size to struct asus_touchpad_info
HID: asus: Only set EV_REP if we are adding a mapping
HID: bigben: use spinlock to safely schedule workers
HID: bigben_worker() remove unneeded check on report_field
HID: bigben: use spinlock to protect concurrent accesses
ASoC: soc-dapm.h: fixup warning struct snd_pcm_substream not declared
ASoC: dapm: declare missing structure prototypes
spi: synquacer: Fix timeout handling in synquacer_spi_transfer_one()
dm: remove flush_scheduled_work() during local_exit()
hwmon: (mlxreg-fan) Return zero speed for broken fan
spi: bcm63xx-hsspi: Fix multi-bit mode setting
spi: bcm63xx-hsspi: fix pm_runtime
scsi: aic94xx: Add missing check for dma_map_single()
hwmon: (ltc2945) Handle error case in ltc2945_value_store
gpio: vf610: connect GPIO label to dev name
ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress()
drm/mediatek: Clean dangling pointer on bind error path
drm/mediatek: Drop unbalanced obj unref
drm/mediatek: Use NULL instead of 0 for NULL pointer
drm/mediatek: remove cast to pointers passed to kfree
gpu: host1x: Don't skip assigning syncpoints to channels
drm/msm/mdp5: Add check for kzalloc
drm: Initialize struct drm_crtc_state.no_vblank from device settings
drm/bridge: Introduce drm_bridge_get_next_bridge()
drm/bridge: Rename bridge helpers targeting a bridge chain
drm/exynos: Don't reset bridge->next
drm/msm/dpu: Add check for pstates
drm/msm/dpu: Add check for cstate
drm/msm: use strscpy instead of strncpy
drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness
ALSA: hda/ca0132: minor fix for allocation size
ASoC: fsl_sai: initialize is_dsp_mode flag
pinctrl: stm32: Fix refcount leak in stm32_pctrl_get_irq_domain
drm/msm/hdmi: Add missing check for alloc_ordered_workqueue
gpu: ipu-v3: common: Add of_node_put() for reference returned by of_graph_get_port_by_id()
drm/vc4: dpi: Fix format mapping for RGB565
drm/vc4: dpi: Add option for inverting pixel clock and output enable
drm/bridge: megachips: Fix error handling in i2c_register_driver()
drm: mxsfb: DRM_MXSFB should depend on ARCH_MXS || ARCH_MXC
drm/fourcc: Add missing big-endian XRGB1555 and RGB565 formats
selftest: fib_tests: Always cleanup before exit
selftests/net: Interpret UDP_GRO cmsg data as an int value
irqchip/irq-bcm7120-l2: Set IRQ_LEVEL for level triggered interrupts
irqchip/irq-brcmstb-l2: Set IRQ_LEVEL for level triggered interrupts
can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of a bus error
thermal/drivers/hisi: Drop second sensor hi3660
wifi: mac80211: make rate u32 in sta_set_rate_info_rx()
crypto: crypto4xx - Call dma_unmap_page when done
wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize()
wifi: iwl4965: Add missing check for create_singlethread_workqueue()
wifi: iwl3945: Add missing check for create_singlethread_workqueue
treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()
usb: gadget: udc: Avoid tasklet passing a global
RISC-V: time: initialize hrtimer based broadcast clock event device
m68k: /proc/hardware should depend on PROC_FS
crypto: rsa-pkcs1pad - Use akcipher_request_complete
rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
libbpf: Fix alen calculation in libbpf_nla_dump_errormsg()
Bluetooth: L2CAP: Fix potential user-after-free
OPP: fix error checking in opp_migrate_dentry()
tap: tap_open(): correctly initialize socket uid
tun: tun_chr_open(): correctly initialize socket uid
net: add sock_init_data_uid()
mptcp: add sk_stop_timer_sync helper
irqchip/ti-sci: Fix refcount leak in ti_sci_intr_irq_domain_probe
irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe
irqchip/alpine-msi: Fix refcount leak in alpine_msix_init_domains
net/mlx5: Enhance debug print in page allocation failure
powercap: fix possible name leak in powercap_register_zone()
crypto: seqiv - Handle EBUSY correctly
crypto: essiv - Handle EBUSY correctly
crypto: essiv - remove redundant null pointer check before kfree
crypto: ccp - Failure on re-initialization due to duplicate sysfs filename
ACPI: battery: Fix missing NUL-termination with large strings
wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()
wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails
ath9k: htc: clean up statistics macros
ath9k: hif_usb: simplify if-if to if-else
wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
wifi: orinoco: check return value of hermes_write_wordrec()
ACPICA: nsrepair: handle cases without a return value correctly
lib/mpi: Fix buffer overrun when SG is too long
genirq: Fix the return type of kstat_cpu_irqs_sum()
ACPICA: Drop port I/O validation for some regions
crypto: x86/ghash - fix unaligned access in ghash_setkey()
wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave()
wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave()
wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave()
wifi: libertas: if_usb: don't call kfree_skb() under spin_lock_irqsave()
wifi: libertas_tf: don't call kfree_skb() under spin_lock_irqsave()
wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid()
wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit()
wifi: wilc1000: fix potential memory leak in wilc_mac_xmit()
wilc1000: let wilc_mac_xmit() return NETDEV_TX_OK
wifi: ipw2200: fix memory leak in ipw_wdev_init()
wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave()
ipw2x00: switch from 'pci_' to 'dma_' API
wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()
rtlwifi: fix -Wpointer-sign warning
wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave()
wifi: libertas: fix memory leak in lbs_init_adapter()
wifi: iwlegacy: common: don't call dev_kfree_skb() under spin_lock_irqsave()
net/wireless: Delete unnecessary checks before the macro call “dev_kfree_skb”
wifi: rsi: Fix memory leak in rsi_coex_attach()
block: bio-integrity: Copy flags when bio_integrity_payload is cloned
sched/rt: pick_next_rt_entity(): check list_entry
sched/deadline,rt: Remove unused parameter from pick_next_[rt|dl]_entity()
s390/dasd: Fix potential memleak in dasd_eckd_init()
s390/dasd: Prepare for additional path event handling
blk-mq: correct stale comment of .get_budget
blk-mq: wait on correct sbitmap_queue in blk_mq_mark_tag_wait
blk-mq: remove stale comment for blk_mq_sched_mark_restart_hctx
block: Limit number of items taken from the I/O scheduler in one go
Revert "scsi: core: run queue if SCSI device queue isn't ready and queue is idle"
arm64: dts: mediatek: mt7622: Add missing pwm-cells to pwm node
ARM: dts: imx7s: correct iomuxc gpr mux controller cells
arm64: dts: amlogic: meson-gxl-s905d-phicomm-n1: fix led node name
arm64: dts: amlogic: meson-gxl: add missing unit address to eth-phy-mux node name
arm64: dts: amlogic: meson-gx: add missing unit address to rng node name
arm64: dts: amlogic: meson-gx: add missing SCPI sensors compatible
arm64: dts: amlogic: meson-axg: fix SCPI clock dvfs node name
arm64: dts: amlogic: meson-gx: fix SCPI clock dvfs node name
ARM: imx: Call ida_simple_remove() for ida_simple_get
ARM: dts: exynos: correct wr-active property in Exynos3250 Rinato
ARM: OMAP1: call platform_device_put() in error case in omap1_dm_timer_init()
arm64: dts: meson: remove CPU opps below 1GHz for G12A boards
arm64: dts: meson-gx: Fix the SCPI DVFS node name and unit address
arm64: dts: meson-g12a: Fix internal Ethernet PHY unit name
arm64: dts: meson-gx: Fix Ethernet MAC address unit name
ARM: zynq: Fix refcount leak in zynq_early_slcr_init
arm64: dts: qcom: qcs404: use symbol names for PCIe resets
ARM: OMAP2+: Fix memory leak in realtime_counter_init()
HID: asus: use spinlock to safely schedule workers
HID: asus: use spinlock to protect concurrent accesses
HID: asus: Remove check for same LED brightness on set
Linux 5.4.234
USB: core: Don't hold device lock while reading the "descriptors" sysfs file
USB: serial: option: add support for VW/Skoda "Carstick LTE"
dmaengine: sh: rcar-dmac: Check for error num after dma_set_max_seg_size
vc_screen: don't clobber return value in vcs_read
net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues().
bpf: bpf_fib_lookup should not return neigh in NUD_FAILED state
HID: core: Fix deadloop in hid_apply_multiplier.
neigh: make sure used and confirmed times are valid
IB/hfi1: Assign npages earlier
btrfs: send: limit number of clones and allocated memory size
ACPI: NFIT: fix a potential deadlock during NFIT teardown
ARM: dts: rockchip: add power-domains property to dp node on rk3288
arm64: dts: rockchip: drop unused LED mode property from rk3328-roc-cc
Conflicts:
Documentation/devicetree/bindings/rtc/allwinner,sun6i-a31-rtc.yaml
Documentation/devicetree/bindings~HEAD
arch/arm/mm/dma-mapping.c
drivers/clk/qcom/gcc-qcs404.c
drivers/iommu/dma-iommu.c
drivers/mtd/ubi/wl.c
kernel/dma/direct.c
Change-Id: I804ccb5552f305c49ec17b323c6c933cc99e6d39
commit bdc1c5fac982845a58d28690cdb56db8c88a530d upstream.
In binder_transaction_buffer_release() the 'failed_at' offset indicates
the number of objects to clean up. However, this function was changed by
commit 44d8047f1d ("binder: use standard functions to allocate fds"),
to release all the objects in the buffer when 'failed_at' is zero.
This introduced an issue when a transaction buffer is released without
any objects having been processed so far. In this case, 'failed_at' is
indeed zero yet it is misinterpreted as releasing the entire buffer.
This leads to use-after-free errors where nodes are incorrectly freed
and subsequently accessed. Such is the case in the following KASAN
report:
==================================================================
BUG: KASAN: slab-use-after-free in binder_thread_read+0xc40/0x1f30
Read of size 8 at addr ffff4faf037cfc58 by task poc/474
CPU: 6 PID: 474 Comm: poc Not tainted 6.3.0-12570-g7df047b3f0aa #5
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec
show_stack+0x18/0x24
dump_stack_lvl+0x48/0x60
print_report+0xf8/0x5b8
kasan_report+0xb8/0xfc
__asan_load8+0x9c/0xb8
binder_thread_read+0xc40/0x1f30
binder_ioctl+0xd9c/0x1768
__arm64_sys_ioctl+0xd4/0x118
invoke_syscall+0x60/0x188
[...]
Allocated by task 474:
kasan_save_stack+0x3c/0x64
kasan_set_track+0x2c/0x40
kasan_save_alloc_info+0x24/0x34
__kasan_kmalloc+0xb8/0xbc
kmalloc_trace+0x48/0x5c
binder_new_node+0x3c/0x3a4
binder_transaction+0x2b58/0x36f0
binder_thread_write+0x8e0/0x1b78
binder_ioctl+0x14a0/0x1768
__arm64_sys_ioctl+0xd4/0x118
invoke_syscall+0x60/0x188
[...]
Freed by task 475:
kasan_save_stack+0x3c/0x64
kasan_set_track+0x2c/0x40
kasan_save_free_info+0x38/0x5c
__kasan_slab_free+0xe8/0x154
__kmem_cache_free+0x128/0x2bc
kfree+0x58/0x70
binder_dec_node_tmpref+0x178/0x1fc
binder_transaction_buffer_release+0x430/0x628
binder_transaction+0x1954/0x36f0
binder_thread_write+0x8e0/0x1b78
binder_ioctl+0x14a0/0x1768
__arm64_sys_ioctl+0xd4/0x118
invoke_syscall+0x60/0x188
[...]
==================================================================
In order to avoid these issues, let's always calculate the intended
'failed_at' offset beforehand. This is renamed and wrapped in a helper
function to make it clear and convenient.
Fixes: 32e9f56a96d8 ("binder: don't detect sender/target during buffer cleanup")
Reported-by: Zi Fan Tan <zifantan@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20230505203020.4101154-1-cmllamas@google.com
[cmllamas: resolve trivial conflict due to missing commit 9864bb4801331]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
In binder_transaction_buffer_release() the 'failed_at' offset indicates
the number of objects to clean up. However, this function was changed by
commit 44d8047f1d ("binder: use standard functions to allocate fds"),
to release all the objects in the buffer when 'failed_at' is zero.
This introduced an issue when a transaction buffer is released without
any objects having been processed so far. In this case, 'failed_at' is
indeed zero yet it is misinterpreted as releasing the entire buffer.
This leads to use-after-free errors where nodes are incorrectly freed
and subsequently accessed. Such is the case in the following KASAN
report:
==================================================================
BUG: KASAN: slab-use-after-free in binder_thread_read+0xc40/0x1f30
Read of size 8 at addr ffff4faf037cfc58 by task poc/474
CPU: 6 PID: 474 Comm: poc Not tainted 6.3.0-12570-g7df047b3f0aa #5
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec
show_stack+0x18/0x24
dump_stack_lvl+0x48/0x60
print_report+0xf8/0x5b8
kasan_report+0xb8/0xfc
__asan_load8+0x9c/0xb8
binder_thread_read+0xc40/0x1f30
binder_ioctl+0xd9c/0x1768
__arm64_sys_ioctl+0xd4/0x118
invoke_syscall+0x60/0x188
[...]
Allocated by task 474:
kasan_save_stack+0x3c/0x64
kasan_set_track+0x2c/0x40
kasan_save_alloc_info+0x24/0x34
__kasan_kmalloc+0xb8/0xbc
kmalloc_trace+0x48/0x5c
binder_new_node+0x3c/0x3a4
binder_transaction+0x2b58/0x36f0
binder_thread_write+0x8e0/0x1b78
binder_ioctl+0x14a0/0x1768
__arm64_sys_ioctl+0xd4/0x118
invoke_syscall+0x60/0x188
[...]
Freed by task 475:
kasan_save_stack+0x3c/0x64
kasan_set_track+0x2c/0x40
kasan_save_free_info+0x38/0x5c
__kasan_slab_free+0xe8/0x154
__kmem_cache_free+0x128/0x2bc
kfree+0x58/0x70
binder_dec_node_tmpref+0x178/0x1fc
binder_transaction_buffer_release+0x430/0x628
binder_transaction+0x1954/0x36f0
binder_thread_write+0x8e0/0x1b78
binder_ioctl+0x14a0/0x1768
__arm64_sys_ioctl+0xd4/0x118
invoke_syscall+0x60/0x188
[...]
==================================================================
In order to avoid these issues, let's always calculate the intended
'failed_at' offset beforehand. This is renamed and wrapped in a helper
function to make it clear and convenient.
Fixes: 32e9f56a96d8 ("binder: don't detect sender/target during buffer cleanup")
Reported-by: Zi Fan Tan <zifantan@google.com>
Link: https://b.corp.google.com/issues/275041864
Cc: stable@vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 275041864
Link: https://lore.kernel.org/all/20230505203020.4101154-1-cmllamas@google.com
Change-Id: I4bcc8bde77a8118872237d100cccb5caf95d99a1
[cmllamas: drop hunk for missing commit 9864bb480133]
Signed-off-by: Carlos Llamas <cmllamas@google.com>
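The sentinel ambiguity described in the commit message above, as an added example (not code from the binder driver or from the patch). It is a user-space model in which an object index stands in for the 'failed_at' byte offset and a plain counter stands in for the node refcount; all names (model_node, model_buffer, release_buggy, release_upto, release_entire, transact) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a refcounted node; refs == 0 means it would have been freed. */
struct model_node { int refs; };

/* Stand-in for a transaction buffer holding references to nodes. */
struct model_buffer {
    struct model_node *objs[4];
    size_t count;
};

static void node_get(struct model_node *n) { n->refs++; }
static void node_put(struct model_node *n) { n->refs--; }

/* Pre-fix shape: failed_at == 0 is overloaded to mean "release everything". */
static void release_buggy(struct model_buffer *b, size_t failed_at)
{
    size_t end = failed_at ? failed_at : b->count;

    for (size_t i = 0; i < end; i++)
        node_put(b->objs[i]);
}

/* Post-fix shape: the caller always states the end explicitly; 0 means none. */
static void release_upto(struct model_buffer *b, size_t end)
{
    for (size_t i = 0; i < end; i++)
        node_put(b->objs[i]);
}

/* Helper for the "whole buffer" case, so no sentinel value is needed. */
static void release_entire(struct model_buffer *b)
{
    release_upto(b, b->count);
}

/* Take one reference per object; fail when reaching index fail_idx. */
static bool transact(struct model_buffer *b, size_t fail_idx, bool use_fix)
{
    size_t done;

    for (done = 0; done < b->count; done++) {
        if (done == fail_idx)
            goto err;
        node_get(b->objs[done]);
    }
    /* Normal completion: every object was processed, release them all. */
    if (use_fix)
        release_entire(b);
    else
        release_buggy(b, 0);
    return true;
err:
    /* Only the 'done' objects processed so far may be released. */
    if (use_fix)
        release_upto(b, done);
    else
        release_buggy(b, done);   /* done == 0 is misread as "all" */
    return false;
}

/* One node already holding a single reference owned by someone else. */
static int refs_after_transaction(size_t fail_idx, bool use_fix)
{
    struct model_node n = { .refs = 1 };
    struct model_buffer b = { .objs = { &n }, .count = 1 };

    transact(&b, fail_idx, use_fix);
    return n.refs;
}

int main(void)
{
    printf("early failure, pre-fix : refs=%d\n", refs_after_transaction(0, false));
    printf("early failure, post-fix: refs=%d\n", refs_after_transaction(0, true));
    return 0;
}
```

A reference count of 0 after the early failure in the pre-fix variant is the model's equivalent of the node being freed while its owner still uses it, which is the condition KASAN reports above.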